8 CCR 1501-7
OFFICE OF THE GOVERNOR Governor’s Office of Information Technology RULE IN SUPPORT OF CENTRALIZED IT MANAGEMENT AND CREATION OF ENTERPRISE ARCHITECTURE OFFICE AND DATA MANAGEMENT PROGRAM 8 CCR 1501-7 [Editor’s Notes follow the text of the rules at the end of this CCR Document.] _________________________________________________________________________ 1 Authority This rule is adopted pursuant to § 24-37.5-104 CRS and the State Administrative Procedure Act § 24-4- 101 et seq. CRS.
2 Scope and Purpose A. This regulation shall govern every State agency ("Agency") as defined in C.R.S 24-37.5-102(4), and all of its respective officers, departments, divisions, commissions, boards, bureaus, and institutions.
B. The purpose is to formalize strategic alignment of IT investments with state policy priorities, IT policy and standards, while reducing duplication and overlap, pursuant to § 24-37.5-105(9) CRS. 3 Applicability The provisions of this section shall be applicable to state agencies as defined above that manage and administer Information Technology intended to capture, store, process, manage, or transmit data. 4 Definitions A. Chief Information Officer – see § 24-37.5-102(1) CRS B. Chief Information Security Officer – see § 24-37.5-403(1), (2) CRS C. Office of Enterprise Architecture– The Office of Enterprise Architecture (OEA) is the unit within the Governor’s Office of Information Technology that will manage both the Enterprise Architecture and Data Management programs.
D. Enterprise Architecture (EA) is a comprehensive framework used to manage and align an organization's IT assets, people, operations, and projects with its operational characteristics. In other words, the enterprise architecture defines how information and technology will support the business operations and provide benefit for the business. E. Information Technology (IT) – see § 24-37.5-102(2)
F. Data Management (DM) is an ongoing, centralized administrative function that consists of the planning and execution of policies, practices, and projects that acquire, control, protect, deliver, and enhance the value of data and information assets. Responsibilities typically assigned to this function include data and information strategy planning; data governance; data architecture management; data development; database operations management; data security management; reference and master data management; data warehousing and business intelligence Code of Colorado Regulations 1 management; document and content management; meta-data management; and, data quality management.
5 Responsibilities and Requirements A. The purpose of the OEA within the Governor’s Office of Information Technology (OIT) is to deliver agile business solutions enabling connected government services. (1) The OEA has the following responsibilities:
a. Develop a comprehensive EA framework and repository across the agencies to ensure the alignment between the business strategy and the supporting technical and data architectures;
b. Develop processes and procedures to review agency architectural documentation as deemed necessary;
c. Review agency architectural documentation and provide feedback to agencies in a timely manner;
d. Set enterprise standards for all technical domains;
e. Establish processes necessary for implementing new technologies and systems in response to the State’s changing business needs;
f. Coordinate and leverage existing state investments in information technology infrastructure;
g. Identify interdependencies between enterprise projects; h. Establish collaborative and cooperative relationships with public and private sector organizations to invest strategically in enterprise technology assets and promote reusability;
i. Enforce architectural standards across the enterprise; and, j. From time to time review its mission and update policies and standards as deemed necessary.
(2) State Agency Requirements a. Each agency shall provide baseline architectural documentation based on OEA templates and guidelines within 180 business days of delivery of templates; b. Agencies shall go through an architectural documentation update and review process based on process and procedures determined by the OEA;
c. Agencies shall implement new, modified or updated functionality, applications, technologies and systems in accordance with standards, policies, and guidelines developed by the OEA.
d. Agencies shall comply with other data management policies, procedures and standards as developed by the OEA.
Code of Colorado Regulations 2 B. The purpose of the DM Program within the OEA is to leverage data and information as enterprise assets and to establish standards and processes to enable more agile solutions and government services.
(1) The Data Management Program has the following responsibilities: a. Ensure that data and information assets are known, usable, reusable, and can be accessed when and where needed;
b. Develop processes and procedures to review agency data documentation as deemed necessary;
c. Review agency data documentation and provide feedback to agencies in a timely manner;
d. Establish common policies, procedures and standards to maximize the sharing and investment in information resources;
e. Coordinate and leverage existing state investments in data and information resources; f. Create policies and procedures to facilitate data and information sharing among the various agencies.
g. Develop appropriate security and privacy policies to protect data assets, by working in conjunction with the Office of Cyber Security on data security management and the Attorney General’s Office on privacy concerns;
h. Establish collaborative and cooperative relationships with public and private sector organizations to invest strategically in data and information assets and promote reusability; and, i. From time to time review its mission and update policies and standards as deemed necessary.
(2) State Agency Requirements a. Each agency shall provide baseline data documentation based on OEA templates and guidelines within 180 business days of delivery of templates; b. Agencies shall go through a data documentation update and review process based on process and procedures determined by the OEA;
c. Agencies shall implement data management standards in accordance with standards, policies, and guidelines developed by the Governor’s Office of Information Technology.
d. Agencies shall comply with the metrics and reporting requirements developed by the OEA.
e. Agencies shall comply with other data management policies, procedures and standards as developed by the OEA.
C. Request for Extension of Time - If any agency finds that they are unable to complete the requirements set out in section 5 A and B within the 180 day requirement, they may request an extension of time. The request for an extension must be made in writing, and submitted to the CIO or his/her Code of Colorado Regulations 3 designee no later than 60 days before the 180 day time period expires. The request must state the reason for the delay and the anticipated timeframe for completion. Such a request does not guarantee an extension of time. The agency should continue to work within the 180 day timeframe until they hear from OIT. An extension of time will not be unduly withheld. The CIO or his/her designee will work with the agency to assure compliance with the rule. 6 Requests for Exemption Should an agency find that a Federal program with which it must comply requires an exemption from this rule, a formal request in writing shall be submitted to the State CIO for review and determination. A The agency exemption request must be submitted prior to developing, procuring, or deploying any technology or failing to comply with a requirement specified by OIT. B The exemption shall only be for the portion of the Federal requirement that falls outside of the State policies and standards.
C Exemptions will only be made on a requirement-by-requirement basis for a project or program, and will not automatically cover an entire project.
D Considerations to be weighed by the State CIO or their designee in evaluating an agency request for exemption to enterprise architecture or data management standards include, but are not limited to:
(1) Agency business rationale for use of non-standard;
(2) The degree to which the requested non-standard would materially inhibit the State from ensuring that its information resources fit together in a statewide system capable of providing ready access to and sharing of information, computing or telecommunications resources;
(3) The degree to which the requested non-standard would interfere with the State’s goal of acquiring and using enterprise information technology resources in the most integrated, interoperable, efficient and economical manner possible; and, (4) Other factors deemed to be relevant by the State CIO. _________________________________________________________________________ Editor’s Notes History Entire rule eff. 01/30/2010.
Code of Colorado Regulations 4