The URL can be used to link to this page

Home My WebLink About2024-09-10 Policy & Services Committee Summary MinutesPOLICY & SERVICES COMMITTEE SUMMARY MINUTES Page 1 of 5 Regular Meeting September 10, 2024 The Policy & Services Committee of the City of Palo Alto met on this date in Council Chambers and by virtual teleconference at 7:00 P.M. Present In-Person: Kou (Chair), Lythcott-Haims, Tanaka Absent: Council Member Tanaka joined at 7:03 PM. Call to Order Chair Kou called the meeting to order. The Clerk took roll and declared there was a quorum. Public Comments There were no public comments. Agenda Items 1. Office of the City Auditor Presentation of the Technology Applications Disaster Recovery Preparedness Assessment Audit Report City Auditor Kate Murdock voiced that the audit looked at the City’s current Disaster Recovery Plan for high-priority applications. Baker Tilly Partner Brian Nichols presented the audit findings and recommendations. He stated his team oversaw the performance of the technology applications disaster preparedness assessment. He displayed a slide with the overall objectives. The goal had been to assess the current Disaster Recovery Plan focused on high-priority applications and the supporting City infracture to identify documentation adequacy and to determine if any additional requirements needed to be documented. They were additionally looking to assess the current recovery capabilities and develop recommendations for any identified gaps. He spoke of the positives, which included the City having a continuity of operations plan, disaster recovery and business continuity process documents, backup procedure documents, and a formal communications plan. The findings had been placed in two categories – tactical findings and governance strategic-related findings. He defined the tactical and the strategic findings. There were six SUMMARY MINUTES Page 2 of 5 Policy & Services Committee Meeting Summary Minutes: 9/10/2024 findings, all of which the City had reviewed, and management had provided responses and timelines for remediation. Council Member Lythcott-Haims asked if the City was in a bronze, silver, or gold category as it related to disaster preparedness on the tech side. Baker Tilly Nichols answered that the documentation and the governance of the processes was there. The majority of the items they had identified were enhancements to continue to mature the capabilities of the IT-recovery services. Overall it was a well-structured, formalized function and well documented with the teams understanding their roles and responsibilities. Council Member Tanaka inquired if hacking prevention had been investigated; what had been found to be the biggest risk; and how much of the technology was cloud-based or hosted by a third party. Baker Tilly Nichols replied that they had not been specifically focused on a ransomware perspective but it was more recovery of the overall critical IT services and systems. He thought that was a key aspect defined within the City’s preparedness of the continuity of operations plan, disaster recovery, and backup procedures focusing on restoring services and systems in a timely manner if a security incident occurred. As for the biggest risk, he thought there was a heavy focus on some of the most critical IT services, which was where any kind of recovery preparedness would start, but there were also additional layers of focus. Looking beyond critical IT services and into the more broader IT applications and capabilities continued to mature. There was a need to enhance the business impact assessments to enable identification of critical City operations as well as the recovery objectives for those services. There should be ongoing review to align the criticality of IT services and the recovery objectives to the City’s needs as things evolved over time. He explained that the City could improve and mature on tactical technical areas. He did not know how much of the technology was cloud-based or hosted by a third party. Assistant City Manager Kiely Nose would follow up with an answer to how much of the technology was cloud-based or hosted by a third party. Chair Kou referenced Packet Page 14 and queried why there were three tiers to the criticalities listed. She was concerned that the recovery time objectives were 72 to 120 hours and questioned if that could be improved. She requested the status of the Business Impact Analysis. She asked if the backup processes should be improved and if there had been exercises to ensure that the SOPs would run smoothly; where IT would operate from; if the auditor was satisfied with the response related to Finding 5; and if the audit had been passed down from the former auditor. Assistant City Manager Nose responded that GIS was used in conjunction with deployment of Police and Fire resources. IT was working with OES on the Business Impact Analysis. The first focus would be on core City systems, and then the ongoing impacts and the broader aspects of individual department resources would be the next phase. She explained that actions were SUMMARY MINUTES Page 3 of 5 Policy & Services Committee Meeting Summary Minutes: 9/10/2024 being taken to make departments aware of the work to be done on the continuity plans. More granular questions would need to be presented to the IT team for follow-up. They would ensure that the SOPs would be kept up to date, although it was always an area of improvement. Where IT would operate from would depend on the situation, which she explained. She needed to confer with IT to determine if there was a “second” designated place, but the continuity of operations would be planned for. The audit had been passed down from the former auditor. Baker Tilly Nichols answered that recovery times and backup processes could be improved. They were satisfied with the response concerning Finding 5. MOTION: Council Member Kou moved, seconded by Council Member Lythcott-Haims, to recommend the City Council approve the Technology Applications Disaster Recovery Preparedness Assessment Audit Report. MOTION PASSED: 3-0 2. Discussion and Recommendation to Council on a potential reimbursement policy, allowing up to $2,000 annually per Council Member, for specified purposes Deputy City Manager Chantal Cotton Gaines stated that Council had asked if there was a way for the City to dedicate up to $2,000 per Council member, allowing them to recoup some of their costs related to their service. The Attorney’s Office had assembled a draft policy, which was being presented to P&S for review and feedback. It could be recommended to Council or further work could be done if it did not match the intent. If approved by Council, it would make a change to the Procedures and Protocols Handbook. Assistant City Attorney Mark Vanni voiced that a draft policy had been compiled and, if it should move forward, the Staff Memo explained the thought process regarding the policy. This was just an idea, and staff would need to develop protocols, etc. He mentioned that a peer stipend could not be done; however, they felt a partial reimbursement for cell phones, etc., substantiated with receipts was within the letter and spirit of the law. Council Member Lythcott-Haims queried how the 25-percent reimbursement had been arrived at. She found it fitting for her cell phone but not for her Zoom account. She questioned why only cell phone bills would be capped. Assistant City Attorney Vanni outlined how the 25-percent reimbursement number had been arrived at, although another percentage could be used. Reimbursement of 100 percent would require that a device be used for official business only. He referenced Section 2.1 and specified that the cap would apply to technological purchases, not just cell phone bills. Council Member Tanaka echoed Council Member Lythcott-Haims’ comments. He voiced that his expenses exceeded $2,000 annually. He discussed the cost for staff managing this, and he suggested it not be so prescriptive. SUMMARY MINUTES Page 4 of 5 Policy & Services Committee Meeting Summary Minutes: 9/10/2024 Deputy City Manager Cotton Gaines remarked that the policy draft was trying to be mindful that the more cumbersome it was the less likely it would be of use to Council members but that it also followed existing accounting and other sets of principles. Chair Kou questioned what the process would be. She noted that this related to communication tools, not paper, etc., which she thought was good, but she wanted that to be understood. Deputy City Manager Cotton Gaines replied that staff had recommended the process start with the City Clerk’s office and then be submitted to the Administrative Services Department. Applying this reimbursement policy to events, etc., would be tricky. Assistant Director of Administrative Services Christine Paras added that they were developing a simple process, and she outlined what that may involve. Assistant City Attorney Vanni understood that this would relate to cell phone usage and technology purchases. If the policy was to include events, it would require several additional parameters. Council Member Lythcott-Haims asked if interns were paid and if they were from the Palo Alto area or the broader region and if Council members had access to the pool of interns. She spoke of expenses being reimbursed within 60 days of the incurred expense, and she assumed that annual expenses, such as her Zoom account, would qualify. She inquired if the budgeted amount not rolling over year over year related to the fiscal or calendar year. She asked Council Member Tanaka if he could articulate a simpler process, which he had spoken about. Deputy City Manager Cotton Gaines answered that interns were paid for the most part, although some were volunteers or on a school-credit basis. Intern recruitment was not restricted by geography. As for Council members having access to the pool of interns, the Committee had explored the idea of interns and paid assistants, which she thought was outside this policy and that there would need to be a deeper discussion. She confirmed that annual bills could be submitted at the time of a Council member receiving such a bill. The budgeted amount not rolling over year over year was on the fiscal year cycle. Council Member Tanaka supported interns being available to Council members and that they be paid. He suggested the process be flexible and not so stringent, such as allowing extensions and simply signing off on an expense. He thought there should be a $2,000 limit. Chair Kou queried how an intern might be assigned to work for a single Council member and how they would serve the whole Council versus one Council member. She spoke of interns wanting to expand their understanding of government operations and different departments, so she thought assignment to one Council member needed to be further explored because she felt interns should be exposed to as much as possible. SUMMARY MINUTES Page 5 of 5 Policy & Services Committee Meeting Summary Minutes: 9/10/2024 Deputy City Manager Cotton Gaines responded that assigning an intern to a single Council member had not yet been addressed and was not part of this policy. Staff would have to give it some consideration. She explained why funding interns had not been included in this program. MOTION: Council Member Lythcott-Haims moved, seconded by Council Member Tanaka, to recommend the City Council include the draft reimbursement policy in the City Council Procedures and Protocols Handbook. Council Member Lythcott-Haims appreciated Council Member Tanaka’s interest in a more simplified process. Rather than encumbering the motion and revising the draft, she was sure that Council Member Tanaka would raise the issue with Council and that there would be a discussion. Chair Kou voiced that she did not support it because she took the position voluntarily. MOTION PASSED: 2-1, Kou no Deputy City Manager Cotton Gaines asked if this discussion could be taken to the next discussion about the Procedures and Protocols Handbook at Council, which may be in December. Council Member Lythcott-Haims replied that it depended on when it would come back because this would offer financial relief for those who were concerned about costs. She did not want it to take years to implement. Deputy City Manager Cotton Gaines remarked it would be a separate item if the schedule was too far out. Future Meetings and Agendas Deputy City Manager Chantal Cotton Gaines did not have an exact list for October, so she would later share it with the Chair. There were several items coming in October, November, and December, and she would share the tentative list with the Committee. There would be a couple audits in October. They were looking to reschedule the November meeting, due to a special City Council meeting to replace the Veterans Day Council meeting, so the Clerk’s Office would reach out to Committee members to find a replacement date. Adjournment: The meeting was adjourned at 7:50 PM.