Eight recommendations for improving the governance of information technology (IT) initiatives – including revising roles and responsibilities of governance bodies – at the federal bank deposit insurance agency were made in a report issued Thursday by the agency’s office of inspector general (OIG).
The eight recommendations made by the Federal Deposit Insurance Corp. (FDIC) OIG are that the agency’s chief information officer must:
- coordinate with FDIC stakeholders to develop an implementation plan that supports the IT Strategic Plan;
- incorporate cloud strategy principles into the IT governance framework;
- implement an enterprise architecture (EA) as part of the IT governance framework and use the EA to guide IT decision-making;
- revise the FDIC’s governance processes, including roles and responsibilities for governance bodies;
- incorporate revisions to IT governance processes into applicable FDIC policies, procedures, and charters;
- define and document roles and responsibilities for information security within the IT governance framework and processes;
- identify and document the IT resources and expertise needed to execute the IT Strategic Plan; and
- define and document procedures for evaluating the costs and potential benefits associated with cloud projects.
The 51-page report by the deposit insurer’s OIG stated that an audit of the agency’s IT program found that the FDIC had neither fully developed a strategy to migrate IT services and applications to the cloud nor obtained the acceptance of key business stakeholders before taking steps to initiate cloud projects.
“The FDIC also had not implemented an effective EA to guide either the three IT initiatives we reviewed or the FDIC’s broader transition of IT services to the cloud,” the report states.
An ineffective EA, the report notes, “limited the FDIC’s ability to communicate to business stakeholders how it intended to implement its new IT strategies. In turn, this caused stakeholders to question the decision to adopt new cloud technologies and their impact on their business processes.”
According to the report, the agency’s CIO concurred in writing with all eight recommendations and stated that actions to address six of them have been completed. Plans are in place to complete actions on the remaining two recommendations by June 28, 2019, according to the CIO.