Executive Orders

EO 1-44

 

Information Technology (IT) Governance

December 20, 2012

 

 

 

 

1. AUTHORITY
1.1     Article VI, Section 7a, of the City Charter of the City of Houston.

 

 

2. PURPOSE                                    
2.1     The City of Houston seeks to provide citizens with the highest quality of service at the lowest possible cost; therefore, optimizing services through the various departments charged with their delivery is of key importance to the public. Information Technology is an important tool which will be deployed to deliver optimized service.

 

IT Governance exists to support the mission of the departments to deliver those public services while ensuring cost effective coordination of large scale IT initiatives and expenditures.

 

This Executive Order defines the scope of IT Governance and respective roles for the City.

 

To further such purpose, this Order establishes:

2.1.1      IT Governance Objectives
2.1.2      IT Governance Committee Structures
2.1.3      IT Governance Principles
2.1.4      IT Governance Roles and Responsibilities

 

3. OBJECTIVES
3.1     Establish the approach through which the City will prioritize and guide Citywide and/or multi-department IT investments and services.

 

3.2     Determine the approach and measures that will be used to determine the efficiency and effectiveness of IT support services.

 

3.3     Define the scope of accountability for the Chief Information Officer (CIO), the Chief Information Security Officer (CISO), the Deputy CIOs, Chief Technology Officers (CTOs) and Assistant Directors of IT, under the guidance of the governance bodies.

 

3.4     Create a process through which IT policies and IT standards are developed and approved.

 

3.5     Establish and implement procedures to ensure that all licensing requirements are complied with.

 

 

4. SCOPE
4.1     All City departments and divisions are required to adhere to this procedure.

 

 

5. PROCESS OVERVIEW
5.1     IT Governance is the overall framework within which the City specifies decision rights and accountabilities for large scale IT services and products. IT Governance provides a process for consistent and objective decision making, supporting the mission of the departments. The following are key components of the City’s IT Governance process:

5.1.1      Business Alignment: All IT initiatives are prioritized to directly support the business needs of the department(s) and the City’s strategic priorities, paying particular attention to prioritization, the capability and capacity of the City.
5.1.2      Investment Management: Investments are prioritized by fund source based on business need, expected benefits, and potential risks. Funding is allocated to appropriate IT operational and capital expenditures, with oversight of delivery against approved funds and visibility into the procurement and vendor management processes required to deliver approved projects and services.
5.1.3      Risk Management: The identification, assessment, and prioritization of risks and controls which ensures appropriate visibility and oversight in the management of IT related risks on large scale IT projects (risks will include but not be limited to information security, operational, financial, vendors, and capital projects).
5.1.4      Performance Management: Active monitoring of the leading and lagging indicators that underpin effective, timely, cost effective delivery of large scale IT projects and services, with the evolution of IT capability and capacity.
5.1.5      Compliance Management: Maintains compliance, security and confidentiality of sensitive areas of operations, including but not limited to, law enforcement sensitive information systems, including those which may be driven by federal, state or local regulation or direction. Ensures that all software licensing obligations and requirements are complied with.

 

6. COMMITTEE STRUCTURES 
6.1     The City will establish the following IT governance committees:

6.1.1      IT Governance Board (overall oversight of large scale IT services and spending)
6.1.2      IT Operating Committee (operational governance of IT services)

6.2     IT Governance Board

 

6.2.1      Purpose
       6.2.1.1      Establish priorities for Citywide and shared services IT investment projects.
       6.2.1.2      Provide oversight of performance of IT projects and programs.
       6.2.1.3      Monitor and establish goals for overall IT service delivery and IT investment performance.
       6.2.1.4      Oversee development of management action plans related to key IT risks.
       6.2.1.5      Review and approve IT recommendations defined by the Operating Committee as appropriate for IT services, policies and procedures.

6.2.2      Attendees (10 total, appointed by the Mayor)
       6.2.2.1      Chair - Mayor’s office designee.    
       6.2.2.2      Voting Members – Nine, including the Finance & Human Resources Directors, who are standing members.
       6.2.2.3      Non-Voting Members – Chief Information Officer (CIO).
6.2.3      Frequency
        6.2.3.1      Budget cycle (x2) or as needed by the Citywide budgeting cycle.
        6.2.3.2      Monthly/Quarterly or as directed by the Chair.

6.3     IT Operating Committee

 

6.3.1      Purpose
        6.3.1.1      Define Citywide IT policies, procedures and standards, including procedures to ensure that software licensing requirements are complied with, to be approved by the IT Governance Board.
        6.3.1.2      Define scope of IT services, to be approved by the IT Governance Board.
        6.3.1.3      Review IT service delivery standards, large scale project portfolio, and cost performance on a monthly basis.
        6.3.1.4      Define IT capabilities required to meet the ongoing needs of each IT department for core and shared services across the City.
        6.3.1.5      Oversee asset life-cycle of business applications and technology architecture appropriate for the deployment to the City. Define Citywide IT architectural standards.
        6.3.1.6      Define improvement initiatives related to operation of IT services.
        6.3.1.7      Approve Citywide IT security policies, standards and processes as proposed by the CISO.
6.3.2      Attendees
        6.3.2.1      Chair - Chief Information Officer (CIO).
        6.3.2.2      Chief Information Security Officer (CISO).
        6.3.2.3      CTOs, Deputy CIOs, Assistant Directors of IT.
        6.3.2.3      Non-voting legal advisor appointed by City Attorney.
        6.3.2.4      Not to exceed eleven members (plus legal representative).
6.3.3      Frequency
        6.3.3.1      Monthly or as directed by the Chair.

6.4     IT Governance Committees Voting Principles

 

6.4.1      The following voting principles will be established:
        6.4.1.1      An agenda of topics to be addressed at each meeting will be issued by the Chair at least two business days in advance of the meeting, and proposed decisions for the committees will be issued at least two business days in advance of the meeting.
        6.4.1.2      Proxies for committee members have the ability to vote; proxies for the IT Governance Board must be alternate department directors.
        6.4.1.3      No quorum will be required for action to take place, as departments are expected to attend.


7. PRINCIPLES

7.1     The City’s IT organizations function in a federated model where all departmental IT organizations participate in the governance process with the CIO and governance bodies. In a federated model, the Citywide IT unit has responsibility for architecture, common infrastructure, standards and shared services, while department IT organizations have responsibility for application resources and services that directly impact their business.

 

7.2     The CIO receives general direction from the IT Governance Board regarding the Citywide and/or multi-department IT business requirements of the City.

 

7.3     The IT Governance Board drives the decision making around business needs and policies and seeks to maximize the performance of departmental services to the public using IT and other tools.

 

7.4     The City shall offer IT Services in three distinct models:

7.4.1      Citywide (Core) Services – These include information management functions common to the entire City as an enterprise and managed by one department or entity on behalf of all departments. Their performance is overseen by the Governance Board.
7.4.2      Shared Services (multiple departments) – These are typically created and maintained by one department to service multiple departments with similar functions to facilitate sharing of applications and data. Their performance is overseen by the departments that utilize the shared service and delivered by the center of excellence.
7.4.3      Departmental Services – These are services and processes that meet the needs of individual departments. While these services must also adhere to the City policy and standards driven by best practices, they are typically delivered by departments and are overseen by their department director.

7.5     Primary decision making related to IT investment, service and goal priorities will be directed by the IT Governance Board.

 

7.6       A secondary IT Operating Committee will manage implementation of the policies, investment priorities and operational performance goals approved by the IT Governance Board, and will develop proposed policies, standards and processes for review and approval by the IT Governance Board.

 

7.7     A three-year rolling IT Strategic Plan that articulates the large scale IT investment strategy and activities for the City is mandated and will be created by the governance bodies. The IT Strategic Plan shall be reviewed annually to reflect changes in departmental objectives.

 

7.8     Where appropriate IT management standards do not exist, the governance bodies will drive the standard, provided that the standard is reached in accordance with mandatory policies approved by the IT Governance Board and Citywide procurement policy.

 

7.9     City of Houston departments will seek to leverage existing technology investments when buying additional products, in an effort to move toward Citywide standard and effective re-use of existing acquisitions.

 

7.10   Where new or additional capabilities are required, package solutions are preferred over building custom solutions.

 

7.11   Financial transparency will be sought for large-scale IT investments. Allocation of costs must comply with federal regulations (i.e. revenue diversion) and bond covenants.

 

7.12   Career development and progression programs will be developed for all IT professionals employed by the City; led by the CIO with collaboration from IT departments.

 

7.13   IT Citywide and shared services will be delivered pursuant to service level agreements entered into by supported and supporting departments and delivery will be continuously assessed against the standards of the agreements and leading practices. These will be implemented on an as needed basis. Structured improvement plans will be agreed as a core component of the IT operational plans.

 

7.14   Good practice risk and control frameworks will be defined and implemented across the City of Houston IT assets and processes leveraging international standards such as Common Objects for Information and Related Technology (COBIT) and Information Technology Infrastructure Library (ITIL).

 

7.15   For security and operational purposes, law enforcement technology services and projects, especially those operating with or under Homeland Security, FBI, Texas DPS or other federal, state or law enforcement agencies or affecting the security of police operations, remain under the supervision and control of the Chief of Police. In addition, the Houston Police Department, through the Chief of Police, shall continue to deliver IT products and services to other law enforcement and justice agencies throughout the region in accordance with the security, operational and performance standards applicable. However, the Houston Police Department, through the auspices of its Chief Technology Officer, shall be required to operate wherever possible or feasible within all standards, policies and practices as established by the governance process and shall seek to fully participate in all City of Houston IT related activities.

 

 

8. RESPONSIBILITIES
8.1     Information Technology in the City of Houston will be delivered in a federated model under the policies set by the IT Governance Board under the general direction and coordination of the CIO. Alignment between the operational departments and the CIO will be overseen by the IT Governance Board. Each operational department will have an individual (shared in the case of smaller departments) who will be directly responsible for IT delivery in the business department.

 

8.1.1      Department Directors
                          8.1.1.1      Oversee and prioritize demand for IT solutions and IT services.
                          8.1.1.2      Ensure the overall alignment of IT solutions with citizen service processes.
                          8.1.1.3      Oversee the implementation of appropriate controls related to IT delivery and IT investment management.
                          8.1.1.4      Budget for resources necessary to operate and maintain IT investments throughout the system life cycle, including replacement of assets.
                          8.1.1.5      Account for the development of IT strategic plans as a component of the overall department business strategy.
                          8.1.1.6      Assist the CIO in the oversight of IT service delivery performance and IT cost optimization delivered by the central IT department.
                          8.1.1.7      Oversee departmental IT investments and service delivery across the department.

 

8.1.2      Chief Information Officer (CIO)
                          8.1.2.1      Operate under the general direction of the IT Governance Board and in accordance with the IT Governance Principles.
                          8.1.2.2      Oversee all large scale IT investment service delivery across the City which central IT may operate.
                          8.1.2.3      Account for the development of IT strategy for the City, as approved by the IT Governance Board.
                          8.1.2.4      Account for development of professional IT staff, standards and policies, with input from departmental IT. Recommend standards for IT customer service for IT services across the City.
                          8.1.2.5      Facilitate planning for innovation and use of IT across the City of Houston.
                          8.1.2.6      Facilitate cost effective deployment and operation of high performance IT services.
                          8.1.2.7      Manage Citywide IT risk as directed by the IT Governance Board.
                          8.1.2.8      Deliver IT Services provided by IT within the federated model to agreed levels of performance, budget and policies.
                          8.1.2.9      Maintain all Citywide IT policies, standards and compliance.
                          8.1.2.10    Develop and deliver IT services initiatives across the City as approved by the IT Governance Board.
                          8.1.2.11    Plan, secure required funding and execute the maintenance and sustainment of the IT products and services.
                          8.1.2.12    Report on a regular basis to the IT Governance Board on the performance of IT services.

 

8.1.3      Chief Information Security Officer (CISO)
                          8.1.3.1      Report to the CIO.
                          8.1.3.2      Develop, coordinate, and implement policies, standards and procedures for the management of Citywide security risks, IT security and compliance in accordance with the IT Governance Board’s direction.
                          8.1.3.3      Propose and maintain IT security standards and controls for approval by the IT Governance Board.
                          8.1.3.4      Verify compliance with approved IT security controls and software licensing requirements.
                          8.1.3.5      Provide guidance on IT security and compliance related policies, processes and standards.
                          8.1.3.6      Work with specific departments which may have specialized security requirements to 1) ensure that conflicts do not arise between specialized security requirements and other security or proposed City policies; 2) coordinate any and all security compliance efforts with all departments before carrying out any verifications that take place within said department facilities or on or with said department equipment, personnel or services; and 3) coordinate with all specialized departments prior to implementation of mitigation efforts or security changes on systems, equipment or services used by the specific department.

 

8.1.4      CTOs, Assistant Directors of IT, Deputy CIOs
                          8.1.4.1      Collaborate with the CIO, CTOs and Assistant Directors of IT for planning and delivery of cost effective, high performance services to the City.
                          8.1.4.2      Ensure that their department delivers IT products and services that are in compliance with the IT Governance Board approved citywide policies and processes.
                          8.1.4.3      Account for and manage IT financial and IT procurement matters related to their department and ensure appropriate transparency of IT costs and IT suppliers within their department in accord with the standards and policies and IT Governance principles.
                          8.1.4.4      Manage departmental IT demand.
                          8.1.4.5      Develop IT strategy relevant to their function.
                          8.1.4.6      Develop professional IT staff within their division.
                          8.1.4.7      Deliver IT services to a level that is acceptable and appropriate to the needs of the department and comply with Citywide policies.
                          8.1.4.8      Manage cost effective deployment and operation of high performance IT services.
                          8.1.4.9      Provide visibility into large scale IT projects, through the IT Operating Committee for discussion by the IT Governance Board. Visibility should include all large-scale IT projects, and should not be limited to only those that require City Council authorization.
                          8.1.4.10    Guide unique departmental procurement requirements, in compliance with Citywide procurement policy.
                          8.1.4.11    Protect information and resources within their purview.

 

9. CONFLICT AND REPEAL
9.1     This Executive Order supersedes Executive Order 1-44, Policy to Direct and Monitor Technology Efforts, signed November 25, 2002, which shall be of no further force or effect.