Information Technology Strategic and Security Plan

INSTRUCTIONS
Agency Guidelines

Agency for Enterprise Information Technology
Office of Information Security
Fiscal Years 2007 thru 2008-2009
August 2007

TABLE OF CONTENTS

PROLOGUE
1. OVERVIEW
2. STRATEGIC PLAN INSTRUCTIONS AND PERFORMANCE REVIEW STANDARDS
3. SECURITY PLAN INSTRUCTIONS AND PERFORMANCE REVIEW STANDARDS
4. TRENDS AND CONDITIONS ANALYSIS
APPENDIX A: SUGGESTED IT SECURITY STRATEGIC PLAN FORMAT
APPENDIX B: GLOSSARY OF TERMS

SECTION I: OVERVIEW

The State Office of Information Security (OIS) Strategic Plan (SP) is a plan developed and/or revisited on an annual basis. Primarily, the OIS strategic plan sets the direction for the member agencies over a three-year timeframe. Strategic issues are identified that are critically important to meet the needs of Floridians and stakeholders. Although broad goals are defined and intermediate objectives and strategies are specified, agencies are still required to develop strategic plans unique to agency IT security needs. The IT security strategic plan is understood as a model and/or template only. Agencies can request a review by the OIS upon submittal of their strategic plans via the FL ISAC Portal. The OIS will then review each strategic plan to ensure the IT security portion of the plan is consistent with the OIS Security Strategic Plan direction and statewide policies. Comments and recommendations will be sent back for revision.

Strategic Planning Philosophy

Strategic security planning is an explicit long-term, iterative, future-oriented process of assessment, goal setting, and decision-making that maps an explicit path between the present and the future. The strategic planning process identifies critical focus issues that must be addressed for the agency to either succeed or prevent failure, and sets direction for the eventual security plan in terms of the operations of the agency.
This involves an implicit understanding that aspects of the future will be influenced and changed by what the agency plans and does now. The strategic planning process helps an agency not only to plan for the future, but more importantly to influence the future. This process requires the identification of critical focus issues and setting of goals and objectives and their attainment within specified periods of time to reach the planned future state. These targets must be developed within the context of the desired future state of the agency, must be realistic, objective, and attainable. The strategic focus issues, goals, objectives and strategies developed within the strategic planning process provide the agency with its core direction and priorities and set guidelines for strategic managerial decisions as well as the operational security plan. The ultimate goal of strategic planning is to focus on the quality of security service provided and the results or benefits of these services to Floridians. 

Strategic planning for state government serves distinct, interrelated purposes, including the following:

• To establish direction in key security policy or strategic service areas in order to move away from crisis-driven decision-making;
• To assess the needs of stakeholders and the external and internal environments to understand how the agency can address problems and opportunities within existing capabilities;
• To provide a basis for aligning resources in a logical manner to address the critical focus issues facing the agency now and in the future;
• To make state government more responsive to the needs of Floridians by placing greater emphasis on performance-benefits, results and outcomes of services rendered rather than just service efforts and workload;
• To bring selected focus issues to policy-makers for review, discussion and potential legislative and budgetary support;
• To provide a context to link the budget process and other legislative processes with priority focus issues, and to improve accountability for the use of state resources;
• To establish a means of coordinating the policy concerns of public officials with implementation efforts and to build interagency, intergovernmental, and public/private/nonprofit partnerships; and,
• To provide a forum for communication between service providers and constituents.

Strategic planning relies on careful consideration of the agency capabilities and environment and leads to priority-based allocation of fiscal, human, technological, capital and other resources.

The IT security strategic plan defines what an agency security program intends to become. It outlines the goals and objectives and produces strategies that lead to priority-based resource allocation decisions the agency plans to follow to achieve its goals. It includes a multi-year view of objectives and strategies for the accomplishment of agency goals.
Clearly defined outcomes provide feedback that permits program performance to influence future planning, resource allocation and operational decisions.

Successful strategic planning is characterized not only by compliance but also by commitment on the part of the leadership, the entire management team and all employees. Ultimately, strategic planning will succeed or fail according to how well the process results in quality service. Producing identifiable and meaningful results is essential to a successful strategic planning process.

The information technology strategic security plan is a document that communicates goals, directions and outcomes of the ISM leadership to various audiences, including the Governor and the Legislature, client and constituency groups, the general public and employees of the member agencies.

Strategic planning is a process of self-examination, the confrontation of difficult choices and the establishment of priorities. This self-examination is accomplished through a Strength, Weakness, Opportunity, and Threat (SWOT) Analysis. A SWOT analysis is an assessment of stakeholders and the external and internal environments. It is the foundation of the performance evaluation and planning process, and it begins the strategic planning process cycle. The analysis assesses the external environment to determine future-oriented opportunities and threats, assesses the internal environment to determine present strengths, weaknesses and capabilities, and assesses stakeholders to determine needs and key success factors. The analysis provides critical information by identifying issues important to stakeholders, formulating specific actions to deal with threats and weaknesses, building on strengths and taking advantage of opportunities. The end result of the SWOT analysis is the identification of strategic focus and issues, associated goals, objectives and the strategies needed to achieve the goals and objectives.

Strategic issues must be developed using information from a SWOT analysis conducted by the agency or the Office of Information Security. Strategic goals must provide statewide policies needed to address the strategic issues. Strategic objectives must be Specific, Measurable, Achievable, Responsible, and Time Certain (SMART) and include projection tables. Strategies must be written in sufficient detail to ensure state agencies and staffs clearly understand their responsibilities with respect to implementing time-certain projects, initiatives, or activities.

Because the SWOT analysis is conducted on a cyclic basis, it also aids the agency in validating information developed in previous analyses and confirms the selection of strategic focus issues, goals and objectives. In addition, the analysis confirms or rejects the continued validity and appropriateness of the selected issues, goals, and objectives. Without a thorough SWOT analysis, the plan and/or the products of the analysis are likely to be flawed. The analysis is not used to justify or explain programs or processes.

Because the SWOT analysis is a global assessment of the agency and its environment and stakeholders, it provides the foundation for the Trends and Conditions Analysis (TCA). The Trends and Conditions Analysis contains summaries of selected portions of the SWOT analysis tailored to set up strategic focus issues and the associated goals and objectives.

Strategic planning and strategic management, which is the day-to-day implementation of the strategic plan, are some of the most important, never-ending tasks of management, especially Information Security Managers. Once a strategic plan is developed, the task of management is to ensure its implementation and to assess the current situation. The future, by definition, always faces us; thus agencies must always be in the simultaneous processes of planning, evaluating, and implementing plans.

Figure 1. Strategic Planning Process shows the flow of the planning and evaluation process, and the major components of the SWOT analysis of the IT Strategic Security Plan.

SECTION II: INFORMATION TECHNOLOGY STRATEGIC PLAN INSTRUCTIONS AND PERFORMANCE REVIEW STANDARDS

The purpose of the information technology strategic security plan is to identify the strategic priority directions an agency will take to fulfill its mission within the context of the Strategic Security Plan, Florida Statutes, and other statutory mandates or authorizations directed by the Governor’s Office and Legislature. This plan must be written in a clear, concise style that will be understandable to the public, stakeholders, agency employees, the Office of Information Security, and to the Legislature. The presentation of information must be displayed in a user-friendly manner and explain the plan's intent and direction. In addition, each strategic security plan must accurately identify the agency's priorities to state policy-makers.

The IT strategic security plan must contain all components listed in this section. These components will be evaluated using the performance review standards identified in these Instructions. Each required component is described below, followed by a performance review standard(s). Some type of numbering or alphanumeric system must be employed for focus issues, goals, objectives and strategies to provide for easy reference.

Executive Overview

The executive overview must provide a brief summary and current background of IT Security in general, including an explanation of risks and conditions that lead eventually to the strategic focus issues and the major directions the agency will have to take to address these issues. An agency must also indicate major policy or strategic issue changes from the previous year’s strategic plan, including deletions, additions, or revisions to issues, goals, and objectives.

Performance Review Standards:
1. Current conditions that could lead to focus issues and major agency directions must be explained briefly.
2. Major changes from the previous year's strategic plan must be identified and explained. (Exempt for first year effort)

Table of Contents

A table of contents by page number must be included in the opening of an IT Strategic Security Plan. Additionally, it must include a listing of figures or exhibits with appropriate page numbers.

Performance Review Standard:
1. A complete table of contents, including a listing of figures and exhibits, with page numbers, must be located at the beginning of the plan.

Vision/Mission Statement

Whereas the Vision statement is short and succinct and represents an overall initiative, the mission statement is a series of enduring statements of purpose that describes what the agency does, for whom it does it, and how it does it. It answers the question, “Why does the security program exist?” An ideal mission statement is concise, and provides the framework for the agency’s priorities. Mission statements that are too complex to be committed to memory are of limited use for planning, daily decision making, or public accountability purposes.

Performance Review Standard:
1. The most effective vision statements are less than 50 words. Statutory references or operational statements are not appropriate for inclusion in the vision statement. The vision statement can be a single statement that encapsulates a meta goal.
2. The mission statement must briefly describe what the agency does, for whom it does it, and how it does it.

Security Principles - Many approaches and methods can be used to secure IT systems; however, certain intrinsic expectations must be met whether the system is small or large or owned by a government agency or by a private corporation. The intrinsic expectations are described in this document as generally accepted system security principles. The principles address computer security from a very high-level viewpoint.
The principles are to be used when developing computer security programs and policy and when creating new systems, practices or policies. Principles are expressed at a high level, encompassing broad areas, e.g., accountability, confidentiality, integrity, availability, cost effectiveness, and integration.

Performance Review Standards:
1. Each principle must be known and accepted within the IT security community, especially nationally.

Governance – The word derives from Latin origins that suggest the notion of 'steering'. Governance is that separate process or leadership process that makes decisions that define expectations, grant power, or verify performance. Frequently a public CIO or council is established to administer these processes.

IT governance implies a system in which all stakeholders, including the business managers, internal customers and related areas such as finance and human resources, not just Information Technology leaders, have the necessary input into the decision making process. This prevents a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected.

The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT related matters in contemporary organizations and states that IT strategic plan decisions should be owned by the corporate management, rather than by the chief information officer or other IT managers.

The primary goals for information technology governance are to (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing a Strategic Plan with well-defined goals, objectives and roles for the responsibility of information security, business processes infrastructure, etc.

Performance Review Standard:
1. Complete list of stakeholders, internal groups, partnerships must be included that identify purpose and linkage to focus issue information.

Conclusion - A conclusion is the final section of the Strategic Plan in which the agency ties together what was presented earlier, summing up the main point, successfully closing the discussion. The conclusion is often the most positive part of the strategic plan, stating the role of the agency as the chosen one to implement the strategic focus issues. Remember, the conclusion is often the part of the strategic plan that a reader remembers best, and thus must be effective to be strong.

Performance Review Standard:
1. Agency must self-nominate as the primary role enabler to implement strategic plan.

SECTION III: INFORMATION TECHNOLOGY SECURITY PLAN INSTRUCTIONS AND PERFORMANCE REVIEW STANDARDS

The security plan defines the operational effort for implementing the focus issues listed in the strategic plan. The best way to deploy the selected focus issues is to implement an IT security plan based upon:

• Prioritizing the Focus Issues via a Customer Survey
• Further detailing SMART
• Utilizing Project Management Methods
• Utilizing NIST performance metrics where appropriate

The preparation of security plans and procedures is a critical element of an agency’s overall security program. Security Plans are taken from the IT Strategic Plan creation stage through implementation to routine maintenance and updating, and returned the following year, completing the strategic life cycle.

The purpose of the security plan (SP) is to provide an operational strategy based upon defined objectives and to describe controls and tasks in place (Work Breakdown Structure) or planned responsibilities and expected behavior of all individuals (Responsibilities Assignment Matrix) participating in the implementation of selected focus issues. It is the body component of the Strategic Plan.
The agency security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for the focus issues. It should reflect input from various managers with responsibilities concerning the particular focus issue, including information owners, the system operator, and the system security manager. Additional information may be included in the basic security plan and the structure and format organized according to agency needs, so long as the major focus issues described in this document are adequately covered and readily identifiable.

Prioritization of Selected Focus Issues

Customer Survey – In order to assess the buy-in of agencies in terms of services received in the past and to align relevant services to customer satisfaction in the future, a short survey becomes necessary on at least an annual basis. The OIS will indicate responsibilities under six (6) service programs called focus issues. These programs are essentially understood as multiple security services found within the existing federated environment requiring buy-in by all stakeholders, but especially agencies as the primary customer and the agency information security manager (ISM) as the primary consumer.

Performance Review Standard:
1. Agency must develop a customer survey assessing satisfaction across selected focus issues as service programs.

SMART – Agencies need to either adopt existing Focus Issues and Strategic objectives from the uniform framework of the OIS Strategic Plan or create their own, subscribing to the formula that they must be Specific, Measurable, Achievable, Responsible, and Time Certain (SMART) and include projection tables. Strategic objectives must now be written in sufficient detail to ensure state agencies and staffs clearly understand their responsibilities with respect to implementing time-certain projects, initiatives, tasks or activities as contained and derived from their initial Strategic Plan.

Performance Review Standard:
1. Agency must adopt existing focus issues and strategic objectives or develop their own and further apply objectives to SMART for the Security Plan.

Project Management Methods

WBS - Work Breakdown Structure - Allows the ISM to define the scope as well as the detail of all of the work of the Security Plan based upon the selection of focus issues and strategic objectives. All of the defined work must be decomposed, planned, estimated, assigned and scheduled, and authorized with the use of a detailed integrated management control process called the WBS. Decomposition involves subdividing the major strategic objectives and deliverables into smaller, more manageable components until the objectives and tasks are defined in sufficient detail to schedule duration and make assignments in support of the development of an Agency Security Plan.

Decomposition involves the following major steps:
(1) Identify the major strategic objectives and deliverables of the Security Plan under each Strategic Issue.
(2) Decompose objectives into activities and tasks appropriately.
(3) Decide if adequate cost and duration estimates can be developed at this level of detail for each objective or deliverable. The meaning of adequate may change over the course of the strategic objective; decomposition of a deliverable that will be produced far in the future may not be possible.

Performance Review Standard:
1. Agency must decompose existing focus issues and strategic objectives into activities and tasks for assignment for the Security Plan.

NIST Performance Metric

NIST - Founded in 1901, the National Institute of Standards and Technology is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
The NIST Computer Security Division is especially dedicated to IT Security in the form of a series of Special Publications. The primary publication for this exercise is:

Special Publication 800-80, Guide for Developing Performance Metrics for Information Security

This guide is intended to assist organizations in developing metrics for an information security program. The methodology links information security program performance to agency performance. It leverages agency-level strategic planning processes and uses security controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems, to characterize security performance. To facilitate the development and implementation of information security performance metrics, the guide provides templates, including at least one candidate metric for each of the security control families described in NIST SP 800-53.

Performance Review Standard:
1. Agency must use SP800-80 in selecting appropriate performance metrics for each focus issue, strategic objective, and/or decomposed activity or task for assignment for the Security Plan.

Trends and Conditions Analysis (TCA)

The Agency has the flexibility in choosing any strategic focus issue and may identify as many issues as necessary in order to fulfill unique agency need, but must focus on critical issues. The agency could also adopt the OIS Strategic Plan containing six focus issues deemed critical statewide, in part or in total. Remember, each focus issue was subjected to the SWOT, TCA and initial SMART at least four times over the duration of the past six years.

1. IT Security Policy
2. Audit Compliance
3. IT Training & Consulting
4. IT Domestic Security Coordination and Outreach
5. IT Security Incident Response
6. IT Security Survivability Planning

Agency unique focus issues or additions to the above six in any combination must be subjected to the same methodology.

The trends and conditions analysis (TCA) is derived from the Strength, Weakness, Opportunity and Threat (SWOT) analysis depicted in Figure 1. A SWOT analysis is a global assessment of stakeholders as well as external and internal environments. This analysis provides information about the needs of stakeholders and the success factors (criteria) they will use to judge performance. Further, the analysis examines strengths and weaknesses in relation to the opportunities and threats it faces. Strengths and weaknesses are usually internal and refer to the present state of the agency and its capabilities, while opportunities and threats are typically external and future oriented. The end result of the SWOT analysis is the identification of strategic issues, associated goals and objectives, and strategies to achieve the goals and objectives.

The trends and conditions analysis is a summary of selected portions of the SWOT analysis that is tailored to set up strategic focus issues and the associated goals and objectives. Each trends and conditions analysis must identify and analyze the factors observed by the agency that impact the agency's ability to perform its mission and meet the needs of its stakeholders in relation to the strategic focus issues.

Strategic focus issues are generally focused on public conditions and the factors that contribute to those conditions. For example, the Governor’s Office may be concerned with the public condition or critical need for IT security policy uniformity. The effectiveness of Agency Policy Development would be a contributing factor in addressing the condition, while the effectiveness of enterprise policy templates would be part of the solution. The Strategic Focus Issue selection is based on a critical need that affects or impacts the nature of a public condition in a way that benefits Floridians.

The trends and conditions analysis includes an analysis of past and current conditions and trends, and forecasting of future conditions and trends. Projections or forecasts will be presented as either opportunities or threats/problems for the agency. Agency strengths and weaknesses are identified to determine capabilities that can be used to capitalize on the opportunities or combat threats.

A trends and conditions analysis must answer the questions, “What has Florida looked like in this focus issue area in the past five to ten years?” and “What will Florida look like in this issue area in the next two to five years?” Changes or modifications to prior year strategic issues should also be described and explained. In addition, an analysis of the agency's capital facilities and information resources needs as they relate to addressing the strategic focus issue may be included.

Each agency must determine how much trends and conditions analysis information to include. A separate trends and conditions analysis is preferred for each strategic focus issue, but an agency may use one trends and conditions analysis to set up all focus issues in the strategic plan or more than one issue in the plan. Adequate trends and conditions analysis information must be provided for decision makers and interested readers to understand the agency’s strategic issue(s) and to “set up” every associated goal and objective.

Condition - A prevailing set of circumstances in Florida’s recent past and present, such as a change of legislative mandate, accomplishment of an objective, lack of available resources, major disaster, or change in policy direction affecting or influencing the agency or its customers/clients. Factors to be considered are changes and/or attitudes affecting demographic data, and political, economic, societal and technological forces.

Trend - A general movement in the course of time of a statistically detectable change.
In addition, it can be a prevailing tendency or inclination of related historical or projected changes in forces that impact the agency. Trends and conditions analysis narrative must describe observations of directions or trends of development regarding elements or circumstances associated with the strategic focus issue(s) and must also provide an understanding of what has happened in the past and what is projected for the future. An understanding of trends aids decision-makers by placing the agency's strategic focus issue(s) in context. Significant trends and continued or anticipated changes in the factors relating to these trends help define or describe the significance of a strategic focus issue(s).

Projections and Forecasts - A projection is an estimate of future possibilities based on current trends. A forecast is a prediction of some future event or condition based on an analysis of available pertinent data and correlated observations over time. As the agency tracks trend data over time, statistical analysis and historical comparisons of trend data will allow the agency to describe scenarios of future events, conditions, and possibilities. Using scenarios, an agency can develop strategic focus issues that are future-oriented (2-5 years), and goals, objectives and strategies to address the issues. Strategic issues also can be developed separately using other analytical methods and scenarios as alternate courses of action to address them.

Performance Review Standards:
1. Each trends and conditions analysis must address or describe conditions, trends, opportunities and threats/problems that relate to the agency’s strategic issue(s), goal(s), and objective(s).
2. Each trends and conditions analysis must identify trends and conditions that affect agency outcomes in order to address the question “What has Florida looked like in this issue area in the past five or ten years?”
3. Each trends and conditions analysis must forecast or project the future direction/condition of an issue in order to answer the question “What will Florida look like in the next two to five years?”
4. Each trends and conditions analysis must provide an understanding of why the particular strategic issue(s) is important to the Agency.
5. Each trends and conditions analysis must “set up” or provide supporting data for goals and objectives associated with a strategic issue.

Endnotes

Sources of information and data must be identified in endnotes, which are to be presented in a format similar to footnotes. They may be located at the end of each strategic plan chapter/section or at the end of the plan. Endnotes must contain adequate information to allow state and agency policy-makers, staff, and other interested readers to locate the source of data or information presented in the trends and conditions analysis. This provides credibility to the information in the analysis.

Performance Review Standard:
1. Complete endnotes must be included that identify data sources and other references to important information.

Strategic Focus Issue

The substance of the strategic plan is based on a set of “strategic focus issues,” which are the premises of the plan. They are developed by agency decision-makers and serve to identify the most significant opportunities and/or threats/problems that must be addressed in the next five years to help the agency succeed or to prevent the agency from failing in its mission.

Strategic focus issues are critical challenges or fundamental policy concerns that affect the nature of a public condition or factors that contribute to a condition. They may address a public condition, but usually address a contributing factor to a public condition. To be considered critical, an issue must significantly impact the health, safety or welfare of the public. If not addressed, the agency can expect undesirable results from a threat, missed opportunity, or both.

Each agency will be responsible for identifying issues based on its particular constitutional and statutory responsibilities, including the State Comprehensive Plan, and an evaluation of trends and conditions affecting an agency’s mission. Issues may change from year to year, as necessary, to reflect the agency’s priorities based on observed trends and conditions or changes mandated by the Legislature.

Strategic issues are written in the form of a statement, a question or a topical phrase that challenges the agency. For example:

Statement - The existing policy development system and processes are not meeting State needs for uniformity and minimum policy requirements across all agencies.
Question - What must be done to improve the State’s policy uniformity and processes?
Topical Phrase – Uniform Policy Templates as developed by Governor’s initiative

The preferred method for identifying strategic focus issues is the statement and agencies are encouraged to use this method. The focus issue statement encapsulates the indicators of the problem and describes the strategic focus issue. For the example, the trends and conditions analysis should then detail trends and conditions surrounding (A) The lack of Policy Uniformity; (B) Number of Agencies; (C) Key Policies. By using the issue statement form, the agency states the issue in a descriptive fashion rather than simply asking a brief question or giving a topical phrase. The Question and Topical Phrase forms require the Trends and Conditions Analysis to specifically address and detail the language of the issue.

Performance Review Standard:
1. Strategic issues that address a public condition and/or a contributing factor must be identified.

Strategic Goal

Strategic goals are long-term ends toward which an agency directs its efforts by stating policy intentions. Achievement of a strategic goal moves the agency closer to realizing/resolving the strategic issue.
Goals are consistent with the agency mission usually requiring a substantial commitment of resources and achievement of short-term (2-3 years) and mid-term (4-5 years) objectives. Each goal must include a set of indicators. Indicators are a single quantitative or qualitative statement that reports information about the nature of conditions and/or activity influencing the goal. Goal indicators may include high-level outcome and/or output measures. Each indicator is associated with baseline data that can be used for comparison purposes when the indicator is measured. When the indicators are compared to baseline information over time and viewed in the aggregate, the overall progress or lack of progress may be determined in achieving the associated goal. Each strategic goal must include at least one indicator with baseline data and year and the current year data.

An example of a strategic goal is: increase use of templates.

Example of an indicator:

Indicator                              Baseline Data (FY 2007-2008)   Current Data (FY 2010-2011)
Governor’s Initiative (11 templates)   11 Policies                    N/A

Performance Review Standards:
1. At least one goal must be provided for each strategic issue.
2. At least one indicator, with baseline data, must be provided for each goal.

Strategic Objective

A strategic objective is a measurable, short-term (2-3 years) or mid-term (4-5 years) performance or improvement target that is achievable and supports the strategic goal. It provides a means of defining in quantifiable, measurable and time-related terms what will be done to achieve a strategic goal. Each objective contains baseline data that can be used for comparison purposes when the objective is measured. Strategic objectives should not be limited only to what an agency has control over; rather they should be more global and written to include what an agency may only partially influence.
Global objectives are the result of two or more agencies integrating their efforts to solve a problem or capitalize on an opportunity in addressing the needs of Floridians. Objectives are outcome, rather than output, oriented. Outcomes describe the benefit of agency program outputs on or to people, organizations and conditions. Outcomes are the end results achieved on behalf of an agency's stakeholders or all Floridians, while outputs are the results or products of agency programs. For example, an outcome would be the percent increase in accuracy of evidence analysis and an output would be the number of laboratory analyses processed. Objectives must identify what the result to those being served will be rather than how many were served by a program. Measures must have a clear, logical relationship to the objective and provide targets or results to be attained. Objectives should not include all activities carried out by an agency. Instead, they should identify high priority, intermediate strategic destinations toward which an agency strives.

Projection Table

An agency determines an outcome(s) it wants to achieve to meet the future and/or continuing needs of a customer group based on its SWOT analysis. The outcome(s) is written as an objective adding a date to make it time certain, baseline information to provide information for comparison when measured, and a specific target(s). To aid the agency in forecasting future requirements and measuring performance, a Projection Table is added, as a part of the objective, to show annual objective targets. These incremental outcome projections help to link the strategic objective to annual agency program budgeting and performance reporting. When an objective becomes part of the strategic plan, the agency selects one of its programs to use as the implementation and funding mechanism to address the strategic objective. The Projection Table allows the agency to predetermine its annual targets for budget request purposes.
The following is an example of an objective and its accompanying projection table:

OBJECTIVE: By 2007, increase uniformity of Policy across all agencies

PROJECTION TABLE
FY 2007   FY 2008   FY 2009   FY 2010   FY 2011
65%       70%       80%       80%       80%

All objectives must be SMART (Specific, Measurable, Achievable, Responsible, and Time certain). Because the scope of the plan is five years, agencies need to think beyond program outputs, which are often the only types of targets that an agency can achieve over the short term. Instead, strategic plans must include objectives with a variety of anticipated completion dates.

Proposed fixed capital outlay/facility needs and information resource needs that an agency defines as necessary to address a particular strategic focus issue also may be included as an agency objective. Only the highest priority capital and information resource needs should be included in an objective. An agency may decide that more than one objective is appropriate to adequately address capital and/or information resource needs. While these needs may be included as objectives, generally they are written more appropriately as strategies.

Performance Review Standards:
1. At least one objective, including baseline data, must be developed for each agency strategic goal.
2. Each objective must set explicit, measurable targets -- quantitative, actual outcome or results/effectiveness oriented measure(s) that may be examined, on an interim basis, to adequately measure or evaluate progress toward implementing the goal.
3. Each objective must include a projection table that shows annual targets to be achieved.
4. Each objective must be time certain -- identifying its anticipated date of completion.
5. Each objective must indicate the overall impact or outcome of agency efforts for Floridians rather than the accomplishments of an agency activity.

Strategy

A strategy is a methodology or means of achieving a strategic goal and its objectives.
While objectives show what is to be achieved, strategies show how the goals and objectives will be achieved. Generally, strategies are used as the means to achieve a goal and its associated objectives. However, strategies may be written in global terms that address the strategic issue, rather than specific goals and objectives. The preferred method is for strategies to address goals and objectives. Strategies are not in themselves operational, but they are the link between the goals and objectives and the action/operational plans and activities of an agency. Rather than being a short term "action step" that is completed rather quickly, a strategy usually comprises many action steps and directs agency staff in accomplishing an objective, often at the program level. Strategies may address agency outputs, available funding, and may relate to internal actions that need to be taken to make the agency more efficient. However, strategies are not required to be measurable.

When an agency develops a strategic objective, it also must develop strategies or methodologies to implement the objective and/or associated goal. Many strategies include outputs. Outputs are actual services or products delivered by a state agency through its programs. These outputs are associated with continued, improved or new services, functions or activities in programs.

For the strategic plan, there are four basic types of strategies. Goals and objectives may be addressed using one or more of these types of strategies depending on the nature of the goal and/or objective. The four types are:
• Global - These are overarching methodologies that include multiple divisions/bureaus within the agency or methodologies that include agencies and/or organizations outside of the agency to achieve a goal or an objective.
Example - Work with the departments of Corrections, Juvenile Justice, Education, the Florida Parole Commission and public interest groups to identify training and skills necessary to reduce recidivism.
• Service, Program, and Business Process - These are primarily internal methodologies that are oriented towards reorganization and/or service and process improvements that would aid in achieving a goal or objective.
Example - Increase the number of DNA samples added to the DNA database from 1996 levels of 2,633 to 21,500 by 1999.
• Functional - These are finance, staffing, facility, information technology or procurement methodologies that would aid in achieving a goal or an objective.
Example - Fully automate and integrate all Executive Investigations databases and link them to other appropriate remote databases to increase investigative efficiency.

Performance Review Standards:
1. At least one strategy must be included for each agency objective.
2. Each strategy must explain how a goal and associated objective(s) is to be achieved.

Consistency with OIS Strategic Issues and Goals

Agencies must also indicate whether or not their strategic focus issues, goals, and objectives are consistent with the OIS goals established by the Office of Information Security. The matrix shown below should be included in the appendix of an Agency IT Security Strategic Plan.

FORM MATRIX
Security Policy Security Audit Compliance Training & Consulting on Information Technology Security issues Domestic Security Coordination and Outreach Incident Response Survivability Planning
Yes/No Yes/No Yes/No Yes/No Yes/No Yes/No

Statutory Mandates or Authorizations

Each agency must identify the constitutional and other statutory and/or legislative mandates or authorizations necessary to implement the elements of the Agency Strategic and Security Plans.
This requirement may be satisfied by adding a paragraph in the trends and conditions analysis narrative that identifies the mandate or authorization and explains how it relates to a strategic issue or adding an appendix to the ITSP. Constitutional or Statutory Mandates or Authorizations do not negate or supersede other planning information requirements. Projects mandated by law are subject to the same planning and analyses as projects proposed by the agency. If an agency chooses a strategic focus issue or objective for which it does not have constitutional or legislative authority, the ITSP must include an explanation in the trends and conditions analysis of how and when the agency will seek that authorization.

Each agency must also identify conflicts with constitutional and other statutory mandates or authorizations that may occur as a result of pursuing the implementation of any element of the State Comprehensive Plan. This requirement may be satisfied by adding a paragraph in the trends and conditions analysis narrative or in an appendix to the ITSP.

Performance Review Standards:
1. A list of constitutional and other statutory mandates and authorizations must be included.
2. An appendix must be included that shows the relationship between new constitutional and/or statutory authority, including key budget issues, to implement the ITSP and the affected goal(s), objective(s) and/or strategy(ies).

APPENDIX A: SUGGESTED INFORMATION TECHNOLOGY STRATEGIC PLAN FORMAT

I: Table of Contents
II: Overview (Executive Summary)
III: Vision, Mission and Guiding Principles
IV: Governance
V: Strategic Focus Issues (SWOT, TCA)
   Strategic Issue A
   A. Strategic Goal I.
      1. Strategic Objective 1.
         i. Strategy a.
         ii. Strategy b.
      2. Strategic Objective 2.
         i. Strategy a.
         ii. Strategy b.
   B. Strategic Goal II.
      1. Strategic Objective 1.
         i. Strategy a.
         ii. Strategy b.
      2. Strategic Objective 2.
         i. Strategy a.
         ii. Strategy b.
V: Conclusion
VI. Endnotes
VI. Appendices
   A. Consistency with OIS Strategic Plan
   B. IT Project Matrix and IT Project Overview Forms
   C. Explanation of Significant Modifications to Previous ITSP
   D. Agency Authorizing Statutes
   E. Glossary

APPENDIX B: GLOSSARY OF TERMS

Activity – A specific component or set of tasks within a program.

Analysis – The examination and evaluation of an issue, condition, circumstance or problem, its elements and their relationships. The results of this examination may include assumptions about the issue, condition, circumstance or problem; explanations; conclusions and potential solutions.

Baseline – A set of critical data used for comparison or control when measuring indicators, objectives and performance measures. The baseline remains fixed in time and does not change.

Budget Issue – Separately identifiable decision packages which are used as building blocks to explain expenditures in program components.

Conditions – A prevailing set of circumstances in Florida's recent past and present affecting or influencing the agency or its customers/clients. Factors to be considered are changes and/or attitudes affecting demographic data, and political, economic, societal, technological, educational, and/or physical forces.

Contributing Factor – A variable that impacts a public condition. These variables can be either an opportunity that positively impacts a public condition or a threat that negatively impacts a public condition.

Decision-Makers – The executive leadership of an agency, who establish strategic and operational direction, control and allocate resources and manage the major functional or business units of the organization within the authority granted by the Legislature.

Distinct Competencies – The abilities, strategies, and actions the agency is particularly good at or the resources (broadly construed) on which it can draw easily to perform well.

Endnote – A note placed at the end of a chapter or text that documents the source of a quotation or information.
Enterprise Resource Planning and Management – The planning, budgeting, acquiring, developing, organizing, directing, training, control, and related services associated with government information technology. The term encompasses information and related resources, as well as the controls associated with their acquisition, development, dissemination, and use.

External Environmental Assessment – An assessment that primarily explores the environment outside the agency in order to identify the opportunities and threats the agency/state faces. There are four major categories that must be monitored in such an exploration: 1) public conditions and the factors that contribute to the conditions, 2) forces and trends, 3) competitors and collaborators, and 4) mandates.

Facilitating Factors – An external or internal variable that contributes to the production of a result or aids the agency in implementing its strategies and accomplishing its objectives.

Forecast – A prediction of some future event or condition based on an analysis of available pertinent data and correlated observations over time. As an agency tracks trend data over time, statistical analysis and historical comparisons of trend data will allow the agency to describe scenarios of future events, conditions and possibilities.

Hindering Factors – An external or internal variable that delays, deters or impedes the production of results or obstructs the agency from implementing its strategies and accomplishing its objectives.

Indicator – A single quantitative or qualitative statement that reports information about the nature of a condition and/or activity influencing the goal. The term indicator is used commonly as a synonym for the word measure. Examples include student-teacher ratio, number of degrees awarded, number of investigated child abuse reports and per capita income.
Information Technology Resources – Equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form.

Internal Environmental Assessment – An assessment that primarily explores the environment inside the agency in order to identify its strengths and weaknesses or agency capabilities. There are five major categories that must be monitored in such an exploration: 1) mission and organizational values; 2) services, programs and policies; 3) resources; 4) present strategies; and 5) performance.

Legislative Budget Request – A request to the Legislature, filed pursuant to s. 216.023, F.S., or supplemental detailed requests filed with the Legislature, for the amounts of money an agency or branch of government believes will be needed to perform the functions that it is authorized, or which it is requesting authorization by law, to perform.

Long-Range Program Plan – A plan developed on an annual basis by each state agency that is policy-based, priority-driven, accountable, and developed through careful examination and justification of all programs and their associated costs. Each plan is developed by examining the needs of agency customers and clients and proposing programs and associated costs to address those needs based on state priorities as established by law, the agency mission, and legislative authorization. The plan provides the framework and context for preparing the legislative budget request and includes performance indicators for evaluating the impact of programs and agency performance.
Mission Statement – A broad enduring statement of purpose that describes what the agency does, for whom it does it, and how it does it. It answers the question, "Why does the agency exist?" An ideal mission statement is short and concise, and provides the framework for the agency's priorities.

State Office of Information Security (OIS) – The State of Florida enterprise information security office, whose role is to guide, coordinate, and assist state agencies in identifying threats to their information assets and mitigating their vulnerabilities, so effective security controls can be implemented.

Organizational Values – Principles or qualities that define organizational excellence, how an organization works with its stakeholders, and how it works with its members.

Outcome – An indicator of the actual impact or public benefit. Examples include the change in scores on achievement tests, number of bus or train trips off schedule, bed disability days per treated customer, the quality of water after treatment, and reduction in crimes committed.

Output – The actual service or product delivered. Examples of outputs include the number of cases processed, number of persons screened, lane miles of road constructed and number of students graduating.

Performance Measure – A quantitative or qualitative indicator used to assess performance.

Performance Review Standards – Criteria used by OPB staff and the Legislature to review and evaluate agency performance reports and strategic plans.

Plan-in-Brief – A summary of the ITSP, between one and ten pages long, depending on the format used. It summarizes the most important trends and conditions, strategic priorities, goals and objectives. Sometimes key strategies are included.

Policy-Makers – The executive and legislative leadership of state government who establish and implement laws that provide direction and operational guidance and controls.
Program – A set of activities undertaken in accordance with a plan of action organized to realize identifiable goals and objectives based on legislative authorization.

Program Purpose Statement – A brief description of an approved program’s responsibility and policy goals. The purpose statement is similar to an agency’s mission statement except that it is directed at the program level.

Projection – An estimate of future possibilities based on current trends.

Projection Table – A table used to delineate annual agency forecasts for strategic objective outcome targets for the time period covered by the ITSP.

Public Condition – A state or circumstance that affects or impacts the health, safety or welfare of Floridians.

SMART – An acronym that describes the parts of a strategic objective: Specific, Measurable, Achievable, Responsible, and Time certain.

Stakeholder – Any person, group or organization that can place a claim on an organization’s attention, resources or output or is affected by that output. Examples of state government stakeholders include citizens, taxpayers, and service recipients, the Legislature, employees, unions, interest groups, political parties, the financial community, businesses and other governments. The label “customer” is given to the agency’s key stakeholders.

Standard – The baseline level of performance of an outcome or output.

State Comprehensive Plan (SCP) – Florida's highest-level state planning document as described in Chapter 187, Florida Statutes. The SCP provides long-range guidance for state, regional and local governments and other entities in the development and implementation of their respective plans, programs, and services. The purpose of the SCP is to provide basic policy direction to all levels of government regarding the protection of the state's resources and the physical, social and economic growth of Florida.

Strategic Goal – A long-term end towards which an agency directs its efforts by stating policy intentions.
Achievement of a strategic goal moves the agency closer to realizing/solving the associated strategic issue. Goals are consistent with the agency’s mission – usually requiring a substantial commitment of resources and achievement of short-term and mid-term objectives.

Strategic Focus Issue – The point-of-departure for the strategic plan. Strategic issues are developed by agency decision-makers and serve to identify the most significant opportunities and/or threats/problems that must be addressed in the next five years in order to succeed or fail in achieving the mission. Strategic issues are critical challenges or fundamental policy concerns that affect the nature of a public condition. They may address a public condition, but usually address a contributing factor to the condition. To be considered critical, an issue must significantly impact the health, safety or welfare of the public. If not addressed, the agency can expect undesirable results from a threat, missed opportunity or both.

Strategic Objective – A measurable, short-term (2-3 years) or mid-term (4-5 years) performance target that is achievable and supports the strategic goal. It provides a means of defining in quantifiable, measurable, and time certain terms how a strategic goal will be achieved. Objectives are outcome, rather than output, oriented. An objective also can be used to evaluate the policy direction of a strategic issue, as well as how well resources are being used. Strategic objectives are not to be limited only to what an agency has control over; rather they can be more global and written to include what the agency may only partially influence. Objectives should be SMART (Specific, Measurable, Achievable, Responsible, and Time certain).

Strategy – A methodology or means of achieving a goal and its objectives. It may address available funding and relate to internal actions that need to be taken to make the agency more efficient.
Goals and objectives show what is to be achieved; strategies show how they will be achieved. Strategies are not in themselves operational, but they are the link between the strategic objectives and the action/operational plans and activities of an agency. Rather than being a short term "action step" that is completed rather quickly, a strategy usually comprises many action steps and directs staff in accomplishing an objective, often at the program level. For the ITSP there are four basic types of strategies:
• Global – These are overarching methodologies that include multiple divisions/bureaus within the agency or methodologies that include agencies and/or organizations outside of the agency to achieve a goal or an objective.
• Stakeholder/Subunit – These are methodologies that use specific target groups to achieve a goal or an objective. Example: FL ISAC Portal
• Service, Program, and Business Process – These are primarily internal methodologies that are oriented towards reorganization and/or service and process improvements that would aid in achieving a goal or objective.
• Functional – These are finance, staffing, facility, information technology or procurement methodologies that would aid in achieving a goal or an objective.

Strength, Weakness, Opportunity and Threat (SWOT) Analysis – A global assessment of stakeholders and the agency’s external and internal environments. It is the most important part of the performance evaluation and planning process, and it is the initial part of the strategic planning process cycle. The SWOT analysis assesses the external environment to determine future-oriented opportunities and threats, assesses the internal environment to determine present strengths and weaknesses, and assesses stakeholders to determine needs and key success factors. The analysis helps to identify issues important to stakeholders, formulate specific actions to deal with threats and weaknesses, build on strengths, and take advantage of opportunities.
Because the analysis is conducted on a cyclic basis, it also aids in validating information developed in previous analyses and confirming strategic issues, goals and objectives. In addition, the analysis confirms or rejects the continued validity and appropriateness of the selected issues, goals and objectives.

Success Factors – The things an agency must do, the criteria it must meet, or the performance indicators it must satisfy to survive and prosper in the external environment.

Trends – A general movement in the course of time of a statistically detectable change. In addition, it can be a prevailing tendency or inclination of related historical or projected changes in forces that impact the agency.

Trends and Conditions Analysis (TCA) – A summary of selected portions of the SWOT analysis that is tailored to set up strategic focus issues and the associated goals and objectives. Each TCA identifies and analyzes factors observed by the agency that impact the agency's ability to perform its mission and meet the needs of its stakeholders in relation to the strategic issues. The TCA includes an analysis of current conditions and trends, and forecasting of future conditions and trends. The TCA provides sufficient information to aid decision-makers and interested readers in understanding the strategic issue(s) and to “set up” associated goals and objectives.

Work Breakdown Structure (WBS) – A deliverable-oriented grouping of project elements that organizes and defines the total work scope of the Security Plan. Each descending level represents an increasingly detailed definition of the focus issue and strategic objective. Each item in the WBS is generally assigned a unique identifier; these identifiers can provide a structure for a hierarchical summation of costs and resources.
