16E.04 Information and communications technology policy.
Subdivision 1. Development. The office shall coordinate with state agencies in developing and establishing policies and standards for state agencies to follow in developing and purchasing information and communications systems and training appropriate persons in their use. The office shall develop, promote, and coordinate state technology, architecture, standards and guidelines, information needs analysis techniques, contracts for the purchase of equipment and services, and training of state agency personnel on these issues.
Subd. 2. Responsibilities. (a) In addition to other activities prescribed by law, the office shall carry out the duties set out in this subdivision.
(b) The office shall develop and establish a state information architecture to ensure that further state agency development and purchase of information and communications systems, equipment, and services is designed to ensure that individual agency information systems complement and do not needlessly duplicate or conflict with the systems of other agencies. When state agencies have need for the same or similar public data, the commissioner, in coordination with the affected agencies, shall promote the most efficient and cost-effective method of producing and storing data for or sharing data between those agencies. The development of this information architecture must include the establishment of standards and guidelines to be followed by state agencies.
(c) The office shall assist state agencies in the planning and management of information systems so that an individual information system reflects and supports the state agency's mission and the state's requirements and functions.
(d) The office shall review agency requests for legislative appropriations for the development or purchase of information systems equipment or software.
(e) The office shall review major purchases of information systems equipment to:
(1) ensure that the equipment follows the standards and guidelines of the state information architecture;
(2) ensure that the equipment is consistent with the information management principles adopted by the information policy council;
(3) evaluate whether the agency's proposed purchase reflects a cost-effective policy regarding volume purchasing; and
(4) ensure that the equipment is consistent with other systems in other state agencies so that data can be shared among agencies, unless the office determines that the agency purchasing the equipment has special needs justifying the inconsistency.
(f) The office shall review the operation of information systems by state agencies and provide advice and assistance to ensure that these systems are operated efficiently and continually meet the standards and guidelines established by the office. The standards and guidelines must emphasize uniformity that encourages information interchange, open systems environments, and portability of information whenever practicable and consistent with an agency's authority and chapter 13.
(g) The office shall conduct a comprehensive review at least every three years of the information systems investments that have been made by state agencies and higher education institutions. The review must include recommendations on any information systems applications that could be provided in a more cost-beneficial manner by an outside source. The office must report the results of its review to the legislature and the governor.
Subd. 3. Risk assessment and mitigation. (a) A risk assessment and risk mitigation plan are required for an information systems development project estimated to cost more than $1,000,000 that is undertaken by a state agency in the executive or judicial branch or by a constitutional officer. The commissioner of administration must contract with an entity outside of state government to conduct the assessment and prepare the mitigation plan for a project estimated to cost more than $5,000,000. The outside entity conducting the risk assessment and preparing the mitigation plan must not have any other direct or indirect financial interest in the project. The risk assessment and risk mitigation plan must provide for periodic monitoring by the commissioner until the project is completed.
(b) The risk assessment and risk mitigation plan must be paid for with money appropriated for the information systems development project. No more than ten percent of the amount anticipated to be spent on the project, other than the money spent on the risk assessment and risk mitigation plan, may be spent until the risk assessment and mitigation plan are reported to the commissioner of administration and the commissioner has approved the risk mitigation plan.