1 CCR 106-1
STATE OF COLORADO MICROCOMPUTER POLICY INTRODUCTION Microcomputers have become a very important part of modern business technology, serving needs that range from specialized analytical problem solving to entire office automation functions. Many users of microcomputers advocate them as the answer to almost every business and technical automation requirement and, to be sure, those who develop and market microcomputer hardware and software are striving to meet all needs.
State officials, including the data processing professionals, face the problem of determining whether microcomputers are the appropriate answer for their particular automation applications. If microcomputers are determined to be the right choice, then effective management of this resource becomes the issue. This document sets forth guidelines to assist in the decision process that must precede the acquisition of a microcomputer and defines criteria for the effective and consistent management of installed microcomputer systems.
The State has a responsibility to provide effective and economical services to its citizens. Microcomputer systems have the potential to increase the efficiency and effectiveness of employees through data storage/retrieval, decision-making, data processing, word processing and other administrative and technical end-user computing functions. The current and projected levels of microcomputer system use within the State mandate the existence of a Microcomputer Policy. State agencies are encouraged to work together in the area of microcomputer policy development and implementation. The formation of general and specific user groups is encouraged as a means of transferring knowledge and skills between agencies in this ever increasing arena. Note: The term “agency” when used by this policy is defined to mean all State branches, agencies, departments, and institutions.
Purpose It is the purpose of this policy to ensure that all State branches, agencies, and institutions develop and implement adequate microcomputer policies. Such policies, if appropriately developed and implemented will assist agencies in better carrying out their data processing planning and acquisition activities, specifically allowing for better justification of proposed acquisitions. The Governor's Commission on Information Management and the Joint Budget Committee, as participants in the funding process, are necessarily interested in appropriate justification for proposed acquisitions. It is also the purpose of this policy to require the establishment of a single responsible point of control over microcomputer systems within each agency to oversee the acquisition and management of these resources.
Definition of Microcomputer Systems For the purpose of this policy, the term “microcomputers” are defined as integrated units with microprocessor, memory, storage, display, and keyboard. They are usually desktop size and intended for use by one person at a time. They may be part of a local area network or may be used as a terminal to a minicomputer or mainframe. “Microcomputer systems” are defined to encompass the software components as well as the hardware.
The use of the term “microcomputer” is not meant to imply any specific brand of microcomputer system. In the language of today, the term “microcomputer” is widely and commonly interchanged with the term “PC”.
Definition of End-User Computing The term “end-user computing” is defined for the purposes of this policy to mean the distribution or decentralization of computing resources to a business unit to enable individuals to perform a specific function or activity.
RESPONSIBILITY FOR POLICY The Governor's Commission on Information Management is responsible for the issuance of this policy. It is the responsibility of all Department, Agency, or Institution Heads to ensure that his/her organization is in adherence with this policy.
EFFECTIVE DATE OF POLICY This policy is effective November 25, 1988. Branches, agencies, departments, and institutions are hereby given six months from the effective date to comply with the policy. POLICY COMPLIANCE All State agencies are expected to comply with the terms of this policy. If an agency has an existing microcomputer policy, it should be reviewed to ensure that it meets the intent of this policy and revised as necessary. Agencies who do not have an existing microcomputer policy are required to develop and implement one. A “base” Microcomputer Policy is provided as an appendix to this policy which agencies can use to formulate their own microcomputer policy.
An agency's microcomputer policy must be made available upon request. Anticipated requests would include the Governor's Commission on Information Management who will review agency policies to ensure compliance and members of the State Auditor's Office or their designees for their use in performing financial and performance audits.
DESCRIPTION OF POLICY Responsibility of Branches, Departments, Agencies and Institutions It is the responsibility of each State of Colorado branch, department, agency, and institution to develop and adopt its own comprehensive microcomputer policy to govern the acquisition, use, maintenance, management, and support of its microcomputer systems. Specifically, agencies acquiring microcomputer systems are fully responsible for:
● Evaluating the system's effectiveness in meeting agency requirements of quantitative and qualitative benefits.
● Safeguarding the physical security of the equipment and software, and the security of the data maintained on this equipment.
Agency Policy Elements An agency's microcomputer policy must, at a minimum, contain reference to, and policy on the following elements:
1. Purpose The microcomputer policy is intended to encourage the efficient and effective use of microcomputers while providing appropriate management, fiscal control, and security of State information (see specific responsibilities above).
2. Responsibility The policy must provide for a single point of responsibility and contact regarding its issuance, maintenance, and compliance. The primary official responsible to ensure the success of the policy is the Agency Head. He/she may deligate authority as appropriate.
3. Planning An agency's planning policy as it relates to microcomputer systems must be addressed. Long-range planning for the automation needs of the agency is a key element in the successful implementation of any computer system since only by understanding the organizational objectives can effective choices be made. The decision to select microcomputer or any other alternative automation solution should be based on planning which considers all relevant needs and looks at the long-range picture. As with any planning, the goals and objectives must precede the solution. Too often, microcomputers are perceived as an inexpensive stopgap answer to an urgent unanticipated requirement when, in fact, the requirements would have been anticipated if a planning process had been in effect. Under these conditions, better solutions might have been found.
Planning for microcomputers should look at ways of sharing the system to benefit the greatest number of users. Factors to consider include location of the equipment, commonly useful software, and storage requirements for the collective users. Keyboard time requirements will need to be considered in planning sharing arrangements. Local area networks, or in some cases, simple switching devices can permit peripherals such as a printer or plotter to be shared by several microcomputers. Database designs and other file designs should consider multiple user needs so that they may also be shared. Planning should lead to identification of needs, fully supported budget requests that cover staffing as well as equipment, and a strategy that insures a long-range solution with the greatest economy. Quite often this solution will involve microcomputers, but it should be based on sound plans.
4. Justification The Agency Head or his/her designee should judge the business or service value of each request for acquisition based on the justification provided. This justification should include a definition of the business objectives to be achieved, planned applications, cost/benefit analysis, and any business related benefits. It should be noted that budget availability is not considered justification in itself.
5. Acquisition Approval Approval of microcomputer hardware and software requests is the responsibility of the Agency Head or his/her designee. The approval process should ensure that there is a multilevel technical and business review of the intended acquisition. The approval process should ensure that the acquisition is appropriately consistent with agency hardware and/or software standards as well as the agency's long- range information systems plan. It is not intended that all new requests be of the same specifications as existing equipment. Requests should be consistent with the gradual migration to new technology while remaining consistent with the base of current technology.
6. Acquisition/Procurement There are several procurement options that may be used to obtain microcomputer systems. The primary alternatives are: existing State awards, price agreements, and formal competitive bids. An agency's microcomputer policy and procedures must appropriately address the State's purchasing mechanisms, rules and regulations as well as their own internal purchasing operations.
7. Microcomputer System Inventory Microcomputer components, both hardware and software in nature, represent State assets. As such, an agency must maintain a current inventory of such items. These inventories must be available on request and provide a sufficient level of detail to determine hardware/software characteristics, location, and method of acquisition.
Agencies are encouraged to use existing State or Agency systems which control capital assets where appropriate.
8. Managing the System As more and more activities of state government are performed on microcomputers, it becomes increasingly important to safeguard the stored data and the programs that process it. With users of microcomputers often scattered throughout an organization and often away from the influence of professional data processing staff, it is difficult to establish workable controls. Supervisors must be reminded that they bear the primary responsibility for the accuracy and integrity of information produced under their control as well as for the appropriate and efficient use of the manpower and equipment resources assigned to them. Assigned duties and responsibilities of supervisors and staff should be spelled out in the performance plans of each individual. An agency's microcomputer policy must address the security, reliability, and efficiency components of microcomputer system usage. Specific areas would include: physical security and data safeguarding, downloading/uploading, end user programming, contingency planning/disaster recovery, supplies, and training and user support.
9. User Responsibilities Microcomputer users should be reminded that since the equipment, software, and data are state property, certain legal restrictions apply. No use of any of these for personal purposes or for any purpose not authorized by the State is permitted. Use of a microcomputer to obtain unauthorized access to other data files is improper and can also be a violation of the law, subject to severe penalty. In addition, most computer software is covered by copyright law and in purchasing it, the State and its employees agree to abide by the terms of a licensing agreement. These agreements should be adhered to scrupulously so as to protect the State and its officials from violation and possible legal action. An agency's microcomputer policy should cover these items as well as the related area of user-developed software. Generally, the State retains propriety rights on all microcomputer software developed by its employee in the course of their duties. Exceptions to this can exist in situations where the ownership of any such development is negotiated with the State prior to the actual development.
10. Enforcement and Non-Compliance An agency's microcomputer policy should include reference as to how it will enforce the policy as well as consequences of non-compliance.
STATE OF COLORADO “BASE” MICROCOMPUTER POLICY This “base” Microcomputer Policy is meant to provide a starting point from which an agency could develop its own comprehensive policy. It is not meant to be an all inclusive policy, nor does it set standards for format or content. Its only purpose is to provide a framework on which an agency could build its own policy.
This document is an appendix to CIM Policy 88-11, State of Colorado Microcomputer Policy. STATE OF COLORADO MICROCOMPUTER POLICY FOR ___________________ AGENCY
1.0 PURPOSE
The purpose of this document is to define the policy on the acquisition, operation, and management of all personal computer systems in the control of the ____________________ Agency. The State and this Agency have a responsibility to provide effective and economical services to its citizens. Microcomputer systems have the potential to increase the efficiency and effectiveness of employees. Through this Microcomputer Policy, ____________________ Agency establishes the guidelines which will enable it to procure, use, and manage microcomputer systems to the benefit of the Agency and the State.
2.0 RESPONSIBILITY FOR THE POLICY
The Director of ____________________ Agency has overall responsibility for managing the adoption and adherence to this policy. Authority for the enforcement of this policy has been delegated to ____________________ in order to establish a single point of contact for the administration of the terms of this policy. In addition, all employees of ____________________ Agency have the responsibility to become knowledgeable of this policy and adhere to it.
3.0 DEFINITION OF MICROCOMPUTER SYSTEMS
For the purpose of this policy, the term “microcomputer system” will encompass the following microcomputer related items:
4.0 EFFECTIVE DATE
The policy becomes effective upon issue.
5.0 ACQUISITION OF MICROCOMPUTER SYSTEMS
5.1 Acquisition Objective/Justification
The agency's long-range information systems plan will provide a framework for the acquisition of microcomputer systems. All requests for procurement of such system components must include a statement on “how” such a procurement fits into the objectives on the plan and “why” such components are necessary (i.e., statement of problem and objectives). The benefits and justification of the requested purchase must also be stated. Possible benefits can include: — Work elimination;
The following guidelines will be used in judging the business or service level of each microcomputer request:
1. Justification should include a definition of the business objectives to be achieved, planned applications, cost/benefit analysis and any business related benefits. Cost/benefit analysis must be realistic and quantifiable.
2. Justification directly related to achieving specific State or agency service strategies and business objectives is encouraged.
3. Justification should include an explanation of the budget impact for the current and future years.
4. Justification for each proposed purchase should include the execution of a checklist similar to that attached in Exhibit A. The objective is to ensure that each checklist element is addressed and acknowledged. Agency data processing technical staff will provide support as needed in the completion of the checklist.
5.2 Approval of Microcomputer Requests
The ____________________ Agency has established a three-level approval process to ensure that microcomputer system requests receive the appropriate technical and business reviews. The following tests will be employed during the approval process:
1. The requested hardware, software, or upgrade feature is more appropriate than alternatives, such as using one of the State's mainframe computers or sharing other State owned microcomputer equipment or software.
2. The cost of the requested item will be offset by a specific cost reduction in the agency's operating budget, result in improved productivity of personnel, result in improved quality of work, or offset a cost associated with a new legislative or regulatory requirement.
3. The requested item is compatible with the agency's information systems plan.
5.3 Acquisition of Hardware
Hardware refers to the microcomputer system units, disks, printers, monitors, modems, and other equipment which make up the system.
While the Agency has established PC Hardware Standards, it is not intended that all new requests be of the same specifications as existing equipment. Requests should be consistent with the gradual migration to new technology while remaining consistent with the base of current technology. All acquisition requests for computer hardware must follow the Agency's Procedure for Acquisition of Computer Hardware. This procurement procedure adheres to all State purchasing rules and regulations. All approval signatures specified in the procedure must be obtained during the procurement process.
5.4 Acquisition of Software
Microcomputer software refers to both application packages and programming languages that operate on microcomputer hardware.
____________________ Agency has established software standards for common applications (e.g., word processing, spreadsheet). These standards are to be followed unless sufficient justification can be presented for an alternative. All software acquisition requests must follow the Department's Procedure for Acquisition of Computer Software. This procurement process adheres to State Purchasing rules and regulations. All approval signatures specified in the procedure must be obtained during the procurement process.
6.0 MAINTENANCE OF MICROCOMPUTER SYSTEMS
The ____________________ Division will coordinate all maintenance/service contracts for the Department. Division managers are responsible for establishing problem report policies and procedures for their microcomputer system users.
7.0 INVENTORY OF MICROCOMPUTER SYSTEMS
7.1 Purpose
Microcomputer components represent capital assets belonging to the agency. Therefore, a current inventory of microcomputer system components will be maintained by the Agency for the purposes of recording, tracking, and controlling all microcomputer system components.
7.2 Responsibility for Inventory
The ____________________ Division has responsibility for establishing and maintaining the PC system inventory. The inventory will be updated when each additional PC system component is installed. The inventory listing must be made available upon request by agency management or other State personnel.
7.3 Hardware Inventory Elements
The following elements will be maintained for all microcomputer hardware components by item type (system unit, printer, modem, etc.):
7.4 Software Inventory Elements
The following elements will be maintained for all microcomputer software by type (word processing, spreadsheet, graphics, programming language, database, etc.): — Vendor — Version/Release number — License agreement number — Date received — Purchase price — Acquisition method — Division — Contact Person — Location
8.0 DOCUMENTATION
Proper placement, handling, and care of microcomputer system component related documentation is the responsibility of the receiving division. Normally, such documentation should be either located in a central documentation library for the division or placed readily accessible to the users of the components. See Section 9.0, Use of Licensed Software, for further policy information relating to documentation accompanying licensed software.
9.0 USE OF LICENSED SOFTWARE
It is the policy of ____________________ Agency to comply with all contractual obligations contained in license agreements to which it is a party. As a result:
1. All purchased software shall be registered, as applicable, with the vendor;
2. Licensed computer software and accompanying documentation in the Department shall not be duplicated, modified, sold, traded, or otherwise disseminated by any employee if contrary to vendor's license agreement with the Department;
3. Copies of computer software shall not be purchased or otherwise accepted by any employee from any source if it is known, or reasonably should have been known, that such copies were made contrary to legally enforceable provisions of a vendor's license agreement; and 4. All copies of licensed computer software shall be secured when not in use. Each division manager is responsible for the computer software in their custody and should ensure adherence to all terms and provisions of relevant license agreements.
10.0 ACCEPTABLE/UNACCEPTABLE APPLICATIONS
When evaluating the use of a microcomputer system versus other computerized alternatives (e.g., agency's mainframe), factors such as the following must be considered: — Volume of data;
Division managers are responsible for ensuring that microcomputer systems in their domain are used for acceptable applications.
11.0 USER-DEVELOPED SOFTWARE
____________________ Agency retains propriety rights on all microcomputer software developed by its employees in the course of their duties unless such other rights have been negotiated prior to the development effort. This includes applications generated from spreadsheet or database packages. All software developed internally must be fully documented, including: — Functional description (including calculations);
Division managers are responsible for ensuring that any software developed by their employees is adequately documented, tested, operated, and managed.
12.0 LOCAL AREA NETWORKS (LANs) AND MULTIUSER NETWORKS
There are many complex issues to be addressed by the Agency before local area networks or multiuser networks can be established. If such a network is part of a requisition request, appropriate Agency management will address these issues at such time via the approval process.
13.0 DOWNLOADING/UPLOADING
“Downloading” of information involves transferring data maintained on the Agency's mainframe to a microcomputer system (e.g., accessing external databases); “uploading” is the opposite activity. Downloading/uploading is permitted on a controlled basis. Contact the ____________________ Division for information on the downloading/uploading policies and procedures of the agency.
14.0 BACKUP
Backup provides a method to recover data which has been destroyed, lost, or stolen. The frequency of backup will depend on several factors, including:
It is the responsibility of each microcomputer system user to make, at a minimum weekly (or at a more frequent interval for more frequently edited data) backup copies of all applications programs and data and to ensure such backups are secure. Backup of hard disk data is to be made either to floppy diskette or an alternate hard disk.
Division managers are responsible for determining the on-site versus off-site storage needs for backups.
15.0 SECURITY
The transportable size and nature of microcomputer system components creates unique physical security needs. Information created on a microcomputer system and stored on diskettes or a fixed disk must be controlled to ensure data accuracy and integrity and to minimize the possibilities of theft, loss, or destruction.
15.1 Physical Security
The physical security of microcomputer systems is the responsibility of the primary user and user division management. Each microcomputer system work area must provide physical security from unauthorized use, vandalism, or theft during non-working hours or when PC systems are unattended. Keyboard and/or system locks must be utilized when available.
The safeguarding of software applications and data is included in the arena of mirco-computer system physical security. Floppy disks should be adequately stored to ensure access only by authorized employees. Output produced by microcomputer systems should be controlled according to its nature. Material of a sensitive or confidential nature must be handled and stored to adequately ensure access only by appropriate individuals.
15.2 Password Protection
The use of password protection will be determined as appropriate, by Agency and/or Division management for systems assessed as critical.
15.3 Off-site Use of Microcomputer Systems
While the agency's microcomputer systems will generally be operated on-site, occasions may arise requiring use of the systems off-site. Permission to take a microcomputer system off-site must be approved by Division management prior to any removal. The microcomputer system user is responsible for the proper handling and care of the components taken off-site.
16.0 CONTINGENCY PLANNING/DISASTER RECOVERY
The goals of a contingency plan are to:
● Establish alternative means of operation in advance.
● Train personnel and familiarize them with emergency procedures. ● Provide rapid and smooth restoration of service.
● Minimize economic impact.
Emergency policies and procedures to be followed in the event of a disaster are set forth under separate cover. Microcomputer system users and their division management are responsible for adhering to these policies and procedures in the event of a disaster.
Note: For agencies who have not yet developed a contingency plan covering microcomputer systems now is the time to do so. It can easily be appended to the agency's Microcomputer System Policy.
17.0 SUPPLIES
Microcomputer system supplies include such items as diskettes, printer ribbons, printer cartridges, paper, graphic pens, etc. Supply needs will be coordinated through the Purchasing Division to ensure standardization where appropriate and to take advantage of volume buying.
18.00 TRAINING AND SUPPORT
The ____________________ Division is responsible for supporting the Department's software training needs on its standard packages (refer to software standards). Training and support on all software is the responsibility of the Division acquiring the software.
Division managers are responsible for ensuring that staff are appropriately cross-trained to ensure adequate coverage if the primary user(s) of an application are unable to support the use of the application. At a minimum, two (2) employees should be trained on every microcomputer system application.
19.0 PERSONAL USE OF MICROCOMPUTER SYSTEMS
Agency-owned microcomputer systems shall not be used for the benefits of any other organization or individual except as authorized by management. Software not purchased by the Agency or otherwise appropriately acquired will not be loaded onto Agency microcomputer systems.
20.0 END USER PROGRAMMING
In order to realize full advantages of microcomputers and associated package software, end user personnel generally should not develop their own programs. However, end user program development may be appropriate when:
21.0 ENFORCEMENT AND NON-COMPLIANCE
The ____________________ Agency intends to enforce all aspects of this policy using all legal and reasonable means available to it. These means could include operational audits and spot checks of physical and data security procedures by Agency and division management. Non-compliance with this policy by any employee can lead to possible appropriate legal action, as well as being grounds for disciplinary action up to and including termination. EXHIBIT A MICROCOMPUTER USER RESPONSIBILITY CHECKLIST MICROCOMPUTER USER RESPONSIBILITY CHECKLIST (Answer Each Question in Anticipation of Approval)
General 1. Planned Location _________________________ _________________________ Make______________ Model______________ Primary User______________________________________________ (Name) (Dept.) (Ext.) Alternate User______________________________________________ (Name) (Dept.) (Ext.)
2. Have primary and alternate users read and understood the Agency's Microcomputer Policy? 3. Are the supplies necessary to support the microcomputer and peripheral equipment included in your budget? 4. Is your microcomputer covered by a maintenance contract? 5. If not, have you made arrangements for maintenance? Training 6. Will users be adequately trained and proficient? 7. Will at least two people within the organization be cross-trained on all applications for which the microcomputer is being utilized? 8. Have detailed operating instructions and systems descriptions been properly prepared and users trained in their use? Security 9. Will this microcomputer and all the peripheral equipment be adequately secured from theft or unauthorized use during non-working hours, when not in use, or when work area is unattended? 10. Have you provided a lockable container, cabinet or desk drawer to secure and limit access to the floppy disk library that houses software and data files? 11. Have you developed a logging system to control access to the floppy disk library? 12. Is it a defined responsibility of the Agency's security officer to monitor the effectiveness of the microcomputer internal controls? 13. Will all off-site use of the microcomputer equipment, software, or data base be controlled by written authorization and logged? Back up 14. If your microcomputer is necessary for the timely completion of your work, has a backup location been identified that meets your time requirements and equipment configuration? 15. Has a formal agreement been made regarding the backup of software and data bases? 16. Will special backups be made for critical software or data bases and then stored in a fire resistant location other than your primary work area? 17. Are your programs included as part of the Department-wide library of software programs, publications, and supporting documentation? 18. Do locally developed programs conform to existing department microcomputer program development standards? 19. Are users aware of copyright laws applicable to purchased software? Policy Title: DIGITAL DATA NETWORK POLICY Issued by: COLORADO COMMISSION ON INFORMATION MANAGEMENT Effective Date: 01-07-90 Revised Date:
The Colorado Commission on Information Management (IMC) is requiring all State branches, agencies, departments, and institutions to use the Digital Data Network (DDN) supplied by the Division of Telecommunications (DOT), Department of Administration, for all current and future wide area data communication networks. The Director of the Division of Telecommunications will determine the technical feasibility and cost effectiveness of employing the DDN for these purposes. Those State entities with current networks will be expected to establish a plan for migrating to the Digital Data Network as soon as practical. The Commission is not encouraging the incurring of additional expense in making this migration, but rather expects the move to take place within the normal changes which occur within any existing network.
The Division of Telecommunications has responsibility for the management of the DDN equipment and software. As such, the Planning Procedures and Problem Resolution Policies issued by the Director of the Division are incorporated by reference within this policy. The Commission on Information Management also requires that the Division of Telecommunications have ownership of the digital modems employed on both ends of any telecommunications data line. Those agencies which may have already acquired this equipment must have it formally accepted by the DOT. The Division of Telecommunications may at its option allow separate ownership with their express approval of any and all acquisitions and additions to the network. This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy.
Policy Title: NETWORK MAINTENANCE CONTRACTS Issued by: COLORADO COMMISSION ON INFORMATION MANAGEMENT Effective Date: 01-07-90 Revised Date:
The Colorado Commission on Information Management (IMC) is requiring that any network maintenance contracts which are signed by any State branch, agency, department, or institution be renewable on an annual basis. A network maintenance contract might include such items as installation of telecommunications equipment; maintenance of modems, multiplexers, controllers, etc.; and cabling for data processing equipment.
The Commission is currently exploring establishing State wide contracts to provide these services and wishes to avoid any cancellation penalties that might be inherent in a multi-year agreement. This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy.
Policy Title: EDP Standards Issued By: Colorado Commission on Information Management Effective Date: 01-07-90 The Colorado Commission on Information Management (IMC) is requiring that any State branch, agency, department or institution which supports or uses automated systems, whether hardware, software or telecommunications, create, maintain, and adhere to written standards for EDP administration and operation.
Standards should be established for any of the following areas relevant to the branch, agency, department or institution, under the following guidelines:
1. Hardware/Software Procurement: Standards should be developed which govern annual operating plans and budgets. Compatibility should be considered a high priority in procurement.
2. Systems Development Methodology: A methodology which describes the areas that must be addressed in the systems development process should be implemented to provide a logical framework for the efficient and effective deployment of automated systems. (See separate policy entitled `Systems Development Methodology'.)
3. Documentation Standards: Standards that describe the documentation required for automated systems should be developed and implemented. (See separate policy entitled `Systems Documentation'.)
4. Contingency Planning/Disaster Recovery: Plans should be developed, tested, and implemented which address the need for backup and recovery capabilities to be used in the event of a disaster involving the State data processing resources. (See separate policy entitled `Contingency Planning/Disaster Recovery'.)
5. Programming Standards: Standards to guide program planning, design, coding, conventions and testing should be established and monitored.
6. Data Security Standards: Standards addressing data security including safety and environmental considerations, equipment and data access, password security backup and recovery and incident reporting should be established and monitored.
7. EDP Administration Standards: Standards addressing general EDP administration including the development of procedures for areas such as application change control, control of new release implementation, and project management should be established and adhered to. The above items comprise only the minimum compliance areas. It is expected that there will be additional topics in some agencies or departments that should also be covered by appropriate policies and that the departments will exercise good judgement in developing the needed policies. It is expected that all branches, agencies, departments, and institutions will comply with this policy by developing and implementing standards by July 1, 1991.
This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy.
Policy Title: Systems Development Methodology Issued By: Colorado Commission on Information Management Effective Date: 01-07-90 The Colorado Commission on Information Management (IMC) is requiring all State branches, agencies, departments, and institutions to develop and maintain a structured systems development methodology. The methodology should provide appropriate procedures and forms to deliver properly functioning, documented, and completed systems and provide for the on-going maintenance of these systems. Appropriate methodology will cover new application development, application maintenance or modifications/enhancements, and/or new software acquisitions. Each branch, agency, department, or institution may develop or adopt their own methodology provided the methodology meets the requirements of this and all related policies. The methodology should at a minimum include standards and procedures and documentation for the following activities:
1. Project Request and Feasibility: In response to a request from a user, limited data gathering or evaluation of the extent of the effort and a cost/benefit analysis should be required for acceptance of the request. The request should also be evaluated against plans and goals in the Operational Plan as well as Budget Requests. This activity should conclude with the acceptance and scheduling of the project request.
2. System Requirements Analysis: This activity consists of establishing user needs, modeling the functions and data required to support automation of the needs, and analyzing alternatives to meet these requirements. The definition of the objectives and features of the proposed system is completed. Any changes to the scope or requirements as originally set down by the user should be identified here. The user should approve this comprehensive system requirements definition document.
3. Product Evaluation, Acquisition and Installation: If predeveloped software can possibly be used, this activity should include procedures for identification of vendors, request for proposal, proposal evaluation procedures, software demonstrations, and contract negotiation. In addition, procurement of the product and management of the delivery and installation including testing of the product, tuning and integration into the environment must be planned and performed.
4. System Delivery Specification: This activity consists of the definition of the conceptual model of the new system including user interfaces, subsystems, data requirements, and conversion specification. This activity results in the definition of the system architecture and the external interfaces that will exist.
5. Technical System Design: This activity consists of the technical design of the system including design of procedures, data files and databases, conversion systems, operational requirements, and test procedures.
6. Technical Procedure Development: Programs are coded and unit tested according to specifications in the technical design document. Departmental programming and testing standards are followed. In addition, integration testing is performed, technical documentation is completed, and operations procedures are completed. The result of this activity is a system that is ready for system and acceptance testing and which includes necessary technical documentation.
7. User Procedure Development: This activity includes development and documentation of any necessary user procedures, acquisition of required user resources including people and/or equipment, and development of user training. User training is conducted as part of this activity.
8. System and Acceptance Testing: This activity includes creation of the system and acceptance test environments, performance of system and acceptance testing, and preparation of the production environment. The result of the activity is a system that has been accepted by the users and the operations staff.
9. Implementation: This activity includes converting the existing system to the new system per the conversion plan. Data is converted and all manual and automated procedures are established. The project should conclude with a post implementation review of the success of the development effort and should plan for the next activity of the system's life which may be either maintenance or enhancement.
Maintenance and enhancement of systems should follow an abbreviated set of the above activities. The extent to which the process can be abbreviated will depend on the situation. Good management judgement should be used keeping in mind that the object is a thorough, organized process which will maximize the probability that the system will meet the needs of the users and other interested groups. This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy. Development or acquisition of a methodology for the system development lifecycle should begin immediately. Any development projects beginning after January 1, 1991 should be administered using the new methodology.
Policy Title: Systems Documentation Issued By: Colorado Commission on Information Management Effective Date: 01-07-90 The Colorado Commission on Information Management (IMC) is requiring all State branches, agencies, departments, and institutions to develop and maintain documentation standards and, in addition, that all new or modified system applications, whether purchased as a pre-developed package or developed using State resources, will be documented at the system, operations, and user levels prior to becoming operational.
Further, the Commission expects each State branch, agency, department, or institution to establish a plan and set priorities for completing the documentation of all systems either currently installed or pending installation in accordance with the standards outlined in this policy. The Commission expects that reasonable judgement will be used in the determination of which systems to document, omitting those, for instance, which will be replaced shortly. Also, the Commission is not encouraging the incurrence of additional expense for documenting, but rather expects that progress will be made against the established plan.
The Commission suggests the following guidelines to management:
1. Systems Manual: The Systems Manual should be minimal in length, summary in nature, and easy to use and update. Processing concepts, system flows, hardware and software requirements, and general information regarding installation and maintenance should be discussed.
2. Programming Documentation: The programming documentation should be prepared for all developed or modified systems. The programming manual should include sufficient detail and content to enable a qualified programmer to understand, enhance, and maintain the system. It should be minimal in length and rely on current computer stored information where feasible.
3. Operator Manual: For some application software, the user is the “operator.” For those systems, the user documentation must include all necessary operations documentation. For applications processed on systems which require attended operations by a computer operator, a separate manual should be prepared to document the procedures required to fulfill the processing requirements.
The operator manual should be very specific in content and enable the operator to understand and process the steps required. Details should be provided for dataflow, setup and initiation, and control procedures including recovery, restart, normal and abnormal termination.
4. User Manual: The User Manual should be structured as a training tool as well as an easy reference guide for infrequent users. It should be minimal in length, easy to maintain, and should utilize on- line help capabilities of the system whenever feasible. At a minimum the documentation should include input, run and output procedures, restrictions on modification and use, and specific corrective actions for error handling, recovery and hardware and software malfunctions. It is expected that all branches, agencies, departments, and institutions will have completed the plan for the development of the required documentation by January 1, 1991. This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy.
Policy Title: Contingency Planning/Disaster Recovery Issued By: Colorado Commission on Information Management Effective Date: July 1, 1990 The Colorado Commission on Information Management (IMC) is requiring all State branches, agencies, departments, and institutions to prepare and test disaster recovery plans that will be maintained and used in the event of a disaster.
The following guidelines will be used to develop the Plan:
1. A Disaster Recovery Team should be established with a designated Coordinator. Team members and key user personnel should be identified and their responsibilities defined. Plans should be developed to provide for the rotation of team members both within and on and off the team in order to assure that the expertise gained in any particular area of disaster recovery planning does not become concentrated in one person.
2. Recovery Requirements by Application should be established. At a minimum, these requirements will address physical space, hardware, software, communications, personnel support, supplies, and the prioritization of the applications to specify the order of restoration. Based upon these requirements, appropriate backup procedures and site criteria should be developed.
3. Recovery Requirements by Time Frame should be established outlining both recovery requirements and user procedures to be effective within the first 24 hours, next 48 hours, 4th through 7th days and extended disaster period.
4. Disaster Recovery Procedures should be finalized based upon the requirements addressing implementation of hot site recovery, warm site or cold site recovery, and return to permanent site. Appropriate user notification procedures should be included. Procedures should be accepted by systems and user management.
5. The Plan Should be Tested yearly using a segment of the Plan or specific applications. The test should include the move, a validation of the procedures and validation of the accuracy of the application processing and data recovered. Care should be taken to incorporate the testing of new applications or major enhancements in the yearly test process to assure that the plan for the new or enhanced systems is effective.
6. Maintaining the Plan should include procedures to maintain or modify the Plan for personnel changes, for new system development and update of documentation. It is expected that all branches, agencies, departments, and institutions will comply with this policy by producing a workplan for the development of these contingency plans by January 1, 1991. In addition, it is expected that the branches, agencies, departments, and institutions will be able to demonstrate tested and effective contingency plans by the end of FY 92-93 or sooner as addressed by the State of Colorado Strategic Information Management Plan.
This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy.
Policy Title: Addendum to Micro Computer Policy Topic: Planning, Development, Testing and Documentation of Application The Colorado Commission on Information Management (IMC) is requiring that any State branch, agency, department or institution which supports or uses micro computer based systems establish procedures to adequately plan for, test, document and train users on the proper operation of these systems. This policy, while not intended to apply to such things as one-time analyses, should apply to any application which involves financial controls or which supports department management decisions. Micro Computer technology and applications should be subject to the same EDP standards as other systems and technology. Branches, agencies, departments or institutions may establish the appropriate level of implementation of these standards for micro computers. The Commission suggests the following guidelines to management:
1. The use of an appropriate subset of Systems Methodology should be established. Emphasis should be placed upon user participation in, and acceptance of, the system definition and testing activities. In those cases where the user is the developer, thought should be given to providing for independent review by someone (perhaps an auditor) not involved in the development. It is expected that good judgement will be used in the selection of the appropriate subset of the methodology keeping in mind the ramifications to State business if error is introduced due to inadequate definition, design, development, or testing. A greater impact of errors on financial control or management decision making should result in a more complete portion of the methodology being used to reduce the probability of those errors occurring. The attached matrix gives guidelines for determining the appropriate level of activity.
2. Documentation should be developed in accordance with the Policy for Documentation Standards with consideration for the complexity of the system, the frequency of use, and the importance of the output. Because of possible direct user interaction with the processor and peripheral devices, adequate system and operations documentation should include detailed startup, shutdown, and system failure procedures. Standard user documentation should function as a complete training and reference guide supporting the need for explanation of the derivation of the output or for it's reproduction.
3. User training should be completed at a level which ensures that the user can function independently. This policy becomes effective as of the date shown above and will remain in effect until the Commission shall rescind or alter such policy.
State Of Colorado Micro - Computer Application Evaluation Matrix Application ______________________