This policy is to help ensure a disciplined approach for acquiring and implementing computer systems (both hardware and software).
Agencies are required to enhance efficiency and to implement programs that support District and agency objectives. Computer hardware and system solutions are a primary vehicle for meeting this requirement. However, there is a discipline and there are rules that govern the acquisition of these systems. Many implementations failed to produce the benefits predicted at the initiation of the project. These failures waste time and thousands or millions of dollars. To enhance the cost-effective and timely expenditure of the public's funds for computer systems, OCTO was granted the authority to exercise oversight of system acquisitions. This policy exercises that oversight by instituting evaluation criteria when a project is initiated or before implementation. If these crucial factors are considered, the likelihood of a successful project increases significantly.
Principles for Use
- The principal customers for the product or service provided by the acquired systems are the users and line managers acting on behalf of the District taxpayer.
- The System must be responsive and adaptive to customer needs, concerns and feedback.
- Agencies do not exist in a vacuum; they are part of the District government with common needs such as identifying residents, businesses and specifying addresses. The increasing use of systems in every agency increases the need for information sharing across agency boundaries.
- The District is lawfully required to know the financial condition of the government at all times. This means that the core financial systems must have access to current accurate data from any other system that produces any results that impact the ledger balances of the city.
- OCTO is authorized to review and approve all IT procurements.
The following criteria, although not all-inclusive, are used to evaluate proposed computer systems by DC government agencies:
"Investments in major information systems proposed for funding in the District's budget should:
- Support core/priority mission functions that need to be performed by the District Government;
- Be undertaken by the requesting agency because no alternative private sector or governmental source can support the function more efficiently;
- Support work processes that have been simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial, off-the-shelf technology;
- Demonstrate a projected return on the investment that is clearly equal to or better than alternative uses of available public resources. Return may include: improved mission performance in accordance with measures developed pursuant to the Government Performance and Results Act; reduced cost; increased quality, speed, or flexibility; and increased customer and employee satisfaction. Return should be adjusted for such risk factors as the project's technical complexity, the agency's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance;
- For information technology investments, be consistent with District and agency information architectures which: integrate agency work processes and information flows with technology to achieve the agency's strategic goals; reflect the agency's technology vision and year 2000 compliance plan; and specify standards that enable information exchange and resource sharing, while retaining flexibility in the choice of suppliers and in the design of local work processes;
- Reduce risk by: avoiding or isolating custom-designed components to minimize the potential adverse consequences on the overall project; using fully tested pilots, simulations, or prototype implementations when necessary before going to production; establishing clear measures and accountability for project progress; and, securing substantial involvement and buy-in throughout the project from the program officials who will use the system;
- Be implemented in phased, successive segments as narrow in scope and brief in duration as practicable, each of which solves a specific part of an overall mission problem and delivers a measurable net benefit independent of future segments, unless it can be demonstrated that there are significant economies of scale at acceptable risk from funding more than one segment or there are multiple units that need to be acquired at the same time;
- Employ an acquisition strategy that appropriately allocates risk between the Government and the contractor, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology;"
- Have a clear view of the existing processes that are subject to automation and a well-conceived view of the resulting flow of work and the staff that will support the system;
- Include a full-time experienced project manager;
- Involve a DC employee in the management of the project at a level where he or she is accountable for the success or failure of the project;
- Include systematic interfaces to the appropriate core financial system if the system processes information that impacts the ledger balances of the city; and
- Employ a solution to the documented business problem that is both appropriate and effective.
The following are specifically prohibited uses of computer systems:
- Any purpose which violates a DC government law, code or policy, standard or procedure.
- Purposes not directly related to the mission, charter or work tasks of a DC government agency.
- Private business, including commercial advertising.
- Transmitting information or statements that contain profane language, pander to bigotry, sexism or other forms of prohibited discrimination, or can in any way be construed as intending to harass or threaten another individual.
- Disrupting, obstructing or burdening network resources.
- Disseminating or soliciting information that would reflect negatively on or damage the public image of the DC government or its agencies.
- Any activity meant to foster personal gain.
- Religious or political activity.
- Making unauthorized purchases.
- Transmitting confidential or sensitive information (e.g., medical information, information considered privileged under an attorney-client relationship, information subject to the Privacy Act, proprietary information or other information which must be protected from unauthorized disclosure) unless protected by an approved encryption mode (refer to applicable information security policies, standards and procedures). Such messages will be clearly identified immediately below the message header (i.e., the Subject, Date, From, and To lines) as "CONFIDENTIAL/SENSITIVE INFORMATION [or ATTORNEY/CLIENT PRIVILEGED INFORMATION] - DO NOT RELEASE TO UNAUTHORIZED PERSONNEL." In such cases, the sender must also be certain that the recipient is properly authorized to receive and view the information.
- Section 1808 and 1815 transferred to OCTO all positions, property, available funds, etc., for information technology and telecommunications purposes and functions that had formerly been included in the powers given to the DC Department of Administrative Services.
- Mayor's Order 90-178, Delegation of Contracting Authority, issued November 19, 1990
- Agency CIOs.
- Agency Directors.
- Any employee involved in the design and/or acquisition of computer systems.
- Any contractor involved in the design and/or acquisition of computer systems.
None. OCTO will consider granting exceptions on a case-by-case basis when requested in writing by the head of an agency.
Roles & Responsibilities
DC government agencies
Each agency is responsible for understanding and enforcing the policy documented above. Agencies are also responsible for any investigation of alleged or suspected non-compliance with the policy.
- OCTO is responsible for developing complete and current policies regarding system implementation and acquisition. OCTO is also responsible for disseminating this information throughout all of the agencies and the Executive staff. OCTO reserves the right to review District system projects at any time to determine compliance with this and related policies. Any violations of policy discovered by OCTO will be referred to the affected agency for corrective action.
Roles and Responsibilities: All DC Government Email Users
- Users of DC email must use the service only for the Allowable Uses defined above and refrain from any of the Prohibited Uses defined above.
- Users must change passwords with regular frequency, in accordance with applicable agency and OCTO standards and recommendations.
Roles and Responsibilities: DC Government Agencies
- Each agency is responsible for its employees' and contractors' compliance with this policy and is expected to familiarize each user with this policy.
- Because transmission of email may involve routing over an unsecured network, it is the responsibility of each agency to protect sensitive (i.e., confidential) information from intentional, inappropriate, or accidental disclosure, and to protect the DC government and individual users from loss or harm.
- Agencies are responsible for the investigation of alleged or suspected violations of this policy, and the referral of violations to OCTO for suspension of service to users.
Roles and Responsibilities: OCTO
- The OCTO Director of IT Security must develop and update email security policy and maintain awareness of email-related threats, vulnerabilities, and security issues.
- The Director of IT Security will maintain a content filtering system which scans the contents of messages on the DC Government email system, rejects messages containing content that may violate this policy, and issues the sender a notification advising that the message has been rejected, and why, so that the message can be corrected and resent.
- However, neither OCTO nor any agency or instrumentality of the DC Government undertakes to protect users from receiving electronic mail they may find offensive, or to guarantee that electronic mail received was in fact sent by the purported sender.
- Because email is public, not private communication, OCTO may monitor any or all DC Government email traffic to determine compliance with this and related policies.
Disclaimer of Legal Rights
Nothing in this statement of policy shall be deemed to create any legal right on the part of a user of the email system, nor any legal obligation on the part of OCTO or any person having authorized access to search or review email correspondence in the system.