REDUNDANT DATA CENTER STUDY AND PILOT PROJECT

New Mexico
Department of
Information Technology
BUSINESS CONTINUITY - PHASE I
DISASTER RECOVERY ASSESSMENT
AND
FEASIBILITY STUDY
PROJECT CHARTER FOR CERTIFICATION
EXECUTIVE SPONSOR – DEPARTMENT OF INFORMATION TECHNOLOGY
BUSINESS OWNER - STATE OF NEW MEXICO
PROJECT MANAGER – MARY WANDA ANAYA
ORIGINAL PLAN DATE: NOVEMBER 12, 2008
REVISION DATE: NOVEMBER 12, 2008
REVISION: 1.00
Office of
Business Continuity
ABOUT THIS PROJECT CHARTER DOCUMENT
PERMISSION TO PLAN THE PROJECT AND SETTING THE GOVERNANCE STRUCTURE
The Project Charter provides the project manager and project team with permission to proceed
with the work of the project, within the scope delineated in this document. The Project Charter
should be the outcome of a number of documents that went into the pre-planning for the project,
and in many cases the agency IT Plan, Business Case for appropriations, Federal funding requests
and the like.
Project sponsors sign the Project Charter signifying that they have agreed to the governance
structure for guiding the direction for the further planning of the project, discovery and defining
the requirements, acquiring necessary resources, and within that context the statement of work
for any related contracts including a contract for the Independent Validation and Verification.
The Project Charter is also the foundation for the creation of the project management plan, and
much of the thinking and writing for this charter will be immediately usable for that project
management plan.
PROJECT CERTIFICATION INITIAL PHASE DOCUMENTATION
The Project Charter is also used within the State of New Mexico IT Project Certification process
as evidence of the project’s worthiness for the Initial Phase certification. The Initial Phase
certification is especially critical to many state and agency projects because of its related release
of the initial funds required for the project.
Initiation Phase funding is requested by an agency for use in developing project phases,
developing Independent Verification and Validation (“IV&V”) plan and contract; address
project review issues and/or to develop an overall project management plan. Note: Waiver of
the IV&V requirement requires specific written approval by the Secretary of the DoIT.
DoIT “Project Certification” Memorandum July 2, 2007
The Project Charter and the Request for Certification Form are meant to provide a
comprehensive picture of the project’s intention and initial planning, that includes the project’s
place in the context of the State of New Mexico’s IT Strategic Plan, Enterprise Architecture, and
DoIT project oversight process. See “IT Project Oversight Process” Memorandum July 5th
2007 on the OCIO-DoIT web site.
TABLE OF CONTENTS
ABOUT THIS PROJECT CHARTER DOCUMENT
TABLE OF CONTENTS
1. PROJECT BACKGROUND
    1.1 EXECUTIVE SUMMARY - RATIONALE FOR THE PROJECT
    1.2 SUMMARY OF THE FOUNDATION PLANNING AND DOCUMENTATION FOR THE PROJECT
    1.3 PROJECT CERTIFICATION REQUIREMENTS
2.0 JUSTIFICATION, OBJECTIVES AND IMPACTS
    2.1 AGENCY JUSTIFICATION
    2.2 BUSINESS OBJECTIVES
    2.3 TECHNICAL OBJECTIVES
    2.4 IMPACT ON ORGANIZATION
    2.5 TRANSITION TO OPERATIONS
3.0 PROJECT/PRODUCT SCOPE OF WORK
    3.1 DELIVERABLES
        3.1.1 Project Deliverables
        3.1.2 Product Deliverables
    3.2 SUCCESS AND QUALITY METRICS
4.0 SCHEDULE ESTIMATE
5.0 BUDGET ESTIMATE
    5.1 FUNDING SOURCE(S)
    5.2 BUDGET BY MAJOR DELIVERABLE OR TYPE OF EXPENSE
    5.3 BUDGET BY PROJECT PHASE OR CERTIFICATION PHASE
6.0 PROJECT AUTHORITY AND ORGANIZATIONAL STRUCTURE
    6.1 STAKEHOLDERS
    6.2 PROJECT GOVERNANCE PLAN
    6.3 PROJECT MANAGER
        6.3.1 PROJECT MANAGER CONTACT INFORMATION
        6.3.2 PROJECT MANAGER BACKGROUND
    6.4 PROJECT TEAM ROLES AND RESPONSIBILITIES
    6.5 PROJECT MANAGEMENT METHODOLOGY
7.0 CONSTRAINTS
8.0 DEPENDENCIES
9.0 ASSUMPTIONS
10.0 SIGNIFICANT RISKS AND MITIGATION STRATEGY
11.0 COMMUNICATION PLAN FOR EXECUTIVE REPORTING
12.0 INDEPENDENT VERIFICATION AND VALIDATION - IV&V
13.0 PROJECT CHARTER AGENCY APPROVAL SIGNATURES
14.0 PROJECT CHARTER CERTIFICATION APPROVAL SIGNATURE
REVISION HISTORY
REVISION NUMBER | DATE | COMMENT
1.0 | November 12, 2008 | Original Scope
PROJECT CHARTER [PROJECT NAME]
1. PROJECT BACKGROUND
The project background section is meant to provide the reviewer with a picture of the
development of the project from inception to its being submitted for certification.
1.1 EXECUTIVE SUMMARY - RATIONALE FOR THE PROJECT
The State of New Mexico, Department of Information Technology (DoIT) is striving to address
issues that will affect Business Continuity. An Office of Business Continuity (BC) has been
formulated.
Vision Statement
A Business Continuity Program that strives to maintain continuity of operations for the
State’s Mission critical services by sustaining a high level of standards and excellence.
Business Continuity Mission Statement
Provide the planning methodology for how the Department of Information Technology will
recover and restore partially or completely interrupted critical function(s) within a
predetermined time after a disaster or extended disruption. Prepare for future incidents that
could jeopardize the State’s core mission critical systems.
A dedicated Office for Business Continuity (BC) will help deliver proper planning to meet the
needs of customers and constituents. A well-planned BC program will minimize the risk of
human, economic, and legal consequences and provide an orderly path to the resumption of
regular service delivery. Mission Critical systems need to be accessible in the event of a
disaster, in order to keep state business running. First and foremost, systems that provide public
safety have the highest priority. The final objective is to provide a seamless, uninterruptible
service to state agencies and their constituents.
The State of New Mexico’s Data Center resides at the John F. Simms Building. The State’s
Enterprise Systems are hosted at this site. In addition, numerous agency mission critical systems
are co-located at this site. As the Department of Information Technology established a new
standard for Information Technology services to its constituent agencies, it faces many
challenges to bringing its Enterprise Capabilities up to the needs of the State of New Mexico
government.
Among the expectations of quality and responsible information technology operations is the
ability to provide the business function with business continuity and time sensitive recovery
from any disaster’s impact on the critical applications that support the State of New Mexico’s
ability to serve its citizens.
The Department of Information Technology is requesting funding for an assessment and
feasibility study to determine the best approach for redundancy for its most critical Information
Technology based services and applications. The purpose is to determine the most cost effective
means of providing this service.
A well-planned BC program will be developed that will minimize the risk of human, economic,
and legal consequences and provide an orderly path to the resumption of regular service
delivery. Over the next few months DoIT will identify Mission Critical systems that need to be
accessible in the event of a disaster, in order to keep state business running. First and foremost,
systems that provide public safety will have the highest priority.
DoIT will be exploring DR locations and options to accommodate the state’s needs.
Requirements for the Data Center will be identified such as: Equipment must be fully
redundant. A DR site must have a separation of sixty miles from the primary location. Public
Safety systems will require a failover site, while Mission Critical systems may require a hot site.
The final objective will be to provide a seamless, uninterruptible service to state agencies and
their constituents.
Currently DoIT is in the process of upgrading the Simms Building Data Center. A new air
cooled chiller with distribution piping dedicated to the data floor and telecommunications
cooling has been installed. The power was upgraded to triple the electrical capacity in the data
floor. New Power Distribution Units have been installed on the data floor to accommodate new
computer racks and provide dual electrical connections to computer equipment. A new DDC
Control and Monitoring System for automatic control and remote monitoring was installed. All
these efforts provide a more stable environment that includes redundant backup power and
allows future growth.
The Office of BC is involved in the planning of all DoIT projects. Staff attends all technical and
Steering Committee meetings. They review all risk and have been instrumental in designing the
risk matrix that will become a state standard.
The implementation of a Business Continuity program will take several months to develop and
cannot be done in a short time frame. However, DoIT is striving to address issues that will
affect Business Continuity. In the event of a disaster, Mission Critical systems that support key
agencies and their public constituents will remain functioning properly.
1.2 SUMMARY OF THE FOUNDATION PLANNING AND DOCUMENTATION FOR THE PROJECT
This project is based on DoIT FY09 IT Plan Business Case for a C2 Request and DoIT FY09
Business Continuity Strategic Plan.
1.3 PROJECT CERTIFICATION REQUIREMENTS
Does the project fit into the criteria for certification? Which and how?
CRITERIA
YES/NO
EXPLANATION
Project is mission critical to the agency
YES
This project is mission
critical to the agency as
it will assure the most
critical services and
applications are able to
recover in the event of a
disaster
Project cost is equal to or in excess of
$100,000.00
YES
Project impacts customer on-line access
NO
Project is one deemed appropriate by the
Secretary of the DoIT
YES
Will an IT Architecture Review be required?
NO
Total estimated cost is
$250,000.
This is a DoIT project,
funded by the legislature
2.0 JUSTIFICATION, OBJECTIVES AND IMPACTS
The justification and objectives section relates the project to the purpose of the lead agency and
describes the high level business and technical objectives for the project. The section also
includes a high level review of the impact to the organization, and of the concerns for transition
to operations.
2.1 AGENCY JUSTIFICATION
IDENTIFY AGENCY MISSION, PERFORMANCE MEASURE OR STRATEGIC GOALS TO BE
ADDRESSED THROUGH THIS PROJECT
NUMBER | DESCRIPTION
AGENCY 001 | To determine the best approach for redundancy for the most critical information (IT) based services and applications. The purpose of this project is to determine the most cost effective means for providing this service.
AGENCY 002 | Ensure business Continuity and data integrity for the state of New Mexico in the event of a disaster at the Simms building enterprise data center and to identify Critical Business Operations; to include tangible and intangible impacts.
2.2 BUSINESS OBJECTIVES
USE THE FOLLOWING TABLE TO LIST MEASURABLE BUSINESS OBJECTIVES
NUMBER | DESCRIPTION
BUSINESS OBJECTIVE 1 | Identify the state’s mission critical systems
BUSINESS OBJECTIVE 2 | Make accessible the critical and vital computer production environments for each agency within the timeframes specified by each agency.
BUSINESS OBJECTIVE 3 | Ability to resume critical business functions, i.e. business continuity
BUSINESS OBJECTIVE 4 | Identify cold, warm and hot sites
BUSINESS OBJECTIVE 5 | Provide business systems that support and enhance the efficiency of State Agencies and sustain their ability to deliver services to the citizens of New Mexico.
BUSINESS OBJECTIVE 6 | Enable an individual from each agency to work directly with the OBC who will be responsible for departmental business continuity and recovery.
2.3 TECHNICAL OBJECTIVES
NUMBER | DESCRIPTION
TECHNICAL OBJECTIVE 1 | Recovery Objective Validation - Evaluate the impact to DoIT business / operational functions resulting from a disaster
TECHNICAL OBJECTIVE 2 | Define the amount of sustainable time from outage to recovery of IT infrastructure
TECHNICAL OBJECTIVE 3 | IT Recoverability Assessment / Strategy Recommendations – Evaluate DoIT’s data center’s recovery capability using current processes and procedures for services above. Recommended improvements will be made to meet the Recovery Point and Recovery Time Objectives.
TECHNICAL OBJECTIVE 4 | Continue to implement Redundant Network Recovery strategies and develop documentation to support the switching of systems to the backup networks that will meet Business/Operational recovery requirements
2.4 IMPACT ON ORGANIZATION
The impacts on the organization are areas that need to be addressed by the project through its
planning process. They may not be internal project risks, but they can impact the success of the
project’s implementation.
AREA | DESCRIPTION
END USER | At least one staff member from each agency trained in BC with thorough understanding of Business Impact Analysis and Risk Management.
BUSINESS PROCESSES | Ensure continuity of business and time sensitive recovery
IT OPERATIONS AND STAFFING | DoIT subject matter experts for each functional knowledgeable in BC requirement.
OTHER |
2.5 TRANSITION TO OPERATIONS
The transition to operations areas include items that are asked in the certification form to assure
that the project has accounted or will account for these matters in its planning and requirements
specifications.
AREA
DESCRIPTION
PRELIMINARY OPERATIONS LOCATION AND STAFFING PLANS
This is a DoIT project. The Feasibility Study will identify which
systems should have redundant DR equipment hosted within the
Simms Data Center and which systems should be hosted at the DoIT
DR Site. Where consolidation of applications and platforms may be
possible will also be determined.
The Feasibility Study will provide recommendations for DoIT and
the agencies that will lead into several additional projects. These
projects may provide redundancy requirements or replications
requirements for an application such as the FY10 request for Failover capability for the Enterprise SHARE system.
DATA SECURITY, BUSINESS CONTINUITY
DATA SECURITY
Physical Security Systems
The Department of Information Technology has installed and
implemented a state of the art security access control and video
surveillance system. The security system consists of biometric
and proximity card readers and video surveillance throughout the
agency.
Improving Sentry Functions
DoIT security technicians uncover many incidents every year.
Functions are overly dependent on human conditions. These are
some of the DoIT initiatives that will improve the process.
• Install Security Information Event Management - One
of the essential elements of security is logging events of
various intrusions and anomalies. In Fiscal Year 2010
security information event management will be
implemented to provide a minimum of thirty days of
retention and include all core security, network and server
devices. This will provide greater visibility of information
events.
• Firewall Upgrades - DoIT currently manages several
firewalls for itself and various agencies. Most firewalls on
the state core network are outdated. In Fiscal Year 2010 DoIT
will upgrade the core Internet firewall with high availability.
DoIT will upgrade several Intranet firewalls.
• Install a Core Intrusion Detection and Prevention
System (IDP) - Developing an enterprise IDP solution
will greatly improve the level of security of state data
communication. IDP systems can automatically recognize
the signatures of attacks.
• Annual Vulnerability Assessment - Annual network
security assessments will be conducted by a reputable 3rd
party vendor. This will verify appropriate security
configurations, patch levels, device vulnerabilities, hot
fixes, unused services, open ports, share permissions and
restricted groups are in place.
• Security Scans - DoIT will perform vulnerability
assessments for all agencies/customers on the state Intranet
network with a new network vulnerability appliance.
Devices in the data center will also be scanned for
security vulnerabilities quarterly.
BUSINESS CONTINUITY
The State of New Mexico had a contract with a disaster recovery
company, SunGard, which provides standby services based on a
number of planned application configurations at a cost to the state.
SunGard operates for the State of New Mexico as a cold site
available to the state when and if the state declares an emergency.
Among the problems with that arrangement with SunGard was that
should other customers declare emergencies ahead of the State of
New Mexico, DoIT would not have been able to use their services.
Also testing had to be scheduled far enough in advance to allow
SunGard time to configure their equipment to DoIT’s specifications.
In the event of a disaster the State of New Mexico would have to
transport both data backup and operating teams between Santa Fe and
the DR site in Philadelphia. In addition to that cost there was more
cost added for scheduling the test.
The major change to improve business resumption is that DoIT has
moved DR services to in-state. DoIT has signed a master service
agreement with Mainline Disaster Recovery Services, LLC. The
current recovery site is Northrop Grumman in Albuquerque. The
Office of BC is in the process of leasing DR equipment for the
mainframe and open systems to provide resumption of services
within a recovery time that is realistic to the state’s business needs.
MAINTENANCE STRATEGY
Listed below are efforts that assure emergency and disaster
management are in place.
Business Continuity Program
A well-planned BC program is being developed for DoIT that
will minimize the risk of human, economic, and legal
consequences and provide an orderly path to the resumption of
regular service delivery. Vision and Mission statements have
been defined. Policies and Procedures are being developed.
Roles and Responsibilities have been set. The top ten priorities
for the Office of BC have been set. As noted below, this project
aligns with the priorities that the Office of BC has set.
1. Develop a Business Continuity (BC) Program
2. Develop and maintain the Enterprise BC Plan to include; the
scheduling and regular testing of BC Enterprise Systems
i. Mainframe System,
ii. Enterprise Email System,
iii. Enterprise SHARE System,
iv. HIPAA Servers,
v. Internet, other services provided by DoIT,
vi. Agency Mission Critical Systems,
vii. Infrastructure Network Systems,
viii. Phone Systems,
ix. Voice Mail Systems,
x. Radio Systems (broadband and narrowband)
3. Conduct a Disaster Recovery Site Assessment. (This Project)
4. Attain Project Certification for the FY09, DoIT Disaster
Recovery Assessment and Feasibility Study for redundancy of
the most critical information technology-based services and
applications. Complete the Project Plan, Project Schedule,
and Certification documents. (This Project)
5. Contract DoIT Feasibility Study for Mission Critical Systems
for the State of New Mexico. (This Project)
6. Visit other States that have recognized BC/DR successful
plans and well developed standards and best practices. The
state of Arizona has been recommended by Qwest. (This
Project)
7. Attend Formal Training for BC and DR which includes
implementation, development and maintenance. Contract
BC Training for agencies and internal staff. (This Project)
8. Develop Enterprise Guidelines, Standards, and Policies, for
BC and DR following best practices.
9. Incorporate a Change Control Process that supports and
includes the BC Policy objectives.
10. Conduct the detailed Business Impact Analysis that will identify
Critical Business Operations; to include tangible and
intangible impacts for Mission Critical Systems. (This
Project)
New Mexico Business Continuity Steering Committee
A BC steering committee has been formulated. Members include
DoIT Secretary Marlin Mackey as Chair of the committee, DoIT
Enterprise Operations Deputy Secretary Elisa B. Storie, Terry
Othick CIOC Representative, Bill Garcia ITC Representative, and
Gil Gonzales independent member from the University of New
Mexico. The DoIT Office of Business Continuity will function
as a BC Project Manager for BC efforts addressed by this
committee.
Business Continuity Plan Policy for Test - Summary
The Office of Business Continuity and Disaster Recovery, under
the direction of the Department, shall maintain and test a
Business Continuity Plan. The plan will support the continuity
of operation of the Department’s information technology, to
include operations that the Department supports on behalf of
other departments or external entities. Within the scope of this
policy all individuals assigned to participate with plan testing
must cooperate with the Office of Business Continuity and
Disaster Recovery to ensure a successful plan.
Risk Management Plan - Summary
The Office of Business Continuity has the primary leadership
responsibility to identify risks and to determine what impact these
risks have to business operations. The Department’s Management
Team will plan for business continuity based on these risks and
document recovery strategies and procedures in a defined
business recovery plan that is reviewed, approved, and updated
on an annual basis. The Risk Management Plan includes all
divisions: business, technology and operational support. (This
Project)
Annual Business Continuity Plan Policy for Review Summary
The Business Continuity Plan will be reviewed based on a
defined review process.
Division Directors and IT Managers will review the plan annually
and submit their updates and modifications to the plans in June to
the Office of Business Continuity. The Office of Business
Continuity shall submit the entire plan to the Executive
Management for approval.
INTEROPERABILITY
With the current short term plans DoIT is scheduled to begin
testing recovery of the Mainframe services in late December
2008. Testing will begin with connectivity tests to the DR Site,
recovery of the Mainframe’s operating system at the site, and
continue with recovery of Mainframe services.
As recovery of Mainframe services is proven, planning will begin
for recovering Open Systems. DR equipment leases include
Open Systems and Storage. Therefore, recovery for these
systems can be planned using a warm to hot site model.
RECORD RETENTION
DoIT has taken direction from the Title 1 – General Government
Administration Retention and disposition schedules in
addressing record retention as listed below:
DISASTER RECOVERY FILE:
Retention: until superseded by new plan or information. A copy
of this file will be stored off-site. In the event of a disaster, all
copies of this file shall be retained until any or all investigations
have been concluded.
PROJECT CONTROL FILE:
Retention: one year after close of fiscal year in which project
completed or cancelled
DOCUMENTATION TAPE FILE:
Retention: one year after discontinuance of system provided all
magnetic data files are authorized for disposal or transferred to
new or alternate system. System test documentation for
approved systems may be destroyed one year after completion of
testing.
TEST FILES:
Retention: two years after system goes into production
WEBSITE:
Retention:
• platform (software): one year after discontinuance
of the system.
• web content:
o unique records or information: see the
general or agency program schedule for
retention.
o replicated information: until superseded or
no longer relevant.
• web site structure:
o informational web site: one year after site
is updated or changed.
o transactional web site: three years after
site is updated or changed.
CONSOLIDATION STRATEGY
The Feasibility Study will include an analysis and plan for
consolidating applications and platforms for greater cost savings and
operating efficiency of the redundancy.
3.0 PROJECT/PRODUCT SCOPE OF WORK
In its efforts to move from the high level business objectives to the desired end product/service
the project team will need to deliver specific documents or work products. The State of New
Mexico Project Management Methodology distinguishes between the project and the product.
Project Deliverables relate to how we conduct the business of the project. Product Deliverables
relate to how we define what the end result or product will be, and trace our stakeholder
requirements through to product acceptance, and trace our end product features and attributes
back to our initial requirements
3.1 DELIVERABLES
3.1.1 PROJECT DELIVERABLES
This initial list of project deliverables are those called for by the IT Certification Process and
Project Oversight memorandum, but does not exhaust the project deliverable documents
Project Charter
The Project Charter for Certification sets the overall scope
for the project, the governance structure, and when signed is
considered permission to proceed with the project. The
Project Charter for Certification is used to provide the
Project Certification Committee with adequate knowledge
of the project and its planning to certify the initiation phase
of the project
Certification Form
The Request for Certification and Release of Funds form is
submitted when a project goes for any of the certification
phases. It deals with the financial aspects of the project, as
well as other topics that indicate the level of planning that
has gone into the project. Many of the questions have been
incorporated into the preparation of the project charter
Project Management Plan
“Project management plan” is a formal document approved by
the executive sponsor and the Department and developed in the
plan phase used to manage project execution, control, and project
close. The primary uses of the project plan are to document
planning assumptions and decisions, facilitate communication
among stakeholders, and documents approved scope, cost and
schedule baselines. A project plan includes at least other plans
for issue escalation, change control, communications, deliverable
review and acceptance, staff acquisition, and risk management
plan.
IV&V Contract & Reports
“Independent verification and validation (IV&V)” means the
process of evaluating a project to determine compliance with
specified requirements and the process of determining whether
the products of a given development phase fulfill the
requirements established during the previous stage, both of
which are performed by an organization independent of the lead
agency. Independent verification and validation assessment
reporting. The Department requires all projects subject to
oversight to engage an independent verification and validation
contractor unless waived by the Department.
IT Service Contracts
The Department of Information Technology and the State
Purchasing Division of General Services have established a
template for all IT related contracts.
Project Risk Assessment and management
The DoIT Initial PROJECT RISK ASSESSMENT template
which is meant to fulfill the following requirement:
“Prepare a written risk assessment report at the inception of
a project and at end of each product development lifecycle
phase or more frequently for large high-risk projects. Each
risk assessment shall be included as a project activity in
project schedule.” Project Oversight Process memorandum
Project Schedule
A tool used to indicate the planned dates, dependencies, and
assigned resources for performing activities and for meeting
milestones. The de facto standard is Microsoft Project.
Monthly Project Status
Reports to DoIT
Project status reports. For all projects that require Department
oversight, the lead agency project manager shall submit an
agency approved project status report on a monthly basis to the
Department.
Project Closeout Report
This is the Template used to request that the project be
officially closed. Note that project closure is the last phase
of the certification process
3.1.2 PRODUCT DELIVERABLES
The product deliverable documents listed here are only used for illustration purposes
Requirements Documents
The Feasibility Study will produce the following
documents:
Risk Management Assessment
Business Impact Analysis
Cost Benefit Analysis
Critical Application Analysis
Disaster Recovery Enterprise Site Recommendation
Design Documents
Systems Specifications
Systems Architecture
System and Acceptance Testing
Operations requirements
3.2 SUCCESS AND QUALITY METRICS
Metrics are key to understanding the ability of the project to meet the end goals of the Executive
Sponsor and the Business Owner, as well as the ability of the project team to stay within
schedule and budget.
NUMBER
DESCRIPTION
QUALITY METRICS
1: Link Project to DoIT Goals and Objectives
The effective measurement of DoIT investment’s contribution to
DoIT’s accomplishments is based upon DoIT mission and strategic
business plans. The Office of BC organization has built partnerships
with program offices and functional areas to define that this project
will contribute to the agency’s goals and objectives.
2: Develop Performance Measures
The project manager and Project Team will develop the performance
measures. These measures will evaluate the outcomes of the DoIT
investment, cost, timeliness and quality. Included in the measurements
will be improvements in the quality and delivery of the DoIT services.
3: Collect Quality Data
The Project Team will determine what data are needed to determine
the output of the project and what data are needed to determine the
effectiveness of the project. The data used will depend upon
availability, cost of collection and timeliness. Accuracy of the data is
more important than precision. The effort to educate the end-user in
business continuity will provide data for the study that is accurate and
detailed enough to be deemed quality data.
4: Analyze Results
After obtaining results, the Project Team will conduct measurement
reviews to determine if the project met the objectives and whether the
indicators adequately measured results.
5: Integrate with Management Processes
To assure that results improve performance, the Project Team will
integrate the performance measurements into the existing management
processes.
6: Communicate Results
The Project Team will communicate results with DoIT Executive staff
and the CMIS users.
4.0 SCHEDULE ESTIMATE
The schedule estimate is requested to provide the reviewers with a sense of the magnitude of the
project and an order of magnitude of the time required to complete the project. In developing the
schedule estimate, certification timelines and state purchasing contracts and procurement lead
times are as critical as vendor lead times for staffing and equipment delivery. Project metrics
include comparisons of actual vs. target date. At the Project Charter initial phase, these times can
only be estimated.
5.0 BUDGET ESTIMATE
Within the Project Charter budgets for the project can only be estimated. Original budgets
requested in appropriations or within agency budgets are probably not the numbers being worked
with at project time. Funding sources are asked for to help evaluate the realism of project
objectives against funding, and the allocation of budget estimates against project deliverables.
Please remember to include agency staff time including project managers as costs.
5.1 FUNDING SOURCE(S)
SOURCE | AMOUNT | ASSOCIATED RESTRICTIONS
FY09 C2 REQUEST | $250,000.00 |
5.2. BUDGET BY MAJOR DELIVERABLE OR TYPE OF EXPENSE
Consulting Services | $150,000.00
  Feasibility Study | $150,000.00
Assessment | $12,500.00
  IV&V Contractor @ 5% | $12,500.00
Education | $47,360.00
  Business Continuity Online Training | $995.00
  Business Continuity Staff Formal Training | $10,175.00
  Business Continuity Staff Certification | $1,190.00
  Business Continuity Agency Training - 3 day | $25,000.00
  Business Continuity Overview Training - 1 day | $10,000.00
Site Visits | $40,140.00
  Other States Government Site Visits - 6 days | $23,250.00
  Out of State Commercial Site Visits - 4 days | $16,500.00
  In State Commercial Site Visits | $390.00
$100,000.00
Total Cost | $250,000.00
5.3 BUDGET BY PROJECT PHASE OR CERTIFICATION PHASE
BC Project Phase I – DR Assessment and Feasibility Study | $250,000.00
BC Project Phase II – Failover Capability for SHARE, FY10 C2 Request | $1,750,000.00
BC Project Phase III – Replication for Enterprise Email and Mainframe (not requested at this point) |
BC Project Phase IV – Replication/Redundancy for State’s Critical Application (not requested at this point) |
6.0 PROJECT AUTHORITY AND ORGANIZATIONAL
STRUCTURE
6.1 STAKEHOLDERS
Stakeholders should be a mix of agency management and end users who are impacted positively
or negatively by the project.
NAME | STAKE IN PROJECT | ORGANIZATION | TITLE
CABINET SECRETARY MARLYN MACKEY | STATE CHIEF INFORMATION OFFICER, STATE OF NEW MEXICO, DOIT SECRETARY | DOIT | STATE CIO, CABINET SECRETARY
DEPUTY SECRETARY ELISA STORIE | BUSINESS CONTINUITY AND DISASTER RECOVERY FOR ENTERPRISE OPERATIONS | DOIT | DEPUTY SECRETARY OF ENTERPRISE OPERATIONS
DEPUTY SECRETARY CONNY MAKI | BUSINESS CONTINUITY AND DISASTER RECOVERY FOR ENTERPRISE SERVICES | DOIT | DEPUTY SECRETARY OF ENTERPRISE SERVICES
NICOLAS BEHRMANN | STRATEGIC PLAN FOR NEW MEXICO, STRATEGIC PLAN FOR DOIT | DOIT | OFFICE OF STRATEGIC PLANNING MANAGER
6.2 PROJECT GOVERNANCE PLAN
A diagram of the organization structure including steering committee members, project manager
and technical/business teams would be helpful.
[Organization chart: Department of Information Technology, BUSINESS CONTINUITY – PHASE I DISASTER RECOVERY ASSESSMENT AND FEASIBILITY STUDY PROJECT, Governance Project Structure, Monday, November 17, 2008. Boxes shown in the chart:]
• Marlin Mackey, Department of Information Technology (DoIT) Cabinet Secretary and State CIO
• New Mexico Business Continuity Steering Committee
• Agencies
• Elisa B. Storie, DoIT Deputy Secretary, Enterprise Operations
• Conny Maki, DoIT Deputy Secretary, Enterprise Services
• IV&V Contractor
• Feasibility Study Contractor
• Mary W. Anaya, DoIT, Office of Business Continuity, BC Project Manager
• Stephanie Gallegos, DoIT, BC Project Team
• DoIT Office of Security
• DoIT Office of Strategic Planning
• DoIT Enterprise Server Operations
• DoIT Enterprise IVR
6.3 PROJECT MANAGER
6.3.1 PROJECT MANAGER CONTACT INFORMATION
NAME | ORGANIZATION | PHONE #(S) | EMAIL
MARY W. ANAYA | DOIT, OFFICE OF BUSINESS CONTINUITY | 505-476-1892 | MARY.ANAYA@STATE.NM.US
6.3.2 PROJECT MANAGER BACKGROUND
6.4 PROJECT TEAM ROLES AND RESPONSIBILITIES
ROLE | RESPONSIBILITY
DoIT Project Manager | Develop and Manage Project
Office of Business Continuity | Assure the project meets the needs of the state's Business Continuity Strategic Plans.
Contractor Project Manager | Develop and Manage Contracted Feasibility Study
IV&V Contractor | Assess the Progress and Risk of the Project and Provide Recommendations
Training Coordinator | Work with Project Manager on writing Training Plans
Feasibility Contractor | Contractor that will provide the Feasibility Study
Enterprise Data Center Director | Assure the project meets the requirements of the state's data center
Enterprise IVR Director | Assure the project meets the requirements of the state's network infrastructure, voice, and radio.
Office of Security | Assure the project meets the requirements of physical and cyber security
Enterprise Services Director | Assure the project meets the requirements for the Enterprise Services that DoIT provides.
6.5 PROJECT MANAGEMENT METHODOLOGY
The Department of Information Technology certification process is built around a series of
certification gates: Initiation, Planning, Implementation and Closeout. Each of these phases/gates
has a set of expected documents associated with it. The gates and the associated documents
make up the certification methodology.
6.5.1 PROJECT MANAGEMENT LIFE CYCLE
This Project Management Plan will describe the process used to monitor progress on the
project in order to ensure that all tasks are being completed according to schedule, and that
the project remains aligned with the primary business strategic goals.
Project planning will be an ongoing activity during the life of the project. The planning
activities started with the request of funding for FY09 and FY10. Project Phase I is the
Disaster Recovery Assessment and Feasibility Study, which cascades from the Certification
Initiation Phase to the Planning Phase, which will produce a planning guide and framework
for the large project of providing Business Continuity for the state's critical systems.
Given the level of planning that will be completed prior to the project implementation, the
Project Manager will be responsible for ensuring the project is tracking to plan, and also for
making any adjustments to the plan that may be required due to change orders etc. As with
any long-term project, it is expected that the project plan may be adjusted as the project
progresses during different phases. The following list of processes and standards are critical
to the success for the project and will be included in detail in the project schedule:
PROJECT COMMUNICATION PROCESS
• Assess project communications requirements for any type of project.
• A project kick-off will be held. Participants will include project team and
contract staff.
• A project phase closure meeting will be held at completion of each phase of the
project. Participants will include project team.
• A project closure meeting will be held at completion of project. Participants will
include project team.
• Weekly project meetings will be held for status update and/or decision process.
Participants will include project team, contract staff and/or project extended staff.
• Project status reporting will be documented, reviewed at weekly meetings and
posted on ITD internal web site.
• An approval form will be created for issue management and approval processing
procedures.
RISK MANAGEMENT PROCESS
• A Risk Management Process will be used.
• Risks will be identified by type and characteristics.
• Risks will be evaluated by probability and impact.
• A realistic response strategy will be developed for each risk.
• Risk Management Policies and Procedures will be developed throughout the risk
process.
STATEMENT OF WORK PROCESS
• All Statement of Work (SOW) documents will be reviewed and approved by the
Project Team.
PROBLEM SOLVING PROCESS
• A problem response roadmap will be designed for the technical staff.
• A problem response roadmap will be designed for the contract staff.
• A problem response roadmap will be designed for the end-users.
• Problem management policy will be created and documented throughout the
process. Policy will include Problems Management planning, preparation,
review, approval, document version control and ongoing maintenance.
PROJECT MANAGEMENT STANDARDS
• A customized set of project management standards and best practices (for project
initiation, planning, execution, control and closure) will be created throughout
the project.
7.0 CONSTRAINTS
NUMBER | DESCRIPTION
CSTR-001 | The project is funded with a finite amount. Therefore there is a limitation of the number of agencies that will be part of the project scope.
CSTR-002 | The state agencies have diverse levels of Business Continuity and Disaster Recovery Plans.
CSTR-003 | All state agencies do not have dedicated resource to Business Continuity and Disaster Recovery.
8.0 DEPENDENCIES
Types include the following and should be associated with each dependency listed.
• M - Mandatory dependencies are dependencies that are inherent to the work being done.
• D - Discretionary dependencies are dependencies defined by the project management team. This may also
encompass particular approaches because a specific sequence of activities is preferred, but not mandatory
in the project life cycle.
• E - External dependencies are dependencies that involve a relationship between project activities and
non-project activities such as purchasing/procurement.
NUMBER | DESCRIPTION | TYPE M,D,E
DEP-001 | DoIT has a Mainframe System upgrade project | M
DEP-002 | The Enterprise Email System will be upgraded to Exchange 2007 | M
DEP-003 | The Enterprise Storage is upgrading the tape library | M
DEP-004 | DoIT will be testing disaster recovery on the Mainframe during this project. | D
DEP-005 | The agencies that will participate in the feasibility study will have their own projects that have dependencies to this project. | E
9.0 ASSUMPTIONS
NUMBER | DESCRIPTION
ASMPT-001 | State Agencies have high interest and executive buy-in for adequate participation in this Business Continuity Project.
ASMPT-002 | DoIT Project Management staff is able to orchestrate the requirements of multiple projects with equally high priorities.
10.0 SIGNIFICANT RISKS AND MITIGATION STRATEGY
10.1 Internal Risk Factors - Dependencies on other internal system projects
Description – Other internal system projects will consume resources required for this project.
Probability and Impact – risk probability (Might), severity of impact (Medium)
Mitigation Strategy –
• Review project plan and project schedule weekly to ensure that project is on track to achieving
objectives.
• Review in detail risks that are assessed as "judgmental boundary" at every project meeting.
• High-level review and reassess the probability and impact rating of all risks at every project meeting.
• Meet with management weekly to validate the need to dedicate required resources.
• Meet with management weekly to review goals and report project status.
• Identify a second if primary resource is not available.
Contingency Plan –
• The Project Manager will estimate the impact on the project's scope (time lines, cost, and deliverables) if
the resource is not available.
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.2 INADEQUATE STAFF RESOURCES
Description – Subject Matter Expert staff that support the systems will not be available.
Probability and Impact – risk probability (Might), severity of impact (Medium)
Mitigation Strategy –
• Get commitment from executive staff to provide staff resources.
Contingency Plan –
• The Project Manager will estimate the impact on the project's scope (time lines, cost, and deliverables) if
the staff are pulled away.
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.3 INADEQUATE MANAGEMENT COMMITMENT AND SUPPORT
Description – Management staff may have priorities that redirect their commitment to supporting this project.
Probability and Impact – risk probability (Unlikely), severity of impact (Medium)
Mitigation Strategy –
• Meet with management weekly to review goals and report project status.
• Request management gives approval to second in command when unavailable.
Contingency Plan –
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.4 INTERNAL COMPETING INTEREST
Description – Continuous business requirements infringe on commitment of required staff participation.
Probability and Impact – risk probability (Might), severity of impact (Medium)
Mitigation Strategy –
• Meet with management weekly to review goals and report project status.
• Identify a second if primary resource (staff) is not available.
• Project Manager distributes the project schedule weekly to Project Team and management.
Contingency Plan –
• The Project Manager will estimate the impact on the project's scope (time lines, cost, and deliverables) if
specific staff are not participating on project.
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.5 DEPENDENCIES ON EXTERNAL SYSTEM PROJECTS
Description – Other external system projects will consume resources required for this project.
Probability and Impact – risk probability (Unlikely), severity of impact (Low)
Mitigation Strategy –
• Review project plan and project schedule weekly to ensure that project is on track to achieving
objectives.
• Meet with management weekly to validate the need to dedicate required resources.
• Meet with management weekly to review goals and report project status.
• Identify a second if primary resource is not available.
Contingency Plan –
• The Project Manager will estimate the impact on the project's scope (time lines, cost, and deliverables) if
a specific resource is not available.
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.6 MANDATE FOR PROJECT TIMELINES
Description – A change to the timeline will affect the project scope.
Probability and Impact – risk probability (Might), severity of impact (Low)
Mitigation Strategy –
• Review project plan and project schedule weekly to ensure that project is on track to achieving
objectives.
• High-level review and reassess the probability and impact rating of all risks at every project meeting.
• Meet with management weekly to validate the need to stay committed to the project timeline.
• Meet with management weekly to review goals and report project status.
Contingency Plan –
• The Project Manager will estimate the impact on the project's scope if the timeline is slipping.
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.7 STATE GOVERNMENT REORGANIZATION
Description – Any type of reorganization will affect this project’s resources.
Probability and Impact – risk probability (Might), severity of impact (Low)
Mitigation Strategy –
• The Project Manager will set up informational meetings with any new management.
• The Project Manager will report on project status to DoIT Executive Management and New Mexico
Business Continuity Steering Committee.
• Meet with management weekly to review goals and report project status.
Contingency Plan –
• The Project Manager will estimate the impact on the project's scope (time lines, cost, and deliverables) if
a specific resource is not available.
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
10.8 CHANGES IN STATE AND FEDERAL LAW
Description – Any changes in law may affect the business logic, which may require completed tasks in the
project to be readdressed.
Probability and Impact – risk probability (Might), severity of impact (Medium)
Mitigation Strategy –
• Schedule project timelines with room for adjustments and additional unplanned tasks.
• Project Team will designate an individual to be aware of any upcoming legislation that will affect
NMCD.
• Review in detail risks that are assessed as "judgmental boundary" at every project meeting.
• Meet with management weekly to review goals and report project status.
Contingency Plan –
• The Project Manager will hold a meeting with the Project Team on this issue.
• The Project Manager will estimate the impact on the project's scope (time lines, cost, and deliverables) if
the business logic is modified.
• The Project Manager will set up a meeting with management specifically directed towards this issue.
• The Project Manager will invoke Issue Management and/or Change Control Management if required.
11.0 COMMUNICATION PLAN FOR EXECUTIVE REPORTING
The project plan requires that a Project Communications Management Plan be completed. Included
in the plan will be the following items:
• Project information will be given to the Project Team for view and the Project
Manager will post documents on a shared directory assigned to this project.
• The Project Manager will maintain a distribution list showing what information is
provided by whom, to what stakeholder, in what format and how often.
• The Project Team will use standard templates and forms as much as possible.
• A schedule of each regularly distributed communication and the person responsible
for generating the communication will be placed on the shared directory by the
Project Manager.
• The Project Manager will schedule meetings and send out calendar mailings.
• The Project Manager will create an escalation process for meetings; low level
meetings before high level meetings; emphasize the contractual obligatory meetings.
• The Project Team will have weekly Status Meetings as reflected in a Communication
Matrix. The Project Committee Leads will report on strategy and planning efforts of
the project. Efforts will include IV&V reports. The Project Manager will plan and
schedule these meetings.
• The Project Manager will meet with the project Governance Committee to present
project status and attain approvals a minimum of one meeting per month, with
additional meetings as needed for approvals.
12.0 INDEPENDENT VERIFICATION AND VALIDATION - IV&V
IV&V focus depends upon the type of project, with various emphases on project and product
deliverables. An IV&V contractor has been selected for this project. DoIT is currently in the
process of developing the scope for the contract. DoIT has elected to use an IV&V contractor
because this project spans many state agencies.
The following check list is based on Exhibit A of the OCIO IV&V Contract Template, and the
Information technology template. It is included here to provide a high-level view of the type of
IV&V accountability the project envisions:
Project/Product Area | Include – Yes/No
Project Management | Yes
Quality Management | Yes
Training | Yes
Requirements Management | Yes
Operating Environment | No
Development Environment | No
Software Development | No
System and Acceptance Testing | No
Data Management | No
Operations Oversight | No
Business Process Impact | Yes
13.0 PROJECT CHARTER AGENCY APPROVAL SIGNATURES
SIGNATURE
DATE
EXECUTIVE SPONSOR
BUSINESS OWNER
PROJECT MANAGER
14.0 PROJECT CHARTER CERTIFICATION APPROVAL
SIGNATURE
SIGNATURE
DOIT / PCC APPROVAL
DATE