Information Technology Management

SBA Needs to Establish Policies and Procedures for Key IT Processes

GAO ID: AIMD-00-170, May 31, 2000

As the Small Business Administration (SBA) tries to transform itself into a 21st century leading-edge financial institution, it needs to identify and address operational problems that have agencywide implications. Although SBA plans to improve its key information technology processes, many of the agency's policies and procedures for managing this critical area are now in draft form or not yet developed. SBA intends to pursue best practices for information technology planning, monitoring, and evaluation, but its current practices do not generally adhere to defined processes. In particular, investment management efforts are limited largely to reviewing information technology proposals, architecture-related activities are carried out without a defined process, and software development and acquisition practices are often ad hoc. In the information security area, SBA lacks centralized oversight of the activities of its field and program offices. Also, periodic risk assessments have not been done on all mission-critical systems and security training has not been given to employees and contractor staff. Human capital management efforts are limited to a non-information technology training needs survey, and a human capital assessment has not been done to identify short- and long-term information technology knowledge and skills requirements. GAO summarized this report in testimony before Congress; see: Information Technology Management: Small Business Administration Needs Policies and Procedures to Control Key IT Processes, by Joel C. Willemssen, Director of Civil Agencies Information Systems Issues, before the Senate Committee on Small Business. GAO/T-AIMD-00-260, July 20.

GAO noted that: (1) although SBA plans to improve its key IT processes, many of SBA's policies and procedures for managing IT are in draft form or not yet developed; (2) SBA has not yet established policies to manage IT investments and human capital; (3) procedures for maintaining SBA's enterprisewide IT architecture and for implementing information security policies are still in draft form and incomplete; (4) also, standards and procedures to support new software development are being adopted, and IT guidance for software acquisition is obsolete; (5) in each of these areas, SBA intends to implement needed policies and procedures; (6) while SBA intends to pursue best practices for IT planning, monitoring, and evaluation, its current practices do not generally adhere to defined processes; (7) in particular, investment management activities are limited largely to reviewing IT proposals, architecture related activities are performed without a defined process, and software development and acquisition are predominately ad hoc; (8) in the information security area, SBA lacks centralized oversight of the activities of its field and program offices; (9) risk assessments have not been performed periodically on all mission-critical systems and security training has not yet been provided to employees and contractor staff; (10) human capital management activities are limited to a non-IT-specific training needs survey, and a human capital assessment has not been performed to identify short- and long-term IT knowledge and skills requirements; and (11) to its credit, SBA recognizes many of these IT management weaknesses and plans to make improvements in each key process area.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.