09-05-2017 Item 01 - Information Technology Strategic Plan & Assessment

Meeting Date: 9/5/2017
FROM: Derek Johnson, Assistant City Manager
Prepared By: Steve Schmidt, Information Technology Manager

SUBJECT: INFORMATION TECHNOLOGY STRATEGIC PLAN AND ASSESSMENT

RECOMMENDATION

Council review and adoption of the Information Technology Strategic Plan and Assessment.

REPORT-IN-BRIEF

At its most basic level, technology reduces the costs associated with delivering services. At a much higher level, when technology is fully leveraged across an organization, it has the potential to significantly improve and enhance service delivery and organizational productivity. Technology also has the potential of enhancing transparency and accessibility of City services to the community. The Information Technology Strategic Plan (ITSP) guides the City’s use of technology over the next five years with these objectives in mind. The technology planning effort resulted in major recommendations in three key areas: governance; structure; and project prioritization.

During the planning process, it became known that the City would be facing significant budgetary challenges over the next few years that adversely impacted the initial plan to implement and manage technology programs as well as other City initiatives. Thus, the original ITSP was revamped so that the most critical items were addressed to ensure a robust, secure, and reliable technology infrastructure. The remaining IT initiatives in the plan are documented and would be initiated as funding and resources become available through the Financial Planning process. Keeping technology services operating efficiently is a top priority, and ongoing investments in hardware, software, and staffing will be required over time to meet the City’s technology vision.

DISCUSSION

Background

In the 2009-11 Financial Plan, the Council authorized updating the existing ITSP.
The City issued an RFP, received proposals from several consulting firms, and after extensive evaluation, selected NexLevel Information Technology, Inc., in May 2011 to perform an IT assessment followed by the strategic plan. The plan was completed in August of 2012. NexLevel Technology was selected because of its extensive knowledge about information technology and its expertise in local government and public safety. NexLevel was selected once again for the FY 2017-2018 IT Strategic Plan update because of its familiarity with the City’s systems and staff, as well as the quality of work that NexLevel has performed for the City over the past five years on many other technology projects.

Purpose of the Strategic Plan

The purpose of the ITSP is to provide a roadmap to guide the City’s management and acquisition of information technology, both hardware and software, over the next five years. The ITSP identifies and makes recommendations regarding governance, structure, and specific projects that will take the City’s technology from where it is today to where it needs to be to meet current and future demands. The ITSP is a valuable tool to ensure technology is procured, implemented and managed in a cost-effective approach that maximizes the benefits to the City and its citizens and businesses.

To develop the ITSP, NexLevel and City staff participated in the following tasks:
▪ Assessment of the City’s current use of technology.
▪ Identification of new departmental technology projects that will improve customer service, increase staff productivity or increase public access to information.
▪ Completion of Customer Satisfaction Survey.
▪ Prioritization and phasing of identified projects from a Citywide perspective.

Information Technology Assessment

A comprehensive understanding of the City’s current technology use provided the foundation upon which the ITSP was built.
NexLevel completed its Information Technology Assessment in June 2017 prior to completing the ITSP. The Assessment focused on how effectively the City was leveraging technology to attain its stated mission and vision, and evaluated whether the City’s Network Services infrastructure and support organization were prepared to support the future needs of the City. This is consistent with the City’s organizational values to improve services, be open to innovation, be flexible to change and use City resources wisely.

ITSP Recommendations

As mentioned above, the ITSP is intended to guide the City’s use of technology over a strategic planning period. The ITSP’s major recommendations are broken down into three key areas: governance; structure; and project prioritization.

1. Governance

IT Governance is generally defined as the leadership, reporting structure, and resource allocation processes that ensure that the organization’s information technology sustains and extends the City’s strategies and objectives. Due to ongoing budgetary constraints, the City faces a significant challenge over the next five years to implement and manage new technology. As many organizations have come to realize, the cost and risks of implementing technology can be significant. The ITSP recognizes this and places a high level of importance on the IT Steering Committee to help manage and provide oversight to technology implementations.

Currently, the City is using a sophisticated IT governance structure to guide the City’s IT activities. The current IT Steering Committee (ITSC) is chaired by the Assistant City Manager and includes department heads as voting members. The ITSC is responsible for establishing the priority of technology projects, and ensuring the allocation of IT resources accordingly.
For the ITSC to function as a policy making body, it is important to delegate the technical aspects of projects and initiatives to the IT Division to perform a review and analysis of the specific technical components. The Technical Advisory Committee (TAC) is charged with the responsibility to review all technology requests prior to submittal to the ITSC for approval and prioritization. The TAC helps ensure that the plan for the requested technology is compatible with the existing infrastructure, aligns with the City’s technology standards, and ensures adequate ongoing support and maintenance. Once approved by the TAC, the project will be submitted to the ITSC for review and prioritization.

2. Structure

NexLevel completed a comprehensive assessment of the City’s use of technology that resulted in a set of recommendations that are compatible with the City’s existing technical environment (i.e., IT Division staffing, infrastructure, network, supervisory control and data acquisition (SCADA), applications, and technical standards and policies). Staffing recommendations are as follows.

Database Administration

NexLevel has indicated that a priority resource need for the City is to add an additional position to the IT Division: a second Database Administrator (DBA). Technology has advanced very rapidly and has become dependent on databases and enterprise system integrations. This, in addition to the increased Database Administrator workload with the migration to a new Enterprise Resource Planning system (ERP) and the City’s growing need for results tracking and dashboards to present that information to the public, has driven the need for an additional DBA. As part of any future reorganization, a second DBA will be considered as a priority to maintain and provide forward looking business services to the City.

Help Desk Function

There are approximately 241 help desk requests processed by the Help Desk each month.
The Help Desk also includes all Computer Technician duties. The current technology industry standard is 175 - 200 computers per technician. The City has a total of 640 desktops, laptops, tablets, mobile data computers, and virtual desktop computers, along with over 500 cellular devices. The time required to process these requests ranges from quick ten-minute fixes to multi-day installations. NexLevel indicates this level of support, desired staff service level, and the volume of equipment supported would require the attention of staff based on industry standards. The ability to add additional resources is not contemplated nor requested, and Staff will be identifying cost-effective ways to maintain systems within allocated budgetary resources.

Project Prioritization

The projects addressed in the proposed ITSP were prioritized by City IT Management Staff and the IT Steering Committee based on criteria such as financial impact, health and safety impact, customer service impact, business operations impact, alignment to City goals, business vision and mission, and technology obsolescence. In addition, the prioritization process considered the limited resources available to implement and manage technology projects.

The ITSP strives to set reasonable expectations as to when projects will be completed. However, a project’s ultimate start date will be based on funding or budget approval as well as the capacity of staff to successfully implement the project. It is the intent of the ITSP to support the City’s annual capital planning and budgeting processes by providing direction and input necessary to justify expenditures.

It is important to note that the ITSP does not include detailed specifications, requirements, or recommended vendor solutions.
When a project is initiated, the procurement of technology will follow established project planning and management processes that would include detailed requirements analysis, formal procurement and selection, and implementation processes. With the rapid change in technology and vendor solutions, the City is best served by carefully evaluating the market solutions available at the time a project is scheduled for procurement.

SUMMARY

The City’s current technology environment represents a complex system that consists of numerous applications and infrastructure that supports a total of 568 employees. The breakdown of employees is 384 FTEs, 10 Contract and 174 Part-time as of the 8/17 payroll period. As with any complex system, the addition or modification of any component has the potential to impact other parts of the system. The ITSP includes projects that are aimed at improving business applications, technology infrastructure and governance. As projects are implemented, it will take careful coordination and planning to manage the change introduced and to ensure the projects do not adversely impact other components within the City’s technology environment.

The City recognizes that technology is critical to performing many day-to-day business functions. In addition, the City recognizes the importance of leveraging technology to meet its growing business needs in the most cost-effective manner. The ITSP is a valuable tool to ensure technology is procured, implemented and managed in a cost-effective approach that maximizes the benefits to the City and its customers.

CONCURRENCES

The IT Steering Committee (ITSC) concurs with the strategic direction and recommendations provided in the ITSP.

FISCAL IMPACT

It is important to stress that the ITSP is a plan; it is not a budget. The ITSP identifies and prioritizes major Information Technology projects, but does not allocate budget resources.
Current and future IT projects will compete for limited funding resources and scheduling prioritization. Project costs should include funding for possible contract services and project management. The IT Steering Committee will determine the priority for all City IT projects. Funding for the ITSP project was realized from the IT consultant services budget line item.

ALTERNATIVES

1. Do not adopt the proposed ITSP. If the plan is not adopted, the City will not have a roadmap for implementing future Information Technology initiatives and projects.

2. Refer the ITSP back to staff for further study. The Council can refer the plan back to staff for further analysis. However, based on the extensive work throughout the organization that has gone into preparing this plan, staff does not believe this is likely to result in an improved plan unless Council has specific changes it desires to make. In this case, adoption of the plan at this time with changes as directed by the Council is the preferred approach.

Attachments:
a - 2017 Information Technology Strategic Plan
b - IT Assessment Report 2017

City of San Luis Obispo
Information Technology Strategic Plan
DRAFT v4.0 for Review
August 11, 2017

TABLE OF CONTENTS

EXECUTIVE SUMMARY
    BUILDING BLOCKS
    TECHNOLOGY ROADMAP
1.0 INTRODUCTION
2.0 SALIENT POINTS OF THE CITY IT ASSESSMENT
    2.1 “VOICE OF THE USER” SURVEY
    2.2 MEASURE OF BEST PRACTICE CONFORMANCE
    2.3 IT ASSESSMENT RECOMMENDATIONS
3.0 STRATEGIC IT TRENDS THAT COULD IMPACT THE CITY
    3.1 “SMART CITY” TECHNOLOGIES
        Internet of Things (IoT)
        Business Intelligence and Business Analytics (BI/BA)
        Digital Government
    3.2 ORGANIZATIONAL AGILITY
    3.3 ORGANIZATIONAL CHANGE MANAGEMENT (OCM)
    3.4 CYBERSECURITY
    3.5 ENTERPRISE CONTENT/DOCUMENT MANAGEMENT (ECM)
    3.6 MOBILITY
    3.7 STRATEGIC SOURCING AND CLOUD SERVICES
4.0 ROADMAP
    4.1 METHODOLOGY
    4.2 PROJECT PORTFOLIO
5.0 CONCLUSION

Executive Summary

In today’s digital world, information is expected to be available anytime, anywhere, via any type of device. To achieve this objective over time, organizations must proactively plan their purchase, implementation, and management of technology. In setting the foundation for this IT Strategic Plan, the City of San Luis Obispo, working in concert with NexLevel, developed a number of key building blocks that provide the foundation for the ITSP.
Building Blocks

To empower the City to provide excellent service to the community
To connect people to information and technology solutions
1) Innovation, 2) Integration, 3) Information

Technology Roadmap

With the building blocks set, NexLevel worked with the City to complete an IT Assessment. The IT Assessment was developed using information that resulted from a survey of users regarding their satisfaction with the City’s IT environment, their future needs, interviews with key user stakeholders, interviews with the IT Manager and ITD staff, and an IT best practices review. This process provided a detailed picture of the City’s current information technology environment, user expectations, current unmet needs, and future requirements.

Upon completion of the IT Assessment, NexLevel worked with the City to complete this IT Strategic Plan (ITSP), which identifies strategic IT trends that could impact the City, recommendations specific to those trends, and projects to be completed. The ITSP will enable the City to better allocate its information technology resources and obtain greater benefits for its investments in information technology.

During the planning effort, due to City budget constraints, the original technology project roadmap has been placed on hold. Those projects will be continually evaluated by the IT Steering Committee, and when resources and funds become available, they will be initiated.

At this time, the focus is on the Capital Improvement Plan (CIP) projects approved as part of the City’s two-year Financial Plan. The CIP technology projects are summarized in Table 1 below.
Table 1 – CIP Technology Projects

Project Name
▪ South Hills Radio Site Upgrade and Radio Enhancements
▪ SQL Server Cluster
▪ Motion Enterprise Resource Planning (ERP) Implementation
▪ Police Department (PD) Storage Area Network (SAN) Controller Replacement
▪ Voice Over Internet Protocol (VoIP) Telephone System Replacement/Upgrade
▪ Radio Handheld and Mobile Device Replacement
▪ Storage Capacity Replacement
▪ Universal Power Supply (UPS) Battery Backup System Replacement
▪ Emergency Communication Center (ECC) Blade Computer Replacement
▪ ECC Equipment Replacement
▪ Tait Radio System Backend Upgrade
▪ Irrigation Software (RainMaster/RainBird) Automation
▪ Fleet Management Software Upgrade
▪ Microsoft Office 365 Migration
▪ Firewall Replacement
▪ Network Security Upgrade
▪ Virtual Private Network (VPN) Replacement
▪ Dispatch Radio Console Replacement
▪ Audio Recording System Replacement
▪ Server Operating System Software Upgrade
▪ Wireless System Citywide Upgrade
▪ Public Surveillance Cameras Upgrade/Replacement

1.0 Introduction

This IT Strategic Plan (ITSP) was prepared for the City of San Luis Obispo (City) by NexLevel IT, Inc. (NexLevel) as the culmination of an extensive process of information gathering, analysis, and collaboration with key members of the City’s management team to identify and prioritize strategic technology projects.

The goal of the ITSP is to enable the City to better allocate its technology resources and to obtain greater benefits for its investments in technology. The ITSP does not attempt to predict the future but rather to enable the City to more effectively respond to new and/or changing requirements by proactively adapting processes, organization, people, and infrastructure to meet ever-changing technology needs and priorities.

To avoid confusion, concepts and observations in this document regarding the use of IT in general are abbreviated as “IT,” while “ITD” is used to refer to the City’s IT Division.
The remainder of this document consists of the following sections:
▪ 2.0 - Salient Points of the City IT Assessment – summarizes the key findings and recommendations as a result of the IT Assessment
▪ 3.0 - Strategic IT Trends that Could Impact the City – identifies and describes technology trends that could impact the City and that align with the City’s IT vision
▪ 4.0 - Roadmap – describes the open and collaborative process used to develop the ITSP and resulting project roadmap
▪ 5.0 - Conclusion – provides general thoughts and observations for the City’s consideration

2.0 Salient Points of the City’s IT Assessment

As the first step in the development of the City’s ITSP, NexLevel completed an IT assessment and published an Assessment Report. The following are two of the main components of the Assessment Report, the results of which are summarized in the following sections:
▪ Voice of the User Survey
▪ Measure of Best Practice Conformance

Note that the following presents a summary of the IT Assessment. For additional information, please refer to the actual IT Assessment document.

2.1 “Voice of the User” Survey

NexLevel administered an online user survey focused on technology use, support, and needs. Of the approximately 540 City employees invited to take the survey, 191 participated (35%), which, based on NexLevel’s experience, is above-average participation. The summary level results from the survey follow below.
For Network Services, which is responsible for ensuring the City’s information technology resources are effectively managed and used as key organizational tools:
▪ Regarding the time it takes to solve/correct their problem, 97% indicated they were satisfied with ITD performance
▪ Regarding satisfaction with the communications on issue resolution, 94% indicated they were satisfied with ITD performance
▪ Regarding the timeliness and completeness of follow-up/check back on the service provided, 93% indicated they were satisfied with ITD performance
▪ Regarding training provided for the business applications used in a department, 78% indicated they were satisfied with ITD performance
▪ The reasons City staff contacted them for assistance included:
    o Software Applications – 73%
    o Hardware – 68%
    o Enterprise Applications – 30%

For Information Services:
▪ Regarding satisfaction with understanding of their needs, 88% indicated they were satisfied with ITD performance
▪ Regarding satisfaction with the time to respond to their request for service, 86% indicated they were satisfied with ITD performance
▪ Regarding satisfaction with their ability to communicate clearly, 86% indicated they were satisfied with ITD performance

NexLevel tends to be cautious in drawing conclusions from the user survey alone. The survey results are often driven by current perceptions of the users and these tend to be isolated rather than holistic and reflect recent experiences rather than looking at service levels over time. However, the survey does provide a point of view that was considered in the IT Assessment.

2.2 Measure of Best Practice Conformance

NexLevel’s IT Assessment Methodology uses a comprehensive list of best practices categorized into six dimensions that evaluate the organization’s compliance with best practices.
NexLevel assessed the degree to which the City conforms to these best practices based on numerous sources of input including the survey, interviews with the City’s user stakeholders, interviews with ITD staff, and the results of the IT Best Practices self-assessment completed by ITD.

Figure 1 identifies the assessment findings for each dimension. The results were plotted and points connected with a dotted line to provide a perspective of the City’s overall conformance.

Figure 1 – City Conformance to IT Best Practices
[Chart of conformance by dimension: Business Technology Applications - 64% (Shared); Service Delivery - 72% (Shared); IT Governance - 74% (Enterprise Ownership); Security - 57% (Shared); Infrastructure - 73% (Shared); Administration - 63% (IT Ownership)]

Ownership is identified as being IT owned, enterprise owned (City), or shared (between departments). Each of the rings represents a level of conformance to IT best practices. The characteristics of each level are:
▪ Frontier Level (red): Organizations at this level have fewer than 20% of their processes in compliance with best practices. This level of maturity is characteristic of new and/or re-organized IT organizations.
▪ Reactive Level (orange): Organizations at this level generally have well developed procedures including formalized procedures for incident reporting and tracking and are committed to customer service, but spend a disproportionate amount of their time and resources “fighting fires.”
▪ Proactive Level (tan): Organizations at this level have many of the same attributes as organizations at the Reactive Level, but with the key difference that they continually seek to improve service delivery by finding long-term solutions to common problems such as improving user competency, self-reliance, and training so that they do not need to call IT for support as often.
▪ Service/Value Level (green): Organizations at this level have more than 80% conformance to IT best practices. They continue the trend towards value and generally derive much higher returns for their investments in information technology, although at greater expense.

NexLevel views organizations having less than 50% conformance to IT best practices as being reactive, while organizations having more than 50% conformance as being proactive. The latter indicates an organization is better positioned to ensure a reliable, robust, and secure IT environment.

Organizations that are more proactive are better able to obtain greater benefits for their investments in IT than those that are not, and while reactive organizations often spend less on IT (and thus have a lower total cost of ownership for IT) they realize less in return and are generally unable to effectively respond to new requirements.

Overall, the City’s Conformance to IT Best Practices is 67%, which is well within the proactive band and is considered outstanding when compared to municipal IT organizations in California, of similar size and scope to the City, for which NexLevel has worked. To put these results in perspective, between 2014 and this year, NexLevel performed more than fourteen IT assessments for cities of similar size and scope to that of the City of San Luis Obispo. The City scored higher than the average city score in all dimensions.

Another method used to evaluate the City’s technology performance was a Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis as shown in Figure 2. This analysis is based on IT best practices assessment, but provides a slightly different perspective by summarizing ITD’s strengths and weaknesses and the opportunities and threats facing the City as a whole in its use of IT.
It should be noted that there is a close relationship between these items since the City’s ability to realize the potential opportunities and mitigate the potential threats is dependent on its ability to leverage its strengths (particularly the recent organizational and staff changes with ITD) while addressing the weaknesses (Assessment recommendations).

Figure 2 – SWOT Analysis

Overall, the City is effectively managing and deploying technology to meet business needs. The City and ITD must now strive to build on their success, expand service offerings, and lead the transformation of information technology from a back-office productivity tool to a strategic enabler for the delivery of information and services to City departments and the public.

2.3 IT Assessment Recommendations

NexLevel developed the IT Assessment recommendations based on our experience in working with local government agencies and with an emphasis on identification of activities that have high value. Some of these can be accomplished with existing resources, while others will require augmentation of City resources.

NexLevel understands that it is much easier to prescribe change than to implement it, and that no public or private sector organization has sufficient resources to embrace all possible IT governance and delivery best practices. Consequently, these recommendations are pragmatic and conditioned by real-world considerations.

As shown in Table 2, these recommendations (which are actionable, achievable, and have measurable outcomes) will help the City realize improvements in how it governs, manages, and delivers IT services.

Table 2 – Recommendations and Objectives

1. Recommendation: Take steps to ensure the security and sustainability of the City’s IT environment
   Objectives: Provide a secure framework for the ongoing operation of the City’s technology infrastructure by developing formal plans and processes for:
   ▪ Cybersecurity Planning
   ▪ Disaster Recovery
   ▪ Penetration Testing
   ▪ Application Impact Analysis
   ▪ Single points of failure
   ▪ Root Cause Analysis

2. Recommendation: Adopt additional IT Best Practices
   Objectives: Create and adopt the following processes to improve core delivery of technology services to City departments:
   ▪ Project Guidelines and Management
   ▪ Resource Management
   ▪ Succession Planning
   ▪ ITD Service Catalog and Service Level Agreements
   ▪ Service Support Management
   ▪ Policies and Procedures

3. Recommendation: Expand ITD to improve its ability to support current and emerging user requirements
   Objectives: Structure the City’s IT Division to be more customer focused and equipped to meet increased demand through adoption of:
   ▪ Resource management plans
   ▪ Near-term ITD Organization
   ▪ Long-term ITD Organization

4. Recommendation: Develop a Business Application Portfolio
   Objectives: Enable ITD to better track the business applications to ensure the City obtains the highest possible return on its investments through application re-use and the sharing of business processes and information across departments

5. Recommendation: Take steps to improve its collaboration/communication with City departments
   Objectives: Improve internal and external communication between ITD and City departments, vendors, external agencies, and the public

6. Recommendation: Develop an Enterprise Data Architecture
   Objectives: Create a City-wide blueprint, supporting standards, and resources to create uniformity in databases, information gathering, and reporting
3.0 Strategic IT Trends that Could Impact the City

Organizations seeking to develop effective IT strategic plans need to consider a number of different factors including internal user needs, public expectations, and trends in IT to better allocate funds and resources in support of their business objectives and priorities. In particular, the ways in which organizations use IT are changing as are the expectations of internal and external stakeholders for access to information and services.

While public sector organizations must also become more customer-centric and innovative, they also must find ways to control their IT total cost of ownership (TCO) and demonstrate that they are obtaining the greatest possible value for their investments, commonly measured as return on investment (ROI).

Similarly, the technologies, methodologies, and tool sets used to develop and support automation, as well as the ways in which organizations use IT, have evolved considerably with the emergence of web-based (“cloud”) services, the consumerization of IT, and mobility. The continued introduction and rapid evolution of IT products and services could impact the City of San Luis Obispo in a number of ways including:
▪ The need to respond to increased public expectations for access to information and services is forcing a shift in the allocation of IT resources from internal uses to public-facing uses
▪ The growing adoption of mobile workforces and mobile computing as the solution of choice for remote access to internal applications and repositories of information coupled with the desire of users to have the same “desktop environment” on a remote device as they have in the office will drive the creation of new policies, support models, and security models
▪ In the face of a highly diverse and evolving market of new IT products and services and the demand for their use, organizations will be increasingly challenged to effectively allocate limited local IT resources

Based on our knowledge and experience, NexLevel has identified seven IT trends, as shown in Figure 3, that are changing how local governments invest in IT. Ultimately, organizations need to find a balance between investing their limited resources to better leverage existing information assets versus investing in innovative technologies that have the potential to radically transform how services and information are delivered to the public.

Figure 3 includes a number of acronyms defined as follows:
▪ ROI (Return on Investment)
▪ ECM (Electronic Content Management)
▪ OCM (Organizational Change Management)
▪ IoT (Internet of Things)
▪ BI/BA (Business Intelligence/Business Analytics)

Figure 3 – Enterprise Information Technology Trends
[Figure: quadrant chart with axes Innovation (Value) and Leverage (ROI); quadrants labeled High Leverage/Less Innovative, High Leverage/Highly Innovative, Low Leverage/Less Innovative, and Low Leverage/Highly Innovative; trends plotted: Mobility, Cybersecurity, Strategic Sourcing, OCM, “Smart City” Technologies (IoT, BI/BA, Digital Gov’t), Agility, ECM]

In the following sections, we describe these technologies.

3.1 “Smart City” Technologies

“Smart City” is unusual in that this trend is not a single technology, per se, but rather an integrated approach to the utilization of emerging information technologies and technology trends that enable local governments to more effectively identify trends (such as incidents, traffic, power demand, parking space availability, etc.), to re-allocate or reprogram City resources in response to these trends, and to support programs such as Smart Building, autonomous vehicles, Smart Payment, and Smart Street Lights. Smart City capabilities also enable members of the community and visitors to obtain information through smartphone apps regarding employment services, public safety, healthcare, social services, transit and driving route information, parking and event information.

Below, we address the following Smart City technologies:
▪ Internet of Things (IoT)
▪ Business Intelligence/Business Analytics (BI/BA)
▪ Digital Government

Internet of Things (IoT)

The Internet of Things (IoT) provides the foundation for many Smart City initiatives. Although some local governments look at Smart City in very tactical terms (involving highly-specialized and isolated IoT applications such as “Smart Intersections” and “Smart Corridors”), the effective implementation and continued use of smart technologies requires a broader approach that includes:
▪ The development and implementation of open and collaborative processes to develop the visions for the implementation and governance of Smart Technologies
▪ The implementation of secure, resilient, and ubiquitous wireless services that enable access to smart services from any device, anywhere, and anytime and that can scale to meet expected surges in demand
▪ The development and management of public/private partnerships and regional partnerships (including regional transportation) including plans for regional collaboration and information exchange
▪ The development and implementation of the processes required to support continuing communication and collaboration with members of the community, as well as those to leverage the information produced by smart devices, including business intelligence and business analytics

With regard to IoT, as discussed in IT Assessment Recommendation #1, NexLevel recommends the City take steps to ensure the security of its IT environment.
The existing Wireless System Citywide Upgrade and the Network Security Upgrade projects will help support/address IoT.

Business Intelligence/Business Analytics (BI/BA)

There has been considerable progress in the development of tools that enable organizations to consume a growing body of information for either tactical/reactive purposes (business intelligence) or for strategic/proactive purposes (business analytics). The development and maintenance of the “enterprise data architecture” required to support the use of BI/BA tools is one of the hidden costs of implementing Smart City technologies. This includes:
▪ Processes and staff to support the architecture, including processes for its governance, support, and evolution
▪ Standards and policies to ensure that business applications will be able to exchange information with other business applications and support the integration and compilation of information

Organizations without an enterprise data architecture, supporting standards, and staff to support it, often attempt to support decision-makers through a cumbersome combination of ad-hoc applications, databases, and spreadsheets. These tools often use data inconsistently, are seldom well documented or able to quickly meet new requirements, and eventually become a drain on organizational resources. This can quickly become a worst-case scenario as the total cost of ownership for these ad-hoc processes quickly mounts while the return on the organization’s investment decreases.

With regard to BI/BA, as discussed in IT Assessment Recommendation #6, NexLevel recommends the City develop an Enterprise Data Architecture that will support the use of BI/BA tools. The City is currently in the process of procuring an Enterprise Resource Planning system (Motion Project) that may influence the overall data architecture. Progress on this recommendation will be made after ERP selection.
Digital Government

Digital government is a comprehensive approach to the use of the Internet and mobile technologies as conduits for providing information to the public and to enable them to conduct business. The development and maintenance of a digital government strategy has become more complex due to the rapid multiplication of the number of channels for communicating with the public, as well as the continued evolution of mobile devices.

The Federal Government has adopted a digital government strategy that is built on four principles that could be adapted for the use of other government agencies:
▪ An “Information-Centric” approach – Moves us from managing “documents” to managing discrete pieces of open data and content that can be tagged, shared, secured, mashed up, and presented in the way that is most useful for the consumer of that information
▪ A “Shared Platform” approach – Helps us work together, both within and across agencies, to reduce costs, streamline development, apply consistent standards, and ensure consistency in how we create and deliver information
▪ A “Customer-Centric” approach – Influences how we create, manage, and present data through websites, mobile applications, raw data sets, and other modes of delivery, and allows customers to shape, share and consume information, whenever and however they want it
▪ A platform of “Security and Privacy” – Ensures this innovation happens in a way that ensures the safe and secure delivery and use of digital services to protect information and privacy

With regard to Digital Government, as discussed in IT Assessment Recommendation #5, NexLevel recommends the City take steps to improve its collaboration/communication with City departments, vendors, external agencies, and the public.
3.2 Organizational Agility

Agility is both a trend and an outcome of the significant changes that have taken place in how local governments (and other organizations) respond to both new information technologies and how those information technologies are used by the public. The ability to agilely respond to both changes in IT and changes in user and public expectations rests largely on the ability of an organization to identify and prioritize requirements and to allocate and/or reallocate both IT and user resources accordingly.

Effective planning and IT governance are key components of organizational agility. Planning documents often speak to the need to align technology plans and directions with business or operational needs and priorities. Generally, this implies a two-step process in which operational plans are developed and then technology plans are crafted to support them. NexLevel believes that this process is not as effective as it could be since the transformative impact of technology should be considered in the course of developing business plans, not afterwards.

IT Governance is used as the catalyst to ensure the alignment between an organization’s business goals and priorities and how it allocates its IT resources and assets. In the absence of effective alignment of business and IT direction, scarce resources can be allocated for IT projects that may be interesting, but fail to deliver real benefits to the organization.

With regard to Organizational Agility, as discussed in IT Assessment Recommendation #3, NexLevel recommends the City expand ITD staffing to improve its ability to support both current and emerging user requirements.

3.3 Organizational Change Management (OCM)

The introduction of new business applications and/or modifications to existing business applications often involves changes to existing business processes and organizational structure.
These changes, as well as the effort required to implement the business application, have the potential to significantly disrupt operations. Additionally, organizations have found that resistance to change can limit their ability to realize the intended benefits of business applications and prolong implementation projects, sometimes to the point that project success is in jeopardy.

Organizational Change Management (OCM) provides a methodological framework for managing the organizational impact of the implementation of new automation including changes in business processes, changes in organizational structure, and changes in culture by focusing on improving communication, setting expectations, and working to minimize the impact of misinformation. OCM is also dependent on performance management since it provides an objective and factual assessment as to whether the organization is obtaining the desired outcomes from changes to business processes, structure, and resourcing and the effectiveness of any subsequent steps that may be needed to overcome obstacles.

With regard to Organizational Change Management, as discussed in IT Assessment Recommendation #2, NexLevel recommends the City adopt additional best practices, including, among others, Project Guidelines and Management, as this will help ensure OCM is considered for every project.

3.4 Cybersecurity

While the need to secure information systems is not new, the increased focus and importance of cybersecurity is a direct result of the increased utilization of the web for the delivery of information and services and the related rise of the use of mobile and personal devices. The shift toward mobility and cloud services is placing a greater security burden on endpoints and mobile devices that in some cases may never even touch the corporate network.
The fact is that mobile devices introduce security risk when they are used to access company resources; they easily connect with third-party cloud services and computers with security postures that are potentially unknown and outside of the enterprise’s control. In addition, mobile malware is growing rapidly, which further increases risk.

Organizations can be crippled not just by attacks which result in the disclosure, modification, and destruction of information, but also by attacks that take over or disable critical infrastructure components, or impede the ability of legitimate users to access information and services.

The nature of cybersecurity threats is continually evolving due to the growing sophistication of hackers, the resources available to them, and an increase in the range of motivations from mischief and activism to profit. As a result, the community of hackers has expanded to include criminal enterprises that profit through extortion as well as through the theft of digital assets.

Consequently, organizations must adopt and implement systematic approaches to protect their information assets from cyber threats including the ability to detect and defeat these threats, limit the impact of potential intrusions, recover from them, and adapt processes to better manage similar attacks in the future. The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that enables organizations to progressively implement procedures to safeguard against cyber threats.

With regard to Cybersecurity, as discussed in IT Assessment Recommendation #1, NexLevel recommends the City take steps to ensure the security of its IT environment. The existing Firewall Replacement and Network Security Upgrade projects, as well as on-going user training, will help address/support Cybersecurity.
3.5 Enterprise Content/Document Management (ECM)

The management of enterprise content, including documents, audio, video, and images is not a new trend. However, due to the increasing amount of content (particularly video), organizations are adopting enhanced ECM strategies and capabilities in order to:
▪ Better organize and catalog documents and digital content so that they are more readily available across the organization and to ensure that users have access to the most current versions
▪ Improve the ability to collaborate with internal and external users (including the ability to annotate)
▪ Control access to documents, including permissions to add, read, copy, modify, and delete
▪ Conform to records management requirements
▪ Search documents and content in conformance with public records requests
▪ Support users working from remote locations

More recently, organizations have also realized that the absence of a document and content management framework limits the usefulness of field mobility since this depends on the ready availability of content. Consuming bandwidth and time to search for documents is frustrating for end-users and increases organizational costs for mobility.

With regard to ECM, as discussed in IT Assessment Recommendation #6, NexLevel recommends the City develop an Enterprise Data Architecture. The existing Motion Enterprise Resource Planning (ERP) project could be leveraged to support ECM, as ERP solutions typically include such functionality.

3.6 Mobility

Mobility refers to the use of personal devices to obtain access to organizational services and information and represents a significant opportunity for government to improve the effectiveness and timeliness of service to the public.
However, mobility is also vexing for enterprise IT planners since:
▪ The proliferation of devices is a challenge for support organizations as users attempt to obtain connectivity to secured wireless networks and utilize applications
▪ User access to enterprise information and services from mobile/wireless devices potentially exposes them to cyber attacks
▪ Public-facing solutions need to be both open and adaptive to optimize the user experience from a universe of devices that is continually evolving
▪ “Follow me” mobility fundamentally changes the paradigm of the standard desktop computing model where the computer, the operating system, the applications, and the user’s data and preferences are integrated into a single platform

Despite these challenges, mobility is a “game changer” in the public sector enabling users to move as needed and to enter or update information on a real-time basis. In addition, mobility enables access to information where/when it is most needed (i.e., in responding to incidents and emergencies).

With regard to Mobility, as discussed in IT Assessment Recommendation #1, NexLevel recommends the City take steps to ensure the security of its IT environment. The existing Radio Handheld and Mobile Device Replacement, Virtual Private Network (VPN) replacement, and Wireless System Citywide Upgrade projects will help address/support Mobility.

3.7 Strategic Sourcing and Cloud Services

Strategic sourcing is based on the concept of using the most effective service provider to respond to user needs, thus enabling permanent IT staff members to focus on high-priority, high-value tasks and technologies.
For many organizations in both the public and private sectors that have aging IT facilities and infrastructures, the use of “cloud” based services including Infrastructure as a Service (IaaS), Desktop as a Service (DaaS), and Software as a Service (SaaS) offers an alternative to initial capital expenditures, the recruitment of additional staff members, or the procurement of traditional staff-supplementation services (contractors). An additional benefit for many organizations is that using SaaS simplifies their disaster recovery and business continuity planning since they can quickly resume operations from a facility that has connection to the internet.

Common strategies for cloud-based services include:
▪ Public Cloud – Public Cloud services are generally shared (thus “public”) with users sharing a common code base, but with their data maintained separately
▪ Private Cloud – is similar to a Public Cloud, but in a COTS/SaaS environment the private cloud is based on a separate code base and database for each organization (although multiple organizations may share a virtualized computing environment)
▪ Hybrid Cloud – a combination of private and public cloud services, potentially from different service providers; this permits organizations to use more expensive private cloud services for mission-critical applications and confidential information, while leveraging the public cloud for less critical applications and information

Key benefits of sourcing include:
▪ The ability to obtain services under the terms of a service level agreement
▪ The ability to obtain service coverage for extended hours of operation including 24x7
▪ The ability to defer, or avoid, capital costs for the acquisition of IT infrastructure assets
▪ The ability to more readily scale the IT environment to meet demand
▪ Reduced dependence on local staff resources, including training and planning for staff succession
▪ Less risk since the applications are hosted in a remote data center

Nonetheless, organizations seeking to use external services (cloud-based or not) need to carefully consider:
▪ The cost of implementation
▪ The continuing costs for utilization
▪ The provisions for the availability and security of information that is stored off-site
▪ Data ownership and location
▪ The costs and effort related to potentially exiting the sourcing arrangement in the future

With regard to Strategic Sourcing and Cloud Services, as discussed in IT Assessment Recommendations #1, #2 and #6, NexLevel recommends the City take steps to ensure the security and sustainability of its IT environment, adopt additional IT best practices, and develop an Enterprise Data Architecture, respectively.

4.0 Roadmap

Strategic planning enables organizations to find a balance between immediate and long-term needs. It follows that the process for the development of an IT strategic plan needs to take the same considerations into account.
4.1 Methodology

Without an IT strategic plan to serve as a baseline to manage and respond to change, organizations tend to become reactive rather than proactive and, as a result, spend more, fail to leverage technology assets, and overall, obtain reduced benefits for their investments in IT.

Strategic projects were identified based on operational needs and priorities identified in the course of the interviews with the City’s user stakeholders, IT needs and priorities, and the recommendations that NexLevel identified for the City. The resulting project list was reviewed with the City’s management team and refined considering both the user and IT resources that would be required to implement the projects and information regarding information technology trends. The refined project list was to serve as the foundation for the planning and prioritization workshop. However, due to a City resource shortage and budgetary constraints, these technology projects have been placed on hold. Only technology projects approved as part of the annual CIP budget have been included in the plan. The majority of these projects are infrastructure improvements and do not address replacement of user equipment.

4.2 Project Portfolio

The following figures summarize the projects in the portfolio, as well as the projects that have been placed on hold:
▪ Table 3 - CIP IT Project Names and Descriptions
▪ Figure 4 - Prioritized CIP IT Projects (provided as separate attachment)
▪ Table 4 - CIP IT Project Funding and Timeline
▪ Table 5 - List of IT Projects On Hold (non-funded, non-prioritized, and sorted by department)

Table 3 - CIP IT Project Names and Descriptions

Project Name | Sponsor | Description
South Hills Radio Site Upgrade and Radio Enhancements | City-wide | Replacement of South Hills Radio shelter and addition of 100' tower. This is needed to increase radio coverage Citywide.
SQL Server Cluster | IT | Clustering of SQL servers to provide real-time redundancies for critical database applications.
Motion Enterprise Resource Planning (ERP) Implementation | Finance | The City is embarking on the implementation of an Enterprise Resource Planning system that includes financials, procurement, human resources, payroll, and other related functions. The project will align city business processes to the new ERP system environment and provide interfaces to other core business applications currently deployed throughout the City.
Police Department (PD) Storage Area Network (SAN) Controller Replacement | Police & IT | The City’s Storage Area Network Controllers have a 5-year lifespan before beginning to have frequent failures. Controllers are critical for users to be able to search for and assess stored data. It is not recommended to push the equipment beyond the recommended 5 years.
Voice Over Internet Protocol (VoIP) Telephone System Replacement/Upgrade | City-wide | The ShoreTel System was installed in 2008 and is the City’s main internal and external telephone system. At the time of installation, it was estimated that the life of the VoIP system would be 10 years. Staff will be seeking approval to release an RFP in 2017 to replace/upgrade end user and back-end ShoreTel equipment.
Radio Handheld & Mobile Device Replacement | Police & Fire | All City radio end user equipment (public safety and non-public safety) is reaching end-of-support and/or end-of-life. Almost all of the City’s radio handhelds and mobiles were replaced as part of the radio upgrade project in 2010. This equipment is expected to have a 5-year life span. The public safety portion of the equipment is heavily used and requires a high degree of reliability. This equipment is the primary means of communication with and between Fire and Police staff in the field. It is also relied upon by the Utilities and Public Works Departments on a daily basis as well as in the event of a natural disaster. Radios are also used by Parks and Recreation for major events. Because of the different radio frequencies that the City uses, Police and Fire radios are not interchangeable. This means that the City must keep a variety of back-up radios and only has a limited inventory of any one particular frequency radio. Normal use results in these back-up radios being used while others are in for repair.
Storage Capacity Replacement | IT | Replacement of the City’s main Dell Compellent Storage system, which is the primary storage system for 120 virtual servers, all the City’s databases and the City’s network applications. This system consists of a larger set of enterprise hard drives configured to provide resiliency in case of failure. This system is replicated to another City facility for added redundancy and security.
Universal Power Supply (UPS) Battery Backup System Replacement | IT | These UPSs keep devices powered on during commercial power loss until the building’s electrical power generator comes on. It is vital that UPSs be replaced to provide maximum power capacity so that City systems such as servers, data and storage networks don’t experience data loss or corruption.
Emergency Communication Center (ECC) Blade Computer Replacement | Police | These computers are run 24/7/365 by our police and fire dispatchers. These computers provide the Network, Spillman CAD, Radio and Security interfaces and computing environments that are critical to the day-to-day operations of the Public Safety Dispatch Center. These computers are kept “always on” so in case of a failure or an emergency, all 9 dispatch consoles in the ECC are ready for immediate use. This “always on” state shortens the working life of the equipment. Mission critical public safety equipment must remain highly reliable so staff recommends a 5-year replacement schedule to maintain the integrity of the system.
ECC Equipment Replacement | Police | This equipment is utilized 24/7/365 by police and fire dispatchers. This project includes 2 large security monitors and supporting equipment. In addition, the 36 heavy duty type batteries in the center’s two Eaton UPS systems will be replaced with a fresh set of batteries. These batteries are maintained regularly and are regularly monitored for usability. The batteries will reach life expectancy in 2018.
Tait Radio System Backend Upgrade | City-wide | The City’s simulcast Tait TB8100 radio system was installed in 2010, and will be eight years old in 2018. This project will upgrade the existing Tait radio system from Analog TB8100’s to Digital TB9100’s. This will allow for simplified management, easier troubleshooting, and improved error reporting. Additionally, this upgrade will eliminate three points of failure in the system and create a distributed voting structure among all sites, which significantly reduces the impact of a site loss while improving radio coverage for the City’s Police and Fire personnel.
Irrigation Software (RainMaster/RainBird) Automation | Public Works | The aging City irrigation system (RainMaster/RainBird) will need to be upgraded or replaced.
Fleet Management Software Upgrade | Public Works | Upgrade of the Public Works Cartegraph fleet maintenance system. The current version of fleet management software is no longer being supported and does not provide the level of data management and reporting the fleet operations require to provide services on a city-wide basis.
Microsoft Office 365 Migration | IT | The City has moved to the yearly subscription-based Microsoft Office 365 Cloud version. This project is critical to keeping this subscription-based model funded for the next several years. It is critical that the City stay on this subscription-based model to make sure that our Office Productivity tools are always up to date.
Firewall Replacement | IT | City firewalls were last upgraded in 2014, which means that they are due for replacement in 2019. Support for these devices will be limited to next business day replacement parts support, exposing the City to prolonged outages if a failure is hardware related.
Network Security Upgrade | IT | The City network security equipment was last replaced in 2014, which means that it is due for replacement in 2019. Support for these devices will be limited to next business day replacement parts support, exposing the City to prolonged outages if a failure is hardware related.
Virtual Private Network (VPN) Replacement | Police & IT | The City VPN system equipment was last replaced in 2014, which means that it is due for replacement in 2019. Support for these devices will be limited to next business day replacement parts support, exposing the City to prolonged outages if a failure is hardware related.
Dispatch Radio Console Replacement | Police | The Avtec Radio Consoles were last upgraded in 2015 and are run 24/7/365 by police and fire dispatchers. These consoles are the main gateways between the backend radio equipment and the radio consoles that the police and fire dispatchers use to communicate between public safety personnel internal to the City as well as surrounding agencies. The consoles also provide uniform access to the Fire Station ring down system and to critical gates and doors that are monitored by dispatch. The “always on” state shortens the working life of the equipment. Mission critical public safety equipment must remain highly reliable so staff is recommending a five-year replacement schedule to maintain the integrity of the system.
Audio Recording System Replacement | Police | The City’s audio recording system records and retains mission critical phone and radio traffic used in the course of business. The City of San Luis Obispo records radio channel traffic for the police and fire departments, phone calls at the six main 9-1-1 consoles located at the Emergency Communications Center, and all phone lines located within the police department. These recordings are used in a variety of ways, such as for evidence in criminal cases, training, investigations and review for quality assurance. The recordings are kept for two years according to the City’s Records Retention Policy unless retained as evidence or for training purposes. The system was last upgraded in 2016 as part of the 911 System upgrade. It is critical that this system be maintained and hardware be kept highly reliable so staff recommends a five-year replacement schedule to maintain the integrity of the system.
Server Operating System Software Upgrade | IT | The City is currently running on a Microsoft Windows Server Platform. Failure to keep up with the latest Microsoft version of Server operating systems could lead to security vulnerabilities and the inability to run current applications.
Wireless System Citywide Upgrade | City-wide | The City’s wireless network infrastructure currently consists of 60 access points and Meraki Cloud Based Networks wireless controllers. The access points are used to support: the public safety in-car video system, fleet maintenance systems, the Emergency Operation Center’s audio/visual controls, the Channel 20 broadcast system’s control system, public wireless access for the Council Chambers and Council Hearing room, and the Emergency Communications Center’s audio/visual control system. Each of these systems has unique requirements that necessitate a wireless network connection to meet their various specifications. Enterprise level wireless controllers allow the combining of numerous access points to create large wireless hot spots, manage conflicts between multiple wireless networks, and centralize management, security and access control for both the public and City staff. The City’s current Meraki wireless system has been in place for over 4 years and will soon become obsolete due to the manufacturer discontinuing future system upgrades and security enhancements of the current wireless equipment. Staff is recommending a full upgrade to maintain wireless service and security.
Public Surveillance Cameras Upgrade/Replacement | City-wide | The main objective of the public surveillance system is to record data that may be used to investigate various events and/or crimes. The public video system includes cameras, camera housings, mounts, servers, storage and a control system. The current system has various components that need replacement or updating. Public cameras are located at the Golf Course, City Hall, and the City Pool facility.
Table 4 - CIP IT Project Funding and Timeline

Project Title | Budget | Allocation of Cost By Fiscal Year (FY 2017/18, FY 2018/19, FY 2019/20, FY 2020/21, FY 2021/22)
Motion Enterprise Resource Planning (ERP) Implementation | $ 350,000 | $ 350,000
South Hills Radio Site Upgrade and Radio Enhancements | $ 437,837 | $ 254,255; $ 183,582
SQL Server Cluster | $ 100,000 | $ 100,000
Storage Capacity Replacement | $ 85,000 | $ 85,000
Police Department (PD) Storage Area Network (SAN) Controller Replacement | $ 80,000 | $ 80,000
Public Surveillance Cameras Upgrade/Replacement | $ 26,500 | $ 26,500
Fleet Management Software Upgrade | $ 100,000 | $ 100,000
Radio Handheld & Mobile Device Replacement | $ 486,929 | $ 180,000; $ 143,123; $ 14,100; $ 149,706
Irrigation Software (RainMaster/RainBird) Automation | $ 12,000 | $ 12,000
Microsoft Office 365 Migration | $ 125,350 | $ 125,350
Tait Radio System Backend Upgrade | $ 508,045 | $ 508,045
Universal Power Supply (UPS) Battery Backup System Replacement | $ 42,706 | $ 42,706
Emergency Communication Center (ECC) Blade Computer Replacement | $ 4,317 | $ 4,317
ECC Equipment Replacement | $ 35,000 | $ 35,000
Firewall Replacement | $ 154,863 | $ 154,863
Network Security Upgrade | $ 125,000 | $ 125,000
Virtual Private Network (VPN) Replacement | $ 102,014 | $ 102,014
Server Operating System Software Upgrade | $ 41,868 | $ 41,868
Audio Recording System Replacement | $ 120,000 | $ 120,000
Dispatch Radio Console Replacement | $ 375,000 | $ 375,000
Wireless System Citywide Upgrade | $ 50,217 | $ 50,217
UPS Battery Backup System | $ 42,706 | $ 42,706
PD SAN Controllers | $ 80,000 | $ 80,000
Voice Over Internet Protocol (VoIP) Telephone System Replacement/Upgrade | $ 256,371 | $ 256,371
Totals | $ 3,741,723 | $ 825,755; $ 1,261,000; $ 525,000; $ 550,968; $ 579,000
Table 5 - List of IT Projects On Hold (non-funded, non-prioritized, and sorted by department)

Project Title | Owner/Sponsor
eDiscovery | City Attorney
Litigation Management Application | City Attorney
City Intranet Development | Citywide
Contract Management | Citywide
Document Scanners | Citywide
Photo Management | Citywide
Timecard System (IntelliTime) | Citywide
EnerGov | Community Development
EDCM Roadmap | Clerk
CAFR and Financial Plan Database Automation | Finance
Misc. Fee database | Finance
Critical Community Connectivity Project | Fire
EPCR (Electronic Patient Care Reporting) | Fire
Fire Radio Receive Site at Fire Station #4 | Fire
Fire Scheduling (Telestaff) | Fire
Risk Management Application | Human Resources
City Hall Data Center Relocation | IT
City/County Parcel Project | IT
Data Integration Roadmap | IT
Enterprise Storage Growth | IT
GIS Roadmap | IT
Network Switching Infrastructure Equipment | IT
Redundant Internet Connection | IT
SAN Controllers - City | IT
Sharelink Deployment | IT
VDI - Phase II | IT
VM Infrastructure | IT
Graphics Tools | Parks & Rec
Virtual Tour of City Facilities | Parks & Rec
Volunteer Worker Tracking Software | Parks & Rec
911 Phone System | Police
ECC Audio Visual System | Police
EOC AV System | Police
Field Reporting/Citations | Police
Interview Room Technology Upgrade | Police
Police CAD Hardware Servers/storage | Police
Police CAD/RMS Study | Police
Shore Micro (Radio System Redundant Bypass Link) | Police
Stolen Vehicle Project | Police
Streaming Video (Event mgt. for Dispatch) | Police
Thinkstream CAD | Police
Automated Vehicle Locator | Police & Fire
Public Safety MDC's | Police & Fire
Access Control (Automatic Gate Card System) | Public Works
Asset Management | Public Works
AutoCAD - Engineering Software | Public Works
Signal & Light Management (Cartegraph) | Public Works
Signs Management (Cartegraph) | Public Works
Transit AVL System | Public Works
Transit Fare Systems GFI | Public Works
CityWorks Implementation at Whale Rock | Utilities
Hach WIMS (Prev. OPS32) | Utilities
iFix SCADA System - Controls wastewater alarms | Utilities
MP2 Maintenance Software System | Utilities
Utility Billing System | Utilities
Water Telemetry HMIs | Utilities
Whale Rock Wi-Fi | Utilities

5.0 Conclusion

The ITSP is a roadmap in that it charts the route to get from where the City is today to where it needs to be. The experience of organizations that are working to transform their IT environments (including the ways in which they strategically govern IT, manage the delivery of IT services, and deliver them) to a target state underscores the critical role that IT governance, combined with a focused approach to organizational change management and well-defined and measurable objectives, plays in organizational transformation.

The City’s management team must continue to be committed to maintaining and communicating the City’s IT vision, mission, values, etc., adapting all as circumstances require changes in priorities, and considering alternative approaches to enable the City to attain its objectives. Support of the ITSP will need to come in terms of priorities, funding, policies and best practices. Successful implementation may mean making compromises, and it will mean exercising patience, taking an organization-wide perspective, and maintaining a continued focus on revising the plan as events take place. Finally, it will take cooperation, communication and flexibility to adapt to changing needs, technologies and resources.
Information Technology Assessment Report
Prepared by:
October 2016
Revised November 2016
Revised April 2017
Revised June 2017

City of San Luis Obispo Information Technology Assessment Report August 29, 2017

Table of Contents

SECTION 1 – INTRODUCTION
1.1 – SCOPE AND OBJECTIVES
1.2 – DOCUMENT ORGANIZATION AND CONTENTS
1.3 – ROLE OF IT ASSESSMENT REPORT
SECTION 2 – IT ASSESSMENT
2.1 – IT ASSESSMENT OVERVIEW
2.2 – SUMMARY OF “VOICE OF THE USER” SURVEY
2.3 – USER STAKEHOLDER INTERVIEWS
2.4 – IT INTERVIEWS
2.5 – CORE BUSINESS APPLICATIONS
2.6 – IT BEST PRACTICES ASSESSMENT
2.7 – SWOT ANALYSIS
SECTION 3 - STATUS OF 2011 IT ASSESSMENT RECOMMENDATIONS
SECTION 4 – RECOMMENDATIONS
4.1 – THE CITY SHOULD TAKE STEPS TO ENSURE THE SECURITY AND SUSTAINABILITY OF ITS IT ENVIRONMENT
4.2 – ITD SHOULD ADOPT ADDITIONAL IT BEST PRACTICES
4.3 – THE CITY SHOULD EXPAND ITD TO IMPROVE ITS ABILITY TO SUPPORT CURRENT AND EMERGING USER REQUIREMENTS
4.4 - THE CITY SHOULD DEVELOP A BUSINESS APPLICATION PORTFOLIO
4.5 – ITD SHOULD TAKE STEPS TO IMPROVE ITS COLLABORATION/COMMUNICATION WITH THE CITY DEPARTMENTS
4.6 – THE CITY SHOULD DEVELOP AN ENTERPRISE DATA ARCHITECTURE
APPENDICES
APPENDIX A – INVENTORY OF TECHNOLOGY POLICIES
APPENDIX B – IT BEST PRACTICES CHECKLIST
This Information Technology Assessment Report was developed for the City of San Luis Obispo, by NexLevel Information Technology, Inc.

Section 1 – Introduction

1.1 – Scope and Objectives

This Information Technology (IT) Assessment Report was developed for the City of San Luis Obispo (City) by NexLevel Information Technology, Inc. (NexLevel) to document how effectively the City governs, manages, and delivers information technology services. The information provided in this report was derived from:
▪ An online IT User Satisfaction Survey
▪ Interviews conducted with key user department stakeholders, subject matter experts (SMEs), and policy advisers
▪ Interviews conducted with the City’s IT Manager and staff
▪ An Information Technology Best Practices Assessment that provides an analysis of the City’s conformance to a set of information technology best practices
▪ A review of the 2011 IT Assessment and progress made to date

Terminology

To avoid confusion, concepts and observations in this report regarding the use of information technology in general are spelled out (“information technology”) or abbreviated as “IT”, while “IT organization or ITD” are used for references to the City’s Information Technology Division.

1.2 – Document Organization and Contents

This report contains the following sections:
1. Introduction (this section), which provides information regarding the scope and objectives of this project and the relationship of this report to the overall project scope, and role of the IT Assessment in the overall process of developing an IT Strategic Plan
2. IT Assessment, which provides a summary of the findings resulting from each component of the assessment including the interviews with key user stakeholders, interviews with the City’s IT Manager and ITD staff, a status of the previous assessment, and a current assessment of the degree to which the City’s practices and procedures conform to information technology best practices; and
3. Recommendations, which provides specific recommendations for actions that should be taken by the City based on the findings of the assessment, along with suggested steps that the City should take to implement the recommendations.

1.3 – Role of IT Assessment Report

[Figure 1 – Information Technology Assessment and Strategic Plan (ITSP) Process]

Figure 1, Information Technology Assessment and Strategic Plan (ITSP) Process, depicts the major tasks and deliverables involved in the development of the City’s IT Strategic Plan and the role of the IT Assessment in the overall process. As shown, the IT Assessment provides the foundation for the development of the IT Strategic Plan by enabling the development of a shared, City-wide vision of:
▪ Where the City is today with regard to the information technology services provided by ITD including a detailed review of the City’s information technology strengths, weaknesses, opportunities, and threats
▪ A best practice review of key dimensions of IT operations and an assessment as to the City’s compliance with technology service delivery and commonly accepted guidelines
▪ Steps that the City should take to better govern, manage, and deliver information technology services

An additional product of the work related to the development of the IT Assessment, provided later, under separate cover, is the preliminary portfolio of proposed IT projects which will provide the foundation for the Prioritization Workshop that will help shape the City’s IT Strategic Plan.

Section 2 – IT Assessment

2.1 – IT Assessment Overview

The IT Assessment provides a picture of how the City governs information technology objectives and priorities, manages information technology, and delivers information technology services to the City’s departments. The assessment provides a baseline that defines where the City is today, where it needs to be, and the gap between the two.
As depicted in Figure 2, Components of Information Technology Assessment, NexLevel’s evaluation was developed based on information from:
▪ The “Voice of the User” Survey and comparison to similar surveys conducted by NexLevel for the City in 2011 and 2014
▪ A series of interviews with City decision-makers, stakeholders, and subject matter experts
▪ A series of group and individual interviews with IT managers and staff members
▪ An assessment of the City’s core business applications
▪ An assessment of the degree to which the City’s information technology operations and practices conform to a set of best practices
▪ A review of the 2011 IT Assessment conducted by NexLevel with a progress report relative to the recommendations provided in that assessment

[Figure 2 – Components of Information Technology Assessment]

The IT Assessment and the resulting recommendations are comprehensive and are thus not driven by any single factor, but represent the consensus of NexLevel’s consulting team based on the totality of the information collected, along with the consultants’ cumulative experience in managing IT organizations and conducting similar engagements.
The experience of the consulting team is particularly important in considering, reconciling, and weighing the results obtained from each component of the IT Assessment, which can sometimes vary as a result of the different methodologies used to capture the information.

For example, when there is a variance between the results of the “Voice of the User” Survey and the interviews conducted with key user stakeholders, the interviews are given greater weight since, unlike the survey, the interviews are conducted face-to-face. The in-person approach of the interviews enables the consultants to ask follow-up questions to better assess whether the information being provided is consistent with information obtained in prior interviews and represents an objective assessment, from the users’ perspective, of how the organization governs, manages, and delivers information technology services.

Regardless of the source of information, NexLevel’s approach is to validate the concerns expressed by the user community, and to provide the City with actionable recommendations designed to improve IT service delivery, increase organizational efficiency, and enhance information security.

2.2 – Summary of “Voice of the User” Survey

Between September 20, 2016 and October 3, 2016, NexLevel conducted an on-line survey of City employees to assess their satisfaction with the support they receive from ITD and general observations concerning the City’s use of technology. Of the approximately 540 City employees invited to take the survey, 191 participated (35%).
Network Services:
▪ Of the 175 individuals who responded to the question regarding their satisfaction with the time it takes Network Services to solve/correct their problem, 145 (97%) indicated they were satisfied to some degree (either very satisfied, satisfied, or somewhat satisfied)
▪ Of the 169 individuals who responded to the question regarding their satisfaction with the communications on issue resolution from Network Services, 154 (94%) indicated they were satisfied to some degree
▪ Of the 167 individuals who responded to the question regarding the timeliness and completeness of Network Services’ follow-up/check back on the service provided, 155 (93%) indicated they were satisfied to some degree
▪ Of the 142 individuals who responded to the question regarding training provided for the business applications used in a department, 111 (78%) indicated they were satisfied to some degree
▪ Reasons City staff contacted Network Services for assistance included:
- Software Applications (Microsoft, Adobe, etc.) – 73%
- Hardware (PCs, Laptops, etc.) – 68%
- Enterprise Applications (Business software) – 30%

Survey respondents were asked to rate their satisfaction with core business applications:
▪ 41% indicated a level of dissatisfaction with Finance/Community PLUS (finance system)
▪ 41% indicated a level of dissatisfaction with EnerGov (land management system)
▪ 39% indicated a level of dissatisfaction with IntelliTime (time reporting)
▪ 28% indicated a level of dissatisfaction with Spillman (Police CAD/RMS system)
▪ 25% indicated a level of dissatisfaction with MinuteTraq (agenda management system)
▪ All other applications were rated at some level of satisfaction

When asked, “What does Network Services do well?” typical responses included:
▪ Quickly responds to user issues
▪ Keep systems running
▪ Great and helpful team
▪ Friendly, knowledgeable staff

When asked, “What can Network Services do better?” typical responses included:
▪ Add staff
▪ Provide additional applications training
▪ Proactively identify problem areas and recommend solutions

Information Services:
▪ Of the 42 individuals who responded to the question regarding their satisfaction with Information Services’ understanding of their needs, 37 (88%) indicated they were satisfied to some degree
▪ Of the 42 individuals who responded to the question regarding their satisfaction with Information Services’ time to respond to their request for service, 36 (86%) indicated they were satisfied to some degree
▪ Of the 42 individuals who responded to the question regarding their satisfaction with Information Services’ ability to communicate clearly, 36 (86%) indicated they were satisfied to some degree

When asked, “What does Information Services do well?” typical responses included:
▪ Responsive and accommodating
▪ Understanding needs and delivering on requests
▪ Very knowledgeable and helpful

When asked, “What can Information Services do better?” typical responses included:
▪ Provide enterprise access (single log-on)
▪ Provide formal training
▪ Increased communication with GIS users and departments overall to ensure needs are being met and that staff understands solutions that are available

Network Services, Information Services and Database Administration Combined:

Other observations made by City employees relative to the City’s overall use of technology included:
▪ Not aware of data/information security policies; need awareness
▪ KBOX Help Desk software is not intuitive and can be confusing at times
▪ KBOX email status updates can be difficult to read and specific responses are buried under clutter
▪ I get locked out of VDI too often
▪ VDI is slow, problematic at times
▪ Poor radio communication in parts of the City
▪ VPN connections drop in certain areas of town
▪ Database administration (DBA) services does a great job with the resources available to them
▪ DBA services need additional staffing
▪ Too much of the time, Database Services is not available and work efforts are delayed
▪ Need better understanding of GIS and the overall picture
▪ The IT Steering Committee is a great idea with a lot of potential, but it seems to be a “black box”
▪ Would like more City-wide communication of the IT Steering Committee’s work and efforts

The survey represents one of several data points that were evaluated to determine how City staff view the services they receive from ITD and how the City manages City-wide technology resources. NexLevel tends to be cautious in drawing conclusions from the user survey alone. The survey results are often driven by current perceptions of the users and these tend to be isolated rather than holistic and reflect recent experiences rather than looking at service levels over time.

2.3 – User Stakeholder Interviews

In the course of the IT Assessment, NexLevel conducted interviews with:
▪ Administration/City Manager
▪ City Attorney
▪ Community Development
▪ Finance
▪ Fire
▪ Human Resources
▪ Parks and Recreation
▪ Police
▪ Public Works
▪ Utilities

2.3.1 – Summary of User Concerns and Requirements

During the user interviews, the interviewees voiced the following concerns and requirements:
▪ Some of the users expressed the concern that while IT does a good job of responding to basic infrastructure issues, its support of new and existing business applications is not as good.
Common issues regarding business applications included:
- A lack of depth in staffing and experience so that if a key ITD staff member is out of the office there is no backup for that person
- Problems with the application of software patches, releases, and new versions, with some of the City’s business applications being out of date
- A feeling that there is minimal focus on enterprise applications and little vision or plan for the management of business applications in general
▪ While Laserfiche has been implemented to support document management, numerous departments do not use it
▪ The Payroll/Timesheet Reporting application (IntelliTime) is not configured to support the City’s FLSA requirements, which results in nonexempt employees having to report days and hours worked into IntelliTime that may be different than the actual schedule worked
▪ Departments typically forego the implementation of application upgrades due to the time and resources required, and because the upgrades include functionality for which departments have not been trained
▪ Users would like access to additional applications other than those that are used within their department
▪ The users of specific applications are entering data into those applications in different ways, which is causing data integrity issues, and in turn, affecting the quality of reports
▪ While user training pertaining to specific applications occurs around the time of implementation, that training is just enough to “get started,” and as time moves forward, users tend to forget much of what they learned, yet no additional training is provided
▪ With the focus on KPIs, each department is interested in implementing a dashboard; however, this will require a significant time commitment from ITD Database Administration
▪ Numerous applications have been implemented without consideration as to whether:
- There might be other applications already in place in the City that could fulfill the same need
- The applications should be integrated with existing applications
- Work flow and improved business processes are often overlooked

2.3.2 – Interview Summaries

Administration/City Manager

The City’s executive view for the use of technology is to “be cutting edge, but not bleeding edge and stretch the City’s core competencies in terms of technology and community services”. Specific areas for the application of technology include:
▪ Citizen Access to Data: any device, to any data, from anywhere; applications should be integrated, the data must be secure, accessible and approachable, instructions on data usage must be provided to meet ever increasing self-service public demands
▪ Technology Refreshment: technology must be current and relevant; the City must find economical ways to stay fresh and current with the use of technology
▪ Lessons Learned: the City should define a process to review technology projects in order to learn from past successes and mistakes
▪ Data Analytics: the City wants its data repository to be the backbone to make decisions; implement the tools to mine, collect and analyze data; establish uniform City-wide performance measurements
▪ Sourcing: the City should continue to evaluate technology sourcing options (SaaS, Managed Services, etc.) as it acquires new applications to reduce infrastructure support or to perform commodity services (e.g. Help Desk, Network Monitoring, etc.)
▪ Organizational Structure: so that IT is not thought of as the sole innovator for advancing technologies to keep departments current with technology
▪ Efficiency: doing the best job with the resources available:
- Replacing the Finance System with a City-wide ERP
- Exploring downtown public Wi-Fi
- Automating manual processes within all departments and eliminating duplicate data entry where possible
- Using repeatable processes (i.e. checklist standards) for routine tasks

City Attorney

The department’s use of technology is limited to basic Microsoft products and most tasks are supported by manual processes. Several systems are available (Houdini Esquire, Laserfiche), but these have been deemed too complicated and are not being utilized. The department has identified the following activities, which could expand their use of technology or better utilize systems currently implemented within the City:
▪ Data Retention: mechanism to ensure the City’s retention policies are being followed
▪ Public Records Requests: track City’s responses to public requests, and an application to support the location of information
▪ Document Management: initiative to effectively utilize Laserfiche City-wide
▪ Contracts Management: implement a contract management solution to improve the creation, routing/tracking, versioning, and storage of contract materials
▪ Access to other City systems: obtain access to information such as GIS, Community Development applications, etc.
▪ Enterprise Systems: the Department indicated that the City should more effectively utilize enterprise systems rather than implementing standalone, department based applications (i.e. Microsoft OneNote)

Community Development

The Community Development Department identified the following technology needs and issues:
▪ Permitting and Land Management: EnerGov was implemented to replace the obsolete Bonnie App. In consideration of lessons learned, the department tried to make EnerGov work like the Bonnie App instead of changing the business processes, which limits the effectiveness of the application. Through continued work with Tyler Technologies, an EnerGov maturity model has been developed with a 6 to 18 month implementation plan. The maturity model, along with hiring an applications specialist, will support the desire to go paperless and increase the features available in the customer self-service portal
▪ Plan Check: engineering customers have recommended Bluebeam Software – need to plan for it in CIP
▪ Mobile Computing: both building and code enforcement staff use iPads for access to EnerGov; need to set up work flow
▪ Retirement of Bonnie Apps: as mentioned, the department is still using the land use inventory as it has large numbers of links for document management and it is the easiest way to access those documents; department is cutting and pasting information for FEMA reporting
▪ GIS: the technology is in place, but has not been activated or tested; staff have not been trained
▪ Project Management: the department has not had good success implementing IT projects in the past (e.g. it took 5 years for the EnerGov implementation and 2 years for the data migration from the Bonnie Apps) and has a need for project management services
▪ Document Management: Tyler Content Manager is used to attach documents and Laserfiche is not used. Document management is a City-wide need to clarify how/where documents should be archived and avoid archiving documents in multiple places
▪ Council Agenda: currently using Accela MinuteTraq, but unsure if the City is committed to using it. They have had it for a year, but have had other products for many years that were discarded
▪ Neighborhood Information: neighborhood services specialists follow the same work flow as code enforcement – they use tablets in the field connected to EnerGov; static information is available for citizens on website, but the desire is to move to dashboards; active on social media – Instagram, Twitter and Nextdoor; want citizens to select geographic areas of interest and then specific announcements/bulletins
▪ Public Works and Utilities: the Public Works and Utilities departments have implemented applications that Community Development is not familiar with. Information in their applications may be of value to Community Development, but an understanding of what the applications can provide is needed
▪ Multiple Databases: an understanding of the City’s multiple databases is needed in order to better utilize information that is available, especially for GIS/maps

Finance

The Finance Department is highly dependent on technology, but is somewhat in a transition period. Current and near future technology solutions are centered on the following:
▪ Financial Management: the department currently uses the SunGard Pentamation solution, but will be transitioning to a new ERP system in the next three years (entitled Motion Project, of which Finance is the Project Sponsor)
▪ Budget: the department has been using Excel spreadsheets, but has purchased and is currently implementing Questica. While there is no integration planned between Questica and Pentamation, the City should consider integration between Questica and the new ERP system, unless the ERP has an integrated Budget module that meets the City’s needs
▪ Document Management: the department has no document management capabilities, but will need such functionality in the future to support the Motion Project.
SharePoint and Laserfiche may be possible document management solutions.
▪ Other future Interfaces: the department indicated the need for other future interfaces from the new ERP system to Springbrook utility billing and Cityworks asset management
▪ Fees: the department indicated a need to re-calculate fees and ensure they are reflected in accounting; they are interested in a fees database which is currently under development within CDD.
▪ Business Process Re-engineering: the department feels that many current processes can be made more efficient and are looking forward to the upcoming business process re-engineering efforts that will be completed as part of the Motion Project.

Fire
The Fire Department maintains a strong need for, and focus on, technology to meet their needs and requirements. Specifically, the department is focused on:
▪ Electronic Patient Care Reporting (EPCR): the department will be implementing the ImageTrend EPC reporting component of ImageTrend in October 2016; ImageTrend has a number of other components/modules that could be beneficial for Fire, and as such, they would like to investigate these further
▪ Inventory Management and Equipment Replacement: the department would like to be able to track equipment inventory in one system (except perhaps for vehicles), and have that system provide automated alerts as to when specific equipment is to be replaced; ideally, this system would feed into the City’s budgeting process such that replacement costs are connected to budget projections and submissions
▪ Reporting: the department anticipates that ImageTrend is going to provide comprehensive reporting capabilities (including custom reports), and would like to initiate a strong focus on reporting – reporting that will allow them to be proactive instead of reactive; the Fire Department would appreciate support from IT to help the Fire staff develop reports in the ImageTrend database - Fire is interested in being an active partner in developing these
reports, but consulting with an IT database expert would significantly enhance their efforts
▪ Data Extraction: the department indicated a need for the extensive retrieval and analysis of data from existing and/or planned application systems for more effective management of the department and to report metrics to City executives, including from EnerGov, Spillman (dispatch software), and Questica (finance software); a real-time database of meaningful metrics would significantly enhance data-driven decision making
▪ Mobile Computing: field staff will soon have iPads that will allow them to communicate directly to ImageTrend; the iPads will also have an application that will allow them to communicate with EnerGov, and the department would like to continue to expand their use of the iPads to additional applications
▪ Value Propositions: the department would like the City to move away from cul-de-sac solutions, and instead, have a keen focus on enterprise solutions – ones that can meet various needs and provide value across departments
▪ Communications Infrastructure: the department indicates that their radio system is rudimentary and that it lacks redundancy; would like to make sure someone is focused on this and the changing legal issues (FCC) associated with it, as well as planning for taking advantage of technological advancements
▪ Leverage Neighboring Agencies: the department would like to investigate the services and technologies used by neighboring agencies to determine if they can be leveraged in any way. Included in this is the sharing of unit status and geolocation information among emergency response partners.
▪ Emergency Operations Center (EOC)/IT Training Room: the department would like to see a more functional, large, turnkey EOC.
The current EOC is a training room too small for full EOC activation; does not have dedicated computers; and requires time and trained staff to set up for opening/operations. As the City plans a new Police Headquarters it should include an EOC/IT Training Room as a significant step forward for emergency operations capabilities, security of EOC operations, and City technology training resources.
▪ Strategic Champion: the department would like to have someone in their department who could serve as a Strategic IT Champion – one who would be responsible for attending meetings and being involved in decisions; this would allow IT to represent technical options and consequences, and charge the department with making key operational decisions on programs/projects for which the operating departments are the primary users; this should be used City-wide to avoid a repeat of “the EnerGov debacle” in which the primary operating department(s) shifted strategic program accountability and decision making to IT; a City-wide culture shift needs to happen - as an example, last week, IT started receiving questions and concerns about the new payroll software update, and those questions should go primarily to Finance/Payroll, not IT; the strategic plan should list and annually refresh the following:
  - All the technology platforms being used by the City (in all departments)
  - The current version the City is using
  - The current release version by the vendor
  - The primary function (the “why”) for using this solution to avoid inconsistent redundancy (which in this case isn’t an oxymoron)
  - The operating department Strategic Champion for that solution by job title and name (due to turnover and movement of personnel)
  - Operating departments are responsible for partnering with IT to submit their exhaustive list of technology platforms, and any platform not formally captured would be assumed to be unsanctioned by the IT Steering Committee and unsupported by IT
  - This list should be reviewed by the
IT Steering Committee as part of the bi-annual budget development process

Human Resources*
Issues identified based on a lack of sufficient technology:
▪ NeoGov, the online recruitment application, functions well for the department and they are using more and more of its capabilities – self scheduling interviews, screening, etc. However, there are even more capabilities that would be more effective if the department had an HRIS system to interface with NeoGov
▪ Work Flow: The department has been setting up some work flows in NeoGov but it is time consuming because there is no HRIS for NeoGov to “talk to” or draw from. Human Resources needs work flow throughout its department as it currently requires filling out paperwork, signing, interoffice mailing, etc. which is not as efficient as the process could be. It should be noted that Laserfiche is currently available to manage HR forms and workflows.
▪ Human Resources Information System: manual processes and workarounds are taxing the department and causing missed deadlines, errors, etc. The department has received the approval to implement a Human Resource Information System (or related modules) as part of the ERP system implementation
▪ Regulatory Compliance: in support of the Affordable Care Act, the department must track who was offered insurance, who accepted/declined, and conduct an annual audit to determine if employees are eligible and should now be offered insurance
▪ Fair Labor Standards Act: the department needs to complete an audit that will require payroll to run side-by-side overtime calculations every pay period and to determine how the FLSA overtime compares to the MOUs
▪ Human Resources could not be scheduled for an in-person interview. However, the department provided written observations relative to technology use in the department.

Parks and Recreation
The Parks and Recreation department identified the following technology issues and needs:
▪ Communication: department utilizes up to 150 temporary employees and has no effective way to communicate with them due to the volunteers not having access to the City network
▪ Volunteer Sign Ups: department utilizes up to 400 volunteers and would like to implement a more efficient method for them to sign up
▪ Wi-Fi: department would like to have the use of Wi-Fi expanded in their offices, City parks, and schools
▪ Collaboration: the department issues the City’s special event permits and directs applicants to receive approvals from appropriate departments (i.e. traffic management, rubbish containers and pickups); it would be helpful to have a special event application to support multi-department event planning and support
▪ Mobile Technology: staff have many iPads, but cannot use them to access department directories/information; need additional devices for 13 staff working at schools so they have access to department directories/information
▪ Graphics: the department expressed a need for software and staff training for graphics to support collateral development
▪ Mailings: the department has a difficult time obtaining addresses for mailing labels to support public notifications; they rely on Community Development or Public Works to provide assistance; consideration should be given to using EnerGov for the creation of mailing lists
▪ Time Reporting: the pay periods in IntelliTime do not support the department’s work schedule which makes payroll time reporting difficult
▪ Game Cameras: the ability to monitor wildlife activity in open space areas using mounted and hidden video cameras is desired

Police
The Police Department indicated a wide variety of technology usage and needs:
▪ Spillman: CAD and RMS are currently running on version 6.2 and need to be upgraded (current version is 6.5 and a newer one is expected early 2017); need to review Spillman
sometime in the next five years to see if it makes sense to continue with it or investigate other solutions
▪ Non-Video Evidence: the department expressed a great need for a system to support the storage of non-video evidence (i.e. photographs)
▪ Field Reporting: desire is to move to mobile field reporting, but waiting for Spillman development - citations are to be supported in a new version (about a year out)
▪ Cellular Phones: approximately half of the officers still have flip phones and the need is for more smart phones, as they support easy testing, can serve as a recording device, provide a camera, and can be used to share data and intelligence, send and receive suspect photos quickly, view IP cameras, etc.
▪ Internal Affairs: department has implemented IAPro – this is central for customer complaints, early warning, accident tracking and internal affairs – training is scheduled in November and go live in December
▪ Crime Analysis: the department has a strong focus on crime analysis; the department feels it needs an IT analyst assigned to department that will be focused on Crime Analysis.
The department is currently evaluating several different crime analysis software applications to determine which will suit their needs most effectively
▪ Mobile Data Computers (MDC) and Body Worn Cameras (BWC): these will need to be replaced in about a year; technology refreshment every five years should be planned and budgeted; it is anticipated MDCs will be replaced in fiscal year 19-20, along with BWCs, and at that time, the MDCs and BWCs will move forward, together, on a five-year replacement rotation
▪ Body Cameras: the department is currently operating 10 WatchGuard body worn cameras and anticipates purchasing 33 more units within the next 30-45 days; cameras will be issued to all patrol staff; IT is currently analyzing storage needs and is assisting the department as they transition to increased digital storage capacity; the next generation of WatchGuard cameras will be Wi-Fi enabled and will integrate with the current WatchGuard In-Car video cameras, and all video will download wirelessly through the existing infrastructure
▪ Equipment Inventory Tracking: the department has demoed two different systems and plans on purchasing the ITD approved system
▪ Field Radios: there are locations in the City with poor coverage; the department is currently replacing some units, need to determine schedule for addressing these spots, and for planning technology refreshment every five years
▪ Detective Interview Rooms: the department is considering revamping the existing detective interview room and replacing equipment with WatchGuard products that will integrate with the other WatchGuard systems to create consistency and software/storage compatibility

Public Works
Public Works identified the following technology needs and issues:
▪ Fleet Management: the department would like to implement a new fleet management system sooner rather than later as Cartegraph is not meeting the department’s needs
▪ Cityworks: building maintenance, street maintenance, parks maintenance, and
urban forest crews use Cityworks; staff usage is uneven and usage depends on supervisor’s comfort level and crew’s acceptance of it; a new City engineer is tasked to review the system to evaluate the results of its use; reporting consistency is also needed as performance measures do not seem to be available as much of what the department would like to track does not appear to be easily monitored and reported; other cities have indicated they are using Cityworks extensively, but Public Works does not feel they are maximizing its utilization which may be a training issue or the department is not using some components because they don’t work or because staff doesn’t know the best way to maximize utilization; the department has also found it difficult to track and obtain specific information (e.g. money spent on specific sidewalk projects, their locations, etc.) from the system
▪ CIP Ace: a formal procurement was completed last year and CIP Ace was selected for CIP budgeting; additional vendor assistance or follow-up may be needed to effectively use the product
▪ Time Reporting: there are many complaints pertaining to IntelliTime payroll time reporting
▪ IT Strategic Planning: the department would like to get a better handle on their IT needs as there are 12 different programs funded by different sources; would like to schedule a “summit” with ITD once a year to discuss where they are and where they need to go with IT
▪ GIS: the department has been a leader, but perhaps there are more hidden gems to be uncovered; would like simple way to show activities to the public
▪ Grants: would like simple way to track grants available, due dates, applied for, and grants received
▪ Budget: the department has been given the responsibility of doing the budget for CIP; need way to do this that is more efficient than it has been done in the past

Utilities
The Utilities Department identified the following technology needs and issues:
▪ Cityworks: Cityworks CMMS has been integrated to Springbrook (service orders generated in Springbrook, interfaces to CMMS, when service order is complete, CMMS sends data back to Springbrook); department is very concerned about data being entered into Cityworks - it goes across department lines, and yet, there is no DBA assigned to it – the data is suspect; still on 2013 version – need to be updated; department is not sure how much Public Works is utilizing Cityworks, but believe that staff in both departments are doing the same tasks in different ways and using fields in different ways – makes data, data searching, and reports unusable; department thinks it might be beneficial for a Cityworks representative to visit the City every quarter to determine if City is maximizing the application and to provide additional training; analytics module has never been implemented
▪ GIS: the department is operating in a self-taught manner, which allows them to get by, but they believe they are misplacing fundamental building
blocks and this will be exposed as they move further ahead with the application; a strategy for quality and completeness is also needed
▪ Springbrook: the department has taken over utility billing responsibilities from Finance; Springbrook is integrated to Cityworks and GIS
▪ SCADA: new construction project for SCADA is pending; design is in progress; would like it to trigger work orders automatically (e.g. a pump should be maintained after a specific number of hours and should automatically generate a work order)
▪ IntelliTime: department staff are frustrated with this application – hours are spent trying to get data entered correctly – morale is low; entry of hours on specific days limited based on definition of work week – sometimes have to fool the system; application may have been broken during implementation
▪ Application Integration: the department would like to determine if there is a way to expand the integration between EnerGov, Cityworks, Springbrook, and GIS
▪ Security: the department identified a number of data security concerns: 1) When citizens sign up on website with SSN, how long do we keep that data? 2) What is City’s liability for customer credit card data kept in Springbrook if data is breached? 3) The potential for a security breach into SCADA is a concern – pumps, water treatment, etc.; believe the department heads should know the threats and how to prevent them
▪ Dashboards: this is a great idea for managers and execs, but if the data is bad, it will cause poor decisions
▪ Mobile Computing: field staff are dependent on laptop computers, they struggle to send email, but expect them to know and understand GIS; there has been a lot of change – staff needs PC training, application training, safety training, etc.; goal is to get staff to do data entry in the field
▪ Application Upgrades: when updates are released for various applications, it seems there is no specific City-wide strategy for implementation; in fact, if staff (in any of the departments) is uncomfortable with upgrading (training issues, difficulty adapting to change, etc.), the upgrade is typically stymied; a version upgrade policy needs to be established by the IT Steering Committee

2.4 – IT Interviews

Information Services
Information Services identified the following technology needs and issues:
▪ GIS: 1) Need to know more about recent update to ArcGIS Server (a.k.a. ArcGIS Enterprise) and how it will affect Spillman, Cityworks, and EnerGov; 2) connectivity for public parcel viewer is critical for the next phase – need to implement EnerGov’s Citizen Self Service in addition to providing data through ArcGIS Online and ArcGIS Portal
▪ Cityworks: some crews are using this application effectively, but some hesitate, and others do not use it; the benefits of the system cannot be realized if the staff are not using it and using it correctly; some use paper instead of the application; the analytics tool is not deployed, but regardless, it will not be effective if data is not entered correctly
▪ EnerGov: this application has improved since Tyler purchased the company - the application backend was rewritten and the system speed has increased; this has changed how staff can use the software; staff would like to use the system features more effectively
▪ Spillman: this application is three versions behind and needs to be upgraded; Spillman uses c-tree database instead of Microsoft SQL; to obtain crime statistics – it requires data duplication and there is a risk of bringing down CAD when the data is duplicated because the interface can lock up and queries cannot be
completed; crime statistics are important for the Police Department
▪ Pulsepoint: this application supports the initiative to notify someone trained in CPR when there is a heart attack victim nearby to allow the trained person to get to the victim faster than the Fire Department may be able to; Police and Fire want a dashboard to measure activity and this may require a Spillman upgrade
▪ Reporting: the management team’s ability to obtain accurate reports will be at issue if data is not entered correctly; the data entry requirements should be documented and staff trained to ensure accuracy
▪ Document Management: there are no existing City policies (where are documents stored, what is the document retention policy, who is authorized to use them, etc.); plan file management needs to be addressed – it was supported by a Bonnie App (FoxPro) - Laserfiche was purchased to support document management but it has not been implemented

Database Administration
▪ Reporting and KPI’s: Reporting seems to be overlooked when discussing new applications; vendors typically indicate they can provide all requested reports (which may or may not be the case) but the City’s desire is for real time or near real time ad hoc reporting. For example, Community Development had 15 measures of performance (KPI’s) in the City’s Financial Plan. There is a need for EnerGov data and appropriate tools to support this. ITD was asked to display information on the website, but there was no plan on how to do it; data had to be dumped into a data warehouse, manipulated using Microsoft SQL Server Analysis models, and then reported using Excel. This process was labor intensive and took two months of effort to complete the project. Similar processes for Pentamation, Springbrook, and Cityworks were also labor intensive to meet the reporting objectives, all of which were not part of the original project scope of work. The new ERP system should include specific toolsets to support reporting; without a plan, it could fall back to ITD. Recommendation:
  - Embrace that reporting is not an optional activity
  - City KPI reporting is enterprise wide just like the objectives
  - City departments should create reports as part of their routine business and not be viewed as an ITD project
  - Provide staff with ad hoc reporting tools and training
▪ Technical Project Oversight: There is little oversight for IT projects and little consideration for how a project will affect others beyond the originator. Example “setting new water meters”:
  - Four departments, fifteen people, three applications
  - Issue for 25 years
  - 90% of existing business processes – no documentation; no architectural leadership
  - Recommendation:
    ▪ All projects be labeled “enterprise” unless proven otherwise
    ▪ Train staff on how to do this
    ▪ Interpret into something actionable
▪ IT Roadmap: What is the ongoing role of information and technology in the City; where is IT going; what are its guiding principles? The resulting plan should include declarative statements like those in City financial plans, general plans, and strategic plans and should evaluate projects against guidelines before going to IT Steering Committee. Recommendation:
  - Elevate department concerns to same level of importance as other policies
  - Evaluate tasks at a broad, enterprise level
  - Focus commitment to doing so as a “way of life”

Network Services
▪ The IT Steering Committee takes a leadership role and is effective.
However, a “project” is not clearly defined and can result in IT resources supporting “informal projects” that are not visible to the IT Steering Committee
▪ The addition of a dedicated Help Desk staff member has improved staff productivity. Previously, the Network Administrators were assigned to Help Desk support which took time away from projects and ongoing support
▪ Two dedicated IT resources were added to support Utilities. The staff are able to focus on plant requirements, security, upgrade of the control systems, and related IT support for critical operations
▪ Application subject matter expertise (SME) with in-depth knowledge of business requirements and an IT perspective is needed to provide ongoing support after implementation (i.e. Cityworks, EnerGov, Springbrook) to understand how change will affect a department, improve business processes, and support version upgrade testing and training
▪ Database administration (DBA) is provided by one staff member. This is a critical position and an additional DBA is needed to assist with the workload, increase the knowledge base, and protect the City in the event of an unplanned staff absence, vacation or employee separation
▪ Change management processes are needed to ensure that modifications are completed in a controlled and coordinated manner including timely communication with users, effective planning and management of risks associated with changes being introduced, and creation of supporting documentation for future reference.
The processes should ensure changes are well planned and fully documented to include logs that record the who, what, where, and when of changes made
▪ Staff are physically located in different areas of City Hall which makes communication and collaboration challenging
▪ Current projects include:
  - The Fire Department will be going live on ImageTrend electronic patient care (ePCR)
  - EnerGov phase 2 includes the roll out of 35 iPads for field staff
  - Virtual Desktop Infrastructure (VDI) is underway with 150 installations completed and 100 will be scheduled. The project scope includes the procurement of new host hardware and data storage
  - Microsoft Exchange is being upgraded to Office 365 version 2016
  - Wireless connectivity is being upgraded for all City locations and will provide public access for guests
  - Project planning for the implementation of body cameras for Police is underway and 10 cameras are being piloted
  - Partnership between the City and Cal Poly for the SLO HotHouse to support business development
▪ New projects:
  - Staff would like to relocate the servers and data storage in City Hall to a data center for redundant power, environmental controls (generator, fire suppression) and security
  - The Intranet is dated and will be replaced using Microsoft SharePoint. However, the SharePoint administrator is not identified

2.5 – Core Business Applications
In the course of the IT Assessment, NexLevel performed a review of the City’s core business applications (software products that support City operations excluding general office software such as word processing, e-mail, and spreadsheets and 3rd party applications used for reference only).

Figure 3 – Business Application Lifecycle and Viability

Figure 3, Business Application Lifecycle and Viability, provides a perspective of the lifecycle of an application from it being a prototype, to its emergence as a product, through its maturity, and finally, to a phase where the product is maintained but not enhanced.
As an application matures, it gains both functionality and viability as the vendor becomes more adept in supporting the application and assisting organizations in its implementation. Eventually, many products reach a stage (“Maintenance”) where the vendor continues to support it (such as correcting reported defects and keeping the product compatible with current web-browsers) but seldom adds new functionality or features. The maintenance stage may continue for some time; however, eventually a product reaches the point where reductions in the user base reduce maintenance revenue so that it is no longer economically feasible to support it or technology advancements require a rewrite. When this happens, the vendor may announce the end of support for the product, contract support to a third-party, or sell it. Since replacing a business application can be a complicated, multi-year process, organizations with effective application portfolio management processes usually begin planning for the replacement of business applications early in the maintenance stage.
Using this model, NexLevel has prepared a recommended disposition of each of the core business applications including:
▪ Assess – The City should assess emerging business applications to identify and begin tracking promising solutions
▪ Retain – The City should continue to use the business application
▪ Evaluate – The City should perform an evaluation to determine whether continued use of the business application is consistent with the City’s business needs and priorities
▪ Enhance – The City should retain the business application, but plan to enhance it by augmenting the business functionality provided
▪ Expand – The City should expand the use of the application
▪ Replace – The City should plan for the replacement of the business application and begin setting aside funds for this purpose with the objective of replacing it as soon as practicable

Table 1, Core Business Applications, provides a summary of NexLevel’s findings. Information for each application includes:
▪ The business function provided by the application
▪ The name of the application, product or service
▪ The vendor responsible for the support of the business application
▪ The department(s) that sponsor the application (i.e., who are the primary users of the application and who control the budget)
▪ Other users of the application
▪ The application’s disposition based on NexLevel’s assessment of its continued viability and the viability of its supporting technology

Table 1 – Business Application Matrix
Business Function Product or Service Vendor User Sponsor(s) Other Users Disposition
Agenda Management MinuteTraq Accela City Manager All City Departments Retain
Applicant Tracking NeoGov NeoGov HR Expand (1)
Asset Management Cityworks Cityworks Utilities Public Works, Utilities, Community Development Retain
Body and Car Video Mgt. WatchGuard WatchGuard Police
Budget Questica Budget Questica Finance All City Departments Evaluate (2)
Business License HDL Prime HDL Software Finance Evaluate (2)
CAD/RMS Spillman Spillman Police/Fire Assess (3)
CIP Management CIPAce CIPPlanner Corp Public Works
City Wireless Network Mgt. Meraki Systems Cisco ITD All City Departments
Control and Data System SCADA ITD Public Works, Utilities
CPR Alerts PulsePoint PulsePoint Foundation Fire Retain
Document Management Laserfiche Laserfiche City Manager Community Development Expand (4)
Email, Office Productivity Office 365 Microsoft ITD All City Departments
Financial Management Pentamation SunGard Finance All City Departments Replace (2)
Fire Alerting G2 USDD ITD All City Departments
Fleet Management Squarerigger Squarerigger Public Works
Fuel Management Gasboy Public Works Evaluate (5)
GIS ArcGIS ESRI ITD All City Departments Retain
Incident Management Spillman Spillman Police Fire
Irrigation Management Rainmaster Irritrol Public Works Retain
Miscellaneous Database FoxPro Bonnie Apps ITD Com. Dev. (Land Use, Floodplain Mgt., Noticing) Replace (6)
Parking ParkMe ParkMe Public Works
Payroll/Time Reporting IntelliTime IntelliTime Finance All City Departments Evaluate (2)
Permitting and Land Mgt. EnerGov Tyler Technologies Com. Dev. Utilities, Fire Expand (7)
Recreation Registration Active.Net Active.Net Parks & Recreation Retain
Safety Training Target Safety Sol. Target Fire
Scheduling InTime InTime Police
Scheduling Kronos Workforce Telestaff Fire
Scheduling WhenToWork WhenToWork Parks & Recreation
Signal Management Cartegraph Cartegraph Public Works
Tee Time Scheduling GolfNow GolfNow Parks & Recreation
Tree Inventory Management ArborPro ArborPro USA Public Works
Utility Billing Accela Springbrook Utilities Evaluate (2)
Video Camera Management Milestone Milestone Utilities
Web Proxy & Mail Filtering McAfee SAA Intel ITD All City Departments

Notes: Please note that this list is not intended to be a comprehensive inventory. It was developed from the information provided by the City and supplemented based on information developed in the course of the interviews with the user departments and ITD.
(1) NeoGov is currently being effectively used by Human Resources. Additional functionality is available within the product, and when time permits, the department is testing and applying the additional features. In the future NeoGov may be expanded for other City department use, particularly as it relates to work flow.
(2) The City is currently initiating an ERP project (Motion) for the replacement of the Pentamation finance system. During the process, a determination will be made as to the modules included in the replacement software (Budget, Payroll, Timekeeping, Utility Billing, Business License, Human Resources, etc.). If these modules are not included in the ERP replacement, new, stand-alone applications should be considered. At a minimum, interfaces between the new ERP and existing applications will need to be developed.
(3) The Spillman CAD/RMS application will need continuous version updates. As the application continues to age, and new products enter the market, the City should assess the viability of replacing the system.
(4) The City should develop an Enterprise Document Management System strategy and determine the long-term viability, or expandability, of the Laserfiche application.
(5) The City will need to determine if GasBoy will continue to meet City needs and if it will integrate with the new ERP system and/or existing fleet management system. If not, it may be necessary to acquire new software.
(6) As the City implements new business applications, old applications created in FoxPro (Bonnie Apps) should be migrated to the new core application and the old software discontinued.
(7) Progress should continue on the EnerGov maturity model. Perhaps the application could be expanded to include additional functionality and be used by more City departments.

2.6 – IT Best Practices Assessment

As part of the development of the IT Assessment, ITD and NexLevel performed an assessment of the degree to which the City and ITD conform to a set of information technology best practices. This section of the report provides a detailed review of that assessment. As noted earlier, the scope of this IT Assessment is limited to the City-wide responsibilities for the governance of information technology and ITD’s responsibilities for the management and delivery of information technology services. Components of the City’s IT environment that are entirely supported by individual departments are not considered in this best practice assessment.

Figure 4 – Levels of Best Practice Conformance

2.6.1 – Best Practices Maturity Model and Conformance

Figure 4, Levels of Best Practice Conformance, provides a conceptual framework that NexLevel uses to depict IT best practices conformance based on a maturity model. The model is based on five levels of maturity ranging from “Frontier” (where the IT organization is largely unstructured) to levels of progressively higher conformance to best practices as organizations adopt well-defined and repeatable processes. The characteristics of each of the levels in the maturity model are as follows:
▪ Frontier Level: Organizations at the Frontier Level have fewer than 20% of their processes in compliance with best practices. This level of maturity is characteristic of new and/or re-organized IT organizations
▪ Reactive Level: Organizations at the Reactive Level generally have well developed procedures, including formalized procedures for incident reporting and tracking, and are committed to customer service but spend a disproportionate amount of their time and resources “fighting fires.” Organizations at this level of maturity tend to be primarily focused on managing the cost of information technology rather than finding a balance between cost and value
▪ Proactive Level: Organizations at the Proactive Level have many of the same attributes as organizations at the Reactive Level, but with the key difference that they continually seek to improve service delivery by finding long-term solutions to common problems such as improving user competency, self-reliance, and training so that they do not need to call IT for support as often. This is the “turning point” for many organizations since they are better able to use their IT resources for strategic purposes rather than reactively responding to the same problems. These organizations are often focused on the value that they obtain for their investments in information technology
▪ Service and Value Level: Organizations at the Service and Value Level have more than 80% conformance to IT best practices. They continue the trend towards value and generally derive much higher returns for their investments in information technology, although at greater expense. The Service and Value Level is not seen as frequently in the public sector except where organizations provide services (for a fee) to neighboring jurisdictions, although some organizations find that some components of the Service and Value Level (particularly at the higher end, i.e., greater than 90% conformance) are useful, particularly with regard to community engagement

The vertical dotted line between the Reactive and Proactive levels of the model illustrates a key metric regarding IT best practice conformance. Organizations with less than 50% conformance are generally reactive in responding to user needs, while those with better than 50% conformance are generally proactive and are better able to anticipate user needs. NexLevel has observed that many organizations achieve between 40% and 60% conformance to the IT best practices and, as a result, often have some of the characteristics of both the Reactive and Proactive levels of the model. NexLevel recommends that organizations work to achieve at least 50% compliance with best practices (i.e., on the border between the Reactive and Proactive levels), with 65% being a reasonable target considering both the costs related to achieving this level of conformance and the value of the benefits that are obtained.

Caveats Regarding Best Practices

Several cautions about IT best practice conformance are appropriate. Although NexLevel attaches considerable importance to best practice conformance as an essential building block for the effective delivery of IT services, an IT organization need not meet or exceed every best practice in order to provide effective customer service. A higher degree of conformity to best practices, however, generally enables an IT organization to better sustain service delivery levels over time and to more successfully cope with external and internal factors that have the potential to disrupt the ability to effectively deliver IT services.
NexLevel has noted that a high degree of conformance to the IT best practices does not necessarily result in user satisfaction. NexLevel believes that this is due to the difference between IT best practice conformance and the ability of the IT organization to deliver services that are consistent with user expectations.

Figure 5 – Factors Enabling IT Service Delivery

As depicted in Figure 5, Factors Enabling IT Service Delivery, the ability of an IT organization to execute (i.e., to provide IT services that are responsive, sustainable, and agile) is dependent not only on best practices conformance but also on enabling factors such as organizational mission and vision, organizational culture, as well as IT funding and IT organization and staffing. Each is briefly discussed below:
▪ Organizational mission and vision: Organizations with well-defined business plans including detailed statements of their mission and vision are generally better prepared to align their investments in information technology with their business objectives and priorities
▪ Organizational culture: Culture, especially with regard to an organization’s continuing commitment to the strategic governance of IT and to user ownership for information technology, also plays a key role in the delivery of effective IT services
▪ IT funding: This is one of the most common limiting factors. Funding plays a key role in ensuring that the IT organization has the resources needed to keep business applications and the infrastructure supporting them on current versions / releases and that patches are applied in a timely manner
▪ IT organization and staffing: IT staffing (which is often related to funding) has a significant impact on service delivery.
- The best practices are heavily weighted toward the development and use of formalized procedures and supporting documentation since these provide the basis for sustaining and improving services and service levels
- Procedures and documentation enable IT staff to be more productive but are not a substitute for sufficient IT staff (considering the number, experience, and qualifications of the staff members). Similarly, if the procedures and documentation are out of date because there are insufficient resources to keep them current, best practice conformance does not necessarily translate into improved service delivery
- Organizational structure also plays a key role in determining the effectiveness of IT services, since IT organizations that are structured and staffed to support infrastructure are not necessarily well equipped to support end-users

If we were to compare two organizations, each needing similar IT services and service levels and each having the same degree of conformance to the IT best practices, the organization with the most enabling factors (especially with regard to IT funding, organization, and staffing) will obtain greater benefits.

2.6.2 – Dimensions of IT Best Practices

Figure 6 – IT Best Practices Model

As depicted in Figure 6, IT Best Practices Model, NexLevel uses a comprehensive list of best practices that are categorized into six separate dimensions to evaluate the organization’s compliance with best practices.
The dimensions are separated into three categories and include:
▪ City Leadership / Management Team: The organization’s leadership / management team is responsible for conformance to the IT best practices for IT Governance, particularly the alignment of the information technology spending and priorities with the organization’s overall objectives and priorities
▪ City Leadership / Management Team and IT Organization(s): Those dimensions where the City’s leadership / management team (and sometimes the user community as well) share ownership for IT best practices conformance with the IT organization(s) involved. These dimensions include:
- Service Delivery – Practices related to coordinating the processes involved in providing customer support including training, help desk, service delivery management, and the establishment of service level agreements (SLAs) and tracking conformance to them
- Business Technology Applications – Practices related to the management and support of the application information systems supporting business operations
- Infrastructure – Practices related to the acquisition, utilization, and maintenance of equipment (such as servers and storage devices), operating systems, support software, and network services
- Security / Information Protection – Practices related to the effective use of policies and standards, user conduct, software tools (filtering, monitoring, etc.), and audits to validate that material and software resources are used only for their intended purposes
▪ IT Organization(s): The IT organizations supporting the user community are primarily responsible for best practices conformance in the dimension of IT Administration which includes practices related to the management of technology budgets, maintenance agreements, software licenses, and the development and maintenance of current and accurate documentation on all technology activities

2.6.3 – Assessment of the City’s Conformance to the IT Best Practices

NexLevel assessed the degree to which the City conforms to the IT best practices in each of these dimensions based on the interviews with the City’s user stakeholders, interviews with ITD staff, and the results of the IT Best Practices self-assessment completed by ITD. The results of this analysis are provided below and the detailed self-assessment completed by the City is provided in Appendix B. The calculation of best practice conformance is based on a multi-step process that included:
▪ NexLevel asked ITD to provide an assessment as to whether the IT best practice factor was applicable or not (inapplicable factors are not considered in the assessment), and then whether ITD was of the opinion that it was fully in conformance with the best practice (“Y”), partially in conformance (“O”), or not in conformance (“N”)
▪ A score was developed based on the City’s assessment of its conformance to the IT best practices. Items reported as being in full conformance (“Y”) were given a score of 3, items reported as being partially conformant were scored 1 or 2 indicating whether the City is substantially or minimally conformant with the IT best practice, and non-conformant items (“N”) were given a score of 0
▪ NexLevel reviewed ITD’s self-assessment and made adjustments based on information obtained through the user interviews and the interviews with ITD staff
▪ The percentage of conformance was then calculated based on the total score for the assessment factors in each of the best practice dimensions divided by the maximum score in the dimension

Table 2, City’s Conformance to IT Best Practices by Dimension, provides the findings of the assessment for each dimension of IT best practices. The results were then plotted by dimension and level of organizational maturity in Figure 7, IT Best Practices Conformance.
Table 2 – City’s Conformance to IT Best Practices by Dimension
| Dimension | Factors in Dimension | Max Score | City Score | City Pct. |
| IT Governance | 31 | 93 | 69 | 74% |
| Service Delivery | 36 | 108 | 78 | 72% |
| Business Tech. Applications | 25 | 75 | 48 | 64% |
| Infrastructure | 44 | 132 | 97 | 73% |
| Security / Info Protection | 33 | 99 | 56 | 57% |
| IT Administration | 25 | 75 | 47 | 63% |
| TOTAL | 194 | | | 67% |

Figure 7 – IT Best Practices Conformance. Plotted points: IT Governance - 74% (Enterprise Ownership); Service Delivery - 72% (Shared); Business Technology Applications - 64% (Shared); Infrastructure - 73% (Shared); Security - 57% (Shared); Administration - 63% (IT Ownership)

Each of the rings in Figure 7 represents a level in the IT best practice maturity model, with the outermost (red) ring representing the Frontier Level of organizational maturity (the lowest level of conformity to best practices) and the core of the diagram representing the Service and Value Levels (the highest degree of conformity to best practices). In between, the orange band represents the Reactive Level of the maturity model and the yellow band represents the Proactive Level of the maturity model. The width of the bands is proportional, with the bands representing the Reactive and Proactive levels being the widest since they represent a range of 60% compliance with best practices. NexLevel has plotted the results of the assessment for each of the best practice dimensions within the rings (the target points) and then connected them together to depict where the City is from an overall perspective in relationship to the maturity model. As depicted, the City’s conformance to the IT best practices all fall within the Proactive Level. NexLevel considers this as outstanding performance and a goal most California municipalities are still striving to obtain.
Overall, the City is approximately 67% conformant to the IT best practices which again puts the City at the level NexLevel generally targets for municipal IT organizations. That being said, there is room for improvement within Business Technology Application, Security, and Administration. When implemented, the recommendations presented in Section 3 of this report will improve performance in those areas and move the City to a higher level of return on its technology investment.

Table 3, Comparative Conformance to IT Best Practices, places these results in perspective. Between 2014 and this year, NexLevel performed fourteen similar IT assessments. The City of San Luis Obispo scored higher than the average city score in all dimensions and exceeded the previous high score for one dimension (IT Governance). The City scored close to the high score for all other dimensions (Service Delivery, Applications, Infrastructure, and Administration). Only one dimension was significantly lower than the high score (Security).

Table 3 – Comparative Conformance to IT Best Practices
| Best Practice Dimension | Best Practice Conformance: Low | Average | High | San Luis Obispo |
| IT Governance | 10% | 36% | 51% | 74% |
| Service Delivery | 30% | 45% | 73% | 72% |
| Business Tech. Applications | 20% | 37% | 63% | 64% |
| Infrastructure | 15% | 53% | 74% | 73% |
| Security / Info Protection | 35% | 54% | 81% | 57% |
| IT Administration | 20% | 44% | 67% | 63% |
| Overall Conformance | 26% | 45% | 61% | 67% |

The factors contributing to the assessment within each of the dimensions are discussed in detail below, including:
▪ An indication of where the City’s conformance to the IT best practices falls
▪ A summary of the assessment findings
▪ A discussion of IT best practice strengths and weaknesses

Information Technology Governance
Status: Excellent
Summary of IT Best Practice Conformance: The City is 74% conformant to the IT best practices for IT Governance and this corresponds to the upper border of the Proactive level of the Maturity Model. The average conformance in the dimension is 36% and the previous highest rating was 51%, so this is an area of strength for the City.
Best Practice Strengths:
- An effective, well-structured, and active IT Steering Committee which is supported by a Technical Advisory Committee for detailed technical analysis of proposed projects
- The development and maintenance of a Business Strategic Plan for the City that includes specific objectives and measurements and that is periodically updated as well as a detailed Financial Plan
- The delivery of information and services to the public through its web site and community forums
- An approved IT Strategic Plan which has been effectively used to improve technology service delivery and implement new business applications
Best Practice Weaknesses:
- The lack of formal IT project and resource management
- The lack of adequate ITD staff
- Internal and external communication process to keep ITD staff and user departments informed as to project status, infrastructure updates, and technology priorities
- It is possible for a department to approach ITD with requests that should be defined as a “project” but are not clearly stated in order to circumvent the IT Steering Committee’s approval process
Service Delivery
Status: Excellent
Summary of IT Best Practice Conformance: The City is 72% conformant to the IT best practices for service delivery and this corresponds to the upper border of the Proactive level of the Maturity Model. The average conformance in the dimension is 45% and the previous highest rating was 73%, so this is an area of strength for the City.
Best Practice Strengths:
- ITD operates a Help Desk that provides a single point of contact (via telephone or e-mail) for users
- The services currently being provided by the Help Desk are appreciated by the user departments and have played a significant role in changing user satisfaction with ITD’s services
- ITD has remote access tools and to the extent possible, schedules maintenance activities so as to not impact the user community
- ITD has formal processes for the monitoring of system and network performance
Best Practice Weaknesses:
- ITD has not developed a service catalog, or service level agreements with all City departments and technology vendors
- ITD does not conduct detailed analysis of Help Desk tickets to determine root causes, training opportunities, hardware failures, or staff resource utilization
- ITD has not deployed self-help features for user departments via a knowledge base or through published “tips”, short-cuts, or “things to try” documentation
- ITD does not have formal change management and escalation procedures

Business Technology Applications
Status: Very Good
Summary of IT Best Practice Conformance: The City is 64% conformant to the IT best practices in this dimension and this corresponds to the mid-point of Proactive Level of the Maturity Model. The average for conformance in this dimension is 37% and the high is 63%. The City is at the level for high performers in this dimension.
By updating current version levels and creating application standards, the City can improve this rating.
Best Practice Strengths:
- The City’s enterprise applications are generally centralized and supported by ITD (i.e., SunGard, Laserfiche, ESRI, etc.) along with mission-critical applications (SCADA, Police and Fire CAD/RMS)
- ITD provides oversight for departmental applications or services that are supported by vendors
- The City’s governance process is effective by ensuring technology solutions are acquired and/or supported in conformance with City standards
Best Practice Weaknesses:
- The City does not have a formal enterprise architecture including standards for City-wide process and information sharing
- The City has not fully defined departmental requirements for the availability / recovery of business applications
- ITD does not have a formal resource management plan to allocate resources to these applications, but staff member assignments ensure minimum coverage
- ITD does not maintain an Applications Portfolio for the City including tracking the status of vendors and products
- The City does not have a formal process for evaluating and approving the use of cloud-based services

Infrastructure
Status: Excellent
Summary of IT Best Practice Conformance: The City is 73% conformant to the IT best practices in this dimension and this corresponds to the upper border of the Proactive level of the Maturity Model. The average conformance in this dimension is 53% and the high is 74%, so this is an area of strength for the City.
Best Practice Strengths:
- The City’s wired and wireless networks are generally well supported. ITD maintains documentation for the networks and monitors system performance through the use of industry standard tools
- ITD provides secure remote network access with VPN and GoToMyPC which are governed by a City approved access policy
- Servers are virtualized and use appropriate centralized storage
- Server backups are well-designed and use replication devices off site
- Technology equipment refreshment plans are in place
Best Practice Weaknesses:
- Remote vendor access policies and administration are informal and need to be monitored and enforced
- Server software standards should be defined and routinely audited
- Physical improvements within the ITD server room are needed to ensure operation during power failure or an emergency
- Expanded and regularly updated documentation of servers, routers, switches, and cabling are needed

Security / Information Protection
Status: Slightly Above Average
Summary of IT Best Practice Conformance: The City is 57% conformant to the IT best practices in this dimension and this corresponds to the border between the Reactive and Proactive levels of the Maturity Model. The average conformance in this dimension is 54% and the high is 81%. This is an area the City can improve and the recommendations presented in Section 3 of this document will assist in improving the rating of this ever-increasing and critical dimension.
Best Practice Strengths:
- ITD performs system backups on a routine basis which includes applications information, and ITD documentation
- The City has an EOC and conducts regular drills to ensure that the EOC can function as needed. ITD is included in practice drills
- The City has a Business Continuity Plan that is regularly updated
Best Practice Weaknesses:
- ITD does not have a formal plan for the identification and remediation of single points of failure in the City’s IT environment
- ITD does not have an independent entity perform perimeter or other testing of the City’s network to ensure that it is secure and to identify and remediate possible security threats
- City-wide policies concerning security (passwords, data sensitivity, encryption, etc.) are either obsolete or non-existent
- ITD does not have a current Disaster Recovery Plan

IT Administration
Status: Very Good
Summary of IT Best Practice Conformance: The City is 63% conformant to the best practices in this dimension and this corresponds to the mid-point of the Proactive Level of the maturity model. The average conformance in this dimension is 44% and the high is 67%. By updating technology policies/procedures and completing “in-progress” administrative tasks, the City can easily improve this dimension rating.
Best Practice Strengths:
- As resources permit, the City plans to create a stand-alone IT department
- ITD generally reviews the procurement of IT equipment and services and the IT Steering Committee approves and establishes priorities for all technology projects
- ITD meets with external vendors as needed to ensure conformance with City policies and procedures and has positive vendor relationships
Best Practice Weaknesses:
- ITD does not have a resource management plan nor does it track the amount of time staff members work on specific projects. ITD does not have a tactical work plan to ensure that staff members know what their priorities are and what progress is being made in completing these assignments
- ITD has not developed staff succession plans to ensure that critical skills and competencies are maintained
- ITD has not created a training/certification plan for staff development
- Technology policies/procedures are not current

2.7 – SWOT Analysis

Figure 8 – SWOT Analysis. Quadrants: Strengths, Weaknesses, Opportunities, Threats. Items:
- Knowledgeable, motivated ITD staff
- Effective, rapid ITD support
- Customer service focus
- Effective IT governance structure
- Addition of a help desk analyst has improved staff productivity
- Dedicated IT staff to support Utilities Department technology
- Data integrity
- Reporting capabilities and lack of analytics
- Aging business application portfolio
- Unwillingness to change business practices during application implementation
- City-wide ERP implementation
- Application subject matter expertise (SME) for continued improvement after go-live
- Leverage and share with community
- Siloed databases with no City-wide architecture
- City Hall server room environment
- Future technology demand may exceed resources
- DBA services provided by single staff member
- Retention of talented ITD staff

Figure 8, SWOT Analysis, provides a summary of the strengths, weaknesses, opportunities, and threats identified in the course of the IT Assessment. There is a close relationship between these items since the City’s ability to realize the potential opportunities and mitigate the potential threats is dependent on its ability to leverage its strengths (particularly the recent organizational and staff changes with ITD) while addressing the weaknesses (IT Assessment recommendations).
With regard to information technology:
▪ The ITD staff has seen a significant turnover in the past few years resulting in a very knowledgeable, motivated team which has improved customer service and is providing rapid, effective support to City departments. In addition, the City has created a permanent Help Desk position to support Tier 1-2 user requests thereby freeing the Network Analysts to focus on infrastructure projects. The City has implemented an effective IT Governance Structure which is supported by a Technology Advisory Committee which evaluates projects for technology standards compliance and infrastructure compatibility
▪ The weaknesses identified are directly related to the core business applications either currently used or planned in the near future. The City must take advantage of this new functionality and be willing to modify its business processes to make the most effective use of the products. This attitude, along with an agreed-to City-wide data architecture, will position the City to take full advantage of its technology investment
▪ As the City leverages its strengths and mitigates its weaknesses, it will be in a position to realize significant opportunities to expand its delivery of services and increase the return on its investments in information technology. Of particular note is the planned implementation of an ERP system that will provide new, expanded financial functionality to all departments. In addition, as new applications are implemented, the City should take advantage of its public and private community relationships in order to meet government transparency goals and improve citizen access to data
▪ The City may encounter threats to its ability to sustain the delivery of IT services if the recommendations for improvement as presented in this IT Assessment are not considered, the physical limitations of the existing server room are not remediated, and personnel resources are not deployed and expanded to sustain the ever-increasing workload

Overall, the City is effectively managing and deploying technology to meet business needs. The City and ITD must now strive to build on their success, expand service offerings, and lead the transformation of information technology from a back-office productivity tool to a strategic enabler for the delivery of information and services to City departments and the public.

Section 3 - Status of 2011 IT Assessment Recommendations

The 2011 IT Assessment, conducted as part of the 2012 Technology Plan project, made 44 recommendations for the improvement of technology service within the City. As of today, 28 have been completed, 15 are in progress, and 1 is on hold pending City funding. Table 4, Status of 2011 Recommendations, provides additional information. It should be noted that some “In Progress” recommendations have been carried forward into the 2016 recommendations described in Section 4.
Table 4 – Status of 2011 Recommendations
| 2011 Recommendation | Dimension | 2016 Status | Comment |
| Re-organize the IT organization structure to recognize a Tier I and Tier II help desk role, allowing more experienced resources to focus on more complex and higher value work requests | Governance | Complete | Current Tier 1 resource is only funded through FY17 |
| Re-organize the IT Division into three components; infrastructure, application, and customer service | Governance | Complete | Reorganized into Information Services (GIS & DBA), Support Services and Network Services |
| Implement a formal IT Governance structure that includes re-orienting the current IT Steering Committee to align with best practices of IT Governance | Governance | Complete | |
| Implement formal Project Management framework, processes, and tools that will work in concert with the IT Governance structure, thus ensuring projects are implemented as authorized by the IT Governance process | Governance | In Progress | Expanded in 2016 Recommendations (3.3.2) |
| Consider implementation of a formal training room | Service Delivery | Complete | Outsourced majority of training to local vendor |
| Implement Help Desk reporting structure to improve communication, prioritization, and interaction with departments | Service Delivery | In Progress | Expanded in 2016 Recommendations (3.3.5) |
| Evaluate alternative (off-hour) system maintenance to minimize impact to users | Service Delivery | Complete | |
| Implement basic IT infrastructure change management processes | Service Delivery | In Progress | |
| Leverage SolarWinds to monitor system performance | Service Delivery | Complete | Implemented LogicMonitor |
| Perform root cause analysis to evaluate system anomalies and assist in future problem resolution | Service Delivery | Complete | Expanded in 2016 Recommendations (3.3.1) |
| Centralize system log files to retain full event history | Service Delivery | Complete | |
| Establish application upgrade policy to keep applications current | Service Delivery | In Progress | Expanded in 2016 Recommendations (3.3.4) |
| Continue to keep effective applications current in terms of releases and patches | Applications | In Progress | Expanded in 2016 Recommendations (3.3.4) |
| Continue implementation of Class and CMMS | Applications | Complete | |
| Consider migration of SquareRigger to CMMS or EnerGov | Applications | Complete | |
| Plan Pentamation replacement | Applications | In Progress | Current project is MOTION |
| Implement new website based on proven CMS technology | Applications | Complete | |
| Continue migration of Bonnie Apps to COTS solutions | Applications | In Progress | |
| Implement test environments to support core applications | Applications | Complete | |
| Establish long-term support structure for the existing and future SCADA (application and associated PLCs) and determine the organization best able to provide this support | Applications | Complete | SCADA support moved to Network Services FY17 |
| Evaluate the implementation of department collaboration tools (i.e. Intranet, SharePoint, etc.) to help improve inter and intra department communication and cross department project coordination | Infrastructure | In Progress | |
| Complete a Business Continuity Plan and update the Disaster Recovery Plan to include a business impact analysis to help guide recovery strategies and expectations | Infrastructure | In Progress | Expanded in 2016 Recommendations (3.3.1) |
| Relocate the City Hall data center/server room (located outside the Finance department in the public hallway) to a more secure and suitable location. Make the existing City Hall data center a fiber switching closet | Infrastructure | In Progress | Relocation of server room equipment to Digital West and/or ECC |
| Install adequate emergency power generator to sustain City Hall data center operations for a limited time and allow for orderly shutdown | Infrastructure | Hold | Funding was not approved |
| Add additional web filtering categories for more effective Internet usage | Infrastructure | Complete | |
| Evaluate policies and procedures for remote computer access | Infrastructure | Complete | |
| Reduce equipment refreshment cycles back to best practice ranges as budget permits | Infrastructure | In Progress | |
| Upgrade Cat 3 and Cat 5 wiring with current standards | Infrastructure | In Progress | On-going with office remodeling or relocations |
| Contract to have a network vulnerability analysis and penetration test performed and remediate identified issues | Security | In Progress | Expanded in 2016 Recommendations (3.3.1); however initial penetration testing was conducted in April 2017 |
| Consider removing desktop administrative rights for users to prevent unauthorized software installation | Security | In Progress | |
| Implement processes/tools to regularly scan desktops to identify recently added software and review results | Security | Complete | |
| Implement disk-to-tape backups with off-site storage | Security | Complete | |
| Continue strong antivirus/antispyware practices | Security | Complete | |
86 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 33 2011 Recommendation Dimension 2016 Status Comment Implement a patch management approach and application Security Complete Implement an Intrusion Detection System (IDS) Security Complete Implemented Juniper Firewall System Establish a budgetary amount for hardware refreshment in each budget cycle Administration Complete Have the IT Steering Committee, with input from the IT Division, enforce software and hardware procurement policies Administration Complete Conduct an annual review of technology contracts to ensure the terms reflect the current needs of the environment Administration Complete Routinely inventory all software and compare to original license agreements for compliance Administration In Progress Inventory is complete but comparisons to license agreements is on-going Routinely inventory technology hardware to support the hardware refreshment budget Administration Complete Create technical documentation for all aspects of the IT Division’s day - to-day operation and store in central repository Administration In Progress Add documentation requirements to IT job descriptions Administration Complete Update the IT Policies and Procedures Manual Administration Complete Expanded in 2016 Recommendations (3.3.2) Develop new technology polices Administration Complete Expanded in 2016 Recommendations (3.3.2) Packet Pg. 87 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 34 Section 4 – Recommendations NexLevel’s approach is to help our clients maximize the use of resources to feasibly reduce the most common and probable obstacles faced by agencies in the effective use of information technology. The recommendations provided in this report were developed by NexLevel based on our experience in working with local government agencies and with an emphasis on identification of activities that have high value. 
Some of these can be accomplished with existing resources, while others will require augmentation of City resources. NexLevel understands that it is much easier to prescribe change than to implement it, and that no public or private sector organization has sufficient resources to take on all possible information technology governance and delivery best practices. Consequently, these recommendations are pragmatic and conditioned by real-world considerations.

As depicted in Figure 9, Process for Implementation of Recommendations, NexLevel believes that communication with all internal and external stakeholders is central to the effective delivery of technology services. All other factors being equal, organizations that foster communication and collaboration (including change management) perform better than those that do not. Planning and measurement also play key roles: planning provides the baseline for performance; and measurement provides vital feedback to improve future planning, procurement, and implementation. This commitment to continuous improvement enables organizations to progress to higher levels of maturity and performance.

Figure 9 – Process for Implementation of Recommendations

The successful implementation of organizational and procedural changes must take into account behavioral and organizational culture factors as well. Change, even change that is ultimately beneficial, is subject to resistance and skepticism. Research has shown that the changes that prevail are those that:
▪ Have engaged executive sponsors who develop and communicate their vision for the future to the organization
▪ Have immediate and tangible benefits
▪ Become anchored in the culture of the organization

Figure 10, Recommendation Framework, illustrates the model used by NexLevel in the development and evaluation of assessment recommendations, looking for items that have high impact and, ideally, that can be implemented with a reasonable degree of difficulty (i.e., cost and risk). Nonetheless, organizations need to be strategic in their implementation of any long-term recommendation. For example, there may be times when projects that have low impact and low risk should be evaluated in light of available new technologies and/or implementation approaches which will be very effective and offer little risk to the organization.

Figure 10 – Recommendation Framework

The specific recommendations contained within this Assessment have been developed to enable the City to realize improvements in how it governs, manages, and delivers information technology services, with emphasis on recommendations that are actionable, achievable, and have measurable outcomes. The recommendations include:
▪ 4.1 - The City should take steps to ensure the security and sustainability of its IT environment
▪ 4.2 - ITD should adopt additional IT Best Practices
▪ 4.3 - The City should expand ITD to improve its ability to support current and emerging user requirements
▪ 4.4 - The City should develop a Business Application Portfolio
▪ 4.5 - ITD should take steps to improve its collaboration/communication with the City Departments
▪ 4.6 - The City should develop an Enterprise Data Architecture

The recommendations are, in turn, placed into a frame of reference by Table 5, Summary of Recommendations, which provides the objective(s), the potential difficulty (cost / risk) to implement, the potential business impact, and the resulting priority.
Each of the recommendations is then discussed in further detail, including:
▪ A discussion of the rationale(s) for the recommendation and the intended objectives
▪ The potential benefits (particularly with regard to reducing total costs of ownership and improving return on investment)
▪ The high-level activities required to implement the recommendation

Table 5 – Summary of 2016 Recommendations

| Recommendations | Objective(s) | Difficulty (Cost / Risk) | Business Impact | Priority |
|---|---|---|---|---|
| 4.1 - The City should take steps to ensure the security and sustainability of its IT environment | Provide a secure framework for the on-going operation of the City’s technology infrastructure by developing formal plans and processes for: ▪ Cybersecurity ▪ Disaster Recovery ▪ Penetration Testing ▪ Application Impact Analysis ▪ Single points of failure ▪ Root Cause Analysis | High | High | High |
| 4.2 - ITD Should Adopt Additional IT Best Practices | Create and adopt the following processes to improve core delivery of technology services to City departments: ▪ Project Guidelines and Management ▪ Resource Management ▪ Succession Planning ▪ ITD Service Catalog and Service Level Agreements ▪ Service Support Management ▪ Policies and Procedures | Medium | High | Medium |
| 4.3 - The City should expand ITD to improve its ability to support current and emerging user requirements | Structure the City’s IT Department to be more customer focused and equipped to meet increased demand through adoption of: ▪ Resource Planning and Management ▪ Creating an interim ITD organization ▪ Planning a long-term target ITD organization | Medium | High | High |
| 4.4 - The City Should Develop a Business Application Portfolio | Enable ITD to better track the business applications being used to ensure that the City obtains the highest possible return on its investments in information technology through application re-use and the sharing of business processes and information across departments | Medium | High | High |
| 4.5 - ITD should take steps to improve its Collaboration/Communication with the City departments | Improve internal and external communication between ITD and City departments, vendors, external agencies, and the public | Medium | High | Medium |
| 4.6 - The City should develop an Enterprise Data Architecture | Create a city-wide blueprint, supporting standards, and resources to create uniformity in databases, information gathering, and reporting | High | High | Medium |

4.1 – The City should take steps to ensure the security and sustainability of its IT environment

4.1.1 Cybersecurity

The City does not have a formal cybersecurity plan that addresses all phases of cybersecurity including planning and implementing preventative measures, monitoring network activity to detect intrusion attempts and suspicious network activity, the implementation of procedures to mitigate cyberthreats and to recover from them, as well as processes to review the cyberattack and adapt the City processes to better meet similar threats in the future.
The National Institute of Standards and Technology (NIST) has developed a framework for cybersecurity planning that outlines the steps to be taken to monitor the network for suspicious activity and to remediate the situation.[1] The NIST framework for cybersecurity planning is comprehensive and built around discrete cybersecurity functions including:
▪ Identify (Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy)
▪ Protect (Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology)
▪ Detect (Anomalies and Events, Security Continuous Monitoring, and Detection Processes)
▪ Respond (Response Planning, Communications, Analysis, Mitigation, and Improvements)
▪ Recover (Recovery Planning, Improvements, and Communication)

[1] NIST developed a detailed cybersecurity framework in conformance to US Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which was issued in February 2013. Details of the cybersecurity framework are provided at: http://www.nist.gov/cyberframework/index.cfm

It would be prudent for the City to take a comprehensive and proactive approach to cybersecurity.
Security programs typically involve a multi-step process including:
▪ Contracting with an independent, certified, firm to conduct a threat assessment to identify security gaps and identify areas for improvement
▪ Developing a security plan to remediate the identified vulnerabilities and to provide a continuing approach to security management including periodic threat assessments and the development of plans to detect and respond to security breaches including the potential implementation of next generation firewall (NGF) technology
▪ Educating users, especially those using mobile devices, regarding security risks, safe networking practices, and their responsibility to protect City information and assets

Cybersecurity plans also include provisions to protect City information from unauthorized access, modification, and destruction by:
▪ Securing the City (to the extent possible) against external threats including hacking attempts, malware, and viruses, with the understanding that it is impossible to achieve 100% protection against these incidents. Typically, this involves multiple layers of protection so that, for example, even if a hacker is able to defeat the firewall, their access to City information is limited
▪ Securing the City against internal threats (such as disgruntled employees) by carefully granting access to confidential information to only those users who have a legitimate need to do so and logging all access attempts and actions
▪ The implementation of procedures and monitoring to detect incidents and alert ITD staff
▪ The development of procedures to respond to security incidents
▪ Encrypting communications
▪ Educating users, especially those who use mobile devices, about security threats, and the protection of their devices (“Securing the human”)
▪ Conducting periodic exercises to verify that procedures are working as intended and to identify potential vulnerabilities.

The complexity of these processes is driven in large part by the increased “online footprint/presence” that organizations and their staff members have (including social media), the growing use of mobile devices, and the increased sophistication of cyber criminals, many of whom are adept at exploiting weaknesses (or “exploits”) in personal computer operating systems and installed software products. Palo Alto Networks has noted that, “Cybercriminals have evolved… into bona fide cybercriminals, often motivated by significant financial gain and sponsored by nation-states, criminal organizations, or radical political groups”. Compared to the hackers of the past, Palo Alto Networks warns that today’s attacker has more resources available to facilitate an attack, has greater technical depth and focus, is well funded and better organized.
Implementation
▪ The City should develop a NIST-conformant cybersecurity plan to provide a continuing approach to security management including periodic threat assessments and the development of plans to detect and respond to security breaches
▪ The City should adopt a City-wide security policy which requires annual employee review and signatures
▪ The City and ITD should acquire/develop a program to educate users, especially those using mobile devices, regarding security risks, safe networking practices, and their responsibility to protect City information and assets

4.1.2 Disaster Recovery

While ITD ensures all servers are routinely “backed-up” and copies are retained at an off-site facility, the City does not have a comprehensive, well-tested, disaster recovery plan to cover emergency operational scenarios. NexLevel recommends the City develop a comprehensive Disaster Recovery Plan that would establish the priorities for restoring technology services and ensure adequate processes, procedures, and resources would be available to support an orderly recovery of the City’s applications within the defined timeframe and in priorities as deemed by the City departments.

Once the Disaster Recovery plan has been completed, ITD should exercise the plan to validate that the servers, operating systems, application software, and databases can be brought into service from the recovery site within the specified timelines, that the applications will function as expected, that network connectivity can be successfully established, and that system performance is acceptable. Provisioning physical systems for recovery, configuring these systems, and recovering applications can be time consuming; as a result, recovery may take from several hours to several days for each system.
Successive recovery drills are needed to refine processes to reduce the time required to restore critical information systems.

The following best-practice considerations should also be evaluated in the development and maintenance of plans for business continuity and disaster recovery for the City:
▪ The plans must be relatively agile since the support for business operations and user expectations for support evolve continually whereas disaster recovery and business continuity plans are updated less frequently
▪ The restoration of complex applications is highly dependent on resources with specialized skills and experience who might not be available in the event of an emergency
▪ Provisioning physical systems for recovery, configuring these systems, and recovering applications can be time consuming; as a result, recovery may take from several hours to several days for each system. Successive recovery drills are needed to refine processes to reduce the time required to restore critical information systems
▪ Organizations need to be realistic in planning for disasters. Full-scale exercises, even when conducted on weekends, etc., can be very expensive and disruptive to business operations. Load testing is useful, but cannot ensure the performance and reliability of applications hosted from recovery centers
▪ Organizations often overlook single points of failure in their technology environments, especially where connectivity is concerned. It is not sufficient to simply restore systems and applications in an alternative location, connectivity to the users must also be provided
▪ The effort to develop, maintain, and refine these plans is significant, thus organizations need to prioritize their recovery needs based on a thorough risk and business-impact analysis
▪ The specialized knowledge and experience required to support the City’s applications.
Planners commonly think of business continuity in terms of having the necessary facilities and resources to maintain service levels in the event of a natural disaster, public disturbance, emergency, or other event; however, if key personnel are unavailable, this can ultimately be as detrimental to sustaining service levels as is damage to a facility or the loss of a network link

NIST has published a Disaster Recovery Contingency Planning Guide for Information Technology Systems as well as a template for the development of a Business Impact Analysis (please refer to http://nvlpubs.nist.gov/nistpubs).

Implementation
▪ ITD should create, at a minimum, an IT Disaster Recovery Plan for City “mission critical” business applications
▪ ITD should test and modify the IT Disaster Recovery Plan on an annual basis
▪ ITD should participate in mock City disaster preparedness drills and other EOC planning activities in order to exercise the ITD Disaster Recovery and City’s Business Continuity Plans

4.1.3 Penetration Testing

The City should plan to contract with a specialized firm to conduct network penetration testing and vulnerability assessments for the WAN, LAN, and wireless networks. These tests should be conducted on an on-going, regular basis (preferably annual) and upon completion, ITD should establish an aggressive plan to remediate identified vulnerabilities. It should be noted that the first such penetration tests were conducted in April 2017.
Implementation
▪ ITD should contract with an independent, certified, firm to conduct an internal and external network vulnerability scan and penetration test to identify security gaps and develop an action plan for remediation of security weaknesses

4.1.4 Application Impact Analysis

The City should direct user departments to prepare a business impact analysis that identifies each mission critical business application and the potential impacts to the City if the application is not available, the steps that can be taken to sustain operations without automation, and the maximum amount of time that the department can sustain operations without the application being available.

Implementation
▪ The Technology Steering Committee should conduct an analysis of core business applications and determine the business impact, recovery strategy, and restoration priority for each system

4.1.5 Single Points of Failure

ITD should formally identify single-points-of-failure and establish a plan/budget to eliminate findings. Absent preparations for business continuity, an incident such as the failure of a power feed or air conditioning unit can be as disruptive to information services as a natural disaster. Generally, the servers and storage devices typically used for enterprise applications are built for high-availability and fault-tolerance, so the most significant threats to business continuity are often related to infrastructure components (power lines, data lines, air conditioners, etc.) that have no backup and are thus single points of failure.

Implementation
▪ ITD should identify single-points-of-failure within the City’s technology infrastructure and establish a plan and budget for remediation

4.1.6 Root Cause Analysis

A Root Cause Analysis is a method of problem solving used for identifying the actual or root causes of faults or problems.
Typically, multiple factors are involved in an incident or outage, including both causal factors (factors that may contribute to the problem, but are not the underlying cause) and root factors. A factor is considered a root cause if its removal from the “problem-fault” sequence prevents the final undesirable event from occurring. Root cause analysis is essentially a proactive activity since the elimination of root causes (such as a lack of user training) can prevent or largely minimize future incidents.

A root cause analysis is usually performed in a structured manner similar to a peer review where multiple individuals, each with specific expertise, review the chain of events that led to the incident, analyze the chain of events and identify the root cause(s), and develop a plan to mitigate or eliminate future incidents by correcting the root cause(s).

Implementation
▪ ITD should create a standard, well-documented root cause analysis process for incident identification, remediation, avoidance, and historical reference

Recommendation Benefits

| Benefits | Impact |
|---|---|
| Improved information technology resilience / security | Direct |
| Increased staff productivity | Indirect |
| Improved service delivery / operations | Direct |
| Reduced cost of information technology ownership | Direct |
| Improved return on investment for information technology | Indirect |

4.2 – ITD should adopt additional IT best practices

The further adoption of best practices by ITD would benefit the City by improving the ability of ITD to support the City’s departments and enable ITD to focus on higher-value activities (i.e., shifting from reactive to proactive activities). NexLevel sees several areas where ITD could modify its approaches to the management and delivery of IT services to benefit both the user community and ITD.
These include:
▪ Project Guidelines and Management
▪ Resource Management
▪ Succession Planning
▪ ITD Service Catalog and Service Level Agreements (SLAs)
▪ Service Support Management
▪ Policies & Procedures

4.2.1 Project Guidelines and Management

Project management is the discipline of planning, organizing, securing and managing resources to achieve specific goals. Ineffective project management can result in extended timelines, budget overrun, and project failure.

The City does not utilize a formal project management methodology during the implementation of major technology projects either managed by ITD or a City department. Since most projects are initiated without formal processes, it is difficult to determine if projects have been completed on-schedule, on-budget, and whether they met original expectations. Recent major projects such as EnerGov and Motion have been planned around a more formal structure; however, the City does not have the resources to implement a best-in-class project management framework. With that being said, basic project processes such as charters, formal meetings, roles and responsibilities, and status reporting can result in better use of resources and improve overall delivery success for all technology projects regardless of size or complexity.

Once a project is initiated, the City should have standardized templates for the project manager (or designee) to track and report on project progress.
Clarifying project components at the outset of a project helps ensure project success by setting expectations for the resources and level of effort required for the activities (that external software providers often leave to the client) including data conversion (including cleaning up information in the legacy system and reviewing the results of data conversion runs), preparation of test cases and acceptance testing, training, and revising internal processes and procedures to ensure that the features and functionality of the new application can be used as effectively as possible.

Implementation
▪ At a minimum, project managers should complete the following templates throughout all future technology projects:
  - Charter
  - Timeline
  - Project Team
  - Project Leadership / Decision Making
  - Issue Management
  - Risk Management
  - Project Schedule and Resource Tracking
  - Budget Tracking
  - Status Reporting

4.2.2 Resource Management

Although many organizations develop detailed project schedules and project management plans for the implementation of key enterprise business applications, these projects still take longer than planned; often these delays are a result of not having sufficient resources available. User resources also play significant roles in the business application projects, beginning with the definition of requirements through application selection, product configuration, data conversion, testing, and acceptance. While IT resources can usually be supplemented by external services, finding additional user personnel who are familiar with the organization’s business processes and objectives is more difficult.

Faced with the competing needs to support both existing operations and implementation activities, organizations often make a concerted attempt to “get it done,” by reducing the amount of time and resources for data clean-up, user training and testing.
Although organizations frequently plan to catch up on training and the implementation of any remaining functions in future phases following implementation, they seldom do so as the focus shifts to “getting work done.” The net of this is that:
▪ Applications are often implemented without sufficient testing or without having all functions available, resulting in the need for costly “workarounds”
▪ The users are often unable to make full use of application features and functionality, or to use the new application with confidence
▪ Users can become fatigued and demoralized, and their emphasis can shift from “doing things better” to “getting by”
▪ These factors combine to limit the organization’s ability to fully realize the intended benefits of new business applications, thus reducing the return on their investment

Implementation
▪ The City should develop formal work plans that detail the tasks assigned to each staff member (ITD and City departments), the duration of the tasks, and the anticipated start and completion dates
▪ The resource management plan should provide the ability to track hours to tasks, determine how personnel resources are being used, analyze trends in user demand for ITD services, and ascertain ITD’s ability to meet future demands

4.2.3 Succession Planning

The lack of a comprehensive succession plan for the ITD staff has the potential to be a significant issue for the City in the next several years. Much of the technical knowledge and expertise is held by staff with only informal documentation relative to the server room, application interfaces, databases, and network configurations. Cross-training can also mitigate the impact of attrition, but without sufficient resources to maintain service levels, the time and effort required for cross-training will impact the ability of ITD to maintain service levels.
While cross-training and bringing back retired staff members as contractors are effective short-term solutions, the long-term solutions are to: (a) allocate time to the development of a knowledge base, even at the expense of slowing non-critical tasks, (b) develop a cross-training plan that assigns a backup for every staff member and allocates time for cross training and periodic briefings, (c) adopt highly-standardized procedures so that staff members can readily move from one assignment to another, and (d) take advantage of annual leave, etc., to verify the cross-training procedures and that the backups are prepared to take over as needed.

Implementation
▪ The City needs to allocate sufficient time or resources for ITD staff to create comprehensive documentation that clearly identifies the network design, equipment configuration, and relationships between the infrastructure components, applications and data repositories. As ITD staffing changes occur, this documentation will provide a foundation from which new employees, or outside vendors, can begin an effective process of support
▪ ITD should partner with Human Resources staff to create a succession plan for each employee identifying backup personnel and career advancement plans
▪ ITD should include the succession plan in the employee’s annual performance evaluation

4.2.4 ITD Service Catalog and Service Level Agreements

The service catalog defines the services that an IT organization provides, the respective responsibilities of the users and the IT organization, and the metrics used to measure the effectiveness of service delivery. Services are often described in terms of levels, i.e.:
▪ Level 1 – These are usually actions that the user, or a “super user,” can take to resolve common problems, with password resets being a common item often handled as Level 1 services.
More complex services can also be performed (at least initially) by users who have access to a knowledge base or other self-help facilities
▪ Level 2 – These services are typically performed by the Help Desk, often with the use of software that enables them to remotely access a user’s desktop
▪ Level 3 – These services are typically performed by a specialist within the IT organization (such as database administrators or server administrators), or by an external service provider

Level 2 and Level 3 activities are usually covered by an escalation procedure (which is also defined in the service catalog) where the priority of a request can increase as it ages, and it can be escalated to IT management.

SLAs provide the foundation for the management of the delivery of IT services and user expectations. The old adage that “you can’t manage (or for that matter, improve) what you don’t measure” directly applies to tracking service metrics for IT organizations. Service metrics are used to drive improvements and help focus staff and resources on what’s important, but also support organizational priorities and provide a window on performance, culture and productivity.
Service metrics can be used to effectively:
▪ Drive the mission of the IT organization by focusing it on the delivery of services to the users
▪ Provide a foundation for the discussion of the scope of services provided by the IT organization, along with user expectations
▪ Make informed decisions regarding the allocation of resources
▪ Monitor and reward performance
▪ Continually improve both IT services and their delivery

Implementation
▪ ITD should prepare a service catalog that reflects the demarcation of technology support responsibilities between ITD and City departments
▪ Service levels should be negotiated with the users and then reviewed and approved by executive management (particularly where increased service level expectations may require the allocation of additional resources)
▪ Service level agreements should also be developed and included in contracts with external service providers including items such as: specified level of service, support options, enforcement or penalty provisions for services not provided, a guaranteed level of system performance as relates to downtime or uptime, a specified level of customer support and what software or hardware will be provided and for what fee

4.2.5 Service Support Management
ITD does not utilize a formal approach to change management, acceptance testing, and quality management. This can be problematic since change, and the need to effectively and quickly respond to change, is a constant factor in technology projects:
▪ Requirements often change as a result of external factors (such as statutory or regulatory changes), but also as a result of the users obtaining greater experience in how technology can best be used to improve operations.
Changes in requirements can also lead to changes in policies and procedures and expectations, particularly regarding the availability, timeliness, and accuracy of information
▪ The availability of staff resources (and as a result, the project schedule) can change as a result of many factors including unforeseen priorities, contingencies, and human resource factors such as illness, resignations, retirements, etc.
▪ The scope and objectives of a project may change as a result of budgetary or other factors

As a result, IT organizations must be able to manage change and ensure that completed projects conform to user specifications (acceptance testing), and that services are delivered in a manner consistent with ITD’s standards and user expectations (quality management).
▪ Change Management: Change management is the process that is used to identify, analyze, track, and reconcile these, and other, changes that may occur over the lifetime of a project. It can be used for multiple purposes including the management of:
  - The organizational, procedural, and cultural changes that often accompany transformational activities such as the introduction of an enterprise information system
  - Project changes that need to be made to the scope, organization, and other components of the implementation plans for information systems
  - Infrastructure and system configuration changes
  - Issues, since these typically relate to items such as scope, requirements, schedule and resources
▪ Acceptance Testing: ITD does not appear to have a universal approach that has department buy-in for the testing of applications and the steps that must be completed prior to placing a new application version, or an upgrade to an existing version, in production.
The absence of consistent test cases and test data (that have been prepared in consultation with the users) makes it difficult to perform meaningful acceptance and regression testing to ensure that new applications or modifications to existing applications perform as expected before placing them in production. Best practices for testing generally call for the creation of a requirements traceability matrix to track user requirements from the point they are defined, through the development of specifications, development, and successive stages of testing including:
  - Unit and string testing by developers during the build phase
  - System testing (including integration and performance testing where appropriate)
  - Acceptance testing for activities such as data conversion
  - Acceptance testing for completed components of the system.
▪ Quality Management: NexLevel looks at quality management as a set of processes that ensure IT services are delivered in a manner that meets service levels, supports the City’s business operations, and meets users’ expectations, i.e., focusing on the correction of the root causes of problems rather than quick fixes, or providing documentation that is incomplete or inaccurate for the sake of meeting a deadline.

Implementation
▪ Change management doesn’t have to be complex to be effective and, in fact, ITD has implemented some components of automated change tracking. ITD should ensure it is able to implement and use change management with a standardized form to request changes, a repository to record the change and its status, and a set of procedures to govern how change requests are managed and tracked (including a defined escalation path)
▪ ITD should have a policy to ensure that adequate acceptance testing is normally performed.
ITD should set a minimum expectation that, when acceptance testing is conducted, errors are documented and reviewed, and then tracked (possibly by creating a ticket in the Help Desk system) through the time that the test is finally successfully completed. Documenting error conditions in the Help Desk system would enable the dissemination and tracking of the error report and provide the ability to generate a report for the users to indicate that all errors have been resolved prior to placing a system in production
▪ ITD must be prepared and committed to organizational quality by:
  - Managing quality from the top down in a consistent manner
  - Defining meaningful quality goals and measures that relate to customer satisfaction
  - Identifying and prioritizing ITD quality issues from an end-to-end perspective, rather than looking for quick fixes that are often demanded by the departments (except in urgent situations)
  - Assigning issues to owners for the entire life-cycle of the ticket (from reporting to resolution), driving root cause analysis, and tracking results
  - Promoting knowledge sharing of best practices relative to quality management in IT
  - Driving preventive defect activities so that quality does not become an afterthought

4.2.6 Policies and Procedures
A core component of technology best practices is the establishment and enforcement of policies and procedures. Effective policies and procedures guide the use of technology to ensure a secure, reliable, and supportable environment. It is important that the City adopt and routinely maintain technology policies and enforce their consistent use. The enforcement role should be an important tenet of the Technology Steering Committee. ITD has developed a comprehensive portfolio of technology policies and procedures as shown in Appendix A, Inventory of Technology Policies, many of which should be updated and expanded to reflect the current operational environment and technology standards.
Some policies should be entirely rewritten and new ones added to support existing operations. In general, core technology policies should include:
▪ Acceptable Use of Technology: Guidelines for the use of computers, telephones, cell phones, BYOD (Bring Your Own Device), portable storage devices, internet, email, and voicemail. Social networking usage guidelines and use of online file storage services not controlled by the City (e.g. Dropbox, iCloud, Google, SkyDrive, iTunes, other online backup services) should be included
▪ Security: Guidelines for passwords, levels of access to the network, virus/spyware protection, confidentiality, usage of data and data encryption
▪ Standards: Guidelines to determine the type of software, hardware, and systems that will be purchased and used within the City, including those that are prohibited (for example, instant messaging or music download software)
▪ Network Set up: Guidelines regarding how the network is configured, how to on-board/off-board employees to the network, and permission levels for employees

Policies that should be considered and developed as appropriate include:
▪ IT Steering Committee and Technical Advisory Committee
▪ Storage
▪ Document Retention
▪ VDI
▪ Cloud
▪ Public Information Requests
▪ Equipment Sanitation/Disposal
▪ Software Licensing
▪ Green IT
▪ Administrative Rights
▪ Change Control - Freezes & Risk Evaluation
▪ Desktop Move/Add/Change
▪ Inventory (Hardware and Software)
▪ Mobile Device Acceptable Use (radios/phones)
▪ Patch Management
▪ Removable Media Acceptable Use
▪ Wireless Access Points

Implementation
▪ ITD should create and/or update its core technology policies and procedures and submit them for IT Steering Committee approval
▪ The City should adopt the approved core technology policies and inform all City staff
▪ The City should monitor and enforce technology policies as appropriate
▪ As time permits, ITD should create and/or update technology policies to include those not considered “core” policy

Recommendation Benefits
Benefits | Impact
Improved information technology resilience/security | Direct
Increased staff productivity | Direct
Improved service delivery/operations | Direct
Reduced cost of information technology ownership | Indirect
Improved return on investment for information technology | Indirect

4.3 – The City should expand ITD to improve its ability to support current and emerging user requirements
The changes in the capabilities (and complexity) of information technology and how organizations use information have been profound. Within a relatively short timeframe, developments including reliance on the Internet, mobile computing, mobile applications, etc., have transformed information technology from a back-office productivity tool to a strategic enabler for the delivery of information and services to the public.
Users increasingly expect to have information, and the tools needed to analyze it, readily available to them to assess organization performance and the impact of policy decisions on staffing and operations.

In addition, users are now dependent on an organization’s IT infrastructure, business applications, and the support for them to perform their jobs. In the past users had manual workarounds; today they do not. When, for example, business applications are not available, are slow, or have functional defects, the impact on an organization is immediate and often evident to the public.

Accordingly, these factors necessitate changes in how IT organizations are structured, managed, and staffed. Whereas IT organizations were previously responsible for implementing and maintaining an organization’s infrastructure and centralized business applications, they must now be service managers and service brokers in addition to service providers. In the past, network, systems, and programmers were the core of IT support organizations. Today, business analysts and project managers are needed to support user communities that rely on hybrid information technology environments that include centralized, departmental, and cloud-based applications.

Current ITD Organization
The current organization structure, as depicted in Figure 11, Current ITD Organization, has served the City well with staff delivering excellent service to City departments as evidenced by this assessment and discussed in Section 2.6 of this document.

Figure 11 – Current IT Organization

However, ITD, like most IT organizations, is being challenged to meet increased user expectations. Specifically, our findings include:
▪ Support Services, which provides first-level response to user questions, issues, and requests, does not have adequate staff to handle the current volume or to provide sufficient coverage for the Help Desk throughout the day due to lunch, flex days, sick time, training, vacations, etc.
The IT Support Services Supervisor also has collateral responsibilities for fiscal management within ITD, project management, and City-wide user training. As a result, other IT staff members (including network administrators and GIS specialists) are being called on to provide first-level support in addition to their assigned duties with the result that highly-trained staff members are being diverted from their primary assignments to handle first-level support tasks. The recent addition of a full-time Help Desk employee has significantly improved the delivery of services.
▪ Information Services supports the City’s Geographic Information System (GIS) and city-wide database administration. Increased demand for user reports and for integrating GIS data with the City’s other business applications (including Fire Analysis, Spillman CAD/RMS, Cityworks, Springbrook, etc.) is reducing the time available for GIS systems administration and maintenance.
▪ The single Database Administrator, in addition to providing second-level Help Desk support, is responsible for managing all the City’s databases, supporting interfaces between the databases, providing for the generation of reports, coordinating the City’s project to implement a new ERP system, OpenGov, Dashboards, and City-wide departmental performance measurements. The responsibility for these critical tasks being placed on one individual raises concerns such as: work overload, backup, potential reduction in work quality, stress, and a singular knowledge of data structures/processes.

As the City implements new technology and reconfigures ITD’s mission to meet future business objectives, staffing considerations will be critical if the City expects to maintain the high level of service currently provided.
In Figure 12, IT Trends and Analysis of Staffing Impact, NexLevel forecasts the impact to the ITD organization and its ability to maintain service levels, based on current technology trends. The red boxes indicate areas that will be significantly impacted if staffing is not addressed.

Figure 12, IT Trends and Staffing

The columns across the top of the table represent the current divisions within the ITD organization. For each column, the green boxes indicate current staffing will most likely meet expectations for that trend, yellow are questionable, and red boxes indicate ITD will not meet support requirements given existing staffing configurations.

The column labeled Technology Trends represents the technology, services, and business environment the City is either facing, or will face, over the next 3-5 years. These Technology Trends are defined as:
• Ongoing Support Impact - Activities related to the continuing support (including user support, training, maintenance, enhancement, and refreshment) of the City’s technology environment including infrastructure, business applications, productivity tools, and data
• Strategic Alignment - The implementation of processes to ensure the continuous alignment of information technology spending and resources with the City’s business priorities
• Complex Applications - The activities related to the acquisition, implementation, and support of enterprise business applications to improve business processes and to mitigate the use of siloed business processes, business applications, and stand-alone repositories of information
• Application Integration - Activities related to the design, implementation, and support of processes to facilitate the exchange of information between department business applications
• Business Intelligence/Data Analytics - Activities related to the collection and analysis of information to support traditional reporting needs as well as the use of analytics to predict trends
• Strategic Sourcing/Managed Services/Cloud Services - Activities related to the sourcing of information technology services to externally-supported services including private, public, and hybrid cloud services
• Contractor/Vendor Management - Activities related to the management of the delivery of products and services by external suppliers
• Digital Government - Activities related to the development and implementation of policies, procedures, and solutions to enable the public to obtain access to information and services using any device, from any location, at any time
• Business and Digital Communication Strategies - Activities related to the development and implementation of strategies to enable the sharing of information with the public including the acquisition and deployment of broad-band access to the internet
• Mobile Technology - Activities related to the acquisition and deployment of mobile devices to enable remote, wireless access to services and information as well as the management of the devices themselves
• Cybersecurity - Activities related to the development and deployment of standards, policies, and procedures to prevent cyber-attacks and to recover from an attack
• Open Data/Data Transparency - Activities related to making information readily available to the public
• Unfunded Mandates - Activities related to the acquisition, deployment, and support of information technology services that are mandated by governmental or regulatory authorities which must be supported using existing funding sources

The column labeled “Organization Impact” shows when the City will need to address the ITD organization based on the technology trends as they are implemented within the City. The last row of the table shows the probability of ITD to sustain service levels given today’s operational requirements and staffing.

Near-term ITD Organization
Based on the organizational findings and in order to meet and sustain a high level of service delivery, NexLevel recommends the City consider implementing a near-term ITD organization as depicted in Figure 13, Near-term ITD Organization.

It is to be noted that since the development of this IT Assessment, the City has made some changes to the ITD organization to accommodate staff retirements and ever-changing support needs. In addition, the City has not been able to allocate additional funds to support staffing recommendations, but plans to review IT staffing in upcoming years.

Figure 13 – Near-term ITD Organization (organization chart). Box labels as extracted: Information Technology Manager; Network Services Supervisor; Network Administrator; GIS Specialist II; Information Services Supervisor; Database Administrator; GIS Specialist II; Network Administrator; IT Assistant/Help Desk; Database Administrator; IT Assistant/Help Desk; Admin Assistant I (Shared w/ Finance); IT Temp/Help Desk Part-Time; Control Systems Administrator; Control Systems Technician; Network Administrator; Support Services Supervisor; GIS Temp/Part-Time; New Position (legend); Application System Specialist EnerGov.

Specifically, as funding allows, changes to the current organization include:
▪ Adding a second Information Technology Assistant will provide better coverage for the first-level support issues and reduce the number of first-level problems, questions, and requests that are being handled by other ITD staff members. It should be noted that one industry standard, and a similar NexLevel observation of IT organizations throughout California, is that 1 Help Desk technician can support between 175-200 devices (desktops and laptops). Based on this metric, ITD should allocate between 2.7 and 3.0 FTEs to its Help Desk function (535/200 and 535/175). In addition, a second Information Technology Assistant provides backup and coverage during breaks, vacations, and other absences
▪ Adding a second Database Administrator to provide expanded coverage for database support and to provide a backup for the City’s single Database Administrator. The work load on the existing DBA has continued to increase over the past 5 years. What were once data elements within application files have today become a complex network of databases attached to a myriad of application systems.
It is extremely challenging to manage the City’s data, understand the architecture supporting the databases, and create effective solutions to effectively extract data and create meaningful reports for analysis and decision-making. Having an additional set of hands to meet the database workload appears to be critical. This is not to mention the “back-up” provided by a second individual working as an “under-study” to the City’s most experienced and knowledgeable DBA.

NexLevel is confident that the proposed Near-term ITD Organization will better assist the City in realizing its vision for the use of information technology, maintain a high level of user satisfaction, and enable the City to improve its return and protect its investment in information technology.

Long-term ITD Organization
Although the implementation of the Long-term ITD Organization is outside the timeline of the Strategic Technology Master Plan, NexLevel anticipates that as the City implements new technology and addresses dynamic technology trends, the City will need to move to an IT organizational structure as depicted in Figure 14, Long-term ITD Organization. As shown and as budget and other resources become available, ITD will likely evolve into an organization that is more of a service manager/service broker than solitary service provider.

Figure 14 – Long-term ITD Organization

Please note that this organization represents NexLevel’s recommendation of how ITD could be organized assuming that:
(1) The Technology Trends described in Figure 12 become reality with the City actively moving to implement many of the new technologies and processes identified
(2) Cloud-based services will continue to mature, become more cost-effective and ubiquitous than at present, and will provide viable alternatives for the support of the City’s IT infrastructure (hardware, networks, and applications) as well as for services such as training and some user support functions
(3) The City’s user departmental staff will similarly continue to evolve in terms of their abilities to make use of information technology (particularly with regard to mobile and remote computing) with less support from ITD than at present
(4) The City formally creates additional department-based Subject Matter Experts for major business applications (Work Order, Finance, Public Safety, etc.) thereby reducing the reliance on ITD for application assistance

Compared to the current or Near-term ITD Organization, this Long-term ITD Organization is structurally different and highly reliant on web-based and managed services for applications support, network infrastructure monitoring and support, user support (help desk), and training. The Long-term ITD organization builds on the structure of the Near-term ITD organization but replaces some of the then-current in-house positions with managed services personnel and adds new positions for a Security Officer and Project Management Officer. It also consolidates the IT Support Supervisor and Network Support Supervisor into a single position.
The roles of these positions are defined as:
• Project Management Officer (could be a shared position with other City departments) - the management of core, enterprise projects, such as ERP, and additionally provide an internal resource to assist other City staff members in managing information technology projects, in conducting business process reengineering efforts, and in providing for the development and documentation of departmental business requirements. The Project Management Officer would also provide project oversight services and work with vendor project managers to ensure that their activities are progressing to plan and that proposed project changes are being appropriately identified, tracked, and resolved
• Security Officer – a dedicated position for the management of the City’s security program including cybersecurity planning, ITD disaster recovery planning, and City-wide business continuity planning. In addition, this position is responsible for the City’s security practices, policies & procedures, employee security awareness training and EOC participation
• Infrastructure Supervisor – this position will oversee and manage the remaining on-premise help desk and network administration staff. Additionally, this position will co-ordinate the managed services staff responsible for help desk, application training, and remote network monitoring/management
• Subject Matter Experts - staff that are the focal point for how a City department uses its business software applications, determining the best method of applying the application to meet departmental business needs, and overseeing the departmental use of enterprise-wide technology (document management, GIS, ERP, etc.).
In addition, the Subject Matter Experts would help department users find new technical solutions, research software and technology applications, and interface with ITD for the implementation of technology tools and data integration processes
• External Services – vendors under City contract to provide services such as help desk, technical and user training, network infrastructure monitoring, upgrading, operating, GIS technical and/or planning support, project management, and application training, problem resolution or vendor co-ordination

This staffing recommendation is conservative and the City should continually review ITD’s staffing requirements as it gains more experience with the use of managed services. NexLevel anticipates that the City’s need for networking support and application support will diminish over time. Temporary staff can always should the City need to procure new business applications or take on additional networking responsibilities.

The use of external service providers can also provide other benefits including greater availability at all times, flexibility to scale the service as needed to accommodate demand, and the ability to have resources available to support key users such as executives or specialized technicians. Firms that provide dedicated IT services are also generally better able to recruit and retain highly skilled professionals and are motivated to keep their training current.

It is important to note that the City’s ability to migrate to the Long-term ITD Organization will be dependent on the availability and maturity of cloud-based services (including Software as a Service; Platform as a Service; etc.), and the City’s willingness to adopt, and have the users accept, an alternative service delivery model for ITD services.
To meet near-term and long-term staffing needs, the City may identify and employ the following vehicles for augmenting resources including:
• Direct Hire
• Internal transfer
• Reassignment of responsibilities
• Temporary help
• Contracted personnel
• Managed services

Implementation
▪ The City should take steps to implement the Near-term ITD organization by adding 2 new staff (Information Technology Assistant and Database Administrator)
▪ In conjunction with the further implementation of IT best practices, ITD should adopt and implement a rigorous process for the allocation of staff resources and the tracking of the hours they expend on projects and support tasks
▪ In the future, the City should plan for, and create, the Long-term ITD Organization by adding a Project Management Officer, Security Officer, department-based Subject Matter Experts, and contracting with IT managed service providers as appropriate

Recommendation Benefits
Benefits | Impact
Improved information technology resilience / security | Direct
Increased IT staff productivity | Direct
Improved IT service delivery / operations | Direct
Reduced cost of information technology ownership | n/a
Improved return on investment | Direct

4.4 - The City should develop a Business Application Portfolio
The successful implementation of recommendations outlined in this assessment and the deployment of new business applications, and their supporting technologies, will depend on ITD’s ability to manage projects and work effectively with external service providers (vendors). Industry research confirms that the ability to effectively collaborate with vendors and to facilitate the successful completion of projects must be a core competency for IT organizations.
Application portfolios provide a repository of information about applications (and their supporting technologies) so that the organization’s stakeholders, the IT organization, and end-users can make informed, enterprise-level decisions about the allocation of scarce resources to the maintenance, enhancement, and eventual replacement of applications in a systematic and holistic manner that considers organizational goals and priorities rather than looking at each application in isolation and allocating resources by default. The application portfolio integrates information about applications that is often maintained by different individuals and enables collaboration between the IT organization and the user community.

Forrester Research has noted that application portfolios enable IT organizations to optimize the use of “…limited resources while providing the maximum business benefit… This is the world of IT portfolio management — balancing resources, technology, business needs, and changing situations while simultaneously maximizing returns and minimizing risk.” 2

The development of an application portfolio will enable the City to effectively manage its core business applications. The application portfolio will provide the vehicle for the City to:
▪ Evaluate the impact of technology changes on the business applications
▪ Conduct more-frequent periodic reviews of the application portfolio
▪ Develop and defend informed decisions as to the ultimate disposition of an application (retirement, replacement, technical renovation, functional enhancement)
▪ Define service levels based on the impact of the application on City operations / community impact
▪ Optimize ITD staff resource allocation
▪ Evaluate and prioritize decisions to source application support (such as to “cloud” or software-as-a-service (SAAS) solutions).

2 Defining IT Portfolio Management: Holistic IT Investment Planning, Forrester Research, Sept. 2004
Although there are products for application portfolio management, an effective application portfolio can be maintained in a spreadsheet. Fields typically contained in an application portfolio include:
▪ Application Acronym
▪ Detailed Budget Information (Run Rate, License Costs, etc.)
▪ Application Description
▪ FTE Support Requirements
▪ Executive Sponsor
▪ Additional FTE Requirements
▪ Current Status (i.e., production, development, etc.)
▪ Interfaces and Information Exchanges with other Applications
▪ Planned Status and Date
▪ Source Code Repository / Source Code Escrow
▪ Priority Classification
▪ Service Level Agreement Reference and Terms
▪ Support Profile
▪ Supporting Technologies
▪ Purpose
▪ Disaster Recovery Provisions
▪ User Sponsor
▪ User Community
▪ Business Continuity Provisions
▪ Version and Status

Implementation
▪ ITD should work with the departments to develop an initial application portfolio and then augment the information as time and resources permit
▪ ITD should review the information in the Application Portfolio with the objectives of identifying opportunities to consolidate services and applications that may need to be replaced or enhanced
▪ ITD should keep the information in the Application Portfolio current and perform an annual review with the Technology Steering Committee

Recommendation Benefits
Benefits | Impact
Improved information technology resilience/security | Direct
Increased staff productivity | Indirect
Improved service delivery/operations | Indirect
Reduced cost of information technology ownership | Direct
Improved return on investment | Direct
4.5 – ITD should take steps to improve its Collaboration/Communication with the City departments

Although ITD has made remarkable progress in increasing the effectiveness of the services it delivers to the City’s user departments, the performance issue becomes one of sustainability and of increasing proactive technology service delivery. The ability to communicate and collaborate within the IT organization and between the IT organization and the user departments has become increasingly vital to the successful delivery of information technology services.

NexLevel considers that internal and external communication and collaboration are the foundation for the effective delivery of IT services. ITD must be able to maintain effective communication with a variety of communities of interest including:
▪ Communication between ITD and vendors
▪ Communication within ITD
▪ Communication between ITD and City departments
▪ Communication with external agencies/municipalities
▪ Communication with the City’s customers and the public

IT organizations need to take the time and effort to preserve work plans, procedures, and other technical information so that it is available as needed. This should include the formal planning documents that guide the day-to-day activities of the IT organization such as technology deployment plans, procedures for the implementation and/or enhancement of business applications, and the refreshment of hardware and system software.
Other proven approaches to improving communication and collaboration include:
▪ Providing an online forum where users can collaborate with each other and ITD regarding issues, questions, or pending upgrades, obtain information regarding the status of a request, or obtain immediate assistance from ITD without having to file a ticket and then wait for a response
▪ Providing users with access to real-time information regarding service levels, project and request status, and workload
▪ Publishing current compliance with service levels and performance metrics which will demonstrate ITD’s commitment to the users and ITD’s goal to continually improve service delivery
▪ Providing a knowledge base and self-help features to enable users to diagnose and/or resolve common issues
▪ Reaching out to the user departments to review issues and discuss (consult) new, or different, ways to use technology to meet their business needs

It should be noted that effective July 2017, ITD will become a separate department within the organization structure of the City. The change should help improve overall communication between ITD and City departments as there will now be a direct link and commonality among department heads.

In the future, ITD must guard against communicating and collaborating with user departments in an informal, undocumented manner. If this form of communication/collaboration is unmanaged, the “institutional knowledge” often diminishes over time, it becomes difficult to consistently share and build on it, and it is not readily available to other staff members. This can be particularly true for projects that involve multiple departments or the participation of external service providers and/or contractors. Unfortunately, any absence of transparency promotes the suspicion in the City departments that ITD works on what it wants to, when it wants to, and with little regard to user needs.
Implementation
▪ ITD should make on-going communications with user departments a priority. By developing an effective communications plan, ITD can bridge any gap of users not knowing the status of projects, the progress on requests for services, and the need for technical advice/consultation on how best to apply technology to meet business needs
▪ Explore and implement, where practical, expanded communication tools to better inform user departments as to ITD activities, up-coming maintenance activities, and technology project status

Recommendation Benefits
Benefits | Impact
Improved information technology resilience/security | Indirect
Increased staff productivity | Indirect
Improved service delivery/operations | Direct
Reduced cost of information technology ownership | Indirect
Improved return on investment for information technology | Indirect

4.6 – The City should develop an Enterprise Data Architecture

The collection, aggregation, and analysis of information from disparate business units across an enterprise is often referred to as “Big Data” by the information technology industry. Big Data provides the foundation for business intelligence and business analytics. Despite the development and continual improvement of the tools available, the collection of data from a portfolio of business applications and operational applications in support of regulatory reporting and management analytics can be difficult and expensive to achieve on a continuing basis unless the organization has an enterprise data architecture that predefines how the pieces fit together.
The use of information to effectively manage organizations is dependent on:
▪ An enterprise data architecture
▪ Processes and staff to support the architecture (including processes for its governance, support, and evolution, since both the data being collected and the organization’s use of the data will change over time)
▪ Standards to ensure that business applications that are developed or acquired by the City, or on its behalf by external service providers, will be able to:
  - Exchange information with other City business and operational applications
  - Support the integration and compilation of information to support modeling, planning, performance management, and analytics

Organizations without an enterprise data architecture, supporting standards, and staff to support it, often attempt to support decision-makers through a cumbersome combination of ad-hoc applications, databases, and spreadsheets. These tools often use data inconsistently, are seldom well documented or able to quickly meet new requirements, and eventually become a drain on organizational resources. This can quickly become a worst-case scenario as the total cost of ownership (TCO) for these ad-hoc processes quickly mounts while the return on the organization’s investment (ROI) decreases.

3 Improving State Government Operations Through Business Analytics, NASCIO Research Brief, February 2010

The National Association of State Chief Information Officers (NASCIO) has noted that: “Information assets are highly valued enterprise assets. As such, this resource must be properly managed through appropriate governance. One of the major challenges in governance of this resource is dealing with the continued growing volume of data, and how to sort out what data is most valuable in delivering efficient, high quality government services.
The amount of data, the various media and types of data, and the sources of data is continually proliferating… government needs the means for managing this data in order to derive valuable information for ensuring: government services operate efficiently and effectively; fraud, waste, and abuse are detected and eliminated; government is able to anticipate future demands and opportunities. Typically, government is underinvested in business analytics capabilities.”3

An enterprise data architecture provides the foundation for the consumption of information for strategic purposes, otherwise known as business analytics. NASCIO notes that “Analytics is the extensive use of data, statistical and quantitative analysis, explanatory and predictive models, and fact-based management to drive decisions and actions… This includes the manipulation, visualization, statistical analysis, trending, and correlation analysis that are applied to data.”4

4 Business Analytics, op. cit.

Implementation
▪ Develop a plan for the implementation of an enterprise data architecture including obtaining executive sponsorship
▪ Engage a qualified data architect (may be an ITD staff member) to work with the City’s departments and ITD to develop the Enterprise Data Architecture
▪ Plan for the continuing maintenance of the Enterprise Data Architecture

Recommendation Benefits
Benefits | Impact
Improved information technology resilience/security | Indirect
Increased staff productivity | Direct
Improved service delivery/operations | Direct
Reduced cost of information technology ownership | Direct
Improved return on investment for information technology | Direct

Appendices
Appendix A – Inventory of Technology Policies

No. | Document Title | Origination Date | Revision Date
101 | Information Technology Acquisition and Support | 1/28/98 | 1/20/10
105 | Fiber Optic Communication Network | 5/21/96 | N/A
120 | Network Access and Use Policy | 7/20/93 | 10/20/13
123 | Email Policy | 10/2/97 | 1/20/10
125 | Internet Access and Use Policy | 5/7/98 | 1/20/10
127 | Telephone Use | 11/1/96 | 1/20/10
130 | Electronic Village Concept | 3/1/94 | N/A
132 | Regional Network Consortium | 10/17/95 | N/A
137 | Web Policy | 2/19/98 | 1/20/10
160 | Purchasing Computer Workstations, Laptops, and Mobile Data Computers | 12/5/95 | 1/20/10
163 | Disposing of Surplus Computer Equipment | 10/21/97 | 1/20/10
167 | Employee Loan Program | 12/3/96 | 1/20/10
175 | Video Monitoring Systems | 4/18/06 | 1/20/10
205 | Training Strategy | 6/26/97 | 12/17/09
225 | Hard Drive Installation and Support | 12/9/97 | 12/17/09
230 | Network Application Installation | 12/9/97 | 12/17/09
231 | Mobile Application Installation | 12/17/09 | N/A
280 | Fax Maintenance and Operation | 12/22/93 | 12/17/09
285 | IT Disaster Recovery Plan | 11/1999 | N/A
301 | Criteria for New Off-the-Radar Initiatives | 12/15/04 | 12/17/09
305 | General Computer Workstation Standards | 1/31/96 | 12/17/09
307 | Computer Laptop Standards | 1/24/02 | 12/17/09
308 | Mobile Data Computer Standards | 12/17/09 | N/A
310 | CAD-GIS Workstation Standard | 5/22/96 | 12/17/09
315 | Application Server Standard | 4/23/98 | 12/17/09
316 | Virtual Server Standard | 4/23/98 | 12/17/09
320 | System Printer Standard | 9/25/96 | 12/17/09
325 | Color Printer Standard | 5/29/97 | 12/17/09
330 | Software Standards | 2/28/96 | 12/17/09
340 | Cellular Phones | 2/24/97 | 12/17/09
350 | Passwords | 8/23/94 | 12/17/09
355 | Data Storage for Recovery | 1/28/09 | 12/17/09
360 | Request for User Set-Up or Change | N/A | N/A
370 | Voice Mail Greetings | N/A | N/A
372 | Voice Mail Automated Attendant | 10/4/04 | 12/17/09
380 | Telemetry Standards | 2/2/11 | N/A
401 | Committee and Group Members | 4/2011 | N/A

Appendix B – IT Best Practices Checklist

The IT Best Practices Checklist provides a mechanism for ITD and NexLevel to conduct a dialog regarding IT best practices conformance. ITD initially completes the checklist and it is then reviewed by NexLevel. For each of the assessment factors ITD is asked to determine if they are fully conformant (“Y”), somewhat or minimally conformant (“O”) or non-conformant (“N”). Items that are fully conformant receive a score of 3, items that are substantially conformant receive a score of 2, items that are minimally conformant receive a score of 1, and items for which ITD is non-conformant receive a score of 0. Comments are provided in the right-most column. “SLO” are comments directly from ITD and “NL” are comments or observations from NexLevel.
Client Name and Contact Information
Client Organization: CITY OF SAN LUIS OBISPO – INFORMATION DIVISION
Primary Person(s) Completing Assessment: STEVE SCHMIDT

Instructions

This self-assessment is intended to be completed by NexLevel clients. The assessment is broken out into six best practice categories including:
▪ Technology Governance
▪ Service Delivery
▪ Business Technology Applications
▪ Infrastructure
▪ Security
▪ Administration

For each assessment factor below please:
(1) Indicate whether your organization is in compliance with the best practice assessment factor by entering:
  a. “Y” – if you believe your organization to be fully compliant with the best practice factor and enter “3” in the score column
  b. “O” – if you believe that your organization is somewhat, but not fully, conformant with the best practice factor. Please enter a “2” in the Score column if you believe that your organization is substantially in conformance or a “1” if you believe that your organization is at least minimally conformant. Please provide a brief explanation in the comments field.
  c. “N” – if you believe that your organization is not conformant with the best practice assessment factor.
(2) If there is documentation available (i.e., plans, standards documents, etc.) for this assessment factor, please check this box. Please do not send the document(s), NexLevel will select a number of these items for follow-up and contact you to obtain copies (if needed); and
(3) Please provide any comments that would help NexLevel understand how your organization conforms to the best practice factor.

Please note that in the tables below, “IT organization” refers to the unit(s) charged with providing information technology services to the user community, whether the services are provided by an internal service provider or an external service provider.
Best Practice Conformance

Information Technology Governance

Nbr | Dimension / Category | Best Practice Factor | Yes, No, Other | Score (3,2,1) | Doc Available? | Comments SLO – IT Department (NL = Comment from NexLevel)
1 | IT Oversight | Does the City have a defined IT Governance process? | Y | 3 | Y | SLO - IT STEERING & TAC NL – The governance structure used by SLO (IT Steering Committee and Technical Advisory Committee) appears to be effective and utilized by all departments
2 | IT Oversight | Does the IT organization report, directly or indirectly, to an IT governance committee? | Y | 3 | Y | SLO - IT Governance Plan
3 | IT Oversight | Does the IT governance process provide oversight for all City applications and services? | Y | 3 | Y |
4 | IT Oversight | Does the IT Governance Committee meet regularly? | Y | 3 | Y | SLO - MONTHLY
5 | IT Oversight | Does the City have formal procedures to ensure that departmental applications or web services conform to enterprise standards and best practices? | Y | 3 | Y | SLO - IT POLICY
6 | IT Oversight | Does the City have Steering Committees for enterprise (City-wide) projects or applications? | Y | 3 | Y |
7 | IT Oversight | Are the City’s policy makers and senior executives involved in making technology decisions? | Y | 3 | Y | NL – The governance process, committees, membership, and roles should be documented and adopted as a City technology policy
8 | Strategic Business Plan | Does the City have a strategic business plan? | Y | 3 | Y |
9 | Strategic Business Plan | Are the City's business goals and objectives identified, tracked and measured? | Y | 3 | Y | SLO - FINANCIAL PLAN
10 | Strategic Business Plan | Is the business plan updated on a regular basis? If so, please indicate how often. | Y | 3 | Y | SLO - 2 YEARS
11 | eGovernment Strategy | Does the City have a formal eGovernment / Community Engagement (i.e., social media) Strategy? | O | 2 | Y | SLO - SOCIAL MEDIA POLICIES, OPEN GOV, COMMUNITY FORUMS
12 | eGovernment Strategy | Does the City’s web site provide citizen-facing functions? | Y | 3 | Y | SLO - SEE ABOVE, BILLING, DOCUMENTS, RECORDINGS, HISTORICAL RECORDS, ETC
13 | eGovernment Strategy | Does the IT organization formally monitor and manage the performance of external service provider(s) used to support the web-site? | O | 2 | N | SLO - RECEIVE MONTHLY PERFORMANCE REPORTS
14 | Enterprise Project Management | Does the IT organization have project management processes and standards? | O | 1 | N | SLO - PROJECT PLAN DOCUMENT ONLY NL – See recommendation 3.3.2
15 | Enterprise Project Management | If so, does the IT organization have a separate Project Management Office (PMO) function to ensure project quality and conformance with standards? | N | | | NL – See recommendation 3.3.2
16 | Enterprise Project Management | Are user stakeholders involved in IT projects? | Y | 3 | N | SLO - ITSC PROJECT REQUEST FORMS
17 | Enterprise Project Management | Are project charters developed for each major project? If so, is there a standard format or checklist for project charters? | O | 1 | N | NL – See recommendation 3.3.2
18 | Enterprise Project Management | Does the IT organization maintain an application portfolio? | O | 1 | N | NL – See recommendation 3.3.4
19 | Enterprise Project Management | Does the IT organization have formal procedures for reporting project status to users? | O | 1 | N |
20 | Enterprise Project Management | Does the IT organization have a high project success rate? Does the IT organization have a formal definition of what constitutes project success? | Y | 3 | Y |
21 | Enterprise Project Management | Does the IT organization maintain a list of enterprise IT projects in progress and planned? | Y | 3 | Y | SLO - DASHBOARD AND CURRENT/FUTURE PROJECT LIST
22 | Enterprise Project Management | Does the IT organization have adequate funding and staffing to handle current enterprise projects? | O | 1 | Y | SLO - DASHBOARD
23 | Enterprise Project Management | Does the IT organization have adequate funding and staffing to handle anticipated future enterprise projects? | O | 1 | Y | SLO - PROJECTS IDENTIFIED, NOT FUNDED
24 | Internal and External Communication | Does the IT organization have a formal process for facilitating communication between functional managers? | O | 1 | N | SLO - IN PROCESS NL – See recommendation 3.3.5
25 | Internal and External Communication | Does the IT organization have a formal process for keeping all its staff members informed of system and application updates, policy changes, priorities, etc.? | O | 1 | N | SLO – INFORMAL NL – See #24
26 | Internal and External Communication | Does the IT organization keep the user community informed of changes to information technology environment? | O | 2 | N | SLO – INFORMAL NL – See #24
27 | Internal and External Communication | Does the IT organization have formal processes for communicating with the user community? | O | 2 | N | SLO – INFORMAL NL – See #24
28 | IT Strategic Plan | Does the City have an IT Strategic Plan (ITSP)? | Y | 3 | Y | NL – The IT Strategic Plan developed in 2012 has been effectively used by SLO to manage technology projects.
29 | IT Strategic Plan | Does the ITSP align with, and support, the City’s business plan? | O | 2 | Y |
30 | IT Strategic Plan | Does the ITSP identify goals and objectives, and is progress regularly tracked and measured? | Y | 3 | Y | SLO - MONTHLY
31 | IT Strategic Plan | Is the ITSP updated on a regular basis? If so, please indicate how often the ITSP is updated and the date of the last update. | Y | 3 | Y | SLO - EVERY 5 YEARS, INCEPTION 2012

Service Delivery

Nbr | Dimension / Category | Best Practice Factor | Yes, No, Other | Score (3,2,1) | Doc Available? | Comments (NL = Comment from NexLevel)
32 | Help Desk | Does the IT organization provide a single point of contact for user departments? | Y | 3 | Y |
33 | Help Desk | Does the IT organization have a dedicated Help Desk? | Y | 3 | Y | NL – A Help Desk has been established with 1 FTE who is funded through FY17. This position has been effective in meeting department needs for support and reducing the work load on the Network Administrators. See recommendation 3.3.3 for additional organizational suggestions
34 | Help Desk | Is the Help Desk organized along functional or organizational lines? | O | 2 | N | SLO - IN PROGRESS
35 | Help Desk | Does Help Desk staffing include subject matter experts who can assist users with both application usage and technology issues? | Y | 3 | N | NL – Business application support is provided by ITD staff other than the Help Desk. In the future, the City should consider department based analysts to fill this support role. See recommendation 3.3.3
36 | Help Desk | Does the Help Desk use an issue tracking system? Is the system available to other staff members in the IT organization? To users? | Y | 3 | Y |
37 | Help Desk | Does the IT organization routinely analyze call data for trends, volume and escalation? | Y | 3 | Y | SLO - MONTHLY
38 | Help Desk | Does the Help Desk have specific service levels for response to customers? | Y | 3 | Y | SLO – SLA NL – ITD should establish a service catalog so all City departments understand the role of ITD and delivery expectations. See recommendation 3.3.2
39 | Help Desk | Does the Help Desk have a formal methodology to prioritize requests? | Y | 3 | Y |
40 | Help Desk | Does the IT organization have a formal method for assessing user satisfaction with the services provided by the Help Desk? | O | 2 | Y | SLO - USER SURVEY EVERY 2 YEARS
41 | Help Desk | Does the IT organization believe that the Help Desk services provided to the user community are effective? | Y | 3 | | NL – The 2016 User Satisfaction Survey indicated a high-level of satisfaction with Help Desk Services
42 | Help Desk | Does the IT organization have a formal escalation procedure? | Y | 3 | |
43 | Help Desk | Does the IT organization have a formal process and dedicated channels to handle requests from VIPs? | Y | 3 | |
44 | Help Desk | Does the IT organization provide and support remote access tools to take over user desktops to diagnose and correct problems? If so, what tools are used and how effective are they with regard to: Ease of use? Ensuring that access is restricted to authorized users? Access management? | Y | 3 | | SLO - GOTOASSIST AND GOTOMYPC
45 | Help Desk | Does the IT organization maintain a centralized knowledge base (wiki or other repository)? If yes, is the information contained in the knowledge base considered to be complete, current, and readily accessible? If no, is the IT organization planning to develop a knowledge base? | O | 2 | Y | SLO - KACE AND CONFLUENCE NL – A knowledge base will be important as ITD looks for ways to expand “self-service” techniques to City departments.
46 | Help Desk | Does the IT organization centrally develop and manage desktop and mobile device images that ensure appropriate “lock down” of desktops? | Y | 3 | |
47 | Training | Does the IT organization provide training for users? If yes, please indicate whether: Training is provided on a regular basis? Does the IT organization have dedicated training resources or does it source training? Does the IT organization have formal training curriculums? Does the IT organization perform user surveys to assess the effectiveness of the training provided? | Y | 3 | | SLO - HELP DESK AND TRAINING VENDOR • OFFERED AND PROVIDED • OUTSOURCE • CREATED BY CONTRACTOR • YES
48 | Hours of Service | Does the IT organization provide Help Desk services on a regularly scheduled basis and, minimally, during prime shift / normal business work hours? | Y | 3 | | NL – ITD staff receive overtime pay for outside normal hours activities
49 | Hours of Service | Does the Help Desk provide support for users who may need extended support (such as public safety)? | Y | 3 | Y | SLO – SLA NL – See #48
50 | Hours of Service | Does the IT organization provide after-hours support for mission-critical systems? If yes, who provides the support? | Y | 3 | Y | SLO - SLA, STANDBY
51 | Hours of Service | Does the IT organization schedule routine and ad-hoc system maintenance so as to minimize the impact on internal users and the public? | Y | 3 | Y |
52 | Service Delivery Management - Service Levels | Does the IT organization have formal service level agreements (SLAs) with the user community? | Y | 3 | Y | SLO - COMMUNITY DEVELOPMENT, POLICE, FIRE, UTILITIES NL – ITD indicated service agreements have been created, but without a Service Catalog, it is difficult to ascertain if they are being met. SLAs should be developed for all City departments as well as external vendors.
53 | Service Delivery Management - Service Levels | Does the IT organization have a service catalogue that identifies what IT services are provided, the service levels for each, and that is readily accessible by users? | O | 1 | Y | SLO - WORK IN PROGRESS NL – See recommendation 3.3.2
54 | Service Delivery Management - Service Levels | Does the IT organization have formal service expectations for vendors? | Y | 3 | Y |
55 | Service Delivery Management - Service Levels | Does the IT organization report performance against SLAs, to whom, and with what frequency? | Y | 3 | Y |
56 | Service Delivery Management - Service Levels | Have City departments defined their need for IT systems availability? | O | 2 | Y | SLO – SLA NL – See recommendation 3.3.1
57 | Service Delivery Management - Service Levels | Is the IT organization able to meet user needs with current IT resources, staff and infrastructure? | O | 2 | Y | SLO - HELP DESK & PROJECT ACTIVITY TRACKING (PAT) HOURS
58 | Service Delivery Management - Change Management | Does the IT organization have well-defined change management procedures? | N | | | NL – See recommendation 3.3.2
59 | Service Delivery Management - Change Management | Are procedures in place to ensure conformance with the change management procedures? | N | | | SLO - KDEPLOY, SPACE, UNIDESK, NL – See #58
60 | Service Delivery Management - Change Management | Are proposed changes routinely reviewed with the users? | N | | | NL – See #58
61 | Service Delivery Management - Change Management | Does the change management process specify how proposed changes should be communicated to the user community? | N | | | NL – See #58
62 | Service Delivery Management - Change Management | Does the change management process provide escalation procedures? | N | | | SLO - AD HOC NL – See #58
63 | Service Delivery Management - Change Management | Does the IT organization have an infrastructure change management process? | N | | | SLO - NOT CONSISTENT FOR SMALLER PROJECTS NL – See #58
64 | Service Delivery Management - Capacity Management | Does the IT organization routinely monitor the performance, availability, and the capacity of the network, servers, disk arrays, and other devices? | Y | 3 | N | SLO - LOGICMONITOR
65 | Service Delivery Management - Capacity Management | Does the IT organization utilize dedicated appliances (SAN, NAS, etc.) for the storage of shared enterprise data? | Y | 3 | |
66 | Service Delivery Management - Capacity Management | Does the IT organization have a formal capacity plan? Is it used for the annual budgeting process? If not, what is used? | O | 1 | | SLO - PROJECTION AT TIME OF PURCHASE
67 | Service Delivery Management - Root Cause Analysis | Does the IT organization have a formal process for identifying, analyzing, and correcting the root cause of incidents? | N | | | SLO - KNOWLEDGE BASE NL – See recommendation 3.3.1

Business Technology Applications

Nbr | Dimension / Category | Best Practice Factor | Yes, No, Other | Score (3,2,1) | Doc Available? | Comments (NL = Comment from NexLevel)
68 | Application Support | Are enterprise applications primarily centralized and supported by the IT organization? | Y | 3 | Y |
69 | Application Support | Does the IT organization have a formal resource management plan to allocate resources to applications? | N | | |
70 | Application Support | Does the City have an enterprise IT architecture and supporting standards? | O | 1 | | NL – See recommendation 3.3.6
71 | Application Support | Has the IT organization been charged to provide oversight for departmental applications or services (potentially supported by vendors)? | Y | 3 | Y |
72 | Application Support | If yes, are procedures in place to ensure that applications that are acquired and/or supported by departments conform to standards? | Y | 3 | |
73 | Application Support | Are there procedures in place to formally assess requested exceptions to the standards? | O | 1 | |
74 | Application Support | Does the City have procedures in place that require users to formally declare mission-critical applications and data and their requirements for availability as well as to periodically review the declarations? | N | | | NL – See recommendation 3.3.1
75 | Application Support | Does the City have procedures in place to ensure the ownership, security, and integrity of information that is stored in external applications or services (such as Dropbox)? | N | | |
76 | Application Support | If the IT organization supports any ad-hoc applications based on products such as MS Access or FileMaker Pro, are there procedures in place to ensure their appropriate use? | N | | | SLO - USERS ARE LOCAL ADMINS
77 | Application Support | Does the City have procedures to control the user development of ad-hoc applications and spreadsheets? | N | | |
78 | COTS Products | Does the City have processes to ensure that commercial-off-the-shelf (COTS) applications are utilized largely as delivered with no or only essential custom modifications? | O | 1 | | SLO - NEED BETTER PROCESSES TO ENSURE
79 | COTS Products | Does the IT organization track the product positioning for each COTS product? | O | 1 | | SLO – INFORMALLY NL – See recommendation 3.3.4
80 | COTS Products | If any of the COTS applications are no longer supported by the vendor, is IT working with the user community to replace them? | O | 1 | | SLO - ENTERPRISE LEVEL – YES
81 | COTS Products | Do application staff members and key users attend and participate in vendor user groups and conferences? | O | 1 | |
82 | Cloud Solutions | Does the City have standards for the use of web-based (“cloud”) services such as software as a service (SaaS), cloud-based IT infrastructure (IaaS), etc.? | N | | | NL – The City should develop “cloud” application standards. This could be a part of the recommendation 3.3.2 (Policy/Procedures) or recommendation 3.3.6
83 | Cloud Solutions | Does the City have standards in place to ensure the security and availability of the information stored off-site? | N | | |
84 | Cloud Solutions | Does the City or the IT organization have a formal process for evaluating and approving the use of cloud-based services? | N | | | See # 82
85 | Cloud Solutions | Does the City have processes in place to fully review agreements with cloud-service providers to ensure that all logistical provisions and costs (such as those related to exiting the service agreement) are identified and considered? | O | 1 | | SLO - REVIEW AGREEMENTS
86 | Standards | Does the IT organization regularly apply new vendor releases and upgrades (production vs. current release)? | O | 2 | | SLO - LACKS TEST ENVIRONMENT
87 | Standards | Are test environments provided for each application and are application updates formally and routinely tested by the user community? | N | | | See recommendation 3.3.2
88 | Standards | Does the IT organization have a defined system development lifecycle? | N/A | | |
89 | Standards | Does the IT organization have formal procedures to ensure that all components of the City’s information technology environment (i.e., hardware, system software, applications, etc.) are running on supported versions? | O | 1 | | See recommendation 3.3.4 and the development of current equipment/software standards as shown in recommendation 3.3.2
90 | Standards | Does the IT organization have application development standards? | N/A | | |
91 | Application Effectiveness | Does the IT organization routinely survey users to measure and track their satisfaction with the business application(s) they use? | Y | 3 | | SLO - 2 YEAR SURVEY
92 | Application Effectiveness | Does the IT organization routinely assess the degree to which applications conform to City standards? | O | 1 | |
93 | Application Effectiveness | Does the IT organization routinely assess the degree to which applications meet the users’ performance expectations? | Y | 3 | | SLO - EVERY 2 YEARS
94 | Application Effectiveness | Does the IT organization routinely plan for the functional enhancement, technical renovation or replacement of applications? | O | 1 | | SLO - ENTERPRISE ONLY

Infrastructure

Nbr | Dimension / Category | Best Practice Factor | Yes, No, Other | Score (3,2,1) | Doc Available? | Comments (NL = Comment from NexLevel)
95 | Network | Does the IT organization maintain Open-Systems Interconnection (OSI) conformant diagrams that depict its topology as well as the configuration of major nodes? | N | | | SLO - LAYER 1 TOPOLOGY
96 | Network | Does the IT organization ensure that the network is protected from intrusions by firewalls, DMZ, et al? | O | 2 | |
97 Network If the City has a wireless network, is access to the network restricted?
Y 3 Y 98 Network If the City provides wireless access for "guests" is this provided on a separate wireless network or to segregate "guest" traffic? Y 3 Y 99 Network Does the IT organization have network management tools (CiscoWorks, Openview, etc.) and use them to routinely assess network usage, performance, and track trends? Y 3 Y 100 Network Does the IT organization routinely review all telecomm circuits to ensure the adequacy of the service as well as the continued need for the circuits? Y 3 Y SLO - COST ALLOCATION 101 Internet Access Does the City have an acceptable use policy that is signed by all employees with internet access? O 2 Y SLO - NOT SIGNED NL – This and other security related polices should be reviewed, updated, and adopted by the City 102 Internet Access Does the IT organization actively monitor and manage internet access including intrusion attempts? O 2 SLO - AUTOMATED INTRUSION DETECTION 103 Internet Access Does the City have software deployed to filter content and report policy exceptions? Y 3 Y SLO - USE POLICY Packet Pg. 129 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 76 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Infrastructure 104 Intranet Access Does the City have tools (such as SharePoint) to facilitate collaboration and to edit, approve, and publish documents? O 1 SLO - IN PROGRESS 105 Intranet Access Does the City have formal standards for the use of collaboration tools? O 1 SLO - OLD POLICY NL – This and other security related polices should be reviewed, updated, and adopted by the City 106 Remote Access Does the City provide remote access for employees? If so, is a structured and secured method (i.e., VPN) used for remote access? Y 3 SLO - VPN AND/OR GOTOMYPC 107 Remote Access Does the City have an acceptable use policy for remote users? 
Y 3 Y SLO - NETWORK ACCESS USE POLICY NL – This and other security related polices should be reviewed, updated, and adopted by the City 108 Remote Access Are there procedures in place to ensure that remote users are in conformance with the policy? O 2 109 Remote Access Does the City have a formal policy governing which users are eligible for remote access and that defines the procedures for granting and revoking access? Y 3 SLO – NETWORK ACCESS USE POLICY NL – This and other security related polices should be reviewed, updated, and adopted by the City 110 Remote Access If the City grants remote access to vendors: Is there a formal process for granting and monitoring remote access by vendors? Does the IT organization routinely audit vendor usage to ensure compliance with policy? Do the grants automatically expire after a specified period? O 1 Y • SLO - NOT MONITORED • SLO - NOT AUDITED • SLO - NO EXPIRATION NL – This and other security related polices should be reviewed, updated, and adopted by the City 111 Servers / Data Storage Does the IT organization have well-defined hardware and software standards? O 2 SLO - HARDWARE – YES SLO - SOFTWARE – YES NL – This and other security related polices should be reviewed, updated, and adopted by the City Packet Pg. 130 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 77 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Infrastructure 112 Servers / Data Storage Does the IT organization perform periodic audits to confirm compliance with the hardware and software standards? O 2 SLO - SOFTWARE - NO 113 Servers / Data Storage Does the IT organization have a formal process for reviewing and approving exceptions to the hardware and software standards? 
Y 3 Y SLO - IT STEERING COMMITTEE 114 Servers / Data Storage Does the IT organization have formal policies for the granting of administrative rights for physical and virtual servers? O 1 SLO - INFORMAL, IT ONLY NL – This and other security related polices should be reviewed, updated, and adopted by the City 115 Servers / Data Storage Does the IT organization periodically review grants of administrative rights? N NL – Procedure should be developed 116 Servers / Data Storage Does the IT organization perform routine performance monitoring to ensure that servers can support business applications? Y 3 117 Servers / Data Storage Does the IT organization virtualize servers? If so, does it have formal processes for the creation of instances and to periodically review their use? Y 3 N 118 Servers / Data Storage Does the IT organization perform routine performance monitoring to ensure that that all servers (virtualized or not) are being used effectively and that sufficient capacity is on-hand to meet current and future requirements? Y 3 119 Servers / Data Storage Does the IT organization perform routine performance monitoring to ensure that that centralized storage (NAS, SAN) is being used effectively and that sufficient capacity is on-hand to meet current and future requirements? Y 3 120 Servers / Data Storage Has the City deployed file servers and storage devices in departmental locations? If so, are they located in appropriate and secure facilities? N SLO - CENTRALIZED REDUNDANT STORAGE Packet Pg. 131 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 78 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Infrastructure 121 Routers and Switches Are wiring / server closets neat and free of extraneous materials / clutter? Y 3 Y 122 Routers and Switches Does the IT organization have procedures for cable management and labeling? 
Y 3 123 Routers and Switches Are routers and switches located in secure locations? O 2 124 Desktops, Laptops and Printers Does the IT organization have formal standards for desktops, laptops, printers, and other user devices? Y 3 Y NL – This and other security related polices should be reviewed, updated, and adopted by the City 125 Desktops, Laptops and Printers Does the IT organization control the granting of Administrator rights on desktops? O 1 SLO - REQUIRED FOR SOME LEGACY APPLICATIONS 126 Data Center Environment Has the main server room been appropriately sized for future expansion? Y 3 127 Data Center Environment Is the general layout of the main server room acceptable? Does the layout provide access to both the front and rear of racks? Y 3 128 Data Center Environment Has provision been made to prevent situations such as flooding and fire? O 1 SLO - WATER BASED FIRE SUPPRESSION AT MAIN DATA CENTER 129 Data Center Environment Are server racks and equipment cabinets secured front and rear with locking doors? N SLO - LOCATED IN SECURE FACILITIES 130 Data Center Environment Does the IT organization control and monitor access to facilities such as server rooms? Y 3 Y 131 Data Center Environment Does the IT organization have automated environmental controls to alert appropriate personnel to HVAC issues and other facility problems? Y 3 Packet Pg. 132 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 79 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Infrastructure 132 Data Center Environment Does the data center have sufficient electrical capacity and reliability / business continuity features such as a UPS, stand-by generators, and redundant power sources? 
O 1 SLO - CITY HALL - UNDERSIZED GENERATOR, OVER CAPACITY ELECTRICAL MAIN, NO BACKUP AC 133 Data Center Environment Does the City routinely test to ensure that standby power facilities perform as expected and that the capacity is sufficient? Y 3 134 Data Center Environment Are server racks braced for seismic shock? O 2 Y 135 Data Center Environment Is the data center, server rooms, wiring closets, generally clean and clear of clutter such as decommissioned equipment or unboxed devices? Y 3 136 Data Center Environment Are the cables well managed (i.e., orderly cable runs, color-coded and labeled cables, etc.)? O 2 137 Hardware Refreshment Does the IT organization have a formal refreshment plan for desktops? Servers? Y 3 Y 138 Hardware Refreshment Does the IT budget provide dedicated funds for the refreshment / renovation of desktop PCs, etc. per year? Y 3 Y Packet Pg. 133 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 80 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Security / Information Protection 139 Network Security Does the IT organization routinely perform perimeter of other testing to ensure that intrusions are blocked and reported? If so, when was the last time that this testing was performed? N NL – See recommendation 3.3.1 140 Network Security Does the IT organization have procedures in place to control wireless access (such as MAC addresses to access point, encrypted login stream, etc.)? Y 3 141 Physical Security Does the IT organization monitor access to sensitive IT and business areas? Y 3 142 Data Protection Does the IT organization have procedures in place to manage user passwords (such as requiring strong passwords and periodic changing of passwords)? 
O 1 NL – This and other security related polices should be reviewed, updated, and adopted by the City 143 Data Protection Does the City have a formal process to notify IT when employees are terminated or out on extended leave? N SLO - NO FORMAL PROCESS OR ASSIGNMENT OF DUTY NL – This and other security related polices should be reviewed, updated, and adopted by the City 144 Data Protection Does the City have a formal process for requesting network and application access for new users? O 2 Y SLO - CITY STAFF NOT FOLLOWING PROCESS CONSISTENTLY NL – This and other security related polices should be reviewed, updated, and adopted by the City 145 Desktop Security Does the City have a formal user security policy regarding data sensitivity, confidentiality, etc.? O 1 SLO - IT REQUEST NL – This and other security related polices should be reviewed, updated, and adopted by the City 146 Desktop Security Does the City have formal procedures in place to ensure that all users are familiar with, and conform to, the security policy? N SLO - NO POLICY NL – This and other security related polices should be reviewed, updated, and adopted by the City 147 Desktop Security Does the City have formal procedures to ensure the security of information on mobile and portable systems (such as the encryption)? O 1 NL – This and other security related polices should be reviewed, updated, and adopted by the City Packet Pg. 134 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 81 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Security / Information Protection 148 Data Backups Does the IT organization perform backups on a regularly scheduled basis? If yes, what is the schedule? If yes, what is the process (i.e., disk to disk to tape, etc.)? 
Y 3 Y SLO - NIGHTLY DISK TO DISK, SNAPSHOT, TAPE NL – The process used by ITD appears to meet best practices and ensures effective backup(s) of data 149 Data Backups Does the IT organization have multiple backup devices, e.g., mirroring, redundant servers, removable media, etc.?) Y 3 NL - See # 148 150 Data Backups Does the IT organization routinely backup critical application information? Y 3 NL - See # 148 151 Data Backups Does the backup include documentation, configuration settings, and system software? O 2 SLO – SLOIT NL – See #148 152 Data Backups Does the IT organization routinely verify and test backups? O 1 153 Business Continuity and Disaster Recovery Does the City have a formal IT business continuity plan that identifies mission critical applications, their availability requirements, and the maximum duration that the application can be down? O 1 SLO - SLA DOES NOT COVER ALL MISSION CRITICAL APPLICATIONS NL – Could not determine if a Business Continuity Plan exists from documentation provided by ITD. 154 Business Continuity and Disaster Recovery Has the IT organization systematically identified all single points of failure and the actions required to remediate them? O 1 SLO - NOT DOCUMENTED, NOT ALL REMEDIATED 155 Business Continuity and Disaster Recovery Does the IT organization have the ability (people, plans, processes, procedures, and other resources) needed to react to a service interruption and resume service in an acceptable timeframe? Y 3 Y SLO - ALSO HAVE AN EOC PLAN, CONSULTANTS ON RETAINER Packet Pg. 135 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 82 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Security / Information Protection 156 Business Continuity and Disaster Recovery Does the IT organization have a disaster recovery plan? If so, please indicate when the plan was last updated? 
O 1 SLO - LAST PLAN 1999 NL – See recommendation 3.3.1 157 Business Continuity and Disaster Recovery Does the IT organization conduct regular exercises to validate the disaster recovery plan and to ensure that systems and applications can be recovered as planned? If so, please provide the date of the most recent exercise. N NL – See #156 158 Emergency Operations Center (EOC) Does the City have an emergency operations center? Y 3 Y 159 Emergency Operations Center (EOC) Does the IT organization have personnel assigned to support the EOC? Y 3 Y 160 Emergency Operations (EOC) Does the City routinely conduct drills to ensure that the EOC is fully functional and can be brought online in a timely manner? Y 3 Y 161 Emergency Operations (EOC) Does the City have plans for the activation of an alternate EOC if needed? Y 3 Y SLO - CORP YARD, UNTESTED 162 Virus/Spam Protection Does the IT organization deploy software to control viruses, spyware, other malware, and e- mail spam on user desktops? If yes, please indicate in the comments section: What vendors / products / versions are used? Does the IT organization have enterprise licenses for these products? Y 3 Y SLO - ESET, MCAFEE PROXY SAAS, EMAIL SAAS Packet Pg. 136 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 83 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) Security / Information Protection 163 Virus/Spam Protection Does the IT organization apply updates to this software in an automated and timely manner? Y 3 Y 164 Cybersecurity, Intrusion Detection and Management Does the IT organization have a cybersecurity plan in place for the detection, reporting, management, and response to intrusions? Is the plan conformant to recognized cybersecurity frameworks such as NIST? 
N 165 Cybersecurity, Intrusion Detection and Management Does the IT organization routinely review logs to identify incoming and outgoing traffic to potentially suspicious or malicious sites? O 1 SLO - RETROACTIVE ISP NOTIFICATION 166 Cybersecurity, Intrusion Detection and Management Does the IT organization have an independent testing organization routinely perform perimeter and other testing to ensure the adequacy of controls? N SLO - NO INTERNAL PEN TEST, SOME PCI EXTERNAL SCAN NL – See recommendation 3.3.1 167 Cybersecurity, Mobility If users access City information or services using remote devices has the IT organization adopted appropriate procedures (such as mobile device management) to secure these devices from use by unauthorized individuals? O 1 SLO - AVAILABLE MDM, MERAKI & O365 168 Patch Management Is security patching up to date on all components including servers, routers, switches, and desktops? O 2 SLO - MOST SERVERS & DESKTOPS; SWITCHES & ROUTERS ON VENDOR PROVIDED 169 Patch Management Is patching of the servers automated? O 2 SLO - NOT ON CRITICAL SERVERS 170 Patch Management Does the IT organization have formal (i.e. documented), change management procedures for infrastructure patches and upgrades? N NL – See recommendation 3.3.2 171 Patch Management Does the IT organization apply patches and hot fixes in a timely manner according to the severity of the issue and as per vendor recommendations? Y 3 N Packet Pg. 137 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 84 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) IT Administration 172 IT Organization Is there an organization chart for the IT organization? Y 3 Y SLO - ORG CHART 173 IT Organization Are the functional responsibilities for each unit and staff member clearly delineated? 
Y 3 Y SLO - ORG CHART & JOB DESC 174 IT Organization Does the IT organization have a resource management plan to ensure that it can continue to meet user requirements in the future? N NL – See recommendation 3.3.3 175 IT Organization Does the IT organization have formal job descriptions for each position? Y 3 Y SLO - HR JOB DESC 176 IT Organization Does the IT organization have a succession plan for each position? O 1 N SLO - INFORMAL REDUNDANCY & CROSS TRAINING NL – See recommendation 3.3.3 177 IT Organization Does the IT Organization have a training / development plan for each position? O 1 SLO - INFORMAL AND BASED ON REQUEST 178 Procurement, Contracts and Vendor Management Does the IT organization rely on contractors, outside vendors or interns to assist with support? If so, does it have procedures to ensure that their work is documented and conforms to standards? O 2 SLO - KBOX, NO STANDARDS 179 Procurement, Contracts and Vendor Management Does the IT organization review all procurements of IT goods and services? Y 3 Y SLO - PURCHASING POLICY 180 Procurement, Contracts and Vendor Management Are all IT contracts centralized and accessible by IT? Y 3 Y 181 Procurement, Contracts and Vendor Management Does the IT organization have contracts tracking and management process in place? O 2 SLO - MONTHLY MEETINGS Packet Pg. 138 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 85 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) IT Administration 182 Procurement, Contracts and Vendor Management Does the IT organization regularly meet with IT vendors? Y 3 183 Procurement, Contracts and Vendor Management Are SLAs specified in vendor contracts? Y 3 Y SLO - SLA TEMPLATE NL – See recommendation 3.3.2 184 Procurement, Contracts and Vendor Management Does the IT organization generally have positive vendor relationships? 
Y 3 185 Software License Management Does the IT organization have a central repository for all IT licenses? O 1 186 Software License Management Does the IT organization handle license renewals on a timely basis? O 2 187 Software License Management Does the IT organization have a formal license management/auditing process? N 188 Inventory Management Does the IT organization have a hardware and software inventory control system? O 2 SLO - KACE 189 Inventory Management Does the IT organization have a current inventory of servers, desktops, printers, applications, etc.? O 2 SLO - COST ALLOCATION, KACE 190 Budget Are all technology maintenance contracts budgeted within the IT organization? O 2 191 Budget Does the City have a formal process for submitting items for the IT budget? Y 3 Y 192 Technical Documentation Are operational procedures documented (i.e. backups)? O 1 193 Technical Documentation Does the IT organization maintain a master vendor list with contact information? O 2 Packet Pg. 139 1 City of San Luis Obispo Information Technology Assessment Report August 29, 2017 Page | 86 Best Practice Conformance Nbr Dimension / Category Best Practice Factor Yes, No, Other Score (3,2,1) Doc Avail- able? Comments (NL = Comment from NexLevel) IT Administration 194 Policies and Procedures Does the IT organization plan have a process for the periodic review and update of additional policies and procedures? O 1 SLO - OUT OF DATE NL – See recommendation 3.3.2 195 IT Documentation Does the IT organization maintained detailed and current technical documentation for the City's IT infrastructure? O 1 SLO - SPECIFIC SYSTEMS (RADIO SYSTEM) 196 Tactical Workplan Does the IT organization maintain a tactical work plan that details the tasks assigned to each staff member, the duration of the tasks, and the start and completion dates? 
N NL – ITD should develop a series of technical “blueprints” for the daily operation and management of ITD (annual work plans, network diagrams, configuration settings/pictures, etc.) Packet Pg. 140 1 2017 Citywide IT Strategic PlanSeptember 5, 2017Presentation to City Council09-05-2017 Item 1, Staff Presentation Council RecommendationsRecommendations to CouncilProvide staff with direction on desired changes and/or commentsAcceptance the 2017 IT Assessment and 2017-22 IT Strategic Plan09-05-2017 Item 1, Staff Presentation Presentation OutlineIT Strategic Plan Project Update OverviewIT Assessment OverviewIT Strategic Plan OverviewSummary and Questions09-05-2017 Item 1, Staff Presentation 2017 IT Strategic Plan Update ProjectPurposeEnable the optimum allocation of the City’s technology resources to achieve the greatest benefits for the City’s investmentsApproachReviewed and validated progress since last planning effort2011 IT Assessment / 2012 IT Strategic PlanCompleted a “Voice of the User” SurveyInterviewed ITD and City department staffPerformed an IT Assessment / Data GatheringIdentified and prioritized technology projects09-05-2017 Item 1, Staff Presentation Current IT Environment09-05-2017 Item 1, Staff Presentation Roadmap to Success09-05-2017 Item 1, Staff Presentation 2011/12 IT Assessment and Plan Progress27151CompletedIn ProcessOn Hold20962CompletedIn ProcessNot StartedCancelledIT Assessment RecommendationsIT Strategic Plan Projects09-05-2017 Item 1, Staff Presentation Voice of the User Survey – 2017 vs. 2011• Improvement demonstrated in all 12 comparable questions• Improvement ranged from 5% - 38% 09-05-2017 Item 1, Staff Presentation Voice of the User Survey – 2017 vs. 
2014Percentage Improvement by Survey Selection Criteria13%32%31%2% 0%0%5%10%15%20%25%30%35%SignificantlyBetterSlightly Better No Change Slightly Worse SignificantlyWorse09-05-2017 Item 1, Staff Presentation 2017 IT Best Practices AssessmentITD’s conformance with best practices is outstanding and surpasses many of its’ peer organizations09-05-2017 Item 1, Staff Presentation 2017 Technology Enterprise SWOT Analysis09-05-2017 Item 1, Staff Presentation 2017 IT Assessment RecommendationsWith the building blocks set, NexLevel worked with all City departments to complete an IT Assessment that resulted in seven specific recommendations:Take steps to ensure the security and sustainability of City’s IT environmentAdopt additional IT Best PracticesExpand ITD to improve its ability to support current and emerging user requirementsDevelop a Business Application PortfolioTake steps to improve its collaboration/communication with City departmentsDevelop an Enterprise Data ArchitectureAugmentation of IT resources to include DBA and Help Desk Technician09-05-2017 Item 1, Staff Presentation Setting IT Direction – The Building BlocksTo empower the City to provide excellent service to the communityTo connect people to information and technology solutions1) Innovation, 2) Integration, 3) Information09-05-2017 Item 1, Staff Presentation Enablers for Continuous ImprovementEngaged citywide IT GovernanceProactive resource prioritization and managementAdaptation to changeShared ownership with City Department business applicationsContinue to invest in training for IT staff and add additional expertise to support future technology initiatives09-05-2017 Item 1, Staff Presentation IT Projects – 5 Year CIPFY 2017/18FY 2018/19FY 2019/20FY 2020/21Q1‐Q2Q3‐Q4Q1‐Q2Q3‐Q4Q1‐Q2Q3‐Q4Q1‐Q2Q3‐Q4South Hills Radio SiteMotion ERPNetwork Security UpgradeSQL Server ClusterPD SAN ControllersStorage Capacity ReplacementFirewall ReplacementMicrosoft Office UpdateUPS Battery Backup SystemServer 
Operating System SoftwareVoIP Telephone SystemRadio Handhelds & MobilesECC Blade ComputersECC Equipment ReplacementTait Radio System UpgradeIrrigation SystemVirtual Private Network ReplacementDispatch Radio ConsolesAudio Recording System ReplacementCitywide Wireless SystemUPS Battery Backup SystemPublic Surveillance CamerasPD SAN ControllersRadio Handhelds & MobilesRadio Handhelds & MobilesFY 2020/21Q1‐Q2Q3‐Q4Radio Handhelds & MobilesFleet ManagementIT OrganziationIT Best PracticesApplication PortfolioIT PlansEnterprise Data ArchitectureCollaboration and CommunicationITPolice and ITPOLICE AND FIREFINANCEPOLICEPUBLIC WORKSCITY‐WIDEIT ASSESSMENT RECOMMENDATION09-05-2017 Item 1, Staff Presentation Summary and Council RecommendationsRecommendations to CouncilProvide staff with direction on desired changes and/or commentsAcceptance the 2017 IT Assessment and 2017-22 Strategic Plan09-05-2017 Item 1, Staff Presentation