Excellence in Information Technology Practices



2020 Reviewers Guide

This guide is intended to serve as a general guide to answering the ‘Information Technology Practices’ award. The guidelines given list the goals for each question, allowing the reviewer to grade an individual question or an entire category as:

0 = Information not present
1 = Poor explanation or does not satisfy criteria
2 = Proficient explanation
3 = Outstanding practice or explanation

There are two levels of awards. Those entities receiving a minimum score of Proficient in 8 of the 10 categories will receive an “Achievement in Information Technology Practices” award. Those receiving an ‘Outstanding’ grade in 6 of the 10 categories and a ‘Proficient’ in the remaining 4 categories will receive an “Excellence in Information Technology Practices” award.

Due to differing sizes and other factors, IT organizations may not answer the questions in the same way. The grading of the applications is intended to accommodate differing IT practices and agency size.

The applications, reviewer’s comments, and any related materials will be considered confidential and will not be released to any organization nor published without the author’s consent. The determination of awards by the judges will be final.

Agency: ____________________

For MISAC Use Only. Each question below is scored as Question / Rating / Reviewer's Comments.

I. Budget and Strategic Planning

The goal of the Budget category is to have control of the IT budget, input into any departments that control their own budget, and a long-range technology plan that is suitable for the organization.

Outstanding: Requires a score of “3” on at least 5 questions and a minimum score of “2” on the others. To rate outstanding, the agency must have long-range planning and budget procedures in place, and IT must directly control its own budget and the majority of the City’s technology expenditures, with sufficient input to other departments.

Question: What percentage of your agency’s annual budget for all funds is related to information technology? Include all agency dollars related to technology, even if budgeted in various departments. (The answer shall show the calculation and state the percentage.)
3 = > 3.5%
2 = 3.0 to 3.5%
1 = 2.0 to 3.0%
0 = < 2.0% or no answer
Reviewer notes: Map the percentage given to industry standards. The answer should include spending from all departments.

Question: Is the information technology manager/director responsible for developing the annual information technology budget for the agency? If not, who is responsible? Describe the process and methodologies used to develop and manage the budget. Explain how the information technology department or division is involved in other departments’ and divisions’ information technology budgets.
3 = “Yes”, or “No” with a good explanation.
2 = “No” with an acceptable workaround but in need of material improvement.
1 = “No” with acceptable work.
0 = No control / no answer.
Reviewer notes: Does IT have input to other divisions for appropriate replacement of old equipment, maintenance, and new projects?

Question: Explain your agency’s planning and budget mechanism to replace major hardware, software and other infrastructure. Please address both hardware and software in your response, particularly if your procedures and/or lifecycle planning differ by type of technology.
3 = Detailed explanation and solid procedures.
2 = Some procedures in place but either not comprehensive or not described sufficiently to rate outstanding.
1 = Workaround in place or flawed procedure/policy.
0 = Fails to meet standards for a higher rating.
Reviewer notes: For outstanding, the agency needs to describe planning and budget for technology assets in sufficient detail to ensure that it is planning for all types of technology in use.

Question: How does your agency incorporate new technologies?
3 = Well-explained R&D and/or testing methodologies; addresses how they plan ahead, get input, etc.
2 = Good procedures for reviewing and testing new products.
1 = IT decides what to use without department input, no methodology for testing, etc. Some fairly significant flaw, but with an underlying process in place.
0 = No answer or no methodology in place.

Question: Do you have an IT strategic plan? Please provide a copy.
2 or 3 = Determined based on factors such as the quality of the plan (with consideration to agency size, staffing, and any other explanation/background provided), how the agency gets Council and department buy-in, whether it is a living document, etc.
1 = Plan does not include current projects (plans nearing the end of life may not rate 1 if still within the cycle, but the reviewer may want to recommend an update).
0 = No plan / no answer.

Question: Describe how your agency developed and maintains its strategic plan. Has the plan been updated in the last 4 years?
3 = Needs a process to keep the plan going over time.
2 or 3 = Determined based on factors such as the quality of the plan (with consideration to agency size, staffing, and any other explanation/background provided), how the agency gets Council and department buy-in, whether it is a living document, etc.
1 = Out-of-date plan with no update scheduled, or a plan that is too high level to guide long-term activities.
0 = No plan / no answer.

Question: How does the IT strategic plan directly tie into the IT budget? Describe any processes or policies that ensure the plan will be funded over its life.
3 = Describes a thorough process or policy that ensures funding for current and future needs.
2 = Weaker tie or not enough detail in the explanation, or no long-term budget ties.
1 = Tied to the current budget with no mechanism to fund future planned initiatives.
0 = No answer or no process.
Reviewer notes: This answer should describe mechanisms for funding systems throughout the plan’s lifecycle.

Question: Is the information technology manager/director involved in your agency’s department head or strategic planning meetings?
3 = “Yes”.
2 = “No” with a good communication workaround described.
1 = “No” with an extra level of management or a poor workaround.
0 = No input, no strategic planning, or no answer.

II. Purchasing

The goal of the Purchasing category is to have standards and a mechanism to enforce those standards.

Outstanding: Requires “Outstanding” on a majority of questions and Proficient on the others, except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.

Question: Explain how your agency develops standards and keeps them up to date for the following:
- Desktop Computers / Laptops
- Servers
- Desktop Software
- Application Software
- Other information technology related equipment
3 = Good explanation of how they decide what the standard will be for each item, with a thorough method of reviewing products, determining needs, getting user input, etc., and a process for updates.
2 = Standards exist and are periodically updated for most types of equipment.
1 = Standards exist but there is no process for regular updates, or a major type of technology has been left out (for example, they only have standards for PCs but nothing else).
0 = No standards or no answer.

Question: How does your department/division enforce agency-wide information technology standards?
3 = “Yes” with a good explanation of a solid process.
2 = “Yes” with some enforcement.
1 = Flawed process.
0 = “No”.
Reviewer notes: Does the agency have a mechanism to sufficiently enforce the standards and control purchasing?

Question: Explain your technology purchasing procedures and how you ensure low cost and high quality products for all types of purchases (i.e., No-Bid, Informal Bid, Formal RFP, Consultant Services and Sole Source). Include an explanation of how you rate “value.”
3 = Looking for a good explanation that includes provisions for both RFP and non-RFP situations. Should include both what they do to achieve a good price and what they do in cases where they want the best value (e.g., a software purchase).
2 = They have some flexibility in purchasing and are doing more than just getting 3 quotes or buying everything off CMAS.
1 = Flawed process, or answer unclear as to details.
0 = Not doing anything to ensure low cost/high value, no answer, no process.

Question: Explain how your agency tracks its information technology inventory.
3 = Looking for a way of tracking multiple assets, including provisions for changes. Outstanding is distinguished by the quality and depth of the process described, for example automated updates, red flags on changes, reporting, or other advanced capabilities.
2 = Periodic physical inventory and database or written records would be sufficient, provided they can explain how they know what they own and where it is.
1 = Insufficient process or explanation, but they have made a start.
0 = No process, answer, or inventory.

Question: Does your agency have written plans, policies, or procedures for equipment purchases? Please explain.
3 = Needs at least a high-level written purchasing plan or policy; this could be the agency policy rather than a specific IT policy, depending on how the agency does business.
2 = Adequate explanation as to why there isn’t anything in writing, with a sufficient process in place; comments should recommend they add documentation.
1 = Weak procedure, policy and/or documentation.
0 = No answer, no policy, no procedures.

Question: Is your agency properly licensed on all your current software applications?
3 = “Yes” (mandatory for outstanding in this category).
0 = “No”.

Question: Managing software licenses for an IT operation (i.e., desktops, servers, applications) is challenging. Explain how IT manages software licensing and verification procedures for all software licensed by your agency.
3 = Requires a good explanation and solid procedures.
2 = Procedure in place but some process improvements required.
1 = Explanation that shows IT has made a start but needs major improvements.
0 = Fails to meet standards for a higher rating.

Question: Does the agency have policies or procedures to control non-IT-approved software purchases? Please explain.
3 = Requires “Yes”, a good explanation, and solid procedures.
2 = “Yes” with explanation, perhaps with some process improvements required, or “No” but a good explanation of a good process.
1 = Explanation that shows IT has some input.
0 = Fails to meet standards for a higher rating.

Question: Does the agency have IT-suggested policies or guidelines for application contracts that are cloud based or hosted off-site?
3 = Requires “Yes”, a good explanation, and solid procedures.
2 = “Yes” with explanation, perhaps with some process improvements required, or “No” but a good explanation of a good process.
1 = Explanation that shows IT has some input.
0 = Fails to meet standards for a higher rating.
Reviewer notes: Looking for discussion of how cloud-based files and procedures are protected. Do they follow the MISAC guides (in the library)?

Question: How does your agency dispose of old equipment? Please provide a detailed description, including an explanation of any procedures for recycling, donation, and/or environmentally correct disposal of hazardous technology-related materials, if applicable. Security concerns should also be addressed.
3 = Procedures must include adequate provisions for environmentally correct disposal (e.g., batteries and/or monitors) and a detailed explanation of a well-designed system. Security concerns should be addressed.
2 = Sufficient procedures to ensure that material is disposed of efficiently.
1 = Doing something other than throwing out old equipment.
0 = No process or no answer.

III. Operations and Staffing

The goal of the Operations category is to make sure that anti-virus measures, backups and support issues are covered.

Outstanding: Requires “Outstanding” on a majority of questions and Proficient on the others, except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.

Question: Has your agency identified your entire agency’s critical information technology system equipment? Please explain how you are ensuring support and availability for systems.
3 = The “Yes” check mark should be checked, with all critical pieces of equipment on maintenance or capable of being repaired with parts stocked in-house.
2 = Good and workable explanation of what they would do for the pieces that aren’t covered.
1 = Areas of weakness that are not addressed.
0 = No maintenance provisions.

Question: Explain how your agency’s application software maintenance is handled (e.g., vendor contract or in-house staff).
3 = Either in-house or 3rd party is an acceptable answer; looking for a support description. Good support resources and well-explained provisions.
2 = Adequate support.
1 = Somewhat under-staffed or a gap in coverage.
0 = No provisions for support in one or more key areas.

Question: Describe your information technology organization. Describe how your agency ranks and evaluates its IT resource needs versus desired results. Does the agency consider metrics and/or others in resource decisions? (Possible metrics, new 2011: ICMA Annual Survey 3.0%; MIX 2008 Survey 3.48%; Gartner 2010 (loc/state) 3.5%; Gartner 2010 (utility) 5.5%; 2004 metric 2.5%.)
3 = Looking for an appropriate number of staff in relation to city size, a fairly flat organization, and a good explanation.
2 = Organization sufficient to get the job done, but some process or structural improvement recommended by the reviewer.
1 = Insufficient staff; organizational structure poorly defined.
0 = Explanation describes a situation so extreme as to warrant rating lower.
Reviewer notes: Use old or new metrics.

Question: How many networked PCs per technician does your agency have? How does your agency compare with the proposed metric of 150 workstations per technician? If you are using contractors, outsourced services, managed and/or virtual desktops, or other techniques to improve your ratio of desktops to technicians, please explain in enough detail to rate the process.
3 = Looking for an appropriate number of staff in relation to city size, a fairly flat organization, and a good explanation.
2 = Organization sufficient to get the job done, but some process or structural improvement recommended by the reviewer.
1 = Insufficient staff; organizational structure poorly defined.
0 = Explanation describes a situation so extreme as to warrant rating lower.
Reviewer notes: Old rating scale from 2004. The number of PCs per tech is only a partially relevant metric. What is the process used to meet the IT demands of the agency?

Question: To whom does the head of information technology report? If not a department head, does the head of IT have direct communication with the City Manager and Department Heads? Explain.
3 = Agency head, or a good explanation of some other reporting structure that allows direct access to the agency head and department heads through formal or informal channels.
2 = Department head or equivalent, such as Assistant City Manager.
1 = Lower official.
0 = No one assigned to this role.

Question: Does your agency have a “use of equipment policy”? If so, please attach.
3 = Requires “Yes” and an acceptable policy.
2 = “Yes” but failed to include the policy, or “No” with a good explanation.
1 = Policy needs significant improvement.
0 = “No” without explanation, or an incorrect/incomplete process.

Question: Do you require your employees to sign a “use of equipment policy”? If not, please explain.
2 = Either “Yes” or “No” would be acceptable with a good explanation.
1 = The response has a poor explanation.
0 = “No” without an explanation.
Reviewer notes: A “No” answer does not mean the agency will not rate outstanding in this category, but reviewer comments should recommend requiring a signature.

Question: Do you require your council members and elected officials to sign a “use of equipment policy”? If not, please explain.
2 = Either “Yes” or “No” would be acceptable with a good explanation.
1 = The response has a poor explanation.
0 = “No” without an explanation.
Reviewer notes: A “No” answer does not mean the agency will not rate outstanding in this category, but reviewer comments may recommend requiring a signature. Northern team note: most of our attorneys say a signature is not needed.

Question: What procedures are in place to ensure your daily operational policies and procedures are documented? What staff is assigned to the task, how often is it reviewed, and how do you ensure it is kept current? When did the agency last review the policies to ensure that they are complete?
3 = Requires a good explanation and solid procedures.
2 = Acceptable documentation, perhaps with some improvements recommended.
1 = Explanation that shows there is documentation but it needs improvement.
0 = No documentation or an incorrect/incomplete process.

Question: Please describe what you have identified as critical operational procedures. What staff is assigned to the task, how often is it reviewed, and how do you ensure it is kept current?
MANDATORY
3 = Requires a good explanation and solid procedures.
2 = Some improvements recommended.
1 = Explanation that shows the documentation needs material improvement.
0 = No documentation or an incorrect/incomplete process.

Question: Describe the type of documentation you have for major application systems.
3 = Requires a good explanation and sufficient formal documentation.
2 = Agency has documentation but some improvements recommended.
1 = Explanation that shows the documentation needs material improvement.
0 = “No” or inadequate documentation.
Reviewer notes: Looking for sufficient detail to be able to recreate or audit the systems.

Question: Do you have a document or file retention schedule? Explain whether it is considered in maintaining your backups. Please attach your records retention schedule.
3 = Requires a “Yes” with an explanation that demonstrates understanding of the impact of document and file retention on backups (legal issues, etc.).
2 = Agency has a retention schedule but some improvements recommended.
1 = Explanation that shows the document/file retention policy and/or procedure needs material improvement.
0 = “No” or inadequate documentation.

Question: Does your agency provide a Help Desk? If yes, please explain. If not, how does your agency handle this function?
3 = Requires a “Yes” with a good explanation and solid procedures.
2 = “Yes” with explanation, perhaps with some improvements recommended, or “No” but a good explanation of a successful alternative approach.
1 = Explanation that shows the help desk process needs material improvement.
0 = “No” without explanation, or lack of a successful alternative.

Question: Have you evaluated ITIL (Information Technology Infrastructure Library), NIST (National Institute of Standards and Technology) or other best practices guides for use in your organization? If you have evaluated any, what have you implemented? If you have not evaluated any, what do you use to guide your organization to utilize best practices?
3 = Response demonstrates that the agency has implemented some level of the ITIL or standards program.
2 = Response demonstrates that the agency has reviewed ITIL against current procedures.
1 = Explanation that demonstrates that they have not evaluated ITIL.
0 = “No” or inadequate documentation.
Reviewer notes: Looking to see if the agency has evaluated ITIL or other industry standard practices for implementation in their agency.

Question: Do you have procedures for e-discovery or retention of information such as e-mail, files and/or reports when requested?
3 = Requires a “Yes” with a good explanation and solid procedures.
2 = “Yes” with explanation, perhaps with some improvements recommended, or “No” but a good explanation of a successful alternative approach.
1 = Explanation that shows the e-discovery process needs material improvement.
0 = “No” without explanation, or lack of a successful alternative.

Question: How does your agency control or provide for BYOD devices? Please explain.
3 = Requires a “Yes” with a good explanation and solid procedures.
2 = “Yes” with explanation, perhaps with some improvements recommended, or “No” but a good explanation of a successful alternative approach.
1 = Explanation that shows the e-discovery process needs material improvement.
0 = “No” without explanation, or lack of a successful alternative.

Question: How does your agency ensure compliance with ADA standards for websites or software?
3 = Requires a “Yes” with a good explanation and solid procedures.
2 = “Yes” with explanation, perhaps with some improvements recommended, or “No” but a good explanation of a successful alternative approach.
1 = Explanation that shows the e-discovery process needs material improvement.
0 = “No” without explanation, or lack of a successful alternative.

IV. Customer Satisfaction

The goal of the Customer Satisfaction category is to look for feedback from end users.

Outstanding: Requires “Outstanding” on a majority of questions and Proficient on the others, except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.

Question: Explain how your agency measures internal customer/end user satisfaction related to information technology within your organization.
MANDATORY
3 = Requires “Yes”, a good explanation, and solid procedures to measure satisfaction.
2 = “Yes” with explanation but some process improvement suggested.
1 = Explanation that shows IT has some feedback mechanism but material improvement is needed.
0 = “No” or otherwise fails to meet standards for a higher rating.

Question: How does your agency measure customer satisfaction, as related to IT, in external customers (e.g., external agencies, website users, constituents, etc.)?
3 = Requires a good explanation and solid procedures to measure satisfaction.
2 = Measuring satisfaction but some process improvements suggested.
1 = Explanation that shows some feedback mechanism but material improvement is needed.
0 = Not measuring external satisfaction, or otherwise fails to meet standards for a higher rating.

Question: If your agency measures customer satisfaction, please explain how you use the data to improve your organization, in particular the IT function. How is internal and/or external customer satisfaction relative to technology measured and used for improvement?
3 = Requires a good explanation and a well-implemented process to use internal and external feedback for improvement.
2 = Measuring satisfaction and using the results for improvement in some informal fashion.
1 = Explanation that shows some feedback/improvement mechanism but material improvement is needed.
0 = Not measuring external satisfaction, not using the information to improve, or otherwise fails to meet standards for a higher rating.

Question: Does your agency provide users with regular information regarding the information technology operation within your agency?
Reviewer notes: Looking for “Yes” for Outstanding. A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: Does your agency have an internal users group?
Reviewer notes: Looking for “Yes” for Outstanding. A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

V. Internet

The goal of the Internet section is to control access and have a written policy on Internet usage.

Outstanding: Requires “Outstanding” on a majority of questions where “outstanding” may be earned (i.e., some questions are only worth a score of “2”, so they do not count in figuring the “majority”), and Proficient on the others, except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.

Question: Does your agency have a written Internet policy? If yes, how does your policy address web browsing and email use? Please attach.
MANDATORY
3 = Requires “Yes”, a good explanation, and solid procedures documented as a formal policy.
2 = “Yes” with explanation, perhaps with some process or policy improvement suggested.
1 = Explanation that shows material improvement is needed.
0 = “No” or otherwise fails to meet standards for a higher rating.

Question: Does your agency have an internal position assigned to the function of “webmaster” (i.e., Webmaster versus Department Users)? If so, please explain the position title and duties; if not, how are these duties handled? Include how often the web site is updated and by whom.
3 = “Yes” or “No” with a good explanation; in either case, for outstanding, the agency should have a way of making sure the site is current, content is well thought out, and future needs are proactively provided for. Frequent updates. Where possible, authorized users can update their own sections.
2 = Looking for a “Yes”; in-house is preferred for speed, but a valid explanation is acceptable as long as the agency is able to keep the content fresh in a manner that works for the organization (e.g., a flexible outsource agreement).
1 = Insufficient staff and/or a deficient workaround, unless the explanation describes a situation so extreme as to warrant rating lower.
0 = No established update process, content out of date, or otherwise fails to meet standards for a higher rating.
Reviewer notes: The reviewers may take the size of the organization into account in rating this category; the score should be based on accepted practice in comparable agencies.

Question: How would you describe your agency’s web site? Static (information only), Dynamic (provides real-time information from internal systems to the Internet), or Transactional (provides both information from internal systems and accepts input into internal systems from outside users). Please explain and give specific examples.
3 = Dynamic or transactional with significant citizen-friendly resources, and/or accessibility features, use of new technology in an effective manner, or other capabilities.
2 = Good, solid site with fresh content. Dynamic or transactional systems.
1 = Static site with infrequent updates.
0 = Difficult navigation, lacks features, or no website.
Reviewer notes: Does the response show that the organization has integrated Internet access into some of its applications? The reviewers may take the size of the organization into account in rating this category; the score should be based on accepted practice in comparable agencies.

Question: How often does your agency continue to improve the web site and the services offered on the site? Identify the existing transactional services available to the public and staff. Identify any planned improvements for the web site over the next 12-18 months, along with any budgets available to complete the project.
3 = Requires a good explanation and frequent updates.
2 = Adequate explanation, but with some process improvement suggested.
1 = Explanation that shows some process, but material improvement is needed.
0 = No established update process, content out of date, or otherwise fails to meet standards for a higher rating.
Reviewer notes: The reviewers may take the size of the organization into account in rating this category; the score should be based on accepted practice in comparable agencies. The question is looking for application development using web tools, either internally or externally. The response could include interactions with GIS, existing web sites or existing applications. Next year, the question needs to have a comment added regarding Web 2.0 tools or public interactions. Critiques might include discussions about future goals of public interaction applications.

Question: Has your agency developed a policy for social networking sites or social media? If so, please attach.
3 = The agency has a policy or a solid explanation of the process or goals.
2 = Adequate explanation, but with some process improvement suggested.
1 = Explanation that shows some process, but material improvement is needed.
0 = No response to the question.

Question: Has your agency posted and updated an Enterprise System Catalog (according to SB272) on your website?
2 = Yes
1 = No
Reviewer notes: Have they updated it since it was first posted?

Question: Has your agency posted a prominent link to its agenda (according to AB2257)?
2 = Yes
1 = No

VI. Project Management and Application Development

The goal of the Project Management section is to show that IT has input from sources outside IT, but also has input, standards and controls for implementation and acquisitions.

Outstanding: Requires “Outstanding” on a majority of questions and Proficient on the others, except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.

Question: Please explain how your agency implements major information technology projects.
3 = Requires a good explanation and solid procedures.
2 = Acceptable explanation, perhaps with some minor process improvements suggested.
1 = Explanation that shows some material improvement is needed.
0 = No process for implementing projects, or otherwise fails to meet standards for a higher rating.

Question: Does your agency typically involve user and/or departmental committees in the development of RFPs, selection of vendors, evaluation of proposals, and project implementations? Please explain the process used.
3 = Requires a good explanation and solid procedures for getting buy-in and involving users.
2 = Acceptable explanation, perhaps with some process improvements suggested.
1 = Explanation that shows some material improvement is needed.
0 = No involvement outside IT, or end user project decisions made without IT involvement, or otherwise fails to meet standards for a higher rating.

Question: Does your agency have written policies and procedures for major project implementation? Please attach.
3 = Requires “Yes”, a good explanation and solid procedures, with at least a high-level policy documented.
2 = “Yes” or “No” with explanation, perhaps with some non-material process or policy improvement suggested.
1 = “No” with an explanation that shows material improvement is needed.
0 = “No” without explanation, or otherwise fails to meet standards for a higher rating.

Question: Please describe the quality control/improvement processes employed in your projects.
3 = Requires a good explanation and solid procedures.
2 = Adequate explanation, but with some process improvement suggested.
1 = Explanation that shows some process, but material improvement is needed.
0 = No quality improvement process, or otherwise fails to meet standards for a higher rating.

Question: How does the agency stay current on project management procedures and standards?
3 = The agency has a dedicated project management office type of function, and the response states that there is ongoing education and review.
2 = Adequate explanation, but with some process improvement suggested.
1 = Explanation that shows some process, but material improvement is needed.
0 = No quality improvement process, or otherwise fails to meet standards for a higher rating.

Question: How does your agency ensure security issues are part of the software development life cycle (new/maintenance)? Is security considered before and during development? What procedures are in place to ensure a layered and integrated security model is used?
3 = Explanation demonstrates that security issues are considered when applications are developed, for example: only specified people are able to access the application development tools or processes; departmental standards are followed; security review of data and projected access; tie-ins to change management and auditing capabilities; and automated tools to track versions or changes.
2 = Adequate explanation, but with some process improvement suggested.
1 = Explanation shows that security issues are not addressed and material improvement is needed.
0 = No quality improvement process, or otherwise fails to meet standards for a higher rating.
Reviewer notes: Discussion could include topics such as maintenance issues and release notes from vendors.

Question: Describe any line of business applications that are managed by users or ‘power’ users. Describe how those applications are controlled or developed. How does the IT organization support those applications?
3 = IT is able to influence and assist in the maintenance of the application. There could be audit capabilities, periodic reviews, or user groups. IT assists with the initial design (in general) so that standards are followed. The application and data structures are designed so that they can be used by multiple applications across the enterprise. Security is enforced so only appropriate users have access to data.
2 = No applications are managed by power users, or IT has some influence on applications such as initial design and then major support where the users update the yearly changes. Some process improvement can be suggested.
1 = There are power user applications but IT has no support or influence on those applications. Significant improvement is needed.
0 = No response is given.
Reviewer notes: The question looks for a review of maintenance and change control on applications that are managed by users, such as Permitting, where the ‘super’ users update fees or other application logic. To what extent can IT guide the applications so that the users don’t hurt themselves?

Question: How is change management implemented for ongoing applications?
3 = The agency has developed and follows change management procedures. There can be code reviews, review of release notes, audit groups, testing procedures, test environments, change logs, and version control procedures or software/tools.
2 = Adequate explanation, but with some process improvement suggested.
1 = The response does not indicate change management procedures, or material improvements are suggested.
0 = No response is given.
Reviewer notes: The question is intended to review both purchased and in-house developed applications. Many purchased applications do not include significant change or version controls for updates or patches.

VII. Professional Development and Training

The goal of the Training section is to show that the IT department is responsive to its clients’ needs in providing training.

Outstanding: All “Yes” answers and an acceptable answer on how the department measures the need for training. For Proficient, the agency must rate “2” or higher on a majority of the questions.

Question: How does your agency assess the need for and track information technology training within the organization? Please explain.
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with an acceptable explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: Does your agency track professional development? If yes, please explain.
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with an acceptable explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: Are there established training goals or a training plan for the IT staff? If yes, please explain.
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with an acceptable explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: Does your agency have training goals and criteria for both IT staff and agency staff? If yes, please explain goals and criteria.
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with an acceptable explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: Does the agency have a goal for its staff to receive more industry standard accreditations (ITIL, CISSP, PMP, etc.) and/or vendor specific accreditations (Microsoft, Cisco, Juniper, etc.)? Please describe which accreditations the organization values and how the agency encourages their attainment.
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with a good explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: Looking for the goal of developing professional certifications and whether the agency is elevating the level of its staff. A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: Does your agency participate in regional or national product or peer-focused user groups? Please list and explain your level of participation (including MISAC).
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with an acceptable explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

Question: How is your agency addressing succession planning agency-wide? How does the plan affect the IT organization?
3 = Looking for a “Yes” and a good explanation for outstanding.
2 = “No” with an acceptable explanation.
1 = “No” without an acceptable explanation, or with significant improvement required.
Reviewer notes: The question is looking for recognition that there should be succession plans within IT and the organization as a whole. Is there growth potential for IT staff into upper management (not always)? A “No” answer does not mean the agency will not rate proficient in this category, but the reviewer may recommend improvement in this area.

VIII. Disaster Preparation and Recovery

The goal of the Disaster Preparation and Recovery section is to show that the department has documented plans for identifying, prioritizing and replacing systems.

Outstanding: Requires “Outstanding” on a majority of questions and Proficient on the others, except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.

Question: Does your agency have an information technology disaster plan that will allow recovery of key systems in a local or regional disaster?
If yes, please attach.MANDATORY3 = Requires “Yes”, a good explanation and solid procedures, with plan documented in a formal manner. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency’s plan include provisions for emergency replacement of all IT equipment? Please explain. (The explanation should include network devices, hardware, phones, etc.)MANDATORY3 = Requires “Yes”, a good explanation and solid procedures, with plan documented in a formal manner. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe how you have identified, addressed, or prepared for business continuity in the case of an extended Internet outage and or loss of cloud computing applications.Do they discuss the difference for cloud based applications and connectivity?3 = Requires “Yes”, a good explanation and solid procedures for dealing with a cloud outage. 2 = “Yes” with explanation, perhaps with some process or other improvement suggested. 1 = “No” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency’s IT disaster plan include provisions for off-site storage and/or replacement of software license keys? Please explain.MANDATORY3 = Requires “Yes”, a good explanation and solid procedures for off-site storage. 2 = “Yes” with explanation, perhaps with some process or other improvement suggested. 1 = “No” with an explanation that shows material improvement is needed. 
0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe how your agency’s IT disaster plan is tested. Your explanation should include details as to how IT emergency operational capabilities are tested and when the plan was last tested.3 = Requires a good explanation and solid procedures for testing and addresses how IT will run in an emergency. Answers that fail to address IT operations will not receive an outstanding (e.g. answer describes agency plan as required by SEMS only). 2 = “No” with a very good explanation. 1 = “No” without an acceptable explanation or with significant improvement required. Depending on the answers to the other questions in this section, a “No” answer does not absolutely guarantee the agency will not rate proficient in this category, but the reviewer will recommend improvement in this area.Explain how critical IT emergency operational contingency procedures are identified, created and maintained for the IT operation. MANDATORY3 = Requires a good explanation and solid procedural documentation and addresses how IT will handle various operational emergency situations. Answers that fail to address IT operations will not receive an outstanding (e.g. answer describes agency plan as required by SEMS only). 2 = “No” with a very good explanation. 1 = Significant improvement required, but there is a procedure in place. 0 = “No” without an acceptable explanation.How is information and documentation stored off-site? Please explain.3 = Looking for a “Yes” answer with a good explanation. 2 = “Yes” with an acceptable explanation. 1 = “No” without an acceptable explanation or with significant improvement required. 
Depending on the answers to the other questions in this section, a “No” answer does not absolutely mean the agency will not rate proficient in this category, but the reviewer will recommend improvement in this area.IXSecurityOutstanding: Requires “Outstanding” on a majority of questions and proficient on the others except those indicated “optional” in the reviewer’s comments below. Must rate 2 or above on the mandatory items to rate outstanding in the category.Describe your processes or tools (active & passive) to identify and inventory all the devices attached to the network. (CIS #1) 3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.How does your agency authenticate devices before they can connect to the network? e.g., port control (802.1x), which requires certificates (CIS #1)3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe the processes your agency uses to identify all software applications installed in the organization. (CIS #2)3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.How do you ensure that only authorized software is allowed to execute on the agency's systems? (CIS #2)3 = Requires “Yes”, a good explanation and solid procedures. 
2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe the processes and tools your agency has to identify any software vulnerabilities on operating systems, applications and third-party software in the organization. (CIS #3)3 = Requires “Yes”, a good explanation and solid procedures. 2 = Good explanation but some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency have a patch management system to continuously update the operating systems, applications and third-party software? Please explain (CIS #3) 3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe how you audit and monitor all users with elevated rights on the agency's systems, in accordance with the principle of least privilege. (CIS #4) 3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe the processes and system configuration tools your agency uses to enforce configuration settings to systems. (CIS #5) 3 = Requires “Yes”, a good explanation and solid procedures. A review has been done recently. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 
1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe the processes your agency has in place for comprehensive audit logging and review (including network devices and applications). (CIS #6)3 = “Yes”, with an explanation that demonstrates appropriate actions 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe the tools your agency uses to enforce filters and limit a user’s ability to connect to malicious domains or unapproved websites, and how are they updated? (CIS #7)3 = “Yes”, or “no” with a good explanation 2 = “No” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe the tools your agency has to block unwanted or malicious email messages and email attachments. (CIS #7) 3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency have an anti-malware solution to continuously monitor and defend each of the agency's workstations and servers, and is it up-to-date? Please explain (CIS #8)3 = Requires “Yes”, a good explanation and solid procedures, or “No” with no such access in use. 2 = “Yes” or “No” with explanation, perhaps with some non-material process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 
0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Explain how your agency ensures your backups are protected and can be safely used for recovery. (CIS #10) 3 = Requires “Yes”, a good explanation and solid procedures, or “No” with no such access in use. 2 = “Yes” or “No” with explanation, perhaps with some non-material process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Describe any security settings that have been implemented on workstations and servers that limits an attacker's ability to move laterally and compromise neighboring systems. (CIS #14)3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency use multi-factor authentication? Please explain (CIS #16)3 = Requires “Yes”, a good explanation and solid procedures. A third party certificate provider is used. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency have a security awareness program for employees to complete on a regular basis? Please describe (CIS #17) 3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 
0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency conduct regular external and internal penetration tests, and/or general IT security assessment? Please explain (CIS #20)3 = Requires “Yes”, a good explanation and solid procedures. 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency perform background checks on information technology employees? If so, please explain the process.3 = Requires “Yes”, a good explanation and thorough background screen suitable to the nature of the agency. 2 = “Yes” or “No” with acceptable explanation, but with some process or plan improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.A “No” answer does not absolutely mean the agency will not rate proficient in this category, depending on the answers to the other questions, but the reviewer may recommend improvement in this area.When an employee leaves or is fired, what is the process to verify that their ability to access the system is also terminated? How is IT informed? What happens if IT is not informed?3 = Requires “Yes”, a good explanation and thorough procedure.2 = “Yes” or “No” with acceptable explanation, but with some process improvement suggested. 1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Has your agency evaluated your security procedures against PCI Version 3 Standards and Control Objectives?3 = The agency has reviewed PCI standards, attended training and has worked to implement or integrate them into the agency operations. 
They specified that they have looked at Version 3.2 = The agency has evaluated PCI standards and goals against current procedures. 1 = The agency has not reviewed PCI standards or the explanation shows that material improvement is needed.0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Has your agency identified applications with personally identifiable information (PII)?2 = The agency has identified PII applications or lack of PII applications 1 = The agency has not identified PII applications or the explanation shows that material improvement is needed.0 = “No” without explanation or otherwise fails to meet standards for a higher rating.What methods are you using to control spam so that the agency will not be designated as a spammer? 3 = Requires “Yes”, a good explanation and solid procedures, 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Reviewers are looking to see that the solution includes use of industry standards from such entities as NIST Pub 800-45 Guidelines on Electronic Mail Security. Answers should not disclose sensitive information but provide enough detail to the rater to evaluateXGISIf the agency does not provide GIS support then it will not be graded down. - If the agency does provide GIS support and the answers do not meet minimum standards then it will be graded down. The entire category is scored as NA. The section is not required for an ‘Excellence’ rating. 
Does your agency provide GIS application and data support?3 = The agency provides GIS support to multiple agencies and/or has a well developed program2 = The agency provides GIS support across the agency and the agency has a designed program with identified resources1 = The agency does not provide GIS support or the response does not provide enough content to evaluate it.0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does your agency provide a GIS Users Group?3 = Requires “Yes”, a good explanation and solid procedures, 2 = “Yes” with explanation, perhaps with some process or plan improvement suggested. 1 = “No” with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.The question is looking for overall GIS governance and direction from the usersHas your agency developed a strategic plan for GIS? Has your agency included a list of the spatial data elements and layers that it would like to develop?3 = The agency has a plan that identifies applications, interactions with existing applications, data layers & elements, resources or specialized equipment, training, and budget necessary for future development. The document is provided for review.2 = The agency has parts of the overall plan or has identified layers. There are suggested improvements or no plan is provided for review.1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.Does the GIS strategic plan include integration with other agency applications? 
Which application have you been able to integrate with GIS data?3 = The strategic plan identifies applications that have been or will be developed that integrate with existing data and applications.2 = The strategic plan shows that GIS applications and data will follow either industry or agency standards so that future applications can be integrated.1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.How does the agency provide for spatial data quality control?3 = The agency has identified quality control processes for the collection or import of data. There are no suggested improvements.2 = The agency has identified quality control processes for the collection or import of data. There are suggested improvements.1 = “No” or “Yes”, with an explanation that shows material improvement is needed. 0 = “No” without explanation or otherwise fails to meet standards for a higher rating.XIBase Level ServicesThe goal of the Base Level of service section is to show the amount of automation in the organization. Proficient: At least 5 of the 8 areas of service or a good explanation in the additional services questions that may offset a lower score. Outstanding: All base services provided, or a good explanation in the additional services questions that may offset a lower score. 2010 Change – The description needs to state whether it is provided in-house or outsourced.Do you support internal and external e-mail?Looking for a “Yes” check mark. Can be in-house or vendor supplied.Do you support financial applications?Looking for a “Yes” check mark. Can be in-house or vendor supplied.Do you support desktop office applications?Looking for a “Yes” check mark. Can be in-house or vendor supplied.Do you support imaging applications?Looking for a “Yes” check mark. Can be in-house or vendor supplied.Do you support telecommunications services?Looking for a “Yes” check mark. 
Can be in-house or vendor supplied.Do you support revenue and billing functions?Looking for a “Yes” check mark. Can be in-house or vendor supplied.Do you support human resources and payroll functions?Looking for a “Yes” check mark. Can be in-house or vendor supplied.Describe any other services your information technology department/division provides to your agency and its users.Any answer is acceptable. Significant additional services may be used to increase the overall category rating from proficient to outstanding, or substitute for a service the IT group is not providing that is listed above to achieve a proficient rating.XIIOther The goal of the “Other” section is to provide general information about the organization. This section is not scored. If you have submitted for the award in prior years, how have you addressed the suggestions and comments?Any answer is acceptable. The section is not scored. It allows for an agency to disagree with findings from previous years. The review is a snapshot in time. If an agency does not address the previous suggestions, it may be used as a tiebreaker. We want agencies to show growth.Describe any special projects, functions, activities, procedures, or technologies which your information technology department/division provides, which have not been covered in this questionnaire but should be included for the purposes of evaluating the information technology readiness of your agency.Any answer is acceptable. Significant additional services may be used to increase the rating from proficient to outstanding, or substitute for a service the IT group is not providing that is listed above to achieve a proficient rating. ................