GITA Orientation Training for: State Project Management Certification February 22, 2010
Project Management Certification • Welcome (Paul Wix) • Introductions • Background • Objectives of the Program
Project Management Certification • Agenda • PIJ and Project Oversight – Paul Wix • IT Security & Privacy – Jim Ryan • State Web Portal – Andy Miller • Break • Enterprise Architecture – Raj Kollengode • Clarity – John Harrell • Phoenix Chapter PMI – Forrest Smith
Project Investment Justification • Project Investment Justification (PIJ) • Oversight Authority • GITA/ITAC Statutes • PIJ Overview • PIJ Recommendation • PIJ Policy, Standard, Procedure • Questions
Project Investment Justification • Oversight Authority • Arizona Revised Statute, 41-3504 Powers and Duties of the Agency, requires the Government Information Technology Agency (GITA) to evaluate and monitor Information Technology (IT) projects, including expenditures, activity reports and to perform periodic reviews.
Project Investment Justification • GITA/ITAC Statutes • IT Projects of $25K or more – GITA • IT Projects of $1M or more and high risk projects will require ITAC review and approval – ITAC • Projects shall not be artificially divided to avoid review • Demonstrate competency to carry out IT projects successfully • Monitoring, Collaboration and Support from GITA Oversight Managers. • There are times when temporary suspension of a project may be required to evaluate a go/no go decision. • Life Cycle Analysis
Project Investment Justification • PIJ Overview • GITA’s goal is to be involved as early as possible in the project lifecycle to provide advice and guidance in the project solutions and strategy during the onset of the approval process. • When the PIJ is submitted to GITA it will be reviewed by the Oversight Manager assigned to your agency. They will work with the agency to ensure the information in the PIJ is clearly defined, provide advice, direction and request details to meet the requirements for the PIJ approval process. • PIJ Template based on dollar requirements $25K / $100K / $1M, risk and project type. • Management Summary • To Be • As Is • Proposed Technology • Major Deliverables & Outcomes • Roles & Responsibilities • Other Alternatives Considered • Summary Project Management Schedule • Value to the Public / Benefits to the State • Financial Assessment • Risk Assessment • Approvals • Itemized List • Connectivity Diagram • Gantt Chart
Project Investment Justification • PIJ Approvals • Approval Types: • Approval • Approval with Conditions • EXAMPLE: The ITAC voted in the affirmative for Approval with Conditions of the technology project as follows: The assigned Project Manager must have completed either Project Management Professional or State of Arizona Project Management certification. • Provisional Approval • Disapproval • Returned • Withdrawn • Other Approvals as Required • ITAC Approval
Project Investment Justification • PIJ Policy, Standard, Procedure • PIJ Review Process • Definitions WWW.AZGITA.GOV
Project Investment Justification • Questions ? • Contact Information: Joyce Raschiatore, email@example.com (602) 364-4976 Chuck Revenew, firstname.lastname@example.org (602) 364-4796 Paul Wix, email@example.com (602) 418-5350 Sue Anderson firstname.lastname@example.org 602-284-8252
GITA Oversight Project Oversight Authority Responsibilities Process & Procedures Clarity PPM Tool – Project Management System
GITA Oversight Oversight Authority Arizona Revised Statute, 41-3504 Powers and Duties of the Agency, requires the Government Information Technology Agency (GITA) to evaluate and monitor Information Technology (IT) projects, including expenditures, activity reports and to perform periodic reviews.
GITA Oversight GITA Oversight Responsibility Your agency’s GITA Oversight Manager will continue with you from the PIJ approval process through the project monitoring process… After projects are approved, GITA is responsible for Reviewing project progress, in order to track major milestones, deliverables, financials, outstanding risks and issues, and changes to scope/cost/timeline Supporting the agency Project Manager Providing direction, advice and guidance If project issues are reported, GITA: May make recommendations for improvements or corrections to the project. Will track project progress in the Clarity system.
GITA Oversight Agency Responsibilities The Agency & GITA will form a partnership based on the same common goal…a successful project that is managing scope, timeline and budget with risk & issue management throughout the lifecycle of the project. Agency provides GITA with ongoing and ‘event-based’ status reports For all IT projects that are reviewed and approved by GITA. Monthly status reports will be required by the 10th of the month A project event may occur outside of the normal status report timeframe; in this case an "event based" status report would be required at the date of the event. (on hold, resumed, cancelled) Status reports help ensure Projects are being managed in an appropriate manner Sound project management practices are being followed from financial, scope and timeline perspectives.
GITA Oversight Oversight Process Starts Request for Start Up email sent to the agency contact by the GITA Oversight Manager once PIJ is approved. Project Status Report template and instructions also provided along with Request for Start Up (basic PIJ information will be filled out by GITA) Project Name PIJ ID Agency Contact in PIJ Reporting requirements Approved Development Budget Project Description PIJ Conditions (if applicable) Agency will fill out Start Up project information on the “Project Start Up Status Report” template and send to GITA prior to spending project funds. Contact Information Project Status – Required Fields Project Commentary Project Schedule/Major Tasks or Milestones with estimated start and end dates – Required Fields Project Financials – Required Fields FTE Hours Risk/Issue (when required) PIJ Condition Updates (when required)
GITA Oversight Project Status Report Template
Project Budget, FTE Hours, Risk, Issue, Changes & PIJ Conditions Template (Continued)… Project Budget, FTE Hours, Risk, Issue, Changes & PIJ Conditions
Status Reporting • PROJECT STATUS REPORTING - OVERALL PROJECT STATUS • It is important to look at the three areas of project control - cost, schedule and scope - to determine how the project is trending.
PROJECT STATUS EVENT • During the project lifecycle the project may experience “event changes”; these events must be communicated through the “project status report”. Below are the events that will be reported during the project. • Startup Project Status - When the project start date has been established. It is most important that the Startup Project Status Report be completed and submitted to GITA before any funds are expended, and that the Project Start and End dates are as accurate as possible. You’ll also need to provide milestones on the Status form that support the Project Start and End dates, as well as the planned activities per the PIJ. • Current Project Status - Ongoing report on the status of the project. Factors to report on include project status, accomplishments, progress against milestones, expenditures to date, issues, risks and other areas of concern that have been encountered. The Condition section of the form can be updated to indicate that a condition has been met, if applicable. • Project On Hold Status - If a major delay is encountered in the project. No additional development funds are to be expended while the project is on hold. NOTE: If the project remains on hold for more than 2 years, an updated PIJ document from the agency will need to be resubmitted for PIJ approval due to the possibility of new technology advances. • Project Resumption Status - As soon as an on hold project can start again. See project change request section for more details, since a change to the end date may be necessary. • Project Cancellation Status - If cancelled or never officially started. A Project Cancellation generally indicates that no funds have been expended on the project. Should that not be the case, and yet there are circumstances requiring that the project be cancelled, those should be discussed with the GITA Oversight Manager before submitting the Project Cancellation Status Report.
• Project Completion Status - When the project has successfully completed. Final information on all applicable sections of the Status Report is to be provided.
Project Risk and Issues • PROJECT RISKS • Identify something that MAY OCCUR during the project and cause problems. Risks need to be mitigated before they become an issue. • What is the PROBABILITY that the risk could occur and what is the IMPACT if it does occur? • PROJECT ISSUES • Identify something that HAS OCCURRED which is causing impact on the project and needs to be resolved. • What is the PRIORITY of the ISSUE?
GITA Oversight Project Data is captured in Clarity Project Portfolio Management (PPM) Tool Captures project information provided by Agency in Start Up and ongoing status reporting PIJ information Approval Status Start/End Date once established Project Manager/Contact Status Comments and Status Indicator (green, yellow, red) Milestones/Major Tasks w/ start, end dates & progress completed Approved Budget and ongoing Spent to Date Project Risk/Issues Project Changes Documentation
GITA Oversight Clarity Project Portfolio Management (PPM) Tool – Project Details
Capture PIJ Information Capture PIJ Information from the approval process
Capture Milestones/Task/Baselines Capture Project Major Milestones/Tasks from Agency’s Project Start Up Status Report
Capture “Approved Development Budget” and “Spent to Date” Capture “Approved Development Budget” and “Spent to Date” from ongoing Status Reporting
Project Risk, Issue and Changes Project Risks, Issues and Changes
GITA Oversight PROJECT CHANGE REQUEST (formally known as Amendment) PROJECT CHANGES In the event that a major change occurs during the lifecycle of a project or at resumption (if the project has been on hold), the Agency MUST submit a “Project Change Request” to GITA for approval before proceeding. A major change is identified as any one of the following: Project End Date Development Cost Scope (including changes in technology, deliverables or outcomes) Changes to the Project End Date can be approved by the GITA Oversight Manager, with email authorization by your Agency CIO. All other changes may require formal GITA approval, and as such, require that the “Project Change Request” form be signed by the Agency CIO. For changes in development expense or scope, additional information in the form of updated financial or other applicable pages from the PIJ should be submitted along with the Change Request form. If you are not certain whether a Change Request is required or what additional information may be needed, contact your GITA Oversight Manager before submission.
GITA Oversight Project Change Request Form (formally known as Amendment)
GITA Oversight Oversight Procedures Written instructions for roles and responsibilities: azgita.gov/policies_standards/#management S341,S342,S343 Forms are posted on our website. www.azgita.gov Please feel free to contact your GITA Oversight Manager at any time during the project approval process and monitoring. **Very Important – If you start experiencing problems with your project, then get us involved right away! PLEASE NOTE: Redesign efforts are currently underway for PIJ and Oversight processes and procedures…new templates will be provided through a communication to your Agency with instructions as they become available.
State Project Management Development • GITA has begun to launch a “Community of Interest” offering that would include a series of topics. • Virtualization • Information Security • Document Management • Project Management • Team up with PMI for PDU on wheels events • Symposiums for special events • Establish forums and local users groups
GITA Oversight Questions ? Contact Information: Joyce Raschiatore, email@example.com (602) 364-4976 Chuck Revenew, firstname.lastname@example.org (602) 364-4796 Paul Wix, email@example.com (602) 418-5350
Statewide Information Security & Privacy Office (SISPO) SISPO Orientation
SISPO Agenda • SISPO • Authority • Organization & Functions • Activities • Project Requirements • Confidentiality and Project Management • Project Privacy Checklist • Conclusion
State of Arizona A.R.S. 41-3507 • SISPO’s Roles and Responsibilities: • Strategic planning & coordination • Continuity of Operations Planning (COOP) and IT Disaster Recovery Planning (DRP) • Compliance plan for Information Security & Privacy • Agencies required to report incidents • Statewide Infrastructure Protection Center (SIPC) • Review & Escalation • Mitigation • Compliance & Monitor • Reporting • Training & Awareness Program • Tailored Awareness Compliance Training • Web Based CBT Programs • Security Certification - on Hold (CISSP)
SISPO Organization • Staff: • Chief Information Security Officer (Jim Ryan) • Chief Privacy Officer (Mary Beth Joublanc) • State HIPAA Coordinator • Operations/Relationship Manager (Sherri Eshkibok) • Functions: • Strategic Alignment • Rule Writing (ARS 41-3507) • Risk Assessments and Compliance Reviews • Incident Response Reporting and Mitigation • Awareness Training and Education • Consulting
SISPO Activities • Review Incidents • Internal controls & procedures • Collaboration with agencies and ADOA • Executive Order compliance • 2008-10 (See Slides 34 and 35) • Update Incident Reporting Procedure • Project Investment Justification (PIJ) • Security / Privacy • Continuity of Operations Plan • Mission Essential Business Functions • IT Disaster Recovery Plan
SISPO Activities • Relationship Management • Agency Deputy Directors (G1s) (COO) • Agency Directors (G2s) • Agency CIOs, ISOs, APOs • Vendors • Legislators • Committees • Other Branches of AZ Government • Other States CISOs/CPOs • Federal Government and Industry Groups
SISPO Activities • Policy, Standards & Practices • Review / update & formulate new • TISA (Technology Infrastructure & Security Assessment) • Annual reporting • Gap analysis • Compliance reviews and oversight • Committees • Participate in current • Organize new • Oversight • Provide support to existing activities • Create compliance review process
Project Requirements • Risk Assessment and Management • Determine level of risk • Data Classification • Data Inventory • Brand, Media, Public Perception, Financial • Create controls to mitigate risk • By design • Encryption is a great control process • Defense in Depth • Social Engineering & Insider Threat • Project Goals for Privacy • Protection of • Personally Identifiable Information (PII) • Do you know what the PII is for your project? • Consult your CPO if in doubt • Confidential Information • Individually / Aggregate
The Challenge of How to Define “Confidential” or “Private” • AZ Health Information laws and the federal Health Insurance Portability and Accountability Act (HIPAA) (45 CFR 160, 162, 164) • Arizona Medical Record Confidentiality Laws (ARS 12-2291-12-2297) • Agency Confidentiality Laws (Numerous: ADES, ADHS, DOHS, ADC, etc) • Social Security Number Protection (ARS 44-1373 – 1373.03) • Breach Notification Law (ARS 44-7501) • Data Destruction (ARS 44-7601) • Anti-Identification Laws – Expands Definition of PII (ARS 41-4171, 41-4172 and 13-2001) • State Agency Web Site Records and Privacy Laws (ARS 41-4151 and 41-4152) • Many other state and federal laws
Confidentiality and Project Management • Does leadership value data as an asset? • Do organizational procedures, practices and investments address protecting confidential information? • Will project involve a new or different use of PII or other confidential information? • Is there statutory authority? • ID all parties who will have access (role based) • Monitoring and Incident Reporting • Security for electronic and hardcopy PII or confidential information • Retention & Redaction provisions • Use Scope of Work for specific privacy and information security Ts & Cs
Privacy Checklist • Critical assets • Paper • Digital • Infrastructure • Recovery • Audit “ability” • Activity logging • Accountability • Unique identity
Privacy Checklist • Monitoring • Critical activity • Regulations • Laws • Information destruction • Delete vs. permanent • User training • Privacy • Information Security
Privacy Checklist • Service Level Agreements • Privacy Goals • Privacy and Information Security Measures • Privacy is what you protect, security is how you protect it • Statewide Policies & Standards • NIST and GAPP (Generally Accepted Privacy Principles) Alignment • Provide Key Guidelines • Report all incidents to: • SISPO and SIPC • Agency Executives • For Non-state agencies: • As directed by agency (e.g. agency privacy officer, risk manager, executive management)
Remember • Privacy is the GOAL • Security is the journey • Technology can help • People are the key
Jim Ryan Chief Information Security Officer 602.364.4771 or firstname.lastname@example.org Mary Beth Joublanc Chief Information Privacy Officer and State HIPAA Coordinator 602.364.4537 or email@example.com Sherri Eshkibok Operations/Relationship Manager 602.480.335.7642 or firstname.lastname@example.org SISPO Contacts for Questions/Consultations • www.azgita.gov/sispo/
Delivering e-Government Services Andy Miller Digital Government Services Manager, GITA