02/25/1999, 1 - YEAR 2000 COMPLIANCE UPDATE
Council Agenda Report

CITY OF SAN LUIS OBISPO

FROM: Bill Statler, Director of Finance
      Robert F. Neumann, Fire Chief
Prepared By: Teri Maa, Information Systems Manager

SUBJECT: YEAR 2000 COMPLIANCE UPDATE

CAO RECOMMENDATION

■ Review and discuss the City's efforts to ensure Year 2000 (Y2k) compliance.
■ Review and discuss the City's Y2k disaster preparedness efforts.
■ Adopt the Y2k master plan.
■ Approve funding in the amount of $207,000 for Y2k disaster preparedness and response resources as part of the 1998-99 mid-year budget review.

REPORT-IN-BRIEF

The City has been working hard to ensure that our most important information technology systems will be Year 2000 (Y2k) compliant by June of 1999. Additionally, we have been working closely with community-based groups and others on community awareness of the Y2k problem. We have also started planning for Y2k failures by other outside agencies that may affect City operations.

As discussed more fully below, viewing Y2k compliance as part of our overall disaster preparedness program has become a major focus of our efforts at this point. In this context, we believe that the Y2k planning challenges ahead of us are not significantly different from our other disaster planning efforts for events such as fire, floods or earthquakes. These will all potentially disrupt City services and result in calls for City emergency services.

In this context, this update addresses two key issues: the City's internal efforts to assure Y2k compliance for our information technology systems; and our broader efforts to use this opportunity to go beyond this more-narrowly defined problem to improve our overall disaster planning and response capabilities.
DISCUSSION

Background

In September of 1998, we reviewed with the Council: what the Y2k problem is; actions taken to-date to address this problem; and recommended key steps to ensure that all "mission-critical" computers, software, special applications, data communications and control systems are fully compliant by June 1, 1999. An agreement was executed with the firm of Information, Integration and Innovation & Associates (I3) to help keep the project on track, provide timely technical advice and direction, and to augment in-house resources available to manage this project.

Scope of the Problem

As discussed with the Council last September, there are three kinds of problems facing us in assuring that our information technology systems are Y2k compliant:

■ Business process applications and systems. This is what we most commonly think of when considering technology systems. It includes software and hardware used for daily business operations, such as desktop work stations, file servers, printers, operating system software and office automation software as well as functional applications like GIS, public safety and finance systems. These include "off-the-shelf" software or package systems like Office 95 and GroupWise; major systems purchased from "turnkey" vendors like our GIS, public safety and finance systems; and locally developed applications using FoxPro (or other data base software) like our land use inventory, building permit and work order systems.
■ Process and control systems. These are often hard to identify, because they use "embedded" software and hardware for facilities and equipment, such as HVAC systems, telecommunications systems (telephones, voice mail, data communications), security systems, traffic signals, process control systems at our water treatment and wastewater reclamation plants, vehicle fuel pumps, street lights, radio communications or telemetry systems.
■ Data exchanges with other organizations. We rely on electronic information from other agencies, and other agencies rely on electronic information from us. Examples include investments, banking, PERS, payroll deposits, wire transfers and law enforcement information. In short, we rely upon electronic data from other agencies for a number of "mission-critical" operations, and they rely upon it from us. The problem: even if our own systems are Y2k compliant, this will not mean much if others we rely upon for electronic interfaces are not Y2k compliant as well.

Business process applications and systems probably pose the lowest risk to the City for two reasons:

■ Based on the 1995 information technology master plan, we have started replacing or upgrading virtually all of our "mission-critical" applications like desktop hardware and software, local and wide area network systems, and public safety, finance and GIS applications. All of these efforts are underway and will be completed well before the Year 2000.
■ Replacing "non-mission critical" systems should be relatively easy and inexpensive (assuming we begin to do so on a timely basis); and the consequences of not being Year 2000 compliant will be less significant.

Our main risks—results of detailed inventory. In general, we are much more likely to experience serious difficulties with the "process control" and "data exchange" systems since they are less visible, and in many cases, beyond our control to fix. Based on a comprehensive inventory of all three types of systems—which included detailed follow-ups with our vendors—we have concluded that we have minimal Y2k compliance issues with our business and process control systems. In most cases, any identified problems can be addressed within existing resources, and well before the Year 2000 rolls around.
Electronic interfaces, however, are more problematic, and we are following up with our key "electronic partners" on this. Since we do not control their actions, most of our efforts will be focused on contingency plans for how we will operate if our "electronic partners" experience Y2k failures affecting our operations. Further, as discussed below, there are critical, "non-electronic" services we rely upon from others in delivering essential services to our community. The most critical of these is electrical power, and planning for disruption in this service has become a key focus in our preparedness efforts.

Y2k Master Plan

Attached is our master plan for assuring that our most important information technology systems are Y2k compliant—and well before the Year 2000. As outlined in this plan, it is our goal to do this by June of 1999. Realistically, all of our systems may not be compliant by then; and in fact, some systems may not be fully compliant until after January 1, 2000. Because of this, we are focusing our efforts on the most important systems; and by resolving most of our Y2k compliance issues by June of 1999, we can then focus our efforts on those few, high priority issues that remain.

As summarized below, there are nine key tasks in the master plan associated with assuring Y2k compliance. For each of these, the plan sets forth: the goal for each task; the action plan; and our status as of February 1999:

■ Creating awareness—both within the organization and community.
■ Identifying critical business processes—as noted above, we may not be able to address all of our Y2k problems by January 1, 2000; but we need to address the most important ones.
■ Conducting a comprehensive inventory of our information technology systems.
■ Assessing the results of the inventory.
■ Developing solutions based on the inventory and assessment.
■ Pre-testing existing applications that are supposed to be Y2k compliant (as stated by the vendor) to ensure that they actually are.
■ Implementing solutions as needed.
■ Testing solutions after they are installed to ensure that they work.
■ Planning for Y2k failures by others.

In addition to focusing on just Y2k compliance, our work program includes developing an organization-wide disaster prevention and recovery plan for our information technology systems. Again, as noted above, there are a number of reasons why our technology systems might fail, and we are using our Y2k compliance efforts as an opportunity to address this broader issue.

Current Status of Efforts

While more fully discussed in the master plan, key accomplishments to-date include:

■ Replacing "mission-critical" hardware and application software as part of the information technology master plan adopted in April of 1995.
■ Forming an organization-wide "Y2k task force" with representatives from every department, and completing an initial inventory of our systems.
■ With consultant assistance, completing an initial compliance assessment.
■ Adopting a procurement policy that ensures that any new purchases are Y2k compliant.
■ Hiring a consultant (Information, Integration and Innovation & Associates) to assist us in our Y2k planning efforts.
■ Completing a comprehensive inventory of our systems, and assessing the results for follow-up action. Based on this assessment, we have already started patching, fixing, upgrading or replacing most of the non-compliant hardware and software identified by our vendors.
■ Informing the organization and community about our Y2k compliance efforts, including information on our web site and an article in our recent parks and recreation brochure, which is distributed to over 18,000 residences and other locations.
■ Adopting a policy for replying to requests by others about the status of our Y2k efforts.
■ Identifying "critical" processes with representatives from every department and completing an initial prioritized list of our processes.
The final prioritized list will help us to focus and assure remediation of those technology systems that impact our most essential services.
■ Beginning pre-testing for key applications identified by our vendors as Y2k compliant.
■ Working closely with a community-based group—the San Luis Obispo County Y2k Action Alliance—to inform our community about Y2k issues, and what they should be doing personally in planning for this.

Community Awareness

As noted above, we believe informing our community about Y2k issues—and what they should be personally doing about them—is an important element of our Y2k efforts. The Fire Chief, as the City's chief disaster preparedness official, has taken the lead in this regard.

An important part of this awareness effort is reassuring the public that the Y2k issue is manageable, and that the City is taking our responsibility to deliver essential services and respond to Y2k problems very seriously. Fortunately, there is a new community-based group which is concerned about these same issues—the San Luis Obispo County Y2K Action Alliance. We believe our best approach is to work closely with this group, which meets every Tuesday morning at the Headquarters Fire Station. We have been very effective in participating in a number of talks, meetings, and a symposium held at the SLO Vet's Hall in conjunction with this group, and a news conference is planned for February 22.

Future Action Alliance activities include more town hall-type meetings and talks, disaster preparedness symposiums, and a variety of media events to help educate the entire County. We plan to continue being active with this group, as we believe a County-wide, community-based approach will be the most effective one. Within the City, we will continue to educate and train our citizens through the Fire Department's Community Emergency Response Team (CERT) program.
In addition, we will be developing a utility bill insert detailing our actions and guidelines for preparedness, which will be issued in the Spring of 1999.

As the year unfolds, we will continue to monitor the effectiveness of our community awareness efforts. We will keep the Council updated about them, and return for further direction should it be needed.

Master Plan Next Steps

Our next steps include:

■ Developing solutions and beginning to implement them. Based on the completed assessment of our current systems, and completion of our review of "critical business processes" currently underway, we can begin developing and implementing the "best" solutions. As noted above, many of these efforts are already completed or substantially underway.
■ Testing solutions. We need to ensure our "solutions" work well before the Year 2000 rolls around.
■ Planning for Y2k failures by others. We need to have contingency plans for how we will conduct business if some of our most important Y2k "electronic partners" (like federal, state and county law enforcement agencies) or other important service providers (such as PG&E and Pacific Bell) are not Y2k compliant when the Year 2000 arrives.
■ Preparing a disaster prevention and recovery plan. The City has a series of plans dealing with the mitigation of any major emergency that might strike the City. As part of their Y2k efforts, I3 is designing a technology disaster recovery plan. Fire Department staff has met with I3, shared existing plans, and requested that the technology disaster recovery plan be designed to dovetail into our existing documents. In the future, as our plans are amended, our information technology disaster prevention and recovery plan will be directly included.

Schedule for Completing this Work

As reflected in the following schedule, our goal is to complete our Y2k compliance efforts by June of 1999.
This should provide us with adequate time to ensure that fixes are running correctly and remediation efforts are underway. In those cases where we are not able to fully assure compliance by June of 1999, this will allow us to focus our efforts on the most important applications, and to develop contingency plans in the event of Y2k failures by others.

Activity | Target
• Implement ongoing awareness plan | In progress
• Develop an overall Y2k master plan | November 4, 1998
• Monitor progress of the master plan | Ongoing
• Decide remaining remediation efforts | November 15, 1998
• Complete inventory; begin analysis | January 1, 1999
• Begin identifying critical business processes | January 14, 1999
• Update Council on Y2k status; receive funding authorization for selected remediation projects | February 25, 1999
• Complete business process prioritization | March 15, 1999
• Finish conducting pre-tests | March 31, 1999
• Develop disaster recovery plan | April 15, 1999
• Complete remediation and testing–Y2k compliance efforts "completed;" continue preparing contingency plans for Y2k failures by others and implementing solutions as needed | June 1, 1999

Improved Disaster Preparedness Opportunities

As noted above, we are using this opportunity to take a broader look at our information technology disaster prevention and recovery plans. In this context, we believe that Y2k problems should be handled like any other disaster that might strike us. This means we should continue to encourage the general public to be prepared to take care of their essential needs for a minimum of 72 hours (three days).

In terms of City services, the Fire Department staff has been working over the past several years towards reaching the goal of ensuring that most of the City's operations can stand on their own for a minimum of 72 hours. The City's emergency operations (Police and Fire) are designed to go even longer, from seven to ten days.
There are five areas of preparedness facing us in this regard:

■ Essential sewer and water services—power concerns. One area of concern that the Y2k issue has highlighted is electrical power service. Lately, many disaster preparedness planners have concluded that the nation's electric service, for reasons not solely related to Y2K, is becoming increasingly challenged. There are a variety of reasons for this:

  • Population increase
  • No new power plants
  • Increased electrical demands
  • Possible decommissioning of nuclear power plants

Given the changes occurring in the power industry, we have analyzed what it would take to increase the City's goal of delivering the essential services of sewer and water delivery from 3 days to 7 days without electric service. There are three primary factors to consider.

  • Reducing service levels. We can significantly extend our ability to deliver water to residents during an extended power outage by reducing the level of water service at which the system normally operates.
  • Water conservation. Our past experience shows us that when requested, the community can cut back dramatically on their water use, thus extending system service significantly.
  • Emergency power. We can further extend our service delivery time frames by increasing the availability of stand-by generators and pumps.

Considering these factors, we believe that with careful management and augmenting our electrical supply with emergency generators and pumps, we can run the sewer and water systems well beyond the seven day goal. It must be emphasized that when operating in an emergency mode, the systems will not be delivering their normal service levels. In fact, a very small portion of the community (approximately 25-30%) will have its water delivery on a rotating, scheduled basis in a prolonged power outage.
Additionally, the upper Alrita Street area (6-8 residences) and the Reservoir Canyon Road (2 houses) will be without water until electric service is restored. Staff will provide portable water tanks in these areas.

To better meet water and sewer service delivery needs in the event of a prolonged power outage (for whatever reason—fire, flood, earthquake or Y2k failures), we recommend adding the following generators and pumps to our equipment inventory:

  • Four 100 kw generators on trailers ($40,000 each, including installation—$160,000).
  • One 4-inch mechanical pump and diesel motor ($25,000).

Adding these resources will enable City crews to essentially run the systems for an indefinite period of time. An added benefit is that they can be used for other purposes—such as lighting, cooking, and heating—in the event that the City is struck by a major emergency. Also, they will provide additional electric generation capacity at other essential City facilities—such as the Police Station, Fire Stations, Corporation Yard or City Hall—should their systems fail or need augmentation.

■ Secure computer systems. Throughout the City, workstations should be physically secured to withstand the impact of an earthquake and the network backed-up with uninterrupted power supplies. We will propose funding for this effort in the 1999-2001 Financial Plan.
■ Communication equipment. With the loss of electrical supply for any extended duration, the phone system is likely to fail. The addition of fifty 16 channel portable radios, spare batteries, and chargers would assure good internal communications should this occur. These radios would be cached at the Fire Department EOC and used only in the event of an emergency.
■ Emergency food caches. Staff recommends installing emergency food caches at the water reclamation and water treatment plants to bring these facilities up to the City's standards of covering workers for 72 hours.
■ Fuel contracts. Our existing fuel systems have plenty of capacity. However, in the case of a long-term electric outage, distribution could be a problem. We are in the process of developing contractual agreements with a local fuel provider so that at our request, a delivery truck would immediately become available for supplying outlying emergency generator systems such as the Whale Rock Reservoir, Police Station and Fire Stations. In addition, a propane supply for refueling the propane generator at the water reclamation facility and City Hall will be contractually guaranteed. Until used, these contracts have no fiscal impacts.

The following summarizes estimated costs to augment existing emergency equipment, supplies and caches:

  • Radios: $17,000
  • Generators ($35,000 each; four generators will cost $140,000 plus $20,000 for associated retrofit and wiring cost): 160,000
  • Pump: 25,000
  • Mailer/advertising: 2,000
  • Fuel contracts (in process) *
  • Food caches (update existing and add new): 3,000
  Total: $207,000

  * As noted above, there are no immediate impacts for this; costs will not be incurred until fuel supplies are needed.

The water ($110,000) and sewer ($75,000) funds will be responsible for the generator and pump costs; the General Fund will be responsible for the remaining costs ($22,000). Funding for these improvements has been requested as part of the 1998-99 mid-year budget review.

Again, it is important to note that the Y2k issue is not the only driver for these additions to our disaster preparedness complement. All the requested actions would serve the City well in any emergency that may strike us.

CONCURRENCES

The MIS Steering Committee and the affected departments concur with this recommendation.

FISCAL IMPACT

■ Disaster preparedness efforts.
A mid-year budget request has been submitted with the following recommended funding plan based on benefit:

  General: $22,000
  Water: 110,000
  Sewer: 75,000
  Total: $207,000

■ Remediation efforts. No appropriations for Y2k remediation are requested at this time; departments are using existing operating and capital improvement plan budgets to address currently known problems. However, as our implementation efforts continue, we may identify other required improvements that cannot be made within current resources. On a case-by-case basis, we will return to the Council for direction as needed.

ATTACHMENTS

■ Year 2000 Master Plan
■ San Luis Obispo County Y2k Action Alliance Mission Statement
■ Excerpt from City Web Site on Y2k Compliance Efforts

ATTACHMENT 1

Year 2000 (Y2k) Master Plan
February 1999

Prepared By
Department of Finance, Information Systems
Information, Integration, Innovation & Associates

City of San Luis Obispo

The City of San Luis Obispo Y2k Master Plan.

Table of Contents

PROCESS APPROACH
PROJECT OVERVIEW
  GOAL OF THIS PROJECT
  PURPOSE OF THIS PLAN
  BACKGROUND
  OBJECTIVES TO ACHIEVE GOAL
AWARENESS
  PURPOSE
  AWARENESS OBJECTIVES
  BUILDING AWARENESS
  MANAGEMENT AWARENESS BRIEFINGS
  COMPLIANCE DEFINITION
  ORGANIZATION AWARENESS PROGRAM
    Present Management Awareness Briefings
  ORGANIZATION AWARENESS PROGRAM TASKS
    Distribute Year 2000 Project Establishment Notification
    Distribute Year 2000 Notification to Contract Staff
    Distribute Year 2000 Notification to Legal Counsel
    Distribute Year 2000 Notification to City's Public Affairs
    Distribute Year 2000 Notification to Contractors, Business Partners, and Electronic Partners
    Distribute Year 2000 Notification to Employees
  POLICY AND PUBLIC RELATIONS PLAN
    Identify Project Responsibilities for Legal Counsel
    Identify Project Public Relations Coordination
    Status of Task
IDENTIFY CRITICAL CITY BUSINESS PROCESSES
  PURPOSE
  OBJECTIVES
    Develop Criteria for Criticality
    Identify Critical Business Functions
    Prioritize the Systems supporting the Business Functions
    Status of Task
CONDUCT AN INVENTORY
  PURPOSE
  OBJECTIVES
  SYSTEM INVENTORY
    Develop System Survey
    Perform System Survey
    Verify System Inventory
    Establish Change Control
  INVENTORY DIAGRAM
    Develop Inventory Schematic
    Status of Task
ASSESSMENT
  PURPOSE
  OBJECTIVES
    Identify Systems Affected
    Verify Mission Criticality
    Divide the Systems and Hardware into In-house and Vendor Supported Groups
    Develop a plan for addressing both groups
    Status of Task
DEVELOP SOLUTION SET
  PURPOSE
  OBJECTIVES
    Vendor Supported Hardware
    Vendor Supported Software
    In-House Supported Hardware and Software
    Status of Task
PRETESTING
  PURPOSE
  OBJECTIVES
    Hardware Pre-testing
    Software Pre-testing
    Status of Task
IMPLEMENT THE SOLUTION SET
  PURPOSE
  OBJECTIVES
    Status of Task
CONDUCT POST-TESTING
  PURPOSE
  OBJECTIVES
    Standardize the Current Operating Environment
    Identify System Clock Issues
    Establish a Test Environment and Procedures
    Develop a Test Plan
    Prepare Test Data
    Conduct Tests Simultaneously with Repairs
    Status of Task
PLAN FOR Y2K FAILURES ON THE PART OF OTHERS
    Support Agencies
    Organizations with Electronic Interfaces
    Vendors
    Status of Task
WORK SCHEDULE FOR ALL TASKS, PHASES, AND ACTIVITIES
  CHART 1 - TENTATIVE SCHEDULE OF DELIVERABLES FOR Y2K MASTER PLAN
  CHART 2 - TENTATIVE SCHEDULE OF TASKS AND FINAL DRAFT DUE DATES (Y2K)
REPORTING
PLAN MAINTENANCE
GLOSSARY

Process Approach

This section discusses the guiding philosophy and general process to be employed in successfully completing this project.

The guiding philosophy in this project is to coordinate and work closely with The City of San Luis Obispo staff and the project manager. We will incorporate SLO staff ideas, comments, and needs into all documents. This will be a major focus of our effort.

To facilitate the exchange of ideas, avoid surprises, and ensure a cooperative work effort, we will submit to SLO a draft of all deliverables.
SLO will review and provide comments for each deliverable document. The following procedure is used for each deliverable document:

1. The responsible I3 consultant will discuss a draft with the project manager (Information Systems Manager). These comments will be included in the final draft.
2. The final draft is then delivered to the SLO project manager, who will approve the final draft or request modifications as appropriate, normally within five working days.
3. Upon satisfactory completion, SLO project manager will approve and accept the deliverable document.

Project Overview

In this section, we describe the goal of the project, the purpose of the project plan, delineate the scope of effort, and summarize the objectives.

Goal of this Project

The goal of this project is to create a documented set of tasks, which will facilitate the establishment of a comprehensive, effective, and efficient Y2k Master Plan for the City of San Luis Obispo. These tasks will provide the basis for tailoring, bridging and maintaining conformance with Y2k remediation efforts.

Purpose of this Plan

The purpose of this plan is to delineate a strategy for identifying, assessing and performing remediation for any potential Year 2000 failures for the City of San Luis Obispo. This plan will describe project tasks, deliverables, schedule, and controls to ensure a cooperative and successful joint effort by staff from I3 & Associates and the City of San Luis Obispo. In particular, this plan is designed to ensure that the joint effort successfully obtains the objectives cited below while remaining on time and within budget.

Background

The Year 2000 problem results from an overriding computer programming technique originating in the late 50s and 60s; namely, memory was expensive and all data was stored so as to minimise the use of computer memory. There was a well-documented and financially justifiable basis for this technique.
As a result, programmers stored date information in a format like MMDDYY or YYMMDD. In either case, dropping the first two digits shortened the year. If the year was stored alone, it was stored as YY. Computer programming logic expected a two-digit year. Leap years were calculated by dividing the two-digit year by 4. If the result were a whole number, then the year was a leap year.

This concept of storing dates also applied to the design and manufacture of computer chips and a wide variety of electronic equipment, such as gauges, pumps, meters, etc. Computers were built with internal clocks imbedded in their BIOS, which operated on the logic of a two-digit year. Adding one to the two-digit year advanced the year.

There are three specific problems which result and which are collectively referred to as the Year 2000 problem:

• Internal clocks in computers and other electronic circuitry cannot transition from 99 (1999) to 00 (2000). They will stop operating, incorrectly calculate the transition to 1900, or revert to a default date, such as the date of manufacture (e.g. June 1, 1996).
• The next problem occurs for systems which can correctly transition to 00. When computer program logic calls for a date check, such as subtracting 90 (1990) from the current year, and the current year is 2000 (reflected as a 00), the result will not be 10, which is the correct response. Rather, it will often be (-90). It is calculated as follows: 00 - 90 = -90. There are other similarly incorrect calculations, all producing unpredictable impacts on program processing. This has enormous implications across all areas of our computer dependent society.
• The Leap Year Problem is the last of the problems caused by the year 2000. As indicated earlier, programmers determined a leap year by dividing the two-digit year by 4. If the result were a whole number, they would include February 29th in the program logic.
When you divide 00 by 4, you get 0, which is not a whole number, so virtually all programs will assume the year 2000 is not a leap year. Unfortunately, the year 2000 is a leap year because it complies with another, more obscure rule, the essence of which is that any year divisible by 400 is a leap year. Hence 1900 was not a leap year, 2100 will not be a leap year, but 2000 is a leap year. Imagine the consequence if a payroll system does not record employee hours on February 29th, resulting in your employees losing a day of wages.

In sum, the Year 2000 problem is actually three separate problems, even though it is not always clear. For example, a manufacturer who certifies a piece of electronic equipment as Year 2000 compatible may not be including certification of the leap year problem.

Objectives to Achieve Goal

The City of San Luis Obispo has constructed a set of observable and achievable objectives whose successful accomplishment will realize the stated project goal. These objectives are:

1. Develop a comprehensive overall Master Plan that will address all tasks, activities, schedules, controls, and processes to be followed in successfully achieving the objectives of this project. This document will accomplish that objective.
2. Adopt a new procurement policy - As a matter of policy for every department, do not purchase anything without a solid certification of Year 2000 compliance from the manufacturer.
3. Develop an Awareness Plan - The next immediate step is to build an awareness plan, encompassing not only city governance, but also all city employees and the citizenry.
4. Identify critical city business processes and prioritize them in order of importance - Conduct an assessment of key city processes and sub-processes, and then arrange them in a priority sequence according to importance of the City's mission.
5. Develop a litigation strategy - Prepare for Year 2000 litigation from citizens because of disruption of some critical service or from a business which considers itself inappropriately disadvantaged by a Year 2000 failure for which the city is considered responsible.
6. Conduct a comprehensive inventory - Make a detailed inventory of all equipment, computers, and software which in any way may include computer code logic or circuitry which records or processes date information, and which may be affected by one of the Year 2000 problems.
7. Conduct an assessment of any identified or potential Y2k problems - The assessment process must identify those systems and hardware that need to be fixed and what steps are necessary to make repairs by the first day of the year 2000.
8. Develop solution set - This includes designing software solutions, possibly replacing hardware and equipment, and obtaining manufacturer certification.
9. Conduct Pre-testing - Conduct early warning testing where appropriate on PC's and any other feasible hardware.
10. Implement solution set - This includes modifying software, replacing computer chips, procuring new software or hardware, and obtaining certification from the vendors.
11. Conduct post-testing - Testing in this sense is broad and includes all those actions necessary to assess full compliance. Normally the tests are conducted immediately after implementation of the solution set. Test results are compared where appropriate with pre-test data to ensure full remediation.
12. Plan for Year 2000 failures on the part of others - Consider all the support and interfacing systems on which the key processes of the city rely. Assume these systems may not achieve full compliance and evaluate the possible impact of impaired or disrupted service for a time after January 1, 2000. Prepare contingency plans for each system that affects a critical business process.
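The three failure modes described in the Background section can be reproduced and checked in a few lines. The following Python sketch is an added example, not part of the City's plan: the legacy routines model two-digit-year behaviour (reading 00 as 1900 and applying the century exception without the 400-year rule, two common ways a program ends up skipping February 29, 2000), the corrected routines use a windowing pivot and the full leap-year rule, and `audit` flags MMDDYY fields where the two disagree. The pivot of 50, all function names and the sample records are assumptions constructed for illustration.

```python
from datetime import date

PIVOT = 50  # assumption: two-digit years below 50 mean 20YY, the rest 19YY

# Constructed sample fields in MMDDYY format (not City data).
SAMPLE_FIELDS = [
    ("hire_date", "060190"),
    ("timesheet", "022900"),
    ("permit_issued", "123199"),
    ("bad_field", "023099"),
]


# --- Legacy behaviour described in the Background section ---

def legacy_next_year(yy):
    """Two-digit year counter: adding one to 99 wraps around to 00."""
    return (yy + 1) % 100


def legacy_years_between(start_yy, current_yy):
    """Date check done directly on two-digit years (00 - 90 = -90)."""
    return current_yy - start_yy


def legacy_is_leap(yy):
    """Reads YY as 19YY and omits the 400-year rule, so 00 is not a leap year."""
    year = 1900 + yy
    return year % 4 == 0 and year % 100 != 0


def legacy_accepts(text):
    """Would a calendar built on legacy_is_leap accept this MMDDYY date?"""
    mm, dd, yy = int(text[0:2]), int(text[2:4]), int(text[4:6])
    feb = 29 if legacy_is_leap(yy) else 28
    days = [31, feb, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return 1 <= mm <= 12 and 1 <= dd <= days[mm - 1]


# --- Corrected logic ---

def expand_year(yy, pivot=PIVOT):
    """Windowing: map a two-digit year onto a four-digit year."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year out of range: {yy}")
    return 2000 + yy if yy < pivot else 1900 + yy


def is_leap(year):
    """Every 4th year is a leap year, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def years_between(start_yy, current_yy, pivot=PIVOT):
    """Elapsed years computed on expanded four-digit years."""
    return expand_year(current_yy, pivot) - expand_year(start_yy, pivot)


def parse_mmddyy(text, pivot=PIVOT):
    """Parse an MMDDYY field into a real date; raises ValueError if impossible."""
    if len(text) != 6 or not (text.isascii() and text.isdigit()):
        raise ValueError(f"not an MMDDYY field: {text!r}")
    mm, dd, yy = int(text[0:2]), int(text[2:4]), int(text[4:6])
    return date(expand_year(yy, pivot), mm, dd)


def audit(fields, current_yy):
    """List (name, value, reason) for fields where legacy and corrected logic differ."""
    findings = []
    for name, text in fields:
        try:
            parse_mmddyy(text)
        except ValueError:
            findings.append((name, text, "invalid date"))
            continue
        if not legacy_accepts(text):
            findings.append((name, text, "valid date rejected by legacy calendar"))
        yy = int(text[4:6])
        if legacy_years_between(yy, current_yy) != years_between(yy, current_yy):
            findings.append((name, text, "elapsed years differ"))
    return findings


if __name__ == "__main__":
    # Run the audit as if the system clock reads year 00 (2000).
    for finding in audit(SAMPLE_FIELDS, 0):
        print(finding)
```

A windowing pivot only defers the ambiguity of two-digit years; storing four-digit years removes it.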
Awareness

This section explicitly addresses those actions necessary to increase awareness amongst the city staff and citizenry of San Luis Obispo and discusses "How To" build an Awareness Plan.

Purpose

The purpose of the San Luis Obispo Year 2000 Awareness is:

• To keep all city staff sufficiently informed of the city's Year 2000 remediation efforts so that they are confident we are on target and that they know enough to exercise initiative in problem identification and solution.
• To inform the citizenry sufficiently so that they are confident that the city will be either unaffected by Year 2000 concerns or has planned appropriately to maintain essential city services should any disruption occur.
• To respond to any inquiries from citizens, businesses, business partners, and other state and federal agencies with accurate and current information regarding the city's Year 2000 planning.

Awareness Objectives

■ Define compliance for your organization.
■ Communicate the complexity and depth of the Year 2000 problem to senior management.
■ Identify the business impact of noncompliance and communicate to your organization.
■ Obtain senior management Year 2000 project commitment.
■ Gain senior management approval for Inventory and Assessment Phase costs and resources.

Building Awareness

During the Awareness phase, the City must foster an awareness of the potential seriousness of its Year 2000 problems, and convey the scope of the effort required to find and address those problems. The City begins by initiating a Year 2000 project, which will provide a systematic framework within which these problems will be solved.

It is difficult to measure the extent of the Year 2000 problem. It includes operating systems, password and security codes, data, hardware, embedded, and software systems (both commercially available and customized), and many other types of automated systems that are not Year 2000 compliant.
For this reason, managers at all levels and in all business areas and departments must be made aware of the Year 2000 problem. They must understand what resources they will need to manage the impact that Year 2000 will have on the City. Senior managers must commit to providing necessary Year 2000 project resources, including the management support required to accomplish Year 2000 tasks. There must be communication and support, not only between all departments within the City, but also with the citizens and business partners. Management briefings must also address the concerns of executives, managers, and staff who think the Year 2000 problem has been exaggerated.

At the conclusion of the Awareness phase, the Y2k Project Team must have the authority to initiate the Inventory and Assessment phases of the Year 2000 project, along with the necessary budget for the completion of those phases.

Management Awareness Briefings

This series of briefings should provide senior managers with a broad understanding of the potential impact of the Year 2000 problem on the organization's operation. The Management Awareness Briefings are intended to make management aware of the serious consequences of a failure to address your organization's Year 2000 problems. The subtasks associated with this task should not take long to complete, but they are critical to the success of the project.

• Conduct initial investigation of Year 2000 Problem
• Identify Affected Business Units
• Develop Management Awareness Briefings
• Present Management Awareness Briefings

Compliance Definition

The definition of "Year 2000 compliance" often differs from one organization to the next. Devise a definition of compliance that accommodates your business environment and your anticipated Year 2000 problems. The compliance definition is a critical measure of success and completion of compliance efforts.
The definition of compliance should identify possible sources of Year 2000 problems and should describe the functionality of a Year 2000 compliant system. The following definition was tendered by SLO staff for use in contracts with vendors and provides a definition of compliance:

"Year 2000 compliant" means that goods or services provided to the City will continue to fully function, fault free, before, at and after the Year 2000, without interruption or human intervention; and if applicable, with full ability to accurately and unambiguously process, display, compare, calculate, sequence, manipulate and otherwise use date or date-related information in a manner transparent to the user.

Organization Awareness Program

The Organization Awareness Program consists of a set of notifications that inform the various departments in your organization and all persons and agencies with which the City interacts about the Year 2000 program. These communications alert general staff, middle management, and executive management that your Year 2000 effort has begun. Institutionalizing the Year 2000 effort ensures that no single department has to shoulder the whole responsibility. Each department-specific notification should define the role of the department in assisting the program, and describe what the department can do to minimise continuation of the problem. In addition, outside contractors and business partners should be aware of the City's plans to resolve potential Year 2000 problems that may affect them. The definition of compliance should identify possible sources of Year 2000 problems and should describe the functionality of a Year 2000 compliant system.

Present Management Awareness Briefings

Once the City has conducted an initial investigation and collected the necessary information about any potential Year 2000 problems and analyzed the possible Year 2000 consequences, the City is ready to brief management.
Present the Year 2000 awareness material to at least the following management levels:

• Senior management with preliminary budget authorization approval
• Key data processing managers who understand what can happen if the Year 2000 problem is not addressed
• Managers whose approval is needed to obtain required sign-off for budget and resources, to communicate with external partners, the citizens, and so on

The briefings will include:

■ A general description of the Year 2000 problem and its potential effect on your organization
■ The risks of delaying Year 2000 solutions
■ An overview of the Year 2000 solution options
■ The potential operational impacts of the Year 2000 solution process

Organization Awareness Program Tasks

The Organization Awareness Program is implemented in two stages. The first stage involves formally notifying your organization's various departments and business units of an established Year 2000 project. The second stage consists of more detailed notifications requiring specific action.

The first formal notification should come from senior management. This general communication should inform the heads of departments that a Year 2000 project has been established, and solicit their cooperation in the process. The second set of notifications will come from the Year 2000 project team. These notifications are tailored to each recipient. Their purpose is to clarify the role each department or group will play in the Year 2000 effort, to request their active assistance and feedback, and to provide guidance for their activities.

Each task associated with this phase addresses a distinct audience, and covers the preparation, approval, and distribution of tailored notifications concerning the Year 2000 project. Awareness briefings should be offered to the entire staff. To complete the compliance efforts on time, the City is enlisting support from all of the departments.
Consider offering "lunch time" awareness briefings to clarify the specific issues facing the organization.

• Distribute Year 2000 Project Establishment Notification
• Distribute Year 2000 Notification to Contracts and Procurement
• Distribute Year 2000 Notification to Legal Counsel
• Distribute Year 2000 Notification to City's Public Affairs
• Distribute Year 2000 Notification to Contractors, Business Partners, and Electronic Partners
• Distribute Year 2000 Notification to Employees

Distribute Year 2000 Project Establishment Notification

The project establishment notification comes from senior management. It notifies key managers that a formal Year 2000 project has been established, and identifies the key members of the Year 2000 project staff. This notification gives the Year 2000 project team authority to contact managers. Their cooperation will be needed not only to inform their staff, but also to access staff resources for the Year 2000 project.

Distribute Year 2000 Notification to Contract Staff

In this series of notifications, you inform contracts, subcontracts, and procurement staffs of the Year 2000 project and of the necessity for:

• Providing protection to your organization for systems, hardware, and software developed or being developed for external customers.
• Ensuring that any new systems, software, or hardware purchased are Year 2000 compliant.
• Ensuring that any systems, hardware, or software developed by or on behalf of the City are Year 2000 compliant.
• Organization-specific compliance definition
• Notifying all departments of specific Year 2000 contract and procurement issues.
• Updating procedures for selecting vendors and contractors to include Year 2000 compliance requirements.

Contracts and procurement staffs should work closely with the City's legal counsel as the City progresses towards Year 2000 compliance.
The City may need to develop contractual indemnification, departmental position, or language with the help of legal counsel to protect the City, its employees, and its services. Sample compliance agreements and other sample contractual documents are found on the Internet.

Distribute Year 2000 Notification to Legal Counsel

This notification explains the Year 2000 project, its purpose, and its objectives. It also outlines the possible legal issues concerning Year 2000 noncompliance and requests legal counsel's active involvement in:

• Defining (together with public affairs) organization policy on communications with clients, auditors, regulators, citizens, and outside media on Year 2000 compliance
• Working with contracts, subcontracts, and procurement staffs to generate appropriate Year 2000 compliance language.
• Building an understanding of potential City liability for Year 2000 noncompliance

Distribute Year 2000 Notification to City's Public Affairs

External requests for information are handled as follows:

• In accordance with the City's recently adopted "Replying to Y2k Compliance Requests", the Risk Manager will take the lead responsibility in replying to formal requests for information about the City's Y2k efforts as they pertain to our ability to provide City services.
• The Fire Chief will continue to work with a new group of community members who have formed the SLO County Y2K Action Alliance Committee. The committee is very effective in sponsoring talks, meetings, and symposiums concerning Y2k.
• The Information Systems Manager conducts briefings as requested concerning the status of the Y2k initiatives being conducted by the City.

Distribute Year 2000 Notification to Contractors, Business Partners, and Electronic Partners

This notification explains the Year 2000 project, its purpose, and its objectives.
It invites feedback and active participation from contractors, business partners, and electronic partners (e.g. State agencies). The notification to electronic partners should request:

• Status of Year 2000 compliance of their interfaces with your organization
• Information about any re-certification requirements or standards
• The vendor definition of compliance
• Notification that a Year 2000 project has been established
• The City's compliance definition

Distribute Year 2000 Notification to Employees

This notification may take several forms: memos, e-mails, general briefings, or bulletin board announcements informing staff of the purpose and objectives of the Y2k project. Individual notifications, which may actually be generated and signed by department managers to their staff, should also:

• Explain how the century date change might affect their work.
• Identify broad areas where employee PC software, databases, and/or other routines may need to be revised.
• Explain that employees will be notified when changes made to systems will affect them (for instance, system downtime, training).
• Mention the critical importance that the current staff has on the Year 2000 project.
• Monitor and manage the perceptions system changes will have on key staff (for example, selecting to replace your current systems may send a message that your current staff is not needed).
• Notification that a Year 2000 project has been established
• Proposed legal position and draft language
• The City's compliance definition

Policy and Public Relations Plan

This plan includes tasks for addressing the legal ramifications of Year 2000 non-compliance and for establishing public relations coordination to answer inquiries about your organization's Year 2000 compliance status.
Task Overview

• Identify Project Responsibilities for Legal Counsel
• Identify Project Public Relations Coordination

Identify Project Responsibilities for Legal Counsel

The City's legal counsel, contracts, and procurement staffs will work with a knowledgeable Year 2000 person to update vendor and contractor selection criteria to include Year 2000 compliance. Also legal counsel must provide guidance in the areas of:

• Defining City policy (together with public affairs) covering communications with customers, auditors, regulators, citizens, and outside media on Year 2000 compliance.
• Working with contracts and procurement staffs to generate appropriate Year 2000 compliance language
• Developing an understanding of potential City and employee responsibility and liability relative to Year 2000 noncompliance
• Tracking disclosure requirements from auditors and regulators

The plan should establish methods for distributing pertinent information as the project progresses. It should contain tasks to create a legal inventory of systems and contracts that may be affected by Year 2000 anomalies. The legal inventory is an important part of establishing "due diligence" (as opposed to gross negligence). It should provide requirements and a timetable for developing suggested Year 2000 compliance language, guidelines for answering inquiries concerning your organization's Year 2000 compliance status, and screening criteria to select vendors and contractors that meet Year 2000 compliance requirements. Developing the screening criteria will most likely be the responsibility of the contracts and procurement staffs but will require legal input. These criteria may also need to be communicated to project managers or isolated business managers who may be involved in vendor, contractor, or product selection.

Identify Project Public Relations Coordination

Although the City may not solicit inquiries on Year 2000 compliance, they are likely to be received.
There is one primary reason for customers, outside media, citizens, regulators, and auditors to be interested in the City's Year 2000 compliance: It could have an enormous impact on the provision of essential city services.

The Policy and Public Relations Plan must both establish methods of communicating project goals and progress to external parties, and clearly define the persons or offices who will answer inquiries from specific sources. The City must also establish methods for internal reporting to ensure that updated information on project progress is always available.

Status of Task

SLO has implemented a number of Awareness initiatives and taken the following actions:

• In the Fall of 1997, the Information Systems Manager conducted Y2k awareness briefings for the MIS Steering Committee, Department Heads, and at Good Morning San Luis Obispo.
• City staff was notified by e-mail of the Y2k problem and informed of the new procurement policy requiring all vendor products to be Y2k compliant.
• The Information Systems Manager has been appointed as spokesperson for the media for any questions concerning the status of the Y2k initiatives being conducted by the City.
• On September 2, 1998 a briefing was conducted advising Council of the Y2k problem, the results of the Y2k assessment, and the next steps for correcting Y2k problems.
• In early October 1998, an interview was conducted with KSBY TV, Channel 6 on the status of the City's Y2k efforts.
• On November 13, the Information Systems Manager conducted a briefing on Y2k efforts for District 8 of the California Parks and Recreation Department.
• In December, an article on SLO Y2k efforts will be in the Parks and Recreation publication.
• "The Millennium Bug - What's the City doing about it?" is a feature article on the City's web site under "What's New in the Finance Department".
• On February 10, 1999, the MIS Steering Committee adopted a policy, "Replying to Y2k Compliance Requests," whereby the Risk Management Division of the Department of Human Resources will take the lead responsibility in replying to formal requests for information about the City's Y2k efforts as they pertain to our ability to provide City services.
• Active on-going participation in the SLO County Y2K Action Alliance Committee, a group of community members who meet regularly at Headquarters Fire Station. The Fire Chief operates in an advisory capacity for the group.
• Continued education and training is offered to our citizens through the Fire Department's Community Emergency Response Team (CERT) Program.
• A utility billing mailer detailing our Y2k actions and providing guidelines for disaster preparedness will be sent to all homes in the Spring of 1999.

Identify Critical City Business Processes

This section addresses the identification and prioritization of City business processes. After completing these tasks, the City can decide which systems will be repaired and/or replaced. Later this information will be used as a basis to decide where equipment must be purchased or on standby to keep certain critical systems operational.

Purpose

The purpose of identifying critical business functions is twofold. For Y2k purposes, it is necessary to know which systems are critical to the continued operation of critical city business operations. For disaster recovery planning, the list is used to help make decisions about which equipment should be procured in the event of a natural disaster.

Objectives

The following objectives are accomplished during the phase for identification of critical business functions:

■ Develop a criterion for identifying which business functions are critical to the City.
■ Identify all critical business functions by organization using the criterion developed in the first objective.
■ Using guidelines from management and staff, prioritize the functions for later use in decision making.

The end result of this process will be the prioritization of the City's systems based on business-related, as opposed to technical, criteria. It also identifies the business risks associated with each system. The determination of system priorities will be based, in part, on the information contained in this listing.

During the Inventory phase, the City staff will collect a massive quantity of system information. This information will support the analysis and decision tasks that occur during this phase and the project team must find an efficient method of utilizing this information. The City will be required to analyze and summarize existing information in order to define the "primary function" and the "primary dependencies" of each system.

Following the capture of summary information concerning each system, you may wish to further summarize this information (by department, by technical risk category, by owner, and so on). For example, the City may want to create a summary of all systems that have a designation of "Very High" technical risk. Alternatively, it may be helpful to prepare a summary of systems for each department in the City.

Develop Criteria for Criticality

This task involves developing criteria for identifying which business processes are critical to the City. One suggested criterion would limit critical functions to only those that are essential to the uninterrupted, day-to-day ability of the City to provide essential services to its citizens. For example, these services might include water, sewer, and emergency services such as 911.

Identify Critical Business Functions

This process begins with the identification of the core competencies of each department or organization within the City.
Using these as a guide, identify the business functions that each organization provides. After identifying the entire list of functions, use the criteria above to determine whether or not the function is critical to the City.

Prioritize the Systems supporting the Business Functions

During this task, the City management must assess the business risk associated with each system in the organization. To assess business risk, assign values to two risk factors for each system:

• The probability that a Year 2000 problem associated with the system will have an adverse impact on business objectives
• The magnitude of that impact

Normally associated with risk assessment, the managers use the method of assigning a value within a 0-1 scale. You calculate system business risk by multiplying the two factors. One suggested method is to use numerical values of business risk corresponding to the following Likert Scale values:

Very high: .8 and above
High: .6 to .8
Medium: .4 to .6
Low: .2 to .4
Very low: .2 and below

Based on a variety of organizational considerations, including the business risk values assigned to each system, the decision-making group assigns business priorities to each of your organization's systems. This task is the heart of the Business Process phase, for these priorities, in concert with technical and economic considerations, will determine the order in which Year 2000 problems will be addressed. This may be the most difficult political task of the Year 2000 project.

Status of Task

SLO has recently initiated the critical business process identification and taken the following actions:

• On September 3, 1998 a briefing was conducted to check the status of inventories and to explain the next step of business process analysis.
• On November 10, 1998 a briefing was conducted for all Y2k representatives concerning the Y2k Master Plan.
At this briefing the process for identification of critical business processes was described and a strawman definition of critical business processes for SLO was offered. The proposed definition follows: "Critical business functions are those that are essential to the uninterrupted, day-to-day ability of the City to provide essential services to its citizens. For example, these services might include water, sewer, and emergency services such as fire, police and 911."
• A meeting with the CAO and Department Heads took place on November 19, 1998 to discuss the methodology to be used by SLO for the identification of critical business processes.
• In mid-January, meetings were held with each department to identify and prioritize their respective critical business processes.
• On February 9, 1999, a strawman prioritized listing of all critical business processes was submitted by I3 for review by the City.

Conduct an Inventory

This section explicitly addresses those actions necessary to conduct an inventory of all possible systems that may be affected by the Y2k problem.

Purpose

The primary purpose of this phase is to complete an inventory of all automated systems or inventory items in your organization.

Objectives

The goal is to establish a Year 2000 database. As suggested by many authors, you should:

• Identify all automated systems in your organization.
• Identify all system interfaces. (For example, any electronic interfaces with banks or State agencies.)
• Determine those systems that will be affected by the Year 2000 date problem.
• Identify and catalog any internal tools that could assist with Year 2000 detection and correction.

Before you can decide how to solve the Year 2000 problem in your organization, you must understand the magnitude and boundaries of the problem.
You must determine how many of your organization's systems will be affected by Year 2000 problems and to what extent those problems and systems are interdependent. In addition, you must determine which of the systems were developed within your organization and which are COTS (commercial off the shelf) systems. Finally, it is also important to know which of these systems are actively used in your organization and which are used only occasionally.

To answer these questions, you must carry out the dual tasks of identification and review: identify every system in your organization, and review how many of those systems are likely to be affected by Year 2000 problems. The systems will include software applications, operating systems, commercial off the shelf (COTS) software, computing hardware, communications hardware, third-party interfaces, and embedded systems (for example, E-PROMS, microcontroller chips, PC BIOS, and so on).

Inventory participants must do two things:

• Identify systems they believe will be affected by a Year 2000 problem, and
• Assess the extent to which these systems will be affected.

A secondary goal is to identify automated tools that can support your Year 2000 project. The information collected during Inventory will be captured in the Year 2000 database. This database will provide managers and staff with the information needed to make sound decisions during future Year 2000 endeavors.

System Inventory

The System Inventory provides a complete inventory of the systems in your organization. The inventory will include detailed information concerning each system: its location, number of users, importance to the organization, primary functionality, age, current licensing agreement, risk elements, and more. Upon completion of this task, you will be able to update your previous rough-order-of-magnitude assessment of the size of your organization's Year 2000 problem.
The information contained in this inventory will also pave the way for Assessment phase tasks. This inventory information is significantly more detailed than the information gathered during the Awareness phase of the project. Initial attempts were intended to reveal the extent to which automated systems permeate not only revenue-producing areas of the organization, but vital operational and infrastructure areas as well. The System Inventory, however, is intended to be an exhaustive identification of all systems in the City. It is a definitive compilation of all systems that are candidates for assessment and remediation.

Below is the suggested information to be captured for each system as appropriate:

• Software item/piece of equipment
• location
• manufacturer/vendor
• manufacturer/vendor address
• manufacturer/vendor phone number
• manufacturer/vendor POC if known
• date of purchase
• version number
• department
• division
• Y2K concern
• mitigation strategy
• warranty/guarantee on file
• documentation on file
• Y2K certification on file
• priority level to correct
• impact on mission if it malfunctions
• Interfacing systems
• Provides information electronically
• Receives information electronically
• Provides and receives information electronically
• Impact if there is a failure at the source
• Known status of Year 2000 compliance of external system
• Measure of criticality if transfer of information is delayed or disrupted
• Comments

System Inventory

• Develop System Survey
• Perform System Survey
• Capture System Inventory
• Verify System Inventory
• Baseline System Inventory
• Establish Change Control

Develop System Survey

During this task, you will develop a survey that will facilitate the identification of each and every system in your organization. The format suggested above is a good start, but each organization may find that other items of information are useful.
The survey should solicit the minimum amount of system information needed to support Business Process phase activities. By keeping the Inventory survey short and focused, the chances of obtaining complete and timely responses are increased.

Perform System Survey

After identifying specific survey teams, distribute the survey and retrieve completed copies. SLO has chosen to use the EXCEL Spreadsheet distributed in August as the required survey instrument.

Verify System Inventory

To ensure the integrity of system information captured in the database, the City must find a way of verifying this information. The most efficient method of verification is an organized cross-check of system information by staff members who possess broad-based knowledge concerning the City's systems.

• IS department staff members are ideal candidates for verification activities.
• After incoming survey information has been entered into the database, verification staff can review and verify this information on an individual basis or as a group.
• System information problems identified by the verification staff should be resolved jointly by the verification staff and the staff members who authored the survey instrument in question.
• Any changes to system information should be communicated to appropriate system managers and users.

Establish Change Control

After establishing a baseline, you must control change for all elements that relate to system information, including:

• Database records
• Published documents that incorporate system information
• Hard copies of survey instruments
• Use change control procedures that have been defined within the Year 2000 project plan. If necessary, update the plan to include additional procedures, or changes to established procedures.
• Select someone to perform the duties of a configuration control manager (CCM).
• The change control mechanism should capture the following information, at the very least:
  • Person suggesting change
  • Person authorizing the change
  • Date of change proposal
  • Date of change
  • Reason for change
  • Impact of change on other records (change dependencies)

Inventory Diagram

The Inventory Diagram depicts the systems and system relationships currently functioning within your organization. This schematic is based upon the information contained within the Year 2000 repository and serves as a top-level summary of that information. The Inventory Diagram provides a schematic drawing of all systems included in the system inventory and identifies the relationships and dependencies among them. It allows the City to assess the technical impact of a specific system upon related systems.

Develop Inventory Schematic

Develop a comprehensive schematic that portrays the existing systems in your organization and the relationships among these systems. All systems in the system inventory should be included in this schematic. This schematic will include many different types of system hardware, software, operating systems, firmware, control languages, databases, networks, and embedded systems.

A schematic is typically a drawing, or graphic, in the form of a directed graph. Some people utilize a pre-defined method of information system portrayal, such as Yourdon's Data Flow Diagram method, when developing a schematic. Others simply use the basic constructs of a directed graph of nodes and arcs to portray individual systems and the relationships among them. Whatever drawing conventions are used, remember to keep it simple. The most important attribute of any schematic is a clear understanding by all parties. The schematic should provide a clear and concise depiction of the City systems and the relationships among them.

Status of Task

SLO began the inventory process in April 1998.
Actions to date include:

• In June the results of the initial inventory were reviewed by I3. A recommendation for a more detailed inventory was made and the new inventory began in July with a target date of August 30, 1998.
• On November 1, 1998 all inventories were completed. Public Works, Utilities, Police and Fire were the last to complete due to the extensive number of items that had to be reviewed.
• On November 10, 1998, I3 reviewed the inventories and made certain follow-up recommendations for Fire, Public Works, and Utilities. A final review for Police was not possible.
• In January of 1999, a final inventory review was held with each department. Special meetings were held to address external electronic interfaces and embedded chips.

Assessment

This section discusses the assessment process. Information collected during the inventory process is reviewed during the assessment process to determine which systems are affected by the year 2000 problem.

Purpose

The purpose of the assessment phase is to identify which systems and hardware must be fixed and what steps are necessary to make repairs prior to the Year 2000.

Objectives

At this point in the project, you have completed an inventory of your systems and prioritized the systems based on your organization's business objectives. You know what systems are relevant and where your priorities lie. You are ready to decide which systems will be assessed, and what steps must be taken to complete this phase. Objectives include the following:

• Using the entire inventory, identify which systems the Y2k bug affects.
• For any identified system, verify that it is mission critical.
• Divide the systems and hardware into two groups: those that can be legally fixed in-house and those that must be fixed by licensed vendors.
• Develop a plan for both groups and a schedule of tasks for completion.
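The business-risk calculation (probability times magnitude, banded on the plan's scale) and the inventory schematic's directed graph both feed these assessment objectives. The following is an added example, not part of the City's plan: the system names, risk factors and interface arcs are constructed, and placing a score of exactly .6 or .4 in the higher band is an assumption, because the plan's bands share endpoints.

```python
from collections import deque


def business_risk(probability, magnitude):
    """Business risk = probability of adverse impact x magnitude, each on a 0-1 scale."""
    for value in (probability, magnitude):
        if not 0.0 <= value <= 1.0:
            raise ValueError("risk factors must lie on the 0-1 scale")
    # Round so that binary floating point noise cannot move a score across a band edge.
    return round(probability * magnitude, 6)


def risk_band(score):
    """Map a score to the plan's bands (.8 and above is Very high, .2 and below is Very low)."""
    if score >= 0.8:
        return "Very high"
    if score >= 0.6:   # assumption: shared endpoint .6 counts as High
        return "High"
    if score >= 0.4:   # assumption: shared endpoint .4 counts as Medium
        return "Medium"
    if score > 0.2:
        return "Low"
    return "Very low"


def downstream(interfaces, source):
    """Systems reachable from `source` along 'provides information to' arcs.

    Breadth-first search with a visited set, so two systems that both provide
    and receive information (a cycle in the schematic) do not loop forever.
    """
    seen, queue = set(), deque([source])
    while queue:
        node = queue.popleft()
        for consumer in interfaces.get(node, ()):
            if consumer != source and consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    return seen


def prioritize(inventory, interfaces):
    """One row per system, highest business risk first, with the systems it can affect."""
    rows = []
    for name, (department, probability, magnitude) in inventory.items():
        score = business_risk(probability, magnitude)
        rows.append({
            "system": name,
            "department": department,
            "risk": score,
            "band": risk_band(score),
            "affects": sorted(downstream(interfaces, name)),
        })
    rows.sort(key=lambda row: (-row["risk"], row["system"]))
    return rows


def systems_in_band(rows, band):
    """Summary view, e.g. every system designated 'Very high'."""
    return [row["system"] for row in rows if row["band"] == band]


# Constructed sample inventory: name -> (department, probability, magnitude).
INVENTORY = {
    "water-telemetry": ("Utilities", 0.9, 0.9),
    "payroll": ("Finance", 0.7, 0.9),
    "finance-ledger": ("Finance", 0.5, 0.9),
    "utility-billing": ("Finance", 0.6, 0.7),
    "bank-transfer": ("Finance", 0.5, 0.5),
    "permit-tracking": ("Community Development", 0.3, 0.4),
}

# Constructed arcs: provider -> systems that receive its data electronically.
INTERFACES = {
    "water-telemetry": ["utility-billing"],
    "utility-billing": ["finance-ledger"],
    "payroll": ["finance-ledger", "bank-transfer"],
    "finance-ledger": ["bank-transfer", "payroll"],  # two-way interface with payroll
}

if __name__ == "__main__":
    for row in prioritize(INVENTORY, INTERFACES):
        print("%-16s %-10s %.2f  affects: %s" % (
            row["system"], row["band"], row["risk"], ", ".join(row["affects"]) or "-"))
```
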
Identify Systems Affected

During the inventory process, the inventory teams recorded all systems and hardware that had potential Y2k problems. Using the inventory, identify all possible systems affected and separate them from the compliant systems.

Verify Mission Criticality

During the phase on identification of critical City business processes, a prioritized list of business functions was created. During this step it must be determined if the system or hardware is essential to the performance of the business function it supports. Using a method similar to assigning priority to the business processes, create a prioritized list of systems and hardware.

Divide the Systems and Hardware into In-house and Vendor Supported Groups

The hardware and systems must be separated into code and devices either owned or created in-house and those purchased from a vendor. Once the division has been made, special attention must be given to vendor supported or licensed software and hardware.

When assessing vendor software/hardware, conduct a legal review of contracts, licensing agreements, warranties, and any other documents signed when the software/hardware was acquired. No assessment or recommended actions should take place until the legal review is conducted. Legal counsel should advise on the following topics:

• Possible penalties assessed if the City or the vendor breaches the agreement.
• Advice on the impact of recent court decisions and settlements of similar cases.
• Advice on whether or not the City should intentionally breach the contract and fix the software/hardware. (This would only occur in rare cases where the vendor was obviously not going to fix the problem and the City would suffer serious damage etc.)

Develop a plan for addressing both groups

A plan must be developed for both in-house and vendor supported systems and hardware.
In the previous task, the City developed a prioritized list of systems and hardware according to its criticality in supporting the mission. In this task the project team must address the following questions:

• What is the drop-dead date for fixing each system?
• What staffing is required to fix the systems?
• What facilities and equipment are required?
• What contingencies must be made if the deadlines are missed?
• What resources are needed to support the project?
• Can the repairs or fixes be made in-house or is outside assistance required?

Status of Task

In some respects the Assessment phase has been ongoing since the beginning of the inventory process. Actions accomplished to date include:

• As part of the City's 1995 Information Technology Master Plan, a number of "mission-critical" business systems (such as public safety, finance, "desktop" and network systems) have been replaced with Y2k compliant software and hardware.
• Each department has assessed their inventory and developed a master list of Y2k problems. This includes software fixes to apply, software to replace, and/or hardware to replace to achieve Y2k compliance.
• As part of their inventorying efforts, departments have included letters sent to and received from vendors (i.e., Pacific Bell, PG&E, Bank of America, etc.) concerning Y2k compliance.

Develop solution set

This section discusses software solutions, possibly replacing equipment, and obtaining manufacturer certification. Particular attention must be paid to interfacing systems in this step and all subsequent steps.

Purpose

The purpose of the Solution Set phase is to identify the necessary fixes and repairs to be made to hardware and software for all critical systems affected by the Y2k bug.

Objectives

Using the prioritized lists from the Assessment Phase, the City must develop solutions and determine what steps must be taken to complete this phase.
Objectives include the following:

• For vendor supported hardware, determine the status of Y2k compliance from the documentation or query the vendor.
• For vendor supported software, determine the status of Y2k compliance and any existing certification or warranties.
• For in-house software, determine what fixes are required and what resources are needed to complete these fixes.
• For in-house hardware, determine if components can be replaced or what actions are necessary to ensure compliance.

Vendor Supported Hardware

Search the Internet and any available vendor literature for evidence of compliance or certification. Determine the vendor's intention with respect to ensuring compliance prior to January 1, 1999. If necessary, ask the vendor in writing whether or not the hardware will be Y2k compliant by the established cutoff date (January 1, 1999).

Vendor Supported Software

Search the Internet and any available vendor literature for evidence of compliance or certification. Determine the vendor's intention with respect to ensuring compliance prior to January 1, 1999. If necessary, ask the vendor in writing whether or not the software will be Y2k compliant by the established cutoff date (January 1, 1999).

If answers from the vendor are not forthcoming on these issues, the following actions may be recommended:

• Perform a credit check on the vendor to determine the financial status.
• Visit the vendor site and determine if sufficient staff are available to handle the required changes to hardware/software.
• Ask the vendor in writing to see a plan and schedule for making the fixes.

In-House Supported Hardware and Software

At this point in the planning the final results of the City's inventory are not fully realized. For this reason, the tasks are minimally defined on the premise that if the problem does not exist, it is not necessary to plan for it.
Depending upon the hardware problems, the City may need to take any of the following actions:

• Replace certain PC's, modems, or other communications equipment since it is not economical to repair them.
• Replace chips or components on certain hardware as determined in the Assessment Phase.
• For software the following fixes may be necessary:
  • Expansion of two-digit years to four digits
  • Calculations resulting from dates retrieved from a field in the database
  • Calculations using a date for encoding into another field
  • Display of information on a screen or in a report
  • Calculations that determine a lapse of time
  • Calculations that use dates in functions

Based upon the results of the assessment, the following solution sets may be devised:

• Sliding Dates, commonly referred to as windowing.
• Bit Twiddling—This involves manipulation of the two-digit years to four-digit years by resetting bits.
• Bridge programs—A program that converts a record layout to another record layout that can make a non-compliant program function in a compliant manner.
• Rewriting or replacing the software—Certain programs will not be worth the effort to fix them and can be replaced with software off the shelf or rewritten with new code.

Status of Task

We're in the very early stages of developing the Solution Set.

Pretesting

This section discusses the steps to be conducted in pretesting the software and/or hardware.

Purpose

The purpose of pretesting is to identify clearly the results of date change on a given piece of hardware or software program.

Objectives

• Where appropriate, set the system date ahead to the year 2000 on designated computers.
• Perform testing on software programs by inserting year 2000 dates into the programs and determining the effect.
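The windowing fix named in the solution sets above, and the pretesting objective of feeding year 2000 dates to a program, can be seen together in the following added example, which is not part of the City's plan. The 50-year pivot, the 80-year look-back, the YYMMDD field layout and the sample dates are assumptions; the leap day 2000-02-29 is included as one more special date beyond those the plan names.

```python
from datetime import date


def expand_century_19(yy):
    """Unremediated behaviour: every two-digit year is taken to be 19yy."""
    return 1900 + yy


def expand_fixed_window(yy, pivot=50):
    """Fixed window: 00..pivot-1 is read as 20yy, pivot..99 as 19yy (pivot is an assumption)."""
    return 2000 + yy if yy < pivot else 1900 + yy


def make_sliding_window(today, years_back=80):
    """Sliding window: a 100-year span that starts `years_back` years before the
    current year, so the pivot moves forward as time passes instead of being fixed."""
    first_year = today.year - years_back

    def expand(yy):
        year = first_year - first_year % 100 + yy
        return year + 100 if year < first_year else year

    return expand


def parse_yymmdd(field, expand):
    """Turn a six-digit YYMMDD field into a date using the given year expansion."""
    if len(field) != 6 or not field.isdigit():
        raise ValueError("expected six digits YYMMDD, got %r" % (field,))
    return date(expand(int(field[:2])), int(field[2:4]), int(field[4:6]))


def elapsed_days(start_field, end_field, expand):
    """A 'lapse of time' calculation of the kind the plan lists as needing repair."""
    return (parse_yymmdd(end_field, expand) - parse_yymmdd(start_field, expand)).days


# Constructed pretest data: dates on both sides of the rollover plus the leap day.
SPECIAL_DATES = ["991231", "000101", "000229", "001231"]


def pretest(expand):
    """Feed each special date through the parser and record what comes out."""
    results = {}
    for field in SPECIAL_DATES:
        try:
            results[field] = parse_yymmdd(field, expand).isoformat()
        except ValueError:
            # 1900 was not a leap year, so "000229" read as 1900-02-29 is rejected.
            results[field] = "INVALID"
    return results


if __name__ == "__main__":
    # Constructed record: issued 15 December 1999, expires 15 January 2000.
    issued, expires = "991215", "000115"
    print("unremediated:", elapsed_days(issued, expires, expand_century_19), "days")
    print("fixed window:", elapsed_days(issued, expires, expand_fixed_window), "days")
    sliding = make_sliding_window(date(1999, 2, 25))
    print("sliding window:", elapsed_days(issued, expires, sliding), "days")
    for name, expand in (("unremediated", expand_century_19),
                         ("fixed window", expand_fixed_window)):
        print(name, pretest(expand))
```

Windowing leaves the stored two-digit field unchanged, so every program that reads the field must apply the same window; expanding the field to four digits removes that dependency.
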
Hardware Pre-testing

The following test is recommended by a number of authors and vendors for PC's:

• Disconnect the PC from the network
• Backup all systems stored on the PC
• Set the system clock to 23:55 and the date to December 31, 1999
• Turn off the computer for five minutes
• Turn on the computer and check the date and time.

Several PC's have already been identified as problems with respect to compliance. These include AST computers with R1.02 GA-486US BIOS, Micro Pro with BIOS version 3.2- 00nm, COMPAQ: Proliant 4100, Hewlett Packard Vectra M2 486/99 and Deskpro 575. Check the vendor web sites for current lists.

Software Pre-testing

Software pre-testing is conducted on individual programs and the necessary steps are dependent on the actual function of the program.

Caution: Certain software programs will expire if the date is advanced. Determine if there is any date dependency on any software program being tested.

The program can be tested by devising tests appropriate to the software's function. For example, for any program in which dates cross the millennium, the program can be passed these dates and the results examined. It is recommended that these tests be conducted in a separate test directory using duplicate copies of the software. In cases where duplications are impractical, conduct a backup of the software prior to testing.

Status of Task

We will begin this task in early March. Some vendors are sending out test scenarios for their applications. The Finance Department received a very detailed Year 2000 testing document from Pentamation for their Financial Management System. Finance staff is planning to test the entire system in Spring of 1999.

Implement the solution set

This section discusses the implementation of the solution set devised earlier. It includes the detailed additions to the plan for ensuring compliance.
Purpose

The purpose of solution implementation is to execute the necessary solutions to ensure compliance for appropriate City hardware and software.

Objectives

The following tasks will be performed:

• Vendor supported hardware and software:
  • Continually monitor the vendor's progress towards achieving compliance. This includes following up to ensure that compliance is being accomplished and if necessary badgering the vendor to provide the desired results.
  • In the event of vendor failure, notify the project manager so that alternative measures or contingency plans can be executed.
• In-House Hardware
  • Repair or replace critical hardware components by the date designated in the plan.
  • Replace PC's, modems and other equipment as necessary in accordance with the plan.
• In-House Software
  • Repair or replace software programs using the following techniques:
    • Expansion of two-digit date fields to four digits
    • Windowing
    • Bit Twiddling
    • Development of necessary bridge programs.

Status of Task

This task is scheduled to begin in early April of 1999.

Conduct Post-Testing

This section discusses the suggested testing to ensure that the City's systems are Y2k compliant.

Purpose

The purpose of Y2k testing is to ensure that all of the Y2k problems that have been repaired have been tested both individually and in a system mode. Verification of compliance includes testing all development, integration, production and use of bridges, patches, and interfaces.
Objectives

In order to conduct effective testing, the following tasks are recommended:

• Standardize the current operating environment
• Identify any particular system clock issues
• Establish a test environment and procedures
• Develop a test plan
• Prepare test data
• Conduct tests simultaneously with repairs

Standardize the Current Operating Environment

This means freezing or not changing other components of the software or hardware except for those necessary changes being made for solving Y2k problems. At some point, enhancements to existing software should be delayed until Y2k problems are solved. This would include not installing upgrades to commercial software unless the upgrade was specifically intended to solve Y2k problems.

Identify System Clock Issues

Test whether or not the system clock works in the Year 2000. This task must be performed carefully and is usually done in a separate test environment.

Establish a Test Environment and Procedures

It is best if the City can establish a separate test environment in which all hardware and software can be tested. This includes the operating system that will be used for 2000 and the expected upgrades and components.

Develop a Test Plan

The test plan is just a subset of the tasks included in the project plan. Once all tasks for testing are known, they can be entered into the project plan.

Prepare Test Data

Prepare data for all problems that have been repaired. This normally includes the following types of data:

• Data to test all special dates
• Data to ensure that all normal processing still works
• Data to test error processing.

Conduct Tests Simultaneously with Repairs

Obviously, most testing is best accomplished at the time that the repairs are completed. However, certain integration and system testing will have to wait until each component has been completed.
Some of the following tests may be conducted during this process:

Warning: Do not conduct any of these tests without the involvement of IS personnel!

• System Clock beyond 2000—This involves testing by setting the system clock to a date and time after the year 2000.
• Automatic Update Function Rollover—Set the system clock to just before midnight on December 31, 1999 and, with the power still on, wait until 2000. If the date is correct, turn the power off and back on. If that works, set the date to just before midnight on December 31, 1999 again, turn the power off, wait until 2000, then turn the power back on and check the date.
• Set the system clock to just before midnight on December 31, 1999, and suspend a time-display program without a wake-up timer. When the clock reaches 2000, resume the program.
• Test date scenarios for going forward and backward over the year 2000 for various processing cycles including:
  • Daily including end-of-day activities
  • Weekly
  • Semimonthly
  • Monthly
  • Bimonthly
  • Quarterly
  • Semiannually
  • Annually
• Different combinations of time and date for various scenarios
• Other testing as determined by the nature of the results of the inventory

Status of Task

This task is scheduled to be completed by June of 1999.

Plan for Y2k Failures on the part of Others

This section discusses the detailed plan for addressing Y2k failures on the part of others. This includes vendors, systems with which the City has interfaces (banks, state agencies, etc.) and support systems such as power and telephone services. The purpose of this portion of the plan is to identify and make backup plans for failures on the part of others. After the Assessment Phase is completed, the list of "others" may increase. At this time the following groups reflect the types of failures based on information from inventories:

• Support agencies that provide major support in the form of utilities.
• Organizations with which the City has electronic interfaces in support of critical business processes.
• Vendors that must either provide replacement hardware, such as an updated chip, or a software fix or version release that will solve the Y2k bug for their software.

A description of known agencies or organizations that are included in each group is provided below:

Support Agencies

Current support agencies that provide major support to SLO in the form of utilities include PG&E, GST/Call America, and Pac Bell. Currently, letters have been written to each of these agencies asking for the status of their Y2k remediation efforts. To date, most responses have not provided the assurances that the City desires. At some point, plans for action in the event of failure by these agencies will be developed.

Organizations with Electronic Interfaces

Initial inventory results identify the following critical electronic interfaces:

• Bank of America for electronic payments etc.
• PERS, payroll Retirement Report
• ICMA, Deferred Compensation—Payroll
• IRS—payroll data
• CA State—payroll data
• IRS—1099 input
• Pac Bell—receipt of billing information
• MRS interface via an in-house program
• Arson Info Reporting System with DOJ
• Crime Reporting to DOJ via SLOPD
• Violation Tracking Program with City of SLO
• CLETS with DOJ
• CLETS with SLO County
• LS (District Attorney) with SLO County
• Clerk Recorders with SLO County
• Recorders Vital Statistics with SLO County

Each of the interfaces must be verified as to the status of Y2k compliance and, if necessary, backup plans created in the event that the agency does not comply.

Vendors

The list of vendors is extensive. Refer to the actual inventories for a complete list. After assessment this section will be updated to reflect the current list of vendors and the actions required.
Planning for failures on the part of others will evolve in parallel with the Assessment and Identification of Critical Business Process phases. This portion of the plan provides a bridge to disaster recovery planning since the process points to actions that must be taken in the event of any natural or man-made disaster.

Status of Task

Finance and Police electronically interface with various agencies and businesses. Police is working with their partners to resolve interface conflicts. Finance will be ensuring that they can handshake with their partners in Spring of 1999.

Work Schedule for all Tasks, Phases, and Activities

This section discusses the detailed Master Plan, including Identification of Key City Business Processes, Awareness, Assessment, Inventory, Pre-Test, Implement Solution Set, Post Test, plan for Y2k failures on the part of others, tasks, phases, activities, milestones, hours, and costs for each deliverable.
Reporting

This section addresses the reporting plan, including unique and recurring reporting requirements, briefings, and meetings. I3 proposes the following minimum schedule of reports and meetings for this project:

• Monthly meetings of the Y2k Project Team
• Monthly Progress Reports to the Y2k Project Manager
• Quarterly Progress Reports to the City Council

Plan Maintenance

This section addresses procedures for revising or updating this plan, including coordination of schedule revision, minimization of schedule variance, and management of contingencies.

The project schedule plan will be routinely updated at the end of each month, dependent upon whether there have been any significant changes to the schedule of deliverables. In general, we have planned the project schedule conservatively, and expect to complete the project either on time or slightly early in calendar time. However, should unforeseen circumstances arise (e.g. a special request to change scope from SLO, a serious illness or other incapacitation on the part of a key SLO staff member or I3 consultant, etc.), we will immediately submit a proposed schedule and plan revision to account for the special circumstances. In the event of the non-availability of an I3 consultant, we will augment our staff with another until the original consultant is available.

Glossary

In this section, terms or acronyms of relevance to the project plan are reflected.

Acronym: Expansion
Y2k: Year 2000
Attribute: The information held about an entity; e.g. attributes about a customer could be name, address, phone number, recent orders, etc.
Entity: Something about which information is retained; e.g. customer, employee, product, etc.
Event: A trigger to which one or more business functions respond; e.g. a license application
Function: A major work unit of an organization; e.g. performing payroll
Object: Something about which information is collected, i.e., customer bill record, which might contain 120 characters of information, and there might be 50,000 of them.
Process: A series of tasks which result in one or more critical deliverables
Task: A unit of work that results in a single deliverable

ATTACHMENT 2

www.SLOCountyY2K.org
San Luis Obispo County Y2K Action Alliance
A work in progress...

Mission Statement:

The SLO County Y2K Action Alliance exists to facilitate preparation of the San Luis Obispo County community for the potential repercussions of Y2K. This will be accomplished through education, preparation, community involvement, and contingency planning.

Goals & Objectives:

1) Develop and provide awareness programs concerning the Y2k problem
• awareness seminars/fairs
• provide accurate informational materials
• develop media programs/website
• program delivery

2) Facilitate others in developing preparedness plans for Y2K impact
• personal and family
• special needs community
• student community (ASI)
• business community
• emergency responders
• city/county government
• religious/church groups
• hospitals

3) Serve as a resource center to coordinate effective actions
• act as a contact point for the wide range of stakeholders
• work with service clubs and neighborhoods
• direct people to the appropriate agency for assistance

All Contents © 1999 San Luis Obispo County Y2K Action Alliance, San Luis Obispo County, California, except where otherwise noted.

The Millennium Bug: What's the City Doing About It?

There has been a lot of "buzz" lately in the media about the major problems in store for any organization that is not working hard right now to ensure that their technology systems will be Year 2000 (Y2k) compliant. This report reviews what the "Y2k" problem is, what the City has done to date to address this problem and what we are doing to assure that our technology-driven systems will be Y2k compliant so we don't catch the millennium bug!

What Is the Problem?

Until pretty recently, computer memory was very limited—and because of this, also very expensive. To save space (and money), for many years computer programmers only used the last two digits of the year in writing date-related programs. For example, "1965" was programmed and entered as "65."
In determining the length of time since an event last happened (such as a birth date and today), the "19" part of the date is assumed, so it is easy to calculate that 33 years have passed from 1965 to 1998 (98 minus 65).

So why is this a problem? Because when the year 2000 rolls around, computers with only "65" in them will not know what to do. A straightforward calculation should result in a negative 65 years passing since "65" (00 minus 65). At this point, it is not clear what most systems will do when they encounter a negative date number—other than it is unlikely that an accurate answer will result! (This is why testing is an integral part of most Y2k compliance plans.)

Dates are used in an overwhelming number of applications in our daily lives, from computing interest earnings on savings accounts to determining retirement benefits; from telling when the next inspection is due on an elevator (and it will not run if it is past due) to determining the freshness of food products.

So the short answer is: This is a problem because date-related computer calculations are everywhere in our daily lives, and we can be assured that serious (and in many cases, unforeseen) consequences will result from hardware and software that cannot correctly deal with the millennium change.

This date-calculation problem can be found in two places: embedded in the hardware itself in the built-in operating system (BIOS); and in application and operating system software. Additionally, the Y2k problem is potentially more than just correctly calculating dates. The Year 2000 is a leap year, and many computer programs, even if they consider themselves Y2k compliant, may not correctly account for this because of an obscure rule that only comes into play once every 400 years.
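The two failure modes described above, as an added example that is not part of the City's report: two-digit year subtraction going negative at the century boundary, and a leap-year test that stops short of the 400-year rule. The function names, the sample years, and the "windowing" repair with a pivot of 50 are assumptions chosen for illustration; the report does not name a specific fix.

```python
import calendar

SAMPLE_YEARS = [65, 98, 99, 0]  # constructed two-digit years, as a legacy file stores them


def elapsed_two_digit(then_yy, now_yy):
    """Legacy arithmetic: both years are two digits and the '19' is assumed."""
    return now_yy - then_yy


def expand_year(yy, pivot=50):
    """Windowing repair: yy below the pivot is read as 20yy, otherwise as 19yy."""
    if not 0 <= yy <= 99:
        raise ValueError(f"not a two-digit year: {yy}")
    return (2000 if yy < pivot else 1900) + yy


def elapsed_windowed(then_yy, now_yy, pivot=50):
    return expand_year(now_yy, pivot) - expand_year(then_yy, pivot)


def audit(stored_years, now_yy, pivot=50):
    """Stored years whose legacy result disagrees with the windowed result."""
    return [yy for yy in stored_years
            if elapsed_two_digit(yy, now_yy) != elapsed_windowed(yy, now_yy, pivot)]


def is_leap_incomplete(year):
    """Applies the 4-year and 100-year rules only, so it rejects 2000."""
    return year % 4 == 0 and year % 100 != 0


def is_leap(year):
    """Full Gregorian rule: a century year is a leap year only if divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def matches_stdlib(first=1600, last=2400):
    """Cross-check is_leap against calendar.isleap over a range of years."""
    return all(is_leap(y) == calendar.isleap(y) for y in range(first, last + 1))


if __name__ == "__main__":
    print("1965 to 1998, legacy:  ", elapsed_two_digit(65, 98))
    print("1965 to 2000, legacy:  ", elapsed_two_digit(65, 0))
    print("1965 to 2000, windowed:", elapsed_windowed(65, 0))
    print("disagreements when run in 1998:", audit(SAMPLE_YEARS, 98))
    print("disagreements when run in 2000:", audit(SAMPLE_YEARS, 0))
    print("2000 leap? incomplete:", is_leap_incomplete(2000), "full:", is_leap(2000))
```

A fixed pivot only moves the ambiguity: with a pivot of 50, a stored "49" is read as 2049, so the window has to be chosen per data set (birth dates and invoice dates need different ones).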
ATTACHMENT 3

What the City Has Done So Far

We are taking this very seriously, and we have adopted and started implementing a Y2k compliance action plan. Accomplishments to date include:

• Replacing "mission-critical" application software as part of the information technology master plan adopted in April of 1995.
• Forming an organization-wide "Y2k task force" with representatives from every department.
• Performing a detailed, organization-wide inventory of all our systems. This included extensive vendor research for both hardware and software to identify potential Y2k compliance problems. In any case where we were not able to secure Y2k certification from the vendor, we are assuming that the application is Y2k vulnerable.
• Completing a formal compliance assessment. The results of this assessment are discussed below.
• Adopting a procurement policy that ensures that all new purchases (not just "technology" ones) are Y2k compliant.
• Preparing an action plan for assuring that our most important technology systems are Y2k compliant by June 1, 1999.

Scope of the Problem

There are three kinds of problems facing the City:

• Business process applications and systems. This is what we most commonly think of when considering technology systems. It includes software and hardware used for daily business operations, such as desktop workstations, file servers, printers, operating system software, office automation software (like Word and Excel), and specialized applications like geographic information systems (GIS), public safety, finance, pavement management, work orders and building permits.
• Process and control systems. These are often hard to identify, because they use "embedded" software and hardware for facilities and equipment, such as heating, cooling and ventilation systems, telecommunications systems (telephones, voice mail, data communications), security systems, traffic signals, process control systems at our water treatment and wastewater reclamation plants, vehicle fuel pumps, street lights, radio communications and telemetry systems.
• Data exchanges with other organizations. We rely on electronic information from other agencies, and other agencies rely on electronic information from us. Examples include investments, banking, retirement system reporting, payroll deposits, wire transfers and law enforcement information. In short, we rely upon electronic data from other agencies for a number of "mission-critical" operations, and they rely upon it from us. The problem: even if our own systems are Y2k compliant, this will not mean much if others we rely upon for electronic interfaces are not Y2k compliant as well.

Business process applications and systems probably pose the lowest risk to the City for two reasons:

• Based on the 1995 information technology master plan, we have started replacing or upgrading virtually all of our "mission-critical" applications like desktop hardware and software, local and wide network systems, and public safety, finance and GIS applications. All of these efforts are underway and will be completed well before the Year 2000.
• Replacing "non-mission critical" systems should be relatively easy and inexpensive (assuming we begin to do so on a timely basis); and the consequences of not being Year 2000 compliant will be less significant.
We are much more likely to experience serious difficulties with the "process control" and "data exchange" systems since they are less visible, and in many cases, beyond our control to fix.

Results of the Compliance Assessment Report

We completed a formal compliance assessment report in August of 1998. The report concludes that the City is off to a good start in our Y2k compliance efforts; however, a lot of work remains ahead of us in assuring that our most important applications will still be working when the clock rolls over to January 1, 2000. As we suspected, our biggest challenges will be with "embedded" technology, like those used in control systems at our water treatment and reclamation plants; and with electronic links with other agencies, which are used extensively in our law enforcement and finance operations.

Next Steps: Our Action Plan

• Analyze the results of the comprehensive system inventory. From the results of this comprehensive inventory, we can fully assess our Y2k vulnerabilities, and identify the best solutions available to us. In most cases, this will mean upgrading or replacing hardware and software; this may be as simple as moving to a newer version of the software we already use.
• Develop awareness. It is important to let our employees and the community know that we are taking this problem seriously, and are taking reasonable steps to address it. Putting this report on our web site is part of this effort. We will also be sending out information in our utility bills and Parks & Recreation program catalog.
• Identify "critical" processes. What are the most important things for us to assure work correctly on January 1, 2000?
Realistically, we probably cannot make absolutely sure that every City system is Y2k compliant, so our efforts need to be focused on the areas of greatest impact. We will be using the results of this effort in developing a broader disaster prevention and recovery plan for our technology systems that identifies how we can continue to operate our most important services and facilities in the event of power outages, fires, floods or earthquakes.
• Develop solutions and begin implementing them. After assessing our current systems and "critical business processes," we can begin to develop and implement the "best" solutions.
• Test solutions. We need to ensure our "solutions" work—well before the Year 2000 rolls around.
• Plan for Y2k failures by others. The simple fact is that we conduct a lot of our business electronically with others. And many of these agencies and organizations will not be Y2k compliant, even if we are. Because of this, we need to have contingency plans for how we will conduct business if some of our most important "electronic partners" are not Y2k compliant when the Year 2000 arrives.

As reflected above, we have a number of key steps ahead of us. Our goal is to complete all of them in a timely manner so we can ensure that all "mission-critical" hardware, software, special applications, data communications and control systems are fully Y2k compliant by June 1, 1999.

For more information about the City's Y2k plan, please call Teri Maa, Information Systems Manager, at 781-7131 or send her an email.
Copyright 1999, City of San Luis Obispo and Ernest & Allen, Inc.