GMIS Accreditation

 

I am excited to introduce you to a new initiative in GMIS, which has been designed to help our industry and our organizations. The information technology industry in the public sector is young compared to its colleagues in finance, community development, public works, public safety and others. As these other industries matured, standards and metrics were developed to help standardize best practices so they no longer varied from organization to organization.  

Collectively, we have built public-sector IT to be an integral part of government organizations. We have established ourselves as solution providers and process analyzers. However, this evolution is not equal across all organizations. A framework is needed to help those working in IT to help make decisions on solutions the organization needs, but in a way that meets industry standards. This framework must be flexible to be useful to a variety of proficiency levels and organization sizes.

This framework is the foundation of the GMIS Accreditation program. In developing this framework, GMIS intends to provide a path for organizations to evaluate their current level of information technology, plan and budget for needed improvements, execute this plan, and submit the results for an audit to be completed by an authorized third-party auditing firm.

The accreditation covers five areas of information technology:

● Security

● Strategy

● Governance

● Operations

● Continuous Improvement

Each of these coverage areas are scored in a self-assessment. Organizations working toward accreditation must achieve a minimum level of "Accredited" for each of the five coverage areas to become accredited.

Once the accreditation begins, the organization will receive a prepackaged toolkit and plan.  The plan will outline the following path toward accreditation:

1. Self-Assessment

2. Budget

3. Execution

4. Audit

The initial process may be difficult and time consuming depending on the organization’s current level of IT proficiency.  We allow three years for organizations to achieve the level of Accreditation across all five coverage areas before re-accreditation is required.  However, extensions can be provided on a case-by-case basis. 

This accreditation is aspirational in nature.  The goal is not to just become accredited, but to improve IT practices beyond the accreditation.  All agencies working toward accreditation will move from a beginning status through the statuses listed below, depending on their scoring on the self-assessment.

1. Beginning – Having just received information or a baseline score

2. Interim – Identifying tasks and beginning to score

3. Provisional – Scoring begins to improve towards the accredited level

4. Accredited – Minimum level of accreditation achieved

5. Commendable – Exceeding scoring within accreditation

6. Flagship – Highest levels of accreditation

The scoring will be achieved by using a modified version of the CHICAGO Score™ system. Developed by CHICAGO Metrics™, who is partnering with the GMIS Accreditation Committee, the CHICAGO Score™ scoring system provides the added benefit of tying the tasks required for accreditation to different risk categories impacting the overall organization. These risk categories are:

 

Character (Reputation)

Human Resources

Integrity

Confidentiality

Accessibility

GOld (Financial – CHICAGO is not spelled with an "F")

By categorizing and measuring risks in this manner, the accreditation process will help demonstrate the impact these tasks have on the organization as a whole. 

The committee is currently working with CHICAGO Metrics™ to finalize its implementation of the Chicago Score™ system and plans to begin testing the self-assessment by January 31, 2016. This testing is expected to take upwards of six months before the accreditation will go into production.

In addition, the committee is working with several potential auditing firms to determine costs for the auditing service required to complete accreditation. This phase of the process is critical to help the committee establish standards for use by auditing firms and to help develop pricing for the accreditation process.  

The GMIS Accreditation Committee has also met with a representative from NIST in an effort to obtain guidance and to help identify some of the fine details required in an accreditation program. This representative remarked how the director of his area had mentioned the need for such an initiative like the GMIS Accreditation program, which also has the potential for providing a vehicle to ensure organizations are using NIST’s latest framework updates. It is hoped the relationship with NIST will continue to grow as this initiative moves into production.  

We have also reached out to some risk management consortiums. By involving these organizations, there will be an opportunity to demonstrate how governmental entities meeting the minimum level of Accredited will have a lower risk profile, which, in turn, should lessen the risk premiums they are charged.

The following groups and individuals were instrumental in their assistance in helping convert this idea into a reality:

GMIS Illinois Board of Directors

GMIS International Board of Directors

GMIS Accreditation Founding Committee Members

● Larry Gunderson - Member Expert - City of St. Charles, Illinois

● Lawrence A. Kravets – Independent Expert – Baxter-Woodman Control Systems Integration

● Edward Marchewka – Independent Expert – Gift of Hope Organ Donation Network

GMIS Accreditation Founding Advisory Council

● Palo Alto Networks

● SHI

● Cisco

● Microsoft