The city has a fragmented approach for the recovery of critical IT systems in the event of a major earthquake, fire, terrorist attack or other disaster, Galperin's report found.
"While the city has a robust Emergency Management Department, and individual city departments have their own emergency plans, what’s critically missing is a plan to maintain the key IT operations that underpin everything the city needs to do when disaster strikes, Galperin’s report stated.
He recommended that a steering committee develop a citywide approach to IT business continuity and disaster recovery. The group would bring together the silos of individual departments’ planning.
"With the safety of 4 million people at stake, we need to protect critical IT operations if we don’t want all of our other emergency planning to be compromised," he said. "This report shows we still have work to do.”
Nine IT systems — including the LAPD’s dispatch and network communications systems and the city’s financial management and payroll systems — were identified as critical due to their impact on public safety and services for Los Angeles residents. The report assessed IT disaster recovery plans for nonproprietary city departments and whether Los Angeles’ IT systems are positioned to continue to function after a disaster.
Galperin also urged more spending on the city's IT as critical infrastructure, noting that IT is more than just software or computers. He suggested using bond financing instead of relying on year-by-year budget requests, which often fall short of critical funding needs.
Officials in the Information Technology Agency (ITA), Emergency Management Department (EMD) and LAPD agreed with findings that city departments should coordinate on IT disaster recovery, and they have begun implementing several of the recommendations.
"The resiliency of our communications infrastructure is crucial for the continuity of government and operations for response and recovery," said Aram Sahakian, general manager of the Emergency Management Department. "Effective emergency response depends on communication, and the consequences of communications infrastructure failure during a disaster can be the difference between life and death for those affected. Investing in our city’s IT infrastructure and building alternate communications methods to back up our primary systems are critical."
Ted Ross, CIO and general manager of ITA, agreed.
“As technology becomes more essential to LA’s operations, continued investment in IT disaster recovery is important to ensure city services are available during an emergency,” Ross said.
The audit's key findings:
- Los Angeles does not have a formal citywide IT disaster recovery strategy or business continuity plan.
- Responsibility for IT business continuity and the corresponding disaster recovery is fragmented; no one city agency is responsible.
- Department-level staff do not participate in planning or testing and lack formal IT disaster recovery training.
- City IT disaster recovery planning and testing does not include an adequate number of disaster scenarios.
- Clarify the role of EMD as a lead agency for IT disaster recovery planning.
- Develop and implement a citywide recovery strategy and IT business continuity plan.
- Require key city disaster recovery personnel to undergo training and participate in disaster recovery testing plans and test cases for a variety of scenarios.
- Ensure that core infrastructure components are redundant; back up both data and systems; and facilitate remote access so that IT interruption is avoided or minimized in the event of a disaster.
- Increase funding to expedite an upgrade of key IT infrastructure.