Mendocino County Grand Jury
• 2015-2016
• Agency Response
Mendocino County Policy 22 – Who Has Access?
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 4 findings
F1
Policy 22 is obsolete and requires updating and formal adoption by the BOS. The CEO disagrees wholly with F1. Policy #22 is not obsolete, the intention of the policy is to provide direction on the procurement of computers, software, and other information services equipment. In that context, the policy provides limited direction on the use of County hardware and software and the role of Information Services staff in its maintenance and oversight. The reference in the policy to use of County equipment for communications was not to establish policy on email use, but rather established the ownership of information transmitted and stored on County-owned equipment. The Grand Jury makes reference to an update to Policy 22 that was presented to the Chief Executive Officer (CEO) in 2010, but was never brought to the Board for approval. Upon receipt of the June 15th version of the Grand Jury report the CEO requested a copy of the proposed revised version of Policy 22. This version of the policy that was provided by the Grand Jury Foreperson was dated 2009. There was a proposed revised version of Policy #22, the most recent version of which is dated May 18, 2010. The 2009 version provided by the Grand Jury was an earlier draft of the 2010 “version” and includes significant changes between versions (a total of 146 words were added or deleted between versions). The 2010 policy was prepared for Board of Supervisors consideration at that time, but due to the difficult labor bargaining environment, the Human Resources Director and County Counsel recommended to the CEO that she not advance the proposed revisions at that time. The revised policy was not brought to the bargaining groups for meet and confer or subsequently to Board for consideration since that time. As mentioned above, much is made in the Grand Jury’s report about the proposed revisions to Policy #22, however the irony is the 2010 draft version does nothing to address the allegations upon which the report is drafted. Even if the allegations in the report were true, they would not have been resolved by the Board’s adoption of the proposed policy revisions to Policy #22. Based on this, it is difficult to understand why the Grand Jury provides such detail on the proposed revisions rather than identifying any facts to support the findings. The most recent version of the Grand Jury report states, “In 2016, the CEO informally established a procedure for such access, but the updated policy has not been formally presented to, nor adopted by the Board of Supervisors.” There are several clarifications that need to be made from this language. The CEO procedure was established and implemented in April of 2015, not 2016. This was done based on the CEO’s concerns about the potential for abuse under the previous procedure which allowed management access to the Unlimited Mailbox upon request from a Department Head. The CEO established procedure, put in place in 2015, is summarized as: requests for access to the Unlimited Mailbox are submitted to the Information Services Division of the County Executive Office, the request is forwarded to the Assistant CEO for approval or denial, and the Assistant CEO then notifies the CEO of the request. Information retrieved during a search is then provided to the requesting department head. Further, the Grand Jury should understand the difference between a policy and a procedure. The sentence 3 referenced above conflicts the two. A policy is a framework established, generally by a legislative body, upon which procedures are created, generally by staff, in order to implement the said policy.
No recommendations for this finding
F2
The current Unlimited Mailbox software does not adequately allow for super-user segregation of certain sensitive email accounts, e.g. Sheriff, DA, County Counsel, Board of Supervisors, Grand Jury. The CEO disagrees wholly with F2. As outlined above, the entire premise around the Unlimited Mailbox as described in the Grand Jury report, is erroneous. The Report appears to allege that all County management staff are “super-users”, or can be granted that access upon request. However, County management staff at-large, do not have privileges in the Unlimited Mailbox email archive beyond viewing their own mail history. The County email software is comprised of two separate, interrelated systems: GroupWise and the Unlimited Mailbox email archive. GroupWise is the main email system, active since 2003, responsible for delivering and receiving mail and providing individuals access to their mailboxes. Unlimited Mailbox is the email archiving system, installed in 2010, which holds historical email retrieved from GroupWise since Unlimited Mailbox’s installation. Based on the facts surrounding email searches, there can be two interpretations of the Grand Jury’s use of the term, “super-user”. Discussion of access to email must differentiate between GroupWise and Unlimited Mailbox, and in this finding, the access methodologies and practices of the two systems are being confused and misrepresented. One interpretation of super-user would be an individual that can search the Unlimited Mailbox archive (all emails stored on the County email servers). This authorization, described as Archive Mail Auditor, is granted to three individuals in the County system, the Information Services (IS) Division Manager and two of the IS Network Systems Analysts. The Unlimited Mailbox email archive, when searched by one of the three authorized Archive Mail Auditors, allows undifferentiated access to all archived mail, as is typically required to fulfill litigation and Public Records Act (PRA) requests. The “super-user” level of access is required to search the total archive of County-owned information. Search requests for information under the Public Records Act (PRA), litigation related information, or management information are submitted through either County Counsel and/or the Executive Office and are approved for search of the Unlimited Mailbox by the Assistant CEO, who in turn notifies the CEO. Archive Mail Auditors then produce results which may be redacted by County Counsel to exclude confidential material that is part of those search results. Upon request managers are allowed access to an employee’s GroupWise mailbox provided that they are a direct supervisor of that employee. This access does not extend outside of the specific requested employee, and is most commonly the result of an employee being on vacation or extended leave. Access to an individual user’s GroupWise mailbox can be controlled by the user, and by IS Network Systems Analysts. This is the system for which managers can request 4 access to an employee’s mailbox, in case of absence, termination or investigation. Access can be granted to an individual employee’s mailbox, without granting the manager access to any other employee’s email. Granting access to a user’s GroupWise mailbox does not grant access to the employee’s archived mail or mail from any other employees in the Unlimited Mailbox system. It is also important to note that the Grand Jury identifies a few departments that often handle sensitive information, “e.g. Sheriff, DA, County Counsel, Board of Supervisors, Grand Jury.” While all County departments handle some sensitive information it cannot be assumed that when a department handles some sensitive information, all of the department’s information must be segregated. In using the examples provided by the Grand Jury, each of those departments handles sensitive information in conducting County business, but not all of it is considered confidential. As an illustration, the Board of Supervisors has confidential email communications related to legal issues that are protected by attorney/client privilege. However the vast majority of the email communications are not sensitive and are considered to be public information. Likewise the entirety of the communications within the Sheriff’s Office or County Counsel’s office are not considered confidential. The Grand Jury’s apparent assumption that a “segregation of certain sensitive email accounts” would be acceptable, is a step backward in providing the statutorily required public access and accountability of government operations.
No recommendations for this finding
F3
The limitations of the County email software that allows unrestricted super-user access to employee email by County management puts the County at risk for violating the protected nature of some communications, lends itself to abuse by County management, and exposes the County to unnecessary liability. The CEO disagrees wholly with F3. Again, the current Unlimited Mailbox software does not allow County Department Heads or management unlimited access to the email system as alleged in the report. Unrestricted access to the Unlimited Mailbox email archive is currently granted only to the three employees in Information Services who are Archive Mail Auditors. County managers who need information from the Unlimited Mailbox email archive submit their requests through the Executive Office; requests are then approved or rejected by the CEO’s office. By current procedure, County managers can only search their individual mailbox in the Unlimited Mailbox Archive. The nature of many aspects of County business includes the handling of protected information. The day-to-day responsibilities of County employees include the opportunity to violate the protections afforded the information and/or communications. The process instituted by the CEO in 2015, reduced the risk of any violations around sensitive information from the procedure in place previously. The report makes several references to legal risks and exposure to unnecessary liability. While the Grand Jury does not provide any specifics on what risks or liability they foresee, the Chief Executive Officer believes there is minimal exposure under the current process. 5
No recommendations for this finding
F4
The current bargaining ground rule that allows employee access to the County’s email system for the purposes of bargaining is in direct conflict with provisions of Policy 22, which does not permit email use for non-county business. The CEO disagrees wholly with F4. Finding #4 is both confusing and inaccurate. The finding references “The current bargaining ground rule…” The report does not specify a specific ground rule, likely because the County does not utilize formal “ground rules”, nor has it done so for at least eight years. Based on this information, it is impossible to determine the basis for the reference used to justify the finding. Further, the non-existent ground rules cannot be in conflict with Policy #22, because the policy does not address electronic communications in any significant way. The policy is intended to address procurement issues for information services equipment and infrastructure. Finally, bargaining is considered County business and email communication, within certain parameters, is allowed through County email. This is not in conflict with Policy #22 and it is certainly not in conflict with bargaining ground rules that do not exist.
No recommendations for this finding