To: Board of Supervisors
Department or Agency Name(s): Information Systems
Staff Name and Phone Number: John Hartwig 565-6055
Vote Requirement: Majority
Supervisorial District(s): Countywide
Title:
Contract with Evolver, LLC for Information Technology (IT) Resiliency Risk Assessment & Business Impact Analysis
Recommended Action:
Authorize the Information Systems Director to execute a professional services agreement with Evolver, LLC to perform a baseline IT risk and cyber-security assessment and business impact analysis and provide organizational recommendations for a sustained program in business continuity to ensure effective emergency response, continuity of government, and minimal disruption to public services in an amount not to exceed $350,000.
Executive Summary:
The contract before the Board is for consulting services to assess risks to County IT infrastructure, quantify the loss impact of physical and cybersecurity threats, identify the highest-value risks to mitigate, evaluate proposed technical designs developed by County staff, benchmark the County’s IT resiliency and cybersecurity capabilities against comparable organizations, and make recommendations for a sustained program to ensure effective emergency response, continuity of government, and minimal disruption to public services.
The total vendor cost of the engagement is not to exceed $350,000, funded from $1.7 million previously allocated for IT Resiliency during FY 18-19 budget hearings.
This engagement will take place over approximately nine months. The deliverables will be a set of reports to inform County executive management of our current state, benchmark us in comparison to peers, and provide a framework to prioritize future technology resiliency decisions.
Discussion:
The County of Sonoma has been deeply affected by wildfires in 2017, 2019, and 2020, by major flooding in early 2019, and by a global pandemic that began in 2020 and still continues. These events heightened awareness of the potential loss that could result from a disruption of Information Technology services and gave impetus to establishing the IT Resiliency Program. The services sought in the Request for Proposals are in alignment with the framework established by the Office of Recovery and Resiliency, Strategic Priority CP4: Community Preparedness and Infrastructure, with the goal to “make County government more adaptable to provide continued services in disasters through comprehensive planning, a more empowered workforce, and improved facilities and technology.”
Vendor Selection
A request for proposal (RFP) was issued on January 13, 2020 seeking consulting services. The RFP was sent to vendors and posted through the County’s vendor portal. Nine proposals were received.
Evaluators from departments with relevant knowledge and experience contributed to the formal RFP process, rating criteria, proposal evaluation, and finalist interviews. Participants were asked to score each vendor on the information provided in each proposal and the qualifications of the consultant staff. Of the finalists, Evolver was determined to best meet the full requirements of the County.
The engagement is projected to last for approximately nine months and will take place in two phases. In addition to the core services supported by the Information Systems Department, the scope of work includes options to review the IT environments maintained by Sheriff, Human Services, and the Sonoma County Water Agency.
Project Timeline
Phase 1 is scheduled to take place over five months during which the consultant will compile data through documentation and stakeholder workshops and interviews. Deliverables from this phase will include a set of reports detailing:
1. Threats against County IT infrastructure and their estimated likelihood;
2. Calculations of monetary and other loss impacts of physical and cybersecurity threats;
3. A Baseline Risk Report showing the top risks ranked by likelihood of the threat and the associated loss impact;
4. An analysis of technical designs developed by County staff to improve IT service resiliency; and,
5. An assessment of Sonoma County’s IT resiliency and cybersecurity capabilities in comparison to similar organizations, including staffing and the use of limited resources.
The deliverables from this phase will provide County executive management with data and context to prioritize future technology investments.
Phase 2 is scheduled to take place over three months and will conclude with a report containing recommendations for a sustained program in Business Continuity to ensure effective emergency response, continuity of government, and minimal disruption to public services, by addressing human factors such as training, process development, and updates to existing plans.
Week | Function | Activities
1-2 | Phase 1 Kick-Off | Introductions; Analysis Orientation; SOW Review; Scope Clarification; Threat Assessment
3-6 | Data Gathering, Part 1 | Asset Resiliency; Loss Impact
7-9 | Data Gathering, Part 2 | Additional Data Gathering; Data Collection Executive Review & Submittal
9-10 | Baseline Risk Report | Report Drafting; Baseline Risk Assessment
11 | Assessment Review | Staff Review; Receive Comments
12-13 | Technical Design Review | Review of Options
14-17 | Technical Design Trade-Off Review | Review of Options against Risk Assessment
18-19 | Final Phase 1 Deliverables | Phase 1 Deliverables; Review & Comment
20-22 | Phase 2 Kick-Off | Introductions; Comparative Organizations; SOW Review; Scope Clarification; Analysis Orientation
23-24 | Data Gathering, Part 1 | Workshop, Organization 1; Comparative Analysis
25-26 | Data Gathering, Part 2 | Workshop, Organization 2; Comparative Analysis
27-28 | Analysis Status Check | Data Analysis; Comparative Data Structure
29-30 | Draft Study Report | Draft Study Report
Prior Board Actions:
April 30, 2019, 2019-0497, established the IT Resiliency Program, including development and issuance of a Request for Proposal for an IT Disaster Recovery/Business Continuity Consultant to a) assess current and future risks to County IT infrastructure and facilities, b) evaluate proposed technical designs, including network redesign and utilization of a cloud-based office productivity and collaboration suite (e.g. to replace Microsoft Office on-site systems), for IT service resiliency, as well as offer additional options, c) provide organizational recommendations for a sustained program in Business Continuity to ensure effective emergency response, continuity of government, and minimal disruption to public services, and d) assess staffing and use of limited resources.
Fiscal Summary
Expenditures | FY 20-21 Adopted | FY 21-22 Projected | FY 22-23 Projected
Budgeted Expenses | $350,000 | |
Additional Appropriation Requested | | |
Total Expenditures | $350,000 | |
Funding Sources | FY 20-21 Adopted | FY 21-22 Projected | FY 22-23 Projected
General Fund/WA GF | | |
State/Federal | | |
Fees/Other | | |
Use of Fund Balance | $350,000 | |
Contingencies | | |
Total Sources | $350,000 | |
Narrative Explanation of Fiscal Impacts:
Funding for the Information Technology (IT) Resiliency Risk Assessment & Business Impact Analysis is provided by the $1.7 million authorized by the Board for IT Resiliency during FY 18-19 budget hearings.
Staffing Impacts:
Position Title (Payroll Classification) | Monthly Salary Range (A-I Step) | Additions (Number) | Deletions (Number)
None | | |
Narrative Explanation of Staffing Impacts (If Required):
N/A
Attachments:
Professional Services Agreement
Exhibit A-Scope of Work
Exhibit B-Insurance Requirements
Information Technology (IT) Resiliency Risk Assessment and Business Impact Analysis Request for Proposal
Related Items “On File” with the Clerk of the Board: