Information technology report FY 2009 [Jan. 2010]

State of Georgia Information Technology Report
For Fiscal Year 2009
ENTERPRISE GOVERNANCE AND PLANNING

Georgia State Information Technology Report 2009
Table of Contents
Purpose................................................................................................................................ 1 Executive Summary ............................................................................................................ 2 FY2009 Accomplishments.................................................................................................. 6
Georgias Information Technology Transformation (GAIT2010) ............................. 6 Governance ................................................................................................................. 7 Strategic Planning for Information Technology ......................................................... 7 Information Security ................................................................................................... 8 PeopleSoft Program .................................................................................................... 8 Key Investments in Technology ....................................................................................... 10 Key Investments in Technology ....................................................................................... 10 Project Portfolio ........................................................................................................ 11 Application Portfolio ................................................................................................ 14 Challenges and Opportunities ........................................................................................... 18 Issue 1 -- Business Expectations for IT have outstripped IT's Internal Capability to Deliver....................................................................................................................... 18 Issue 2 -- How to More Rapidly Modernize Infrastructure and Operations and Reduce Costs............................................................................................................. 19 Issue 3 -- Business Accountability for Security and Risk Management................... 20 Issue 4 -- Lack of Business Intelligence Sponsorship .............................................. 21 Issue 5 -- How Do I Get My Vendor to Deliver What I was Promised? .................. 22 Issue 6 IT Turf Control .......................................................................................... 22 Issue 7 -- Should We Modernize Applications? If So, When? ................................. 23 Issue 8 -- To Whom Should Business Process Professionals Report?...................... 24 Issue 9 -- How Much Formal Process is Needed for Program and Portfolio Management? ............................................................................................................ 24 Opportunities for Improvement - Lessons Learned from Projects 2006 - 2009 ........... 25 Plans for FY2010 and Beyond .......................................................................................... 28 IT Transformation to a Sustainable Service Delivery Model ................................... 28 Enterprise Performance Management Framework for Technology.......................... 29 Online Customer Service Experience ....................................................................... 29 Appendices........................................................................................................................ 30 Appendix A Data Tables from Agency Information Security Report ....................... 31 Section 1: Agency Participation.................................................................................... 31 List of agencies that formally completed FY09 AISR.............................................. 31 Section 2: Information Security Program Management ............................................... 35 List of Moderate Impact agencies with named SAISO ............................................ 36 List of Low Impact agencies with named SAISO .................................................... 37 List of High & Medium agencies without named SAISO ........................................ 37 List of agencies with named Privacy Officer............................................................ 38 List of agencies without named Privacy Officer....................................................... 38 Security Governance - agencies that follow Enterprise PSGs................................. 39 Security Governance - agencies that follow augmented Enterprise PSGs .............. 39 Security Governance - agencies that develop & maintain own PSGs ..................... 41 Security Governance - agencies with no formal framework .................................... 41 Security Governance - Others ................................................................................... 41 Section 4: Security Risk & IT Portfolio Management.................................................. 43
i

Georgia State Information Technology Report 2009 Agencies by Impact Categorization .......................................................................... 43 Section 5: Business Continuity Planning...................................................................... 47 Agencies with Emergency Support Functions (ESF) ............................................... 47 Business Continuity Planning ................................................................................... 47 Business Continuity Planning Tool (Other than Enterprise LDRPS) ....................... 48 Emergency Preparedness .......................................................................................... 49 Section 6: Incident Response & Reporting (appendix-6) ............................................. 50 Agencies that have documented Incident Response Plan with GTA........................ 50 Appendix B - Enterprise IT Maturity in 3 Areas .............................................................. 51 Appendix C Largest State Applications by Spend......................................................... 67 Appendix D - Strategic Planning for Information Technology ........................................ 68 Appendix E IV&V Case Studies Summary ................................................................... 70 Appendix F - State Application Inventory........................................................................ 71 Appendix G - State Project Inventory............................................................................... 93 Appendix H Critical Projects Completed in 2009 ....................................................... 104
ii

Georgia State Information Technology Report 2009
Purpose
"Technology is the underpinning of a well-run, modernday enterprise. It is the cornerstone of making decisions
that will lead our state to the best-managed state." - Governor Sonny Perdue
O.C.G.A 50-25-7.10. Annual state information technology report; requirements; standards
(a) The [Georgia Technology Authority] executive director shall publish an annual state information technology report that shall include:
(1) A report on the state's current and planned information technology expenditures, in cooperation with the Office of Planning and Budget and the state accounting officer, that shall include, but not be limited to, line-item detail expenditures on systems development, personal services, and equipment from the previous fiscal year and anticipated expenditures for the upcoming fiscal year;
(2) A prioritization of information technology initiatives to address unmet needs and opportunities for significant efficiencies or improved effectiveness within the state information technology enterprise; and
(3) A prioritized funding schedule for all major projects or initiatives, as well as cost estimates of the fiscal impact of the recommended information technology initiatives. The state information technology report shall be submitted to the Governor, the General Assembly, and the board on or before October 1 of each year. The authority may adopt an accrual method of accounting. The authority shall not be required to distribute copies of the annual report to members of the General Assembly, but shall notify the members of the availability of the report in the manner in which it deems to be the most effective and efficient.
(b) Agencies shall be required to submit information technology reports to the authority not more than twice annually and with such content as the board shall define. The authority shall establish standards for agencies to submit the reports or updates. Standards shall include, without limitation, content, format, and frequency of updates.
The Georgia Technology Authority (GTA) provides annually to the Governor, the Legislature, and to the Office of Planning and Budget a report on information technology in the State of Georgia based on reports provided by all agencies to GTA except those:
- Within the Judicial Branch of Government, - Within the University System of Georgia, - Under the direct control of the General Assembly, - Under the direct control of statewide elected officials other than the Governor.
Page 1 of 104

Georgia State Information Technology Report 2009
Executive Summary
Technology has become an integral part of our everyday lives. More products and services are being offered to consumers online. Those products and services can be purchased by anyone anywhere in the world through the Internet or with "smart phones" that more closely resemble powerful computers than phones. Large organizations cannot operate without technology, and the best managed organizations view their technology investments as assets, not mere expense items. Those same organizations understand the need to keep up with technological change and manage their technology investments as they would manage investments in a new product.
Government relies on technology as much as any large company. In fact, with $17 billion in revenue, Georgia would rank 137 if it were a Fortune 500 company. The state's 116 departments and other organizational entities serve one of the fastest growing populations in the nation, currently 9.7 million an 18.3 percent increase since 2000. From delivering food stamps to policing our state highways, the cornerstone for providing good customer service is a modern, secure, reliable and cost-effective technology infrastructure. Yet we do not treat our state's technology as an investment, and we have fallen far behind in managing our IT assets. Many states face a similar situation.
We are working to reverse a decades-long approach to managing technology that has resulted in: a sprawling, poorly planned and aging infrastructure, multiple points of failure leading to frequent outages, inadequate security, duplicate spending, an inability to document the benefits of IT expenditures, and a failure of IT projects to be completed on time, within budget and to meet business needs.
In compiling information from 71 state agencies, this report tracks the progress we made during FY 2009 in closing many of these gaps. In doing so, it also helps us to identify areas where we continue to be deficient and underscores additional actions we need to take. This comprehensive, critical view is at the center of viewing IT expenditures as an investment as important to the future of our state and its citizens as any other.
Privatizing the State's IT Operations
Infrastructure is one piece of the investment puzzle. In FY 2009 alone, the state of Georgia spent a total of $942.7 million1 on information technology with $274.8 million going toward operating IT infrastructure. Despite such large expenditures, serious deficiencies in the state's IT infrastructure have been well documented in recent years, and leaders have come to realize that the operation and delivery of technology services is not a core competency for state government.
Both the Governor's Commission for a New Georgia and an independent assessment determined that Georgia was carrying too much risk, and its IT problems were too great for the state to solve on its own. The problems have been widespread and deep: PCs running operating systems too old to support current anti-virus software, service interruptions due to inadequate backup power
1 This amount is only for the 71 reporting agencies and does not include expenditures by some large organizations such as the University System of Georgia, and the Department of Transportation.
Page 2 of 104

Georgia State Information Technology Report 2009
for critical IT systems, failure to backup important data due to broken servers, and underfunding of disaster recovery and security. In particular, inadequate security has had a tangible effect on Georgians. Since 2005, more than 4.5 million notification letters have been sent to people whose private information may have been exposed from state computers.
Correcting problems of this magnitude required decisive action. After what was arguably the most competitive and transparent procurement in the history of Georgia state government, the state outsourced IT infrastructure services to IBM beginning April 1, 2009, and managed network services to AT&T beginning May 1, 2009. In addition, the Georgia Technology Authority (GTA) which provided technology services to state and local government agencies was reorganized, downsizing from 600 employees to about 170. GTA shifted its focus to managing the delivery of services and, prior to contract signing, fully staffed its Service Management Organization to prepare GTA and other agencies for service transition and to oversee service delivery. Tools such as service level agreements, operational metrics and opinion surveys are now assisting in day-today management as the initiative begins to deliver positive, measureable results for the state.
The business model projects savings of $203 million over the life of the IBM and AT&T contracts, and during the next two years, Georgia will see the cost efficiencies made possible by modern technology. At the same time, the state is already benefiting from private-sector best practices and improving its ability to secure citizens sensitive information. By partnering with the private sector, Georgia has made significant progress in building a sustainable model for longterm investments in critical technology infrastructure.

Program and Project Management
Planning and implementing IT projects is another piece of the investment puzzle. In FY 2009, state agencies reported expenditures totaling $284.3 million on IT projects. Ensuring the money is well spent and the projects are successful are the goals of program and project management. At the same time we were working to transition technology services to IBM and AT&T, we were also making progress in these two areas.

100%

Project Delivery Effectiveness
by $

Benchmarks

Georgia Actuals

GTA conducted project management training and developed enterprise-wide

90%

standards and processes

80%

with a focus on project

70%

assurance. According to

60%

Risk

industry metrics, less than

50%

40 percent of private-

40%

sector projects and 20

30%

percent of government-

20% 10%
0%

Industry

Gov't

2007

2008

2009

Failure Challenge Success

sector projects earn a rating of success (labeled Benchmarks in the figure). Even worse,

nearly 20 percent of

private-sector and 30 percent of government-sector projects are rated as failures. Thanks to our

efforts in project management, Georgias success rating is near 90 percent with no failures.

Page 3 of 104

Georgia State Information Technology Report 2009
In program management, GTA tested the use of an IT governance methodology to oversee the state's investment in PeopleSoft Financials and Human Capital Management systems. The PeopleSoft governance organization established the state's priorities, managed conflicts between different agencies and projects, and successfully delivered several major initiatives while avoiding waste. All projects in the governance organization's portfolio were successful.
Application Maintenance and Support: The Next Opportunity
The final piece of the investment puzzle is application development and support, which accounted for $383.6 million in spending during FY 2009. It is the largest, least managed and least understood of the state's technology investments. Consequently, it is also the next area of focus for GTA and the state's leadership.
Each application operated by the state has three key factors to be considered: Business value; Cost; Risk to the state and its constituents.
For application portfolio management, our goals are to: Maximize business value (defined as return minus related expenses) for each application and the entire portfolio of applications; Manage the cost; and Manage the risk.
This sounds like common sense. However, the state must take some initial steps before it can see the complete application portfolio and reap the benefits of improved application management.
First, we need a single portfolio of applications that includes key pieces of information about the application and the business functions it supports. Each agency currently maintains its own portfolio or list of applications.
Second, we need to use standard measures and terminology to develop and define the portfolio view. Each application must have its business value evaluated on a regular basis with a common methodology. Such an approach will enable agency and state leaders to identify applications with issues and take appropriate action to continue delivering the needed services or functions.
Third, we need to identify and manage risks, including risks associated with information confidentiality, integrity, availability and service delivery. Empirically, money is wasted when risks associated with applications are not properly managed.
While the information reported by agencies in the area of application governance is not complete, the data we do have reveals that the state spends significant amounts of money for duplicate applications such as e-mail, identity management and document imaging. By continuing to allow agencies to maintain utility or easily shared applications in independent silos, the state is wasting even more money.
Page 4 of 104

Georgia State Information Technology Report 2009
Within each agency, there must be application governance that uses standard methods for measuring and documenting the characteristics of each application. These standard measures must then be used to identify and manage the costs, risks and the business value of each application. When the risks are too high to accept, state leaders must be made aware so we can take appropriate action to protect the state while delivering effective constituent services.
Moving Forward Technology can make government more effective and more efficient. It can help us deliver services to our customers in a timely, cost effective manner and it can help us streamline processes that will allow us to cut costs when times are tough. But technology evolves too fast for government to keep up with. For the state to benefit from technologys promises three things must take place:
1. Technology must have a seat at the planning and decision making table. This must occur at the agency and enterprise level;
2. The State of Georgia must view technology as an investment rather than an expense. Until we make a conscious decision to maintain technological currency, we will never be able to keep up with our customers;
3. The State of Georgia must strengthen and adhere to a strong governance model. Governance sets standards and ensures a return on technology investments. It gives business owners and decision makers a full view of technology investments and the outcomes of those investments.
The State of Georgias technology transformation is moving our state government towards a model that will better serve our government and will allow our government to better serve our customers. We still have much work ahead of us but we are finally on a path that will allow us to use technology as it was intended.
Page 5 of 104

Georgia State Information Technology Report 2009
FY2009 Accomplishments
With the challenges of the worldwide banking and financial markets at the end of 2008, Georgia faced declining revenues and expanding demand for constituent services. During this time, almost all of the technology initiatives underway maintained their course while addressing changes and challenges to their budgets and resources.
While there were many technology projects that were successfully executed, some to completion during 2009 (see Appendix H Critical Projects Completed in 2009), the following highlights some of the most significant achievements that improved the ability to deliver business services in the state of Georgia.
Georgia's Information Technology Transformation (GAIT2010)
This initiative has been the largest technology investment project in the history of the state of Georgia. This effort began in 2007 with an assessment of the existing computing technology infrastructure and managed network services. The assessment resulted in a recommendation to consolidate and outsource these respective areas across 12 state agencies. The basis for this recommendation was that the state of Georgia showed a substantially low level of maturity and capability in managing its computing and network infrastructure and that there was imminent and substantial risk if no action was taken. In the words of Governor Perdue at the time, "I cannot even assure Georgians that we have the basic, essential security and disaster recovery levels worthy of a 24-hour-aday, 7-day-a-week operation serving the needs of over nine million Georgians."
The transition to a new service delivery model was completed in the first half of 2009, and this transition occurred without any additional costs to the agencies. The most significant part of the transition occurred with the outsourcing of technology computing infrastructure services and managed network services (including telecom) to industry leaders, IBM and AT&T, respectively. The transition accomplished all of its major objectives on schedule, including a consolidated service desk to support all the included agencies, transfer of over 679 positions2 to the service providers, the establishment of a set of service levels and standards, and creation of a new service management organization to monitor, measure and manage the delivery of technology services to customer agencies.
This transition to a new service delivery model incorporates some fundamental changes in the way technology services will be delivered in the future, but the primary point of change is that agencies will pay market-comparable rates for the services they receive. This has required changes in the way IT services are identified, packaged, requested, delivered and paid for. During the latter half of 2009 and through 2010, the transformation effort will begin to leverage the service providers corporate capabilities to enable significant benefits in the infrastructure and network platforms leading to more
2 Positions: State Employees 389, Vacant positions 162, Contractors 128
Page 6 of 104

Georgia State Information Technology Report 2009
secure, reliable and effective services for all participants. For more information, see State Technology Transformation (GAIT 2010).
Governance
The ability to effectively manage information technology across a state enterprise requires a framework for decision rights and accountability. During 2009, GTA established this framework based around Enterprise Performance Management (EPM), a consistent set of processes that help organizations optimize their business performance. EPM consists of a minimal set of practices in the form of Policies, Standards and Guidelines (PSGs) that agencies can use to measure their compliance with industry practices and a predictable path or lifecycle, which can be used to regulate investment decisions.
GTA has created the Enterprise Performance Lifecycle (EPLC) management process, which will be used to monitor and control the states IT investments and to ensure continuous improvements in and maturity of practices. It will also become the basis for certifying and accrediting applications and systems deployed in support of the states business. Integral to this approach is the ,,birth-to-death concept for IT investments, which includes key deliverables, measurements, and participants and each stage in the ownership of the application or system. Reviews conducted at each stage will ensure that IT investments have the right level of resources to be successful and effective. In this manner, business owners will have the best information needed to make informed decisions on behalf of the state business at the point in time it is needed. For more information, see Governance.
Strategic Planning for Information Technology
Information technology supports and enables business, but it cannot drive business. Every dollar spent on IT must be considered for the business function it delivers. GTAs IT strategic planning process works seamlessly with the strategic planning process managed by Georgias Office of Planning and Budget (OPB) to map projected benefits of business intentions to the capabilities required for their realization. There are three parts to GTAs IT strategic planning process:
1. Understanding agency business need, 2. Understanding IT capability and direction, 3. Marrying business need to IT capability. GTAs planning process does this by working with agencies through the normal OBPmanaged strategic planning process to understand agency business needs. We work with our external service providers to define the technology plan for the state. Our service providers are industry-leading experts in data services and managed network operations. Finally, the GTA strategic planning team works with GTAs service management
Page 7 of 104

Georgia State Information Technology Report 2009
organization to coordinate the smooth blending of technology capability with business needs. Knowledge of agency business needs and Georgias technology capabilities gained in GTAs IT strategic planning process enables the rest of GTAs activities. It allows sensible parameters in stage gates, defines resource demand to facilitate portfolio prioritization, and feeds capacity planning and demand forecasting activities in operations. While it consumes very little GTA resources, IT strategic planning is essential to for Georgia to become the best managed state, and it is even more important to sustain the gains. For more information on the State of Georgia, Information Technology Strategic Plan, see State Technology Planning.
Information Security
Governor Perdues Executive Order regarding information technology security reporting requires GTA to develop the format and required content for annual agency information security reports (AISRs). With his Executive Order, Governor Perdue took the leadership role in addressing the information security needs of the state. Agencies produce uniform AISRs which GTA compiles into the annual Enterprise Information Security Report, which will allow senior state leaders and citizens alike to measure the effectiveness of the states information security efforts.
The vision of the information security program is, "That each state information system has an owner that has made an informed decision to accept the risks associated with operating that system." Therefore, the practice of information security is to identify those associated risks and properly manage them. It is not an absolute science, but it should reflect fact-based decisions and processes.
While our primary focus within information security is on risk management, the current Information Security Strategic Plan includes other areas of focus: business continuity planning, workforce training and awareness, standardization and collaboration. GTA will constantly evaluate the risk landscape and consult with industry and state agencies to develop new strategic focuses for state security improvements. By continually adjusting our focus areas and measuring and reporting on our progress in these areas, information security will be a strength in Georgias government.
For more information of the State Security Program, see Enterprise Information Security.
PeopleSoft Program
The State Accounting Office manages the States financial and personnel management systems through one enterprise resource planning (ERP) system, PeopleSoft. Initially deployed in 1999 as part of a ,,Year 2000 (Y2K) initiative at an investment of $70
Page 8 of 104

Georgia State Information Technology Report 2009
million, the PeopleSoft system represents a significant accomplishment that very few states have replicated. The system, costing approximately $14 million each year, still has significant challenges and has progressed toward a comprehensive, programmatic approach in managing the number of projects and changes required to make this an effective and reliable system for all the agencies that use it. In Fiscal Year 2009, the PeopleSoft Governance Council was in the second year of operation. Early in the fiscal year, the Governance Council established a process for new project requests and approval. To support this initiative, they approved the implementation of a project prioritization approach that would assist in determining staffing and resource assignments for projects in support Georgia's "Best Managed State Initiatives". The Governance Council also approved the customization approval process which limited the number of customizations and helped to lower the `Total Cost of Ownership'. The PeopleSoft Program Office conducted on-going cross-team meetings and provided oversight of the projects within the program, which led to six successful project implementations during FY09. These projects included:
Financial system 9.0 upgrade Team Georgia Marketplace procurement project pilot ePerformance rollout to 91 agencies Health and Human Services reorganization Technical colleges consolidation Department of Transportation Project Funding Control For more information, see Enterprise Financial and Human Capital Management Systems.
Page 9 of 104

Georgia State Information Technology Report 2009

Key Investments in Technology

This section aggregates information collected from agencies reports to GTA. While GAIT2010 provided the most detailed view of the computing services and network environment, especially in support of those participating agencies, the data collected from the agencies on projects and applications is incomplete and inconsistent. This report provides the most comprehensive and complete view to date, although there is more work needed in providing an accurate view of the states investment in technology.3

An examination of the investments in technology is required to answer the four basic questions of any business: 1) Are we doing the right things? 2) Are we doing them the right way? 3) Are we getting them done well? 4) Are we getting the benefits? This report begins the process of answering these questions by first providing information on what we have and what we are doing. Strategic Planning helps align what we are doing with the business objectives. Governance aligns doing things the right way and achieving benefits. Based on the current data, the portfolio of IT investments totals $943 million. While significant effort has been made to transition and transform the infrastructure (computing services and managed network services), this represents only 29% of the total current investment in information technology.

The current portion of the projects that are currently under direct oversight by GTA, either through the independent verification and validation (IV&V) process4 or through the Critical Project Panel Review process, is $211 million or about 74% of the known projects. This area is examined in more detail below in the Project Portfolio section.

$450,000,000 $400,000,000 $350,000,000 $300,000,000 $250,000,000 $200,000,000 $150,000,000 $100,000,000
$50,000,000 $-

Projects, $284,343,895
Projects

Applications, $383,655,398
Applications

Figure 1 - IT Investments for State of Georgia

Infrastructure, $274,804,757
Infrastructure

The largest single portion of the IT portfolio is the Applications Portfolio which accounts for $384 million. This area is examined in more detail below in Application Portfolio section.

3 Reference Appendix A for information on Agency data submissions and data completeness. 4 For more information on the IV&V Process, see: http://gta.georgia.gov/00/channel_modifieddate/0,2096,1070969_144323748,00.html
Page 10 of 104

Georgia State Information Technology Report 2009

Project Portfolio

The current project data reflects an incomplete picture of the known and active project

initiatives, but the information provided reveals definite trends. Based on the Strategic

Plan information collected with the Office of Planning & Budget, the majority of new IT

initiatives proposed, and in some cases funded, for FY 2010 and beyond will be web-

based enablement of business

functions (47%), applications

Project-type Breakout

enhancements (16%) and data

analysis/ data

warehousing/business

Applications 16%

intelligence (14%). BC/DR 3%

The remaining areas comprise

Web

less that 25% of the proposed

47%

Communications 1%

spend across productivity tools,

Data manipulation 14%

network, equipment, ERP,

business continuity/disaster recovery and communications.
Project Effectiveness

Document Management 4%
Equipment 4%
Productivity tools Network ERP Systems
Figure 2 - State of Georgi4a% Pro3%jecy-4t%ype Breakout

During 2009 there was a continued improvement in overall ability to deliver IT projects

reliably and effectively based on the tracking of enterprise critical projects. The state of Georgia uses a current measure of effectiveness5 in delivering successful IT projects

based on the Standish

100%

Project Delivery Effectiveness
by $

Benchmarks

Georgia Actuals

Groups CHAOS Report, which tracks technology projects across multiple

90%

industries, organization

80%

sizes and varying

70%

complexity.

60%

Risk

50%

The chart illustrates that the

40%

state of Georgia has

30%

20%

Failure delivered projects more

10%

Challenge effectively than the

0%

Success benchmarks for all

Industry Gov't

2007

2008

2009

industries (the government

segment in particular) over

the last three years. It also depicts that the ability to deliver projects has improved each

Figure 3 - Project Delivery Effectiveness

year since 2007.

5 Project Effectiveness will be measured as the IT Enterprise Proposed Project Portfolio $ Value / (Cancelled Projects $ Cost + Completed Projects Total $ Cost).
Page 11 of 104

Georgia State Information Technology Report 2009

Of particular significance is the area of the 2009 column shown with the bracket of ,,Risk. This represents the portion of projects that would be Challenged (yellow) or Failed (red) as compared to the Government benchmark column, if we did not apply mature practices and methodologies within the state of Georgia. Without project management maturity, the current portfolio of $332 million would deliver only 71% of the functionality planned and would cost the state $488 million, based on the Standish research.

Portfolio Trends

Breakdown of Projects by $ Size

The current portfolio of projects reflects 355

projects with zero $ value, 162, 46%

active projects across

all the agencies

providing data, with a

total project portfolio

value of $332 million dollars, up 24% from

less than $100k, 81, 23%

greater than $1m, 48, 13%

$268 million in 2008.

betwn $100k & $1m, 65, 18%

During 2009, projects totaling $142 million

Figure 4 - Breakdown of Projects by Size

were delivered or removed from the portfolio and $52 million of new projects were

identified through the standard Agency Project Request (APR) process, which leaves

$147 million of newly identified and previously unreported projects in the current project

portfolio. Within the portfolio, 162 projects, or 46%, have zero dollars associated with

them.

Total Project Costs as a Percentage by Agency

TRS 2%
DoAg 2%
GBA 2%

SAO 1%
All Others 10%

GDC 2%

DCH 23%

Of the existing projects with dollar values, 81 projects are valued at less than $100k, 65 projects valued between $100k and $1 million

SBWC 2%

and 48 projects are

GTA 3%

valued at greater than

GBI

$1 million in total cost.

4%

DOR 5%

CNG 6%

DOE

6%

SRTA

Figure 5 - Project Cost by Agency8%

DDS 15%
DHS 9%

costs or 41% of the portfolio value.

There are currently 7 projects valued at greater than $10 million, which by themselves represent $135 million of total

Page 12 of 104

Georgia State Information Technology Report 2009 Observations on Project Portfolio
Project management methodologies and practices have improved significantly since the EPMO was formed in 2001. Project effectiveness for critical projects is `high' relative to industry practices, but the risks of significant project failure or challenges to either budget or schedules still exist, so diligence in project management methodologies is still required to maintain effectiveness. Opportunities exist to reduce redundant project spending, consolidate project efforts across organizations and reduce overall costs. Opportunities exist to leverage key systems to enterprise level capability across multiple agencies, especially for web technologies, data manipulation and application support processes.
Page 13 of 104

Georgia State Information Technology Report 2009

Application Portfolio

The application portfolio is composed of the systems and applications identified and managed by the state agencies. This area is the largest portion of the states IT investment and, with one notable exception, the agency that uses the application is also responsible for managing the application, which describes a decentralized model of application management. The notable exception is the PeopleSoft Financials, Human Capital Management, and Procurement system which is used by most state agencies and is managed by the State Accounting Office.

In this years data collection, 43 agencies listed a total of 519 systems/applications6. Of these, 197 (38%) are listed as mission critical to the agencys business, while 217 (42%) are listed as important to the agencys business.

Agency Application/Systems by Criticality

Critical, 197, 38%

Important, 217, 42%

Critical Systems

Of the critical application/systems, 27 or 14% are more than 10 years

General, 105,
Figure 6 - Applications by2C0%riticality

old and 33 or 28% are between 5

and 10 years old. Only 29 systems

have been deployed within the last 2 years.

Critical Applications by Age Group

Less than 2 years old 22%

Greater than 10 years old 21%

Btwn 2 & 5 years old 29%

Btwn 5 & 10 years old 28%

Of the critical applications, 148 or 76% are custom code and 38 or 19% are commercial-off-the-shelf (COTS) systems. Also, of those critical applications that are customer-coded, the breakdown by age shows that 49% are 5 or more years old.
Of the 8 agencies that labeled themselves as high impact, there are 73 critical application/systems.

6 For this data collection exercise, there was a distinction made between systems and applications but the data collected showed that the agency representatives providing the data did not perceive a difference between a system and an application. This report treats the collected information as an Application, which will be the reference used throughout the remainder of the report, except in the appendices, where the data is reported as collected.

Page 14 of 104

Georgia State Information Technology Report 2009

Operating/Database Systems

There are three basic types of operating system platforms being generally used: Windows

(376), UNIX (124) and some type of mainframe

Database Systems by Vendor

(55). Within the Windows

and UNIX platforms, there is a wide variation on the version levels, with no apparent consistency.

Other, 37
Paradox, 3 Filepro, 4

MS SQL, 57

DB2, 7

The various database

systems used by

Access, 22

applications also show a

strong grouping among two

major platforms and then a

Oracle, 76

wide distribution and

variation for a significant portion of the systems implemented. Figure 7 - Critical Applications by Age Group

Support Costs/Maintenance

The support cost data is not complete or accurate yet, but there have been improvements in the information provided by the agencies. At the core of the data collection problem is that agencies do not currently track their spending reliably against individual applications or systems. The summary views are better but still should not be taken as totally accurate.

What we can demonstrate to some

degree is the high level spending

that occurs across all agencies.

Based on defined spend

Personnel

categories, contracts and

Operations Equipment Telecom (GTA)

personnel represent 62% of the total spend. This generally

Telecom (Non-GTA) Contracts

represents the costs inside the agency rather than the telecom,

equipment and operations costs

which are supporting elements.

This also reflects a balance

between in-house staff and outside vendor/contract support, which is leaning more

towards outside support.

Page 15 of 104

Georgia State Information Technology Report 2009

Maturity Assessment

Improving the maturity of information technology management has been a strategic aim for GTA. Initially, a focus was on project management, which based on project effectiveness, has greatly improved. More recently, the focus was on the infrastructure, specifically computing and network services, which are being improved through the states infrastructure transformation initiative (GAIT).
In a maturity assessment of the agencies application support efforts7, specifically focusing on the areas of security, reliability and effectiveness, the ratings on a fivepoint scale, were 1.8, 1.4 and 1.2, respectively (where 5 is the highest and 0 is the lowest value).

The enterprise appears on the surface to have an

State of Georgia - IT Maturity

organizational focus on

security and IT processes with named SAISO and

Effectiveness

business continuity

Maturity

coordinators, but it has failed to fully embrace the concepts

Reliability

throughout all components of

the organization. Nearly half Security
of the agencies do not

reinforce security roles with role-based training. This provides everyone exposure

0

0.5

1

1.5

2

2.5

3

3.5

4 4.5

5

Rating

training on security concepts, Figure 8 - IT Maturity Evaluation

but does not provide role-

specific, detailed training for those in specialty jobs to do their work.

The enterprise recognizes the need for and has supported security policies, but individual organizations have not extended support for these policies throughout their organizations by making them fully available to employees, nor has each organization developed and implemented procedures to provide appropriate training or to keep records of needed or completed training.

While recognizing critical risk on applications, the enterprise as a whole has not provided procedural evidence of risk management programs. Over half of agencies cannot provide FTE usage on applications, do not report any security plans and have not engaged a third party for a security assessment, which is required.

The state of Georgia appears poorly positioned to ensure reliability of services. Wide results were reported for agencies maturities in key processes such as continuity, availability, incident reporting and management, problem management and configuration

7 For additional details see report in Appendix B Enterprise IT Maturity in 3 Areas

Page 16 of 104

Georgia State Information Technology Report 2009 management. However, judging from the reported current status of business continuity and disaster recovery activities approximately half of the underlying organizations in the enterprise are now in planning stages. The state enterprise has partially evolved toward IT strategic planning based business need and resource application. Other parts of the organization remain naively low on scale of business justified system/project requests. The enterprise demonstrates some efforts to utilize functional and operational requirements for solutions. However, many organizations have not provided procedural evidence of such. Observations on Application Portfolio
Application maintenance/support maturity is very low for the enterprise, which requires more focus and effort on basic methods, practices and processes, such as user support, testing, and training. There is a significant exposure to the state of Georgia due to:
o Many critical systems with high impact to the state's business are old, outdated in terms of basic software, and being run on antiquated platforms and/or databases.
o Personnel costs are relatively high in terms of overall support costs which reflect the wide variances of operating systems and databases being used.
The recommendation is to conduct assessments of all critical applications and determine initiatives or remediation activities that are needed to modernize these systems.
Page 17 of 104

Georgia State Information Technology Report 2009
Challenges and Opportunities
In October of 2008, Gartner, Inc. said in a published article8, "Growing global economic instability is putting increasing pressure on IT departments to support crucial business goals. At a time when there is little in the way of additional budget available, CIOs need to know where and when to focus to best assist and improve enterprise performance." Gartner also predicted that over the next two years, IT's greatest opportunity to significantly improve overall enterprise operational performance will unfold from resolving these nine most contentious issues or challenges:
1. Business Expectations for IT 2. Responsiveness in Modernization & Cost Reduction 3. Business Accountability for Security & Risk Management 4. Business Intelligence Sponsorship 5. Vendor Management 6. IT "Turf" Control 7. Aging Applications 8. Business Process Alignments 9. Program and Portfolio Management
Many different actions may be taken by an IT organization to improve its enterprise performance in response to these issues; certainly, an organization as large and as complex as the state of Georgia should examine its position to ensure that it can respond in the near future. We will treat these issues as current and future challenges and examine in the paragraphs below, both Gartners nine issues, and immediately following the issue statement, GTAs positioning to improve the enterprise performance of the state of Georgia.
Issue 1 -- Business Expectations for IT have outstripped IT's Internal Capability to Deliver. In recent years, enterprises have wanted their IT departments to increase their external focus on customers, new products and services, new geographies and business processes. Unfortunately, few CIOs have the staff with the skill sets to adequately meet these externally focused demands and there has been little remaining funding for additional hires. Gartner recommends that CIOs recognize the skills gap, refrain from solely hiring staff with IT backgrounds in the future and focus on identifying and delivering distinctive solutions for the business.
The state of Georgia, through GTA's positioning, was instrumental in addressing many current challenges in the IT domain by bringing these issues to the business and then setting expectations for changes that needed to occur. This was most prevalent in the GAIT effort, which consolidated and outsourced computing and networking services for
8 Gartner: Nine Most Contentious IT Issues for the Next Two Years, Oct 13, 2008, News Report, Government Technology.
Page 18 of 104

Georgia State Information Technology Report 2009
the largest IT organizations. More importantly, GTA began a new approach for responding to business demands for IT by changing the conversation from one about products and solutions to service delivery. The change to service delivery simplifies the management control of IT through consistent processes and cost structures that allow business executives to concentrate on their customer base.
Challenges still exist in the agency expectations for IT services, such as alignment of costs, responsiveness of services, reliability of systems, and skill sets within the available resources allocated to the IT groups. Agencies are responsible for their own IT projects and applications, which still require level-setting of expectations with business owners and executives. With better information and understanding of the IT initiatives and systems required across the business areas, this problem can be addressed more easily in the future.
Issue 2 -- How to More Rapidly Modernize Infrastructure and Operations and Reduce Costs Infrastructure and Operations (I&O) leaders recognize that accelerating modernization is the only way to deal with rapid increases in demand growth and the need to respond more rapidly to the business but must balance this against unrelenting pressure to reduce costs. Gartner recommends emphasizing modernization projects that can be 'selffunding,' that is, pay for themselves, which can often be achieved through I&O consolidation and virtualization.
The state of Georiga, through GTA's positioning, undertook the largest, most comprehensive restructuring of infrastructure and operations, beginning in 2007. The business case supporting this effort was based on being able to complete the modernization without any additional costs to the agencies or the state of Georgia. While the transition to a new model has been completed, the transformation, which is required to achieve the cost reductions, has just begun. GAIT provides for infrastructure modernization without the pressure of agency budget requests; vendors will take full control and ownership of the infrastructure and any necessary modernization. Then two mechanisms will guide modernization: 1) A Technical Review Board allows routine discussion and planning between service vendors and GTA, and 2) Since the vendor is following a transition schedule for the consolidated infrastructure, the vendor is responsible for all modernization in this area, without additional expense to the state.
Challenges still exist in the agency application domain, as can be seen from the data collected, analyzed and reported in the section on Application Portfolio. Critical business systems are outdated, not secure and run on unreliable platforms. There is no consistency in processes for supporting these critical systems, which leads to costly vendor and contractor support. Additional analysis should begin to reveal further opportunities for consolidation.
Page 19 of 104

Georgia State Information Technology Report 2009
Issue 3 -- Business Accountability for Security and Risk Management Security and risk management is not just an IT issue. It is essential that the IT risk manager, using effective communications skills, persuade the appropriate IT owners and line-of-business managers to accept explicit, written responsibility for residual risk impacting their systems and processes, on either a direct or a dotted-line basis. Risk managers should develop mechanisms for assignment and acceptance of residual risk and risk decisions -- for example, signature forms, processes and policies that address the requirement and execution of risk acceptance. The risk manager should also develop mechanisms to convey residual risk levels that remove reference to technology but still support good risk-based decisions at a business level that may result in the implementation of technical controls.
The state of Georgia, through GTA's efforts, has been broad and comprehensive in changing how the business addresses IT security and risk management, starting with establishing a framework of policies and standards modeled from the Federal Information Security Management Act (FISMA) and based on National Institute of Standards and Technology (NIST), a federal technology agency that develops and promotes measurement, standards, and technology. GTA specified over 80 security policies and standards based on the governmental standards published by NIST. Another focus from GTA has been on business managers taking responsibility for participating in project decisions related to IT. As IT conducts turnovers of projects into production, processes have been modified to include written security certification and acceptance of risk by business owners. New integrated enterprise security processes require agency business and security managers to sign off on project designs.
GTA also produced a security training video for use by agencies to annually reinforce security knowledge of employees and published the first Enterprise Information Security Report, as a result of the Executive Order on Information Security Reports (March 2008). Information security reports are required from agencies and then compiled into a statewide version. GTA has posted resources such as "IT for State Executives" on its public-facing web site to strengthen awareness of security. Other IT resources posted on the site include:
o Information Security Guide for State of Georgia Government Executives (May 2008)
o Cost of a Data Breach (February 2009)
Challenges still exist within the enterprise for security and risk management, specifically in the implementation of security practices within the agencies. As the Enterprise Information Security Report for 2009 will expand on in detail and as the Appendix A Data Tables from the Agency Information Security Report support, the agencies have limited evidence of practice and documentation, indicating a very low level of maturity.
Many federal laws and rules now provide guidance on information security and form the basis for the state of Georgias policies and standards. As one example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by Congress to create a national standard for protecting the privacy of patients' personal health
Page 20 of 104

Georgia State Information Technology Report 2009
information. The law requires healthcare entities that use electronic means to process transactions, which include health information, to use standardized forms and a universal code system for illnesses and treatments. The regulation also requires new safeguards to protect the security and confidentiality of an individual's protected health information. HIPAA calls for civil and criminal penalties for privacy and security violations, including $50,000 per violation, with an annual maximum of $1.5 million for a civil penalty and fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.
The state of Georgia receives on average of 1.2 million detectable intrusion attempts per day against the state's IT infrastructure and assets. Georgia currently maintains federally regulated records for about 10 million people, and information security breaches at state agencies are jeopardizing constituents' private information and costing agencies millions of dollars each year. A 2009 study by the Ponemon Institute calculates the average cost of a security breach per record at:
$8 for detection $15 for notifying affected individuals $39 for post-incident response
A total of 81,742 records were exposed in security breaches at four state agencies in 2008. Using the estimated costs from the study, those agencies experienced over $5 million worth of unplanned expenses due to the breaches. In addition, some constituents were exposed to a higher level of risk for identify fraud.
A year earlier, almost 3 million records were exposed during a single security breach by a service provider to one of the state's high-profile agencies. The agency risked incurring potential federal fines of $225 billion based on penalties of $75,000 per day of exposure per record. Only strong follow-up actions by the agency, including the implementation of a remediation plan with the vendor, convinced federal officials that fines were not appropriate.
Issue 4 -- Lack of Business Intelligence Sponsorship Many IT leaders lament about issues such as the lack of a business intelligence (BI) vision and strategy; and overall business sponsorship and ownership for BI. Meanwhile, many business people believe there is little or no difficulty with BI as they continue using ad hoc methods to make business decisions. Gartner advises clients to use its 'Business Intelligence and Performance Management Framework' model together with its 'Four Worlds' model to build a more complete and integrated plan for BI initiatives and to yield greater returns from related business and IT investments.
The state of Georgia has many business intelligence initiatives underway (generally referred to as data warehouses) but does not have a strategy or approach for aligning approaches or utilizing common processes. While GTA has laid a foundation for enterprise performance management through the performance life cycle, this remains a future opportunity.
Page 21 of 104

Georgia State Information Technology Report 2009
Issue 5 -- How Do I Get My Vendor to Deliver What I was Promised? Opportunities for dispute abound when it comes to sourcing contracts. While users bear a responsibility to be competent buyers of sourcing services, both sides need to be more flexible in laying out a range of conditions and options that should be addressed in the contract. Vendors have seen most conditions and could therefore alert users when they are about to demand an incomplete or wrong contractual term or condition.
The state of Georgia has created a Vendor Management Office, within the GTA Service Management Organization (SMO), for the technology infrastructure being delivered by the two outsourcing partners as part of the GAIT project. GAIT, with the support of the Department of Administrative Services (DOAS), introduced a procurement process that was comprehensive, data-driven, and structured with agency input. The vendors are being managed for performance via service level agreements (SLAs) which were jointly created during contracting phases by agencies, vendors and GTA. The process includes 1) a step-threshold mechanism allowing lower level managers to correct issues within specified authorities 2) escalation mechanisms and 3) financial penalties for noncompliance with SLAs.
Among the key improvements with this procurement and contracting process are the ability to negotiate with prospective vendors during the procurement and the development of measurements that regulate both parties and adjust payments based on performance. The negotiation process during procurement allows all parties to engage in conversations about requirements, instead of simply passing documents, which often leads to misunderstandings and contracting problems.
Challenges still exist across the enterprise for both the procurement process and vendor management processes. One key to ensuring better procurements, contracts and vendor delivery is better planning. Lessons learned9 over several years show that many projects become challenged or fail due to a lack of initial planning. The enterprise performance life cycle (EPLC) and related stage gate review (SGR) processes provides a reasonable point in time for the business owner to ensure a project has a reasonable plan and business case to support the procurement and contract execution. More importantly, it is at this point that the business requirements are developed that will be used to conduct procurement and secure support from the vendor community.
Issue 6 IT Turf Control Control and ownership-related friction that often exists between various IT groups and the enterprise architecture group becomes especially notable when multiple IT groups maintain high-level planning functions. Gartner recommends focusing on three core IT management disciplines - Enterprise Architecture, Business Process Management and
9 See Opportunities for Improvement - Lessons Learned from Projects 2006 - 200909, page 2
Page 22 of 104

Georgia State Information Technology Report 2009
Service Management -- to streamline different viewpoints and provide the architectural guidance required to build solutions.
The state of Georgia has struggled with each of these three areas described by Gartner. Currently, the service management is being developed and delivered through GAIT, while the business process management is being addressed solely through efforts related to business continuity and disaster recovery. Enterprise architecture will, in part, be addressed through GAIT with the development and publication of the technology plan, a responsibility of the computing services infrastructure vendor, IBM. These current efforts will act as guides across the enterprise for agencies to align their independent IT plans with enterprise IT services.
Issue 7 -- Should We Modernize Applications? If So, When? Many mission-critical, high-risk business functions continue to rely on code developed decades ago by programmers and vendors who have long since left the company. Business applications, which run on hardware and other infrastructure that is reaching or past obsolescence, must be migrated. Strong drivers for modernization are offset by strong inhibitors, so the debate either rages on or is naively ignored. The decision on when to modernize will be strongly influenced by shareholder interests and investor confidence. Some applications may need to be replaced, while renovation may be sufficient for others, but the complexity and magnitude of the task far exceeds the ability to fund and manage such an effort with existing operating budgets and teams. A one-time restructuring-style budget set-aside will be necessary.
The state of Georgia, through the state's IT transformation initiative (GAIT), is beginning the process for modernization of application infrastructure, first with the server and storage consolidation projects and with the agency-coordinated effort to conduct application remediation.
The most significant challenge for the state of Georgia will be during the transformation of the infrastructure services which will require changes to agency applications and projects. During this transformation, many GAIT agencies will be required to update their application and systems to new technology standards in order to take advantage of the improved delivery platforms which will drive savings to the enterprise.
The next most significant challenge for the state of Georgia will be faced by all agencies that must comply with the new policies, standards and guidelines related to enterprise performance life cycle, enterprise operating environment, security practices and the certification/accreditation of applications. Each of these areas will require effort on the part of agency IT groups, but the effort will be necessary to reduce costs and establish secure, reliable and effective applications and systems.
Page 23 of 104

Georgia State Information Technology Report 2009
Issue 8 -- To Whom Should Business Process Professionals Report? Gartner recommends that business process experts be placed in a new 'hybrid' organization such as a business process competency center that reports to a chief operating officer. In this scenario, the competency center would be made up of relatively few employees but would be joined by the business domain experts, process experts and IT professionals for the duration of a project, only to return to their respective departments upon completion of the project.
The state of Georgia has not yet begun to address the idea of an enterprise-wide business process competency, but it should. At present, the only enterprise-wide process activity is the rapid process improvement program run by the Governors Office of Customer Service a one-process analyst office. The hybrid organization Gartner describes is not the same as assigning a project manager it is an organization that identifies needed process improvement projects across the enterprise and funnels them to the EPLC.
Issue 9 -- How Much Formal Process is Needed for Program and Portfolio Management? Many believe that increased levels of process and oversight will lessen an organization's agility to deliver projects. Those in favor of more formal process and oversight of project-related tasks take the position that such increased discipline will yield far better results than experienced in the past. The future of Program and Portfolio Management (PPM) will actually take a different route than either of the opposing sides. In the future, changes in a project will become normal, expected and accepted. Consequently, PPM methods will adopt smaller and smaller units of work to allow such project "midcourse corrections" to take place.
The state of Georgia, through GTA, has recently introduced standards to specify common processes related to program and portfolio management as well as investment management. The investment management (enterprise performance life cycle management) provides for as many as 10 stages of management to control investment and development risks and ensure that IT investments deliver projected value. This approach allows the business owner and the project manager flexibility within each stage as well as the ability to decompose project efforts.
Page 24 of 104

Georgia State Information Technology Report 2009
Opportunities for Improvement - Lessons Learned from Projects 2006 - 2009
Part of the project management methodology is conducting ,,lessons learned exercises during and at the end of project efforts. These lessons learned have been compiled and summarized into a list of seven key topic areas. The following list describes challenges found during the past three to four years in the following areas that typify what has consumed resources, time, money and effort to address (these are listed in no particular order). These areas provide key opportunities for improvement in future efforts.
Licensed Software Agency IT groups license software to support the applications and systems in support of the business. These frequently require multi-year agreements to lock in support and upgrades. The challenge occurs when the software component is a critical part of a system that cannot be easily replaced. In one example, the Cincom database annual software license went from $500,000 to $8 million with no immediate alternatives but to shut down. There is also no centralized approach to tracking and managing licenses for common software, such as Oracle or Microsoft, which creates risk and exposure for the state. Opportunity exists to centralize the tracking of common software licensing in order to leverage better rates, ensure consistent platforms for support and limit legal and financial compliance exposures.
Budget Cycles Information technology investments can often be large, complex project initiatives which span multiple budget cycles. This creates challenges in planning since much of the information required to fully cost an effort is not known until the effort has at least gone through the planning stage. Also, complicated, large, multi-year development projects, such as the Integrated Tax System, create huge spikes in the technology budgets, which undermines the potential long term value to the state and business case justification. Opportunity exists to develop a more flexible funding model that allows concepts to be developed with seed money and incrementally funded as projects justify their continued investment. IT budgets would be pooled into a single investment fund and allocated based on a governance review board. Federal funds would follow the process with pools based on the associated federal program and joint participation by the federal authority. A model of this type would reflect industry practices that both safeguard and maximize investments by allowing healthy competition for continued funding and assurance that acceptable practices are followed to minimize risk. This also allows the business to throttle the investment pipeline up or down as needed by the business.
Page 25 of 104

Georgia State Information Technology Report 2009
Cascading Systems Many applications/systems are interdependent systems which pass data or communicate critical information between them. These interdependencies are often not well documented or known, which can cause cascading support and delivery issues due to original failures, such as an example with Vital Records caused by a drive unit swap problem and a lack of adequate back-up and recovery. The real support costs and response efforts are often masked or hidden. Opportunity exists for the application portfolio management process to document all interdependencies and use the information as part of the change control and configuration management for the systems.
Policy Changes The business environment often does not have a clear line of sight between its mission and the supporting systems that enable the business mission. When policy decisions are made it is difficult to see the full impact of the changes that will occur, which can lead to hidden costs or unfunded mandates for change. In the example of the Fuel Tax System, legislative changes created significant system changes which were cost prohibitive. Opportunity exists for developing a model of system impact or changes with cost estimates based on requests to evaluate policy development.
Application Management A significant portion of the money and resources are devoted to maintaining and supporting the existing application platforms (see section on Application Portfolio). Many of these applications/systems run on a wide variety of platforms and databases. The specific technical knowledge and skill required to ensure these critical systems meet the business expectations is at risk due to the age of systems, complexity of their environments, skills required, limited resources available and adequacy of the processes and practices. One example, the Women, Infants and Children (WIC) application, written in the 1980s using COBOL and RPG, now stretches across one mainframe, three midranges (including a System 36 and an AS/400), and many PCs, file servers, and web servers. It uses proprietary software and specialized knowledge to maintain and support an antiquated system. Opportunity exists to assess application support costs based on industry practices and cost estimates, and then determine appropriate sourcing strategies for these legacy systems. These efforts would develop into business cases for modernization.
Requirements Management Infrequent and isolated project efforts indicate a lack of skill and capability to manage the business requirements needed to properly define the solution. Business owners and analysts are not trained in defining and writing requirements that can be used to develop new or replacement systems. Without proper training and experience, the agency business owners are often
Page 26 of 104

Georgia State Information Technology Report 2009 at the mercy of vendors to drive the requirements, often leading to procurements and vendor contracts that do not deliver the expected benefits and are difficult to manage. Opportunity exists for developing education and training programs for business analysts, similar to training classes developed for project managers in prior years. This education would develop criteria for certifying business requirements based on accepted practice by certified business analysts. Turn-key Solutions There has been a progression from custom or locally developed application systems to turn-key solutions, which includes a family of products called enterprise resource planning (ERP) software. Turn-key systems usually require some level of configurability by the business owner in order to ensure the functions meet the local needs of the business. Over time, as part of maintenance, these systems are upgraded with new features or functions, but the configured or customized portions require extra support to reach the new release levels, which can be expensive if there are many configurations. In one example, PeopleSoft circa 2000, vendors provided a solution that was able to ,,go live to meet the Y2K challenge but then agencies were locked in to longterm support, upgrade costs and maintenance issues. Opportunity exists to create standards and procedures for configuration, which would require cost-case projections.
Page 27 of 104

Georgia State Information Technology Report 2009
Plans for FY2010 and Beyond
While the state of Georgia has made significant improvements in managing technology services and its portfolio of technology investments, there are serious challenges to the business and much work still must be accomplished in order to support the Governors vision of the "best managed state". In evaluating what has been accomplished, the current state of the IT investments and the challenges and opportunities that have been described in this report, there are three key goals for GTA going forward:
- Complete the transformation to Georgias new service delivery model - Continue the establishment of IT governance to enable Georgia agencies - Improve the online customer service experience for Georgia
IT Transformation to a Sustainable Service Delivery Model
Transformation is always challenging. This transformation requires changes, not only to the infrastructure for computing and network services, but also the way agencies identify, plan, develop and deliver their technology services to their users and constituencies. New processes and tools will take many months for agency customers to get used to but will ultimately become the new de facto standard of business.
Many of the benefits from consolidating and outsourcing will not be realized until the completion of major transformation projects, such as server and storage consolidation, which will also require the agencies to make decisions about the changes required for existing applications to work within the new computing and network platforms.
Server and storage consolidation has often been cited as one of the major activities for modernizing the states IT operations and ensuring greater reliability of the applications that support essential state services.
We are now beginning to work with agencies to prepare for relocating servers and the applications running on them to the State Data Center. In many instances, these servers are operating in state office buildings without adequate backup for electrical power or cooling, physical security or alarms in case something goes wrong. A large number of these servers are old and technically obsolete.
During the states comprehensive IT assessment in 2007, Technology Partners International (TPI) took a look at agency data centers and found that none came close to the technical and operational standards the state should be using. On a scale of 1 to 5, the highest-scoring agency data center received 2.59. In contrast, the State Data Center scored 4.91. The most advanced and comprehensive features of modern IT operations are built into the state facility. It provides a state-of-the-art environment for protecting servers, applications and information - all strategic state assets.
Page 28 of 104

Georgia State Information Technology Report 2009
About 2,000 servers will be reviewed for consolidation, but there is a critical first step we must take before actually beginning to consolidate servers. That step is application remediation. It refers to documenting all the applications that are currently running on agency servers and the dependencies among those applications.
Server and storage consolidation and application remediation are major undertakings, but these efforts will deliver the technology transformation benefits needed to strengthen the IT enterprise and make it possible for agencies to continue delivering on their missions; securely, reliably and effectively.
Application remediation will also be a key step toward the maturing of the application platform and ultimately the certification and accreditation of critical application systems.
Enterprise Performance Management Framework for Technology
While the governance framework has been defined, operationalizing this framework will become the next significant priority. While the application remediation project will provide foundational information about the operations of the applications in the agencies, significant changes are needed in the processes and methodologies used to support and maintain these applications.
The operational assessment of the critical applications will look for the necessary and vital actions required by agencies to bring their systems up to minimal operational standards. These assessments will continue to focus initially on the security, reliability and effectiveness of the operations and support. Any gaps identified will become part of an agencys planning and improvement program. Business owners and agencies will take steps to evaluate and prioritize their needs within the business objectives as a whole. GTA will continue to collect, analyze and report on their progress, providing visibility and accountability to risks and issues.
Online Customer Service Experience
As application assessments are conducted and as the project portfolio develops, GTA will be able to begin aligning initiatives across agencies, looking for opportunities to combine functional needs and gain cost efficiencies of scale. The area with the greatest potential is web or portal development services. Most new IT projects for new or upgraded applications require web or portal features.
Page 29 of 104

Georgia State Information Technology Report 2009
Appendices
Page 30 of 104

Georgia State Information Technology Report 2009

Appendix A Data Tables from Agency Information Security Report
Section 1: Agency Participation
For FY2009, GTA identified 118 organizations. They break down into the following groupings:
- Thirty-three (33) mostly small agencies reported in FY08 that they do not have their own information security program. They instead participate in and report through a larger agency's program.
- Sixty-five (65) agencies completed reports, 11 of which were from organizations not required to report.
- 5 agencies are not required to report and decided not to participate. Three of these agencies provided statements, which are included in appendix A.
- Fifteen (15) agencies failed to report as required by law.
Small organizations that outsource their IT program
Agencies reported in FY08 that they do not have their own information security program. They instead participate in and report through a larger agency's program. Since many of the larger agencies stated they did not know of these arrangements, these agencies were asked to confirm these arrangements with MOUs during FY09. Only the GA Commission on the Holocaust did so.

Outsourcing Agency 1 Aviation Hall of Fame 2 Brain and Spinal Injury Trust Fund Authority 3 Composite Board of Medical Examiners 4 Drugs and Narcotics Agency 5 GA Radio Reading Service 6 GA Board for Physician Workforce 7 GA Commission on the Holocaust 8 GA Council for the Arts 9 GA Environmental Protection Division 10 GA Fire Academy 11 GA Housing and Finance Authority 12 GA Information Sharing & Analysis Center 13 GA Office of Homeland Security 14 GA Police Academy 15 GA State Financing and Investment
Commission 16 GA Supreme Court 17 Governor's Developmental Disabilities Council 18 Governor's Office for Children and Families

Outsourced To Golf Hall of Fame
Dept. of Community Health
GA Public Broadcasting Dept. of Community Health DeKalb County GA Public Broadcasting Dept. of Natural Resources GA Public Safety Training Center Dept. of Community Affairs GA Bureau of Investigation GA Emergency Management Agency GA Public Safety Training Center GA Building Authority
Court of Appeals Dept. of Human Resources Dept. of Juvenile Justice

Page 31 of 104

Georgia State Information Technology Report 2009

19 Governor's Office of Student Achievement 20 Housing Trust Fund for the Homeless 21 Music Hall of Fame 22 Nonpublic Postsecondary Education
Commission 23 North GA Mountains Authority 24 Oconee River Greenway Authority 25 Office of Child Advocacy 26 Office of Inspector General 27 Office of the Governor 28 Office of Treasury and Fiscal Services 29 OneGeorgia Authority 30 Seed Development Commission 31 Southwest GA Rail Excursion Authority 32 State Medical Education Board 33 State Properties Commission

Dept. of Education Dept. of Community Affairs Dept. of Economic Development GA Student Finance Commission
Dept. of Natural Resources GA Military College
GA Technology Authority
Dept. of Community Affairs Dept. of Agriculture Dept. of Natural Resources Dept. of Community Health GA Building Authority

A total of 65 security programs participated in this year's reporting efforts.

Agency 1 Administrative Office of Georgia Courts 2 Cancer Advisory Committee/Cancer Coalition 3 Commission on Equal Opportunity 4 Council of Juvenile Court Judges 5 Court of Appeals 6 Criminal Justice Coordinating Council 7 Department of Administrative Services 8 Department of Agriculture 9 Department of Audits and Accounts 10 Department of Banking and Finance 11 Department of Community Affairs 12 Department of Community Health 13 Department of Corrections 14 Department of Defense 15 Department of Driver Services 16 Department of Early Care and Learning 17 Department of Economic Development 18 Department of Education 19 Department of Human Resources 20 Department of Insurance 21 Department of Juvenile Justice 22 Department of Labor 23 Department of Law 24 Department of Natural Resources 25 Department of Public Safety 26 Department of Revenue 27 Department of Transportation

Page 32 of 104

Georgia State Information Technology Report 2009
28 Department of Veterans Services 29 Employees' Retirement System 30 Georgia Building Authority 31 Georgia Bureau of Investigation 32 Georgia Development Authority 33 Georgia Emergency Management Agency 34 Georgia Environmental Facilities Authority 35 Georgia Firefighter Standards and Training Council 36 Georgia Forestry Commission 37 Georgia Military College 38 Georgia Police Officer Standards and Training Council 39 Georgia Ports Authority 40 Georgia Public Safety Training Center 41 Georgia Public Telecommunications Commission 42 Georgia Regional Transportation Authority 43 Georgia Sports Hall of Fame Authority 44 Georgia Student Finance Commission 45 Georgia Technology Authority 46 Georgia World Congress Center Authority 47 Governor's Office of Consumer Affairs 48 Governor's Office of Highway Safety 49 Herty Advanced Materials Development Center 50 Jekyll Island State Park Authority 51 Lake Lanier Islands Development Authority 52 Office of Planning and Budget 53 Office of State Administrative Hearings 54 Prosecuting Attorneys' Council 55 Secretary of State 56 State Accounting Office 57 State Board of Pardons and Paroles 58 State Board of Workers' Compensation 59 State Personnel Administration 60 State Road and Tollway Authority 61 State Soil and Water Conservation Commission 62 Stone Mountain Memorial Association 63 Subsequent Injury Trust Fund 64 Teachers' Retirement System 65 Technical College System of Georgia
Of the 65 that participated, 11 organizations volunteered to participate although they were not required by law to do so. This is one less than last year when the Public Service Commission decided to report. GTA appreciated the support for this program by these agencies:
Agency 1 Administrative Office of Georgia Courts
Page 33 of 104

Georgia State Information Technology Report 2009
2 Council of Juvenile Court Judges 3 Court of Appeals 4 Department of Agriculture 5 Department of Audits and Accounts 6 Department of Education 7 Department of Insurance 8 Department of Labor 9 Department of Law 10 Prosecuting Attorneys' Council 11 Secretary of State
Agencies that are not required to report and decided not to participate
Agency 1 Board of Regents of the University System of Georgia 2 Georgia Lottery Corporation 3 Legislative Branch 4 Public Service Commission 5 Superior Court
Agencies that Declined to Report
Three agencies declined to submit reports as allowed by statute but they provided the following statements:
Board of Regents of the University System of Georgia: The University System of Georgia and its 35 member institutions have a mature and robust information risk management program focused on the needs of the system, our faculty and staff, and our students. Our program has different but related metrics for measuring the effectiveness and year over year improvements. Information on our program is available on our website, www.usg.edu.
The Georgia Lottery Corporation: The Georgia Lottery Corporation has respectfully declined to participate in the Georgia Technology Authority Information Security Report. Due to the unique nature of the Lottery's operations and transactions, highly secure information and system security best practices are critical to the continued confidence of Georgia's citizens who play the lottery. That confidence in our integrity and security ultimately ensures the success of the Georgia Lottery Corporation's endeavors to support education in the state. The Georgia Lottery Corporation maintains an active information security awareness program and maintains an information security department, both of which are actively supported by the CEO. The Georgia Lottery Corporation also conducts an information and network security audit schedule utilizing highly respected and experienced companies within the IS industry.
Page 34 of 104

Georgia State Information Technology Report 2009

The Georgia General Assembly Legislative Information Technology: The Georgia General Assembly has respectfully declined to participate in the Georgia Technology Authority Information Security Report. Due to the unique nature of the Georgia General Assembly's operations, secure information and system security best practices are critical to the production of legislation on a vast range of subject matter. The Georgia General Assembly maintains an active information security policy which is actively supported by House and Senate Leadership. The Georgia General Assembly also conducts a network security audit schedule utilizing respected and experienced companies within the IS industry.

Agencies that are required to report and did not participate

Agency 1 Civil War Commission 2 Council on American Indian Concerns 3 Georgia Agricultural Exposition Authority 4 Georgia Agrirama Development Authority 5 Georgia Environmental Training and Education Authority 6 Georgia Golf Hall of Fame Authority 7 Georgia Medical Center Authority 8 Georgia Professional Standards Commission 9 Georgia Public Defender Standards Council 10 Georgia Rail Passenger Authority 11 Georgia Real Estate Commission & Appraisers Board 12 Georgia State Games Commission 13 Health Planning Review Board 14 Military Affairs Coordinating Committee 15 State Ethics Commission

Reported in 2008 No No Yes Yes No Yes Yes Yes No No Yes Yes No Yes Yes

Section 2: Information Security Program Management
Central to an effective information security program is the security management organization which is responsible for setting the tone and direction for the rest of the organization. This requires having a Senior Agency Information Security Officer (SAISO) to oversee the program and represent the agency head by identifying areas requiring formal policy. The SAIOS also ensures that goals of the agency executives are communicated, implemented and adhered to through effective governance. Where it is appropriate, effective communication may also include identifying a Privacy Officer to ensure that privacy issues and laws are adequately addressed.
Agencies were asked to provide the names of their Senior Agency Information Security Officers and Privacy Officers as well as report on the depth and breadth of formal security governance used within their organizations.
List of High Impact agencies with named SAISO
AGENCY

Page 35 of 104

Georgia State Information Technology Report 2009
1 Department of Defense 2 Department of Human Resources 3 Department of Community Affairs 4 Georgia Bureau of Investigation 5 Department of Revenue 6 Department of Driver Services 7 Department of Transportation
List of Moderate Impact agencies with named SAISO
AGENCY 1 Office of State Administrative Hearings 2 Criminal Justice Coordinating Council 3 Georgia Emergency Management Agency 4 Governor's Office of Consumer Affairs 5 Office of Planning and Budget 6 Georgia Firefighter Standards and Training Council 7 Georgia Police Officer Standards and Training Council 8 Georgia Public Safety Training Center 9 Department of Administrative Services 1 0 Department of Audits and Accounts 1 1 Department of Banking and Finance 1 2 State Accounting Office 1 3 Department of Insurance 1 4 Technical College System of Georgia 1 5 Employees' Retirement System 1 6 Prosecuting Attorneys' Council 1 7 Court of Appeals 1 8 Department of Labor 1 9 State Personnel Administration 2 0 Department of Juvenile Justice 2 1 State Board of Pardons and Paroles 2 2 Department of Public Safety 2 3 Department of Corrections 2 4 Georgia Student Finance Commission 2 Secretary of State
Page 36 of 104

Georgia State Information Technology Report 2009
5 2 6 State Soil and Water Conservation Commission 2 7 Teachers' Retirement System 2 8 Subsequent Injury Trust Fund 2 9 State Board of Workers' Compensation 3 0 Georgia Building Authority 3 1 Herty Advanced Materials Development Center 3 2 Georgia Ports Authority 3 3 Georgia World Congress Center Authority 3 4 State Road and Tollway Authority 3 5 Georgia Environmental Facilities Authority 3 6 Georgia Public Telecommunications Commission 3 7 Georgia Technology Authority
List of Low Impact agencies with named SAISO
AGENCY 1 Cancer Advisory Committee/Cancer Coalition 2 Department of Agriculture 3 Georgia State Financing and Investment Commission 4 Department of Education 5 Department of Economic Development 6 Council of Juvenile Court Judges 7 Department of Law 8 Department of Natural Resources 9 Department of Early Care and Learning 1 0 Stone Mountain Memorial Association 1 1 Lake Lanier Islands Development Authority 1 2 Georgia Regional Transportation Authority
List of High & Medium agencies without named SAISO
- 1 HIGH Impact Agency (Department of Community Health) reported NOT having an SAISO
Page 37 of 104

Georgia State Information Technology Report 2009

- 1 MEDIUM Impact Agency (Department of Administrative Services) reported NOT having an SAISO * As of the release of this report DOAS now has a SAISO

List of agencies with named Privacy Officer

AGENCY 1 Department of Community Health 2 Department of Human Resources 3 Georgia Bureau of Investigation 4 Department of Transportation 5 Criminal Justice Coordinating Council 6 Department of Banking and Finance 7 State Personnel Administration 8 Georgia Student Finance Commission 9 Teachers' Retirement System 10 State Road and Tollway Authority

IMPACT CATEGORIZATION High High High High Medium Medium Medium Medium Medium Medium

List of agencies without named Privacy Officer

AGENCY 1 Department of Defense 2 Department of Community Affairs 3 Department of Revenue 4 Department of Driver Services 5 Office of State Administrative Hearings 6 Georgia Emergency Management Agency 7 Governor's Office of Consumer Affairs 8 Office of Planning and Budget 9 Georgia Firefighter Standards and Training Council 10 Georgia Police Officer Standards and Training Council 11 Georgia Public Safety Training Center 12 Department of Administrative Services 13 Department of Audits and Accounts 14 State Accounting Office 15 Department of Insurance 16 Technical College System of Georgia 17 Employees' Retirement System 18 Prosecuting Attorneys' Council 19 Court of Appeals 20 Department of Labor 21 Department of Juvenile Justice 22 State Board of Pardons and Paroles 23 Department of Public Safety 24 Department of Corrections 25 Secretary of State 26 State Soil and Water Conservation Commission

IMPACT CATEGORIZATION High High High High Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium Medium

Page 38 of 104

Georgia State Information Technology Report 2009

27 Subsequent Injury Trust Fund 28 State Board of Workers' Compensation 29 Georgia Building Authority 30 Herty Advanced Materials Development Center 31 Georgia Ports Authority 32 Georgia World Congress Center Authority 33 Georgia Environmental Facilities Authority 34 Georgia Public Telecommunications Commission 35 Georgia Technology Authority 36 Cancer Advisory Committee/Cancer Coalition 37 Department of Agriculture 38 Georgia State Financing and Investment Commission 39 Department of Education 40 Department of Economic Development 41 Council of Juvenile Court Judges 42 Department of Law 43 Department of Natural Resources 44 Department of Early Care and Learning 45 Stone Mountain Memorial Association 46 Lake Lanier Islands Development Authority 47 Georgia Regional Transportation Authority

Medium Medium Medium Medium Medium Medium Medium Medium Medium Low Low Low Low Low Low Low Low Low Low Low Low

Security Governance - agencies that follow Enterprise PSG's
AGENCY 1 Department of Agriculture 2 Department of Insurance 3 Department of Law 4 Department of Natural Resources 5 Georgia Firefighter Standards and Training Council 6 Georgia Police Officer Standards and Training Council 7 Georgia Technology Authority 8 Governor's Office of Consumer Affairs 9 State Road and Tollway Authority

Security Governance - agencies that follow augmented Enterprise PSG's
AGENCY 1 Court of Appeals 2 Criminal Justice Coordinating Council 3 Department of Administrative Services 4 Department of Audits and Accounts 5 Department of Banking and Finance 6 Department of Community Affairs 7 Department of Community Health

Page 39 of 104

Georgia State Information Technology Report 2009
8 Department of Corrections 9 Department of Driver Services 1 0 Department of Early Care and Learning 1 1 Department of Education 1 2 Department of Human Resources 1 3 Department of Juvenile Justice 1 4 Department of Labor 1 5 Department of Public Safety 1 6 Department of Revenue 1 7 Department of Transportation 1 8 Employees' Retirement System 1 9 Georgia Building Authority 2 0 Georgia Bureau of Investigation 2 1 Georgia Environmental Facilities Authority 2 2 Georgia Military College 2 3 Georgia Public Safety Training Center 2 4 Georgia Public Telecommunications Commission 2 5 Georgia Regional Transportation Authority 2 6 Georgia State Financing and Investment Commission 2 7 Georgia Student Finance Commission 2 8 Office of State Administrative Hearings 2 9 Secretary of State 3 0 State Accounting Office 3 1 State Board of Pardons and Paroles 3 2 State Board of Workers' Compensation 3 3 State Personnel Administration 3 4 State Soil and Water Conservation Commission 3 5 Subsequent Injury Trust Fund
Page 40 of 104

Georgia State Information Technology Report 2009

Security Governance - agencies that develop & maintain own PSG's

AGENCY 1 Administrative Office of Georgia Courts 2 Department of Economic Development 3 Georgia Ports Authority 4 Georgia World Congress Center Authority 5 Jekyll Island State Park Authority 6 Teachers' Retirement System 7 Technical College System of Georgia
Security Governance - agencies with no formal framework

AGENCY 1 Council of Juvenile Court Judges 2 Georgia Development Authority 3 Herty Advanced Materials Development Center 4 Lake Lanier Islands Development Authority 5 Office of Planning and Budget 6 Prosecuting Attorneys' Council

Security Governance - Others
AGENCY Cancer Advisory Committee/Cancer Coalition Department of Defense
Department of Education
Georgia Emergency Management Agency Stone Mountain Memorial Association Total: 5 agencies

OTHER (Agency Remarks)
We are a non-profit organization. We do not have highly confidential information.
Information security governance is controlled by Federal Guidelines through the National Guard Bureau from the Department of the Army. Our agency is currently in the process of re-writing our entire set of security policies and standards. The plan is to align the agency with the GTA Enterprise Security Policies and Standards, and augment them with internal policies, procedures, and guidelines to meet agency specific security objectives. Currently, there are no security policies or standards officially "in force", with valid effective dates. GEMA has developed and maintains agency security policies and standards. GEMA is integrating Enterprise Security Polices as applicable.
Our agency systems are internal and not accessed outside the internal network.

Page 41 of 104

Georgia State Information Technology Report 2009

5 6

Security Governance
9

7

Follow Ent. PSGs

Follow augmented Ent. PSGs

Develop & Maintain own PSGs

No formal framework

35

Others

Page 42 of 104

Georgia State Information Technology Report 2009

Section 4: Security Risk & IT Portfolio Management
Agencies by Impact Categorization

High Impact

8

Moderate Impact

37

Low Impact

12

Total

57

Agency Impact Categorization

12

8

37

High Impact Moderate Impact Low Impact

Page 43 of 104

Georgia State Information Technology Report 2009

Number of Systems/Applications by Agency and Criticality (High Impact Agencies highlighted in Bold)

Agency Court of Appeals Criminal Justice Coordinating Council Department of Administrative Services Department of Agriculture Department of Banking and Finance Department of Community Affairs Department of Community Health Department of Defense Department of Driver Services Department of Early Care and Learning Department of Education Department of Human Resources Department of Insurance Department of Juvenile Justice Department of Labor Department of Law Department of Public Safety Department of Revenue Department of Transportation Employees' Retirement System Georgia Building Authority Georgia Bureau of Investigation Georgia Emergency Management Agency Georgia Firefighter Standards and Training Council Georgia Police Officer Standards and Training Council Georgia Public Safety Training Center Georgia Public Telecommunications Commission Georgia Regional Transportation Authority Georgia State Financing and Investment Commission Georgia Student Finance Commission Georgia World Congress Center Authority Governor's Office of Consumer Affairs Office of Planning and Budget Office of State Administrative Hearings Prosecuting Attorneys' Council State Accounting Office State Board of Pardons and Paroles State Board of Workers' Compensation State Personnel Administration State Road and Tollway Authority State Soil and Water Conservation Commission Subsequent Injury Trust Fund Teachers' Retirement System Grand Total

Critical 1 3 4
8 7 2 2 17 3 3 14 42 2 5
2 7 16 1 4 8 3 1

Important
3 2
18
3 46
3 3 5
3 29 37
11 1 3

General
3 23
5 4 2 35 2

Total 1 3 4 3
10 7 2 2
38 3
29 65 45
5 14
2 5 36 88 3 15 9 6 1

1

1

4

4

3

3

4

1

5

2

6

1

9

8

1

9

1

1

1

9

10

3

3

6

1

1

1

1

2

2

4

17

18

39

1

1

2

5

10

17

3

3

3

1

4

5

5

2

2

197

217

105

519

Page 44 of 104

Georgia State Information Technology Report 2009

System/Application Operating Costs by Agency with Employee/Contractor Totals (GAIT Agencies Highlighted)

Agency
Court of Appeals Criminal Justice Coordinating Council Department of Administrative Services Department of Agriculture Department of Banking and Finance Department of Community Affairs Department of Community Health Department of Defense Department of Driver Services Department of Early Care and Learning Department of Education Department of Human Resources Department of Insurance Department of Juvenile Justice Department of Labor Department of Law Department of Public Safety Department of Revenue Department of Transportation Employees' Retirement System Georgia Building Authority Georgia Bureau of Investigation Georgia Emergency Management Agency Georgia Firefighter Standards and Training Council Georgia Police Officer Standards and Training Council Georgia Public Safety Training Center Georgia Public Telecommunications Commission Georgia Regional Transportation Authority Georgia State Financing and Investment Commission Georgia Student Finance Commission Georgia World Congress Center Authority Governor's Office of Consumer Affairs Office of Planning and Budget Office of State Administrative Hearings Prosecuting Attorneys' Council State Accounting Office State Board of Pardons and Paroles State Board of Workers' Compensation State Personnel Administration State Road and Tollway Authority State Soil and Water Conservation Commission

2008 Total Costs
0 0 $ 12,016,713 0 0 $ 786,783 $271,985,751 0 $ 10,710,837 0 0 $ 60,089,767 0 $ 2,031,642 0 0 0 0 $ 1,853,396 $ 4,177,638 0 0 0
0
$ 30,292
0
0
0
0
$ 4,017,312 0 0 0 0 0 0
$ 2,433,832 $ 1,958,266
0 0
0

2009 Total Costs
$ 15,000 0
$ 226,200 0
$ 41,226 0
$ 30,002,500 0 0 0
$ 2,660,777 0 0
$ 1,400,000 0
$ 105,786 0 0 0
$ 1,486,888 $ 117,600 $ 140,000 $ 177,800

Empl. Total
3.00 5.00 3.15 16.00 12.00 0.00 32.00 0.00 0.00 3.00 2.90 9.00 96.00 10.00 0.00 0.66 2.70 154.00 0.00 15.10 22.00 17.00 1.86

Contr. Total
1.00 3.00 2.96 0.00 0.00 0.00 3.00 0.00 0.00 0.00 18.10 3.00 36.00 17.00 0.00 0.00 0.00 9.00 0.00 2.20 1.00 12.00 0.25

$

5,000 10.00

0.00

$

3,000

0

2.00

0.00

3.00

0.00

$ 66,221

$

580

4.20

0.40

0.40

1.20

$ 412,503

7.50

1.00

$ 2,395,000

13.00

0.00

$

9,800

0.00

2.00

0

0.00

0.00

0

0.00

0.00

0

2.00

0.00

$

5,000

1.50

2.00

$ 7,818,510

64.00

0.00

$ 103,706

4.36

0.00

$ 576,504

6.00

3.00

0

1.00

3.00

$ 1,165,962

10.00

6.00

$

1,642

1.00

0.00

Page 45 of 104

Georgia State Information Technology Report 2009

Subsequent Injury Trust Fund Teachers' Retirement System DBF DECAL Department of Natural Resources Department of Corrections DTAE DVs Georgia Department of Economic Development GOHS Georgia Public Broadcasting JIA Secretary of State Grand Total

0 0 0 $ 1,640,646 0 $ 4,136,000 $ 5,060,000 0 0

$

35,471

$ 676,496

$

13,967

0

$ 383,655,398

$ 81,600 $ 844,544
0 0 0 0 0 0
0 0 0 0 0 $ 49,863,349

10.00

0.00

19.00

3.00

564.33 130.11

Page 46 of 104

Georgia State Information Technology Report 2009

Section 5: Business Continuity Planning

Agencies with Emergency Support Functions (ESF)

Agency Department of Administrative Services Department of Agriculture Department of Banking and Finance Department of Community Affairs Department of Community Health Department of Corrections Department of Defense Department of Driver Services Department of Education Department of Human Resources Department of Insurance Department of Juvenile Justice Department of Transportation Georgia Building Authority Georgia Bureau of Investigation Georgia Emergency Management Agency Georgia Public Safety Training Center Georgia Public Telecommunications Commission Georgia Technology Authority Office of Planning and Budget State Board of Pardons and Paroles

Business Continuity Planning

Q.2

Q.4

Q.5

Q.6

Q.7

Q.8

Ye s N o Unknown Ye s N o Unknown Ye s N o Unknown Ye s N o Unknown Ye s N o Unknown Ye s N o Unknown

34 21 6 42 10 7 37 14 8 42 12 5 31 21 7 21 33 6
Q.2: Does your agency have a policy requiring an actionable plan for continuing critical business processes during an emergency?
Q.4: Has your agency identified, defined and documented the processes that achieve its core business functions?
Q.5: Has your agency ranked the criticality of the processes that support its core business functions (those processes that MUST be performed in the event of an emergency)?

Page 47 of 104

Georgia State Information Technology Report 2009
Q.6: Has your agency identified the key personnel that are tied to each of the critical business processes? Q.7: Has your agency identified an alternate work site or location to conduct business in the event your building is destroyed?
Q.8: Is your agency documenting BC information using the enterprise business continuity and disaster recover planning tool (LDRPS) offered by GTA?
Business Continuity Planning
45 40 35 30 25 20 15 10
5 0

Yes No
Unknown Yes No
Unknown Yes No
Unknown Yes No
Unknown Yes No
Unknown Yes No
Unknown

Q.2

Q.4

Q.5

Q.6

Q.7

Q.8

Business Continuity Planning Tool (Other than Enterprise LDRPS)

Type of tool Commercial Tool Custom Developed Tool MS Office or similar office tools Hardcopy Files Scramble Plans

Agency Count 12 4 22 11 17

Page 48 of 104

Georgia State Information Technology Report 2009

BCP Tools (Other than Enterprise LDRPS)

12 17

Commercial Tool

4

Custom Developed Tool

MS Office or similar office tools

Hardcopy Files

Scramble Plans

11

22

Emergency Preparedness
Emergency Preparedness Fully documented & tested BC procedures Fully documented but not tested BC procedures BCP in development using GTA's BCP services BCP in development independent of GTA's BCP services Adhoc or scramble plans. No formal BC procedures
9 16

Agency count
9 8 16 10 16

8

Fully documented & tested BC

procedures

Fully documented but not tested BC procedures

BCP in development using GTA's BCP services

BCP in development independent of GTA's BCP services

10

Adhoc or scramble plans. No formal

BC procedures

16

Page 49 of 104

Georgia State Information Technology Report 2009
Section 6: Incident Response & Reporting (appendix-6)
Agencies that have documented Incident Response Plan with GTA
Agency Department of Audits and Accounts Department of Banking and Finance Department of Community Affairs Department of Corrections Department of Driver Services Department of Human Resources Department of Insurance Employees' Retirement System Georgia Bureau of Investigation Georgia Emergency Management Agency Georgia Public Safety Training Center Georgia Student Finance Commission Georgia Technology Authority State Accounting Office State Board of Pardons and Paroles State Personnel Administration
Page 50 of 104

Georgia State Information Technology Report 2009
Appendix B - Enterprise IT Maturity in 3 Areas
SECURITY, RELIABILITY AND EFFECTIVENESS10
INTRODUCTION
This paper provides results of an analysis performed in 2009 to characterize Enterprise procedural maturity for IT security, reliability and effectiveness from information provided by agencies for Georgias 2009 Enterprise Information Security Report and 2008 ITIL Self-Assessment. Agency information was analyzed and aggregated, and extended forward as a judgment of enterprise maturity.
For each of the three areas, one or more best practice control objectives were identified from the COBIT Framework1 which applied directly to the areas processes. Then, the information provided by agencies for the 2009 Enterprise Information Security Report2 was correlated to the COBIT control objectives and scored from 0 to 5, using COBIT methodology. Each agency was scored individually with the resulting scores used to assemble an enterprise score. The scoring process examined each agencys information to determine if the information provided sufficient procedural evidence to indicate an awarded score level description as wholly true, except that totally immaterial conditions within a control objective were disregarded, because, if left in the analysis, no agency could obtain that level. Agency scores were captured as a whole number (i.e. 1, 2, 3) while Enterprise scores were permitted at one more significant digit due to rounding (i.e. 1.2, 1.8, etc). Note that stringent application of scoring methodology would normally require Enterprise scoring at the whole number level as well, but the utilized methodology appeared to allow demonstration on annual progress more readily.
Results from this analysis are provided in two levels, as follows: Interpretation of Enterprise Results. Maturity appraisals are presented on an enterprise level for each of the three areas of Security, Reliability and Effectiveness. In addition, within each of the three areas, appraisals are provided for each specific measure used as components of the enterprise appraisal. Details from Agency Results. No maturity appraisals for specific agencies are discussed, however, in some areas one or more agency appraisals may be used, without identification of the agencies, for illustrative purposes.
10 Prepared by Enterprise Policies, Standards and Architecture Section, Enterprise Governance and Planning Division, Georgia Technology Authority
Page 51 of 104

Georgia State Information Technology Report 2009
INTERPRETATION OF ENTERPRISE RESULTS
Enterprise Results will be provided for each of the areas of interest of IT Security, IT Reliability and IT Effectiveness. The beginning and end of each section provides a mathematically generated composite maturity for the area.
IT SECURITY MATURITY SCORE = 1.8
1.8

M3 M1 M2 1.5 1.8 2.1

0

1

2

3

4

5

This score was generated through three measures:
Measure 1: Is the Enterprise Organized to Accomplish IT Security?
Has the enterprise defined the IT organization by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities and supervision? Is the organization embedded into an IT process framework that ensures transparency, control, involvement of senior executives and business management? Is there evidence of a strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritization of IT resources in line with business needs? Are processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties? Is IT involved in relevant decision processes?
Characterization: The Enterprise appears on the surface to have an organizational focus on security and IT processes with named SAISO and Business Continuity Coordinators, but has failed to fully embrace the concepts down through all components of the organization. Nearly half of agencies do not reinforce security roles with role based training. This provides everyone exposure training on security concepts, but does not provide role specific, detailed training for those in specialty jobs to do their work. Two thirds of agencies have determined those business functions critical to achieving core business and less than that have identified key personnel tied to those critical business functions.

Page 52 of 104

Georgia State Information Technology Report 2009
Average maturity score for Enterprise (average of all agencies): 1.8
M1 1.8

0

1

2

3

4

5

Measure 2: Has Management Communicated it Aims and Direction Related to IT Security?
Has Management developed an enterprise IT control framework, and defined and communicated policies? Is there an ongoing communication plan implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management? Does communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction? Does the process ensure compliance with relevant laws and regulations?
Characterization: The Enterprise recognizes the need for and has supported security policies, but individual organizations have not extended support for these policies down through each organization by making them fully available to employees, nor has each organization developed and implemented procedures to provide appropriate training or to keep records of needed or completed training.
Average maturity score for Enterprise (average of all agencies): 2.1
M2 2.1

0

1

2

3

4

5

Measure 3: Assessment and Management of Risk
Has a risk management framework been created to document a common and agreedupon level of IT risks, mitigation strategies and residual risks? Are any potential impacts on the goals of the organization caused by an unplanned event identified, analyzed and assessed? Are risk mitigation strategies in place to minimize residual risk to an accepted level? Are assessment results available to and understood by stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance?
Page 53 of 104

Georgia State Information Technology Report 2009
Characterization: While recognizing critical risk on applications, the Enterprise as a whole has not provided procedural evidence of risk management programs. Over half of agencies can not provide FTE usage on applications, report no security plans and have not engaged a third party security assessment.
Average maturity score for Enterprise (average of all agencies): 1.5
M3 1.5

0

1

2

3

4

5

Composite Maturity Score for Enterprise for Security: 1.8
(Sum of the Enterprise Scores for Security, Communication and Risk divided by 3)
IT RELIABILITY MATURITY SCORE = 1.4
1.4

M1 1.4

0

1

2

3

4

5

This score was generated with one measure:
Measure: Can the Enterprise Provide Continuity of IT Services? Has the Enterprise developed, maintained and tested IT continuity plans? Does Enterprise periodically provide continuity plan training? Does Enterprise utilize offsite backup storage and alternate processing sites? Has the Enterprise developed planned recovery methods for major service interruptions (disaster recovery)? Does the Enterprise utilize appropriate processes for incident reporting and management, and for problem management?
Characterization: The Enterprise appears poorly positioned to ensure reliability of services. Wide results were reported for agencies' maturities in key processes such as "continuity", "availability", "incident reporting and management", "problem management" and "configuration management". However, judging from the

Page 54 of 104

Georgia State Information Technology Report 2009
reported current status of business continuity and disaster recovery activities approximately half of the underlying organizations in the Enterprise are now in planning stages.
Composite maturity score for Enterprise for Reliability: 1.4
M1 1.4

0

1

2

3

4

5

(No math required as only one measure used)

IT EFFECTIVENESS MATURITY SCORE = 1.2
1.2
M1 1.2
M2 1.2

0

1

2

3

4

5

This score was generated through two measures:
Measure 1: Does the Enterprise Employ Strategic IT Planning?
Are IT resources managed and directed in line with the business strategy and priorities? Have IT function and business stakeholders accepted responsibility for ensuring that optimal value is realized from project and service portfolios? Are business strategies and priorities reflected in portfolios and executed by the IT tactical plan(s)?
Characterization: The enterprise has partially evolved toward IT strategic planning based business need and resource application. Other parts of the organization remain naively low on scale of business justified system/project requests.
Average maturity score for all agencies: 1.2

Page 55 of 104

Georgia State Information Technology Report 2009
M1 1.2

0

1

2

3

4

5

Measure 2: Is the Enterprise Effective at Identification of Automated Solutions and Managing the IT Investment?
Do new applications or systems require analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach? Is there evidence of portfolio, lifecycle and project techniques related to solution identification? Is there evidence of definition of the needs, consideration of alternative sources, review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final decision to `make' or `buy'?

Characterization: The Enterprise demonstrates some efforts to utilize functional and operational requirements for solutions. However, many organizations have not provided procedural evidence of such.
Average maturity score for all agencies: 1.2
M1 1.2

0

1

2

3

4

5

Composite maturity score for Enterprise for Effectiveness: 1.2n
(Sum of the Enterprise Scores for Planning and Identifying Solutions divided by 2)

Page 56 of 104

Georgia State Information Technology Report 2009
DETAILS FROM AGENCY RESULTS
The following is presented concerning each of the three areas of examination. A. The COBIT control definition for the area and associated scoring B. Specific agency provided information which was used to evaluate the area. D Reported information used for analysis in this area E. Range of reported information. F. Characterization of enterprise maturity based on reported data
Security
This section discusses the three measures that were used to evaluate the apparent maturity of Agencies' IT Security:
Agencies' Definition of and Organization to Accomplish IT Security, Management's Communication of its Aims and Direction Related to IT Security, and Agencies' Evidence of Assessment and Management of Risk.
Agencies' Definition of and Organization to Accomplish IT Security
A. COBIT control definition1: "An IT organization is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organization is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritization of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes."
Scores1: "0 - The IT organization is not effectively established to focus on the achievement of business objectives. "1 - IT activities and functions are reactive and inconsistently implemented. IT is involved in business projects only in later stages. The IT function is considered a support function, without an overall organization perspective. There is an implicit understanding of the need for an IT organization; however, roles and responsibilities are neither formalized nor enforced "2 - The IT function is organized to respond tactically, but inconsistently, to customer needs and vendor relationships. The need for a structured organization and vendor management is communicated, but decisions are still dependent on the knowledge and skills of key individuals. There is an emergence of common techniques to manage the IT organization and vendor relationships. "3 - Defined roles and responsibilities for the IT organization and third parties exist. The IT organization is developed, documented, communicated and aligned with the IT strategy. The internal control environment is defined. There is formalization of relationships with other parties, including steering committees, internal audit and vendor
Page 57 of 104

Georgia State Information Technology Report 2009
management. The IT organization is functionally complete. There are definitions of the functions to be performed by IT personnel and those to be performed by users. Essential IT staffing requirements and expertise are defined and satisfied. There is a formal definition of relationships with users and third parties. The division of roles and responsibilities is defined and implemented."
B. Type of Information Used to Evaluate this Area: Roles of Senior Agency Information Security Officer, Privacy Officer and Business Continuity Coordinator/Planner filled Agency use of role-based security education for specific information security responsibilities. Percentage of roles uniquely trained for their role and security issues. Acceptance of IT and process risks by business owners Process analysis to identify processes to achieve core business and rank their criticality to business. Identification of key personnel tied to critical business processes
C. Agency Reported Information Used for Analysis in this Area 10 agencies have named SAISO 2 agencies have named Privacy Officer 9 agencies have named Business Continuity Coordinator 5 agencies do not reinforce security roles via role based training 8 agencies have examined processes to identify those necessary to achieve core business functions 8 agencies have ranked business functions by criticality 7 agencies have identified key personnel tied to critical business functions 8 agencies have reported that business owners have accepted risks for their operations.
D. Range of Reported Information 2 agencies provided NULL or no responses to all questions - rated 0 3 agencies have not completely addressed organizational issues related to security. i.e. business owners have not accepted risks, processes have not been examined for criticality, no assigned SAISO - rated 1 5 agencies provided yes or positive responses to 7 of 8 questions - rated 3
E. Characterization of Enterprise Maturity Based on Reported Data The Enterprise appears on the surface to have an organizational focus on security and IT processes with named SAISO and Business Continuity Coordinators, but has failed to fully embrace the concepts down through the organization. Nearly half of agencies do not reinforce security roles with role based training. This provides everyone exposure training on security concepts, but does not provide role specific, detailed training for those in specialty jobs to do their work. Two thirds of agencies have determined those business functions critical to achieving core business and less than that have identified key personnel tied to those critical business functions.
Page 58 of 104

Georgia State Information Technology Report 2009
Average maturity score for Enterprise (average of all agencies): 1.8
Management's Communication of its Aims and Direction Related to IT Security
A. COBIT control definition1: "Management develops an enterprise IT control framework and defines and communicates policies. An ongoing communication plan is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process ensures compliance with relevant laws and regulations."
Scores1: "0 - Management has not established a positive IT control environment. There is no recognition of the need to establish a set of policies, plans and procedures, and compliance processes. "1 - Management is reactive in addressing the requirements of the information control environment. Policies, procedures and standards are developed and communicated on an ad hoc basis as driven by issues. The development, communication and compliance processes are informal and inconsistent. "2 - The needs and requirements of an effective information control environment are implicitly understood by management, but practices are largely informal. The need for control policies, plans and procedures is communicated by management, but development is left to the discretion of individual managers and business areas. Quality is recognized as a desirable philosophy to be followed, but practices are left to the discretion of individual managers. Training is carried out on an individual, as-required basis. "3 - A complete information control and quality management environment is developed, documented and communicated by management and includes a framework for policies, plans and procedures. The policy development process is structured, maintained and known to staff, and the existing policies, plans and procedures are reasonably sound and cover key issues. Management addresses the importance of IT security awareness and initiates awareness programs. Formal training is available to support the information control environment but is not rigorously applied. While there is an overall development framework for control policies and procedures, there is inconsistent monitoring of compliance with these policies and procedures. There is an overall development framework. Techniques for promoting security awareness have been standardized and formalized"
B. Type of Information Used to Evaluate this Area: Agency's description of its information security governance. Availability of agency security policies and standards. Agency practices of recording needed and completed security training. Agency use of role based security education.
C. Agency Reported Information Used for Analysis in this Area 11 agencies endorse enterprise security policies and may or may not supplement them with their own policies. 9 agencies make policies readily available for their employees via multiple methods of communication.
Page 59 of 104

Georgia State Information Technology Report 2009
7 agencies support security with role based training and keep records of employees' needed or completed security training.
D. Range of Reported Information 1 agency provided NULL or no responses to all questions, and 1 agency provided NULL or no response to all questions except for a positive response to divulge that its endorsement of enterprise security policies - rated 0 7 agencies provides yes or positive responses to all questions - rated 3
E. Characterization of Enterprise Maturity Based on Reported Data The Enterprise recognizes the need for and has provided supporting security policies, but individual organizations have not extended support for these policies down through the organization by making them fully available to employees. Nor has each organization developed and implemented procedures to provide appropriate training and to keep records of needed or completed training. Average maturity score for Enterprise (average of all agencies): 2.1
Agencies' Evidence of Assessment and Management of Risk
A. COBIT control definition1: "A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organization caused by an unplanned event is identified, analyzed and assessed. Risk mitigation strategies are adopted to minimize residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance."
Scores1: "0 - Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and development project uncertainties. Risk management is not identified as relevant to acquiring IT solutions and delivering IT services. "1 - IT risks are considered in an ad hoc manner. Informal assessments of project risk take place as determined by each project. Risk assessments are sometimes identified in a project plan but are rarely assigned to specific managers. Specific IT-related risks, such as security, availability and integrity, are occasionally considered on a project-by-project basis. IT-related risks affecting day-to-day operations are seldom discussed at management meetings. Where risks have been considered, mitigation is inconsistent. There is an emerging understanding that IT risks are important and need to be considered. "2 - A developing risk assessment approach exists and is implemented at the discretion of the project managers. The risk management is usually at a high level and is typically applied only to major projects or in response to problems. Risk mitigation processes are starting to be implemented where risks are identified. "3 - An organization-wide risk management policy defines when and how to conduct risk assessments. Risk management follows a defined process that is documented. Risk management training is available to all staff members. Decisions to follow the risk
Page 60 of 104

Georgia State Information Technology Report 2009
management process and receive training are left to the individual's discretion. The methodology for the assessment of risk is convincing and sound and ensures that key risks to the business are identified. A process to mitigate key risks is usually instituted once the risks are identified. Job descriptions consider risk management responsibilities."
B. Type of Information Used to Evaluate this Area: Agency's description of its security governance Application criticality assessments Number and percentage of systems with security plans (or Number and percentage of systems with plans in development) Compliance with FISMA type 3rd party review requirement Application portfolio risks (currency, resource requirements, platform currency, database currency) Employee versus contractor FTE usage
C. Agency Reported Information Used for Analysis in this Area 8 agencies have ranked applications by criticality 6 agencies provided NULL responses to FTE counts of employees and contractor support 7 agencies provided NULL responses to application commission dates 7 agencies divulged less than half of applications had security plans, or provided NULL responses 11 agencies reported no FISMA type assessment on their applications, or provided NULL responses
D. Range of Reported Information 4 agencies provided NULL responses, or no responses to all questions - ranked 0 Many others provided only sporadic responses to questions - ranked 1 and 2 depending on answers.
E. Characterization of Enterprise Maturity Based on Reported Data While recognizing critical risk on applications, the Enterprise as a whole has not provided procedural evidence of risk management programs. Over half of agencies can not provide FTE usage on applications, report no security plans and have not engaged a third party security assessment. Average maturity score for all agencies: 1.5
Reliability
This section discusses the one measure is used to evaluate the apparent maturity of reliability of agencies' IT Services:
Agency Provided Procedural Evidence of its Efforts to Ensure Continuous Service.
A. COBIT control definition1:
Page 61 of 104

Georgia State Information Technology Report 2009
"The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilizing offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimizes the probability and impact of a major IT service interruption on key business functions and processes."
Scores1: "0 - There is no understanding of the risks, vulnerabilities and threats to IT operations or the impact of loss of IT services to the business. Service continuity is not considered to need management attention. "1- Responsibilities for continuous service are informal, and the authority to execute responsibilities is limited. Management is becoming aware of the risks related to and the need for continuous service. The focus of management attention on continuous service is on infrastructure resources, rather than on the IT services. Users implement workarounds in response to disruptions of services. The response of IT to major disruptions is reactive and unprepared. Planned outages are scheduled to meet IT needs but do not consider business requirements. "2- Responsibility for ensuring continuous service is assigned. The approaches to ensuring continuous service are fragmented. Reporting on system availability is sporadic, may be incomplete and does not take business impact into account. There is no documented IT continuity plan, although there is commitment to continuous service availability and its major principles are known. An inventory of critical systems and components exists, but it may not be reliable. Continuous service practices are emerging, but success relies on individuals. "3- Accountability for the management of continuous service is unambiguous. Responsibilities for continuous service planning and testing are clearly defined and assigned. The IT continuity plan is documented and based on system criticality and business impact. There is periodic reporting of continuous service testing. Individuals take the initiative for following standards and receiving training to deal with major incidents or a disaster. Management communicates consistently the need to plan for ensuring continuous service. High-availability components and system redundancy are being applied. An inventory of critical systems and components is maintained."
B. Type of Information Used to Evaluate this Area: Agency roles contributing to agency reliability are filled (SAISO, Privacy Officer) Management of risks (core processes are identified, criticality analysis performed, key personnel analysis) Agency self assessment results for processes (ITIL 2008) Agency Business Continuity plan (agency has BC plan, percentage of systems with DR plans, are plans tested, business owner risk acceptance) Business Continuity Considerations (alternate work site, tool facilitated processes, accessible plan)
C. Agency Reported Information Used for Analysis in this Area ITIL Self Assessment Scores for all agencies. 5 agencies reported no business continuity plans, 2 reported plans in development 9 agencies report no disaster recovery plans covering their systems, or provided NULL response
Page 62 of 104

Georgia State Information Technology Report 2009
D. Range of Reported Information 3 agencies have no business continuity plan and none in progress, and no disaster recovery plans covering their systems - score 0 Various agencies reported inconsistently to measures of having fully documented and tested BC plan, but not having identified cored business processes nor assigning criticality to business processes - score 2
E. Characterization of Enterprise Maturity Based on Reported Data The Enterprise appears poorly positioned to actually recover from a disaster should it be required. However, judging from the reported current status of business continuity planning, approximately half of the organizations are in planning stages. Average maturity score for all agencies: 1.4
Effectiveness
This section discusses the two measures that were used to evaluate the apparent effectiveness of agencies' IT Services:
Agency Procedural Evidence of Strategic IT Planning Agency Procedural Evidence of Effective Identification of Automated Solutions and Ability to Manage IT Investments.
Agency Provided Procedural Evidence of Strategic IT Planning
A. COBIT control definition1: "IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realized from project and service portfolios. The strategic plan improves key stakeholders' understanding of IT opportunities and limitations, assesses current performance, identifies capacity and human resource requirements, and clarifies the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which specifies concise objectives, action plans and tasks that are understood and accepted by both business and IT."
Scores1: "0 - IT strategic planning is not performed. There is no management awareness that IT strategic planning is needed to support business goals. "1 - The need for IT strategic planning is known by IT management. IT planning is performed on an as-needed basis in response to a specific business requirement. IT strategic planning is occasionally discussed at IT management meetings. The alignment of business requirements, applications and technology takes place reactively rather than by an organization-wide strategy. The strategic risk position is identified informally on a project-by-project basis. "2 - IT strategic planning is shared with business management on an as-needed basis. Updating of IT plans occurs in response to requests by management. Strategic decisions are driven on a project-by-project basis without consistency with an overall organization strategy. The risks and user benefits of major strategic decisions are recognized in an intuitive way.
Page 63 of 104

Georgia State Information Technology Report 2009
"3 - A policy defines when and how to perform IT strategic planning. IT strategic planning follows a structured approach that is documented and known to all staff. The IT planning process is reasonably sound and ensures that appropriate planning is likely to be performed. However, discretion is given to individual managers with respect to implementation of the process, and there are no procedures to examine the process. The overall IT strategy includes a consistent definition of risks that the organization is willing to take as an innovator or follower. The IT financial, technical and human resources strategies increasingly influence the acquisition of new products and technologies. IT strategic planning is discussed at business management meetings." B. Type of Information Used to Evaluate this Area: Application portfolio risks (currency, resource requirements, platform currency, database currency) Project portfolio assessment (apparent strategy of project list)
C. Agency Reported Information Used for Analysis in this Area 9 agencies provided null or inadequate response to questions concerning system lifetime cost / lifecycle concept 3 agencies' responses appeared to be based on strategic approach to planning.
D. Range of Reported Information 8 agencies scored "0" and "1" due to weakness of answers or missing answers (no procedural evidence of strategic planning, i.e. FTE counts, lifetime costs, tactical project lists, no project list) 4 agencies reported score "2" and one with "3" primarily due to business orientation of project list indicative of business strategy.
E. Characterization of Enterprise Maturity Based on Reported Data The enterprise has partially evolved toward IT strategic planning based upon business need and resource application. Other parts of the organization remain naively low on scale of business justified system/project requests. Average maturity score for all agencies: 1.2
Agencies' Procedural Evidence of Effective Identification of Automated Solutions and Ability to Manage IT Investments.
A. COBIT control definition1: "The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach. This process covers the definition of the needs, consideration of alternative sources, review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final decision to `make' or `buy'. All these steps enable organizations to minimize the cost to acquire and implement solutions while ensuring that they enable the business to achieve its objectives."
Scores1: "0 - The organization does not require the identification of functional and operational requirements for development, implementation or modification of solutions, such as
Page 64 of 104

Georgia State Information Technology Report 2009
system, service, infrastructure, software and data. The organization does not maintain an awareness of available technology solutions potentially relevant to its business. "1 - There is an awareness of the need to define requirements and identify technology solutions. Individual groups meet to discuss needs informally, and requirements are sometimes documented. Solutions are identified by individuals based on limited market awareness or in response to vendor offerings. There is minimal structured research or analysis of available technology. "2 - Some intuitive approaches to identify IT solutions exist and vary across the business. Solutions are identified informally based on the internal experience and knowledge of the IT function. The success of each project depends on the expertise of a few key individuals. The quality of documentation and decision making varies considerably. Unstructured approaches are used to define requirements and identify technology solutions. "3 - Clear and structured approaches in determining IT solutions exist. The approach to the determination of IT solutions requires the consideration of alternatives evaluated against business or user requirements, technological opportunities, economic feasibility, risk assessments, and other factors. The process for determining IT solutions is applied for some projects based on factors such as the decisions made by the individual staff members involved, the amount of management time committed, and the size and priority of the original business requirement. Structured approaches are used to define requirements and identify IT solutions."
C. Type of Information Used to Evaluate this Area: Apparent strategy of project list Approaches to project work Projects application to business critical areas
D. Agency Reported Information Used for Analysis in this Area 5 agencies provided null or inadequate response to questions related to this topic 3 agencies project selections appear based on tactical requirements without analysis of critical core businesses. 4 agencies provided procedural evidence of strategic selection of automated solutions
E. Range of Reported Information 5 agencies provided null or inadequate responses - scored 0 1 agency provided procedural evidence of planning via project progression - score 3
F. Characterization of Enterprise Maturity Based on Reported Data The Enterprise demonstrates evidence to identify IT automated solutions from functional and operational requirements. However, many organizations have not provided procedural evidence of such. Average maturity score for all agencies: 1.2
Page 65 of 104

Georgia State Information Technology Report 2009 Footnotes: 1. "Control Objectives for Information and related Technology (COBIT) 4.1", 2007, IT Governance Institute, Rolling Meadows, IL 60008. 2. "Information Security Reporting", Standard SS-08-053.02, March 31, 2009, Georgia Technology Authority,
Page 66 of 104

Georgia State Information Technology Report 2009
Appendix C Largest State Applications by Spend

There are 23 applications that spend over $1 million annually on operational support and maintenance, based on data in the IT Expenditures Report 2008.

80 70 60 50 40 30 20 10
0 Application Costs ($Ms)

DCH Medicaid/Peachcare DCH ESI Pharmacy Benefits DHR Success SAO PeopleSoft DHR STARS DDS Drivers License DOAS Team GA MktPlace DHR BioTerrorism ERS PARIS DOR Corp Tax DOR Centralized Taxpayer Acctg MH/MR Community IS DHR SACWIS/Shines DOR Individual Tax SBWC Workers Comp DJJ Juevenile Tracking DOR Gratis DOR Remittance GDoC SCRIBE DCH GRITS BH Sunrise DHR PIE DHR AIMS

Page 67 of 104

Georgia State Information Technology Report 2009
Appendix D - Strategic Planning for Information Technology
In the long run, IT Strategic Planning is about enabling agencies to provide services to citizens as efficiently as possible. While GTA IT transformation addresses making infrastructure secure and efficient and IT Governance addresses using that infrastructure to get the most out of agency applications, IT Strategic Planning seeks to understand each agency's vision and guide the agency in improving the business processes underlying service provision. Given efficient infrastructure and well-governed applications, it is IT Strategic Planning that enables effective use of appropriate it-enabled business models. Simply put, effective use of IT in business processes lets agencies to provide higher quality services less expensively. GTA is working closely with OPB and the other Enterprise Service Agencies to institute a comprehensive multi-year strategic planning process. The process repeats on an annual cycle, calling for the review and when necessary the revision of the agency's mission and vision along with an extension of the plan to encompass the upcoming three fiscal years. Our Enterprise IT Strategic Planning process will roll out in three, overlapping phases. Each phase will take about 18-24 months to complete, but overlap allows the entire strategic planning process to be in place in less time than the sum of the phases. The final phase will continue indefinitely using a continuous process improvement approach.
Phase 1: Startup GTA began its current Enterprise Strategic Planning approach mid-way through FY08 and this phase is well underway. We expect to complete Phase 1 by the end of the next planning cycle (July 2010). Startup consists of the following:
1. Communicate Process to Agencies
Page 68 of 104

Georgia State Information Technology Report 2009
a. OPB took the lead on this with formal communications to all state agencies
b. EGAP began to establish relationships with strategic planners in all agencies this year. These peer to peer relationships among executive level planners helps establish a rapport based on mutual respect and proven reliability. As these relationships mature, there many agencies will have strong planning advocates.
c. EGAP planning experts provide one-on-one guidance on how to get the benefits from strategic planning.
2. Establish Value a. Value to agencies from planning process b. Value to GTA in providing appropriate services c. Value to Georgia leadership in supporting decision making
3. Document Baseline a. Establish key metrics b. Determine starting values
Phase 2: Grow Although the Startup phase has not been completed, GTA has begun to place emphasis on the Grow phase. Grow consists of Startup consists of the following:
1. Increase Participation a. Increase the number of agencies participating b. Increase the quality of participation
2. Broaden Planning Knowledge a. Provide training and mentoring to agency planners b. Established a shared view and expectation for the information produced by the planning process c. Provide guidance to agencies in how to use planning information in prioritizing agency actions
3. Measure Agency Impact a. Working with agency planners, establish methods for quantifying agency results b. Establish individual agency tracking and reporting activities
4. Assess effectiveness and modify process as needed
EGAP began to establish relationships with strategic planners in all agencies this year.
Phase 3: Mature 1. Decrease Planning Effort a. As the process becomes familiar across agencies, the effort needed goes down. b. Annual improvements in the process make it easier and more valuable. 2. Unify Planning Activities 3. Quantify Enterprise Results 4. Activate continuous process improvement
Page 69 of 104

Georgia State Information Technology Report 2009
Appendix E IV&V Case Studies Summary
During 2008, IV&V has made the following tangible, positive impacts worth an estimated $29.6 million: 1. TRS/DIS - $2.6mk at risk and saved; recovery plan and recommendations saved
expenditures that would have been wasted. 2. DCH/HITT - $8.2m at risk and saved; early escalation and recommendations saved
expenditures that would have been wasted. 3. DCH/MEMS - $1.5m at risk and saved; early adoption of recommendations saved
delivery schedule and expenditures. 4. DOAS/TGM - $10.9m at risk and savings of $2.5m; early adoption of
recommendations saved delivery schedule and wasted expenditures. 5. DCH/MMIS - $34.9m at risk with savings of $3.5m; early adoption of
recommendations saved procurement and contracting, and efforts on requirements and risk management 6. DDS/DLS/EDIS Program - $20.0m at risk with savings of $4.5m; recommendations and changes averted potentially fatal problems during procurement and execution. 7. DHR/SHINES - $16.0m at risk with savings of $3.8m; recommendations in final phases of delivery and transition averted costly testing and roll-out problems. 8. DCH/Data Broker - $5.0m at risk with savings of $2.4m; recommendations created project recovery and averted significant issues and risks. 9. DOR/IT/DW Program - $63.3m at risk creating savings of $0.6m; recommendations and changes in early assessment discussions improved overall performance/success.
Page 70 of 104

Georgia State Information Technology Report 2009
Appendix F - State Application Inventory
Page 71 of 104

Georgia State Information Technology Report 2009

Agency ID
202 234 234 234 239 239 239 239 239 239 242 242 242 242 242 242 242 242 242

Agency Office of State Administrative Hearings Criminal Justice Coordinating Council Criminal Justice Coordinating Council Criminal Justice Coordinating Council Georgia Emergency Management Agency Georgia Emergency Management Agency Georgia Emergency Management Agency Georgia Emergency Management Agency Georgia Emergency Management Agency Georgia Emergency Management Agency Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs Governor's Office of Consumer Affairs

Application Case Tracker Grants Management Information System Fiscal Administration Claims Management Information System Tracking System 3 Mail and Database Statewide Messaging System Notification System Tracking System 1 Tracking Database 2 Intranet Quorum (IQ) Time Card Mythics Data Analyzer Messaging Encase Microsoft Office Device Seizure Forensic Toolkit Imager (FTK) CD/DVD Inspector

Criticality Critical Critical Critical Critical Important Critical Important Critical Important Critical Critical Important Important Important Important Important Important Important Important

Commission Date
1/1/00 9/1/96
7/1/95 7/1/96 7/1/03 7/1/05 7/1/05 7/1/08 2/1/09 4/1/09 6/1/09

FTE to Support
2.00 2.00 2.00 1.00 0.01 0.30 0.25 0.25 1.00 0.05 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Contractors 0.00 1.00 1.00 1.00 0.00 0.00 0.00 0.00 0.00 0.25 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00

Operating Cost $0.00 $0.00 $0.00 $0.00 $0.00
$2,800.00 $20,000.00 $90,000.00
$0.00 $65,000.00
$0.00 $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 $0.00 $0.00

Page 72 of 104

Georgia State Information Technology Report 2009

Governor's Office of Consumer 242 Affairs
243 Office of Planning and Budget
243 Office of Planning and Budget
243 Office of Planning and Budget
243 Office of Planning and Budget
243 Office of Planning and Budget
243 Office of Planning and Budget Georgia Firefighter Standards and
287 Training Council Georgia Police Officer Standards
288 and Training Council Georgia Public Safety Training
290 Center Georgia Public Safety Training
290 Center Georgia Public Safety Training
290 Center Georgia Public Safety Training
290 Center
402 Department of Agriculture
402 Department of Agriculture
402 Department of Agriculture Department of Administrative
403 Services Department of Administrative
403 Services Department of Administrative
403 Services Department of Administrative
403 Services Department of Banking and
406 Finance Department of Banking and
406 Finance
406 Department of Banking and

Knowledgebase BudgetTool Budget Appropriations Tracking System BudgetNet Governor's Legislative Information Syste Capital Outlay Budget System Horizon
Microsoft Office
Records System Student Registration and Lodging
Budget System
GPSTC Inventory
Online Registration All agency applications Exchange Multiple
Georgia Procurement Registry
PayPilot
Oasis
eQuote
Web Financial Institutions
Web Money Service Business Web Mortgage

Important Critical
Critical Critical
Important Important Important
Critical
Critical
Critical
Critical
Critical
Critical Important Important Important
Critical
Critical
Critical
Critical
Critical
Critical Critical

1/1/00 7/1/93 7/1/87 7/5/90 7/1/93 7/1/07 1/1/07 1/1/07 1/1/07 1/1/99 1/1/99 1/1/99 1/9/04

0.00 0.00
0.00 0.00
0.00 0.00 0.00
10.00
2.00
1.00
0.50
0.50
1.00 8.00 3.00 5.00
0.40
0.48
1.35
0.92
1.00
1.00 1.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$5,000.00

0.00

$3,000.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.68

$0.00

0.22

$7,700.00

0.91

$218,500.00

1.15

$0.00

0.00

$687.00

0.00

$687.00

0.00

$687.00

Page 73 of 104

Georgia State Information Technology Report 2009

Finance Department of Banking and 406 Finance Department of Banking and 406 Finance Department of Banking and 406 Finance Department of Banking and 406 Finance Department of Banking and 406 Finance Department of Banking and 406 Finance Department of Banking and 406 Finance
407 State Accounting Office
407 State Accounting Office 408 Department of Insurance 408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance 408 Department of Insurance
408 Department of Insurance 408 Department of Insurance
408 Department of Insurance 408 Department of Insurance

Money Services Business Inhouse

Critical

Mortgage - Inhouse

Critical

Financial Instiutions - Inhouse Critical

Human Resources - Inhouse Important

Equipment

Important

Genesys

Critical

Alert PeopleSoft Human Capital Management PeopleSoft Financial Supply Chain Manage
I-SITE NAIC Software
Web Site CASA Federal Government Software PEOPLESOFT Thrid Party Software SIRCON for States Company Admissions Mod SIRCON for States Producer Licensing Mod SERFF Rate and Form Filing Third Party S
USA Software - Third Party Rate and Form Filing Recording & Trackin
Fire Department Tracking TEAMMATE PWC Thrid Party Software
Automobile Mileage Tracking

Critical
Important
Important Critical Critical
Critical
Critical
Critical
Critical
Critical Critical
Critical Critical
Critical Critical

7/1/99
7/1/99 4/1/98 1/2/98
1/2/99
1/2/00
1/2/04
1/2/04
1/2/06 1/2/08
1/2/05 3/1/05
4/1/03 3/1/05

1.00 1.00 1.00 1.00 1.00 2.00 2.00 24.00 40.00 0.00 1.00 1.00 0.00 7.00 7.00 0.00 0.00 2.00 1.00 0.00 1.00

0.00

$1,441.00

0.00

$5,013.00

0.00

$2,945.00

0.00

$877.00

0.00

$1,065.00

0.00

$13,912.00

0.00

$13,912.00

0.00 $2,814,663.60

0.00 $5,003,846.40

3.00

$0.00

0.00

$0.00

3.00

$0.00

3.00

$0.00

3.00

$0.00

0.00

$0.00

3.00

$0.00

3.00

$0.00

0.00

$0.00

0.00

$0.00

3.00

$0.00

0.00

$0.00

Page 74 of 104

Georgia State Information Technology Report 2009

408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance 408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance 408 Department of Insurance
408 Department of Insurance 408 Department of Insurance 408 Department of Insurance
408 Department of Insurance
408 Department of Insurance
408 Department of Insurance 408 Department of Insurance 408 Department of Insurance
408 Department of Insurance 408 Department of Insurance 408 Department of Insurance 408 Department of Insurance 408 Department of Insurance 408 Department of Insurance

Open Records Request Processing Company Annual Report Recording Payments Recording and Reporting Manufactured Housing Licensing
Ad Hoc Reports SIRCON for States Revenue Tracking Modul SIRCON for States Consumer Complaints M SIRCON for States Regulatory Exams Modul SIRCON for States Enforcement Module
Automobile Mileage Tracking Payments Recording and Reporting
Ad Hoc Reports
Ad Hoc Reports Payments Recording and Reporting Employee Recording, Tracking and Reporti Adjuster Permit Allocation/Tracking
Insurance Loss Tracking
Web Services Fire Symposium Registration/Tracking
Hazardous Materials Licensing
Explosives Licensing
Engineering Permitting
Sprinkler Licensing
Document Management

Critical
Critical
Critical
Critical Important
Critical
Critical
Critical
Critical Critical
Critical Important Important
Critical
Critical
Critical Critical Critical
Critical Critical Critical Critical Critical Critical

3/1/05

1.00

0.00

$0.00

3/1/05

2.00

0.00

$0.00

3/1/05

1.00

0.00

$0.00

3/5/05

1.00

0.00

$0.00

5/1/08

4.00

0.00

$0.00

5/1/09

7.00

3.00

$0.00

5/1/09

7.00

0.00

$0.00

5/1/09

7.00

3.00

$0.00

5/1/09

7.00

0.00

$0.00

4/1/05

1.00

0.00

$0.00

4/1/05

1.00

0.00

$0.00

6/1/09

3.00

0.00

$0.00

6/1/09

3.00

0.00

$0.00

4/1/05

2.00

0.00

$0.00

6/1/06

1.00

0.00

$0.00

8/1/06

1.00

0.00

$0.00

9/6/06

1.00

0.00

$0.00

5/1/07

1.00

0.00

$0.00

8/1/07

1.00

0.00

$0.00

12/1/07

1.00

0.00

$0.00

12/1/07

2.00

0.00

$0.00

1/2/08

2.00

0.00

$0.00

1/2/08

1.00

0.00

$0.00

2/1/08

1.00

0.00

$0.00

Page 75 of 104

Georgia State Information Technology Report 2009

408 Department of Insurance
408 Department of Insurance
408 Department of Insurance 408 Department of Insurance 408 Department of Insurance 408 Department of Insurance 408 Department of Insurance
408 Department of Insurance
408 Department of Insurance Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission Georgia State Financing and
409 Investment Commission 411 Department of Defense 411 Department of Defense 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education

Intranet INSource PWC Thrid Party Software Audit Recording, Tracking and Reporting
Company Licensing
Annual Tax Return Processing
Extinguisher Licensing
Audit Scheduling SERFF Rate and Form Filing Third Party S SIRCON for States Taxes and Assessments

Critical
Critical
Critical Critical Critical Critical Critical
Critical
Critical

Microsoft Exchange

Critical

Sage Timberline

Important

Fortis

Critical

eBONDS/FIDS

General

Centric

Important

Time Matters

Important

GSFIC PM Database

Important

Kronos

Important

BLIIP Business Software GKO Chronicle Pilot Bus Bid Facility and School Registry Class Size

Important Critical Critical General General General General

2/1/08

1.00

11/1/02

0.00

8/1/08

2.00

11/1/08

2.00

12/1/08

1.00

1/2/09

2.00

2/1/09

2.00

12/1/08

0.00

7.00

1/1/07

0.50

1.00

1.00

1.00

1.00

1.00

1.00

1.00

0.00

7/1/03

0.00

7/1/03

0.00

0.00

0.00

0.30

0.00

0.00

$0.00

3.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

3.00

$0.00

3.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$156,128.00

1.00

$42,619.00

0.00

$57,025.00

0.00

$0.00

0.00

$51,000.00

0.00

$15,374.00

0.00

$90,357.00

0.00

$0.00

0.00

$0.00

0.20

$27,577.00

0.00

$1,604.00

0.90

$132,890.00

0.00

$6,273.00

Page 76 of 104

Georgia State Information Technology Report 2009

414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education
414 Department of Education 414 Department of Education
414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education
414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education 414 Department of Education
414 Department of Education 414 Department of Education 416 Employees' Retirement System 416 Employees' Retirement System 416 Employees' Retirement System 418 Prosecuting Attorneys' Council 419 Department of Community Health

Budget Amendment Early Intervening Services Bus Liability Survey Dispute Resolution Audit Findings Application 21st Century Complaint and Resolution EDEN Data Submission Certified / Classified Personnel Informa Financial Reporting Applications Orchestrator Data Warehouse Focused Monitoring Career Tech Reporting Contracts Management Application Monitoring Assessment and Accountability Surveys Free and Reduced Meals Consolidated Application Central Directory .NET Charter Schools Reporting Financial Review Bus Accidents Adequate Yearly Progress Capital Outlay Program System - Financia Full Time Equivalent PRTNR PARIS PeopleSoft Pensions Tracker Membership Enrollment

General General General General General
General General
Important General General General General General General General
General General Important General General Important General Critical
Critical Critical General Critical General Critical Critical

8/1/03 7/27/81

0.00 0.00 0.00 0.00 0.00
0.00 0.10
0.50 0.00 0.00 0.00 0.00 0.00 0.10 0.00
0.00 0.00 0.30 0.00 0.00 0.00 0.00 0.00
0.60 1.00 0.00 15.00 0.10 1.50 8.00

Page 77 of 104

0.10

$9,060.00

0.00

$5,771.00

0.00

$1,979.00

0.10

$13,071.00

0.30

$46,608.00

0.20

$34,071.00

0.30

$38,164.00

0.30

$42,752.00

0.10

$19,831.00

0.20

$30,966.00

1.40

$203,894.00

0.10

$18,945.00

0.50

$68,477.00

1.70

$246,977.00

0.30

$46,786.00

0.00

$5,466.00

0.00

$1,785.00

2.90

$422,534.00

0.20

$31,326.00

0.10

$17,206.00

0.00

$4,437.00

0.00

$3,464.00

2.30

$330,310.00

5.20

$749,485.00

0.70

$99,068.00

0.10

$36,688.00

2.00 $1,447,200.00

0.10

$3,000.00

2.00

$5,000.00

3.00

$2,500.00

Georgia State Information Technology Report 2009

419 Department of Community Health 427 Department of Human Resources
427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources

Management System
Medicaid Management Information System
MH WORx Pharmacy Investigative Services Information Syste Web Enabled Ad Hoc Reporting System
Time Accounting
Inspector General
Budget Allocation System Constituent Services Information System
Waiver Information System
I Hear You PURCHASING AND REPORTING SYSTEM $TARS Support Track Accounting and Repor
MS SharePoint Portal Server
AEGIS Aging Information Management System Online Directives Information System
Report of Critical Incidents Vital Records Information System (VRIS)
SUCCESS
CSPP
Grant Acts Reporting System
COMPASS
Wednesdays Child Statewide Automated Child Welfare Inform
Electronic Benefits Transfer

Critical Important
Important
General Important Important Important
Important Important Important
Important
Critical Critical Critical
Critical
Critical Critical
Critical Critical Critical Critical Critical Critical
Critical Critical

4/1/03

24.00 0.00
1.00
0.00 3.00 0.00 0.00
4.00 0.00 1.00
0.00
0.00 0.00 0.00
0.00
0.00 0.00
0.00 0.00 0.00 0.00 0.00 0.00
0.00 0.00

0.00 $30,000,000.00

0.00

$0.00

3.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

Page 78 of 104

Georgia State Information Technology Report 2009

427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources
427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources

(EBT)
Web Facility Search and Location Case Planning Reporting System
CareWare
PH Lab W4 Employer New Hire Reporting Database and Collection of Lab Informati ENERGY ASSISTANCE 6714
Foster Care Recruitment
ACO Regulatory Needs
WebEOC
OFS Debt Set-Off
ESAR VHP
Womens Right to Know
Avatar
RevMax
DFCS Statistics
Adoption System (ADAM) Portal - Quick Hits ORS ECommerce
Exit Interview Vital Events Information System (VEIS)
Contract Tracking System
Service Payment Perpetual Inventory Control System
Contract Reporting System Regional Offices Contracting System
UAS REPORTS 67-14

Important
Important Important Important
Important
General
Important Important Important Important Important Important Important Important Important Important Important
Important Important
Important Important Important
Important Important
Important Important

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

Page 79 of 104

Georgia State Information Technology Report 2009

427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
427 Department of Human Resources 427 Department of Human Resources
428 Department of Community Affairs 428 Department of Community Affairs 428 Department of Community Affairs 428 Department of Community Affairs 428 Department of Community Affairs 428 Department of Community Affairs 428 Department of Community Affairs 432 Court of Appeals 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor

Portal - Quick Hits ORS Report Filing
FAMILY PLANNING 49-09 Portal - Quick Hits EMS Certification
Vehicle Insurance Georgia Registration for Immunization Tr
Learning Management System Mental Health/Mental Retardation Informa
Teen Work 2006
Patient Inventory and Tracking State Electronic Notifiable Disease Surv
Request Management System Perpetual Inventory Control System
Debt Setoff Mental Health CRS - Client Registration System
Litigation Tracking System Housing Trust Fund for the Homeless
LOL
LSAMS
Grants Management System
MST
AOD
FundWare
DOCKET
System 12
System 13
System 14
System 5

Important General
Important Important
Important Important
Important Important Important
Important Important
General Important
Important General
Critical Critical Critical Critical Critical Critical Critical Critical Critical Critical Critical General

0.00 0.00

0.00 0.00

0.00 0.00

0.00 0.00 0.00

0.00 0.00

0.00 0.00

0.00 0.00

1/2/95

0.00

1/2/98

0.00

1/2/98

0.00

1/3/95

0.00

5/14/99

0.00

5/30/91

0.00

0.00

10/15/06

3.00

0.00

0.00

0.00

0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

1.00

$15,000.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

Page 80 of 104

Georgia State Information Technology Report 2009

440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 440 Department of Labor 442 Department of Law
442 Department of Law 460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration
460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration
460 State Personnel Administration
460 State Personnel Administration 460 State Personnel Administration
460 State Personnel Administration 460 State Personnel Administration 460 State Personnel Administration

System 6 System 7 System 8 System 9 System 10 System 11 System 15 System 16 System 17 System 18 Case Management System Document Management System EXAM ADMINISTRATION Applicant Maintenance SPA WEBSITE Kronos / PATS DRUG TESTING SYSTEM GMSDATA FAITHFUL SERVICE AWARD SYSTEM Flex Enrollment - Web GMSNet Email-Exchange Active Directory CAREERS WEB APPLICATION FLEXIBLE BENEFITS SYSTEM FLEXHELP ONLINE PeopleSoft ePerformance Management ESS Employee Self Service File Transfer Server

Critical Critical General Important Important General General Important Important Important General
General General General Important General General Important
General General General Important Important
Critical
Critical General
Important General General

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

0.00

1/2/00

0.33

7/1/00

0.33

0.00

0.00

0.00

0.00

0.00

0.00

0.00 0.00 0.00 0.00 0.00

0.00

1.00 0.00

0.00 0.00 0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$49,222.00

0.00

$56,564.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

1.00

$0.00

2.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

Page 81 of 104

Georgia State Information Technology Report 2009

461 Department of Juvenile Justice
461 Department of Juvenile Justice
461 Department of Juvenile Justice
461 Department of Juvenile Justice
461 Department of Juvenile Justice State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles State Board of Pardons and
465 Paroles

Juvenile Tracking System JTS DJJ External Web Site KRONOS OQA / Incidents Sharepoint

Critical Important Critical Important Important

Lotos Notes mail

General

Barney

Critical

Jabber

General

GRS

Important

Help Desk

Important

Time sheets/leave sheets

Important

Notification

Important

Thor

Important

PAR

Important

Certificate Authority

General

Telecom

General

vpn

Important

Information System

General

Blackberry server

General

Paporion

General

dns

Important

Interstate parole notifications Important

1/2/00

5.00

1/1/00

1.00

1/3/08

1.00

7/1/00

1.00

7/1/08

2.00

1/1/95

0.20

2/1/01

0.15

1/1/07

0.05

0.10

0.10

0.10

0.10

0.25

0.10

0.05

0.10

0.05

0.10

0.10

0.05

0.05

0.10

8.00

$700,000.00

2.00

$150,000.00

1.00

$300,000.00

1.00

$50,000.00

5.00

$200,000.00

0.00

$7,000.00

0.00

$1,000.00

0.00

$0.00

0.00

$700.00

0.00

$4,500.00

0.00

$1,000.00

0.00

$0.00

0.00

$3,000.00

0.00

$875.00

0.00

$0.00

0.00

$575.00

0.00

$0.00

0.00

$1,050.00

0.00

$1,500.00

0.00

$0.00

0.00

$0.00

0.00

$2,000.00

Page 82 of 104

Georgia State Information Technology Report 2009

State Board of Pardons and

465 Paroles

Dhcp

General

0.10

State Board of Pardons and

465 Paroles

Ras1

General

0.01

State Board of Pardons and

465 Paroles

Stats

Important

0.25

State Board of Pardons and

465 Paroles

Fee/Restitution

Important

0.25

State Board of Pardons and

465 Paroles

Omtool Faxserver

Important

0.05

State Board of Pardons and

465 Paroles

Vehicle

General

0.10

State Board of Pardons and

465 Paroles

Utility

General

0.10

State Board of Pardons and

465 Paroles

Parole Notifications

Important

0.10

State Board of Pardons and

465 Paroles

Travel

Important

0.10

State Board of Pardons and

465 Paroles

Ters

Important

0.10

State Board of Pardons and

465 Paroles

All agency operations

Critical

0.15

State Board of Pardons and

465 Paroles

Active directory Services

Important

0.25

State Board of Pardons and

465 Paroles

Purchase request

General

0.15

State Board of Pardons and

465 Paroles

EPO

Important

0.10

State Board of Pardons and

465 Paroles

Patchlink

General

0.10

State Board of Pardons and

465 Paroles

Print server

General

0.10

State Board of Pardons and

465 Paroles

Blink

General

0.10

State Board of Pardons and

465 Paroles

REM

General

0.10

State Board of Pardons and

465 Paroles

Victims

Critical

0.10

State Board of Pardons and

465 Paroles

Case Management System

Critical

0.25

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$1,755.00

0.00

$0.00

0.00

$1,000.00

0.00

$1,500.00

0.00

$2,000.00

0.00

$0.00

0.00

$5,000.00

0.00

$0.00

0.00

$500.00

0.00

$10,000.00

0.00

$14,000.00

0.00

$0.00

0.00

$11,000.00

0.00

$7,000.00

0.00

$3,400.00

0.00

$16,000.00

Page 83 of 104

Georgia State Information Technology Report 2009

State Board of Pardons and 465 Paroles
State Board of Pardons and 465 Paroles 466 Department of Public Safety 466 Department of Public Safety 466 Department of Public Safety
466 Department of Public Safety 466 Department of Public Safety
Department of Early Care and 469 Learning
Department of Early Care and 469 Learning
Department of Early Care and 469 Learning
471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation
471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation 471 Georgia Bureau of Investigation 474 Department of Revenue 474 Department of Revenue 474 Department of Revenue 474 Department of Revenue 474 Department of Revenue 474 Department of Revenue 474 Department of Revenue 474 Department of Revenue

Adtran Atlas

General

loglogic Roster Leave Accounting DPS Helpdesk OTIS (Overweight Truck Info Syst.) CRMS

General Important Important Important
Critical Critical

Pre-K

Critical

Nutrition

Critical

Child Care Services Automated FP Identication System Sex Offender Registry Uniform Crime Reporting LIMS-Plus Georgia Protective Order Registry JIMNET GBI/GCIC CJIS GBI WAN Computerized Criminal History Sales Tax MotorFuel CTS IRP DCS TCS2000 GEICS CORP EFS

Critical
Critical Critical Important Critical
Critical Critical Critical Critical Critical Critical Important Important Important Important Important Important Important

12/1/03
8/1/87 3/18/98
1/1/76 1/1/00 7/1/02 1/1/05
4/1/09 6/1/04

0.00
0.05 0.54 0.54 0.54
0.54 0.54
1.00
1.00
1.00
0.00 3.00 2.00 2.00
2.00 3.00 5.00 0.00 0.00 12.00 2.00 5.00 4.00 5.00 2.00 6.00 4.00

0.00

$2,000.00

0.00

$5,351.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

3.00

$0.00

0.00

$0.00

0.00

$0.00

6.00

$140,000.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

3.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

Page 84 of 104

Georgia State Information Technology Report 2009

474 Department of Revenue

IATS

Important

6.00

0.00

$0.00

474 Department of Revenue

CTAB

Important

4.00

0.00

$0.00

474 Department of Revenue

IRMF

Important

1.00

0.00

$0.00

474 Department of Revenue

PTS

Important

2.00

0.00

$0.00

474 Department of Revenue

ATSP

Important

1.00

0.00

$0.00

474 Department of Revenue

IRMF Inquiry

Important

2.00

0.00

$0.00

474 Department of Revenue

WTS

Important

6.00

0.00

$0.00

474 Department of Revenue

IITS

Important

5.00

0.00

$0.00

474 Department of Revenue

Fed/State Partnership

Important

2.00

0.00

$0.00

474 Department of Revenue

ELF

Important

3.00

0.00

$0.00

474 Department of Revenue

FITS

Important

2.00

0.00

$0.00

474 Department of Revenue

TCDW

Important

5.00

0.00

$0.00

474 Department of Revenue

Sales Tax

Critical

12.00

0.00

$0.00

474 Department of Revenue

Check21

Critical

9.00

5.00

$0.00

474 Department of Revenue

RPS

Critical

14.00

0.00

$0.00

474 Department of Revenue

DCS

Critical

5.00

0.00

$0.00

474 Department of Revenue

EFT

Critical

2.00

0.00

$0.00

474 Department of Revenue

GRATIS

Important

13.00

4.00

$0.00

474 Department of Revenue

Composite

Important

1.00

0.00

$0.00

474 Department of Revenue

CPD

Important

1.00

0.00

$0.00

474 Department of Revenue

DRCAD

Important

1.00

0.00

$0.00

474 Department of Revenue

CTA

Important

5.00

0.00

$0.00

474 Department of Revenue

RAR/CP2000

Important

2.00

0.00

$0.00

474 Department of Revenue

INDIV Deliquents

Important

1.00

0.00

$0.00

474 Department of Revenue

IFTA

Important

2.00

0.00

$0.00

474 Department of Revenue

Composite

Important

1.00

0.00

$0.00

474 Department of Revenue

Mailcash

Critical

3.00

0.00

$0.00

474 Department of Revenue

CTR

Important

3.00

0.00

$0.00

475 Department of Driver Services

Permanent License Print

Critical

12/31/90

0.00

0.00

$0.00

475 Department of Driver Services

Reinstatements

Critical

1/26/00

0.00

0.00

$0.00

475 Department of Driver Services

Driver Record Maintenance

Critical

7/25/00

0.00

0.00

$0.00

475 Department of Driver Services

Driver History for Law

Important

1/1/00

0.00

0.00

$0.00

Page 85 of 104

Georgia State Information Technology Report 2009

Enforcement

475 Department of Driver Services

Internet Motor Vehicle Reports

(MVR)

Critical

10/1/01

0.00

0.00

$0.00

475 Department of Driver Services

SharePoint

General

1/1/07

0.00

0.00

$0.00

475 Department of Driver Services

Teen Drivers

Important

1/1/07

0.00

0.00

$0.00

Problem Driver Pointer System

475 Department of Driver Services

(PDPS)

Critical

12/1/01

0.00

0.00

$0.00

Commercial DL Info System

475 Department of Driver Services

(CDLIS)

Critical

12/31/01

0.00

0.00

$0.00

475 Department of Driver Services 475 Department of Driver Services 475 Department of Driver Services

Mail-In Renewals Social Security Online Verif (SSOLV) Georgia Electronic Conviction Processing

Critical Critical Critical

4/3/02

0.00

0.00

$0.00

8/3/03

0.00

0.00

$0.00

11/10/03

0.00

0.00

$0.00

475 Department of Driver Services 475 Department of Driver Services

Footprints Help America Vote Verif (HAVV)

Important Important

3/1/07

0.00

0.00

$0.00

3/17/00

0.00

0.00

$0.00

475 Department of Driver Services

Driver Testing

Important

3/17/05

0.00

0.00

$0.00

475 Department of Driver Services

Motorcycle Safety

Important

3/17/08

0.00

0.00

$0.00

475 Department of Driver Services 475 Department of Driver Services

Kronos Digital Image for Law Enforcement

Important Important

4/1/07

0.00

0.00

$0.00

4/7/09

0.00

0.00

$0.00

475 Department of Driver Services

DDS Schools

Important

6/1/06

0.00

0.00

$0.00

475 Department of Driver Services

OnBase

Important

6/8/09

0.00

0.00

$0.00

475 Department of Driver Services

Internet Renewals

Critical

12/7/05

0.00

0.00

$0.00

475 Department of Driver Services

License Replacements

Critical

12/7/05

0.00

0.00

$0.00

475 Department of Driver Services

Q-Matic

Important

7/1/02

0.00

0.00

$0.00

475 Department of Driver Services

DDS Intranet

Important

7/1/05

0.00

0.00

$0.00

475 Department of Driver Services 475 Department of Driver Services

DDS Internet Systematic Alien Verif for Entitlements

Important Critical

7/1/05

0.00

0.00

$0.00

1/1/08

0.00

0.00

$0.00

475 Department of Driver Services 475 Department of Driver Services

Motor Vehicle Reports (MVR) Motor Voter Confirmations (MVC)

Important General

8/14/00

0.00

0.00

$0.00

10/2/08

0.00

0.00

$0.00

475 Department of Driver Services

Reservations

Important

10/16/01

0.00

0.00

$0.00

475 Department of Driver Services

Personal Password

Important

11/1/05

0.00

0.00

$0.00

Page 86 of 104

Georgia State Information Technology Report 2009

475 Department of Driver Services
475 Department of Driver Services
475 Department of Driver Services
475 Department of Driver Services
475 Department of Driver Services
475 Department of Driver Services
475 Department of Driver Services
475 Department of Driver Services Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission Georgia Student Finance
476 Commission State Soil and Water Conservation
480 Commission State Soil and Water Conservation
480 Commission State Soil and Water Conservation
480 Commission State Soil and Water Conservation
480 Commission
482 Teachers' Retirement System

Case Mgmt System Document Management System (DMS) Applicant Verification Module (AVM) Examiner Login Location (WALDO) Personal Motor Vehicle Report (MVR) Scan Header Print Health Data Interim License Print
CRM
Loan Servicing General Ledger and Accounts Payable
IVR
S&G
GAcollege411 Document managements system GSFApps Online Application System Transcript Exchange and HOPE GPA
E&S Certification Database
Ag Water Metering Database Microsoft Small Business Server
LIA/MOA Database Great Plains

Important Critical Critical Critical Important Critical General Critical Important Critical Critical Critical Critical Critical Critical Critical Critical Important Important Important General Critical

11/17/08

0.00

6/8/09

0.00

6/22/09

0.00

6/22/09

0.00

12/9/05

0.00

6/22/09

0.00

12/31/03

0.00

6/22/09

0.00

6/1/05

0.00

7/1/99

2.00

1/1/00

1.00

11/1/03

0.00

1/1/04

1.00

2/1/05

2.00

6/1/06

1.00

11/1/06

2.00

1/1/07

4.00

3/24/06

0.00

4/23/07

0.00

2/15/05

1.00

5/21/09

0.00

7/1/02

1.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$20,000.00

0.00

$260,000.00

0.00

$25,000.00

0.00

$20,000.00

0.00

$0.00

0.00 $1,500,000.00

0.00

$100,000.00

0.00

$370,000.00

0.00

$100,000.00

0.00

$547.40

0.00

$547.40

0.00

$0.00

0.00

$547.40

0.00

$74,334.00

Page 87 of 104

Georgia State Information Technology Report 2009

482 Teachers' Retirement System 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation

PASS
Clearcase ClearQuest Data Dictionary
HMMS BIMS
SharePoint 2007 planetIRM
Cash Flow Forecasting (CCF) Trns*Port Client/Server RequisitePro Crash Application Reporting System(CARS) TRAQs
Tpro Fleet Anywhere Crash Accident Reporting System Consultant Management Information System Data Warehouse 1625 Construction Submittal Interface (CSI) Workforce Timekeeper (WFTK) Tpro SQL (Scenerios)
Traffic Interruption Report (tir) FlightRequest PublicOutreach Incident Report Application (IRA) PropertyDamage
Contactlist

Critical General General Important Critical Critical Critical General General Critical General
Critical Critical Critical Critical
Critical
Critical Critical Critical
Critical
Critical Critical Critical General General
Important Important General

5/1/04

18.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
0.00 0.00 0.00 0.00
0.00
0.00 0.00 0.00
0.00
0.00 0.00 0.00 0.00 0.00
0.00 0.00 0.00

3.00

$770,210.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

Page 88 of 104

Georgia State Information Technology Report 2009

484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation
484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation

herodispatch Vehicle Detail Analysis Report (VDAR) Concrete
OTC DetailsEstimate TEAM
RCX Web Explorer PitQurry
weighStation BookInvoice
FastHire Recruitment Module AMPS Local Assistance Road Program (LARP) Motor Vehicle Usage (MVU) Signal Pemits Application (SPA) WECS
SMARTFORM Motor Vehicle Assignment System (MVA)
The Source State Highway Map Photo Contest (temap) Contract Payable Ledger (CPL) Blackberry Application
Auto Traffic Record Polling Urbantis
Aviation RC Applets Qualified Product Lists
DPSWSOR

General
General General General Important General Important General General General Important Important
Important Important
Important General Important
Important Important
General
General General Important General Important Important Important General

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

Page 89 of 104

Georgia State Information Technology Report 2009

484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation 484 Department of Transportation
484 Department of Transportation
484 Department of Transportation
484 Department of Transportation 484 Department of Transportation 484 Department of Transportation

MyNavigator
WorkAway
RoadDetailPlanSearch
NavigatorUtilities
CMODS Chemical Hazard Training_RTK Remedy Action Request System (Remedy)
Navigator Display Wall
PCARD
SCB Outdoor advertising sign information sys
MobileManager
JobVacancy
CTSA_LARP
SignalApp
Exit Interview Advanced Transportation Controller Prog
AirTrans
DRIVE
ROADNAME_Resolution
Quest
PublicOutreach
ActiveReporting Construction Project Web Page (CWP) Program of External Audits&Reports -PEAR Field Data Collection System (FDCS)
ARMS
ContractsAdministration

Important General Important Important General
General
General Important Important Important
Important General General Important Important General
Important General Important Important General General General
Important
Important
General Important General

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

0.00

0.00

$0.00

Page 90 of 104

Georgia State Information Technology Report 2009

484 Department of Transportation
484 Department of Transportation
484 Department of Transportation 484 Department of Transportation
484 Department of Transportation 489 Subsequent Injury Trust Fund 489 Subsequent Injury Trust Fund 489 Subsequent Injury Trust Fund 489 Subsequent Injury Trust Fund 489 Subsequent Injury Trust Fund
State Board of Workers' 490 Compensation 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority
900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority 900 Georgia Building Authority
Georgia World Congress Center 922 Authority 927 State Road and Tollway Authority

Automated Routing & Permitting System Transportation Explorer (TREX) Georgia Utility Permit System (GUPS)
SafeTrack Rail road management system (rrms)
Claims Processing
Assessment Process
Reimbursement Processing
Disaster Recovery
Imaging

Important
Important
Important Important
Important Critical Critical Critical Critical Critical

ICMS Apogee TrackIT Helpdesk Microsoft Exchange 2003 viaWARP Blackberry Enterprise Server Amano Solomon/Dynamics/SL IIS Stonegate Management Center BackupEXEC SQL Server 2005 Sharepoint Keystone Maximo Quickbase

Critical Critical Important Critical Important Important Critical Critical Important
Important Important Important Important Important Important Important

ConCentRICs TCSWebInternal

Critical Critical

0.00

0.00

0.00 0.00

0.00

7/1/85

2.00

7/1/85

2.00

7/1/85

2.00

7/1/04

2.00

7/1/04

2.00

10/1/05

6.00

2.00

3.00

1.00

1.00

1.00

5.00

1.00

1.00

1.00 1.00 2.00 1.00 1.00 0.00 1.00

7/1/97

0.00

5/30/03

4.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$38,300.00

0.00

$0.00

0.00

$38,300.00

0.00

$0.00

0.00

$5,000.00

3.00

$576,504.00

1.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$22,600.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$0.00

0.00

$70,000.00

0.00

$25,000.00

2.00

$9,800.00

2.00

$336,490.47

Page 91 of 104

Georgia State Information Technology Report 2009

927 State Road and Tollway Authority
927 State Road and Tollway Authority Georgia Regional Transportation
976 Authority Georgia Regional Transportation
976 Authority Georgia Regional Transportation
976 Authority Georgia Regional Transportation
976 Authority Georgia Regional Transportation
976 Authority Georgia Public
977 Telecommunications Commission Georgia Public
977 Telecommunications Commission Georgia Public
977 Telecommunications Commission

TCSWebExternal Violations Image Review American Fundware Fleetwise MIVA MERCHANT Exchange Content Management Enco Pro Track Team Approach

Critical Critical Important Important General Important Important Critical Critical Critical

5/30/03

4.00

7/12/05

2.00

1/1/99

0.15

1/1/05

0.10

1/1/05

0.00

7/1/99

0.15

7/1/08

0.00

1.00

1.00

2.20

2.00

$291,490.47

2.00

$537,980.95

0.00

$0.00

0.20

$400.00

0.50

$180.00

0.00

$0.00

0.50

$0.00

0.00

$22,771.00

0.20

$7,810.00

0.20

$35,640.00

Page 92 of 104

Georgia State Information Technology Report 2009

Appendix G - State Project Inventory

Agency BOR BPW CJCC CNG
CoA CoA CoA CoA CoA CoA CoA CoA CommOfIns CommOfIns CommOfIns CommOfIns
DBF DBF
DBF DBF DBF DBF DBF DBF
DCA DCA DCA DCA DCA DCA

Project Business Intelligence Software Web-based Matching Services Program Agency Modernization Project (AMP) Customer Service Initiative
EFAST New Docket Audio Streaming Oral Arguments Employee Portal/Social Networking Site Teleconferencing Oral Arguments Work Flow Docket Upgrade E-File Applications Electronic Signature System Data and trend analysis development. Electronic reporting and analysis Electronic rate and form filing
Intrusion Protection System New Examiner IT Needs
Active Directory Firewall Upgrades PGP Encryption New online applications/payment options Online Application Enhancements Nationwide Mortgage Licensing System (NMLS)
Deployment of new web server Enterprise Deployment of Microsoft Office SharePoint Server Exchange Server 2007 Deployment RAD Automation Modernization(RADAM) RAD Video Conferencing Project SHM Servicing System

Phase Initiation Planning Concept Develop
Acquisition Acquisition Concept Concept Concept Initiation Planning Planning Initiation Planning Planning Transition
Acquisition Execution/Control
Implementation Implementation Implementation Planning Planning Transition
Acquisition Acquisition Acquisition Concept Concept Concept

Priority
High High
High Medium Medium High
High High Medium

Start Date 1/9/09
06/15/2009 7/1/06
09/15/2010 12/31/2010
12/01/2009 11/01/2009 02/01/2010 07/01/2009 09/01/2009 03/01/2010

Cost $320,000
$50,000 $850,000 $17,900,000
$0 $147,500
$0 $0 $0 $0 $0 $0 $100,000 $100,000 $0 $0
$14,450 $40,000
$20,700 $23,800 $18,800 $50,000 $50,000 $10,000
$4,300 $111,005
$19,012 $698,206 $250,500 $250,000

Page 93 of 104

Georgia State Information Technology Report 2009

DCA
DCA DCH DCH DCH DCH DCH DCH
DCH DCH DCH DCH
DDS DDS DDS DDS DDS DDS DDS DDS DDS DDS DDS
DDS DDS DDS
DDS DDS DDS DDS DDS DDS
DECL DECL

Housing Allocations
Hard Disk Encryption Software Deployment Medicaid Management Information System Pre-Claim Edit System Provider License Verif Provider Linkage Sysytem GRITS Upgrade ASO Level of Care
CMO CMO 1a Data Broker Services MRDD Waiver Project
DLS (Driver's License System) DLS Iteration 4 Electronic Certified Mail KRONOS Upgrade Online Certification Reporting Application (OCRA)- Phase 3, RRP/DDC Systematic Alien Verification for Entitlement System (SAVE) R1.4 Web3 Interface CDLIS 5.0 eADAP Legislation (HB1111, SB448, HB160) Web Reservations Written Test Upgrade
Digitized License EDIS-Phase Two SAFFE DL
On-Base Rollout to CSCs Comprehensive Training Program Continue to Develop and Enhance Website Services Quality Assurance System Case Management Continue to develop and enhance services via Web and Phone
KOALA Technical Assistance Repository

Execution/Control
Implementation Acquisition Concept Concept Concept Design Develop
Execution/Control Execution/Control Execution/Control Planning
Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Concept Concept Concept Concept Concept
Execution/Control Execution/Control Execution/Control
Implementation Initiation Initiation Initiation Planning Planning
Concept Concept

High High
High High High Medium Medium High High Medium High
High
High Medium

3/15/08 11/01/2009 07/01/2010
7/1/07 7/1/07 7/1/07 6/1/09 5/1/07 03/17/2008 05/02/2008 08/24/2006 12/1/07 09/01/2009 03/01/2010 12/31/2009 12/31/2009 12/31/2009 02/28/2010 03/31/2010 12/31/2009 06/30/2010 1/1/08 7/1/08 09/20/2005 09/24/2007 02/01/2007 08/31/2009
11/1/07

$320,000
$0 $37,000,000
$2,800,000 $300,000
$1,900,000 $0
$1,100,000
$0 $0 $17,264,364 $4,974,457
$0 $0 $0 $0 $0 $0 $0 $0 $0 $196,450 $149,760
$20,000,000 $7,672,000
$13,944,000
$0 $0 $0 $0 $395,000 $0
$0 $0

Page 94 of 104

Georgia State Information Technology Report 2009

DECL DECL DECL DECL DED DHS DHS DHS DHS DHS DHS DHS DHS DHS DHS DHS
DJJ DJJ DJJ
DJJ DJJ DJJ DJJ DJJ DJJ DJJ DJJ DJJ DNR
DoA DoA DoA DoA DoAcctAud

Professional Development Registry Sanswrite Upgrades TA repository Nutrition Tablet PC Leisure Travel Vision $TARS System Upgrade ARRA - DFCS Document Imaging FED INC-Data Warehouse Georgia COMPASS - Enhancements State Electronic Notifiable
VEIS Vital Event Info Sys Video Streaming DFCS Food Stamp Portal MHDDAD Hospital MH Data Warehouse
WIC Develop Software to support Safe Crisis Managment Initiative DJJ Automate victim notification
Finish Kronos Implementation at 12 of 26 sites Implement Youth Enahanced Service Plan as a part of Juvenile Tracking System Implementfor DJJ schools PACE student learning software at one new YDC this year KRONOS Time/Attendance/Leave managment Report Card Measures Dashboard development Enhance tracking of youth services CRN audit Graduated Sanctions Waste Reduction
Pesticides Field Force Automation Animal Protection Field Force Automation Version 2 Fuel Lab sample entry system Livestock Poultry field Force Inspection Automation Version 2 Develop an Information System to Track Audit Findings

Initiation Initiation Initiation Planning Planning Concept Concept Concept Concept Concept
Concept Concept Develop Execution/Control Planning

09/01/2009 02/01/2010 02/01/2010 03/02/2009
01/29/2007 7/1/07 7/1/06 7/1/08 2/1/07

Acquisition Develop Execution/Control
Implementation Implementation Implementation Initiation Initiation Planning Planning Transition

High
High High Low

09/01/2009 7/1/06
07/01/2008 01/01/2010 07/01/2009

Initiation
Acquisition Concept Concept Concept Execution/Control

High Medium Medium Medium

01/01/2010 06/01/2010 07/01/2010 07/01/2010

$0 $0 $0 $0 $0 $1,600,000 $1,200,000 $2,500,000 $340,000 $751,718
$5,000,000 $1,276,400 $1,725,045 $6,133,141 $4,000,000
$0 $150,000 $500,000 $400,000
$300,000 $200,000
$30,000 $100,000
$50,000 $50,000
$0 $25,000
$0 $0
$0 $0 $0 $0 $0

Page 95 of 104

Georgia State Information Technology Report 2009

DoAcctAud DoAg DoAg DoAg DoAg
DOAS DOAS DOAS DOAS DOAS DOAS DOAS DOAS DOAS DOAS DOAS
DOC DoC DoC DoC DoC DoC DoC DoC DoC DoC DoC DoC
DOC DoC DoC
DOC DoD
DOE

Conduct a Pilot Program that would Reduce Costs of Operating Regional Offices. Energy Independence Promotion Inspection Capability Customer service Licensing Technology
DOAS Web Portal Phase II Team Georgia Marketplace Enhancements IT Site and IES migration to Sharepoint. IT Staff training and retooling. Mail & Courier System Replacement system for Oasis claims management system. Surplus system enhancements. Quickbase OFM Maintenance Management Project PeopleSoft Billing Electronic Time Sheet
DOC Wiring Update Autry State Prison Infirmary Dental health enhancement Disaster Recovery (DR) Planning EMR GDC Training academy relocation to Tift College Campus, Fosryth Georgia Headquarters Relocation to Tift College Campus, Fosryth Georgia Pharmaceutical Tracking employment rate of released offenders. Capital Improvement (bond funded initiatives) Computers for DRCs Electronic time keeping
eMR - Electronic Medical Record project * Centralized Offender Scheduling Offender Transportation
OTIS Replacement Distance learning
Chronicle Pilot

Planning Initiation Initiation Planning Planning
Acquisition Acquisition Concept Concept Concept Concept Concept Execution/Control Initiation Initiation Planning
Concept Execution/Control Execution/Control Execution/Control Execution/Control Execution/Control Execution/Control Execution/Control Execution/Control Initiation Initiation Initiation
Planning Planning

High High Medium High Medium Medium Medium

09/01/2009 12/31/2011 03/30/2010 12/31/2009 12/31/2009 12/31/2010 11/30/2009
07/14/2006

$0 $1,500,000
$700,000 $1,000,000 $1,500,000
$50,000 $60,000
$0 $5,000
$0 $0 $0 $100,000 $1,000,000 $500,000 $100,000
$1,162,400 $0 $0 $0 $0 $0 $0 $0
$50,000 $0 $0 $0
$0 $0

Planning Concept

High

07/01/2011

$5,038,000 $50,000
$0

Page 96 of 104

Georgia State Information Technology Report 2009

DOE DOE DOE
DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE DOE
DOE DOE DOE DOL DOL
DOR DOR
DOT DOT DOT DOT DOT

Chronicle Pilot Chronicle Pilot Online Learning Mgmt
ARRA Transparency Central Directory .NET Charter Schools Entity Codes Georgia Standards Project Billing Reading First Professional Development SharePoint Infrastructure Contracts Management Learning Village MSIX Data Submission Portal User Registration Business Continuity Local Fund Accounting System Special Education Induction Resources Data Utilization to Guide Decision Making IE2 system and Charter System data reporting LEA Code availability for state approved charter schools Reading First and Credit Recovery Learning Management System Capital Outlay Database
Consolidated Application - School Improvement Consolidated Application - School Improvement (ARRA) School Nutrition 9iAS Interactive Voice Response (IVR) Labor Exchange (LEx)
Check 21 ITS/TCWD
BIMS CivilRights & LaborManagement Implementation CMIS Electronic Invoicing Enhancements CMIS Utilities FieldManager & FieldNet Implementation

Concept Concept Concept Development Development Development Development Development Development Development Implementation Implementation Implementation Implementation Initiation Initiation Initiation Planning Planning Planning Planning
Planning
Implementation Transition Acquisition Acquisition Acquisition Acquisition Acquisition

High High Low Low Medium High High Medium Medium High Medium Low Medium
High
Medium
High High Medium Medium Medium

07/01/2011 07/01/2011
6/1/07 07/01/2009 07/01/2009 07/01/2009 07/01/2005 07/01/2007 07/01/2009 07/01/2008 07/01/2008 07/01/2008 07/01/2009 07/01/2004
6/1/06 07/01/2008 07/01/2008 07/01/1996
11/01/2009 7/14/08

$0 $27,577 $918,000
$682,644 $31,326 $13,791
$555,953 $87,047
$146,442 $69,851
$246,977 $95,227 $314 $30,035
$2,880,000 $8,000,000
$40,000 $1,000,000
$275,000 $900,000 $700,000 $1,440,000
$0 $15 $9,295
$0 $0
$0 $15,231,020
$0 $0 $0 $0 $0

Page 97 of 104

Georgia State Information Technology Report 2009

DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT DOT
DOT DOT DOT DOT DOT DOT DOT DOT DPS
DPS DTAE DTAE DTAE DTAE

FRED GDOT Report Conversion Project GFARS Project GUPS InRoads ITS Navigator Maintenance Support Tool (NSMST) ITS Webforms and Dashboard Single Sign On (SSO) Systems Integration TRANSPORT (Site Manager - Materials) ALADS CMDB EGIS Enterprise Geospatial NaviGator Project Prioritization Project (PrPP) Road Design Moving to SharePoint DOT VoIP Upgrades to the ELM system
ARPS Routing Component Implementation Crash Analysis and Reporting System CTSA CMAQ Microsoft Project OASIS Retirement Of Applications TPRO VMS Project Records Management System (RMS) - Computer Aided Dispatch (CAD) - Motobridge (Communications Connectivity).
Procure Equipment for the CTTF and JTTF Heart of GA Technical Moultrie Technical College Proofpoint Email Security Purewire Web Control Access

Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Acquisition Concept Concept Concept Concept Concept Concept Concept Develop Execution/Control
Implementation Implementation Implementation Implementation Implementation Implementation Implementation Implementation Execution/Control

High Low Medium Medium Medium Medium Medium High Medium Low Medium Low Medium Medium Medium High Medium
High High Medium Medium Low High High Low

Planning Develop Initiation Initiation Initiation

3/1/08

$0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $0 $1,802,768 $500,000
$0 $0 $0 $0 $0 $0 $0 $0 $0

11/1/07 8/1/06 7/1/09 7/1/09

$0 $260,000 $225,000 $140,000 $260,000

Page 98 of 104

Georgia State Information Technology Report 2009

DTAE DVetSrvc DVetSrvc
ERS FSTC GAPOST
GBA GBA
GBA GBA GBA
GBA GBA GBA GBA
GBI GBI GBI GBI GBI GBI GBI GBI GCDD GDC GDC GEFA GEMA GFC GFC GFC GFC GFC

WINS for WorkKeys IT Enhancement SAA IT Project
SharePoint Web-Based Testing Training Records
Disaster Recovery Maximo upgrade
Implement Security Plan T2 Parking System Done: Develop Plan and funding requests for Demolition of DOT Building/Design New Parking Deck
Demolition of GDOT and relocation of IT fiber Develop Online Card Request System for Access Control Coordinators. Imaging System Parking and Access Control Self Service
Automated Fingerprint Identification System (AFIS) Upgrade Biometric ID Laboratory Information Management System (LIMS) update Division of Forensic Sciences LIMS Forensic Sciences LIMS Hiring of 1 FTE to serve as webmaster for GBI Website Mobile Biometric Fingerprint Identification GA Terrorism Intelligence Real Communities OTIS Replacement v4 Business Intelligence Software Web developer Agency Migration from Lotus Notes to Microsoft Office Arson Investigation Automated Burn Permits Build IMT Membership Carbon Registry Certified Forests

Initiation Initiation Initiation
Implementation Initiation

Medium

Acquisition Execution/Control
Implementation Implementation Initiation

Medium
Medium High

2/1/07
04/01/2009 8/1/06
01/01/2010 01/01/2009 09/01/2010

$500,000 $500,000 $250,000
$84,000 $10,000 $294,584
$0 $0
$10,000 $85,000
$0

Planning Planning Planning Planning
Acquisition Acquisition Acquisition Concept Initiation Initiation Initiation Planning Planning Develop

High High High

Planning Initiation Execution/Control Execution/Control Execution/Control Execution/Control Execution/Control

1/1/09 10/01/2009 04/01/2010 07/01/2009
7/1/09
4/1/09 1/1/08
7/1/06 3/1/08

$5,000,000 $10,000 $0 $0
$7,600,000
$1,200,000 $140,000 $280,000 $280,000 $0
$1,284,227 $834,000 $0
$5,038,000 $210,000 $0 $0 $200,000 $100,000 $50,000 $100,000 $200,000

Page 99 of 104

Georgia State Information Technology Report 2009

GFC GFC GFC GFC GFC GFC GFC GFC GFC GFC
GFIC GFIC GFIC
GFIC GFIC GFIC GFIC GOCF
GPOSTC GPTC GPTC GPTC GPTC GPTC GPTC GPTC GPTC GRTA
GSFC GSFC GSFC GSFC GSFC GSFC

GIS layers -CWPP Radio-Com Optimization Regional Wildfire Dispatch & Burn Authorization Employee Development Crosswalk to Resource Ordering Status System (ROSS) GIS - Conservation GIS - Reforestation GPS Tracking for Firefighting Resources Intranet based Exam Three Strikes
Disaster Recovery Kronos Digital File Conversion
Document Imaging Implement Security Plan Development of Integrated Web-based System GSFIC - Business Continuity and Disaster Recovery Plan Web-Based Grantee Reporting
Records System Upgrade Upgrade 14th Street Broadcast Infrastructure GPB IT Business Continuity project GPB IT Digital Distribution project GPB IT HS Graduation project GPB IT Signal Coverage project IT Adult and Family Literacy project GPB IT Additional Revenue project GPB IT Website project Scenario Development - Travel Demand Forecasting
Enhance STARS Implement Hosted Learning Management System Complete a SAS70 Review Expand Use of Document Management System Prepare for Impact of FFEL Changes Redesign Service Cancelable Loan System

Execution/Control Execution/Control Execution/Control Initiation Planning Planning Planning Planning Planning Planning
Acquisition Acquisition Execution/Control
Implementation Implementation Initiation Initiation Execution/Control
Acquisition Implementation Initiation Initiation Initiation Initiation Initiation Planning Planning Initiation
Acquisition Acquisition Concept Concept Concept Concept

Medium High High Medium
High High
Medium Medium High High High Medium

01/01/2010 09/01/2010 06/01/2009
11/01/2009
04/01/2010 06/01/2010 01/01/2010 01/01/2011 07/01/2010 09/01/2010

$0 $0 $200,000 $0 $0 $0 $0 $0 $5,000 $0
$0 $45,000
$0
$97,000 $10,000 $300,000 $200,000 $450,000
$235,000 $300,000
$0 $0 $0 $0 $0 $0 $0 $0
$25,000 $20,000 $80,000 $75,000 $200,000 $150,000

Page 100 of 104

Georgia State Information Technology Report 2009

GSFC GSFC GSFC GSFC GSFC GSFC GSFC GTA GTA GTA
GTA OCA OCA OCA OCA OCS
OPB OSAH OSAH
PAC PAP PAP PAP PAP PAP POSTC POSTC POSTC POSTC PSC PStdCmm PStdCmm PStdCmm PStdCmm

Conduct Loan Sales Develop online loan service application Enhance SURFER Enhanced Security System Expand use of CRM for Trouble Tickets Migrate GAcollege411 to Transitions Online PMF System Vignette (PORTAL) project Consolidate application and database servers GAIT 2010
Wireless Communities Georgia Client Security Disaster Recovery Upgrades Install Exchange 2007 Enterprise SAN Upgrade Knowledge Base
NADC Relocation eCourt Case Management System Web-based case management system
Event Impact Registration System Disaster Recovery Clemency Navigation System An agency business continuity/disaster recovery plan Process Improvement Electronic personnel records New Database/Application System Customer Satisfaction Survey Helpdesk New Website and Applications Video web casts Website Redesign Analysis Datamart Support Certification Transaction Automation TeachGeorgia Alt Prep Support

Implementation Implementation Implementation Implementation Implementation Implementation Implementation Execution/Control Planning Transition
Transition Implementation Implementation Implementation Implementation

High Medium High High Medium High Medium
Medium Medium Medium High

01/15/2009 08/15/2009 09/01/2009 04/01/2010 03/01/2010 08/01/2009 09/30/2010
12/18/07

Implementation Implementation Transition
Implementation Acquisition Develop Execution/Control Execution/Control Planning Execution/Control Initiation Initiation Planning

High High
Low High

12/01/2009
10/01/2009 09/01/2010
1/1/07

Execution/Control Initiation Initiation Initiation

$50,000 $25,000 $50,000 $80,000
$5,000 $600,000
$60,000 $1,287,713
$0 $8,493,264
$0 $0 $0 $0 $0 $1,316,409
$55,000 $0
$600,000
$10,000 $139,000 $2,686,461 $500,000
$50,000 $6,000
$300,000 $0 $0
$15,000 $0
$10,000 $0
$10,000 $50,000

Page 101 of 104

Georgia State Information Technology Report 2009

PStdCmm PStdCmm PStdCmm PStdCmm
SAO SAO SAO SAO SAO SAO
SAO SAO SAO SAO
SBWC SBWC SBWC SORB
SOS SOS SOS SOS
SOS SOS SOS SOS
SPA SPA SPA SPA SPA SPA SPA SPA

Ethics database Modified versions of PAAR for RESAs and school districts PAAR Version 3 Paperless Certification
Financial application archiving of data. Foundational accounting. Financial bundle updates. Soil and Water SPA Hewitt/Flex outsourcing project PeopleSoft Program
PeopleSoft - PBB Foundation Hyperion Implementation Payroll Shared Services Statewide ARRA Data Warehouse
ICMS Software development Electronic Data Interchange (EDI) SORRB Database
SOS Archives License 2000-MyLicense Office Upgrade Voter Registration System Study Enhance voting accessibility for military / overseas voters VR Upgrade Archives DAG Digital Imaging Improve voter outreach and education
Hewitt Implementation Careers Phase 2 ePerformance Strategic Recruitment WebSite & Application Tool Redesign Next Generation Flex System Integration Sharepoint Applicant Assessment Services Strategic Recruiting (careers.ga.gov)

Planning Planning Planning Planning
Acquisition Acquisition Concept Concept Concept Develop
Execution/Control Initiation Initiation Planning
Concept Initiation Transition Planning
Concept Implementation Implementation Initiation Initiation Planning Planning Planning
Acquisition Concept Develop Execution/Control Initiation Initiation Planning Transition

Medium High Medium Medium High
High Medium
High High

08/01/2009 07/01/2010 11/01/2009 08/01/2009 01/01/2010
1/1/09
9/1/09
10/01/2005
06/01/2006 01/14/2010 09/01/2009
10/1/07
07/01/2009 10/01/2009
9/1/07

$10,000 $10,000 $10,000 $50,000
$0 $0 $0 $0 $0 $2,206,000
$0 $0 $1,000,000 $1,000,000
$3,304,135 $0
$2,500,000 $200,000
$3,000,000 $100,000 $0 $0 $0 $117,000 $0 $0
$0 $0 $703,045 $100,000 $0 $100,000 $0 $0

Page 102 of 104

Georgia State Information Technology Report 2009

SPC SPC SPC
SRTA SRTA SRTA SRTA SRTA SRTA SRTA SRTA SRTA
SWCC SWCC SWCC TCSG TCSG TCSG TCSG TRS
TRS

Lease Administration System Offering Memorandum Template On-line Transaction Services
Data Storage Record Retention Disaster Recovery & Business Continuity (local fail over) OSAH Tracking System PCI Data Security Standard (PCI DSS) SRTA Tolling Infrastructure Refit Time Attendance and Project Billing Data Center Infrastructure HOV-HOT Tolling Systems
Data Warehouse and Management Dashboard GIS/GPS data collection and mapping Agency webpage Emergency Communication System Restoration of IT systems w/n BC planning Develop IT Solutions to Form Partnership with TCSG, DOE, and USG Major Gifts Campaign Multi Currency Portfolio Mgmt
Web Retirement

Initiation Initiation Initiation
Acquisition Acquisition Concept Concept Concept Concept Concept Develop Planning
Concept Execution/Control Planning Initiation Initiation Planning Planning Develop
Implementation

High Medium High Medium Medium Low
Medium
High

09/01/2009 07/01/2009 09/01/2009 04/01/2009 08/01/2009 08/01/2007 01/01/2010
10/31/07 7/1/09
04/01/2010
11/01/2006

$100,000 $0 $0
$65,000 $32,000 $12,000 $14,700 $100,000 $7,900,000 $14,700 $607,000 $14,000,000
$20,000 $0 $0 $0 $0 $0 $0
$4,000,000
$296,368

Page 103 of 104

Georgia State Information Technology Report 2009

Appendix H Critical Projects Completed in 2009

Responsible Program or Agency Project Name DHR Emergency Preparedness Program

Target or

GTA Program

Actual Original Current

/Project Target Actual Finish Project Budget Project Budget Project to

Lead Start Date Start Date Date

($)

($)

Date Spend

12/1/05 7/15/09 $11,500,000 $5,500,000 $4,691,130

DOAS Team Georgia Reilly,Teresa 5/31/06 8/27/07 7/7/09 $10,951,200 $10,951,200 $6,346,306 Market Place

Agency Project Health

Projected Success

Rating

(Successful, Earned Value Other

IV&V Project Challenged, Vs. Original Participating

Health

Failed)

Scope Agencies

NA

S

TBD

S

SPI = .98 SAO, GTA

GTA GAIT 2010 Elia, Kriste 12/18/07 12/18/07 9/30/09 $5,959,976 $8,493,264 $7,101,727 Transition & Transformation

DCH Health Information Technology & Transparency

6/3/08 5/29/09 6/30/09 $5,199,890 $6,560,255 $5,358,987

C

N/A

S

N/A

Page 104 of 104