Business Technology Strategic Plan: 2013 - 2017
IT Service Management
Execution of the business technology strategy for the FDIC is supported by skilled management of the information technology resources and services. Information technology is a critical resource in fulfilling the FDIC's mission. Information technology resources include a broad range of hardware and software assets, such as desktop computers, laptops, network infrastructure, the business application portfolio, and the FDIC's public website (www.fdic.gov). The management of IT services is a balance of governance, risk management, security, and flexibility.
Governance ensures that information technology is aligned with the business and delivers value, that performance is measured, that resources are properly allocated, and that risks are managed and mitigated. The governance of information technology at the FDIC is a collaborative endeavor, led by the CIO Council. The CIO Council advises the CIO on all aspects of adoption and use of IT at the FDIC. The Council provides a leadership forum and is part of the governance structure for discussing issues of mutual interest across organizational boundaries. The Council champions the creative use of IT to support FDIC stakeholders and maximize the efficiency of FDIC's internal operations. The Council prioritizes and selects IT projects for funding and reviews the progress of these projects on a monthly basis. The Council is chaired by the CIO and its membership includes senior managers from the FDIC divisions and offices. The CIO Council is heavily involved in the execution of the business technology strategy, guiding the sequencing of application modernization efforts.
Major information technology investments are overseen by the Capital Investment Review Committee (CIRC). The Committee determines whether a proposed investment is appropriate for the FDIC Board's consideration, oversees approved investments throughout their life cycle, and provides quarterly reports to the Board of Directors. The committee is co-chaired by the CFO and CIO and its membership includes all division directors.
The implementation of the strategic imperatives outlined in this plan will be monitored by the FDIC's Enterprise Architecture Board (EAB). The EAB provides guidance, direction and oversight necessary to ensure that FDIC's enterprise architecture provides a comprehensive and effective mechanism for ensuring that IT solutions are optimized to support the mission and strategic direction of the FDIC.
The FDIC follows industry best practices and employs governance frameworks and methodologies to ensure successful execution of information technology projects, investments, and services. Chief among these methodologies are the Information Technology Infrastructure Library (ITIL) and the Rational Unified Process (RUP). ITIL is a framework of best practice approaches to facilitate the delivery of high-quality IT services. The framework outlines best practices for IT data center operations and services. The FDIC uses ITIL to help with internal integration and standardization efforts, and to ensure data center operations are better documented, repeatable, and easier to audit. RUP is a full life cycle process framework for delivering IT solutions, and is intended to be tailored to allow project teams to select the appropriate elements of the process for each IT effort. The FDIC has adapted the base RUP framework to support a wide range of IT projects such as system maintenance and enhancement, implementation of commercial off-the-shelf products, and custom software development. RUP is based on a set of core principles and best practices, which emphasize an iterative and incremental approach to conducting IT projects, the use of a component-based architecture, visual modeling, and close management of requirements.
The use of information technology introduces a level of risk to the FDIC. The FDIC has a robust risk management program. The FDIC employs the Control Objectives for Information and related Technology (COBIT) framework and supporting toolset to bridge the gaps between internal control requirements, risk management, and technical issues. COBIT provides a framework to help ensure that IT functions are adequately aligned with the business, resources are used responsibly, and risks are well managed. The initial COBIT framework was published in 1996 by the IT Governance Institute. The FDIC uses version 4.1, which covers a total of 34 IT processes. There are four sections for each process: a high level control objective for the process, detailed control objectives, management guidelines such as process inputs and outputs and metrics, and a maturity model for the process.
The FDIC has a highly effective information technology security program that protects the organization's technology investments and data. The Information Security Management Committee (ISMC) ensures an enterprise-wide approach to information security at the FDIC. It is a forum to discuss mutual concerns, emerging issues, and organizational security policy and initiatives. The ISMC is charged with implementing the Information Security Strategic Plan. In support of this mandate, the ISMC reviews, analyzes, revises and implements policies and procedures to ensure enforcement of security-related Federal laws and regulations and FDIC directives.
The FDIC has implemented programs that support a proactive IT security agenda and assure the integrity, confidentiality, and availability of the organization's information. The programs cover:
- Security technology assessment;
- Virus protection;
- Computer facility protection;
- Hardware security;
- Software security;
- Security of databases;
- Data encryption;
- Data communications and networking;
- Security on the Internet, Extranet, and Intranet;
- Security for personal computers and laptops; and
- Local area network security.
In the course of meeting its mission to maintain stability and public confidence in the nation's financial system, the FDIC collects and maintains a wide range of sensitive and non-sensitive personally identifiable information (PII) on customers of financial institutions collected through receivership and examination activities, as well as on FDIC employees, contractors and visitors. Under Federal law and regulation, the FDIC is responsible for protecting the privacy of PII, the loss or theft of which could result in significant harm to the individual and Corporation.
The FDIC Chief Information Officer (CIO) serves as the Chief Privacy Officer (CPO) and reports directly to the FDIC Chairman. The CPO is a statutorily mandated position and serves as the Senior Agency Official for Privacy responsible for establishing and implementing a wide range of privacy and data protection policies and procedures pursuant to various legislative and regulatory requirements.
The FDIC has established a risk-based corporate-wide Privacy Program that aims to integrate and embed privacy within FDIC's corporate culture. The program is primarily focused on ensuring that appropriate steps are taken to protect PII from unauthorized use, access, disclosure, or sharing and to protect associated information systems and web sites from unauthorized access, modification, disruption, or destruction. Program activities include the issuance of directives, policies and procedures for managing and protecting sensitive and non-sensitive PII held by the agency in accordance with the Privacy Act of 1974, the E-Government Act of 2002 (Section 208), Section 522 of the 2005 Consolidated Appropriations Act, Federal Information Security Management Act, and related Office of Management and Budget (OMB) guidance.
Additional activities include understanding potential privacy risks, exposures, and liabilities throughout the Corporation at the system, program and enterprise level by conducting Privacy Impact Assessments; mitigating risks; conducting awareness and targeted training, as well as addressing public and employee privacy expectations and concerns.
The FDIC adjusts its risk management, security, and privacy approaches as needed to address emerging threats and ensure successful execution of this business technology strategic plan.
Flexibility is critical to providing information technology services. The FDIC must be able to respond to the evolving requirements to carry out business capabilities and emerging trends in the industry. The information service delivery model at the FDIC allows flexibility. Two major components of the service model, contracting and enterprise architecture, demonstrate this flexibility.
The use of contracts allows the FDIC flexibility in providing information technology services and acquiring resources as needed. The FDIC largely uses a performance-based approach for contracting information technology services. Performance-based acquisitions are structured around the results to be achieved, as opposed to the manner in which the work is to be performed. The performance-based approach allows prospective vendors an opportunity to propose: (1) services and solutions that achieve the overall objective; and (2) the methods for evaluating the progress of the work and the end product/results/deliverables. These types of contracts are especially effective for information technology services, because they encourage contractor innovation and efficiency. The performance-based approach also helps to ensure contractors provide timely, cost-effective, and quality performance with measurable outcomes.
For each performance-based contract, the FDIC and contractor agree to a performance work statement (PWS) and/or Quality Assurance Plan/Quality Assurance Surveillance Plan. The contract oversight manager and technical monitor are then responsible for measuring and documenting contractor performance against the standards and metrics as stated in the plan. The approach protects FDIC rights under the contract and helps to ensure project success. The approach allows for corrective action to be taken as soon as potential performance problems are identified and also provides the FDIC with additional flexibility in its contracting approach.
The IT Sourcing Governance Program was established in 2009 to help the FDIC manage relationships with its IT contractors in order to improve service quality and enforce the accountability needed for effective, efficient, and timely delivery of IT services. The three-tiered IT Sourcing Governance Program expands FDIC's oversight activities beyond tactical contract, project, and financial management activities. It focuses on the management of contractor performance, the quality of the relationship between the parties, and ongoing added value through technology innovation and cost improvements. The ultimate goals of the IT Sourcing Governance Program are to mitigate risk, to increase the realized value of IT outsourcing, and to build more strategic relationships with contractors where appropriate.
The enterprise architecture of the FDIC continues to evolve toward a target enterprise architecture that is business-driven and highly integrated with both strategic planning and the current needs of the organization. It includes a Service-Oriented Architecture (SOA) that allows the FDIC to assemble applications from shared services within the organization. The target architecture fosters the development of common IT services and reuse of IT resources to maximize the return on investment (ROI) for the FDIC. It also promotes interoperability of IT systems and solutions, reducing the investment required for FDIC lines of business to work together collaboratively and efficiently.
A strong data management program underlies the enterprise architecture. The data management program guides the management of information throughout its lifecycle. The data management program safeguards the information assets of the FDIC. The objectives of the data management program include reducing information duplication and improving data consistency; increasing data sharing and improving data access through FDIC organization-wide standard data definition and standard data access and exchange technologies; and shortening data integration time among transactional data, integrated data warehouses, and multi-dimensional data marts.
At the fundamental level, the enterprise architecture is driven by business processes and capabilities (see Appendix A). The business processes themselves are driven by FDIC's mission, goals, and outcome measures and targets. These arise from and are tied to the overall strategic planning of the organization.
The activities undertaken to execute this business technology strategic plan will conform to the principles of the FDIC's enterprise architecture. These principles include:
- FDIC business needs drive FDIC IT decisions;
- Business process reengineering and improvements will typically precede implementation of new technology;
- Information technology must be adaptable to meet changing business needs and the business environment in which the FDIC operates;
- Information technology must be accessible to individuals (both members of the public and FDIC staff and contractors) with disabilities in accordance with Section 508;
- Architecture promotes the integration of business processes and provides a common operating environment;
- Data is an FDIC asset which should be managed from a corporate perspective;
- Data is accessible, reliable, and of a high quality;
- Applications should be partitioned to separate presentation, business logic and data;
- Applications shall be infrastructure independent to facilitate scalability and adaptability;
- Applications shall reuse existing capabilities, services and components;
- Applications are modular to facilitate maintainability and built for high availability;
- Infrastructure is managed as a service that can respond to demands for infrastructure components or capacity changes in a fast, efficient manner;
- The FDIC infrastructure is reliable, available, and recoverable;
- The FDIC will limit complexity of the infrastructure;
- Access to IT resources will be controlled and limited to those with legitimate business needs; and
- Applications are developed and designed to be secure.
The implementation of the strategic imperatives outlined in this plan and the continued modernization of the FDIC's application portfolio will introduce new technologies into the organization. The technologies will be consistent with the target enterprise architecture, and the FDIC's Enterprise Architecture Blueprint will be updated regularly to reflect these technology updates.