CIO Policy and Audits

In my analysis of HB109 yesterday, I missed something which is crucial. I don't see, in the structure of the new Dept. of Technology Services, where the CIO has staff to help create and enforce policy. I'm sure there's a lot of people in the agencies and in the Legislature who are saying "we don't want DTS to enforce policy," but that's a mistake. Here's why:

One of the big reasons agencies don't want to use services from ITS is that some people in ITS see their role as being the network cop instead of being the network service provider. That's understandable--someone has to enforce the rules of interoperability and security suffer, sometimes with disastrous consequences. These roles are incompatible and the three divisions of the new DTS have to be focused on providing great service. Someone else, in DTS, but outside the three service organizations, need to be focused on creating and enforcing policy.

One idea is to create, within DTS, a small group that is not part of the internal service fund (ISF). Call it the "Office of the CIO." Since its not part of the ISF, the legislature has more direct control over its budget and thus can more easily control it to curb abuse.