The URL can be used to link to this page

Home My WebLink About2024-09-10 Policy & Services Committee Agenda PacketPOLICY AND SERVICES COMMITTEE Regular Meeting Tuesday, September 10, 2024 Council Chambers & Hybrid 7:00 PM Policy and Services Committee meetings will be held as “hybrid” meetings with the option to attend by teleconference/video conference or in person. Information on how the public may observe and participate in the meeting is located at the end of the agenda. The meeting will be broadcast on Cable TV Channel 26, live on YouTube https://www.youtube.com/c/cityofpaloalto, and streamed to Midpen Media Center https://midpenmedia.org. VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621) Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833 PUBLIC COMMENTS General public comment for items not on the agenda will be accepted in person for up to three minutes or an amount of time determined by the Chair. General public comment will be heard for 30 minutes. Additional public comments, if any, will be heard at the end of the agenda. Public comments for agendized items will be accepted both in person and via Zoom for up to three minutes or an amount of time determined by the Chair. Requests to speak will be taken until 5 minutes after the staff’s presentation or as determined by the Chair. Written public comments can be submitted in advance to city.council@CityofPaloAlto.org and will be provided to the Council and available for inspection on the City’s website. Please clearly indicate which agenda item you are referencing in your subject line. PowerPoints, videos, or other media to be presented during public comment are accepted only by email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received, the Clerk will have them shared at public comment for the specified item. To uphold strong cybersecurity management practices, USB’s or other physical electronic storage devices are not accepted. Signs and symbolic materials less than 2 feet by 3 feet are permitted provided that: (1) sticks, posts, poles or similar/other type of handle objects are strictly prohibited; (2) the items do not create a facility, fire, or safety hazard; and (3) persons with such items remain seated when displaying them and must not raise the items above shoulder level, obstruct the view or passage of other attendees, or otherwise disturb the business of the meeting. CALL TO ORDER PUBLIC COMMENT Members of the public may speak inperson ONLY to any item NOT on the agenda. 13 minutes depending on # of speakers. Public Comment is limited to 30 minutes. Additional public comments, if any, will be heard at the end of the agenda. ACTION ITEMS 1.Office of the City Auditor Presentation of the Technology Applications Disaster Recovery Preparedness Assessment Audit Report 2.Discussion and Recommendation to Council on a potential reimbursement policy, allowing up to $2,000 annually per Council Member, for specified purposes FUTURE MEETINGS AND AGENDAS Members of the public may not speak to the item(s) ADJOURNMENT PUBLIC COMMENT INSTRUCTIONS Members of the Public may provide public comments to teleconference meetings via email, teleconference, or by phone. 1. Written public comments may be submitted by email to city.council@cityofpaloalto.org. 2. For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item. 3. Spoken public comments for agendized items using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐ browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30 , Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak. When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments. 4. Spoken public comments for agendized items using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted. CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833 Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. California Government Code §84308, commonly referred to as the "Levine Act," prohibits an elected official of a local government agency from participating in a proceeding involving a license, permit, or other entitlement for use if the official received a campaign contribution exceeding $250 from a party or participant, including their agents, to the proceeding within the last 12 months. A “license, permit, or other entitlement for use” includes most land use and planning approvals and the approval of contracts that are not subject to lowest responsible bid procedures. A “party” is a person who files an application for, or is the subject of, a proceeding involving a license, permit, or other entitlement for use. A “participant” is a person who actively supports or opposes a particular decision in a proceeding involving a license, permit, or other entitlement for use, and has a financial interest in the decision. The Levine Act incorporates the definition of “financial interest” in the Political Reform Act, which encompasses interests in business entities, real property, sources of income, sources of gifts, and personal finances that may be affected by the Council’s actions. If you qualify as a “party” or “participant” to a proceeding, and you have made a campaign contribution to a Council Member exceeding $250 made within the last 12 months, you must disclose the campaign contribution before making your comments. 1 Regular Meeting September 10, 2024 Materials related to an item on this agenda submitted to the Board after distribution of the agenda packet are available for public inspection at www.CityofPaloAlto.org/agendas. POLICY AND SERVICES COMMITTEERegular MeetingTuesday, September 10, 2024Council Chambers & Hybrid7:00 PMPolicy and Services Committee meetings will be held as “hybrid” meetings with the option toattend by teleconference/video conference or in person. Information on how the public mayobserve and participate in the meeting is located at the end of the agenda. The meeting will bebroadcast on Cable TV Channel 26, live on YouTube https://www.youtube.com/c/cityofpaloalto,and streamed to Midpen Media Center https://midpenmedia.org.VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621)Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833PUBLIC COMMENTSGeneral public comment for items not on the agenda will be accepted in person for up to threeminutes or an amount of time determined by the Chair. General public comment will be heardfor 30 minutes. Additional public comments, if any, will be heard at the end of the agenda.Public comments for agendized items will be accepted both in person and via Zoom for up tothree minutes or an amount of time determined by the Chair. Requests to speak will be takenuntil 5 minutes after the staff’s presentation or as determined by the Chair. Written publiccomments can be submitted in advance to city.council@CityofPaloAlto.org and will be providedto the Council and available for inspection on the City’s website. Please clearly indicate whichagenda item you are referencing in your subject line. PowerPoints, videos, or other media to be presented during public comment are accepted onlyby email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received,the Clerk will have them shared at public comment for the specified item. To uphold strongcybersecurity management practices, USB’s or other physical electronic storage devices are notaccepted. Signs and symbolic materials less than 2 feet by 3 feet are permitted provided that: (1) sticks, posts, poles or similar/other type of handle objects are strictly prohibited; (2) the items do not create a facility, fire, or safety hazard; and (3) persons with such items remain seated when displaying them and must not raise the items above shoulder level, obstruct the view or passage of other attendees, or otherwise disturb the business of the meeting. CALL TO ORDER PUBLIC COMMENT Members of the public may speak inperson ONLY to any item NOT on the agenda. 13 minutes depending on # of speakers. Public Comment is limited to 30 minutes. Additional public comments, if any, will be heard at the end of the agenda. ACTION ITEMS 1.Office of the City Auditor Presentation of the Technology Applications Disaster Recovery Preparedness Assessment Audit Report 2.Discussion and Recommendation to Council on a potential reimbursement policy, allowing up to $2,000 annually per Council Member, for specified purposes FUTURE MEETINGS AND AGENDAS Members of the public may not speak to the item(s) ADJOURNMENT PUBLIC COMMENT INSTRUCTIONS Members of the Public may provide public comments to teleconference meetings via email, teleconference, or by phone. 1. Written public comments may be submitted by email to city.council@cityofpaloalto.org. 2. For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item. 3. Spoken public comments for agendized items using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐ browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30 , Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak. When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments. 4. Spoken public comments for agendized items using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted. CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833 Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. California Government Code §84308, commonly referred to as the "Levine Act," prohibits an elected official of a local government agency from participating in a proceeding involving a license, permit, or other entitlement for use if the official received a campaign contribution exceeding $250 from a party or participant, including their agents, to the proceeding within the last 12 months. A “license, permit, or other entitlement for use” includes most land use and planning approvals and the approval of contracts that are not subject to lowest responsible bid procedures. A “party” is a person who files an application for, or is the subject of, a proceeding involving a license, permit, or other entitlement for use. A “participant” is a person who actively supports or opposes a particular decision in a proceeding involving a license, permit, or other entitlement for use, and has a financial interest in the decision. The Levine Act incorporates the definition of “financial interest” in the Political Reform Act, which encompasses interests in business entities, real property, sources of income, sources of gifts, and personal finances that may be affected by the Council’s actions. If you qualify as a “party” or “participant” to a proceeding, and you have made a campaign contribution to a Council Member exceeding $250 made within the last 12 months, you must disclose the campaign contribution before making your comments. 2 Regular Meeting September 10, 2024 Materials related to an item on this agenda submitted to the Board after distribution of the agenda packet are available for public inspection at www.CityofPaloAlto.org/agendas. POLICY AND SERVICES COMMITTEERegular MeetingTuesday, September 10, 2024Council Chambers & Hybrid7:00 PMPolicy and Services Committee meetings will be held as “hybrid” meetings with the option toattend by teleconference/video conference or in person. Information on how the public mayobserve and participate in the meeting is located at the end of the agenda. The meeting will bebroadcast on Cable TV Channel 26, live on YouTube https://www.youtube.com/c/cityofpaloalto,and streamed to Midpen Media Center https://midpenmedia.org.VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621)Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833PUBLIC COMMENTSGeneral public comment for items not on the agenda will be accepted in person for up to threeminutes or an amount of time determined by the Chair. General public comment will be heardfor 30 minutes. Additional public comments, if any, will be heard at the end of the agenda.Public comments for agendized items will be accepted both in person and via Zoom for up tothree minutes or an amount of time determined by the Chair. Requests to speak will be takenuntil 5 minutes after the staff’s presentation or as determined by the Chair. Written publiccomments can be submitted in advance to city.council@CityofPaloAlto.org and will be providedto the Council and available for inspection on the City’s website. Please clearly indicate whichagenda item you are referencing in your subject line. PowerPoints, videos, or other media to be presented during public comment are accepted onlyby email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received,the Clerk will have them shared at public comment for the specified item. To uphold strongcybersecurity management practices, USB’s or other physical electronic storage devices are notaccepted.Signs and symbolic materials less than 2 feet by 3 feet are permitted provided that: (1) sticks,posts, poles or similar/other type of handle objects are strictly prohibited; (2) the items do notcreate a facility, fire, or safety hazard; and (3) persons with such items remain seated whendisplaying them and must not raise the items above shoulder level, obstruct the view orpassage of other attendees, or otherwise disturb the business of the meeting.CALL TO ORDERPUBLIC COMMENT Members of the public may speak inperson ONLY to any item NOT on the agenda. 13 minutes depending on # ofspeakers. Public Comment is limited to 30 minutes. Additional public comments, if any, will be heard at the end ofthe agenda.ACTION ITEMS1.Office of the City Auditor Presentation of the Technology Applications Disaster RecoveryPreparedness Assessment Audit Report2.Discussion and Recommendation to Council on a potential reimbursement policy,allowing up to $2,000 annually per Council Member, for specified purposesFUTURE MEETINGS AND AGENDASMembers of the public may not speak to the item(s) ADJOURNMENT PUBLIC COMMENT INSTRUCTIONS Members of the Public may provide public comments to teleconference meetings via email, teleconference, or by phone. 1. Written public comments may be submitted by email to city.council@cityofpaloalto.org. 2. For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item. 3. Spoken public comments for agendized items using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐ browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30 , Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak. When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments. 4. Spoken public comments for agendized items using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted. CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833 Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. California Government Code §84308, commonly referred to as the "Levine Act," prohibits an elected official of a local government agency from participating in a proceeding involving a license, permit, or other entitlement for use if the official received a campaign contribution exceeding $250 from a party or participant, including their agents, to the proceeding within the last 12 months. A “license, permit, or other entitlement for use” includes most land use and planning approvals and the approval of contracts that are not subject to lowest responsible bid procedures. A “party” is a person who files an application for, or is the subject of, a proceeding involving a license, permit, or other entitlement for use. A “participant” is a person who actively supports or opposes a particular decision in a proceeding involving a license, permit, or other entitlement for use, and has a financial interest in the decision. The Levine Act incorporates the definition of “financial interest” in the Political Reform Act, which encompasses interests in business entities, real property, sources of income, sources of gifts, and personal finances that may be affected by the Council’s actions. If you qualify as a “party” or “participant” to a proceeding, and you have made a campaign contribution to a Council Member exceeding $250 made within the last 12 months, you must disclose the campaign contribution before making your comments. 3 Regular Meeting September 10, 2024 Materials related to an item on this agenda submitted to the Board after distribution of the agenda packet are available for public inspection at www.CityofPaloAlto.org/agendas. POLICY AND SERVICES COMMITTEERegular MeetingTuesday, September 10, 2024Council Chambers & Hybrid7:00 PMPolicy and Services Committee meetings will be held as “hybrid” meetings with the option toattend by teleconference/video conference or in person. Information on how the public mayobserve and participate in the meeting is located at the end of the agenda. The meeting will bebroadcast on Cable TV Channel 26, live on YouTube https://www.youtube.com/c/cityofpaloalto,and streamed to Midpen Media Center https://midpenmedia.org.VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621)Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833PUBLIC COMMENTSGeneral public comment for items not on the agenda will be accepted in person for up to threeminutes or an amount of time determined by the Chair. General public comment will be heardfor 30 minutes. Additional public comments, if any, will be heard at the end of the agenda.Public comments for agendized items will be accepted both in person and via Zoom for up tothree minutes or an amount of time determined by the Chair. Requests to speak will be takenuntil 5 minutes after the staff’s presentation or as determined by the Chair. Written publiccomments can be submitted in advance to city.council@CityofPaloAlto.org and will be providedto the Council and available for inspection on the City’s website. Please clearly indicate whichagenda item you are referencing in your subject line. PowerPoints, videos, or other media to be presented during public comment are accepted onlyby email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received,the Clerk will have them shared at public comment for the specified item. To uphold strongcybersecurity management practices, USB’s or other physical electronic storage devices are notaccepted.Signs and symbolic materials less than 2 feet by 3 feet are permitted provided that: (1) sticks,posts, poles or similar/other type of handle objects are strictly prohibited; (2) the items do notcreate a facility, fire, or safety hazard; and (3) persons with such items remain seated whendisplaying them and must not raise the items above shoulder level, obstruct the view orpassage of other attendees, or otherwise disturb the business of the meeting.CALL TO ORDERPUBLIC COMMENT Members of the public may speak inperson ONLY to any item NOT on the agenda. 13 minutes depending on # ofspeakers. Public Comment is limited to 30 minutes. Additional public comments, if any, will be heard at the end ofthe agenda.ACTION ITEMS1.Office of the City Auditor Presentation of the Technology Applications Disaster RecoveryPreparedness Assessment Audit Report2.Discussion and Recommendation to Council on a potential reimbursement policy,allowing up to $2,000 annually per Council Member, for specified purposesFUTURE MEETINGS AND AGENDASMembers of the public may not speak to the item(s)ADJOURNMENTPUBLIC COMMENT INSTRUCTIONSMembers of the Public may provide public comments to teleconference meetings via email,teleconference, or by phone.1. Written public comments may be submitted by email to city.council@cityofpaloalto.org.2. For in person public comments please complete a speaker request card located on thetable at the entrance to the Council Chambers and deliver it to the Clerk prior todiscussion of the item.3. Spoken public comments for agendized items using a computer or smart phone willbe accepted through the teleconference meeting. To address the Council, click on the linkbelow to access a Zoom‐based meeting. Please read the following instructions carefully.You may download the Zoom client or connect to the meeting in‐ browser. If usingyour browser, make sure you are using a current, up‐to‐date browser: Chrome 30 ,Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled inolder browsers including Internet Explorer. Or download the Zoom application ontoyour smart phone from the Apple App Store or Google Play Store and enter in theMeeting ID below.You may be asked to enter an email address and name. We request that youidentify yourself by name as this will be visible online and will be used to notify youthat it is your turn to speak.When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk willactivate and unmute speakers in turn. Speakers will be notified shortly before theyare called to speak.When called, please limit your remarks to the time limit allotted. A timer will beshown on the computer to help keep track of your comments.4. Spoken public comments for agendized items using a phone use the telephone numberlisted below. When you wish to speak on an agenda item hit *9 on your phone so weknow that you wish to speak. You will be asked to provide your first and last name beforeaddressing the Council. You will be advised how long you have to speak. When calledplease limit your remarks to the agenda item and time limit allotted.CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its publicprograms, services and meetings in a manner that is readily accessible to all. Persons withdisabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. California Government Code §84308, commonly referred to as the "Levine Act," prohibits an elected official of a local government agency from participating in a proceeding involving a license, permit, or other entitlement for use if the official received a campaign contribution exceeding $250 from a party or participant, including their agents, to the proceeding within the last 12 months. A “license, permit, or other entitlement for use” includes most land use and planning approvals and the approval of contracts that are not subject to lowest responsible bid procedures. A “party” is a person who files an application for, or is the subject of, a proceeding involving a license, permit, or other entitlement for use. A “participant” is a person who actively supports or opposes a particular decision in a proceeding involving a license, permit, or other entitlement for use, and has a financial interest in the decision. The Levine Act incorporates the definition of “financial interest” in the Political Reform Act, which encompasses interests in business entities, real property, sources of income, sources of gifts, and personal finances that may be affected by the Council’s actions. If you qualify as a “party” or “participant” to a proceeding, and you have made a campaign contribution to a Council Member exceeding $250 made within the last 12 months, you must disclose the campaign contribution before making your comments. 4 Regular Meeting September 10, 2024 Materials related to an item on this agenda submitted to the Board after distribution of the agenda packet are available for public inspection at www.CityofPaloAlto.org/agendas. 4 8 9 3 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: September 10, 2024 Report #:2406-3133 TITLE Office of the City Auditor Presentation of the Technology Applications Disaster Recovery Preparedness Assessment Audit Report RECOMMENDATION Baker Tilly, in its capacity serving as the Office of the City Auditor (OCA), performed a citywide risk assessment that assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. The purpose of the annual risk assessment was to identify and prioritize risks to include in the annual audit plan. During the FY 2022 citywide risk assessment, the OCA identified the following inherent risks and related to technology applications disaster preparedness and recovery: •Risks related to possible inadequacy of disaster recovery plans related to high priority applications and supporting infrastructure •Risks related to possible inadequacy of disaster recovery capabilities EXECUTIVE SUMMARY The OCA conducted an audit of the disaster recovery preparedness based on the approved Task Order 4.19. The objectives of this audit were to: 1) Assess the current disaster recovery plan for high priority applications and supporting infrastructure to identify the adequacy of documentation and identify additional documentation requirements. 2) Assess the current disaster recovery capabilities 3) Develop recommendations to remediate identified capability gaps and to update disaster recovery documentation The audit found that while the Information Technology Department had a comprehensive Continuity of Operations Plan, this was focused on operational continuity in the event of a Item 1 Item 1 Staff Report Item 1: Staff Report Pg. 1 Packet Pg. 5 of 24 4 8 9 3 disaster or other incident and did not provide as much information for recovery methods, procedures or processes. Audit findings and recommendations relate to the following areas with a focus on a need to formalize documentation for operational practices: •Continuing efforts to improve Business Impact Analysis efforts including recovery time objectives •Formalizing maintenance requirements related to resilience mechanisms •Formalizing system backup procedures •Formalizing restoration testing to ensure system operations •Encrypting backup solutions •Formalize disaster recovery plan and testing The attached report provides a more detailed summary of the analysis, audit findings, recommendations, and timeline for implementation of corrective action plans. FISCAL/RESOURCE IMPACT The necessary resources to implement these recommendations will be dependent on the results of the updates to standard operating procedures related to resiliency mechanisms maintenance requirements, results of the planned Disaster Recovery and Business Continuity project, and other approved revisions and updates to policies and procedures. STAKEHOLDER ENGAGEMENT The Office of the City Auditor worked primarily with the Information Technology Department, as well as, additional stakeholders, including the City Manager’s Office and City Attorney’s Office, as necessary. ENVIRONMENTAL REVIEW Council action on this item is not a project as defined by CEQA because the audit activities do not involve any commitment to any specific project which may result in a potentially significant physical impact on the environment. CEQA Guidelines section 15378(b)(4). ATTACHMENTS Attachment A: Technology Applications Disaster Preparedness Assessment APPROVED BY: Kate Murdock, City Auditor Item 1 Item 1 Staff Report Item 1: Staff Report Pg. 2 Packet Pg. 6 of 24 1 BACK July 2024 City of Palo Alto Office of City Auditor Technology Applications Disaster Preparedness Assessment Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 3 Packet Pg. 7 of 24 Contents Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, operate under an alternative practice structure and are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP is a licensed CPA firm that provides assurance services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. © 2024 Baker Tilly Advisory Group, LP. EXECUTIVE SUMMARY...................................................................................................1 INTRODUCTION...............................................................................................................3 DETAILED ANALYSIS.....................................................................................................5 AUDIT RESULTS..............................................................................................................8 Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 4 Packet Pg. 8 of 24 1 Executive Summary Purpose of the Audit Baker Tilly US, LLP (Baker Tilly or BT), in its capacity serving as the Office of the City Auditor (OCA) for the City of Palo Alto (the City), conducted an audit of the disaster recovery preparedness based on the approved Task Order 4.19. The objectives of this review were to: 1) Assess the current disaster recovery plan for high priority applications and supporting infrastructure to identify the adequacy of documentation and identify additional documentation requirements. 2) Assess the current disaster recovery capabilities. 3) Develop recommendations to remediate identified capability gaps and to update disaster recovery documentation. Report Highlights Finding 1: Lack of Business Impact Analysis (BIA) (Page 8)The City has not established a BIA to define critical assets across the City. Key Recommendations The City should continue with the planned BIA efforts to gain an understanding of criticalities and RTOs of the assets within the City. Finding 2:Lack of Formalized Maintenance Requirements (Page 8)The City does not have formalized maintenance requirements for resiliency mechanisms. Key Recommendations The City should formalize maintenance requirements for resiliency mechanisms through policies and procedures. Finding 3:Informal and Inconsistent Backups (Page 9)The City does not have a formalized Backup Policy to outline backup requirements. The city does not have a formal process for monitoring and remediating backup failures. Key Recommendations The City should formalize backup requirements for key systems through a Backup Policy. The City should outline backup failure requirements as part of the Backup Policy. Finding 4:Lack of Formalized Restoration Testing (Page 9)The City does not perform system wide or planned restoration testing. Key Recommendations The City should establish a process to test the ability to restore data and systems from backups on a periodic basis. Finding 5:Unencrypted Backups for Synology Appliance Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 5 Packet Pg. 9 of 24 2 EXECUTIVE SUMMARY (Page 10)The data stored locally within the Synology backup solution is not encrypted. Key Recommendations The City should configure the Synology appliance to be encrypted locally. Finding 6:Lack of Detailed Disaster Recovery Plan and Test (Page 10)The City does not have a detailed Disaster Recovery Plan or formalized process to test disaster recovery processes. Key Recommendations The City should continue efforts to implement a detailed Disaster Recovery Plan that outlines actions to be taken to restore operations and recover data in the event of a disaster. The plan should be tested on an annual basis. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 6 Packet Pg. 10 of 24 3 Introduction Objective The objectives of this review were to: 1) Assess the current disaster recovery plan for high priority applications and supporting infrastructure to identify the adequacy of documentation and identify additional documentation requirements. 2) Assess the current disaster recovery capabilities. 3) Develop recommendations to remediate identified capability gaps and to update disaster recovery documentation. Background Information systems are vulnerable to various interruptions ranging from mild (e.g., short-term power outages, accidental equipment damage, equipment failure) to severe (e.g., vandalism, equipment destruction, natural disasters, virus, attackers). A disaster recovery plan along with resiliency mechanisms and backups will allow the City to prepare for disruptions. Without adequate controls and preparation, the effects can lead to catastrophic financial loss in the form of lost revenue, recovery costs, or impact critical membership services, as well as technological consequences, such as losing integral or sensitive data. Scope The scope of this assessment was limited to the disaster recovery of high priority applications and supporting infrastructure that is controlled by the City’s Information Technology team. Methodology To achieve the audit objective #1, the OCA performed the following procedures: •Conducted interviews with identified IT personnel and key stakeholders to gain an understanding of the operating environment •Conducted interviews and gathered supporting documentation to determine what the City deemed as high priority applications •Gathered and analyzed evidence to determine if the City had adequate documentation of the disaster recovery process. To achieve the audit objective #2, the OCA performed the following procedures: •Conducted interviews with identified IT personnel and key stakeholders and performed observations of facilities to determine the current disaster recovery capabilities. •Gathered and analyzed evidence to determine whether the City had adequate technical controls required to recover from a disaster. To achieve the audit objective #3, the OCA performed the following procedures: •Compared current state documentation and capabilities to industry best practices to develop recommendations to strengthen the City’s disaster preparedness. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 7 Packet Pg. 11 of 24 4 INTRODUCTION 1 Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract with Baker Tilly U.S, LLP for internal audit services for October 2020 through June 2022 with an extension through June 2025. City Council appointed Kate Murdock, Audit Manager in Baker Tilly’s Risk Advisory practice, as City Auditor in May 2024. As a result of transitions in the Audit Office and peer review delays due to the COVID pandemic, an external peer review is targeted for 2025. It should be noted that Baker Tilly’s most recent firmwide peer review was completed in October 2021 with a rating of “Pass”. The scope of that peer review includes projects completed under government auditing standards. A report on the next firmwide peer review should be available later in 2024 Compliance Statement This audit activity was conducted from September 2023 to November 2023 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review1. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Organizational Strengths During this audit activity, we observed that the City has the following areas of strength as it relates to disaster preparedness: - Appropriate resiliency mechanisms to ensure that on-premise solutions would be able to run in the event that there was a power outage. - A documented Continuity of Operations (COOP) plan that outlines how IT would continue to support the rest of the city in the event of a disaster. - Backups are configured to run on critical systems and retained for a period of time determined to be appropriate by the business. - Initial criticality rating and recovery time objectives (RTO)’s have been established for services to guide recovery efforts based on business need. The Office of the City Auditor greatly appreciates the support of the Information Technology Department in conducting this audit activity. Thank you! Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 8 Packet Pg. 12 of 24 5 Detailed Analysis Disaster Recovery Documentation BT noted that the City maintains a formalized Continuity of Operations (COOP) plan for the Information Technology Department. Per inspection of this plan, BT noted that the plan outlines the roles and responsibilities of personnel involved, the activation of the COOP, the implementation of the COOP, and details various steps that IT personnel would need to perform in order to continue operations. BT noted that the COOP primarily focused on the continuity of IT functions in the event of a disaster or other incident; but did not outline recovery methods, procedures, or processes. Further, BT noted that the City is in the process of reviewing and updating the COOP to ensure alignment with current practices. BT noted that the City maintains a formalized Disaster Recovery & Business Continuity Process (DR-BCP) and System Back-Up Procedure document. Per inspection, BT noted that the document outlines the backup methodology for the five critical information technology services which include SAP, GIS, internet services, e-mail services, and network services. BT noted that this document outlines the backup requirements, type of information backed up, and frequency of backup. Additionally, BT obtained and inspected the Summary of Data Backup Services document and noted that it outlined the backup services used for the critical applications; however, the document has not been updated to reflect recent changes in the environment. In the event of a disaster, the Office of Emergency services, through the Emergency Operations Center activation, would manage communication, including internal and external communications. The Office of the CIO may also have direct communication with constituents where required. For external communication, there is a standard template that is used to communicate these instances. All City employees are deemed disaster employees and receive training upon hire in order to gain an understanding of their roles and responsibilities as it relates to disasters. Further, the IT department is involved in an annual COOP test through various City activities; however, the IT specific COOP is not formally tested on a regular cadence. While the City has defined processes for backups and continuity, there is no formalized policy or procedure document that outlines requirements and actions to be taken during a disaster. BT further noted that there are plans in place to further strengthen the disaster recovery plan, including performing an analysis to re-classify critical assets; but this project is currently on hold. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 9 Packet Pg. 13 of 24 6 DETAILED ANALYSIS Criticality BT noted that the City has a defined Asset Classification strategy in which assets are categorized within the following tiers: - Tier 1: Assets which will have direct impact on public safety and or public’s well-being. - Tier 2: Assets which have indirect impact on public safety and or public’s well-being. - Tier 3: Assets which have data confidentiality, legal, and financial impact. - Tier 4: Assets which have NO direct/indirect impact on public safety/security and does not host any confidential, legal, and financial data. BT noted that the following IT supported assets have the below designated criticalities: IT Supported Assets Tier GIS 1 Internet Services Network Services E-Mail Services File Services VoIP Telephone 2 SAP 3 BT further noted that Recovery Time Objectives (RTO) have been defined for the critical functions as 72 to 120 hours. While criticality and RTO have been established across IT assets, the criticality is not rooted in an organizational wide Business Impact Analysis (BIA) which may result in misaligned recovery efforts due to lack of business input. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 10 Packet Pg. 14 of 24 7 DETAILED ANALYSIS Resiliency Capabilities BT noted that the City has deployed various resiliency capabilities across the IT controlled infrastructure. BT noted that UPS devices are deployed across the city and have enough power to maintain services until the generators are turned on. BT noted that there are two generators that are located in the Civic Center Office building that are used to provide power to the IT networking closets and the rest of the building in the event of a power outage. Additionally, there is a fuel contract to ensure that the generator does not run out of fuel in the event of an extended outage. Further, BT noted that there are redundant fiber internet feeds in place to guard the City from an internet outage. Similarly, there are redundant phone systems in place. Maintenance and testing for UPS and generators occurs on a defined schedule and alerts are actively monitored by either the IT Operations or Maintenance teams. If there are alerts that require changes to the environment, these changes would follow the established change management process and be documented within the ITSM tool. The resiliency mechanisms listed above would support solutions and services that are hosted on-premises. For SAP, which is hosted in AWS, the City relies upon the vendor to provide resiliency. BT noted that the City is currently working on establishing a recovery site with AWS or Azure to aid in the recovery of on-prem solutions in a long-term disaster. Backups BT noted that backups are in place and managed for the critical applications and services throughout the city. BT noted that there are 3 main backup methods: 1. SAP Backups – BT noted differential backups occur daily and full backups occur weekly, with transaction log backups taken every 15 minutes and are managed and monitored by EPI-use. These backups are stored in AWS and retained for 7 years. BT further noted that in the event of a disaster, the City would share responsibility with EPI-use to perform restoration and recovery efforts. 2. Rubrik – BT noted that Rubrik is used to backup on-prem SQL databases, windows volumes, virtual machines, the GIS system, and servers. Backups are taken on a daily, weekly, and yearly basis and are monitored by the IT Operations team. After 45 days, the data backed up using Rubrik is transferred from the local appliance to Azure and retained for 2 years. 3. Synology – BT noted that Synology is utilized to perform backups of the file services. Backups are taken on a daily basis and stored for 360 days in Azure. For City managed backups, alerts are sent to the IT Operations team on a daily basis for monitoring purposes. Consecutive backup failures that require a change within the system would be documented within the ITSM tool; however, this process is not consistently followed. Further, backup configuration changes would follow the City's established change management processes. While file or folder level restores occur during the normal course of business, there is currently not a process in place to do failover testing. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 11 Packet Pg. 15 of 24 8 Audit Results Finding 1: Lack of Business Impact Analysis (BIA) The City has not yet completed a BIA to define the critical assets across the City. Without knowledge from the various departments within the city, disaster recovery efforts including backup configurations and restorations (including Recovery Time Objectives (RTO)) may not be in alignment with the City’s needs due to the lack of a BIA. Recommendation The City should continue the planned Business Impact Analysis (BIA) efforts to gain a comprehensive understanding of the assets within the environment, including RTOs and criticality ratings associated with those assets and be used to update RTOs and criticality ratings, where necessary. Management Response Responsible Department(s): Information Technology + Business Units Concurrence: Agree Target Date: Ongoing Action Plan: IT and in collaboration with the City’s Office of Emergency Services operations will continue to partner with departments to define critical assets and update the disaster recovery plan and IT security risk register as required. This will be an ongoing activity to address upgraded and newly acquired technology solutions as part of the ongoing emergency operations preparation work Finding 2: Lack of Formalized Maintenance Requirements The City does not have formalized maintenance requirements for resiliency mechanisms for solutions and services that are hosted on-premises in the means of policies or procedures. Formalization, supports maintenance and resiliency mechanism testing in alignment with expectations. Further, the roles and responsibilities to perform these actions may not be known to employees in the event of turnover. Recommendation The City should establish a formal standard operating procedure (SOP) that outlines the requirements and steps to perform maintenance and testing on resiliency mechanisms in alignment with best practice and vendor recommendations. This SOP should outline the roles and responsibilities, as well as any documentation requirements when actions are taken. Management Response Responsible Department(s): Information Technology + Facilities Concurrence: Agree Target Date: Q2 CY 2025 Action Plan: IT has initiated a planned Disaster Recovery and Business Continuity project and will include this recommendation as a deliverable. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 12 Packet Pg. 16 of 24 9 Finding 3: Informal and Inconsistent Backups The City has a defined Disaster Recovery & Business Continuity (DR- BCRP) plan, but it does not outline requirements of backups such as schedule, retention, and storage requirements. This may lead to inaccuracies in configurations or misalignment with business need. Additionally, the City monitors backup failures on an ad-hoc basis but does not have a formal process to action consecutive failed backups. Failed backups may result in a loss of data in the event of a disaster Recommendation The City should expand the Disaster Recovery & Business Continuity (DR- BCP), System Back-Up Procedure, and/or establish a Backup Policy to formalize the backup requirements including schedule, retention, and storage requirements for critical business functions. This procedure and/or policy should be updated to align with current business practices and include details on any vendor reliance for backups. Additionally, the procedure and/or policy should outline roles and responsibilities related to recovery and backup. Additionally, this procedure and/or policy should outline monitoring requirements and actions to be taken for failed backups based on the City’s determined thresholds. Once established, the procedure and/policy should be reviewed on an annual basis to ensure alignment with business needs. Further, formal tracking of corrective action plans should be documented within the ITSM tool, including the root cause of the failure, responsible part, and the actions taken. Management Response Responsible Department(s): Information Technology Concurrence: Agree Target Date: Q2 CY 2025 Action Plan: As noted in the assessment, the City does maintain system back-ups for the critical applications and services throughout the city though acknowledges this level of detail is not included in the DR-BCRP plan. IT has initiated a planned Disaster Recovery and Business Continuity project and will ensure current processes are documented formally in the updated plan. Finding 4: Lack of Formalized Restoration Testing The City performs ad-hoc single file restorations as part of business-as- usual, but does not perform testing on the ability to restore a system or larger data set from backups. This may lead to inability to restore data in the event of a disaster due to issues with restoration processing or misconfigured backups. Recommendation The City should establish a formal process to test the ability to restore from backups on a periodic basis. This process should be expanded to a larger set of data or system, rather than ad-hoc file restores. This process should be formally documented, including roles and responsibilities. Further, the results of the test should be documented with any corrective action plans for failures monitored through resolution. Management Response Responsible Department(s): Information Technology Concurrence: Agree Target Date: Q2 CY 2025 Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 13 Packet Pg. 17 of 24 10 Action Plan: A formal process is not documented, however restores for both single files and bare metal restores are performed as required. IT has had a planned Disaster Recovery and Business Continuity project since 2021. We have initiated the project and ensure this recommendation is a deliverable. Finding 5: Unencrypted Backups for Synology Appliance One of the City’s backup solutions, Synology, is not configured to be encrypted at the local appliance which may lead to loss of data. Recommendation The City should configure Synology to encrypt backup data that is stored on the local appliance. Management Response Responsible Department(s): Information Technology Concurrence: Do not Agree Target Date: Addressed Action Plan: There is a local backup (Snapshot) of the S: Drive that is unencrypted by design in order to facilitate file restoration at the user level and is only accessible to authorized IT administrators. For DR backups the data is encrypted in the cloud and not on the appliance. Cloud backups are used for recovery in the case of data loss. Finding 6: Lack of Detailed Disaster Recovery Plan and Test The City maintains a formal IT Continuity of Operations Plan (IT COOP) which outlines roles, responsibilities, communications and plan to continue people operations in the event of a disaster; however, this plan does not detail the actions to be taken to restore and recover infrastructure and data in the event of a disaster. Various department COOP’s are tested on an annual basis, however, an IT specific disaster recovery test is not performed. Recommendation The City should continue efforts to implement a detailed Disaster Recovery Plan. The established plan should include details on roles, responsibilities, communications, and actions to be taken to restore data and recovery infrastructure and systems in the event of a disaster. The plan should be reviewed and approved by leadership on an annual basis. Additionally, the plan should be tested on an annual basis through tabletop exercises or other testing scenarios. Management Response Responsible Department(s): Information Technology Concurrence: Agree Target Date: Q2 CY 2025 Action Plan: Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 14 Packet Pg. 18 of 24 11 IT has initiated a planned Disaster Recovery and Business Continuity project and will ensure current processes are documented formally in the updated plan. Item 1 Attachment A - Technology Applications Disaster Preparedness Assessment Item 1: Staff Report Pg. 15 Packet Pg. 19 of 24 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Manager Meeting Date: September 10, 2024 Report #:2408-3411 TITLE Discussion and Recommendation to Council on a potential reimbursement policy, allowing up to $2,000 annually per Council Member, for specified purposes RECOMMENDATION Staff recommends that the Policy and Services Committee further discuss the referral from the City Council related to City Council Discretionary Expenditures and make a recommendation to the City Council for inclusion in the City Council Procedures and Protocols Handbook. BACKGROUND On March 12, 2024, the Policy and Services Committee revisited a Council referral to consider allocating $2,000 annually from the Council contingency fund for each Council member. This allocation would cover expenditures aligned with Council-defined purposes. The discussion was a continuation from February 13, 2024, where the Committee decided to further examine program details and compare similar initiatives in neighboring jurisdictions. During the March 12 meeting, staff presented similar programs in neighboring jurisdictions and reviewed the requirements under Cal. Govt. Code section 53232.2, which allows reimbursement for “actual and necessary expenses incurred in the performance of official duties” and requires certain procedures for implementing such a policy. The Committee showed interest in implementing a policy for reimbursing expenses for cellular phone use and technology when used for official business. ANALYSIS Given the recent increase in Council salaries, a direct stipend, which would be taxable, is not feasible as it would surpass Charter salary limits. Instead, the proposed policy focuses on reimbursements for actual expenses, which are not considered taxable income and are regulated under Section 53232.2 of the Government Code. In conformance with Section 53232.2, the draft policy establishes a written policy for allowable reimbursement with Item 2 Item 2 Staff Report Item 2: Staff Report Pg. 1 Packet Pg. 20 of 24 monitoring and reporting requirements. The draft policy includes a provision for full reimbursement of technology purchases used solely for official business and 25% reimbursement for dual personal and official use, up to an amount established by the Council. If the City fully reimburses a Council Member for a physical device, the device must be returned to the City at the end of the Council Member's service. However, the City may allow the Council Member to keep the device if it is determined that the device has no value or is no longer useful to the City. The 25% reimbursement rate stated above also applies to cellular phone usage. The partial rate of reimbursement is intended to account for the difficulty in distinguishing between personal and official uses and will allow for some reimbursement when a Council Member uses their own device for official business. The Committee could recommend a change to this percentage if it reasonably believes that Council members use their personal devices for City business more frequently than one-quarter of the time. All other technology expenditures not specifically covered by the proposed policy would require prior Council approval. Any questions regarding the appropriateness of an expense should be resolved by the Council before the expense is incurred. Reimbursements needing Council approval can be processed in batches as a single item and placed on the Council’s Consent agenda. The Council and Policy and Services Committee has discussed allocating up to $2,000 annually to each Council Member for official expenditures. However, the draft policy does not specify the total annual allocation for Council reimbursements, allowing flexibility in determining the overall available funds if in the future the Council wishes to allocate more money for reimbursements. The amount can be set by resolution or during the budget process. The total budgeted amount will not roll over to the next fiscal year, preventing Council Members from carrying over unspent funds for future use. All claims for reimbursement will need to be supported with documentation and submitted using the City's official expense report forms within 60 days of incurring the expense. The documentation required may depend on the expenditure. An itemized receipt is required however for certain expenses a summary-level receipt, in lieu of a detailed or itemized receipt, may be acceptable. Any claims that are non-compliant or lack proper documentation will be disapproved. Additionally, all expense reports are subject to audit. Approved reimbursements will be processed within 30 days. Item 2 Item 2 Staff Report Item 2: Staff Report Pg. 2 Packet Pg. 21 of 24 The proposed policy aims to balance the flexibility and convenience of a stipend—currently unfeasible due to the Council’s salary caps—with the Government Code's requirement that expenses be actual, necessary, and supported by documentation. FISCAL/RESOURCE IMPACT The total amount allocated for Council reimbursements would be determined as part of the annual budget development process. However, depending on the program parameters discussed such as the appropriate means of budgeting and the reimbursement process, staff time resources to administer the program will be needed, primarily in the City Clerk and Administrative Services Departments and would need to be further assessed in alignment with final policy complexity, implementation, and Council requests. ENVIRONMENTAL REVIEW Not a project. ATTACHMENTS Attachment A: Draft Councilmember Reimbursement Policy, August 2024 APPROVED BY: Ed Shikada, City Manager Item 2 Item 2 Staff Report Item 2: Staff Report Pg. 3 Packet Pg. 22 of 24 Draft Reimbursement Policy August 2024 1. PURPOSE This Policy establishes the guidelines and standards regarding reimbursement of actual and necessary expenses of the City Council incurred in the performance of official City duties. Council members may incur expenses in fulfilling the responsibilities as an elected official. All expenditures of public funds must be related to the performance of City business. Council members may be reimbursed for actual and necessary expenses incurred in the performance of authorized City business and official duties in conformance with this Policy. 2. AUTHORIZED EXPENSES Communications tools (e.g., cellular phones, data plans, computers, and Internet access) are necessary for Councilmembers to fulfill their official responsibilities of communication with constituents, City staff, and others. In lieu of the City providing communication tools to each Council member, Council members are expected to use personal devices in the course of their duties. 2.1 Technology Purchases Reimbursement Council members may be reimbursed for technology purchases that are essential for performing official duties. These purchases include, but are not limited to, computers, tablets, software, and subscriptions services (e.g., internet, Zoom, etc.). If the technology purchase will be used exclusively for official business, the Council member will be reimbursed for all the actual cost of the purchase up to a total dollar amount established by the Council. If the technology purchase will be used for personal use as well as official business, Council members will be reimbursed 25% of the actual cost of the purchase up to a total dollar amount established by the Council. Considering the difficulty in parsing out official use versus personal use in this circumstance, this shall be considered a reasonable amount to represent the reimbursement for actual costs associated with the technology purchase. 2.2 Cellular Phone Usage Reimbursement Council members will be reimbursed 25% of the actual total monthly cost of the use of their cellular phone up to a total dollar amount established by the Council. Considering the difficulty in parsing out official use versus personal use in this circumstance, this shall be considered a reasonable amount to represent the reimbursement for actual costs associated with the use of their cellular phone. Item 2 Attachment A - Draft Reimbursement Policy, August 2024 Item 2: Staff Report Pg. 4 Packet Pg. 23 of 24 2.3 Expenditures Requiring Council Approval Except as set forth in this Section, all other expenditures require prior approval by the Council at a public meeting. Any questions regarding the propriety of a particular type of expense should be resolved by the Council before the expense is incurred. 3. MONITORING AND REPORTING All expenses and claims for reimbursement shall be submitted on City expense report forms within 60 days of the incurred expense. All expense reports shall be accompanied by documentation showing that the expenses comply with this Policy for expenditure of public resources. Inability to provide such documentation in a timely manner may result in the expense being borne by the Councilmember. Reimbursements that do not comply with this policy will not be approved. Expense reports are subject to audits. Approved reimbursements will be processed and issued within 30 days of approval. Item 2 Attachment A - Draft Reimbursement Policy, August 2024 Item 2: Staff Report Pg. 5 Packet Pg. 24 of 24