 |
|
 |
|
|
||
 |
| |||||||
|
|
Background The State's IT Planning Policy, P136, and Risk Management Standard, P800-S805, mandate that each executive branch agency submit an annual IT Security Assessment to GITA. The categories of IT security controls addressed in the assessment derive from the Federal IT Security Framework and the Federal Office of Management and Budget's control requirements for agencies. In addition, Arizona’s implementation plans for domains within the Enterprise Architecture (EA) call for gaps from target to be addressed as part of each agency’s annual IT planning activities. GITA has a new online assessment tool, Technology Infrastructure Standards Assessment (TISA), which now addresses IT quality assurance and enterprise architecture as well as IT security compliance. Purpose The purpose of the self-assessment is to help agencies identify their IT security vulnerabilities as well as deviations in complying with other statewide standards. These vulnerabilities and compliance deviations should then be addressed in the agency’s IT plan. The completed standards compliance assessment establishes a baseline for agency operations, which will then be used for evolutionary planning and budgetary purposes. Requirements Each major executive branch agency must assess its IT environment, using the TISA application, by September 1st of every year. For FY 2006, 25 categories are being assessed: 17 of the categories deal with IT security, two are in the area of software architecture, one in the area of network architecture, one in the area of platform architecture, three in the area of data/information architecture and one in the area of quality assurance. These categories correspond with the statewide standards found on the GITA web site at www.azgita.gov/policies_standards/. The questions are extracted verbatim from the standard with the paragraph number of the standard being indicated in parentheses at the end of each question. Agencies are requested to estimate their approximate percentage of compliance for the current and next three fiscal years in each of these categories. The intent is to use weighted and aggregated data to identify potential statewide trends across multiple agencies. Past years’ responses to TeSA will also be included in any statistical analyses. A threshold of 70% compliance has been set for FY 2006 responses. Estimates falling below this threshold require an explanation; i.e. funding. “Not applicable” is also a valid response requiring an explanation of the rationale for the particular standard not being appropriate in these circumstances. Again, resolution of gaps or compliance not reaching 100% within the next three years should be addressed in the agency’s IT plan as either an IT goal or objective including annual targeted performance measures. Questions? TISA application or general questions, contact the IT Planning Manager at 364-4784. For specific questions regarding a standard, contact either the Enterprise Architecture Manager at 364-4790 or for specific questions regarding IT security, contact the Homeland Security Technology Manager at 364-4771.
|
|
