Enterprise IT policies, standards and guidelines: process for introduction, development, review, approval and communication [2007]

Georgia Technology Authority
ENTERPRISE IT POLICIES, STANDARDS AND GUIDELINES PROCESS FOR INTRODUCTION, DEVELOPMENT, REVIEW,
APPROVAL AND COMMUNICATION
Georgia Technology Authority (GTA)

TABLE OF CONTENTS
1 DEFINITIONS
1.1 Items Covered by this Procedure
1.2 Types of Requests
1.3 Approval Pathway Definitions
2 REQUEST CATEGORIES
3 PROCESS
3.1 Process Flow Fast Track
3.2 Description of Flow for Fast Track
3.3 Process Flow Main & Emerging Tracks
3.4 Description of Flow for Main & Emerging Tracks

1 DEFINITIONS
1.1 ITEMS COVERED BY THIS PROCEDURE
Policy - A general or high level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources. A "policy", as defined in this procedure, applies to policies which have been published by GTA pursuant to Enterprise Policy P-07-001.
Standard - A prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product or protocol which must be followed. A "standard", as defined in this procedure, applies to standards which have been published by GTA pursuant to Enterprise Policy P-07-001.
Guideline - A Guideline is similar to either a Standard or a Policy, in that it outlines a specific principle, direction, directive, specification, or procedure but is not binding. Rather, a Guideline is a recommended course of action.
1.2 TYPES OF REQUESTS
Agency Request - Driven by an Agency to solve a problem. Can be complicated, requiring GTA research, recommendations and implementation requirements.
GTA Request to Solve a Problem - Driven by a need to solve a specific problem. It's on the Fast Track. It is usually narrow in scope and it usually requires little review and needs to be processed quickly.
GTA or Agency Request to Rescind - Driven by a need to retire or rescind an established policy, standard or guideline.
GTA Request that is Forward Looking - Driven by a need for setting new technology norms for the enterprise that requires extensive research and consideration. An example is the standards for Wireless.

1.3 APPROVAL PATHWAY DEFINITIONS
Fast Track - Refers to a new request and/or need to revise an existing or developing PSG that requires immediate attention. A Fast Track request, by way of example, may be applicable to a mission critical system, a security issue, a State CIO or legislative mandate.
Main Track - Refers to a PSG request that needs to be analyzed and formalized before the CIO Council considers how to proceed. This is usually an Agency Request requiring SME expert(s) from that Agency. These types of requests may have exceptions and these exceptions are considered in the review process.
Emerging Track - A PSG Request, usually enterprise in scope, that requires extensive research, testing and review by a Work Group appointed by GTA's Enterprise Technology Planning Division (ETPD).

2 REQUEST CATEGORIES
PSG categories are listed by Category areas which are subdivided into Content Addressed sections. For a listing of the Category / Content Addressed areas for which PSG requests can be made, see the Standards Taxonomy document posted at the http://gta.ga.gov Web-site.

3 PROCESS

3.1 PROCESS FLOW FAST TRACK
This section and 3.2 provide a step-by-step explanation of how Fast Track IT policies, standards and guidelines are introduced, developed, reviewed and approved in Georgia. The descriptions below identify the tasks involved in Fast Track development of technology policies, standards and guidelines.

[Figure: Fast Track process flow, "Enterprise IT Policies, Standards and Guidelines Introduction, Development, Review and Approval". Swimlanes: Requestor (any State Agency / GTA personnel); Enterprise Technology Planning Division; Appointed SMEs; GTA Senior Officers; GTA Board; GTA Communications. Boxes: Requestor Submits Policy, Standard or Guideline Request; Concept Review (submission is screened for completeness / soundness / decision to continue / SME appointment); Appointed SMEs Draft Impact Analysis & Recommend Proceeding or Not; Appointed SMEs Draft PSG Statement; Implementation Review (ITPO Director, ETPD Senior Technology Planning Officer, State CTO, Deputy State CIO, State CIO); Sort (Policy / Standards, Guidelines); GTA Board Review; State CIO Signs; Publish to GTA Website; Requestor Notification / Notify Requestor. Decision points: Continue?, Proceed?, Approve?]

3.2 DESCRIPTION OF FLOW FOR FAST TRACK
Step 1. Requestor Submits Policy, Standard or Guideline
A Requestor may be Agency personnel, the State CIO and/or other staff of GTA. The Requestor submits a new and/or revised policy, standard or guideline (PSG) request to the Georgia Technical Authority's Information Technology Planning Office (ITPO). Although the ITPO will respond to a verbal request, requestors are urged to use the Policy, Standard and Guideline "Development Worksheet" that is posted on http://gta.ga.gov and submit electronically as directed at http://gta.ga.gov. ITPO will acknowledge receipt of the request via email, assign a control number to the request, and proceed to evaluation of the request. Initial review has an anticipated (5) day or less turnaround time.
Step 2. ITPO Evaluates Request & Appoints Subject Matter Experts (SMEs)
ITPO Management and the ETPD Senior Technology Planning Officer shall screen and evaluate PSG requests in a Concept Review. The reviewer shall consider the impact or relationship of the proposed item on existing policies, standards and guidelines, the value of the item being proposed, and the thoroughness of the documentation being presented. If development is not recommended, the request shall be returned to the Requestor with an explanation. Concept Review has an anticipated (5) working day or less turnaround time. At this point in the process, the Concept Review decision may be to:
A) Return to the PSG Requestor for rework, or
B) Disapprove the PSG Request altogether and withdraw it from further consideration, or
C) Proceed to Impact Analysis
Step 3. SME Impact Analysis
If the development of the requested PSG is approved at the initial review, one or more SMEs are appointed to perform an Impact Analysis of the proposed PSG and a lead SME-POC (point of contact) is designated in the case of multiple SME involvement. Impact Analysis has an anticipated (5) working day or less turnaround time. If Impact Analysis indicates that the state should not proceed with implementation of the PSG Request, the Requestor is notified.
Step 4. SME-POC Drafts Policy, Standard or Guideline Statement (PSG Statement)
Assuming the Impact Analysis evaluation indicates that the state should proceed with implementation of the PSG Request, the SME-POC drafts the PSG Statement (the actual policy, standard or guideline to be implemented and published) for ITPO Management and GTA Senior Management to review/approve. PSG Statement development has an anticipated (5) working day or less turnaround time.
Step 5. Implementation Review
The draft PSG Statement is reviewed by ITPO Management and GTA Senior Management in the Implementation Review for implementation approval. Unless the PSG Statement is a "Policy" development, the Implementation Review decision will determine whether the PSG Request is approved or not. Non-policy approvals proceed to Step 7. PSG Statement development has an anticipated (5) working day or less turnaround. At this point in the process, the Implementation Review decision may be to:
A) Return to the PSG Requestor or SME-POC for rework, or
B) Disapprove the PSG Request altogether and withdraw it from further consideration, or
C) Approve the PSG Request (forwarding for GTA Board review if "Policy")
Step 6. GTA Board Review
In the event of "Policy" development, an approval in the Implementation Review will lead to a review for approval by the GTA Board. It is anticipated that Fast Track approval decisions will be accomplished in 15 days or less turnaround time; however, it could be up to 90 days. At this point in the process, the GTA Board decision may be to:
A) Return to the PSG Requestor or SME-POC for rework, or
B) Disapprove the PSG Request altogether and withdraw it from further consideration, or
C) Approve the PSG Request
Step 7. Publish
Within (5) work days following the approval of the GTA Board, ITPO shall prepare the approved PSG for publication and distribution. ITPO shall initiate publication via GTA's Communication Office to all stakeholders.
3.3 PROCESS FLOW MAIN & EMERGING TRACKS
This section and 3.4 provide a step-by-step explanation of how Main & Emerging Track IT policies, standards and guidelines are introduced, developed, reviewed and approved in Georgia. The descriptions below identify the tasks involved in Main & Emerging Track development of technology policies, standards and guidelines.

[Figure: Main & Emerging Tracks process flow, "Enterprise IT Policies, Standards and Guidelines Introduction, Development, Review and Approval". Swimlanes: Requestor (any State Agency / GTA personnel); Enterprise Technology Planning Division; Appointed SMEs; GTA Senior Officers; CIO Council; GTA Board; GTA Communications. Boxes: Requestor Submits Policy, Standard or Guideline Request; Concept Review (submission is screened for completeness / soundness / decision to continue / SME appointment); Appointed SMEs Draft Impact Analysis & Recommend Proceeding or Not; Appointed SMEs Draft PSG Statement; Implementation Review (ITPO Director, Senior Technology Planning Officer, State CTO, Deputy State CIO, State CIO); CIO Council Review / Recommendation; Sort (Policy / Standards, Guidelines); State CIO Signs; GTA Board Review; Publish to GTA Website; Requestor Notification / Notify Requestor. Decision points: Continue?, Proceed?, Accept?, Recommend?, Approve?]

3.4 DESCRIPTION OF FLOW FOR MAIN & EMERGING TRACKS
Step 1. Requestor Submits Policy, Standard or Guideline
A Requestor may be Agency personnel, the State CIO and/or other staff of GTA. The Requestor submits a new and/or revised policy, standard or guideline (PSG) request to the Georgia Technical Authority's Information Technology Planning Office (ITPO). Although the ITPO will respond to a verbal request, requestors are urged to use the "Policy, Standard and Guideline Development Worksheet" that is posted on http://gta.ga.gov and submit electronically as directed at http://gta.ga.gov. ITPO will acknowledge receipt of the request via email, assign a control number to the request, and proceed to evaluation of the request. Initial review has an anticipated (5) working days or less turnaround time.
Step 2. ITPO Evaluates Request & Appoints Subject Matter Experts (SMEs)
ITPO staff and the ETPD Senior Technology Planning Officer shall screen and evaluate PSG requests in a Concept Review. The reviewer shall consider the impact or relationship of the proposed item on existing policies, standards and guidelines, the value of the item being proposed, and the thoroughness of the documentation being presented. If development is not recommended, the request shall be returned to the Requestor with an explanation. Concept Review has an anticipated (10) working days or less turnaround time. At this point in the process, the Concept Review decision may be to:
A) Return to the PSG Requestor for rework, or
B) Disapprove the PSG Request altogether and withdraw it from further consideration, or
C) Proceed to Impact Analysis
Step 3. SME Impact Analysis
If the development of the requested PSG is approved at the initial review, one or more SMEs are appointed to perform an Impact Analysis of the proposed PSG and a lead SME-POC (point of contact) is designated in the case of multiple SME involvement. Impact Analysis has an anticipated (10) to (20) working days turnaround time for Main Track requests and (20) to (48) working days for Emerging Track requests. If Impact Analysis indicates that the state should not proceed with implementation of the PSG Request, the Requestor is notified.
Step 4. SME-POC Drafts Policy, Standard or Guideline Statement (PSG Statement)
Assuming the Impact Analysis evaluation indicates that the state should proceed with implementation of the PSG Request, the SME-POC drafts the PSG Statement (the actual policy, standard or guideline to be implemented and published) for ITPO Management and GTA Senior Management to review/approve. PSG Statement development has an anticipated (10) to (20) working days turnaround time for Main Track requests and (20) to (48) working days for Emerging Track requests.
Step 5. Implementation Review
The draft PSG Statement is reviewed by ITPO Management and GTA Senior Management in the Implementation Review for implementation approval. The Implementation Review decision will determine whether the PSG Request advances to CIO Council consideration. Implementation Review has an anticipated (5) to (10) working days for turnaround. At this point in the process, the Implementation Review decision may be to:
A) Return to the PSG Requestor or SME-POC for rework, or
B) Disapprove the PSG Request altogether and withdraw it from further consideration, or
C) Approve the PSG Request (forwarding for CIO Council review)

Step 6. CIO Council Review
With Implementation Review approval, the SME-POC, on behalf of GTA, shall present the proposed PSG Statement and substantive comments concerning the item to the CIO Council for review and live discussion until the issues are resolved to a solid recommendation. When the process is complete, the POC will compile all comments from the discussion, along with any recommendations of the CIO Council. In cases where a specific question or issue deserves or requires a more in-depth response than can reasonably be concluded in a single meeting, the document shall summarize the response as well as acknowledge a need for a more detailed response. At the discretion of ITPO, documents shall be reposted for review if there are material changes as a result of the live discussion. Subsequent meetings may be held, with required additional analysis performed, until the issues are resolved and a vote is taken to recommend the PSG Statement or not. If the PSG Statement is not a "Policy" item and the CIO Council recommendation is affirmative, the PSG Statement is fully approved and published. CIO Council Review has an anticipated (30) to (60) working days turnaround time unless the CIO Council requests changes to be made. At this point in the process, the CIO Council decision may be to:
A) Return to the PSG Requestor or SME-POC for requested rework, or
B) Recommend disapproval of the PSG Request altogether, or
C) Recommend approval of the PSG Request
Step 7. GTA Board Review
In the event of "Policy" development, an approval recommendation by the CIO Council will lead to a review for approval by the GTA Board. It is anticipated that Main and Emerging Track approval decisions will be accomplished in (90) calendar days or less turnaround time unless the Board requests changes to be made. At this point in the process, the GTA Board decision may be to:
A) Return to the PSG Requestor or SME-POC for rework, or
B) Disapprove the PSG Request altogether and withdraw it from further consideration, or
C) Approve the PSG Request
Step 8. Publish
Within (5) work days following the approval of the GTA Board, ITPO shall prepare the approved PSG for publication and distribution. ITPO shall initiate publication via GTA's Communication Office to all stakeholders.