16E.04 Information and communications technology policy. 

    Subdivision 1.    Development.  The office shall 
 coordinate with state agencies in developing and establishing 
 policies and standards for state agencies to follow in 
 developing and purchasing information and communications systems 
 and training appropriate persons in their use.  The office shall 
 develop, promote, and coordinate state technology, architecture, 
 standards and guidelines, information needs analysis techniques, 
 contracts for the purchase of equipment and services, and 
 training of state agency personnel on these issues. 

    Subd. 2.    Responsibilities.  (a) In addition to other 
 activities prescribed by law, the office shall carry out the 
 duties set out in this subdivision. 

    (b) The office shall develop and establish a state 
 information architecture to ensure that further state agency 
 development and purchase of information and communications 
 systems, equipment, and services is designed to ensure that 
 individual agency information systems complement and do not 
 needlessly duplicate or conflict with the systems of other 
 agencies.  When state agencies have need for the same or similar 
 public data, the commissioner, in coordination with the affected 
 agencies, shall promote the most efficient and cost-effective 
 method of producing and storing data for or sharing data between 
 those agencies.  The development of this information 
 architecture must include the establishment of standards and 
 guidelines to be followed by state agencies. 

    (c) The office shall assist state agencies in the planning 
 and management of information systems so that an individual 
 information system reflects and supports the state agency's 
 mission and the state's requirements and functions. 

    (d) The office shall review agency requests for legislative 
 appropriations for the development or purchase of information 
 systems equipment or software. 

    (e) The office shall review major purchases of information 
 systems equipment to: 

    (1) ensure that the equipment follows the standards and 
 guidelines of the state information architecture; 

    (2) ensure that the equipment is consistent with the 
 information management principles adopted by the Information 
 Policy Council; 

    (3) evaluate whether the agency's proposed purchase 
 reflects a cost-effective policy regarding volume purchasing; 
 and 

    (4) ensure that the equipment is consistent with other 
 systems in other state agencies so that data can be shared among 
 agencies, unless the office determines that the agency 
 purchasing the equipment has special needs justifying the 
 inconsistency. 

    (f) The office shall review the operation of information 
 systems by state agencies and provide advice and assistance to 
 ensure that these systems are operated efficiently and 
 continually meet the standards and guidelines established by the 
 office.  The standards and guidelines must emphasize uniformity 
 that encourages information interchange, open systems 
 environments, and portability of information whenever 
 practicable and consistent with an agency's authority and 
 chapter 13.  

    (g) The office shall conduct a comprehensive review at 
 least every three years of the information systems investments 
 that have been made by state agencies and higher education 
 institutions.  The review must include recommendations on any 
 information systems applications that could be provided in a 
 more cost-beneficial manner by an outside source.  The office 
 must report the results of its review to the legislature and the 
 governor. 

    Subd. 3.    Risk assessment and mitigation.  (a) A risk 
 assessment and risk mitigation plan are required for an 
 information systems development project estimated to cost more 
 than $1,000,000 that is undertaken by a state agency in the 
 executive or judicial branch or by a constitutional officer.  
 The commissioner of administration must contract with an entity 
 outside of state government to conduct the assessment and 
 prepare the mitigation plan for a project estimated to cost more 
 than $5,000,000.  The outside entity conducting the risk 
 assessment and preparing the mitigation plan must not have any 
 other direct or indirect financial interest in the project.  The 
 risk assessment and risk mitigation plan must provide for 
 periodic monitoring by the commissioner until the project is 
 completed. 

    (b) The risk assessment and risk mitigation plan must be 
 paid for with money appropriated for the information systems 
 development project.  No more than ten percent of the amount 
 anticipated to be spent on the project, other than the money 
 spent on the risk assessment and risk mitigation plan, may be 
 spent until the risk assessment and mitigation plan are reported 
 to the commissioner of administration and the commissioner has 
 approved the risk mitigation plan.  

    HIST: 1997 c 202 art 3 s 10; 1999 c 250 art 1 s 114; 2000 c 
 488 art 12 s 17; 2001 c 7 s 11; 1Sp2001 c 10 art 2 s 45