2006 Information Resource Strategic Plan
1.1.1 Describe how technology is deployed in direct support of the agency mission, goals and objectives. Summarize the agency mission, goals and objectives, and address both strategic and tactical perspectives as applicable.
[ Mission: Teaching, Searching, Serving. The University of Texas Health Science Center at Houston is a comprehensive health science university composed of six schools, an institute of molecular medicine and a psychiatric center. UTHSC-H's mission is to treat, cure and prevent disease now and in the future by educating health science professionals; discovering and translating advances in social and biomedical sciences; and modeling the best practices in clinical care. UTHSC-H has identified four short-term goals/priorities:
- develop facilities for education, research, and clinical practice;
- increase the scope of the university's research enterprise;
- enhance educational excellence; and
- launch an integrated marketing and development initiative.
UTHSC-H has established the following three longer term goals/priorities:
- provide facilities to support academic excellence;
- recruit and retain outstanding educators, researchers, clinical practitioners, students, administrators, and staff; and
- increase the scope of the institution's research enterprise.
Technology is deployed directly in support of the mission & goals in the following ways: Facilities require extensive technology infrastructure for all mission areas. Research is a collaborative effort requiring collaborative tools, networking, massive amounts of data storage and high capacity computing. Clinical care requires electronic medical records, imaging systems, patient scheduling systems, billing systems and complex interfaces between hospitals, clinics, doctors' practices and insurance companies. HIPAA makes security paramount in a health care setting. Teaching has expanded far beyond the traditional classroom with online courses and distance education. Professors are supported in the classroom with a variety of technological aids from simple PowerPoints to complex simulators to grading systems. Administrative functions like payroll, accounting and student systems are highly automated to reduce overhead in support of all mission areas. The ability to publish on the web and communicate with a worldwide audience is essential to building and maintaining a public support base for attracting funding, world class faculty, researchers, clinicians and students. ]
1.1.2 Describe technology deployments that are not directly supporting agency goals and objectives.
[ It is highly unlikely that there are technology deployments of any significance that do not directly support the goals & objectives of the UTHSC-H. IT reviews and approves any technology expenditures greater than $5,000. Alignment with the goals and objectives of UTHSC-H is required. ]
1.1.3 Has agency executive leadership from both business and technology divisions/units identified a need for improving alignment (communications and interaction) of business and technology?
(*) Yes
( ) No
1.1.4 If an agency plan is in place for improving the alignment of business and technology in terms of communications and interaction, how is it managed?
( ) Business divisions/units (including executive leadership)
( ) Technology divisions/units (including IRM and technology directors)
(*) Collaborative group or committee (a combination of business and technology)
( ) Not applicable
1.2.1 Does the IRM report directly to a person with a title functionally equivalent to executive director or deputy executive director (president, chancellor or vice chancellor for institutions of higher education)?
(*) Yes
( ) No
1.2.2 Describe the IRM's business role, including alignment of business and technology and the development of the Agency Strategic Plan (state agencies only) and/or requests for funding through the legislative appropriations request process (LAR).
[ The IRM has the title of Vice President for Information Technology and Chief Information Officer. The CIO reports to the Senior Executive Vice President and Chief Operating Officer. The COO is considered part of the Office of the President and has broad responsibility and authority for the operation of the university. The CIO is a member of the Executive Council of the university and an active member of the Strategic Planning committee and the committee that develops and executes the 'Compact with UT System' that is mandated by the Chancellor. The CIO also is an active member of the IT Governance Council for the university. The COO chairs the ITGC. The ITGC reviews and approves all technology initiatives with campus-wide impacts. Plans, policies and budgets are included in the review. Several members of the ITGC also sit on the university's Executive Budget Committee that makes budget decisions for the university. The CIO and staff have regular contact with the Executive Vice Presidents of Research, Academic Affairs and Finance & Administration. Clinical activities are largely conducted in the schools. The CIO and staff work with the Associate Deans to coordinate the application of technology in these areas. ]
1.2.3 Does the agency's IRM also serve as IRM for one or more other agencies?
( ) Yes
(*) No
1.2.4 What is the status of implementing a standard project management methodology for technology projects in the agency?
( ) Implemented
(*) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.5 What is the status of implementing a standard portfolio management methodology for technology projects in the agency?
( ) Implemented
(*) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.9 Does the project/portfolio management methodology document successes and failures and determine how future projects will benefit from these findings?
(*) Yes
( ) No
( ) Not applicable
1.2.8 Does the project/portfolio management methodology monitor and control key project activities?
(*) Yes
( ) No
( ) Not applicable
1.2.7 Does the project/portfolio management methodology define the sequence of activities (the project life cycle) necessary to complete the project?
(*) Yes
( ) No
( ) Not applicable
1.2.6 Are any Texas Project Delivery Framework tools used as part of the agency's project/portfolio management methodology?
( ) Yes
( ) No
(*) Partial
( ) Not Applicable
1.2.10 Does the project/portfolio management methodology verify that project risks are identified?
(*) Yes
( ) No
( ) Not applicable
1.2.11 Does the project/portfolio management methodology ensure that costs and benefits for the project have been identified?
(*) Yes
( ) No
( ) Not applicable
1.2.12 List any automated tools being used for project/portfolio management. (Enter "None" if no automated tools are being used.)
[ MS Project is widely used for project planning and monitoring. HEAT is used for issue and service request tracking. Quest is used in the AIX RS/6000 environment used for the PeopleSoft Human Resource Management System, PeopleSoft Financial Management System and the Student Information System. It is a comprehensive library, production migration, change approval/notification system for these systems. UTHSC-H has a home grown change notification/approval system that is used for all IT environments. ]
1.2.13 Describe project-level and portfolio-level governance practices, including change management and issue resolution.
[ The information technology infrastructure is mostly owned and operated by the central Information Technology department. The portion that is not is owned and operated by school level IT groups that have a 'dotted line' reporting responsibility to the CIO. This arrangement gives the CIO and IT department visibility into any significant IT projects at the university. The Project Support Office, which reports to the CIO and is staffed by the former director of data processing, assists schools and departments in the application of good project development policy and practice. The plans, budgets and status are reviewed regularly with the CIO and the IT Governance Council. Both the CIO and the ITGC have taken action to keep projects on track. This has been proven to be an effective (and surprisingly popular) way of enforcing the use of project management and system development techniques. Change management is addressed across the university with an in house developed notification/approval system. All significant IT changes are reported through this system. On a lower level, change management is handled for several critical administrative systems via Quest. Issues are reported and tracked through HEAT. Reports can be entered through the Help Desk or entered directly by the person reporting the problem. ]
1.2.14 What is the status of implementing a standard software development life cycle (SDLC) in the agency?
(*) Implemented
( ) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.15 Describe current SDLC practices and status.
[ Projects with certain characteristics must follow the System Development Methodology (SDM) or seek an exemption. The SDM requires a phased approach to reduce the risk of failure. It also requires the explicit designation of responsible parties with appropriate levels of authority. The SDM may be tailored based on risk and complexity. The major phases are:
- Strategy
- Analysis
- Design
- Development
- Transition to Production
- Production & Post Implementation Assessment ]
1.2.16 If the agency has implemented an SDLC methodology, does it incorporate the Texas Project Delivery Framework SDLC deliverable templates and guidelines?
( ) Yes
(*) No
( ) Partial
( ) Not Applicable
1.2.18 Describe any performance management products and/or services the agency has implemented, or is planning. Specify any "best practices" elements, including tools used or developed.
[ Performance of systems technology is highly monitored with several vendor tools that track performance of components, log results and alert IT staff and vendors of problems and potential problems. Examples include Nagios (for Unix), Insight Manager (HP), CiscoWorks and BindView. Many operating systems and databases now have the monitoring capabilities built in. Customer feedback on the effectiveness of technology is routine and can be brought to the IT Governance Council through constituent representation. Audits guarantee independent evaluations of effectiveness and efficiency of IT. ]
1.2.17 What is the status of implementing a standard product and/or service performance management process for use by all technology projects in the agency?
( ) Implemented
(*) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.19 What is the status of implementing a standard requirements management process for the agency?
(*) Implemented
( ) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.20 What is the status of implementing a standard project change control / change management structure and process for the agency?
(*) Implemented
( ) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.21 What is the status of implementing a standard configuration management process for the agency?
(*) Implemented
( ) Implementation In Progress
( ) Planned or Planning In Progress
( ) Not Implemented and Not Planned
1.2.22 Describe current requirements management, change control/management and configuration management practices and status, along with future plans in these areas. List any automated tools used.
[ Requirements that do not meet basic standards for completeness or inclusion of the right parties for input will not be accepted by the Project Support Office, the CIO or the IT Governance Council. At the code development level, unit testing, system testing, integration testing, acceptance testing and load testing are required and enforced based on complexity and risk of the change. Tools such as Quest are used. Separate development, test and production environments requiring management review and approval enforce standards. On the broad scale, the in-house change notification/approval system is applied to all technology changes. Hardware and software configurations are largely directly managed by the central IT department. Those that aren't must comply with acceptable standards to be housed in the data center or on the network. ]
1.2.23a Describe the agency's telecommuting and/or AWA policy.
[ The university endorses the use of telecommuting as appropriate for the work to be performed and the employee's capabilities. The university provides guidelines to help the supervisor evaluate the work and employee for telecommuting. The university also provides example agreements. The decision to telecommute is made between the supervisor and the employee with endorsement from the department and/or school. ]
1.2.23 Does the agency have a policy regarding telecommuting or AWA (alternative workplace arrangements) that allows employees to work one or more days per week at home or at alternate locations?
(*) Yes
( ) No
1.2.24a Describe how the agency addresses telecommuting and AWA in its disaster recovery and/or business continuity plans.
[ Telecommuting is explicitly recognized as an option during an IT outage. Since it is supported by the university for regular work assignments, activating the plan requires little effort other than communicating its availability again. Some telecommuters would require setup but the majority of the users have already taken advantage of the capability to access university resources through the Virtual Private Network (VPN). Their biggest problem would be with their personal internet provider. ]
1.2.24 Does the agency incorporate telecommuting or alternative workplace arrangements in its disaster recovery and/or business continuity plans, related to potential scenarios which could limit the use of central facilities?
(*) Yes
( ) No
1.2.25 List all applications and/or applets that are hosted on an agency intranet, which may be useful to other agencies through reuse.
[ Only applications that require extra security are restricted to the university's 'intranet'. Most applications on the university's intranet are proprietary and, therefore, not available without licensing from the vendors (like PeopleSoft, IDX, etc.). In-house developed applications available on the university's intranet are few and oriented toward an academic health center. The Web-based Time Management System (TMS) captures time reports, accepts leave requests and tracks leave balances. The Graduate Medical Education Information System (GMEIS) is on the intranet and might be of some interest to other medical schools. The in-house LDAP/eDirectory/Active Directory synchronization application is probably too specific to UTHSC-H's technical environment but might be of some interest. ]
1.3.1 Describe the agency's practice of Enterprise Governance. Indicate whether strategic direction, impact analysis and issue resolution for technology and business divisions/units are addressed collaboratively.
[ The president leads the university but delegates the day-to-day operation to the COO who is designated as part of the Office of the President. Each mission area (research, academic affairs, clinical affairs and business affairs) has its own executive vice president. Vice presidents lead IT, Public Affairs and Facilities. This leadership group, plus the deans of the schools, forms the Executive Council, which is the governing body of the university. Various sub-groups of this, plus an extensive system of councils, make recommendations and report status on policy and other matters of interest to the entire campus. This includes strategic planning, major projects (including IT projects), IT security and compliance. The IT Governance Council is composed primarily of non-IT leaders from each school and administration. It is chaired by the COO. Project sponsors are regularly invited to discuss their requirements/proposals for IT applications. ]
1.3.2 Describe the agency's practice of technical architecture modeling, including development, testing and production environments, hardware, software, DBMS, infrastructure, and other technology assets. Indicate if technical architecture modeling is managed or coordinated at an enterprise level (across business and technology divisions/units).
[ The central IT department has responsibility for the technical architecture and has been able to build a consistent architecture in key areas like data center operation, network operation, server configuration, DBMS implementations, etc. Areas still being addressed include distance education (including video) and web presence. Both of these areas are being managed effectively through collaboration with a 'lead department' outside of the IT organization. ]
1.3.3 Describe the agency's practice of Business Architecture modeling, including business divisions / organizational structure, business processes and requirements, and business re-engineering efforts. Indicate if business modeling is performed at the enterprise level (across business divisions/units).
[ UTHSC-H went through an intensive business reengineering effort in the late 1990's through 2002 followed by major reorganizations and staffing reductions in 2003. These changes were the result of internal and external reviews of major functions like Human Resources, Financial Services, Facilities, Information Technology, etc. Since that time, reengineering is performed on an 'as needed' basis. A lot of the reengineering efforts that are being performed are related to the planned introduction of technology to meet a business requirement. ]
1.3.4 Describe the agency's practice of information architecture modeling, including data models, taxonomies and databases. Indicate if data modeling is managed or coordinated at an enterprise level (across systems / applications / business divisions/units).
[ The central Information Technology department coordinates the collection, storage and dissemination of university information to avoid duplication and misinterpretation, provide backup and recovery, and enforce security. This is done by identifying and managing the applications and data that belong to the university as a whole and fitting them into the overall data architecture rather than creating new databases. ]
1.3.5 For all new applications being created at the agency, what technology platforms are being used (include hardware, software, programming languages, DBMS, tools, and COTS)?
[ University applications (under the direction of the central IT department) generally run on HP or Dell servers under Windows. The major administrative applications (HRMS, FMS & SIS) run on IBM RS/6000 AIX. Several academic applications run on Sun equipment. The predominant database is Oracle due to the UT System-wide license. IBM DB2 is used for the Student Information System (SIS) due to a vendor requirement. SQL is gaining in popularity as its capabilities expand. PeopleSoft uses COBOL and PeopleTools. Java is used for a lot of custom development, as is C. The IDX Professional Fee Billing & Scheduling System was licensed from IDX, now a subsidiary of GE. The AllScripts electronic medical record was licensed by TouchWorks. Axium and MiPACS are the electronic dental record and imaging systems for the Dental Branch. The School of Nursing uses Practice Partner but is likely to move to AllScripts as is the Valley Border Project operated by the School of Nursing. The IT department uses many tools from Novell and BindView to monitor server and application performance. It also uses open source software, like Nagios. The university is adopting SAS for end user reporting. Report Distribution is provided by Cypress from ASG. Production Scheduling is facilitated with Tidal. The IT department also uses many tools to manage and monitor desktops. These are predominantly Microsoft and Novell products. Security is provided with CheckPoint firewalls, IronPort SPAM filters, Packeteer packet shapers, Websense web monitoring and TippingPoint IPS. HEAT is used to enter and track issue resolution. ]
1.4.1 [1] Database Name
[ Human Resource Information System (HRMS) ]
1.4.2 [1] DBMS and Version
[ Oracle 8.1.7.3.0 ]
1.4.3 [1] Purpose
[ PeopleSoft Human Resource information repository ]
1.4.4 [1] Data Models, Data Dictionaries, and Taxonomies
[ Provided and updated by PeopleSoft ]
1.4.5 [1] Associated Applications
[ Time management, identity management, financial management, student information systems ]
1.4.6 [1] Analysis and Reporting Tools/Versions
[ nVision, Query, SQR, Crystal, TOAD (sys admins only) & PeopleTools ]
1.4.7 [1] Data Sharing and Data Exchange
[ See applications listed in 1.4.5. In addition, users can download information for their use locally. ]
1.4.8 [1] Age of Database
[ Implemented in 2001. It is kept current and there are no plans to replace. ]
1.4.1 [2] Database Name
[ Financial Management System (FMS) ]
1.4.2 [2] DBMS and Version
[ Oracle 9.2.0.6.0 ]
1.4.3 [2] Purpose
[ PeopleSoft Financial Management information repository ]
1.4.4 [2] Data Models, Data Dictionaries, and Taxonomies
[ Provided and updated by PeopleSoft ]
1.4.5 [2] Associated Applications
[ HRMS, Student Information System, Billing systems including copy services and telephones, ]
1.4.6 [2] Analysis and Reporting Tools/Versions
[ nVision, Query, SQR, Crystal, TOAD (sys admins only) & PeopleTools ]
1.4.7 [2] Data Sharing and Data Exchange
[ See systems in 1.4.5 ]
1.4.8 [2] Age of Database
[ Implemented in 2003. It is kept current and there are no replacement plans. ]
1.4.1 [3] Database Name
[ Student Information System (SIS) ]
1.4.2 [3] DBMS and Version
[ DB2 UDB Enterprise Server Edition v8.2 ]
1.4.3 [3] Purpose
[ Student Information repository for INFORMS (vendor) application. ]
1.4.4 [3] Data Models, Data Dictionaries, and Taxonomies
[ Provided and maintained by the vendor ]
1.4.5 [3] Associated Applications
[ HRMS, FMS, BlackBoard, identity management, student services ]
1.4.6 [3] Analysis and Reporting Tools/Versions
[ SAS ]
1.4.7 [3] Data Sharing and Data Exchange
[ See systems in 1.4.5 ]
1.4.8 [3] Age of Database
[ Will be in production in December 2006. Replaces VSAM database. ]
1.4.1 [4] Database Name
[ IDX Professional Fee Billing and Patient Scheduling ]
1.4.2 [4] DBMS and Version
[ Cache 5.0.5 ]
1.4.3 [4] Purpose
[ Professional fee billing and patient scheduling ]
1.4.4 [4] Data Models, Data Dictionaries, and Taxonomies
[ Provided and maintained by the vendor ]
1.4.5 [4] Associated Applications
[ AllScripts (electronic medical record), Harris County Hospital District systems, Memorial Hermann Hospital Systems ]
1.4.6 [4] Analysis and Reporting Tools/Versions
[ DBMS, IDX Analyzer utilizing Cognos Impromptu and PowerPlay ]
1.4.7 [4] Data Sharing and Data Exchange
[ Applications listed in 1.4.5 share information for billing patients. ]
1.4.8 [4] Age of Database
[ Less than 2 years old. No plans to replace. Upgrades are applied regularly. ]
1.4.1 [5] Database Name
[ BlackBoard Learning Management System ]
1.4.2 [5] DBMS and Version
[ Oracle 9.2.0.7.0 ]
1.4.3 [5] Purpose
[ Content delivery & class management system for online learning. ]
1.4.4 [5] Data Models, Data Dictionaries, and Taxonomies
[ Provided and maintained by the vendor ]
1.4.5 [5] Associated Applications
[ SIS, identity management system ]
1.4.6 [5] Analysis and Reporting Tools/Versions
[ Crystal ]
1.4.7 [5] Data Sharing and Data Exchange
[ See applications in 1.4.5 ]
1.4.8 [5] Age of Database
[ 5 years ]
1.4.1 [6] Database Name
[ Graduate Medical Education Information System ]
1.4.2 [6] DBMS and Version
[ Oracle 9.2.0.1 ]
1.4.3 [6] Purpose
[ Tracking. Resident personnel system biographics, demographics, and credentials; Resident contracts; rotation scheduling; Billing; Online Evaluations; compliance. ]
1.4.4 [6] Data Models, Data Dictionaries, and Taxonomies
[ Maintained by developers ]
1.4.5 [6] Associated Applications
[ Continuity Clinic Tracking System and Identity Management System ]
1.4.6 [6] Analysis and Reporting Tools/Versions
[ Java and Oracle provided tools ]
1.4.7 [6] Data Sharing and Data Exchange
[ See 1.4.5. Feeds resident information to Identity Management System ]
1.4.8 [6] Age of Database
[ 3 years ]
1.4.1 [7] Database Name
[ Document Management (Documentum) ]
1.4.2 [7] DBMS and Version
[ MS SQL 2000 ]
1.4.3 [7] Purpose
[ Document repository used largely for retention but also for distribution and workflow. ]
1.4.4 [7] Data Models, Data Dictionaries, and Taxonomies
[ Maintained by the developers ]
1.4.5 [7] Associated Applications
[ Some administrative systems (SIS, HRMS) populate the index fields in Documentum. In addition, student applications are loaded into Documentum from the MDAC. ]
1.4.6 [7] Analysis and Reporting Tools/Versions
[ Crystal, MS Access, Documentum Query Language (DQL) ]
1.4.7 [7] Data Sharing and Data Exchange
[ See systems in 1.4.5 ]
1.4.8 [7] Age of Database
[ 3 years ]
1.4.1 [8] Database Name
[ HEAT Issue Tracking ]
1.4.2 [8] DBMS and Version
[ MS SQL 2000 ]
1.4.3 [8] Purpose
[ Issue management and tracking ]
1.4.4 [8] Data Models, Data Dictionaries, and Taxonomies
[ Provided and maintained by the vendor ]
1.4.5 [8] Associated Applications
[ HEAT accepts identity information from the identity management system ]
1.4.6 [8] Analysis and Reporting Tools/Versions
[ Crystal, SQL Query Manager ]
1.4.7 [8] Data Sharing and Data Exchange
[ See systems in 1.4.5 ]
1.4.8 [8] Age of Database
[ 9 years ]
1.4.1 [9] Database Name
[ Dental Clinic Information System (CIS) ]
1.4.2 [9] DBMS and Version
[ Oracle 10G ]
1.4.3 [9] Purpose
[ Electronic Dental Record for the Dental Clinic Practice. ]
1.4.4 [9] Data Models, Data Dictionaries, and Taxonomies
[ Provided and maintained by the vendor ]
1.4.5 [9] Associated Applications
[ Integrates with dental imaging system MiPACS. ]
1.4.6 [9] Analysis and Reporting Tools/Versions
[ Axium Info Manager, Crystal ]
1.4.7 [9] Data Sharing and Data Exchange
[ See 1.4.5 ]
1.4.8 [9] Age of Database
[ One month ]
1.4.1 [10] Database Name
[ Identity Management System ]
1.4.2 [10] DBMS and Version
[ Oracle 9.2.0.1.0, SunOne Directory 5.2, eDirectory 8.7.3.7, Active Directory 2003 ]
1.4.3 [10] Purpose
[ Centrally controls access rights to the UTHSC-H network and applications. ]
1.4.4 [10] Data Models, Data Dictionaries, and Taxonomies
[ eDirectory and AD provided by vendor, SunOne is RFC standard, others maintained internally ]
1.4.5 [10] Associated Applications
[ Accepts data from source of record systems such as HRMS, SIS & GMEIS. Authenticates and authorizes access to network resources (like wireless) and applications. Not all applications are able to use this system. The identity management 'system' synchronizes information among LDAP, eDirectory, Active Directory & Shibboleth and allows network login. Individual applications that use the identity management system for login are not listed due to the length of the list. ]
1.4.6 [10] Analysis and Reporting Tools/Versions
[ BindView and Novell tools, Java, Oracle tools, SunOne Console and Softerra ]
1.4.7 [10] Data Sharing and Data Exchange
[ See 1.4.5 ]
1.4.8 [10] Age of Database
[ Oldest portions are 8 years, newer ones are 2 years ]
1.4.9 Is the agency one of the 27 agencies prioritized to participate in the data center consolidation or an institution of higher education?
(*) Yes (skip questions 1.4.10 - 1.4.16 )
( ) No (proceed to the next question)
2.1.1 Is the agency one of the 27 agencies prioritized to participate in the data center consolidation, or an Institution of higher education?
(*) Yes (skip to question 2.1.9)
( ) No (proceed to next question)
2.1.10 If the agency maintains a written disaster recovery plan, describe its scope and status. OR, if the agency does not maintain a written disaster recovery plan, describe the strategy and timeline for developing and implementing one.
[ Central IT maintains a Disaster Recovery Plan which is tested annually for the following systems:
- PeopleSoft HRMS
- PeopleSoft FMS
- Student Information System
- Dental Branch Clinical Information System
- IDX Billing and Scheduling System
Systems currently under evaluation for inclusion in the DRP are:
- AllScripts EMR
- BlackBoard
All systems have backups. Critical backups are stored offsite. Many services are spread among multiple servers to reduce the likelihood of outages. Some services are split between facilities providing a measure of protection. ]
2.1.9 Does the agency maintain a written disaster recovery plan for information resources?
(*) Yes
( ) No
2.2.1 Does the Information Security Officer (ISO) have additional job titles/responsibilities (e.g., IRM, technology director)?
( ) Yes
(*) No
2.2.2 To whom does the ISO report in the agency?
(*) Information Resources Manager (IRM)
( ) Executive Director (or equivalent)
( ) Technology Division Director
( ) Other (specify) [ ]
2.2.3 Who in the agency is primarily responsible for setting security policy?
(*) Information Security Officer (ISO)
( ) Information Resources Manager (IRM)
( ) Executive Director (or equivalent)
( ) Technology Division Director
( ) Other (specify) [ ]
2.2.4 Who in the agency is primarily responsible for reviewing/approving projects for security features?
(*) Information Security Officer (ISO)
( ) Information Resources Manager (IRM)
( ) Executive Director (or equivalent)
( ) Technology Division Director
( ) Other (specify) [ ]
2.2.5 Who in the agency is primarily responsible for analyzing agency security risks?
(*) Information Security Officer (ISO)
( ) Information Resources Manager (IRM)
( ) Executive Director (or equivalent)
( ) Technology Division Director
( ) Other (specify) [ ]
2.2.6 Who in the agency is primarily responsible for determining budget requirements to address security risks?
(*) Information Security Officer (ISO)
( ) Information Resources Manager (IRM)
( ) Executive Director (or equivalent)
( ) Technology Division Director
( ) Other (specify) [ ]
2.2.7 Who in the agency is primarily responsible for identifying cyber security violations?
(*) Information Security Officer (ISO)
( ) Information Resources Manager (IRM)
( ) Executive Director (or equivalent)
( ) Technology Division Director
( ) Other (specify) [ ]
2.2.10 Does the agency budget include line item(s) for security training and/or education?
(*) Yes
( ) No
2.2.9 Does the agency budget include security-specific funding levels as an overall percentage of the agency budget, or as a percentage of the technology budget?
( ) Yes
(*) No
2.2.8 Is security funding set by analyzing risks and determining the appropriate investment needed to address the risks?
(*) Yes
( ) No
2.2.11 Does the agency fund some security functions and/or initiatives for which there are no security-specific cost categories or line items in the agency budget?
(*) Yes
( ) No
2.2.12 Describe the process the agency utilizes to determine security funding requirements. Include the level of funding and/or the percentage of security funding compared to overall budget (for FY 2008-09) if this information is available.
[ From FY 2001 through FY 2003, the UTHSC-H was building an IT security function and the capital and operating budgets were based on the needs. Since FY 2003, the operating budget for IT Security has been flat due to financial constraints for the entire university. Capital funds have been available for new equipment but generally not available to upgrade and replace the existing infrastructure. The IT Security budget is $550,000 for FY 2006. The UTHSC-H operating budget (all fund sources) for FY 2006 is $654,000,000. The percentage of the budget that is allocated to IT Security is .08%. ]
2.2.13 What is the status of the agency's capabilities in the area of automated security tools, including patch management, risk assessment, and incident reporting?
(*) Currently in place
( ) Planned within the next 1 to 3 years
( ) Not planned, but will be considered
( ) Not feasible for agency
2.2.14 What is the status of the agency's capabilities in the area of computer incident response mechanisms and related training?
(*) Currently in place
( ) Planned within the next 1 to 3 years
( ) Not planned, but will be considered
( ) Not feasible for agency
2.2.15 What is the status of the agency's capabilities in the area of cyber vulnerability detection and remediation methods?
(*) Currently in place
( ) Planned within the next 1 to 3 years
( ) Not planned, but will be considered
( ) Not feasible for agency
2.2.17 What is the status of the agency's capabilities in the area of security training and awareness programs for all levels of the organization (users, management, technology professionals, and security professionals)?
(*) Currently in place
( ) Planned within the next 1 to 3 years
( ) Not planned, but will be considered
( ) Not feasible for our agency
2.2.16 Are security staffing levels sufficient to meet statutory requirements and agency needs?
( ) Yes
(*) No
2.2.18 Provide a general description of the agency's overall security capabilities, and describe any plans for expanding or improving these capabilities over the next five fiscal years.
[ UTHSC-H has an effective IT Security program in place. The IT staff are knowledgeable in IT security basics and implement and operate a secure infrastructure and applications. Areas that need to be addressed include: 1. Develop a more proactive awareness program for users of technology. 2. Upgrade and replace existing technology. 3. Expand technology to handle new requirements and new buildings. 4. Integrate the components of identity management under IT Security. ]
2.2.19 Rank the following security services and functions based on which would provide the greatest benefit to the agency. Click the greatest benefit item first, etc. (1 = greatest benefit, 7 = least benefit).
[1] Periodic external IT security assessments to help identify information resource strengths and weaknesses
[3] State Cyber Security Response System that rapidly identifies, contains, and recovers from any attack or attempt to disrupt critical information and communications technology infrastructure
[5] Identification, development, and maintenance of best practice rules, standards, and guidelines to help reduce agency workload while providing more timely, complete, and accurate data for internal and external monitoring and management
[6] Shared network security services and solutions provided by a network security and operations center (NSOC)
[4] Improved cyber security information sharing and enhanced security communication and collaboration throughout the state by leveraging new technologies
[2] Comprehensive cyber security training program requirements development to ensure IT security professionals, agency leadership, and network users at all levels are able to perform cyber security responsibilities
[7] Cyber security integration into state homeland security exercises and promotion of tailored exercises to help reduce network vulnerabilities and minimize the severity of cyber attacks
2.2.20 Provide additional detail if needed, and describe how DIR could help improve the security capabilities of the agency.
[ For large agencies like UTHSC-H where an onsite presence is essential to providing service to faculty, staff and students, the most valuable service DIR can provide is state contracts with vendors for products and services. Other valuable services include:
- Training opportunities and
- Development & promulgation of state-wide standards, policies and procedures based on best practice.
]
2.3.1 What is the agency's Voice Network Infrastructure upgrade status, or plans to upgrade?
( ) Upgraded within the past year
( ) Plan to upgrade within one year
(*) Plan to upgrade within three years
( ) Plan to upgrade within five years
( ) No plans to upgrade at this time
2.3.2 In the agency's Voice Network Infrastructure upgrade plan, has the agency considered (or will it consider) a shared service arrangement through DIR to support agency efforts in this area?
(*) Yes
( ) No
2.3.3 What is the agency's Data Network Infrastructure upgrade status, or plans to upgrade?
( ) Upgraded within the past year
(*) Plan to upgrade within one year
( ) Plan to upgrade within two years
( ) Plan to upgrade within three years
( ) No plans to upgrade at this time
2.3.4 In the agency's Data Network Infrastructure upgrade plan, has the agency considered (or will it consider) a shared service arrangement through DIR to support agency efforts in this area?
( ) Yes
(*) No
2.3.5 What is the status of any Voice Over Internet Protocol (VoIP) initiative in the agency?
( ) No plans to adopt VoIP
(*) Evaluating VoIP
( ) Planning a VoIP implementation
( ) Have an active VoIP pilot project
( ) Have an operational VoIP installation
2.3.6 Has the agency considered, or will it consider, a shared service arrangement through DIR to support agency VoIP efforts?
(*) Yes
( ) No
2.3.7 What are the agency's plans for Interactive Voice Response (IVR)?
( ) No plans to adopt IVR
( ) Evaluating IVR
( ) Planning an IVR implementation
(*) Have an operational IVR system
2.3.8 Has the agency considered, or will it consider, a shared service arrangement through DIR to support agency IVR efforts?
( ) Yes
(*) No
2.3.9 What is the status of any telephone call center in the agency?
( ) No plans to implement a call center
( ) Evaluating call center operations and technologies
( ) Planning a call center implementation
(*) Have an operational call center
2.3.10 Has the agency considered, or will it consider, a shared service arrangement through DIR to support agency call center efforts?
( ) Yes
(*) No
2.3.11 What is the status of any video conferencing system in the agency?
( ) No plans to implement video conferencing
( ) Evaluating video conferencing systems and technologies
( ) Planning a video conferencing implementation
( ) Have an operational agency video conferencing system
(*) Utilize a shared video conferencing system among a number of institutions of higher education
2.3.13 What is the status of any wireless data service initiative in the agency?
( ) No plans to adopt wireless data services
( ) Evaluating wireless data services and infrastructure
( ) Planning a wireless data service implementation
( ) Have an active wireless data service pilot project
(*) Have an operational wireless data service
2.3.14 Has the agency considered, or will it consider, a shared service arrangement through DIR to support agency wireless data service efforts?
( ) Yes
(*) No
2.3.15 Does the agency use TEX-AN contracts for purchasing telecommunications services?
( ) Always
(*) Sometimes
( ) Never
2.3.16 What is the agency's rationale for purchasing these services through other sources?
[ TEX-AN is used whenever possible, which is almost all of the time. However, TEX-AN billing runs several months behind, meaning that funds for one year can be lapsed while the following year is over budget. This is a serious problem for some funding sources. ]
2.3.17 Rank the following network operations/services based on which would provide the greatest benefit to the agency, whether or not the agency provides or plans to provide these operations or services. Click the greatest benefit item first, etc. (1 = greatest benefit, 7 = least benefit).
[4] Upgrades to voice network
[3] Upgrades to data network
[1] Voice over Internet Protocol (VoIP)
[7] Interactive Voice Response (IVR)
[6] Call centers
[2] Video conferencing
[5] Wireless data services and infrastructure
2.3.18 Please provide additional detail if needed, and describe how DIR could help improve the network capabilities of the agency.
[ For large agencies like UTHSC-H where an onsite presence is essential to providing service to faculty, staff and students, the most valuable service DIR can provide is state contracts with vendors for products and services. Other valuable services include:
- Development and operation of a state-wide video network,
- Training opportunities and
- Development & promulgation of state-wide standards, policies and procedures based on best practice.
]
2.4.1 Does the agency currently take, or would it be interested in taking payments for services over the Internet (see Payment Services in Glossary)?
(*) Agency currently offers this service
( ) Agency is interested in offering this service
( ) Agency has no need or interest in this service
2.4.2 What payment services vendor does the agency use? What is the agency plan for receiving payments, including any provisions for security and performance measures?
[ BearingPoint ePay, PayPal and PCPay ]
2.4.3 Describe any barriers or limitations that could inhibit the taking of payments for agency services over the Internet.
[ Security of the service provider, security of the network and the ability to interface into financial and other systems are the only concerns. ]
2.4.4 Does the agency currently collect, or would it be interested in collecting fees or fines over the Internet (see "collection of fees/fines" in Glossary)?
(*) Agency currently provides this service
( ) Agency is interested in providing this service
( ) Agency has no need or interest in this service
2.4.5 Does the agency currently offer or accept online applications or forms that can be filled in and transferred to the agency over the Internet?
(*) Yes
( ) No
2.4.6 Describe the agency's policies for offering or accepting applications or forms over the Internet, including any provisions for security and performance measures.
[ Any university level application or form will be processed by a system that meets all applicable security and confidentiality rules and regulations. This includes student applications submitted through the Medical Dental Application Center (MDAC) and financial aid applications. The central IT department handles these systems. ]
2.4.7 Does the agency require a mailed copy of the application or form with a signature?
( ) Yes
(*) No
2.4.8 Does the agency currently take, or would it be interested in taking, applications through IVR via the telephone?
( ) Agency currently offers this service
( ) Agency is interested in offering this service
(*) Agency has no need or interest in this service
2.4.9 What is the approximate number of e-mail mailboxes currently in use within the agency?
( ) 0 - 100
( ) 101 - 500
( ) 501 - 1,000
( ) 1,001 - 2,500
( ) 2,501 - 5,000
(*) 5,001 +
2.4.10 What e-mail rich client type is used on the majority of desktops within the agency?
(*) Microsoft Outlook
( ) IBM Lotus Notes
( ) Novell GroupWise
( ) Other (specify) [ ]
2.4.11 What is the status of the agency's participation in DIR's Messaging and Collaboration initiatives?
( ) Currently in place
( ) Planned within the next 1-3 years
( ) Not planned, but will be considered
(*) Not feasible for agency
2.4.12 Is the agency planning an upgrade of its current e-mail/messaging system in FY2008-09 (maintenance renewal, upgrade, or replacement of an existing messaging system) at a cost of $50,000 or more?
( ) Yes
(*) No
2.4.13 What is the agency's estimated Total Cost of Ownership for messaging/e-mail services, expressed in dollars per mailbox per month?
[ ]
2.4.14 Describe the agency's costs for messaging/e-mail, how they were calculated, and any comparative analysis completed by the agency.
[ Answering this question was shown as optional. ]
2.4.15 Does the agency currently offer, or is it interested in offering, event registration over the Internet?
(*) Agency currently offers this service
( ) Agency is interested in offering this service
( ) Agency has no need or interest in this service
2.4.16 Describe the types of events for which the agency offers, or is interested in offering registration over the Internet.
[ Continuing Medical Education, on-line courses via BlackBoard, UT System Telecampus, health events, charity events, lectures, etc. ]
2.4.17 Does the agency currently manage, authorize, and/or issue grant monies over the Internet to other governmental entities, public service organizations, or citizens?
( ) Yes
(*) No
2.4.18 Rank the following shared services based on which would provide the greatest benefit to the agency, whether or not the agency provides or plans to provide these services. Click the greatest benefit item first, etc. (1 = greatest benefit, 6 = least benefit).
[1] Receiving payments over the Internet
[2] Collecting fees or fines over the Internet
[3] Offering or accepting forms over the Internet
[5] Providing e-mail/messaging and collaboration services
[4] Offering event registrations
[6] Managing, authorizing and/or issuing grant monies
2.4.19 Please provide additional detail if needed, and describe how DIR could help improve the shared services capabilities of the agency.
[ DIR can provide state contracts with vendors for products and services. ]
2.5.1 How does the agency benefit from the Cooperative Contracts Program? (CHECK ALL THAT APPLY)
(*) Enhanced contract terms and conditions
(*) Reduced staff time and time to receive goods and services
(*) Actual monetary savings
( ) Higher level of expertise
(*) Agency could get better pricing through other means
( ) Agency does not find the Cooperative Contracts Program beneficial
( ) Other [ ]
2.5.2 Describe the agency's experience with the Cooperative Contracts Program.
[ Simplifies the procurement process. Sometimes better pricing is available to higher education than to the DIR. ]
2.5.3 What future improvements (2-5 years) to the Cooperative Contracts Program would benefit the agency and the state? Include areas where DIR could provide additional services/support to improve the program.
[ The more vendors on the program, the better. Take a look at the major IT vendors in state agencies and try to put state wide agreements together to address licensing and maintenance costs. ]
2.5.4 Describe any strategies used by the agency for acquiring technology and/or non-technology goods and services that could provide a best practices model for the state's information and communications technology procurement processes and practices, such as reverse auctions and external contracting.
[ UTHSC-H follows state procurement guidelines. For systems integration contracts, the key to success is the development of a complete RFP and evaluating responses thoroughly. We have a good process for doing this at UTHSC-H. I suspect some other agencies do well too, but I have found that developing and evaluating RFPs for integration services is rarely done well. UTHSC-H uses eProcurement from PeopleSoft with an ePlus catalog management system. This is quite effective in reducing non-PO purchases and directing purchases to preferred vendors. ]
2.6.1 Does the agency use the Texas Project Delivery Framework (deliverable templates and instructions)? (CHECK ALL THAT APPLY)
( ) Yes, for major technology projects (life cycle costs of $1 million or more)
( ) Yes, for non-major technology projects (life cycle costs of less than $1 million)
(*) No, Framework is not being used
2.6.2 Describe the benefits and/or any recommendations or challenges associated with use of the Framework templates and instructions.
[ The TPDF promotes good practice in IT project delivery. The major challenge is tailoring it to the environment and obtaining buy-in from all parties who are unfamiliar with the process or the reasons for it. These parties are typically not IT staff and may be agency executives who are getting pressure to have IT stop filling out forms and start implementing technology! We have formed a Project Support Office specifically to help tailor and apply the university's SDM in these cases. The university will comply with all State requirements for use of the TPDF. However, it will be tailored on the campus to fit the needs of the people who have to apply it. ]
2.6.3 DIR is establishing a Texas Project Delivery Framework Training Program. Does the agency have a training need within any of the following areas? (CHECK ALL THAT APPLY)
(*) Portfolio and project management practices
(*) Portfolio and project governance
(*) Systems Development Life Cycle (SDLC)
(*) Executive leadership practices
(*) Performance management
(*) Business case analysis
2.6.4 Describe details of agency Framework training needs and interests.
[ While some IT staff could use training in these areas, the biggest area of need is in the business areas that partner with IT in such projects. These people are unlikely to attend such a training session. But, if training could be web-based or otherwise made available when projects are initiated on campus, this would be very helpful! ]
2.7.1 Describe current or planned reuse or adaptation of existing business assets (requirements, models) and/or technology assets (designs, code) from other projects, within or outside the agency.
[ It is our policy to share information, designs and code for applications or modifications that UTHSC-H owns with other components of UT. UTMB and UTHSC-SA are the most similar users of our major applications. UTMB and UTHSC-H frequently share information, designs and code for PeopleSoft and SIS. RFPs for system integration services are routinely modified and reused for different systems. Schools and departments which develop reports are encouraged to save and share them with others who have a similar need. Code is kept in libraries where it can be shared among the development staff. ]
2.7.2 Describe the factors that reflect success in reuse of business and technology assets, and indicate which of those success factors are currently met at the agency.
[
- Reduced cost.
- Reduced implementation time.
- Improved quality.
These success factors are currently met by the efforts described in 2.7.1 ]
2.7.4 Which resource(s) would help the agency to identify and/or evaluate reuse opportunities, or to produce more reusable assets? (CHECK ALL THAT APPLY)
(*) Business asset reuse guidelines and training
(*) Technology asset reuse guidelines and training
(*) Information asset reuse guidelines and training
(*) Reuse asset inventory (with contact info, but without repository)
(*) Reuse asset inventory and repository
(*) Statewide business asset standards facilitating reusability
(*) Statewide technology asset standards facilitating reusability
(*) Statewide information asset standards facilitating reusability
( ) Support resources to mentor and support agency reuse efforts
2.7.3 Describe any plans to produce reusable business or technology assets that may be valuable to other state agencies or institutions of higher education.
[ UTHSC-H is currently participating in a new effort to select systems at UT Southwestern. Several UT components have recently gone through this process and will assist in this effort. UTHSC-H is migrating its SIS to a Unix platform and has contacted UTMB about sharing this technology since they still use the mainframe-based version of the same system. ]
2.7.5 Describe the types of services, systems and applications that the agency would like to find and reuse that may have already been developed by other governmental entities.
[ The UTHSC-H is currently evaluating requirements for systems for:
1. Pre-award contract and grant management
2. Contract management including routing, approvals, archiving, version management and renewal reminders
3. Research animal protocols
4. Identity management (likely unique to our environment) ]
2.7.6 Describe any other ideas or suggestions for improving agency capabilities for reuse.
[ DIR can facilitate this through:
- Cataloging reusable technology which could include policies, procedures, etc.
- Contracting with major technology vendors to encourage use of the same technology by making it less expensive and easier to obtain.
- Continuing to promulgate standards which will make it more likely that technology can be reused.
]
2.7.7 Describe current collaborations with other agencies, institutions of higher education and/or local governments.
[ Also see 2.7.3. UTHSC-H, like all UT components, relies on internet connectivity from UT System. UTHSC-H participates in the South East Texas GigaPop (SETG), offering local network peering relationships with University of Houston, Baylor College of Medicine, Rice University, Texas A & M University @ IBT, UT MDACC, and Stephen F Austin University. UTHSC-H is a member of Lonestar Education And Research Network (LEARN), which, when completed, will allow additional network peering relationships within Texas. UTHSC-H, in collaboration with UT System, is implementing a system-wide Tandberg video conferencing capability to facilitate the school's distance education program. UTMDACC and UTMB students use the UTHSC-H BlackBoard system. UTMDACC and UTHSC-H are implementing a shared directory to facilitate application sharing between the institutions. Shared applications support the shared Office of International Affairs, Student Financial Aid, Bursar and Registrar. All UT components are collaborating to create the UT Federation to simplify logging into shared resources. This initiative uses Shibboleth technology. ]
2.7.8 Describe any planned collaboration initiatives with other agencies, institutions of higher education and/or local governments.
[ The collaborations in 2.7.7 will grow. An opportunity to share exists with the UTHSC-H Student Information System. ]
2.7.9 Which resource(s) would help the agency to identify and/or evaluate collaboration opportunities with other agencies, institutions of higher education, local governments and/or private entities? (CHECK ALL THAT APPLY)
( ) Inter-agency collaboration guidelines and training
( ) Public-private collaboration guidelines and training
(*) List describing agency projects and applications
(*) List of public-private collaboration opportunities
( ) Statewide standards for IR project collaboration (including collaboration governance)
(*) Support resources to mentor and support agency collaboration efforts
2.7.10 Describe any other ideas or suggestions the agency has for improving capabilities for collaboration on technology projects.
[ The biggest problems with collaborative efforts are:
- Timing...the agencies have differing timetables for implementation.
- Differing requirements ...sometimes accommodated by basically creating two versions of the same system!
- Division of costs ...agencies with more funding can afford more and want more.
How are these costs and additional functionality shared? Identifying opportunities well in advance through planning and actually participating in the funding at the State level will solve some of these issues. ]
2.7.12 Describe any potential interoperability opportunities which could add value within the agency or outside the agency. Indicate the value associated with each opportunity.
[ A Statewide identity management program would reduce the pain of multiple logins. This is an extremely difficult problem to resolve and should be undertaken by the federal government. ]
2.7.11 Describe significant interoperability constraints and requirements that exist with other agencies, local or federal government, and institutions of higher education, stakeholder groups or private sector entities. These include systems and/or applications outside the agency with which data must be integrated and/or shared.
[ Surely no one intentionally creates problems for other agencies, but when specifications for file transfers change, knowing that well in advance provides preparation time. Identity management across agencies requires multiple login schemes. ]
2.7.13 Has the agency developed and implemented standards for information (data) architecture, including standards for data modeling, database design, and taxonomies?
( ) Yes
(*) No
2.7.14 Describe the key areas of focus on any existing data modeling, database and/or taxonomy standards. Indicate if the agency's data-focused standards may be valuable to other agencies.
[ The areas that have responsibility for this are doing an adequate job but there are no documented university standards. ]
2.7.15 Has the agency undertaken an enterprise data modeling effort?
( ) Yes
(*) No
2.7.17 How many agency data models (enterprise and/or application-specific) include data dictionaries or taxonomies?
( ) More than 50%
( ) Between 10% and 50%
( ) Less than 10%
( ) Not applicable
2.7.19 What could DIR do to support the agency's information architecture practices?
[ Continue to endorse the need as 'best practice'. ]
2.7.18 Describe the agency's policy and practice of keeping data models, database designs and/or data dictionaries/taxonomies (enterprise or application-specific) up-to-date or current.
[ Data models, database designs and data dictionaries are necessary documentation and, as such, are the responsibility of the developer to keep up to date. There is not a separate policy for each type of documentation. Given resource constraints, risk must be considered. Critical systems must be maintained. Software vendors often provide this documentation with their system. ]
2.7.21 Describe the key areas of focus on any existing coding and design standards (security, interfaces, etc). Indicate if the agency's coding and design standards may be valuable to other agencies.
[ Coding and design standards promote maintainability, quality, reusability and security. These need to be tailored for the specific technical environment to be usable to developers. The detailed standards are maintained and enforced for the environment which usually equates to a development team. ]
2.7.20 Has the agency developed and implemented coding and design standards for technical architecture?
(*) Yes
( ) No
2.7.22 How much of the agency's technical architecture has been modeled (development, testing and production environments, hardware, software DBMS, infrastructure, and other technology assets)?
(*) More than 50%
( ) Between 10% and 50%
( ) Less than 10%
( ) Not applicable
2.7.23 Describe the agency's policy and practice of keeping technical architecture models and/or system requirements and designs up-to-date or current.
[ Technical architecture models, system requirements and designs are necessary documentation and, as such, are the responsibility of the developer to keep up to date. There is not a separate policy for each type of documentation. Given resource constraints, risk must be considered. Critical systems must be maintained. Software vendors often provide this documentation with their system. ]
2.7.24 What could DIR do to support the agency's technical architecture practices?
[ Continue to endorse as 'best practice'. ]
2.7.27 Describe the key areas of focus on any existing business modeling/requirements standards and/or methodology. Indicate if the agency's business modeling/requirements standards and/or methodology may be valuable to other agencies.
[ Requirements must clearly identify:
- customers
- current processes
- new processes
- scope definition
- anticipated benefits
- process owner
- anticipated impacts & mitigation strategy
- technical considerations like backup & recovery, security, remote access, etc.
- responsibility for data input & reporting
These items are typical of a requirements definition and are not unique to UTHSC-H. ]
2.7.25 Does the agency gather business requirements separately and in advance of gathering system requirements?
(*) Yes
( ) No
2.7.26 Has the agency developed and implemented business modeling and business requirements gathering methodology and standards?
(*) Yes
( ) No
2.7.29 Describe the agency's policy and practice of keeping business models and/or business requirements up-to-date or current.
[ Business models and/or business requirements are necessary documentation and, as such, are the responsibility of the business process owner and developer to keep up to date. There is not a separate policy for each type of documentation. Given resource constraints, risk must be considered. Critical documentation must be maintained. ]
2.7.28 How much of the agency's business architecture (across all business divisions) has been modeled (enterprise service delivery and/or business process models)?
( ) More than 50%
( ) Between 10% and 50%
(*) Less than 10%
( ) Not applicable
2.7.31 What could DIR do to support the agency's business architecture process?
[ Training for Business System Analysts on how to perform business systems analysis and for non-technical managers on the value of the process and what outcomes should be expected. Training materials for business departments that could be used at the agencies to train participants on what to expect. ]
2.7.30 If the agency currently practices business architecture/modeling/requirements separate from system requirement efforts, which group(s) are responsible for producing the business models/requirements? (Note: business analysts and system analysts are generic role names, not job titles.) (CHECK ALL THAT APPLY)
(*) Business analysts who work WITHIN a particular business division
( ) Business analysts who work ACROSS business divisions, but are NOT technology staff
( ) Business analysts who work ACROSS business divisions, but ARE technology staff
(*) Systems analysts who work ACROSS business divisions, and ARE technology staff
( ) Systems analysts who work WITHIN a particular business division, and ARE technology staff
( ) Business or solution architects who work WITHIN or ACROSS business divisions, and are NOT technology staff
( ) Business or solution architects who work ACROSS business divisions, and ARE technology staff
( ) Not applicable
( ) Other (specify) [ ]
2.7.32 In which technology areas could shared or consolidated management and/or support help the agency better accomplish its mission? (CHECK ALL THAT APPLY)
( ) E-mail/messaging/collaboration services
( ) Human resources applications
( ) Financial applications
( ) Help desk
( ) Web services
( ) None of the above
(*) Other (specify) [ Statewide identity management ]
2.7.33 Describe the agency's interest in the technology area(s) indicated above (question 2.7.32).
[ Sharing resources across agencies is impaired by each agency having to create a new identity for each user, although the user probably already has an identity at another agency. ]
2.8.2 Describe the extent to which the agency experiences inconsistent technology terminology and definitions among different oversight agencies.
[ DIR seems to have the best definition of technical terms so we rely on those when reporting unless some other specific definition is requested. Definitions are usually broad enough to allow application of the DIR's terminology. ]
2.8.1 Describe the extent to which the agency experiences redundancies in technology reporting to oversight agencies and groups, including LBB, Comptroller of Public Accounts, Contract Advisory Team, DIR, Quality Assurance Team, and/or the Texas Building and Procurement Commission.
[ The amount of reporting that is required has increased dramatically over the last 10 years. Reports are rarely 'redundant' but they do overlap and/or require a slightly different set of data. This requires generating a new report rather than drawing on an existing report. The result is that reports do not match, probably creating confusion on the recipient's end. Making decisions based on information contained in reports that are not fully understood can create problems. Compliance (accountability) activities at agencies also require reporting that increases overall generation of reports. ]
2.8.4 Describe any other challenges the agency faces in reporting technology information to oversight agencies.
[ ]
2.8.3 Describe challenges in technology reporting to oversight agencies, including manual reporting requirements and/or the inability to directly export existing datasets.
[
- Reporting requirements that change every few years require that the agency redo the process to produce the reports as well.
- Web technology allowing the entry of material directly into oversight agencies' databases helps the oversight agency, but it means that agencies must collect information and then 'key stroke' or 'cut and paste' to get it into the database.
- The format of some reporting to oversight agencies renders the resulting report of little value to the agency that produced it.
- The volume of reports is growing.
Note that items 2 & 3 are probably not solvable since someone has to put the data into a consistent format. The question is who: the agency or the oversight agency? ]
2.8.5 Describe the agency's strategy and approach to technology asset management. Indicate if automated tools are used to discover, track and/or manage asset usage and status information. Technology assets include hardware, software, licenses, and service contracts.
[
- All technology assets have an owner/manager.
- The fewer owners, the better.
- All assets, not just technology, are tracked in accordance with State regulations. Asset inventories are performed annually.
- Central tracking of technology assets via automated tools is promoted wherever possible.
- Site licenses and blanket contracts are used where cost effective to reduce the requirement to count assets.
- Central control of assets identifies cost saving options such as volume purchasing and license aggregation.
- Licenses and service contracts are reviewed annually for scope and cost.
]
2.9.1 What types of automated tools does the agency currently use to manage data and information? (CHECK ALL THAT APPLY)
( ) Automatic classification systems
( ) Business intelligence
(*) Content management
(*) Document management
(*) Enterprise search engines
(*) Records management
(*) Imaging systems
(*) Information life cycle management
(*) Data Warehouse
(*) Web content management
(*) Workflow
( ) E-mail archiving
( ) None of the above
( ) Other (specify) [ ]
2.9.2 Which of the data and information management tools listed above is the agency considering or planning to purchase during the 2008-09 biennium?
[ E-mail archiving & web content management. ]
2.9.3a Describe how the agency would benefit from DIR support or shared services in data and information management.
[ Statewide vendor contracts are helpful. Shared services for e-mail archiving could be of value as well. ]
2.9.3 Would the agency benefit from DIR support or shared services in the data and information management areas cited in question 2.9.1?
(*) Yes
( ) No
2.9.5 Describe the agency's strategy and approach for protecting the citizens' personal data in content that is published on the agency's Web site or on publicly available information systems.
[ As an academic health center, 'citizen' data is likely covered by either HIPAA or FERPA, which are far more restrictive regulations. This data isn't available on the web except through tightly controlled access available only on an 'as needed' basis. UTHSC-H publishes policies with regard to data available on the web and periodically scans web sites for possible violations. 'Owners' of data have the responsibility of authorizing the use of their data and informing users of security requirements. ]
2.9.4 Describe the agency's strategy and approach for creating, retaining, and disposing of electronic records as detailed in the Electronic Records Standards and Procedures.
[ UTHSC-H has a Records Retention Schedule (RRS) that is certified by the State Library and UT System. Records kept in an electronic medium are covered by the RRS. The technology required to meet the intent of the RRS as applied to electronic records is in place. This includes storage, access, security, backup and recovery. ]
2.9.6 How often are agency Web sites (Internet and intranet) and public-facing Web-based applications checked/tested for accessibility compliance? (CHECK ALL THAT APPLY)
(*) Upon modification of existing content or functionality
(*) Upon development of new content or functionality
( ) Monthly
(*) When a problem is identified
( ) Accessibility compliance has not been tested
2.9.7 Who performs accessibility compliance testing? (CHECK ALL THAT APPLY)
(*) Agency Web/application design staff using test and evaluation tools
( ) Other state or public resources (e.g., the UT Accessibility Institute)
( ) Contracted service with a design/accessibility assessment contractor (e.g., Knowbility)
3.1.1 The agency head or his or her designated representative must review and approve ownership of information resources and their associated responsibilities.
Status
( ) Implemented
(*) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
Estimated Date
(*) 10/2006
3.1.2 Each agency must designate a full time Information Security Officer.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.3 Each agency must have annual reviews of their security program for compliance with the TAC 202 Security Standards.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.4 Each agency must perform a security risk analysis of information resources.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.5 Each agency must have documented Physical Security measures in place.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.6 Each agency must have a Business Continuity Plan.
Status
( ) Implemented
(*) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
Estimated Date
(*) 01/2007
3.1.7 Each agency must take measures to ensure that designated confidential information is accessible to only authorized users.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.8 Each agency must utilize the DIR monthly incident reporting system.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.9 Each agency must have controls in place to ensure that test functions for systems development, acquisition and testing are either physically or logically separated from production functions.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.10 Each agency must establish a perimeter protection strategy.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.11 All System Identification/Logon Banners must have the appropriate warning statements.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.12 All authorized users of agency information resources must be required to formally acknowledge that they will comply with security policies and procedures before they are granted access to information systems.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.1.13 Each agency must create, distribute and implement information security policies.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.2.1 During the current and past biennium has the agency coordinated in advance with the Texas Geographic Information Council on expenditures of over $100,000 to acquire, enhance, or develop a GIS base map dataset?
Status
( ) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
(*) Not Applicable
3.2.2 If the agency originates or adds content to a digital geospatial dataset and distributes it to other agencies or the public, does it offer the dataset in at least one format which is readily usable by a variety of GIS software packages?
Status
( ) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
(*) Not Applicable
3.3.3 If the agency acquires a federal or other public domain geospatial dataset, does it make it available to other agencies and the public via the agency's Web site and/or the Texas Natural Resources Information System?
Status
( ) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
(*) Not Applicable
3.2.4 If the agency originates or adds content to a digital geospatial dataset and distributes it to other agencies or the public, does it prepare standardized metadata documentation for each dataset, and distribute this metadata with the dataset?
Status
( ) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
(*) Not Applicable
3.2.5 If the agency generates or contracts for positional data using field measurement techniques, does it utilize the North American Datum of 1983 (NAD83) for horizontal positional data and the North American Vertical Datum of 1988 (NAVD88) for vertical elevation data?
Status
( ) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
(*) Not Applicable
3.3.1 The agency must adhere to the published standards when wiring or rewiring state-owned or state-leased space.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.2 If the agency holds an open or closed meeting by video conference call, the systems used must comply with the approved standards.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.3 The agency must purchase commodity software in accordance with contracts developed by the department, or obtain an approved waiver.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.4 If the agency receives information resources technologies under a contract from another state entity, it must solicit bids or proposals for the procurement of such technologies by giving public notice of a request for proposals or a request for bids.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.5 Each agency must manage electronic records according to the Electronic Records Standards and Procedures adopted by the Texas State Library and Archives Commission.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.6 Each agency must ensure that electronic records in its custody that have historical value to the state are properly preserved.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.7 Each agency must remove restricted personal information from any associated storage device prior to the sale or transfer of data processing equipment, to other than another Texas state agency or agent of the state.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.8 Each agency's IRM should at a minimum have a four-year degree from a fully-accredited post secondary institution (if appointed after September 1, 1992).
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
3.3.9 Each agency's IRM should meet or exceed the IRM continuing education requirements for FY2005.
Status
(*) Implemented
( ) In Progress
( ) Planned
( ) Not Planned
( ) Not Applicable
[ ] [agencyacronym] considers its 2006 IRSP submission to be complete.

