Subdivision 1. Development. The office shall develop, establish, and enforce policies and standards for state agencies to follow in developing and purchasing information and telecommunications technology systems and services and training appropriate persons in their use. The office shall develop, promote, and manage state technology, architecture, standards and guidelines, information needs analysis techniques, contracts for the purchase of equipment and services, and training of state agency personnel on these issues.
Subd. 2. Responsibilities. (a) The office shall develop and establish a state information architecture to ensure:
(1) that state agency information and communications systems, equipment, and services do not needlessly duplicate or conflict with the systems of other agencies; and
(2) enhanced public access to data can be provided consistent with standards developed under section 16E.05, subdivision 4.
When state agencies have need for the same or similar public data, the chief information officer, in coordination with the affected agencies, shall manage the most efficient and cost-effective method of producing and storing data for or sharing data between those agencies. The development of this information architecture must include the establishment of standards and guidelines to be followed by state agencies. The office shall ensure compliance with the architecture.
(b) The office shall review and approve agency requests for funding for the development or purchase of information systems equipment or software before the requests may be included in the governor's budget.
(c) The office shall review and approve agency requests for grant funding that have an information and technology component.
(d) The office shall review major purchases of information systems equipment to:
(1) ensure that the equipment follows the standards and guidelines of the state information architecture;
(2) ensure the agency's proposed purchase reflects a cost-effective policy regarding volume purchasing; and
(3) ensure that the equipment is consistent with other systems in other state agencies so that data can be shared among agencies, unless the office determines that the agency purchasing the equipment has special needs justifying the inconsistency.
(e) The office shall review the operation of information systems by state agencies and ensure that these systems are operated efficiently and securely and continually meet the standards and guidelines established by the office. The standards and guidelines must emphasize uniformity that is cost-effective for the enterprise, that encourages information interchange, open systems environments, and portability of information whenever practicable and consistent with an agency's authority and chapter 13.
Subd. 3. Risk assessment and mitigation. (a) A risk assessment and risk mitigation plan are required for all information systems development projects undertaken by a state agency in the executive or judicial branch or by a constitutional officer. The chief information officer must contract with an entity outside of state government to conduct the initial assessment and prepare the mitigation plan for a project estimated to cost more than $5,000,000. The outside entity conducting the risk assessment and preparing the mitigation plan must not have any other direct or indirect financial interest in the project. The risk assessment and risk mitigation plan must provide for periodic monitoring by the commissioner until the project is completed.
(b) The risk assessment and risk mitigation plan must be paid for with money appropriated for the information and telecommunications technology project. The chief information officer must notify the commissioner of management and budget when work has begun on a project and must identify the proposed budget for the project. The commissioner of management and budget shall ensure that no more than ten percent of the proposed budget be spent on the project, other than the money spent on the risk assessment and risk mitigation plan, is spent until the risk assessment and mitigation plan are reported to the chief information officer and the chief information officer has approved the risk mitigation plan.
History: 1997 c 202 art 3 s 10; 1999 c 250 art 1 s 114; 2000 c 488 art 12 s 17; 2001 c 7 s 11; 1Sp2001 c 10 art 2 s 45; 2005 c 156 art 5 s 13; 2008 c 318 art 1 s 10; 2009 c 101 art 2 s 109; 2010 c 392 art 1 s 8; 1Sp2011 c 10 art 4 s 4; 2013 c 134 s 23; 2014 c 271 art 4 s 4