April 30, 2002
Local governments may manage their computer systems in-house, by outside vendors, by an intergovernmental computer collaboration, or by a combination of these three approaches. This report recommends that counties, cities, and school districts adopt certain best practices as they consider how they want to manage their computer systems.
Recommended Best Practices:
Before deciding how to manage their computer systems, local governments should make sure that: information technology has the support of top officials, staff have the capacity to estimate total costs and manage contracts, jurisdictions identify the services that should be automated, staff plan for computer system replacements, and jurisdictions know where information technology fits within their organizations.
Local governments should judge a management option based on whether it has complete inventories of equipment, sets standards for computer hardware and software, follows a clearly documented program to control the day-to-day operations of the computer system, communicates computer system policies and procedures to people using the system, and monitors compliance with the policies.
Local governments should also ensure that the computer systems are managed by staff who have sufficient expertise, receive ongoing training, and provide training and support to computer users.
Finally, local governments should look for management options that use trained professionals to assess the computer system's security risks, develop security policies based on the risks, manage user accounts and employee access to the system, install and monitor firewalls and antivirus software, develop backup procedures and disaster recovery plans, and test security procedures.
In addition to these recommendations, the review found that:
All of Minnesota's counties, school districts, and large cities use personal computers and have computer networks, but 27 percent of cities with 500 or fewer residents do not use any personal computers.
Nearly all of Minnesota's local governments use their own staff to manage some part of their computer systems, but most also rely on computer vendors or intergovernmental computer collaborations to maintain parts of their hardware or to support software applications.
The core elements of a computer system are its hardware, software, and data, but to be complete, a computer system also needs the staff, facilities, and a management program to support the core. While most local governments have computer systems in place, the systems' complexity varies. Most counties, school districts, and large cities have computer networks, but just 11 percent of cities with populations under 500 have networked computers and 27 percent reported having no personal computers at all.
Local governments' options for managing their computer systems are to rely on their own staff, join an intergovernmental computer collaboration, work with computer vendors, or use a mix of these options.Minnesota Local Governments Use a Variety of Options to Manage Their Computer Systems
An intergovernmental computer collaboration is a group of local governments cooperating on common technology objectives and governed by a joint powers agreement. All Minnesota counties belong to one or more of three computer collaborations designed to meet certain data processing needs unique to counties, such as computing property taxes. One city-oriented computer collaboration exists and offers a range of automated services from business licensing to utility billing. School districts may receive technology services from collaborations known as "service cooperatives" and regional management information centers, which exist around the state.
Based on a fall 2001 survey of local governments, counties and school districts were more likely than cities to report using computer collaborations to manage at least some of their computer systems. The computer collaborations provide local governments with specialized technological expertise, staff networking opportunities, chances to avoid purchasing certain equipment or software, and a degree of control over the design of customized software applications. At the same time, local governments that use collaborations have to spend more time and effort to plan and work with other members of the group, and they need to be aware that relying on a third party for their core technology services holds some risks. Plus, there is a loss of individual control inherent with group decision making.
By contrast, computer vendors are private firms that sell or coordinate hardware, software, management expertise, and support for networks and computers. Forty percent of cities, compared with 22 percent of counties and 14 percent of school districts, reported using computer vendors for most or all of their computer systems' updating, security, and daily operations. Computer vendors offer local governments specialized expertise and opportunities to avoid hiring their own staff or purchasing certain equipment or software. On the other hand, local governments that work with vendors need to follow careful contract management practices and be aware of the risks involved with relying on a third party for technology services. Further, they may have little control over pricing, schedules, and service features.
Most local governments use their own staff to manage at least some of the daily operations of their computer systems. About 84 percent of counties, 71 percent of cities, and 86 percent of school districts reported that their own staff perform most or all of their computer systems' upkeep. Using their own staff to manage computer systems gives local governments a high degree of control over the services but carries the costs of employing highly skilled personnel.
Most of Minnesota's local governments use a mix of options to manage their computer systems. About three-quarters of the local governments surveyed, including most counties and school districts, reported using two or three management options to maintain their computer systems. About one-quarter, mostly small and medium-sized cities, reported using a single option to maintain computer systems, and that option was most often a jurisdiction's own staff.
Local Governments Should Prepare to Evaluate Options for Managing Computer Systems
Before local governments decide which options work best for their computer systems, they should prepare themselves to evaluate the options. Preparation means, first, that the local governments' top officials should understand and support the role of information technology in getting the governments' work done. Second, local governments should determine where technology staff best fit within their jurisdiction's organization. Third, they should be prepared to fully estimate computer systems' costs, which requires estimates of total costs over the life cycle of equipment as well as the hiring, compensation, and ongoing training costs for staff. They also need the capacity to set spending priorities among competing technology projects.
Fourth, because managing computer systems often involves working with external providers, local governments should be prepared to follow appropriate contract management practices and assess providers' financial stability. Fifth, local governments should determine what services need to be automated because only the technology that clearly supports their programs and data should be used. Sixth, because technology evolves rapidly, and to avoid fragmented computer systems, local governments need to follow planned computer replacement programs. Finally, local governments should be prepared to assess management options within the context of their own unique demographic, financial, and political characteristics. For example, jurisdictions in some rural areas of the state may have limited opportunities to hire appropriately trained technology staff, forcing them to consider other options.
Local Governments Should Follow Best Practices in Evaluating Management Options
The report identifies three best practices that are important when evaluating options for managing computer systems. It recommends that, regardless of which options are under consideration, local governments use the best practices to help judge the options' effectiveness.1. A Framework Should Be in Place to Guide the Management of a Computer System
Good asset management requires use of an up-to-date inventory of computer system equipment that describes hardware and equipment configurations. Local governments should ensure that whoever manages their computer system maintains complete inventories. Those who maintain computer systems should follow documented management programs with clear and specific procedures for daily operations and control of the system. They need to communicate technology policies and procedures to the jurisdictions' staff who use computers, and they should monitor adherence to the policies.
Periodically, the policies and procedures need to be updated.
Example: The city of Fergus Falls developed policies to communicate acceptable computer uses to city staff. Developed jointly by managers and staff, the policy covers various procedures, including security measures that forbid the reproduction of software and require users to change passwords every 90 days. All employees who use the computer system must sign a statement indicating that they have read the policy. The city's information systems staff supplement the written guidelines with activities such as using inventory software to track which software applications reside on the computer network.
2. Knowledgeable Staff Should Maintain and Use the Computer System
In determining who should manage computer systems, local governments should look for options with properly trained staff who bring a high level of expertise to operating the computer system. Local governments should determine that a process is in place to recruit and retain technology staff. They need assurances that technology staff receive ongoing training to keep their skills current in a world of rapidly changing technologies. Similarly, they need to determine that whoever manages the computer system has an adequate plan for user training and will provide user support to local government staff expected to work with computers.
Example: In the Robbinsdale Area School District, the technology and media services department offers financial incentives to keep their staffs' technology skills up-to-date. Employee contracts contain provisions for certification stipends, which are awarded whenever staff successfully complete training programs as part of their approved training plans. The district also pays registration fees for technology-related courses that staff attend.
3. Computer Systems Should Be Secure
Local governments should look for computer system managers who understand and can control security risks. In assessing their options, local governments should seek computer managers who conduct risk assessments of the systems' security and base security policies on the identified risks. Computer managers should limit users' access to certain computers and data and actively manage users' password accounts. They need to install and monitor "firewalls" and antivirus software, have procedures in place to backup data, and develop a disaster-recovery plan. Because security risks change over time as new vulnerabilities arise, computer system managers should monitor and periodically audit their security procedures. Whoever manages the computer system must have staff who are appropriately trained to protect it.
Example: Anoka County contracted for an extensive assessment of its computer system, with one component focusing on security. Among other tests, the assessment included "penetration" testing whereby consultants tried to circumvent security controls to gain access to the computer system. Following the assessment, information systems staff developed a plan to systematically implement specific recommendations, such as formally documenting procedures for data backups.
The Program Evaluation Division was directed to conduct this study by the Legislative Audit Commission in May 2001. For a copy of the full report, entitled "Managing Local Government Computer Systems: A Best Practices Review (02-09)", 92 pp., published on April 30, 2002, please call 651/296-4708, e-mail Legislative.Auditor@state.mn.us, write to Office of the Legislative Auditor, Room 140, 658 Cedar St., St. Paul, MN 55155, or go to the webpage featuring the report. Staff who worked on this project were Jody Hauer (project manager), Jan Sandberg, Kathryn Olson, Carrie Meyerhoff, and Leah Goldstein Moses.