16E.04 Information and telecommunications technology policy.
Subdivision 1. Development. The office shall develop, establish, and enforce policies and standards for state agencies to follow in developing and purchasing information and telecommunications technology systems and services and training appropriate persons in their use. The office shall develop, promote, and manage state technology, architecture, standards and guidelines, information needs analysis techniques, contracts for the purchase of equipment and services, and training of state agency personnel on these issues.
Subd. 2. Responsibilities. (a) In addition to other activities prescribed by law, the office shall carry out the duties set out in this subdivision.
(b) The office shall develop and establish a state information architecture to ensure that state agency development and purchase of information and communications systems, equipment, and services is designed to ensure that individual agency information systems complement and do not needlessly duplicate or conflict with the systems of other agencies. When state agencies have need for the same or similar public data, the chief information officer, in coordination with the affected agencies, shall manage the most efficient and cost-effective method of producing and storing data for or sharing data between those agencies. The development of this information architecture must include the establishment of standards and guidelines to be followed by state agencies. The office shall ensure compliance with the architecture.
(c) The office shall assist state agencies in the planning and management of information systems so that an individual information system reflects and supports the state agency's mission and the state's requirements and functions. The office shall review and approve agency technology plans to ensure consistency with enterprise information and telecommunications technology strategy.
(d) The office shall review and approve agency requests for funding for the development or purchase of information systems equipment or software before the requests may be included in the governor's budget.
(e) The office shall review major purchases of information systems equipment to:
(1) ensure that the equipment follows the standards and guidelines of the state information architecture;
(2) ensure the agency's proposed purchase reflects a cost-effective policy regarding volume purchasing; and
(3) ensure that the equipment is consistent with other systems in other state agencies so that data can be shared among agencies, unless the office determines that the agency purchasing the equipment has special needs justifying the inconsistency.
(f) The office shall review the operation of information systems by state agencies and ensure that these systems are operated efficiently and securely and continually meet the standards and guidelines established by the office. The standards and guidelines must emphasize uniformity that is cost-effective for the enterprise, that encourages information interchange, open systems environments, and portability of information whenever practicable and consistent with an agency's authority and chapter 13.
(g) The office shall conduct a comprehensive review at least every three years of the information systems investments that have been made by state agencies and higher education institutions. The review must include recommendations on any information systems applications that could be provided in a more cost-beneficial manner by an outside source. The office must report the results of its review to the legislature and the governor.
Subd. 3. Risk assessment and mitigation. (a) A risk assessment and risk mitigation plan are required for all information systems development projects undertaken by a state agency in the executive or judicial branch or by a constitutional officer. The chief information officer must contract with an entity outside of state government to conduct the initial assessment and prepare the mitigation plan for a project estimated to cost more than $5,000,000. The outside entity conducting the risk assessment and preparing the mitigation plan must not have any other direct or indirect financial interest in the project. The risk assessment and risk mitigation plan must provide for periodic monitoring by the commissioner until the project is completed.
(b) The risk assessment and risk mitigation plan must be paid for with money appropriated for the information and telecommunications technology project. The chief information officer must notify the commissioner of finance when work has begun on a project and must identify the proposed budget for the project. The commissioner of finance shall ensure that no more than ten percent of the proposed budget to be spent on the project, other than the money spent on the risk assessment and risk mitigation plan, is spent until the risk assessment and mitigation plan are reported to the chief information officer and the chief information officer has approved the risk mitigation plan.