Item 5 Staff Report Approve Response to Santa Clara County Grand Jury Request for Information on Computer Information Systems Disaster Recovery Plans
MEETING DATE: 8/18/03
ITEM NO.
COUNCIL AGENDA REPORT
DATE: August 11, 2003
TO: MAYOR AND TOWN COUNCIL
FROM: ORRY P. KORB, TOWN ATTORNEY
SUBJECT: APPROVE RESPONSE TO SANTA CLARA COUNTY GRAND JURY REQUEST
FOR INFORMATION ON COMPUTER INFORMATION SYSTEMS DISASTER
RECOVERY PLANS
RECOMMENDATION:
Approve response to Santa Clara County Grand Jury Request for Information on Computer Information
Systems Disaster Recovery Plans.
DISCUSSION:
Prompted by a Santa Clara County Internal Audit in May 2002 concerning shortfalls in disaster recovery
plans and physical security for computer information systems in the Santa Clara Valley Health and Hospital
System, the Santa Clara County Civil Grand Jury initiated an investigation of disaster recovery for computer
systems in all cities in the County.
The attached response acknowledges the report and generally agrees to undertake the recommended action,
the preparation of a written plan, which is consistent with the Information Technology Strategic Planning
Process currently underway by the Town's Administration. Once approved by Council and signed by the
Mayor, the attached letter will be forwarded to the Presiding Judge of the Santa Clara County Superior Court
who supervises the Civil Grand Jury.
ENVIRONMENTAL ANALYSIS:
Responding to the recommendations of the Grand Jury is not a project as defined by CEQA.
FISCAL ANALYSIS:
Responding to the recommendations of the Grand Jury may require some limited outside consultant to study
the feasibility of modifying the Town's MIS record keeping system, and some staff time to develop a plan
for disaster recovery. The response does not commit the Town to significant additional costs.
Attachments: 1. Grand Jury Report -- Inquiry Into Computer Information Systems Disaster Recovery Plans
2. Response Letter
PREPARED BY: ORRY P. KORB, TOWN ATTORNEY
Reviewed by: Town Manager, Assistant Town Manager, Clerk, Finance, Community Development
Rev: 8/11/03
OPK:LMB/wp [N:\ATY\Grand-Jury.Computer.TCR.wpd]
Reformatted: 7/19/99
File# 301-05
June 24, 2003
Debra J. Figone
Town Manager
Town of Los Gatos
110 East Main Street
Los Gatos, CA 95030
Dear Ms. Figone:
JUN 25 2003
The 2002-2003 Santa Clara County Civil Grand Jury is transmitting to you its
Final Report, Inquiry Into Computer Information Systems Disaster Recovery Plans.
California Penal Code, Section 933(c) and 933.05(c) require that an elected
county official or agency head shall respond within 60 days to the Presiding Judge of the
Superior Court, on the findings and recommendations pertaining to matters under the
control of their agency or department. Copies of responses to the Grand Jury's report
must also be submitted to the Board of Supervisors. California Penal Code, Section
933.05 contains guidelines for responses to Grand Jury findings and recommendations
and is attached to this letter.
PLEASE NOTE:
1. As stated in Penal Code 933.05, you are required to "Agree" or
"Disagree" with each FINDING. If you disagree, in whole or part, you
must include an explanation of the reasons you disagree.
2. As stated in Penal Code 933.05, you are required to respond to each
RECOMMENDATION with one of four possible actions.
Your comments are due in the office of the Honorable Thomas P. Hansen,
Presiding Judge, Santa Clara County Superior Court, 191 North First Street, San Jose,
CA 95113, no later than August 25, 2003.
ATTACHMENT 1
SUPERIOR COURT BUILDING • 191 NORTH FIRST STREET, SAN JOSE, CALIFORNIA 95113 • (408) 882-2721 • FAX 882-2795
Copies of all responses shall be placed on file with the Clerk of the Court.
Sincerely,
FRED de FUNIAK
Foreperson
2002-2003 Civil Grand Jury
FdF:dsa
Enc.
California Penal Code §933.05, in relevant part:
933.05. (a) For purposes of subdivision (b) of Section 933, as to each grand jury finding,
the responding person or entity shall indicate one of the following:
(1) The respondent agrees with the finding.
(2) The respondent disagrees wholly or partially with the finding, in which case
the response shall specify the portion of the finding that is disputed and shall include an
explanation of the reasons therefor.
(b) For purposes of subdivision (b) of Section 933, as to each grand jury
recommendation, the responding person or entity shall report one of the following
actions:
(1) The recommendation has been implemented, with a summary regarding the
implemented action.
(2) The recommendation has not yet been implemented, but will be implemented
in the future, with a timeframe for implementation.
(3) The recommendation requires further analysis, with an explanation and the
scope and parameters of an analysis or study, and a timeframe for the matter to be
prepared for discussion by the officer or head of the agency or department being
investigated or reviewed, including the governing body of the public agency when
applicable. This timeframe shall not exceed six months from the date of publication of
the grand jury report.
(4) The recommendation will not be implemented because it is not warranted or is
not reasonable, with an explanation therefor ... .
2002-2003 SANTA CLARA COUNTY CIVIL GRAND JURY
INQUIRY INTO COMPUTER INFORMATION SYSTEMS
DISASTER RECOVERY PLANS
Summary
As a follow-up to audit findings by the Santa Clara County Internal Auditor, the
2002-2003 Santa Clara County Civil Grand Jury (Grand Jury) conducted an
inquiry into the status of computer information systems disaster recovery plans
for cities/towns within Santa Clara County and for selected county
agencies/authorities/districts. The Grand Jury determined that not all
organizations have prepared written disaster recovery plans and that, when such
plans have been prepared, they have not always been tested or updated. A
recommendation is made to improve this situation.
Background
An audit report issued by the Santa Clara County Internal Auditor in May 2002
indicated shortfalls in disaster recovery plans and physical security for computer
information systems of Santa Clara Valley Health and Hospital System
(SCVHHS). In view of this information, the Grand Jury elected to conduct an
inquiry to determine if cities/towns within Santa Clara County and selected
county agencies/authorities/districts had prepared written disaster recovery plans
for computer information systems, and if these plans were regularly tested and
updated.
The primary objective of a computer information systems disaster recovery plan
is to allow mission-critical systems to survive a disaster and support the re-establishment
of normal operations. Our cities/towns and county
agencies/authorities/districts provide many essential services to their citizens. The
disruption of these services following a disaster could result in significant harm or
inconvenience to those who are served.
The Government Finance Officers Association (GFOA), the professional
association of state/provincial and local finance officers in the United States and
Canada, recommends that every government agency formally establish and
regularly update written policies and procedures for minimizing disruptions
resulting from computer failures following a disaster. Specifically, the GFOA
recommends that such policies and procedures accomplish the following:
• Formally assign disaster recovery coordinators for each agency or
department to form a disaster recovery team;
• Require the creation and preservation of backup data;
• Provide detailed instructions for restoring disk files from backup;
• Make provision for the alternative processing of data following a disaster;
• Establish guidelines for the immediate aftermath of a disaster.
In addition, the following actions are recommended by GFOA:
• Copies of the policies and procedures should be kept offsite to assure
availability in the event of a disaster;
• The recovery plan should be tested periodically, and immediate action
should be taken to remedy any deficiencies identified by that testing;
• Steps should be taken to assure the adequacy of disaster recovery plans for
outsourced services.
In order to assess the overall status of computer information systems disaster
recovery planning within Santa Clara County, meetings were held with the
Director, Business Development and Applications, in the Santa Clara County
Information Services Department and with the Chief Information Officer for the
Santa Clara Valley Health and Hospital System. In addition, a survey was sent to:
• Fifteen cities/towns within Santa Clara County;
• Santa Clara County Sheriff's Office, Assessor's Office and Department of
Correction;
• Valley Transportation Authority;
• Santa Clara Valley Water District.
The survey consisted of seven questions:
1. Does a disaster recovery plan exist?
2. Date it was prepared.
3. Date of last major update.
4. Date of last testing of the plan.
5. Are there any access controls in place? If so, please provide a summary.
6. Are routine access reports generated? If so, what is the frequency of their
review?
7. If there is no plan in writing at this time, and if one were to be written,
from whom might you seek help?
Finding
The results obtained from this survey indicate that only six of the fifteen
cities/towns have written disaster recovery plans at this time, and that all of the
selected agencies/authorities/districts have written plans. In addition, it was
determined that only three of the cities/towns and all but one of the
agencies/authorities/districts with written plans have tested them. For security
reasons, the Grand Jury is not divulging the names of the government entities that
lack formal written disaster plans. Those entities not in compliance are aware of
this deficiency, based on information furnished to the Grand Jury.
Nine of the fifteen cities/towns in Santa Clara County do not have written disaster
recovery plans for computer information systems; and not all written plans have
been tested and updated.
Recommendation
All cities/towns within Santa Clara County and all county
agencies/authorities/districts should have written disaster recovery plans for
mission-critical computer information systems, and should regularly test and
update these plans. Managers, supervisors and other personnel with a "need to
know" should have ready access to current versions of the plans.
PASSED and ADOPTED by the Santa Clara County Civil Grand Jury on this 20th day of May,
2003.
Fred de Funiak
Foreperson
on R. La
Foreperson Pro Tem
Patricia L. Cunningham
Secretary
References
Documents
County of Santa Clara, Audit of Data Center Operations, Information Services, Santa Clara
Valley Health and Hospital System (SCVHHS) dated March 1, 2002 (County of
Santa Clara Finance Agency Internal Audit Division, May 17, 2002).
Government Finance Officers Association (1750 K St. N.W., Suite 350, Washington, D.C.
20006), http://www.gfoa.org/services/nllcomputer-disaster-recovery.shtml.
Letter dated January 2, 2003, RE: Information Systems Disaster Recovery and Physical Security,
City Manager, City of Morgan Hill.
Letter dated January 14, 2003, RE: Information System Disaster Recovery and Physical Security,
County of Santa Clara, Office of the Sheriff.
Letter dated January 14, 2003, RE: Information Systems Disaster Recovery and Physical
Security, City of Mountain View.
Letter dated January 17, 2003, RE: Information System Disaster Recovery and Physical Security,
City of Campbell, City Manager's Office.
Letter dated January 16, 2003, Information Systems Disaster Recovery and Physical Security,
Chief Executive Officer, Santa Clara Valley Water District.
Letter dated April 17, 2003, RE: Information Systems Disaster Recovery and Physical Security,
City of Palo Alto.
Letter dated January 6, 2003, RE: Information Systems Disaster Recovery and Physical Security,
City of Cupertino.
Letter dated January 14, 2003, RE: City of Gilroy's Information System Disaster Recovery and
Physical Security, City of Gilroy.
Letter dated January 15, 2003, RE: Information Systems Disaster Recovery and Physical
Security, Town of Los Gatos, Office of the Town Manager.
Letter dated January 15, 2003, Information Recovery and Physical Security,
City of Sunnyvale.
Letter dated January 15, 2003, Information Recovery and Physical Security,
City of Santa Clara, Office of City Manager.
Letter dated April 1, 2003, RE: Information System Disaster Recovery and Physical Security,
City of Saratoga.
Letter dated January 17, 2003, RE: Information System Disaster Recovery and Physical Security,
City of San Jose.
Letter dated January 16, 2003, RE: Information System Disaster Recovery and Physical Security,
County of Santa Clara, Office of the County Assessor.
Letter dated January 23, 2003, RE: Information System Disaster Recovery and Physical Security,
County of Santa Clara Department of Correction.
Letter dated March 25, 2003, RE: Information System and Physical Security,
Los Altos Hills.
Letter dated January 16, 2003, RE: Information Systems and Disaster Recovery and Physical
Security, Chief Operating Officer, Santa Clara Valley Transportation Authority.
Letter dated March 25, 2003, RE: Information System and Physical Security and Disaster
Recovery, City of Monte Sereno, Office of the City Manager.
Letter dated December 10, 2002, RE: Information System and Disaster Recovery,
County of Santa Clara, Office of the County Executive, Information Services Department.
Letter, dated November 22, 2002, RE: Information Security Policies, Chief Information Officer,
SCVHHS.
Letter, dated April 14, 2003, RE: Update to Information Services Business Continuity Plan,
Effective March 31, 2003, Robert C. Feldman, Chief Information Officer, Santa Clara Valley
Health & Hospital System.
Meetings
Chief Information Officer, Santa Clara Valley Health & Hospital System, November 20, 2002.
Director, Business Development and Applications (and staff), Santa Clara County Information
Services Department, October 23, 2002.
OFFICE OF THE MAYOR AND TOWN COUNCIL
(408) 354-6801— FAX: (408) 399-5786
Sandy Decker, Mayor
Steve Glickman, Vice Mayor
Diane McNutt, Council Member
Joe Pirzynski, Council Member
Mike Wasserman, Council Member
August 12, 2003
Honorable Thomas P. Hansen
Presiding Judge
Santa Clara Superior Court
191 North First Street
San Jose, CA 95113
RE: 2002-2003 SANTA CLARA COUNTY CIVIL GRAND JURY REPORT - INQUIRY
INTO COMPUTER INFORMATION SYSTEMS DISASTER RECOVERY PLANS
Dear Judge Hansen:
The Town of Los Gatos, pursuant to Penal Code sections 933(c) and 933.05(c), hereby responds to the
finding and recommendation contained in the above report of the Civil Grand Jury.
FINDING:
Nine of the fifteen cities/towns in Santa Clara County do not have written disaster
recovery plans for computer information systems; and not all written plans have been
tested and updated.
RESPONSE:
To the best of the Town's knowledge and in reliance on the fact finding of the Civil Grand Jury, the
Town agrees with the finding.
RECOMMENDATION:
All cities/towns within Santa Clara County and all county agencies/authorities/districts
should have written disaster recovery plans for mission-critical computer information
systems, and should regularly test and update these plans. Managers and supervisors
and other personnel with a "need to know" should have ready access to current versions
of the plans.
RESPONSE:
The recommendation has not been fully implemented. While the Town does not currently have a
written plan, it has procedures in place to ensure recovery of data. Given the relatively small size of
ATTACHMENT 2
Honorable Thomas P. Hansen
August 8, 2003
Page 2
the Town's computer network, server back-up tapes are made daily and copies of the tapes are stored
off site. These procedures are occasionally tested and with success. The Town is currently developing
an Information Technology Strategic Plan, which includes the development of a written business
recovery plan for key business systems, networks and other supporting infrastructure. The Town is
working to complete this process by fiscal year 2004-2005. Once complete, the Town intends that this
plan be available to key personnel. The Town shall continue to test its procedures in the manner it
deems appropriate.
We trust that this fully responds to the report.
Sincerely,
SANDY DECKER
Mayor
SD:pg
N:\ATY\grand.jury.computer.letter.wpd
cc: Town Council
Town Council Minutes August 18, 2003
Redevelopment Agency Los Gatos, California
PERSONNEL BOARD/OPENINGS (00.12)
Mayor Decker announced that two applications had been received from Cecelia Bass and Cristina
Piasecki for one vacancy on the Personnel Board. Due to a scheduling conflict, this opening will be
re-agendized for September 15, 2003.
ARTS COMMISSION COMMENDATIONS (00.28)
Mayor Decker announced that there were two Town Commendations for Carla Dougher and David
Breidenthal for their years of dedicated service on the Arts Commission. They were not present to
receive their commendations which will be delivered to them.
SCHEDULE OF PUBLIC HEARINGS (01.28)
Motion by Mr. Glickman, seconded by Mr. Pirzynski, that Council accept and file informational report
regarding currently scheduled public hearings. Carried unanimously.
RATIFICATION OF PAYROLL/JULY-AUGUST 2003 (02.V)
Motion by Mr. Glickman, seconded by Mr. Pirzynski, that Council ratify the check register for payroll
of July 20, 2003 through August 2, 2003 paid on August 8, 2003 in the amount of $562,013.72. Carried
unanimously.
ACCOUNTS PAYABLE/RATIFICATION/AUGUST 2003 (03.V)
Motion by Mr. Glickman, seconded by Mr. Pirzynski, that Council ratify the accompanying check
registers for accounts payable invoices paid on August 1, 2003 and August 8, 2003 in the amount of
$968,062.43. Carried unanimously.
MINUTES OF AUGUST 4, 2003 (04.V)
Motion by Mr. Glickman, seconded by Mr. Pirzynski, that Council approve the Minutes of August
4, 2003, Regular Joint Town Council/Redevelopment Agency Meeting as submitted. Carried
unanimously.
SANTA CLARA COUNTY GRAND JURY/COMPUTER SYSTEMS DISASTER RECOVERY (05.41)
Motion by Mr. Glickman, seconded by Mr. Pirzynski, that Council approve response to Santa Clara
County Grand Jury Request for Information on Computer Information Systems Disaster Recovery
Plans. Carried unanimously.
UNIVERSITY AVENUE 605/SOLAR PANELS/RESOLUTION 2003-97 (06.15)
Motion by Mr. Glickman, seconded by Mr. Pirzynski, that Council adopt Resolution 2003-97 entitled,
RESOLUTION OF THE TOWN OF LOS GATOS DENYING AN APPEAL OF A DECISION
OF THE PLANNING COMMISSION DENYING A REQUEST TO MODIFY THE EXTERIOR
OF A COMMERCIAL BUILDING BY INSTALLING UNSCREENED SOLAR PANELS ON
A LOT ZONED LM. Carried unanimously.
Mr. Wasserman thanked the Attorney for the resolution that noted the Town's various development
policies which harmonize with the Town's practices and policies intended to preserve its architectural
quality, small town charm, historic character, and which also strongly support the use of energy
conservation and alternative energy technologies.
N:\CLK\Council Minutes\20031M 08-18-03.wpd