File #: 16-517    Version: 1 Name:
Type: Memo Status: Passed
File created: 8/22/2017 Departments: COUNTY MANAGER
On agenda: 9/12/2017 Final action: 9/12/2017
Title: Approve the Board of Supervisors' Response to the 2016-2017 Civil Grand Jury Report, "Acquisition and Deployment of Information Technology Resources by the County of San Mateo."
Attachments: 1. 20170912_m_Grandy Jury Response - Acquisition and Deployment of IT Resources

Special Notice / Hearing:                         None

      Vote Required:                         Majority

 

To:                      Honorable Board of Supervisors

From:                      John L. Maltbie, County Manager

Subject:                      Board of Supervisors' Response to the 2016-2017 Civil Grand Jury Report, “Acquisition and Deployment of Information Technology Resources by the County of San Mateo”

 

RECOMMENDATION:


Approve the Board of Supervisors' Response to the 2016-2017 Civil Grand Jury Report, “Acquisition and Deployment of Information Technology Resources by the County of San Mateo.”

          

 


BACKGROUND:

On June 26, 2017, the FY 2016-2017 San Mateo County Civil Grand Jury issued a report titled “Acquisition and Deployment of Information Technology Resources by the County of San Mateo.” The Board of Supervisors is required to submit comments on the findings and recommendations pertaining to the matters over which it has some decision making authority within 90 days. The Board’s response to the report is due to the Honorable Leland Davis, III no later than September 25, 2017.                                    

 

DISCUSSION:

The Grand Jury made three findings and three recommendations in its report. Each finding and recommendation, along with County staff’s recommended response, is set forth below:

 

FINDINGS

 

Finding 1:

Based upon Grand Jury interviews and examination of the IT Service Catalog, the Information Services Department cross-charging method appears complex, difficult to manage, and subject to time-consuming error correction.

 

Response:

Agree.

 

 

Finding 2:

Data security vulnerabilities arise because of the varied responsibilities of the Information Services Department and user departments for software patches and upgrades and hardware encryption under different arrangements supported in the current cross-charging method.

 

Response:

Agree.

 

Finding 3:

The current cross-charging method complicates the budget process because it causes difficulties for both the Information Services Department in forecasting alternative modes of service that departments may elect, and also for departments in forecasting their Information Services Department charges.

 

Response:

Agree.

 

RECOMMENDATIONS

 

Recommendation 1:

The County Manager’s Office and Information Services Department shall:

 

                     Centralize the budgeting, cost-incurrence, personnel, operations, and responsibilities for backbone infrastructure and general-purpose hardware support not managed by user departments and all software support (including nonstandard, special mission applications) within the Information Services Department;

 

                     Discontinue actual charging of services to user departments and replace with a memorandum-charging system to mimic the current cross-charging method for continued grant reimbursement;

 

                     Continue inclusion of costs for supplies, capital, and leasing of hardware and software in departments using them, as is currently done.

 

Response:

ISD will take responsibility for the budgeting, procurement, licensing, security, compliance, and support of the County’s technology communications infrastructure and common computing devices (PC, radios, phones, servers, switches, etc.) that connect to this infrastructure.

 

All budgeting for such devices and procurement will be done following standard County budget practices as directed by the CMO and the procurement office, via County Procurement bid processes as managed by HR Procurement. Starting in FY 18-19 the above-mentioned technology devices will be tracked in an asset management system managed by ISD and assessed a one-time 3% asset management charge to offset the cost of the asset management program.  

 

ISD will focus on the licensing, security and patching of software for countywide systems that are directly managed by ISD.  Licenses, compliance, patching, and security for department-specific or department-managed applications will remain the responsibility of departments.

 

The funding for the replacement of equipment, licensing of software installed on the equipment, and ongoing security patching and replacement of the equipment will continue through a combination of funds (non-departmental, departmental, grant, etc.) based on direction from the County Manager’s Office to ensure that costs are fairly assessed to user departments, and that the source of funding for this plan does not adversely impact the finances of the County.

 

Changes to the IT Budget process and ISD Service Charge system are currently being studied by ISD, CMO and the Controller’s Office with the assistance of external consultants.  This work is scheduled to be complete in FY 17-18 and any changes resulting from that study would be scheduled for implementation as part of the next budget cycle (FY 19-21).

 

Recommendation 2:

The Information Services Department shall schedule replacement of the existing cross charging method with the memorandum charging system for July 2018.

 

                     Response:

Changes to the IT Budget process and ISD Service Charge system are currently being studied by ISD, CMO and the Controller’s Office with the assistance of external consultants.  This work is scheduled to be complete in FY 17-18 and any changes resulting from that study would be scheduled for implementation as part of the next budget cycle (FY 19-21).

 

Recommendation 3:

The Information Services Department shall assume single-point responsibility and accountability for all software security compliance throughout the County.

                     

Response:

ISD is responsible for software licensing and security compliance for all systems managed by ISD, either as a Core Service or on an annual Application Subscription Service basis for departments.

 

Many departments procure and manage their own applications, either on internal servers or as hosted / cloud applications.  Those departments will be responsible for ensuring that the software they procure independently is licensed for the entire lifecycle of each application, and that the licenses are renewed in compliance with the licensing model for each application.

 

Departments are required to complete a “Security Review form” when independently procuring software or signing an agreement with an application service provider.  ISD will revise the current “Security Review Form” to better highlight the ongoing compliance and security responsibilities of departments when signing software agreements.

 

Additionally, ISD will continue to provide a centralized software patching system and security compliance oversight, and will require that all personal computers and servers on the County network be configured to receive patches from this resource, with this configuration to be completed by Dec 2017.

 

An update to the County’s Patch, Virus and Vulnerability Management Policy will be approved by Dec 2017.

 

The report has been reviewed and approved by County Counsel as to form.

 

Acceptance of this report contributes to the Shared Vision 2025 outcome of a Collaborative Community by ensuring that all Grand Jury findings and recommendations are thoroughly reviewed by the appropriate County departments and that, when appropriate, process improvements are made to improve the quality and efficiency of services provided to the public and other agencies.

 

FISCAL IMPACT:

There is no Net County Cost associated with accepting this report.