2018 Information Resources Deployment Review

Instructions

Guidance for Texas State Agencies and
Institutions of Higher Education

Submission Deadline, March 31, 2018

Texas Department of Information Resources

Contents

What’s New

Introduction

Reminder

General Instructions

Part 1 - Agency Environment

Section 1.01 - Information Resources Management

Section 1.02 - Information Security

Section 1.03 – Electronic and Information Resources (EIR) Accessibility

Section 1.04 - Continuity of Operations

Section 1.05 - Electronic Records Management & Digital Data Storage

Section 1.06 - Contracting

Section 1.07 - Hardware/Software Environment

Section 1.08 - E-Learning

Section 1.09 - Geographic Information Systems

Section 1.10 - Legacy Applications

Section 1.11 - Project Delivery

Section 1.12 - Digital Services

Section 1.13 - Shared Networks

Section 1.14 - Data Management

Part 2 – Compliance with State Standards

Section 2.01 - Security

Section 2.02 - State Websites

Section 2.03 - Electronic and Information Resources (EIR) Accessibility

Section 2.04 - Geographic Information Systems

Section 2.05 - Electronic Records Management

Section 2.06 - Additional Standards

Section 2.07 - Optional Comments on Compliance

Part 3 - State Strategic Plan for Information Resources Management

Section 3.01 - Alignment with 2018-2022 SSP Technology Focus Areas

Section 3.02 - Progress toward 2016-2020 State Strategic Plan Focus Areas

Part 4 – IT Inventory

Section 4.01 – Server Inventory

Section 4.02 – Cloud Services Inventory

Section 4.03 – Managed Infrastructure

Section 4.04 – Mainframe Inventory

Section 4.05 – Major Databases Inventory

Part 5 – Optional Maturity Evaluations

Glossary

What’s New

Submission Deadline

The submission deadline for the Information Resources Deployment Review (IRDR) is now March 31, 2018. S.B. 532 85(R) amended Section 2054.0965, Government Code, to change the statutory deadline of the IRDR from December 1, odd-numbered years to March 31, even-numbered years. However, with additional reporting requirements, agencies are encouraged to begin the reporting process as early as possible. Although the data collection portal is intended to be available beginning in January 2018, DIR has provided additional resources such as this instructional document so that agencies may begin to plan and collect the necessary data for their submissions.

Part 4 Changes: Information Technology Inventory

S.B. 532 85(R) and Section 9.12 of the General Appropriations Act require DIR to collect an inventory of agency servers, mainframes, cloud services, vendors that manage the agency’s IT infrastructure, and other IT equipment as determined necessary to fulfill statutory requirements. To fulfill these requirements, DIR has consolidated the data collection effort to occur within the IRDR.

The Statewide Portal for Enterprise Cybersecurity Threat, Risk and Incident Management (SPECTRIM) portal will offer an additional module called the “IT Inventory,” which will be formatted similarly to the current IRDR structure with tabs separating the various sections. To ease the reporting burden, DIR will populate the current inventory-related data available. However, agencies should verify all data submitted. Data Center Services (DCS) agencies’ server inventory will be mostly populated from the DCS Content Management Database (CMDB), but there will be additional fields that need to be completed to constitute a complete submission.

In addition, the existing Major Databases and Information Systems inventory (2015 IRDR Part 4) has been shortened and will be prepopulated with the information provided from the last iteration of the IRDR. Again, the agency should ensure that the information presented is current, complete, and accurate.

One major consideration for the inventory components is that of the associated business applications. DIR has begun the process of asking agencies to validate the business applications that exist within the SPECTRIM portal. Within the inventory, the agency will be asked to associate this validated list of business applications to each component within the inventory (server, database, etc.). Therefore, it is important that the business application validation and assessment process is completed prior to completing the IT Inventory.

DIR will provide a Microsoft Excel template for the agency’s convenience for information gathering, but the actual submission must be completed in the SPECTRIM portal.

Agencies that participated in the 2014 Legacy Systems Study may request a copy of their historic inventory by emailing . Some of the information collected through the study may be helpful to agencies for completing this section, but due to the amount of time elapsed since data collection, DIR has decided to provide the information only on request.

Part 5: Optional Technology Maturity Assessments

In 2015, DIR began to offer an optional component of the IRDR designed to help agencies assess their maturity levels on a couple of technology topics. Since that iteration, several more maturity templates have been developed. The optional maturity evaluations will continue to be offered. An agency may elect to use the templates for internal use only, or submit the template as part of their IRDR. This information will be used by DIR only for benchmarking purposes, and submission is entirely up to the agency. The maturity topics for the 2018 IRDR are cloud, data management & analytics, and digital services.

IR-Corrective Action Plans (IR-CAP/Remediation plans)

The IR-CAP process will now be launched upon submission of the agency’s IRDR. IRDR reporting agencies are required to complete a remediation plan for each instance of non-compliance that an agency reports in Part 2 of the IRDR. The agency may complete that remediation plan immediately, or by the deadline to be determined by DIR.

FY 18-19 General Agency Reporting

The following graphic provides a brief overview of the responsibilities and timelines for state agencies’ reporting requirements. Most of the reporting processes are to be conducted through the SPECTRIM portal. Users must have active credentials and be assigned the appropriate permissions to edit or review the information within the portal. Primary communication concerning each of the following processes will be to the Information Resources Managers via the tx-irm list. For more information on general agency reporting requirements, visit the DIR website or contact .

Introduction

Background

The Information Resources Manager (IRM) of each Texas state agency and institution of higher education (IHE) is required by law (Section 2054.0965, Gov. Code) to conduct an IRDR every two years. Agencies that are not IHEs are required to send the results of their review to the Quality Assurance Team (QAT) for review. The QAT comprises representatives from DIR, the Legislative Budget Board, and the State Auditor’s Office.

DIR develops instructions for the content of the IRDR. This document constitutes those instructions. DIR provides a web-based collection tool to assist agencies in collecting and submitting their responses. DIR will compile and distribute the submissions to the other QAT members; therefore, the online submission through the SPECTRIM portal constitutes a complete submission.

Purpose

The IRDR provides a review of the operational aspects of each agency’s information resources (IR) deployment in support of the agency’s mission, goals, and objectives. In addition, it illustrates how the agency’s IR deployment supports the state’s IR direction as described in the State Strategic Plan for Information Resources Management (SSP). Finally, the review provides confirmation by the agency of compliance with the state’s IR-related statutes, rules, and standards.

DIR will review responses in the compliance section of the IRDR to determine which agencies are not in full compliance. Agencies determined to be out of compliance in one or more areas are required to submit an IR-CAP for approval by DIR. The IR-CAP should detail the steps and timeframe for which the agency intends to achieve compliance. Agencies that fail to submit and obtain approval of their IR-CAPs to DIR are reported to state leadership regarding their inability to develop a plan to reach compliance. Note that if an agency has each IR-CAP approved they will not be reported in the letter.

Organization

The 2018 IRDR is organized into five parts:

  • Part 1: Agency Environment provides general information about the agency’s information resources environment.
  • Part 2: Compliance with State Standards describes the status of the agency’s compliance with key IR-related statutes, rules, and standards.
  • Part 3: Alignment with State Technology Goals asks agencies the degree of alignment between their IT initiatives and the statewide technology focus areas. Some goals may not be applicable to all agencies. Note that the focus areas are taken from the State Strategic Plan for Information Resources Management. Part 3 also asks agencies to identify the amount of progress made on prior statewide technology priorities.
  • Part 4: IT Inventory asks agencies to provide an inventory of their servers, cloud services, vendors that manage agencies’ IT infrastructure, and major databases. Part 4 is available through the SPECTRIM portal as its own module.
  • Part 5: Optional Maturity Assessment provides optional assessments on select technology topics.

New Questions

Throughout the instructions, bold question numbers indicate items added since the 2015 IRDR.

Reminder

Higher Education Exemption

Section 51.406, Education Code, exempts IHEs from the requirements of IRDR reporting, Section 2054.097, Government Code, which means they are no longer required to:

  1. submit the results of their IRDR, or
  2. develop IR Corrective Action Plans to address non-compliance with state IR requirements.

Note that Section 2054.0965, Government Code, still applies to IHEs, which means they are still required to conduct a biennial review of their information resources based on instructions developed by DIR. IHEs will continue to have the option to submit IRDR results through DIR’s data collection tool. If an IHE wishes to voluntarily submit results, please email for instructions.

Health and Human Services Agencies.

In addition to state-level review of the IRDRs, Section 531.0273(a)(3), Government Code requires that IRDRs prepared by the Health and Human Services (HHS) agencies be reviewed and approved by the Health and Human Services Commission (HHSC). HHS agencies will receive additional instructions from HHSC concerning the timing of their submissions and the review process.

General Instructions

Definitions

Throughout the questions in this document, all references to agencies apply to both state agencies and IHEs, unless otherwise indicated. Definitions of technical terms used in this document are provided in the glossary.

Sensitive and Confidential Information

The questions included in this document are intended to serve as both an internal review of an agency’s IT environment and an overview to state leadership of the state’s aggregate IT environment. Due to the inherently sensitive nature of system-level cybersecurity information, S.B. 532, 85(R) grants an exception under Chapter 552, Government Code relating to security-related confidential information provided for the purposes of the report. DIR will treat the information collected in Part 4 – IT inventory as confidential.

DIR will comply with the Texas Public Information Act for public information requests for the general content of the IRDR, excluding the IT Inventory. DIR will take the necessary steps to ensure that agencies’ systems vulnerabilities are not exposed through this process.

Collection Tool

To access the SPECTRIM portal, navigate to the following URL and enter your appropriate credentials. Internet Explorer or Microsoft Edge best support the functionality of the collection tool. Each Information Resources Manager’s credentials will be reactivated before deployment of the collection tool. If the IRM does not log in to the portal within 24 hours of a password reset or reactivation, the account will become inactive. If your account has become inactive, or you need a password reset, please email or for assistance.

  • URL:
  • User Name: your agency email address
  • Instance number: 20224

Data can be entered in multiple sessions from various computers, but not with the same user account simultaneously. Only one user will be able to edit a record at a time. All data entered is saved in a central database and may be viewed and updated in future sessions during the reporting period.

Delegate Function: The IRM is the default owner of the IRDR submission process. However, DIR understands that there is often a need for collaboration in completing the IRDR.

IRMs may find it easier to obtain staff input by distributing this instructions document and entering responses through their account, rather than granting delegation rights to many users.


An IRM may elect to delegate responsibility to one or more individuals with the appropriate SPECTRIM credentials. It should be noted that only one user will be able to edit an IRDR record at a time. At the top of the IRDR data entry page, there is a section marked “Delegate to.” To delegate to a person, select the ellipses, and then the appropriate user from the dialogue box. If the IRM wishes to delegate to someone not listed in the dialogue box, new credentials need to be obtained for that person in SPECTRIM. To make this request, please email or for assistance.

Review Function: Additionally, agencies may elect to assign a reviewer to an individual IRDR. This process follows the same steps as the “Delegate to” function, but will require the reviewer to change the reviewer status to “completed” before allowing the IRM to ultimately submit the IRDR.

For Part 4 – IT Inventory, agencies will use a different module for reporting their inventory information. This module can be found by navigating to the “IT Inventory” dashboard at the same directory level as the IRDR/IR-CAP. DIR intends to provide an additional spreadsheet that will assist with information gathering. This spreadsheet will be available through the portal, but submission should be completed using the portal itself.

DIR recommends that the agency IRM and any additional staff delegated to develop and enter IRDR responses keep this instruction document open while performing their review. This document contains guidance, links, and definitions that do not appear in the collection tool or inventory spreadsheet.

Submission

No signature or hardcopy submission is required. Each IRM is responsible for coordinating the IRDR development and approval process within the agency using established agency practices.

Unless otherwise indicated, a response is required to each question. In some cases, an appropriate response to a question may be “None” or “Not applicable.” By statute, the submission deadline for the IRDR is Saturday, March 31, 2018.

Support

DIR staff is committed to providing support to agencies during the IRDR reporting period. DIR staff will strive to answer all inquiries within one business day. IRMs are encouraged to submit inquiries whenever they do not understand a question or are uncertain how to respond to it.

For general inquiries about IRDR content (e.g. question clarification, process questions) please .

For support with the SPECTRIM portal (e.g. password resets, obtaining credentials) email .

Additional Information

Throughout the instructions there are guidance statements providing background information, definitions of terms, and links to related information on the Internet. These guidance statements appear in italics. An extensive glossary is also provided at the end of this instruction document.

Please visit DIR’s IRDR page periodically to check for any new announcements, updates, or frequently asked questions. DIR may also post information and reminders about the IRDR on the tx-irm mailing list.

Part 1 - Agency Environment

Section 1.01 - Information Resources Management

1.01.01 What role does the Information Resources Manager play in development of the Agency Strategic Plan?

○ Involved in development of agency strategies and how IT can best support those strategies
○ Role limited to IT section of the plan
○ No significant role
○ Other: ______

1.01.02 What role does the Information Resources Manager play in development of Biennial Operating Plan for Information Resources and the Legislative Appropriations Request?

○ Involved in decisions to produce the BOP and LAR
○ Limited role
○ No significant role
○ Other: ______

1.01.03 Does the agency develop a technology roadmap/tactical plan?

○ Yes
○ In planning
○ No

1.01.04 Describe current technology collaborations with other agencies, institutions of higher education, or local governments.

<text>

1.01.05 Does the agency stream audio or video of board meetings on the internet?

○ Yes, audio only
○ Yes, video
○ No, but plan to stream board meetings in the future
○ No, and no plans to stream board meetings in the future
○ The agency does not have a board

1.01.06 Does the agency allow board members to virtually participate in board meetings?

○ Yes, audio only
○ Yes, video
○ No, but plan to allow virtual participation in the future
○ No, and no plans to allow virtual participation in the future
○ The agency does not have a board

1.01.07 Does the agency provide veteran's-related services or benefits?

○ Yes
○ No (skip 1.01.07a)

1.01.07a Are the agency’s veteran’s-related services or benefits referenced or described on the Texas Veterans Portal?

○ Yes
○ Some, but not all
○ No

1.01.08 Per the Governor’s 2016 directive, all state agencies must display a link to the Texas Veterans Portal on the agency’s homepage. Does the agency currently fulfill this directive?

○ Yes
○ Yes, but not on the homepage
○ No

1.01.09 How does the agency plan to deliver or obtain IT services over the next three years? Choose all that apply.

□ Maintain the status quo
□ Introduce outsourcing as a new service model
□ Expand outsourcing
□ Introduce a managed services model
□ Expand existing managed services model
□ Introduce an IT shared services model
□ Expand existing IT shared services model
□ Outsource business applications through a SaaS model
□ Increase IT staff

1.01.10 Who manages the agency's primary e-mail service?

○ Agency staff
○ Currently agency staff, but planning to outsource
○ Managed by another agency
○ Outsourced or managed service

1.01.11 For which of the following categories does the agency evaluate maturity levels? Choose all that apply.