Report 98023 Summary - August 1998
Year 2000 Computer Problem:
Progress May Be Overly Optimistic and Certain Implications Have Not Been Addressed
RESULTS IN BRIEF
As the year 2000 fast approaches, state agencies are rushing to fix their critical computer projects to allow the continued delivery of essential products and services to Californians. However, fixing almost 700 of the State's critical computer projects may not be as far along as reported in the April 1998 quarterly report published by the Department of Information Technology (DOIT) and reported to the Legislature.
Furthermore, many state agencies have not addressed all facets of the year 2000 problem and, therefore, may not actually be ready for the next millennium. Specifically, agencies are prematurely declaring complete critical projects that have not been thoroughly tested. Critical projects are those so important that their failure would cause a significant negative impact on the health and safety of Californians, on the fiscal or legal integrity of state operations, or on the continuation of essential state agency programs.
Thus far, none of the agencies reporting on completed critical projects to the DOIT have rigorously tested their information-technology systems, comprised of one or more critical projects, in an isolated environment where the computer's internal clock is set to dates in the next century to make sure the systems will continue to function after the year 2000. Moreover, several agencies responsible for remediating large, complex systems have yet to even schedule such tests at either of the State's two data centers. While all critical projects may not need this type of testing, we believe the fact that none of the 10 agencies reporting completed critical projects to the DOIT has used such testing on those projects is cause for concern. Moreover, in many cases the amount of time agencies are allocating to test their critical projects falls far short of the 50 percent to 70 percent of total project time and resources that others in the industry have spent on testing.
In addition, many of the State's critical computer projects and systems depend on data exchanges with other entities, such as counties and the federal government. Yet not all agencies have completed the necessary steps to ensure that data transmitted through these interfaces will work seamlessly with the State's computer systems into the next century. Even if agencies successfully fix their own critical computer systems, they still may not be able to deliver expected products and services in the next millennium if their data-exchange partners' systems are not year 2000-ready.
Finally, the managers of most state agencies have yet to ensure that their agencies have established appropriate business-continuation plans in the event of failures or delays caused by the year 2000 problem. Agencies appear to be focusing exclusively on fixing critical computer systems and choosing not to involve the individuals responsible for program delivery in determining what to do if critical systems do not work as intended or are delayed. However, rather than using staff involved with remediation, we believe the managers responsible for the agencies' core business processes should establish work groups of program staff and dedicate sufficient resources to develop business-continuation plans to ensure that the agencies maintain the delivery of essential products and services in the event of year 2000-induced failures or delays.
To ensure uninterrupted delivery of essential products and services to Californians, the Governor's Office should ensure that all state agencies take the following steps:
- Provide the Department of Information Technology (DOIT) with accurate information about the status of their year 2000 remediation efforts. Specifically, the estimated completion dates for each phase of remediation, including final completion, should reflect the agency's best estimate for the actual completion dates and should be updated whenever circumstances affecting a project's status change.
- Thoroughly and comprehensively test the remediation for each critical project. For larger, complex projects associated with systems that support the delivery of services to Californians where interruption would be unacceptable, agencies should also consider testing the system in an isolated computer environment using a time machine. Moreover, prior to declaring a project complete, tests of any internal interdependencies, external data exchanges, 20th and 21st century date recognition, and the impacts from embedded systems, such as desktop computers, should be complete, and the project should be acceptance tested and approved by agency managers responsible for the business functions.
- Protect their computer systems from missing or corrupted data supplied by external parties. Specifically, agencies should identify their data-exchange partners, develop schedules for testing and implementing new date formats, and thoroughly test data supplied by external parties.
- Establish business-continuation planning groups, made up of managers from major business units, experts in relevant functional areas, business-continuation and disaster-recovery specialists, operational analysts, and contract specialists. These planning groups should then follow a structured approach to develop a business-continuation plan for each core business process and infrastructure component affected by the year 2000 problem.
- Continue to collect and analyze information state agencies provide on their overall progress. If, after analyzing the reported information, something appears anomalous, such as too little test time, contact the agency for an explanation.
- Continue to collect information from agencies on their data-exchange partners. In addition, take appropriate follow-up action if it appears that agencies are not testing their interfaces with data-exchange partners.
- Require agencies, as part of their monthly reporting, to indicate whether they have business-continuation plans that ensure that each core business function will continue uninterrupted if the critical computer systems supporting those functions fail to work or are delayed because of year 2000 problems.
The Department of Information Technology (DOIT), responding on its own behalf and that of the Governor's Office, stated that our observations and conclusions have substantial merit. In addition, three of the four agencies we reviewed concur with our recommendations and believe them to be consistent with industry standards and best practices.
The State Treasurer's Office (STO) believes the methodology we used to determine the accuracy of reported project status differs from that used by the STO and perhaps other agencies and, therefore, believes its projects are closer to being fully remediated than was indicated in our report.