16E.04 INFORMATION AND TELECOMMUNICATIONS TECHNOLOGY POLICY.
    Subdivision 1. Development. The office shall develop, establish, and enforce policies
and standards for state agencies to follow in developing and purchasing information and
telecommunications technology systems and services and training appropriate persons in their
use. The office shall develop, promote, and manage state technology, architecture, standards and
guidelines, information needs analysis techniques, contracts for the purchase of equipment and
services, and training of state agency personnel on these issues.
    Subd. 2. Responsibilities. (a) In addition to other activities prescribed by law, the office shall
carry out the duties set out in this subdivision.
(b) The office shall develop and establish a state information architecture to ensure that state
agency development and purchase of information and communications systems, equipment, and
services is designed to ensure that individual agency information systems complement and do not
needlessly duplicate or conflict with the systems of other agencies. When state agencies have
need for the same or similar public data, the chief information officer, in coordination with the
affected agencies, shall manage the most efficient and cost-effective method of producing and
storing data for or sharing data between those agencies. The development of this information
architecture must include the establishment of standards and guidelines to be followed by state
agencies. The office shall ensure compliance with the architecture.
(c) The office shall assist state agencies in the planning and management of information
systems so that an individual information system reflects and supports the state agency's mission
and the state's requirements and functions. The office shall review and approve agency technology
plans to ensure consistency with enterprise information and telecommunications technology
strategy.
(d) The office shall review and approve agency requests for funding for the development or
purchase of information systems equipment or software before the requests may be included in
the governor's budget.
(e) The office shall review major purchases of information systems equipment to:
(1) ensure that the equipment follows the standards and guidelines of the state information
architecture;
(2) ensure the agency's proposed purchase reflects a cost-effective policy regarding volume
purchasing; and
(3) ensure that the equipment is consistent with other systems in other state agencies so that
data can be shared among agencies, unless the office determines that the agency purchasing the
equipment has special needs justifying the inconsistency.
(f) The office shall review the operation of information systems by state agencies and ensure
that these systems are operated efficiently and securely and continually meet the standards and
guidelines established by the office. The standards and guidelines must emphasize uniformity
that is cost-effective for the enterprise, that encourages information interchange, open systems
environments, and portability of information whenever practicable and consistent with an
agency's authority and chapter 13.
(g) The office shall conduct a comprehensive review at least every three years of the
information systems investments that have been made by state agencies and higher education
institutions. The review must include recommendations on any information systems applications
that could be provided in a more cost-beneficial manner by an outside source. The office must
report the results of its review to the legislature and the governor.
    Subd. 3. Risk assessment and mitigation. (a) A risk assessment and risk mitigation plan
are required for all information systems development projects undertaken by a state agency in
the executive or judicial branch or by a constitutional officer. The chief information officer must
contract with an entity outside of state government to conduct the initial assessment and prepare
the mitigation plan for a project estimated to cost more than $5,000,000. The outside entity
conducting the risk assessment and preparing the mitigation plan must not have any other direct or
indirect financial interest in the project. The risk assessment and risk mitigation plan must provide
for periodic monitoring by the commissioner until the project is completed.
(b) The risk assessment and risk mitigation plan must be paid for with money appropriated
for the information and telecommunications technology project. The chief information officer
must notify the commissioner of finance when work has begun on a project and must identify
the proposed budget for the project. The commissioner of finance shall ensure that no more than
ten percent of the proposed budget be spent on the project, other than the money spent on the
risk assessment and risk mitigation plan, is spent until the risk assessment and mitigation plan
are reported to the chief information officer and the chief information officer has approved the
risk mitigation plan.
History: 1997 c 202 art 3 s 10; 1999 c 250 art 1 s 114; 2000 c 488 art 12 s 17; 2001 c 7 s
11; 1Sp2001 c 10 art 2 s 45; 2005 c 156 art 5 s 13