Chapter 4800 - Office of the State Chief Information Officer
4800 STATE INFORMATION MANAGEMENT PRINCIPLES (Revised 09/08)
The Office of the State Chief Information Officer (OCIO) has broad responsibility and authority to guide the application of information technology (IT) in California State Government. The OCIO's areas of responsibility include policy making, interagency coordination, IT budget and procurement review, technical assistance and advocacy. In view of the scope of these activities and their potential impact on state government, the OCIO has articulated the fundamental principles, policies and procedures to govern the use of information technology in Sections 4800 through 5180 of the State Administrative Manual (SAM).
Note that any and all project approvals or conditions made by the Department of Finance (Finance) prior to January 1, 2008, remain in effect unless otherwise notified.
Priority of Information Technology.
Information technology is an indispensable tool of modern government. Accordingly, each state agency is expected to seek opportunities to use this technology to increase the quality of the services it provides and reduce the overall cost of government.
Authority and Responsibility.
Each agency director should be knowledgeable about the information requirements and information management practices of the agency and should provide active leadership in the exploration of new opportunities to use information technology. Each agency should establish clear lines of authority and responsibility for information management.
Management of Information.
Each agency shall establish and maintain an information management function consistent with its own operational needs and organizational structure. This function shall serve to ensure the agency's ability to identify the information it collects, maintain the integrity and security of the information, and provide for appropriate access to the information.
Management Methods.
Each state agency shall employ proven management methodologies to guide and control the planning, acquisition, development, operation, maintenance, and evaluation of information management applications. Pilot projects and/or independent oversight shall be required for larger, more complex applications.
Basis for Decisions.
Decisions regarding the application of information technology shall be based on analysis of overall costs and benefits to the people of California over the life of the application. Each agency shall plan far enough into the future to ensure that adequate time is available for analysis of alternatives, for obtaining necessary management approvals, and for the administration of procurements. Agencies shall determine the impact of their decisions across departmental and agency lines and give priority to alternatives that provide the greatest benefit from a statewide perspective.
Record of Decisions.
Each agency shall maintain records of management decisions concerning the use of information technology. These records must be sufficiently detailed to satisfy the requirements of oversight agencies as well as internal management. The records must address such topics as:
- Identification of information technology needs;
- Setting of priorities for applications of information technology;
- Evaluation of application alternatives;
- Project management and control;
- Contingency planning and risk management; and,
- Operational controls and maintenance provisions.
Agency Personnel.
Agency managerial, technical, and user personnel should possess the knowledge and skills necessary to use information technology to the best advantage for the state. Each agency should regularly assess the information technology skills and knowledge of its personnel in relation to job requirements, identify and document training needs, and provide suitable training within the limits of available resources.
Compatibility.
In selecting or developing applications of information technology, each agency shall consider the benefits and costs of maintaining compatibility with other planned and existing applications within the agency and in other state agencies. Such consideration of compatibility shall include computer languages, applications and system software, computer hardware and telecommunications equipment, data formats, and the specific knowledge and skills required of state personnel.
Procurement.
In acquiring equipment, software, and services involving information technology, agencies shall seek maximum economic advantage to the state. Procurements shall normally be competitive, in conformance with the applicable sections of the Public Contract Code and SAM. Agencies shall use master contracts whenever the functional requirements for which the contract was awarded are substantially the same as the agency's requirements.
Cost Allocation.
Each agency shall adopt policies and establish procedures for assignment of costs associated with information technology by program or operational unit within the agency, as well as for the assignment and recovery of the costs of services provided to other agencies, private individuals, and organizations.
Risk Management.
Each state agency shall adopt and maintain a risk management program for the purpose of identifying and avoiding or minimizing threats to the security of information it maintains and the operational integrity of its information systems, telecommunications systems, and data bases.
Documentation.
Applications of information technology shall be fully documented with respect to the needs of (1) nontechnical users; (2) technical personnel; (3) agency measurement; and (4) outside auditors. The adequacy of documentation shall be an evaluation criterion in all procurements involving information technology (equipment, software, services and telecommunications facilities). Project plans shall include specific provision for the creation of suitable documentation.
Provision for Emergencies.
In planning for the use of automated information systems and telecommunications facilities, agencies shall develop policies and procedures to be followed in times of emergency; when systems are preempted to preserve the public health, welfare or safety; and when other events occur which prevent reliance on automated systems for extended periods of time.
Individual Rights.
Information management policies and procedures shall be consistent with the California Constitution, the Public Records Act, the Information Practices Act, and other applicable laws. Each state agency shall safeguard the right to privacy of individuals who are the subjects of the records it maintains.
Ethics.
In the conduct of their operations and in the accomplishment of the policies stated above, state agencies and their employees shall employ information technology in a legal and ethical manner consistent with government statutes, rules and regulations. Information technology shall not be used for purposes that are unrelated to the agency's mission or that violate state or federal law. Contract provisions, including software licensing agreements, shall be strictly followed.
4804 ACCESS TO INFORMATION BY THE OFFICE OF THE LEGISLATIVE ANALYST (Renumbered from 4841.8 03/08)
Section 11734 (f) of the Government Code requires that procedures be published in SAM to allow the Legislative Analyst to use data in, or products of, state data processing information systems to analyze programs and budgets.
In order to enable the Legislature to determine the fiscal or program effects of changes (1) proposed by the Administration or (2) considered by the Legislature, any state department operating an automated information system shall, upon receiving a written request, allow the Legislative Analyst reasonable access to any relevant data contained in the system's master files, transaction files, history files and/or other appropriate automated files.
However, such access shall not be provided to information: (1) specifically prohibited by Federal law or (2) relating to proposed administrative actions (such as Budget Change Proposals submitted by individual state entities) not yet approved by the Administration.
It is the responsibility of the department to whom the information pertains to ensure that any data made available under these provisions are as accurate and up-to-date as is consistent with the department's normal use of data.
The Legislative Analyst must agree that any confidential information obtained under these provisions shall remain confidential.
4806 ACCESS TO INFORMATION BY THE CALIFORNIA STATE AUDITOR (Renumbered from 4841.9 03/08)
Section 11734 (f) of the Government Code requires that procedures be published in SAM to allow the Auditor General in the conduct of his audit to use data in, or products of, state data processing information systems. Section 10527 of the Government Code provides that the Auditor General shall have access to, and authority to examine, records of any state agency. Section 10528 of the Government Code provides that the Auditor General shall examine and report annually upon the financial statements of the state and make special audits and investigations, including performance audits, of any state agency.
In order for the Auditor General to conduct these audits in an expeditious manner, any department operating a statewide information system shall, upon receiving a written request, allow the Auditor General "read only" access to any relevant data contained in the system's master files, transaction files, history files and/or other appropriate automated files.
The department operating the information system is authorized to require the Auditor General to reimburse it for any additional costs incurred as a direct result of the Auditor General's acquisition of data from the system.
It is the Auditor General's responsibility to check with the individual state entities to whom the information pertains to ensure that any data acquired under these provisions are accurate and up-to-date.
Any confidential information obtained by the Auditor General under these provisions shall remain confidential.
4810 STATUTORY PROVISIONS (Revised 09/08)
The following provisions apply to all state departments, offices, boards, commissions, institutions, and special organizational entities except the State Compensation Insurance Fund, the Legislature, or the Legislative Data Center in the Legislative Counsel Bureau.
Office of the State Chief Information Officer:
Pursuant to Government Code Sections 11545 and 11546, the State Chief Information Officer is charged with the duty to advise the Governor on the strategic management and direction of the state's information technology resources. In addition to this advisory role, the OCIO is responsible for: establishing, maintaining, and enforcing the State's IT strategic plans, policies, standards procedures, and enterprise architecture; approval and oversight of IT projects; consulting with agencies during initial project planning; and suspending, reinstating, or terminating IT projects.
Department of Finance:
Pursuant to Government Code Section 11547, the Department of Finance shall perform fiscal oversight of the state's information technology projects. The oversight shall consist of a determination of the availability of project funding from appropriate sources and project consistency with state fiscal policy.
4819 GENERAL (Revised 09/02)
The SAM Section 4819 provides definitions and summarizes the compliance requirements for the administration of information technology in state government. Additional detail regarding specific requirements, policies or procedures is provided throughout SAM Sections 4800–5953, SAM Sections 6700–6780, and the State Information Management Manual (SIMM).
4819.2 DEFINITIONS (Revised 09/08)
The following definitions of administrative and technical terms are provided to assist agencies in their application of information technology policy.
The primary source for technical definitions is the Information Processing Systems Technical Report, American National Dictionary for Information Processing Systems, developed by the American National Standards Committee, X3 Information Processing Systems. In some cases the definitions have been modified to meet state needs.
Agency. When used lower case (agency), refers to any office, department, board, bureau, commission or other organizational entity within state government. When capitalized (Agency), the term refers to one of the state's super agencies such as the State and Consumer Services Agency or the Health and Human Services Agency.
Confidential Information. Information maintained by state agencies that is exempt from disclosure under the provisions of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws. See SAM Section 5320.5.
Continuing Costs. Costs associated with the operation and maintenance of an information technology system or application after development and implementation of the system.
Critical Application. An application that is so important to the state that the loss or unavailability of the application is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the fiscal or legal integrity of state operations; or on the continuation of essential agency programs.
Data. A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automated means.
Data Processing. The systematic performance of operations upon data, e.g., handling, merging, sorting, computing. Synonymous with information processing.
Data Processing System. A system, including computer systems and associated personnel, that performs input, processing, storage, output, and control functions to accomplish a sequence of operations on data.
Data/Information Storage. The retaining of data/information on any of a variety of mediums (i.e., magnetic disk, optical disk, or magnetic tape) from which the data can be retrieved.
Data Transmission. The conveying of data from one functional unit to one or more additional functional units through the transmission of signals by wire, radio, light beam, or any other electromagnetic means. (Voice or video transmissions are not considered data transmission for the purposes of state policy.)
Development. Activities or costs associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new information technology applications.
Hardware. See IT equipment.
Information Processing. The systematic performance of operations upon data, e.g., handling, merging, sorting, computing. Synonymous with data processing.
Information Technology. Information technology means all computerized and auxiliary automated information handling, including systems design and analysis, conversion of data, computer programming, information storage and retrieval, voice, video, data communications, requisite systems controls, and simulation. The term "information technology" is commonly abbreviated as "IT".
Information Technology Activities. Any activity listed below, or any combination of these activities for a single information technology project, is to be considered an "information technology activity."
- IT facility preparation, operation and maintenance.
- Information management planning.
- Feasibility determination, development and implementation of application systems or programs, or changes to application systems or programs to meet new or modified needs, or maintenance, including: feasibility study preparation, systems analysis, systems design, purchase and installation of software, programming, conversion of data or programs, documentation of systems and procedures, and project appraisal or assessment.
- Operation of application systems or programs including handling, assembling, or editing of input-output data or media where information technology equipment or information technology personnel are used.
- Services or equipment received through an EDP Master Agreement (SAM Section 5207.5).
- Acquisition, installation, operation, and maintenance of data processing equipment.
- Other installation management activities including performance measurement, system tuning, and capacity management.
- Preparation and administration of requests for proposals or bid solicitations for contracts for any of the above activities.
- Preparation of contracts, interagency agreements, and purchase estimates for any of the above activities.
- Employment of personnel in support of, or directly related to, any of the above activities, including: administration, technical services, clerical services, travel, training, and preparation of periodic and special reports.
- Control functions directly related to any of the above activities.
Information Technology Expenditure. The expenditure of funds regardless of source by any state entity for information technology activities, equipment, facilities, personnel, services, supplies and the automated processing of information.
Information Technology (IT) Project Oversight Framework. Minimum requirements for IT project management, risk management and IT project oversight activities for departments and agencies. Description of control agency project reporting requirements and processes for assessing department and agency project management and oversight activities. See SIMM Section 45.
Information Technology Policy Letter. Letters issued by the OCIO announcing new or changes to existing IT policies and procedures.
Information Technology Procurement. Any contract, interagency agreement or purchase estimate to conduct any activity listed below, or any combination of these activities is to be considered an "information technology procurement."
- IT facility preparation, operation and maintenance.
- Development and implementation of application systems or programs, or changes to application systems or programs to meet new or modified needs, or maintenance, including: feasibility study preparation, systems analysis, systems design, purchase and installation of software, programming, conversion of data or programs, documentation of systems and procedures, and project appraisal or assessment.
- Operation of application systems or programs including handling, assembling, or editing of input-output data or media where information technology equipment or information technology personnel are used.
- Services or equipment received through an EDP Master Agreement. SAM Section 5207.
- Acquisition, installation, operation, and maintenance of data processing equipment.
- Other installation management activities including performance measurement, system tuning, and capacity management.
- Employment of personnel in support of, or directly related to, any of the above activities, including: administration, technical services, clerical services, travel, training, and preparation of periodic and special reports.
- Control functions directly related to any of the above activities.
Information Technology Project. A project that encompasses computerized and auxiliary automated information handling, including systems design and analysis, conversion of data, computer programming, information storage and retrieval, data transmission, requisite system controls, simulation, and related interactions between people and machines. Synonymous with IT project.
Input-Output Unit/Device. A unit or device in an IT system by which data may be entered into the system, received from the system, or both.
IT Equipment. Information Technology devices used in the processing of data electronically. The following are examples of IT equipment:
- Central processing units (mainframes) and all related features and peripheral units, including processor storage, console devices, channel devices, etc.;
- Minicomputers, midrange computers, microcomputers and personal computers and all peripheral units associated with such computers;
- Special purpose systems including word processing, Magnetic Ink Character Recognition (MICR), Optical Character Recognition (OCR), photo composition, typesetting and electronic bookkeeping;
- Communication devices used for transmission of data such as: modems, data sets, multiplexors, concentrators, routers, switches, local area networks, private branch exchanges, network control equipment, or microwave or satellite communications systems; and
- Input-output (peripheral) units (off-line or on-line) including: terminals, card readers, optical character readers, magnetic tape units, mass storage devices, card punches, printers, computer output to microform converters (COM), video display units, data entry devices, teletypes, teleprinters, plotters, scanners, or any device used as a terminal to a computer and control units for these devices.
IT Personnel. All state personnel employed in IT or telecommunications classifications as defined by the Department of Personnel Administration or by the Trustees of the California State University and Colleges, and all personnel of other classifications in state agencies who perform information technology activities for at least 50 percent of their time. Users of personal computers and office automation are not included in this category unless they are in information technology classifications or spend at least 50 percent of their time performing information technology activities.
IT Supplies. All consumable items and necessities (excluding equipment defined as IT equipment) to support information technology activities and IT personnel, including:
- Documents (such as standards and procedures manuals, vendor-supplied systems documentation, and educational or training manuals);
- Equipment supplies (such as printer forms, punch card stock, disk packs, "floppy" disks, magnetic tape, and printer ribbons or cartridges); and
- Furniture (such as terminal tables and printer stands).
Life Cycle. The anticipated length of time that the information technology system or application can be expected to be efficient, cost-effective and continue to meet the agency's programmatic requirements. Synonymous with operational life system.
Maintenance. Activities or costs associated with the ONGOING UPKEEP of operational applications of information technology. Maintenance includes correcting flaws, optimizing existing systems or applications, responding to minor changes in specified user requirements, renewal of equipment maintenance agreements, and meeting normal workload increases using substantially the same equipment, facilities, personnel, supplies and software.
One-Time Costs. Costs associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new information technology applications. See State Information Management Manual (SIMM) Section 20 (Economic Analysis Workbook Package).
Operational Life. See life cycle.
Operations. Activities or costs associated with the CONTINUED USE of applications of information technology. Operations includes personnel associated with computer operations, including network operations, job control, scheduling, key entry, and the costs of computer time or other resources for processing.
Peripheral Unit/Device. With respect to a particular processing unit or device, any equipment that can communicate directly with that unit or device.
Previously Approved Effort/Project. An information technology activity or project previously approved by the OCIO (or Finance prior to January 1, 2008) or the agency's executive officer in accordance with SAM Section 4819.3. Qualification of an activity as a previously approved effort requires an approved Feasibility Study Report (FSR) AND an approved Post-Implementation Evaluation Report. Applicable activities include meeting modified needs, improving the effectiveness of the activity, program or system maintenance, or extension of existing services to new or additional users performing essentially the same functions as those that the project was designed to support. A previously approved effort/project must use substantially the same equipment, facilities, technical personnel, supplies and software to meet substantially the same requirements or to meet normal workload increases. (Note: "Substantially the same equipment" does not include the addition, upgrade or replacement of a central processing unit.)
Program. A sequence of instructions suitable for processing. See information processing or data processing.
Programming. The designing, writing, testing, debugging, and documentation of programs.
Project. A set of related activities carried out according to a plan and budget to achieve a specific set of objectives within a specified time schedule. (See information technology project.)
Proprietary Software. Computer programs which are the legal property of one party, the use of which is made available to a second or more parties, usually under contract or licensing agreement.
Public Information. Any information prepared, owned, used or retained by a state agency and not specifically exempted from the disclosure requirements of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws.
Sensitive Information. Information maintained by state agencies that requires special precautions to protect it from unauthorized modification or deletion. See SAM Section 5320.5. Sensitive information may be either public or confidential (as defined above).
Software. Programs, procedures, rules, and any associated documentation pertaining to the operation of a system. (Contrast with hardware.)
Statewide Information Management Manual (SIMM). The Statewide Information Management Manual (SIMM) as structured by the OCIO contains instructions and guidelines as well as samples, models, forms and communication documents that state agencies either must use, or will find helpful to use, in complying with established state policy relating to IT. For clarity, references in SIMM to "Department of Finance" that are not related to budget documents such as Budget Change Proposals or Finance Letters, should be read as references to the "Office of the Chief Information Officer".
Telecommunications. Includes voice and data communications, the transmission or reception of signals, writing, sounds, or intelligence of any nature by wire, radio, light beam, or any other electromagnetic means.
Workload Increase. Employing substantially the same resources (equipment, facilities, personnel, supplies, software) to process a greater volume of the same or similar information. The results of the processing are the same or similar outputs distributed to comparable users.
4819.3 STATE INFORMATION MANAGEMENT AUTHORITY AND RESPONSIBILITY (Revised 09/08)
Pursuant to Government Code Sections 11545 and 11546, the State Chief Information Officer is charged with the duty to advise the Governor on the strategic management and direction of the state's information technology resources. In addition to this advisory role, the OCIO is responsible for: establishing, maintaining, and enforcing the State's IT strategic plans, policies, standards procedures, and enterprise architecture; approval and oversight of IT projects; consulting with agencies during initial project planning; and suspending, reinstating, or terminating IT projects.
4819.31 BASIC POLICY (Revised 09/08)
Each state agency is required to:
- Establish and maintain an Operational Recovery Plan, so that it will be able to protect its information assets in the event of a disaster or serious disruption to its operations, and submit the plan or its update to the Office of Information Security and Privacy Protection (OISPP) as outlined in the Operational Recovery Plan Quarterly Reporting Schedule (SIMM Section 05). See SAM Sections 5350-5355.
- Establish an ongoing information management strategic planning process to support the accomplishment of its overall business strategy (i.e., its strategy to carry out its programmatic mission) and submit its strategic plan to the OCIO for approval. See SAM Section 4900.2.
- Adopt standards for an agency information technology infrastructure consistent with SAM Section 4900.1.
- Prepare annually an IT Capital Plan for long-term planning of the State's strategic IT investments. See SAM Section 4904.
- Conduct a feasibility study in order to establish the business case for each proposed information technology project (development or acquisition) and obtain approval of the FSR from the OCIO, or, if approval authority has been delegated to the agency director, from the agency director before expending any resources on the project. See SAM Sections 4819.34-4819.35.
- Manage information technology projects following the established IT Project Oversight Framework (SIMM Section 45) minimum requirements, to ensure that projects are completed on-time, within budget, and that they accomplish the objectives defined in their FSRs. See SAM Section 4800.
- Protect the integrity of its information management capabilities and databases and ensure the security and confidentiality of information it maintains.
- Establish an ongoing acquisition planning process to develop IT Procurement Plans (ITPP) for IT project acquisition of IT goods and services as determined by the Department of General Services.
If an agency fails to meet these requirements, the agency will be required to obtain the OCIO approval before expending any resources on information technology projects.
The project approval process is described in SAM Section 4819.34.
4819.32 EXCLUSIONS (Revised 09/08)
For purposes of the IT Project Submittal and Approval Policy, the following are excluded from State Administrative Manual (SAM) Section 4819.3, which defines State information management authority and responsibility for IT projects:
- The SAM Section 4819.3 shall apply to all State departments, offices, boards, commissions, institutions, and special organizational entities except the State Compensation Insurance Fund, the Legislature, or the Legislative Data Center in the Legislative Counsel Bureau.
- Information technology activities directly associated with single-function process-control systems (such as those applied in the controlling of water gates, traffic signals, or environmental systems for buildings), analog data collection devices, or telemetry systems are excluded from SAM Section 4819.3. Process Control, for the purposes of the exclusions from the OCIO project approval and oversight, includes automated processing systems that monitor and control the operation of a single function system, and that can perform that control in isolation from other systems. Examples may include all components necessary to monitor and control the traffic lights at an intersection, the position of water restriction and diversion components in a water supply and distribution system, or to adjust the behavior of a motorized conveyer in response to changes in load and demand.
Sensors, telemetry devices, functional components such as motors or traffic lights, electronic control processors, and the network system that connects those devices into a single-function process control system meet the process control system exclusion. Process control should not be interpreted to include information processing and network systems in which data is gathered, stored, transmitted, processed, analyzed, displayed, printed or reported for purposes other than the direct, automatic monitoring and controlling of a single function system, or for the manual review of the performance and activities of that single system. Any component that may be added to any process control system, such as additional sensors, processing capacity or network communications capability, that is necessary for use in conjunction with a current or planned information technology system must be included in all feasibility study reports, plans, proposals and budget estimates for the information technology system.
- Acquisition of telecommunications equipment used exclusively for voice or video communications is excluded from SAM Section 4819.3. This exclusion does not apply to:
- Voice systems that include the use of interactive databases.
- Videoconferencing systems that include the transmission of sensitive data or the use of interactive databases.
- Acquisition of electronic typewriters and copiers is excluded if they are NOT:
- Capable of general purpose computing; or
- Intended to be used as an input/output peripheral device to a computer system.
- Acquisition of the following consumable items or office equipment necessary to support approved information technology activities and personnel is excluded:
- Documents (such as standards and procedures manuals, vendor-supplied systems documentation, and educational training manuals);
- Equipment supplies (such as printer forms, disk packs, "floppy" disks, compact disks, magnetic tape, and printer ribbons or cartridges); and,
- Furniture (such as terminal tables and printer stands).
4819.34 PROJECT APPROVAL AUTHORITY (Revised 09/08)
Authority for approval of information technology projects lies with the OCIO, but it is the intention of the State's Chief Information Officer to delegate approval authority to agency directors to the maximum extent practicable. When an agency's proposed expenditures on information technology are consistent with established policies and when the agency has consistently adhered to those policies and successfully implemented information technology projects, the OCIO will consider delegating authority for the approval of resources to agency directors, as defined below. The OCIO will establish an agency-specific cost delegation level, i.e., the project cost level above which the agency must obtain the OCIO's approval of an FSR or Feasibility Study Report - Reporting Exemption Request (FSR-RER) (see SAM Section 4819.37) before the agency is authorized to initiate the project. The OCIO's delegations fall into one of three general groups:
Group 1 - Desktop and Mobile Computing Delegations–Agencies that have established and currently maintain an acceptable operational recovery plan and plan for the appropriate application of desktop and mobile computing will be delegated authority for the acquisition of equipment and software to support their desktop and mobile computing activities. See SAM Section 4989.2.
Group 2 - Agency Delegation for Non-Reportable Projects–Approval authority for projects which are not classified as reportable is delegated to the agency director. Agencies undertaking delegated projects are expected to employ appropriate project review, approval, and reporting procedures as specified in SAM Sections 4819.35 and 4819.36. See SAM Sections 4819.37 and 4819.39 for a list of reportable project criteria and a definition of delegated cost threshold.
Group 3 - Requested Delegation for Reportable Projects–An agency with an acceptable Operational Recovery Plan and an Agency Information Management Strategy that has been approved by the OCIO may submit a Feasibility Study Report - Reporting Exemption Request (see SAM Section 4819.38) to the OCIO prior to the encumbrance or expenditure of funds, including the use of staff resources, on the project beyond the feasibility study stage. The OCIO will review the form and notify the agency whether it has been delegated approval authority for the proposed project. If delegation is not granted, the agency must submit the project FSR to the OCIO for approval.
1. Among the factors considered by the OCIO in determining whether a project should be delegated are:
a. The apparent adequacy of the agency's planning process;
b. The cost, scope, and complexity of the project;
c. The size and composition of project staff;
d. The agency executive staff's project management experience;
e. The level of complexity and completeness of prior FSRs prepared by the agency;
f. The number and complexity of previous information technology projects attempted by the agency;
g. The demonstrated ability of agency project management staff to successfully monitor, control, and report progress during a complex undertaking; and
h. The agency's past success in applying information technology to attain goals on time and within budget and to realize expected objectives.
Delegation of approval authority will NOT normally be given for projects which:
a. Have significant statewide, interdepartmental, or intergovernmental impact;
b. Involve the establishment or use of nonstandard or extensive communication facilities;
c. Propose software or equipment acquisition expenditures that are large in relation to the agency's information technology budget;
d. Have the potential for involving new or unfamiliar technology;
e. Produce revenue for the state, such as licensing fees, tax collection, etc.;
f. Have a high potential risk associated with the security and confidentiality of the information being processed; or
g. Depend upon decisions to be made during the development or enactment of the Governor's Budget, such as approval of a Budget Change Proposal or Budget Revision.
2. Splitting a project into smaller projects to avoid either fiscal or procedural controls is prohibited.
3. Agencies undertaking delegated projects are expected to employ appropriate project review, approval, and reporting procedures as specified in SAM Sections 4819.35 (Feasibility Study Report) and 4819.36 (Project Reporting/Oversight) below.
4. All information technology projects are subject to audit. Documentation supporting project decisions must be kept by the agency for a minimum of two years following approval of the Post-Implementation Evaluation Report (PIER). See SAM Sections 4947-4947.2.
5. The OCIO, at its discretion, may rescind previously delegated approval authority for individual projects or for all information technology activities in progress or proposed by an agency. The OCIO may require that project planning, design or implementation be halted or redirected.
The decision to rescind delegation will typically be based on review (audit) of the agency's information management practices; review of a specific project; redefinition of the project; significant increases in project cost projections; major cost overruns; specific control language placed on expenditures through legislation (i.e., the Budget Act); identification of significant unresolved technical issues; or a change in the direction of state policy.
4819.35 FEASIBILITY STUDY REPORT (Revised 09/08)
- The mechanism for approving information technology projects is the Feasibility Study Report (FSR). The FSR establishes the business case for investment of state resources in the project by setting out the reasons for undertaking the project and analyzing its costs and benefits.
- An FSR, prepared in accordance with SAM Section 4928, must be approved for every information technology project prior to the encumbrance or expenditure of funds on the project, including the use of staff resources, beyond the feasibility study stage. The only exception to this requirement is that the feasibility studies for projects whose costs fall below a specified level may be documented by means of a Project Summary Package (see SAM Section 4930 and SIMM Section 20). Agencies are required to follow the SIMM Section 20 instructions for preparing and submitting the FSR.
- If, during project development or implementation, the agency finds that program requirements cannot be adequately satisfied by the course of action described in the approved FSR and that an alternative course of action is more appropriate, a Special Project Report (SPR) (SAM Sections 4945-4945.2 and SIMM Section 30) shall be prepared. No encumbrance or expenditure of funds, including the use of staff resources, shall be made to implement such change or alternative course of action until approval has been received from the OCIO, or from the agency director if the OCIO has delegated approval of the project to the director and the project remains within the limitations of the agency's delegated authority. SPRs that must be submitted to the OCIO must be transmitted within 30 days after recognition of the situation that necessitates preparation of the SPR. Agencies are required to follow the SIMM Section 30 instructions for preparing and submitting the SPR.
- Projects subject to approval by the OCIO (non-delegated projects) require submission of an FSR to the OCIO and to the Office of the Legislative Analyst. In addition, the FSR must be submitted to the Department of General Services when the contract total exceeds the agency's delegated purchasing authority. See SIMM Section 20.
- The DGS is responsible for policies and processes for IT procurement. For projects reportable to the OCIO, state agencies must submit FSRs that include the proposed IT procurement strategy. Prior to submission of the FSR for the OCIO's review, state agencies must consult with DGS Procurement Division to ensure project alignment with current procurement guidelines on all IT procurement exceeding $500,000 or for all IT procurements if the agency does not hold a DGS Procurement Division IT procurement delegation.
- Projects whose approval has been delegated to the agency director normally require an FSR prepared in accordance with SAM Section 4928 and approval of the FSR by the agency director (SAM Sections 4921 and 4926). A copy of the report, including the Project Summary Package, and a signed document indicating approval by the agency director must be on file in the agency.
- The OCIO may decide to review specifications in procurement documents before they are advertised to ensure that the specifications are consistent with the functional specifications and system design in the FSR or SPR for the projects. See SAM Section 5211.1.
4819.36 PROJECT REPORTING/OVERSIGHT (Revised 09/08)
- Projects Approved By the OCIO–Project reporting documentation submitted to the OCIO usually will require:
- Submission of an SPR (SAM Sections 4945-4945.2) to the OCIO and the Office of the Legislative Analyst, if:
- The total information technology project costs deviate or are anticipated to deviate by ten percent (higher or lower) or more, or by more than a specifically designated amount as determined by the OCIO, from the last approved estimated information technology project budget (to be measured against the combined total of each fiscal year's One-time Project Costs plus Continuing Project Costs);
- The last approved overall project development schedule falls behind or is anticipated to fall behind by ten percent or more;
- The total program benefits deviate or are anticipated to deviate by ten percent (higher or lower) or more from the last approved estimated total program benefits (to be measured against the combined total of each fiscal year's Cost Savings and Cost Avoidances);
- A major change occurs in project requirements or methodology;
- Any conditions occur that require reporting to the OCIO as previously imposed by the OCIO; or
- A significant change in state policy draws into question the assumptions underlying the project.
- Submission of the Independent Project Oversight Report (IPOR) (see SIMM Section 45, Appendix G) on a monthly basis for projects classified by the OCIO as high criticality projects and on a quarterly basis for projects classified as medium criticality. The OCIO may modify the IPOR reporting frequency based on project performance. The OCIO may also validate the content of the IPORs for reportable projects as needed.
- Submission of a Post-Implementation Evaluation Report (PIER) (SAM Sections 4947-4947.2) to the OCIO and the Office of the Legislative Analyst at the conclusion of the project.
- The OCIO MAY require submission of specific project reports (SAM Section 4944) to the OCIO and the Office of the Legislative Analyst.
The OCIO may require agencies to submit an SPR under other circumstances, such as the agency's failure to meet a critical milestone or a significant increase in the project's cost in any fiscal year relative to the costs that were forecast when the project was approved by the OCIO. Additionally, the OCIO may require periodic reviews be conducted at any point during the project.
- Projects Approved By The Agency Director–Projects for which reporting was delegated to the agency director require at a minimum:
- Appropriate project oversight and project reporting to the agency director in lieu of the OCIO, and maintenance of documentation in support of agency decisions on the project. Documentation should be sufficient to meet the needs of outside auditors and to prepare the PIER.
- Approval of a PIER (SAM Sections 4947-4947.2) by the agency director at the conclusion of the project.
- Submission of an SPR (SAM Sections 4945-4945.2) to the OCIO and the Office of the Legislative Analyst if:
- Any criteria listed in SAM Section 4819.37, other than the project's cost exceeding the level the OCIO may have delegated to the agency, arise during the development or implementation of the project;
- A significant change in state policy draws into question the assumptions underlying the project; or
- The project costs exceed or are estimated to exceed the cost level the OCIO may have delegated to the agency AND one or more of the following conditions are true:
- The total information technology project costs deviate or are anticipated to deviate by ten percent (higher or lower) or more from the estimated information technology project budget (to be measured against the combined total of each fiscal year's One-time Costs plus Continuing Costs);
- The overall project development schedule falls behind or is anticipated to fall behind by ten percent or more;
- The total program benefits deviate or are anticipated to deviate by ten percent (higher or lower) or more from the estimated total program benefits (to be measured against the combined total of each fiscal year's Cost Savings and Cost Avoidances); or
- A major change occurs in project requirements or methodology.
Based on its review of the Agency Information Management Strategy (see SAM Sections 4900-4900.6) and its assessment of the agency's project management capabilities, the OCIO MAY require one or more of the following additional project reporting/oversight responsibilities for projects subject to oversight by the agency director:
- Submission of the FSR and/or approval document, signed by the agency director, to the OCIO and the Office of the Legislative Analyst.
- Submission to the OCIO of a detailed project schedule showing key milestones during the life of the project;
- Submission of periodic project reports (SAM Section 4944) or SPRs (SAM Sections 4945-4945.2) to the OCIO and the Office of the Legislative Analyst; or
- Submission of a PIER (SAM Sections 4947-4947.2) to the OCIO and the Office of the Legislative Analyst at the conclusion of the project.
Responsibilities and Tasks
Office of the Chief Information Officer
- The OCIO is responsible for developing and maintaining the state-level IT Project Oversight Framework (see SIMM Section 45), which provides the minimum requirements for IT project management, risk management, project oversight, and project reporting activities at the department, agency and control agency levels.
- The OCIO is responsible for assessing department and agency IT project management and oversight activities to ensure compliance with state-level IT policies and standards. The OCIO will assess IT projects to determine the degree to which projects are on cost, schedule, and scope as compared to the approved project plan.
- The OCIO will recommend and pursue prescriptive measures and corrective actions to minimize risk to the state and help ensure that IT projects achieve expected outcomes in accordance with the approved project plan.
Agencies
- Agencies are responsible for developing IT strategic plans that are aligned with their business plans and ensuring that IT plans are updated as their business needs and requirements change.
- Agencies have ultimate responsibility and accountability for the successful implementation of their IT initiatives and must implement processes and procedures to facilitate success, including appropriate project management and quality assurance processes and methodologies.
- Agencies are responsible for establishing the required project management and oversight activities and functions defined in the IT Project Oversight Framework (see SIMM Section 45). Each agency must update its project management and oversight practices to reflect changes in State policy, processes, and the IT Project Oversight Framework.
- Agencies are responsible for ensuring that projects consistently follow state-level IT oversight policies and requirements, legislative mandates, and applicable laws.
- Agencies are responsible for providing project status information sufficient to allow the OCIO to meet its oversight reporting and full disclosure responsibilities.
4819.37 PROJECT REPORTING CRITERIA (Revised 09/08)
Before encumbering or expending funds on, or dedicating staff resources to, any of the following reportable projects, the agency must: (1) obtain the OCIO's approval of an FSR for the project; or (2) obtain the OCIO's approval of a Feasibility Study Report - Reporting Exemption Request (FSR-RER), with the subsequent approval of an FSR by the agency director:
- Projects whose initiation depends upon decisions to be made during the development or enactment of the Governor's Budget, such as approval of a Budget Change Proposal or Budget Revision to increase the agency's existing information technology activities related to the project;
- Projects that involve a new system development or acquisition that is specifically required by legislative mandate or is subject to special legislative review as specified in budget control language or other legislation;
- Projects that have a cost that exceeds the level the OCIO may have delegated to the agency and do not meet the criteria of a desktop and mobile computing commodity expenditure (see SAM Section 4989-4989.3);
- Projects that meet previously imposed conditions by the OCIO.
Agencies that seek exemption from project reporting to the OCIO for a project meeting any of the above criteria must submit an FSR-RER (see SAM Section 4819.38) to the OCIO. An agency with an acceptable Operational Recovery Plan and an Agency Information Management Strategy that has been approved by the OCIO may submit an FSR-RER.
4819.38 PREPARING THE FEASIBILITY STUDY REPORT - REPORTING EXEMPTION REQUEST (Revised 06/04)
SIMM Section 40 provides instructions for completing the Feasibility Study Report - Reporting Exemption Request (FSR-RER). Agencies are required to follow the SIMM instructions for preparing and submitting the FSR-RER.
4819.39 DELEGATED COST THRESHOLD (Revised 09/08)
The OCIO assigns each agency a minimum total project development cost threshold for reporting purposes. See SIMM Section 15. The OCIO delegates to the agency the resource approval authority for any IT proposal with an estimated total development cost equal to or less than the agency's assigned cost threshold, provided the proposal does not meet any other OCIO established reporting criteria defined in Section 4819.37.
The total development cost is synonymous with one-time cost and is defined as all estimated or projected costs associated with the analysis, design, programming, verification and validation services, staff training, data conversion, acquisition, and implementation of an information technology investment. Excluded from development costs are estimated costs of continued operations and maintenance.
4819.40 EXPENDITURES FOR ONGOING INFORMATION TECHNOLOGY ACTIVITIES (Revised 09/08)
Expenditures in support of an ongoing information technology activity will normally not require the OCIO's approval of a new FSR, provided:
The activity meets the definition of previously approved project/effort as defined in SAM Section 4819.2:
Applicable activities include meeting modified needs, improving the effectiveness of the activity, program or system maintenance, or extension of existing services to new or additional users performing essentially the same functions as those that the project was designated to support. A previously approved effort/project must use substantially the same equipment, facilities, technical personnel, supplies and software to meet substantially the same requirements or to meet normal workload increases.
Note:
- "Substantially the same equipment" does not include the addition, upgrade or replacement of a central processing unit (mainframe).
- Minor changes in functionality and/or equipment will normally meet the definition of previously approved project/effort. Significant changes in functionality and/or equipment that require budget actions do not meet the definition of previously approved project/effort.
Expenditures in support of activities not meeting the above criteria are considered to be new projects, not ongoing information technology activities.
Qualification of an information technology activity as a previously approved effort requires an approved FSR AND an approved PIER in accordance with SAM Section 4819.35.
4819.41 CERTIFICATION FOR PROCUREMENT (Revised 6/03)
A signed certification of compliance with state information technology policies is required for all information technology procurements that cost $100,000 or more and are in support of a development effort. Development is defined in SAM Section 4819.2 as "Activities or costs associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new information technology applications." Procurements of hardware, software, and services (including interagency agreements) are included in this requirement.
A certification is not required for:
- Procurements for less than $100,000;
- Procurements limited only to maintenance services;
- Procurements in support of previously-approved efforts. See SAM Section 4819.40;
- Procurement of services to conduct a feasibility study, provided the services are limited to supporting or conducting the feasibility study and/or preparing the feasibility study report (SAM Sections 4927 and 4928); or
- Procurements of excluded activities as described in SAM Section 4819.32.
The certification must be completed by the agency that will directly utilize the procured goods or services, and the original signed certification must be included with the transmittal of the procurement package to the procurement agency or authority. For audit and review purposes, a copy of the signed certification must be retained in the procurement file. The required format for the certification is provided in SAM Section 4832.
4819.42 BUDGET CHANGE PROPOSALS (Revised 09/08)
Budget Change Proposals (BCP) containing specified information technology (IT) components are reviewed by the OCIO staff and an evaluation is provided to the Department of Finance Program Budget Manager responsible for review of the agency's budget.
BCPs which request funding for IT projects must be consistent with the agency's Agency Information Management Strategy (see SAM Sections 4900.1-4900.5) and the IT Capital Plan (see SAM Section 4904). The BCP must be supported by an approved Feasibility Study Report (FSR) (SAM Section 4928), or Special Project Report (SPR) (SAM Sections 4945-4945.2) prior to approval of the funding request. In exceptional circumstances, with OCIO approval, the funding request may be supported by an approved FSR Reporting Exemption Request or Project Summary Package.
FSRs and SPRs must be submitted in the format and within the time frames specified in SAM, SIMM, and IT Policy Letters issued by the OCIO. BCPs must be submitted in the format and within the time frames specified in annual budget letters issued by Finance. Incomplete or "placeholder" FSRs or SPRs submitted for consideration with an associated BCP may be returned to the agency without consideration.
4832 CERTIFICATION OF COMPLIANCE WITH POLICIES (Revised 09/08)
The SAM Section 4819.41 specifies that signed certifications of compliance with the state's information technology policies must be included with the transmittal of certain procurement packages to the procurement agency or authority. The required format of the certification is provided in SAM Section 4832, Illustration 1.
Signature Authority. Certifications for procurements of $100,000 or more MUST be signed by the agency director or by a member of agency management specifically designated by the director for this purpose.
As shown in 4832 Illustration 1, the certification must reference one of the following with respect to the justification and approval of the proposed procurement:
- If the procurement is the result of an OCIO-approved Feasibility Study Report (FSR), the project is currently under development, and the Post-Implementation Evaluation Report (PIER) has not yet been approved, provide the project number, the title, and approval date of the FSR. If the procurement is the result of an agency-approved FSR, provide the agency project number, the title, and approval date of the FSR.
- If the procurement is an Interagency agreement to procure services from a consolidated data center in support of multiple projects, it must be certified that: (1) the funding level is appropriate for the nature and scope of the services to be supplied; (2) the services are consistent with approved FSRs and/or PIERs; and (3) project reporting for the various projects is current.
Submission of an FSR to the OCIO or to the agency director does not constitute project approval. Approval requires an approval letter from the OCIO or, for delegated projects, a document indicating approval by the agency director or the director's designee.
4833 INFORMATION TECHNOLOGY ACCESSIBILITY POLICY (Revised 09/08)
It is the policy of the State of California that information and services on California State Government Web Sites are designed to be accessible to people with disabilities. In 1998, Congress amended the Rehabilitation Act and strengthened provisions covering access to information in the Federal sector. As amended, section 508 of the Rehabilitation Act requires access to the Federal government's electronic and information technology.
The Department of Justice has clearly opined that Title II of the Americans with Disabilities Act (ADA) requires all state and local governments to develop and maintain accessible web sites just as they are required to build accessible facilities. It is the responsibility of the agency to become familiar with the guidelines for achieving universal accessibility and to apply these principles in designing and creating any State of California Website. To achieve compliance, agencies need to adhere to Paragraphs A through P of Section (1194.22) - Web-based Intranet and Internet Information and Applications (www.access-board.gov/sec508/guide/).
The use of the Federal guidelines will ensure that web sites created by the State of California are developed to serve the largest possible audience. Compliance with these guidelines provides an added benefit to those users with text-based browsers, low-end processors, slow modem connections and/or no multi-media capabilities on their computer. This policy also covers access to California State Websites by new and future technologies.
4834 INFORMATION TECHNOLOGY INFRASTRUCTURE POLICY (New 03/02)
Agencies' Information Technology Infrastructure must enable information sharing across traditional barriers, enhance California's ability to deliver effective and timely services, promote interoperability, support departments and agencies in their efforts to improve government functions, and promote migration to enterprise solutions with reduced complexity and support costs.
4846 CALIFORNIA SOFTWARE MANAGEMENT POLICY (New 09/02)
Each agency shall establish and maintain appropriate computer software management practices and ensure that computer software they use and/or have purchased with State funds is legally procured and is used in compliance with licenses, contract terms, and applicable copyright laws. Each agency shall develop and implement policies and procedures to ensure that all staff understand and adhere to proper software management policies.
4846.1 SOFTWARE MANAGEMENT PLAN (New 09/02)
To prevent software piracy and promote good software management practices, each agency must maintain a software management program. Each agency must document this effort through a software management plan. See SIMM Section 120 for guidelines on the development and maintenance of this plan.
4846.2 SOFTWARE MANAGEMENT POLICY REPORTING REQUIREMENTS (Revised 09/08)
Beginning January 31, 2004, and ongoing, each agency shall retain internally for three years, by the agency Chief Information Officer, an annual certification along with the summary of updated inventories conducted by the agency as part of its ongoing software management practices. This certification must also identify the individual responsible for ensuring agency compliance with the California Software Management Policy, SAM Section 4846. In support of this certification, each agency must maintain a detailed inventory report that must be made available upon request to the OCIO and/or the Department of General Services. See SIMM Sections 80 and 120 for this and any other reporting requirements.
4851 STATUTORY REFERENCES (Revised 09/08)
Chapter 834, Statutes of 2006 (SB 834) created the OCIO, and responsibilities were expanded via Chapter 183, Statutes of 2007 (SB 90) as described in Government Code Sections 11545 and 11546.
4854 TRAINING AND EMPLOYEE DEVELOPMENT (Revised 09/08)
General Philosophy. The OCIO recognizes that training and employee development are primarily a responsibility of line management. The identification of needs, establishment of priorities, and implementation of training clearly reside with the discretion of each agency. These guidelines relate to technical IT training since management training and development and other general training activities are often intermixed with broader departmental goals. The following statements of policy are intended to facilitate these key objectives.
Policy. Employee training and employee development are the responsibility of each agency. Within an agency, line management is responsible for identification of needed skills, development and implementation of a training plan and establishment of priorities.
Training Coordinator. Agencies should appoint a training coordinator to assist line management in inventorying employee skills, assessing training needs and developing a training schedule. This may be a person in the departmental training office or a person in the IT organization.
Additional responsibilities of the training coordinator will be to act as liaison with other departments for the purpose of joint or coordinated training efforts.
Training Plans. The dynamic field of information technology requires continuous upgrading of skills in order to remain abreast of rapidly changing technology. Because of technological changes and evolving personnel needs, it is imperative that agencies have a plan that will ensure that skills required by the department are developed in an orderly fashion. Management should be aware of the extent to which the effectiveness of their programs is dependent upon the technical skills of their staff.
Training Priorities. It is recommended that priority be given to development of those skills necessary in the effective performance of each person's current position. After essential needs are met, career-related training needs may be addressed.
Source of Training. Agencies should assess their training needs and attempt to satisfy their needs through the most cost-beneficial source. Some training alternatives are: on-the-job training; development of in-house training; cooperative training programs with other departments; training programs through the state data centers; departmental group contracts with outside vendors; and attendance of one or more employees at an outside vendor's training class. The OCIO encourages close coordination and cooperation between agencies.
Out-Service Training Needs. Agencies should make every effort to identify those skill areas where they anticipate the need to contract for training with outside vendors. These needs should be outlined in their training plans. Inclusion in the preliminary plans will provide an opportunity to determine whether comparable training may be made available through a more cost-effective source or whether these needs might be coordinated with the needs of other departments.
4900 PURPOSE (Revised 5/94)
Strategic planning is essential to the successful adoption of information technology in state government. An agency information management strategy provides a means of coordinating systems development throughout the agency over the long term. It enables the agency to build systems within a common infrastructure and recognizes that no investment in systems should be made without proper planning. Inherent in the concept of information strategy is the commitment to develop business systems that are based on the real business priorities of the agency.
The purposes of the planning requirements in this section are to ensure that:
- Agency plans for and uses of information technology are closely aligned with agency business strategies;
- Each agency identifies opportunities to improve program operations through strategic uses of information technology; and
- Each agency establishes and maintains an information technology infrastructure that supports the accomplishment of agency business strategies, is responsive to agency information requirements, and provides a coherent architecture for agency information systems.
4900.1 DEFINITIONS (New 5/94)
Agency Information Management Strategy. An agency's information management strategy is the agency's comprehensive plan for using information technology to address its business needs, i.e., to successfully carry out its programmatic mission. Ideally, the agency's information management strategy represents one aspect of a well-defined overall agency business strategy and is therefore closely aligned to its business strategy. If the agency has not established a business strategy, agency staff who are responsible for the agency information management strategy must make assumptions based on their knowledge of the agency's overall mission, its program resources and priorities, and the changing nature of its environment.
Business Strategy. An agency's business strategy is its overall plan for accomplishing its mission in a changing environment with the resources it can reasonably expect to be available. Such a strategy typically addresses the agency's statutory mission and historical role, the expectations of its key stakeholders (individuals and organizations that affect the agency or that the agency affects), the factors that are critical to its success as an organization, the agency's internal strengths and weaknesses, and the political, social, economic, and technological forces in its environment that support or constrain its programs. Business strategies articulate the key issues that must be successfully addressed by the agency and identify the priorities and required resources for proposed actions. A strategy may have a time frame that is as short as a few months, if there is a limited window of opportunity for significant change. However, most agency business strategies present a three- to five-year perspective, with some agencies finding it useful to extend their strategic vision as much as ten to twenty years into the future. Strategic planning is not a one-time effort; it is a fundamental, continuing management process that allows the agency to respond in an effective manner to a changing environment.
Information Technology Infrastructure. An agency's information technology infrastructure is the base or foundation for the delivery of information to support the agency's programs and management. The infrastructure contains elements upon which an agency's information technology activities are dependent. An agency must therefore define, implement, and manage these infrastructure elements to successfully employ information technology.
The desirable characteristics of this infrastructure are efficient support for the exchange of information within the agency and between the agency and other organizations; reliable availability of information processing capabilities whenever and wherever they are needed; preservation of the integrity and confidentiality of information maintained by the agency; sufficient flexibility to allow the timely and efficient addition of new information management capabilities and modifications of established capabilities; and consistency with a coherent set of technical and managerial standards for the employment of information technology.
Typical elements in an information technology infrastructure include:
Application Systems. The applications that an agency purchases and/or develops to achieve personal productivity and program support benefits.
Architecture. The guidelines or blueprints that an agency follows in designing, acquiring, and implementing information technology solutions. Organizationally approved definitions, specifications, and standards are the primary components in an agency's information technology architecture.
Communications. Local area and wide area network components, including linkages with other organizations.
Equipment. An agency's hardware platforms and components ranging from individual personal computers to mainframes and associated peripherals.
Facilities. The electrical, ventilation, fire suppression, physical security, wiring, and other components required to support an agency's information technology capability, including the physical structure itself.
Funding. Current and projected funding for information technology planning, acquisition, development, and operations activities.
Partnerships. Relationships with other public and private sector organizations that support and enable the agency's pursuit and use of information technology.
People. An agency's technical staff, user community groups, and executive steering and oversight committees that are charged with information technology planning, approval, development, management, operations, and security responsibilities.
Plans. Detailed designs or methods for aligning information technology activities with agency business strategies and accomplishing business objectives. Typical agency information technology plans include strategic, risk management, and operational recovery.
Policies. The rules, conventions, and protocols adopted by the agency to govern the pursuit and use of information technology.
Processes and Procedures. The defined steps for planning, approving, acquiring, developing, operating, maintaining, enhancing, and using information technology within the agency.
Service Definitions. The types of services provided, accepted service levels, and service delivery time frames established for an agency's information technology support organization.
Software. The set of operating system, utility, communications, user interface, and management programs that enable users to operate and control computers and develop application systems.
The infrastructure includes elements owned by the agency and available under contract or through interagency agreement. For agencies that employ the services of a consolidated data center, for example, the required data center resources are considered part of the agency's infrastructure.
Reengineering the Business Process. The search for, and implementation of, radical changes in business processes that result in dramatic efficiencies, reductions in turnaround time, improvements in quality, or improvements in customer service.
Strategic Planning Process for Information Technology. The process of aligning agency plans for, and uses of, information technology with the agency's business strategies.
4900.2 BASIC POLICIES (Revised 09/08)
Each state agency must establish an ongoing strategic planning process for information technology and submit its strategic plan to the OCIO for approval. The strategic planning process established by an agency should be consistent with its needs, resources, uses of information technology, and management style. However, the strategic planning process should:
- Be consistent with the current statewide strategic direction for information technology, with relevant statewide policies contained in the State Administrative Manual and current management memos, and with agency policies for the management of information and information technology;
- Include active participation of agency executive and program management;
- Align agency strategies for information technology with agency business strategies;
- Identify emerging threats and opportunities in the agency's environment that have a potential impact on the agency's information management and its use of information technology;
- Assess the strengths and weaknesses of the agency in terms of its information technology infrastructure and information management capabilities;
- Assess the potential of new information technologies to enable new business strategies and further the accomplishment of established strategies;
- Provide for the creation and maintenance of an agency information technology infrastructure that will support agency information requirements and business strategies; and
- Establish goals and priorities for the acquisition of new information management capabilities.
Each agency may determine the format and content of the documentation of its strategic plan for information technology. The documentation must satisfy agency management requirements and be sufficiently detailed to provide the OCIO with a clear understanding of the agency's information management strategy. Agency Information Management Strategy (AIMS) documentation guidelines can be found in SIMM Section 110.
It is the responsibility of the agency to ensure that the information available to the OCIO represents its current strategy. The OCIO will base its decisions regarding the approval of an agency's information technology activities and support for its budget augmentations in part upon its understanding of the Agency's Information Management Strategy (AIMS) and the relationship between the AIMS and the agency's overall business strategy. In general, activities and proposals that are not supported by an AIMS that meets the basic requirements of this section or that are inconsistent with an agency's established strategy will not be approved or supported by the OCIO. Any agency that does not have an approved AIMS will have all information technology project delegation rescinded, including delegation for expenditures under the Desktop and Mobile Computing Policy (SAM Section 4989).
The agency must submit documentation of its information management strategy to the OCIO at the time it completes its initial strategic planning effort and, thereafter, whenever there is a significant change in strategy. SAM Section 4900.3 provides guidelines for the AIMS documentation that must be submitted to the OCIO. Additionally, the agency must annually certify that the AIMS approved by the OCIO represents its current strategy. See SAM Section 4900.5 and SIMM Section 60.
Note that approval of an agency's AIMS does not imply approval of specific projects, nor does it guarantee funding for the plan or specific projects an agency may initiate under the plan. Project funding must be addressed through the budget process, where final determination will be based on statewide as well as agency priorities.
4900.3 AGENCY INFORMATION MANAGEMENT STRATEGY DOCUMENTATION (Revised 09/08)
Each agency is expected to tailor the documentation of its information management strategy to its own needs and to provide the OCIO with sufficient information for the OCIO to understand that strategy in light of the agency's overall business strategy. AIMS documentation guidelines can be found in SIMM Sections 60 and 110.
Agencies are requested to address at least the following in their submittal to the OCIO:
Changes in Mission and Programs. A summary of expected changes in the agency's mission and programs that will require changes to the agency's information management capabilities.
Agency Business Strategy. A summary of the agency's business strategy for the period covered by the information management strategy.
Information Technology Vision. A summary of the agency's values and principles that articulate the conceptual basis or foundation for the agency's chosen information technology infrastructure.
Impact on Information Management. An assessment of the impact of the agency's business strategy upon its information management practices.
New Information Technologies. A statement of how new information technologies will be employed in the business strategy.
Current Information Technology Infrastructure. A description of key elements in the agency's current information technology infrastructure: standards, hardware, software, communications, personnel, partnerships, and application systems.
Planned Information Technology Infrastructure. A description of how that infrastructure will be developed or leveraged to meet future information requirements.
Information Management Priorities, Objectives, and Resources. A statement of the agency's priorities, objectives, and resources for achieving the development or acquisition of new information management capabilities.
Activities to Reengineer Agency Business Processes. A description of changes the agency has made, or is making, to restructure its business operations in an effort to achieve dramatic improvements in critical measures of performance, such as efficiency, turnaround time, customer satisfaction, and quality.
An agency may prepare a separate summary of its information management strategy for submission to the OCIO or it may choose to provide the OCIO with copies of its internal documents. The OCIO may request additional information to clarify its understanding of an agency's strategy. Agencies are encouraged to submit informational copies of their business strategies with their information management strategies and to provide oral briefings to the OCIO in conjunction with submitting their strategies.
4900.5 AGENCY INFORMATION MANAGEMENT STRATEGY REPORTING REQUIREMENTS (Revised 09/08)
The AIMS must be submitted to the OCIO at the time the agency completes its initial strategic planning effort. A revised AIMS must be submitted to the OCIO for approval whenever there is a significant change in the agency's strategy. Additionally, to assist the OCIO in reviewing an agency's information technology BCPs (see SAM Section 4819.42), the agency annually must certify, by August of each year, or as instructed by the OCIO, that the AIMS approved by the OCIO represents its current strategy. SIMM Section 60 provides a template for the AIMS transmittal letter, which must be signed by the agency director or chief deputy director, for this annual certification.
4903 EXHIBITS AND SUPPORTING DOCUMENTS (Revised 5/94)
The documents required in SAM Sections 4903.1-4903.4 supplement the information in the agency's AIMS by providing details about the organization of information management within the agency and the resources available to the agency.
4903.1 INFORMATION MANAGEMENT ORGANIZATION (Revised 09/08)
By June 30 of each year, or as instructed by the OCIO, each agency must submit to the OCIO organization charts showing:
- The relationship between the organizational unit or units responsible for information management functions (including telecommunications) and other units within the agency; and
- The internal organization of the unit or units responsible for information management functions, including telecommunications. The internal organization chart should indicate numbers of positions by classification.
4903.2 INFORMATION MANAGEMENT COSTS (Revised 09/08)
By January 31 of each year, or as instructed by the OCIO, each agency is required to summarize its actual and projected information technology costs for the past year, current year, and budget year in a format required by the OCIO. See SIMM Section 55. Information technology is defined as all electronic technology systems and services, automated information storage and retrieval, telecommunications which include voice, video, and data communications, requisite systems control, simulation, and electronic commerce.
Agency telecommunications costs are to be summarized separately from all other information technology costs. Thus, two cost summaries are required:
- A Summary of Data Processing Costs, which must include all information technology costs except those for telecommunications; and
- A Summary of Telecommunications Costs. For the purposes of the summaries, telecommunications activities include voice and data communications, the transmission or reception of signals, writing, sounds, or intelligence of any nature by wire, radio, light beam, or any other electromagnetic means. The costs of all other information technology activities are to be included in the data processing summary.
4904 INFORMATION TECHNOLOGY FIVE-YEAR CAPITAL PLAN (New 09/08)
To forge the necessary integration of the business and IT functions in California state government, state Agencies are required to prepare and submit a Five Year IT Capital Plan (Agency IT Capital Plan) for review by the OCIO and the Department of Finance. These plans will serve to inform the Statewide Five Year IT Capital Plan. The Agency IT Capital Plans will:
- Ensure that IT investments drive program efficiency and effectiveness and improve the quality of government services for Californians.
- Facilitate improvements in internal business processes and financial management through IT investments.
- Link IT investments to state and agency priorities and business direction.
- Promote the alignment of IT investments with the Agency's enterprise architecture (Technology, Standards, and Infrastructure).
- Enhance and promote enterprise data sharing through IT investments.
- Facilitate consideration and conceptual approval to pursue selected IT investments.
The scope of the Agency IT Capital Plans will include (see SIMM Section 57):
- All projects or IT investments (including infrastructure changes) that are proposed for initiation during a five year period; and
- The documentation necessary for the OCIO to provide conceptual approval.
The Agency IT Capital Plans must be updated annually or more frequently as needed and do not eliminate the requirement for a detailed business case for conceptually approved IT projects.
The Statewide IT Capital Plan will represent the Administration's plan for strategic IT investments and will be supported by the Governor's Budget, the CIO's Statewide IT Strategic Plan, Budget Change Proposals, and Feasibility Study Reports.
4920 PURPOSE (Revised 09/02)
The feasibility study represents the first opportunity for agency management to assess the full implications of a proposed information technology project. The feasibility study is also the means of linking a specific information technology project to the agency's strategic business plans and information technology plans, and to ensure that the proposed project makes the best use of the agency's information technology infrastructure. The purposes of the feasibility study are to:
- Determine whether there is a business case for a proposed project, i.e., whether the expenditure of public resources on the project is justified in terms of the project's:
- Being responsive to a clearly-defined, program-related problem or opportunity;
- Being the best of the possible alternatives;
- Being within the technical and managerial capabilities of the agency; and
- Having benefits over the life of the application that exceed development and operations costs. Project benefits typically include reduced program costs, avoidance of future program cost increases, increased program revenues, or provision of program services that can be provided only through the use of information technology.
- Provide a means for achieving agreement between agency executive management, program management, and project management as to:
- The nature, benefits, schedule, and costs of a proposed project; and
- Their respective management responsibilities over the course of the project.
- Provide executive branch control agencies and the Legislature with sufficient information to assess the merits of the proposed project and determine the nature and extent of project oversight requirements.
4921 FEASIBILITY STUDY BASIC POLICY (Revised 12/04)
A feasibility study must be conducted prior to the encumbrance or expenditure of funds on any information technology project. For most projects, the feasibility study must be conducted in conformance with SAM Sections 4922 through 4927. The only exception to this requirement is the acquisition of desktop and mobile computing commodities under the Desktop and Mobile Computing Policy. (See SAM Section 4989.) In addition, a Feasibility Study Report (FSR), which documents the feasibility study, must be approved prior to the encumbrance or expenditure of funds, including the use of staff resources, on any information technology project beyond the feasibility study stage. For most projects, the FSR must be prepared in accordance with SAM Section 4928. For projects that have been delegated to the agency director and whose costs fall below a specified level, the feasibility study may be documented by means of a Project Summary Package. See SAM Section 4930 and SIMM Section 20.
The FSR must be reviewed and approved in accordance with the general requirements of SAM Sections 4819.3-4819.42 (State Information Management Authority and Responsibility), as well as the specific requirements of Sections 4926-4930.1. See SIMM Section 20 for FSR Preparation Instructions.
4922 FEASIBILITY STUDY SCOPE (Revised 5/94)
The scope of the feasibility study must be commensurate with the nature, complexity, risk, and expected cost of the proposed use of information technology.
The study must provide sufficient information to assure agency program management that the proposed response meets program requirements. The study also must provide sufficient information to allow agency executive management to make a sound decision as to the merits of the proposed response as an investment of public resources.
4923 FEASIBILITY STUDY PARTICIPATION (New 3/87)
The feasibility study must be based on an understanding of the needs, priorities, and capabilities of: (1) the users of the information that is to be provided; and (2) the agency unit or program that will have operational responsibility for the information technology application. Representatives of program management and staff must participate in the feasibility study process.
4924 FEASIBILITY STUDY DOCUMENTATION (Revised 09/08)
SAM Section 4928 and the instructions and guidelines published by the OCIO (see SIMM Section 20) specify the content of the FSR, which must provide a complete summary of the results of the feasibility study. In addition to the FSR, the agency must maintain sufficient documentation of each study to ensure that project participants, agency management, and control agency personnel can resolve any questions that arise with respect to the intent, justification, nature, and scope of the project.
4925 CONSISTENCY WITH AGENCY INFORMATION MANAGEMENT STRATEGY AND IT CAPITAL PLAN (Revised 09/08)
Each proposed project must be consistent with the agency's overall strategy for the use of information technology, as expressed in its current Agency Information Management Strategy (see SAM Sections 4900.2-4900.6) and IT Five-Year Capital Plan (see SAM Section 4904).
4927 FEASIBILITY STUDY PROCESS (Revised 5/94)
Each agency must follow a systematic, analytical process for evaluating and documenting the feasibility of information technology projects, as defined in SAM Section 4819.2. This process must include:
- Developing an understanding of a problem (or opportunity) in terms of its effect on the agency's mission and programs;
- Developing an understanding of the organizational, managerial, and technical environment within which a response to the problem or opportunity will be implemented;
- Establishing programmatic and administrative objectives against which possible responses will be evaluated;
- Preparing concise functional requirements of an acceptable response;
- Identifying and evaluating possible alternative responses with respect to the established objectives;
- Preparing an economic analysis for each alternative that meets the established objectives and functional requirements;
- Selecting the alternative that is the best response to the problem or opportunity;
- Preparing a management plan for implementation of the proposed response; and
- Documenting the results of the study in the form of a Feasibility Study Report (FSR), as specified in SAM Section 4928.
4928 FEASIBILITY STUDY REPORT (Revised 09/08)
The FSR must provide an accurate summary of the results of the feasibility study. As with the study itself, the scope of the FSR must be commensurate with the scope and complexity of the problem or opportunity being addressed. Enough technical detail must be included in the FSR to show that the proposed response to the problem or opportunity is workable and realistic. The FSR must provide a basis for understanding and agreement among project management, executive management and program management, as well as satisfy the information requirements of state-level control agencies.
The FSR must be submitted to the OCIO and to the Office of the Legislative Analyst. In addition, the FSR must be submitted to the Department of General Services when the contract total exceeds the agency's delegated purchasing authority threshold. FSRs must be submitted in a format specified by the OCIO and signed by the agency director or his/her designee. The OCIO publishes detailed instructions and guidelines for agencies' use in preparing FSRs. A copy of the instructions, guidelines, and required forms is available in SIMM Section 20. The instructions and guidelines specify the MINIMUM amount of information necessary for the OCIO's approval of the FSR.
The FSR must provide a complete summary of the results of the feasibility study and establish the business case for investment of state resources in a project by setting out the reasons for undertaking the project and analyzing its costs and benefits. Documentation provided by the agency must contain at least the following information:
- A description of the business problem or opportunity the project is intended to address.
- The project objectives, i.e., the significant results that must be achieved for an alternative to be an effective response to the problem or opportunity being addressed.
- A thorough description of the selected alternative, including the hardware, software and personnel that will be used.
- A discussion and economic analysis of each of the alternatives considered in the feasibility study that meets the established objectives and functional requirements, and the reasons for rejecting the alternatives that were not selected.
- A complete description of the information technology capabilities and the conditions that must exist in order to satisfy each defined objective.
- An economic analysis of the life cycle costs and benefits of the project and the costs and benefits of the current method of operation during the life cycle of the project.
- The source of funding for the project.
- A detailed project schedule showing key milestones during the project's life.
A Project Summary Package (SAM Section 4930) must be prepared and included in the FSR.
The agency must maintain sufficient documentation of each study to ensure that project participants, agency management, and control agency personnel can resolve any questions about the intent, justification, nature, and scope of the project.
4930 PROJECT SUMMARY PACKAGE (Revised 12/04)
A Project Summary Package must be prepared and included in each FSR and SPR. In addition, the Project Summary Package may be used to document the feasibility study for projects with a total development cost equal to or less than ten percent of the agency's cost delegation threshold. See SAM Section 4819.39.
See SIMM Section 20 and/or 30 for instructions for completing the Project Summary Package.
4940 PROJECT OVERSIGHT AND PROJECT IMPLEMENTATION AND EVALUATION POLICY (Revised 09/08)
Agencies must establish project reporting and evaluation procedures for each approved information technology project. The scope of these procedures must be commensurate with the overall scope of the project's associated risk to the state.
The fundamental requirements for project oversight and evaluation are specified in SAM Sections 4819.30-39 - 4819.42. All projects, including projects delegated by the OCIO to the agency director, are subject to those requirements. Projects that have been delegated to the agency director in accordance with SAM Section 4819.36 require appropriate project reporting by the project manager to the agency director.
4941 OVERVIEW (Revised 09/08)
Once the FSR for an information technology project has been approved, the project may proceed, contingent upon any conditions imposed by the OCIO. Throughout the project phases, agency management must follow the IT Project Oversight Framework (see SIMM Section 45) to provide the appropriate level of independent project oversight, project management practices and project risk assessments to ensure the success of the project.
Post-Implementation and Evaluation Report. Following completion of each information technology project, a post-implementation evaluation must be carried out by the agency. The evaluation should:
- Measure the benefits and costs of a newly-implemented information technology application or system against the most recently approved project objectives; and
- Document projected operations and maintenance costs over the life of the application or system.
4942 COMPLIANCE REVIEW (Revised 09/08)
Specific projects or agencies as a whole may be subject to compliance reviews conducted by the OCIO. The purposes of a compliance review are to verify agency adherence to statewide information technology policies as well as approved agency policies, and to determine agency fulfillment of approved plans. The OCIO will review project reporting documentation in conjunction with its compliance review and oversight responsibilities.
The OCIO may impose sanctions, such as a reduction or elimination of an agency's delegated cost threshold for reporting and approval of IT projects by the OCIO, or other sanction deemed appropriate by the OCIO, upon finding that a state agency is consistently and/or willfully out of compliance with state policies.
4943 AUDIT OF INFORMATION TECHNOLOGY PROJECTS (Revised 09/08)
All information technology projects are subject to audit, with project reporting and evaluation documents an essential aspect of the audit trail. Documentation supporting project decisions must be kept by the agency for a minimum of two years following approval of the post-implementation assessment.
Some projects may be subject to ongoing review by the Office of State Audits and Evaluations (OSAE). OSAE may review the Feasibility Study Reports of projects approved by the OCIO and the Feasibility Study Report - Reporting Exemption Requests of projects delegated to agencies by the OCIO. OSAE will select projects for ongoing review based on their risk, cost, and materiality.
For projects selected for ongoing review, OSAE will develop and submit to agency management periodic status reports and the project Post-Implementation Evaluation Report (PIER) required under SAM Section 4947. Agencies are required to submit final versions of the periodic status reports and the project PIER to the OCIO within five working days after they are received from OSAE.
If OSAE determines that the project should be audited, the agency must enter into an interagency agreement with OSAE for that purpose. Since the cost that the agency otherwise would have incurred in monitoring the project and producing progress reports and the PIER will no longer be borne by the agency, these costs should not be included in the project budget. However, the agency should ensure that the project budget includes an amount sufficient to cover the costs of the interagency agreement with OSAE.
4944 IT PROJECT OVERSIGHT AND REPORTING (Revised 09/08)
The OCIO will conduct Agency, department, and IT project management and oversight assessments designed to provide agency management and the OCIO with information on the progress of a project, including compliance with the minimum requirements for IT project management, project risk management, project oversight and project reporting activities at the agency and control agency levels as outlined in the IT Project Oversight Framework (see SIMM Section 45). The OCIO will schedule assessments based on established criteria.
Independent Project Oversight Reports (IPORs) must be submitted to the OCIO on a regular basis, based on project criticality (see SIMM Section 45).
4945 SPECIAL PROJECT REPORT—GENERAL REPORTING REQUIREMENTS (Revised 09/08)
Preparation of an SPR is required whenever a project substantially deviates from the costs, benefits or schedules documented in the approved FSR, when a major revision occurs in project requirements or methodology, when criteria listed in SAM Section 4819.37, other than the project's cost exceeding the level the OCIO may have delegated to the agency, arise during the development or implementation of the project, or when a significant change in state policy draws into question the assumptions underlying the project. No encumbrance or expenditure of funds shall be made to implement an alternative course of action until approval has been received from the OCIO or the agency director, as appropriate. SAM Section 4819.36 lists specific conditions that require submission of an SPR to the OCIO.
If an SPR for a delegated project must be submitted to the OCIO, the agency must attach to the SPR a copy of the approved Feasibility Study Report and the Transmittal signed by the agency director or his/her designee.
The SPRs which must be submitted to the OCIO should be transmitted within 30 days after recognition of a substantial deviation. The SPR must be submitted to the OCIO and the Office of the Legislative Analyst. SPRs must be submitted in a format specified by the OCIO and signed by the agency director or the director's designee. See SIMM Section 30 for SPR Preparation Instructions.
4945.2 SPECIAL PROJECT REPORT—CONTENT AND FORMAT (Revised 09/08)
The SPR must provide sufficient information for agency management, executive branch control agencies, and the Legislature to assess the merits of the proposed project change and determine the nature and extent of future project oversight requirements. If an SPR lacks sufficient information for these purposes, the OCIO will request that the agency provide additional information.
Information provided in the SPR must be commensurate with the level of deviation of costs, benefits, timelines, or project requirements from those of the approved FSR or last approved SPR.
The SPRs must be submitted in a format specified by the OCIO and signed by the agency director or his/her designee. The MINIMUM content for an SPR is project status, an explanation of the reason for the project deviation, a revised project management schedule, and economic summary information. The OCIO publishes instructions and guidelines for agencies' use in preparing SPRs. See SIMM Section 30 for SPR Preparation Instructions.
4946 MAINTENANCE AND OPERATIONS PLAN POLICY (Revised 09/08)
The Maintenance and Operations (M&O) Plan provides an orderly, cost-effective and planned process for ongoing routine M&O activities of implemented information technology (IT) systems.
The OCIO may request agencies to submit an M&O Plan for IT projects. Agencies requested to submit an M&O Plan must have the plan approved by the OCIO before commencing M&O activities. Once an M&O Plan is approved, agencies must provide the OCIO annual updates. The OCIO can suspend or withdraw its approval of the M&O Plan to respond to changing circumstances.
See the Statewide Information Management Manual M&O Plan Guidelines located in SIMM Section 160.
4947 POST-IMPLEMENTATION EVALUATION REPORT (Revised 09/08)
Unless the agency has entered into an interagency agreement with the Office of State Audits and Evaluations (OSAE) under SAM Section 4943, a post-implementation assessment must be carried out by the agency following the completion of each information technology project. No project is considered complete until the report of that assessment, the Post-Implementation Evaluation Report (PIER), has been approved by the OCIO or by the agency director, as appropriate. Approval of a PIER by the OCIO or the