HomeMy WebLinkAbout7 Proposed New PositionAgenda
TRUCKEE DONNER l
Public Utility District
WORKSHOP
To: Board of Directors
From: Ian Fitzgerald
Date: February 13, 2019
Subject: Consideration of Adding a Cyber Security Position to the
Information Technology Department
1. WHY THIS MATTER IS BEFORE THE BOARD
This informational item is before the Board to request consideration of a proposed
addition of an IT Security & Applications Manager position.
2. HISTORY
In the last decade, the District has heavily invested in technology as a way to improve
the business of the District. Technology has revamped the way the District does
business today; reducting costs and improving efficiencies. Examples include:
SCADA, which allows for the automation of commodity delivery; AMI, which has
improved transparency with our rate payers; GIS, which has reduced operational
response; or Business Intelligence, which has enhanced decision making process
through the correlation of data. With each new technology, and business reliance on
technology, however, the risks of a cyber security attack against the District increase
exponentially.
In addition to increasing this attack surface, recent industry events in the last year
have highlighted the real continuing threat of cyber security attacks on critical
infrastructure in this country, particularly electric and water utilities. In early 2018, the
Department of Homeland Security released a report into the public realm that
described how foreign adversaries, had successfully hacked into eight United States
energy companies and had operational control of some electric infrastructure. Later
that year, it became public knowledge that PG&E was fined $2.7 million dollars as a
result of a cyber intrusion that exposed the network design and user credentials of
their SCADA system. Even a mundane ransomware attack, like the one on the City of
Atlanta in the summer of 2018, can have significant financial costs. In this case, the
attack cost the City of Atlanta's taxpayers $17 million dollars in lost wages and
recovery costs. These threats have potential risk to both the District's infrastructure,
budget and customers.
Staff has explored the benefits of adding a position whose primary responsibility would
be to protect the District's IT Infrastructure. The need for securing information assets,
system assets, customer data, and other critical information is increasing quickly, and
is the key responsibility of an IT security professional. In addition to the need to
continually improve the security of the District's digital assets, there is also an
identified need to increase service efficiencies and backup capabilities of existing
borAvAll fult msl;q
ff'trrmrR°o�lwsft�*T
v -Itoq ' [q f, 1'4 48-K" "r'kr' ILftip." 4 OlWA 64: qI'Sw P 1 Me#
"Mc a . s
$ ffl► ' er �. t �` s�r''��= , ro L' Vf 1l "JWJMI V f 't' iltFr 16 r�f M P�" 7 4RO flee J TV
for = I,akjatti 'W j VILerg .Mq"-,O `►.,t .�f+��+.� =Ait [,-v WE OZW - `aft
? 1G$'# + ' wd 1 rl":►s° f lrY'� �`�fi bur n� ' ."qb . R rNI� � T Ald
y��y�y'�f ,y*% Igo' � �.'$+t_�_,mq " 10 _,Q*4—;-K � O _ oat ii� at .A Fvr�4 , �lft- }�. G AL.i
���yyF��Nyy��W��.�. S�k �'{.1 t7 yy , -, �' 9 .{4�RR��iSi 7> s "_IF''{�T= rIW Ti - �s ry (�� L'!'FSviigATI
r10 '-'t ` w'Al a to, wuw~ " r�w .1 °4m 60 TT
,j�Oif -31 ti€�r' try` Gig► lot =i fill
tom��.{{ to r / r'a •,sky D � ak vr* to fimtvt7 y° 1� y :s j� �'�',l' 4.4� try �-�yvbfi
4fli' ,a �^. rl *ham. k .CI"?T H�"d RI ,�:' i�L'-�!!R ,Jl T' 1l.�iwtl� F M "�CrJW �:.�iJ#' 4' +5►►'� �a� �ty: `7�+�
1 y f r E ..�!-`c° wv i ti1`,i S�QF;�Y� J3 F., [ y.�vh Sii� `��f. sif'', i, . K 10
r�rfy���w41�y,,.������
&tNTI t'V 1tC} ` mo
0
_tv v fir[ 1st. - n9, �ef7 4� .jy 'm 0 i 1 t A + , itkw1jol ?, -AJVCt ' To t"QVW
ts, _ r Oft rr -I k_' SIV e)[F °*704 3 a+r�a�� ti� � E' f►r�►- 1►'a��t
�t'1't -��° �,� �t•°:# � _� F��. S �'s.�� ° � Eti�rY[�r ��+ J t"[9� � "`` `�o *��'"��+' � ���[ �,a k��.�r�lf4
6 mimc4aij, I: "4 "J
�,w-AN � , apt r. rf"} a off[ � �► > � t � '��
}jam, �.��',`y�o+,tp�i �k7�i'�31t;FLyk:, 'titl'riii-P .�yr3t7[�'..[g
of Idoe + e�M oT t�� ° ►4 - k L-7 � .%t I- ` I rw to j°tiA' �` ' m ' of it #
3. NEW INFORMATION
Staff is proposing a new IT Security & Applications Manager position within the IT
department. The proposed IT Security & Applications Manager position would perform
the complete design, implementation, troubleshooting, and maintenance of both the
District's security and business application infrastructure.
This position would also fill the mid -level management structure in the Information
Technology department, as seen with other departments within the District. The
primary driver for this hierarchal setting is to increase efficiencies and backup
capabilities to the Information Technology Director / CIO.
As proposed, some of this position's duties and responsibilities would include:
• Develop strategies to respond to and recover from a security breach;
• Develop and implement tools to assist in the detection prevention and
analysis of security threats;
• Monitor networks and systems for security breaches, and perform follow-up
investigations;
• Perform awareness training of the workforce on information security
standards, policies and best practices;
• Aid the IT Director in
o Planning of budgets
o Continued development of the IT Master Plan
o Vender management and contract negotiations;
• Configure, administer and support all components of Citrix infrastructure;
• Configure and administer varying business application suites;
• Continue department leadership during IT Director absences; and
• Backup the primary responsibilities of the IT System Engineer.
A more detail outline of this position's job description can be found in Appendix A - IT
Security & Application Manager Job Description. This proposed position would report
to the Information Technology Director / CIO.
4. FISCAL IMPACT
An in depth analysis has been completed to determine where to fit this position into
the District salary ranges. Multiple objectives were considered when performing the
analysis:
1. Stay consistent with the 2017 salary survey in terms of using comparable
Utilities and positions at a 75th percentile of total compensation (Salary +
Benefits);
2. Identify a salary range that would be attractive enough to recruit higher than
average talent in a high -demand profession across all industries; and
3. Identify a salary range that would provide a retention incentive, so as not to
have continued turnover is a position that is critical to the safety of the District
and its customers.
The result of the analysis concluded that the proposed salary range for this position
should be M46 which scales from $124,728 - $151,608 / year. Resulting data to
s
4
4noT%hMt-'4441 WM
h"r{{f ym)wumj°
�"� �"`,�#� �t�a `� [�i' �f`i°�"� 4 " �~ `15�� "7l 'f °LISIPdG`� _K � N f 7 =�' !�� � � °- � `�s7 IW' ' `ri �•"+ A k �'�9 1��I)P+'r�,
e
° irr `' ric hl tti ° 1jl:w ;j r-#rA
_if'
�k 1! °.�f i!}��C' el �i►�r►r�+74��{�:' :' a �r�� .3"i't�y a. ��.(h `) �'3r k°YL�' �1t1� a"-�
'3*r.w'ro`iem7 tea° {%j q i rixA , i3adpi ° iw'J s vj,,n e io� b1fu
kTka ` Di. - 10 R " �Wf L'u, r
Z.M'JFO;,�' ° , °Ctiw E ear
rF�ftl �a=�u el',MlV4103 &Tti
`a 'Y FLg3rr3-ftG Tativ,10'n 1 r ql.)m4 r -* Iaq,�t } i istiif[g+d" �fa� p
%ailvIA d ��Y6 ` rW3o a�;Mdii:ragow yisf+ v` n 'xr� of ,4PEa r m
"14AVr` G ° A"A ! A Fh
Wf.r g3Lj(,t4,,a �t�e�4[ :.;°- i[. `F�� 1�7J► 4�v� '_t�L9�r
trod 'rAui 'AQWA" t-s; �Uwt °� °��1rx} �;=ft vj .sit°oe °DJV k�-f'r 4�Citi•'_ � f4A7 i
irgif. ,z;irr7istt-ir ,PF m,` r, rf r urfg
ul I c n as vi� ' l!'1 r "vli li9 F,,* a �'4 : ear I Gdr' t! glolleW
support this includes:
- A salary that will be 11.23% below the 75th percentile of comparable
salaries;
- A total compensation package that will be 3.36% above the 75th percentile
of comparable salaries;
- A salary that will be 2.82% below the median of comparable salaries; and
- Over 500 open positions for a IT Security Manager positions nationwide; a
majority of which do not show salaries which is an indication of high
competition.
You will find in Appendix B - Salary Survey for IT Security & Applications Manager,
more in depth details.
This expenditure will be fully funded in the next budget cycle.
5. RECOMMENDATION
Provide input and direction to staff.
Ian Fitzgerald
Information Technology Director / CIO
Michael D. Holley
General Manager
A
4r.-lT7f1"4 "'21V JrLr ' V`�W } ' --L� it�V Jp° U 'tsal .
o !WlbW '3t4r W -,m a`,
! rgle In. s ►c i � � .� �' r s r� tc�r� �n t'' t �r fc t c
f
' atuh iv vtow
»�y� } dip fig z
Appendix A - IT Security & Applications Manager Job Description
Truckee Donner Public Utility District
Job Description
Job Title: IT Security & Applications Manager
Department: Information Technology
Reports To: Information Technology Director / Chief Information Officer
FLSA Status: Exempt
Job Summary Under general direction from the Information Technology Director / Chief
Information Officer, the IT Security & Applications Manager primarily performs the full -stack
design, implementation, troubleshooting, and maintenance of the District's cyber security,
physical security, and business application infrastructure. Secondary responsibilities will to be to
assist the Information Technology Director / Chief Information Officer in the strategic planning
and budgeting of the IT department. This position also serves as Acting Information Technology
Director during any absences of the Information Technology Director / Chief Information Officer.
The position will demonstrate excellent technical competency, reliability in delivering mission
critical infrastructure, and continually ensure the highest levels of accessibility, optimization, and
security. Qualified applicants will have a strong background in cyber and information security,
virtual desktop infrastructure, and application support. Trains staff on the use of technology and
proper security procedures.
Essential Duties and Responsibilities include the following:
Information Security
a) Develop and carry out information security plans and policies
b) Develop strategies to respond to and recover from a security breach
c) Develop and implement tools to assist in the detection prevention and analysis of
security threats
d) Perform awareness training of the workforce on information security standards,
policies and best practices
e) Installation and use of firewalls, segmentation, data encryption, authentication and
other security products and procedures
f) Monitor networks and systems for security breaches, and perform follow-up
investigations
Application Administration
g) Configure, administer and support all components of Citrix infrastructure including
application publishing, system monitoring, troubleshooting, end user support, license
monitoring, and system documentation
h) Configure and upgrade Windows desktop images deployed through Citrix XenDesktop
E�Z
T 40t
01�q�
k'� � � f�,! • ��' � i!'.i�'wn+k'kT� �k `��� r"*1k� E d��r�r r,��� ,n�7,.
mow k,r+rr
zI jip,1 " oe a'RJrm -si'tu"I XA14,m,.. d A ,y��,.�] h'�y}�`gT7 f --: 4d6,V7 i 'SF 411 h ' -mod % �a
TOM* P-Ie4laki C IV-A� i Qc ,47, F r 'fit. `+rr �r ��°1I iw,, e4-%rL-Vjt, N'd -,IN
T T �k`itl- -J?H- —47't lua:sst°'I I `1a.��1s3T Sq gti Cs� s
� a
°`�� ��5}`" ��+�l�1�` �i� � ft�`t `��,� IV, �•I LE�7� I��3��}U`x' � ��° #� �r""�.��E'° �1�� '��' v ��
4 Vm Qr° `f V-A,:' t, a& i ° flu
S. fm, S9 -,bv, 4 +� I'll `fix - j ttt°� IGp, v p rii�t& S t T h ° . s ET a el�t� � aPfvv ° a
=T"V
�' > ° �
i) Configure and administer varying business application suites including but not limited
to: ERP, AMI, MDM, HRIS, and Document Management
j) Assist with system administration tasks, including server upgrades, patch deployments,
application architecture review / design and general best practices.
k) Document and inventory of all business systems and applications
1) Provides classroom and individual training in various software applications
Management
m) Participate in strategic planning with the department director
n) Participate in creating a budget for the department and maintaining it throughout the
year to ensure spending is within set limits
o) Tracking department expenditures and identifying problem areas or opportunities for
improvement
p) Giving presentations to employees to educate them on new initiatives, procedures, or
projects
q) Assisting the department director as needed with all projects and duties
r) Offering assistance to other managerial staff within the company
s) Acting as a department or company representative to other departments, business
partners, stakeholders, and the public
General
t) Desire to work alongside the team to help design information and operational support
systems
u) Ability to be a self-starter. Initiate new technologies, research, and continually increase
knowledge and education
v) Consistently and successfully provide support to internal customers
w) Excellence in communication as a liaison with vendors and other IT personnel to
resolve issues
x) Provides Level 1 & Level 2 General IT Support
y) Performs other duties as assigned
Supervisory Responsibilities
Serves as Acting Information Technology Director during any absences of the Information
Technology Director / Chief Information Officer.
Qualifications To perform this job successfully, an individual must be able to perform each
essential duty satisfactorily. The requirements listed below are representative of the knowledge,
skill, and/or ability required.
1. Bachelor of Science from in Computer Science, Engineering, a similar field or equivalent
experience. Master degree or MBA preferred.
2. Three years in an Information Security role or equivalent
li
SO S :7'a tip" +v'4ib,i;), ' Sia+ fi ,'t,a .:'St ,k r1�fj 1-d j2fCkelt,'
13
Cfh7fC, G is Ireav,itF-%) l:�`#�
°'y,tA',�'�o �'a� �t!�'�"�Y dt`����ix+"ilf''�,'`�-' �[''�[ 4�...°� °�>�`lr[',a .`�fw�h-"��, . d� t�►o� 'T'�}.' r'�
�"Ix�°•LrS ro`] iilt, .,AIgr.% .oQrria �4 is k9 s : 0 •s1+ 1� re f
r
G � �� _ ,+r�" r' � �J• k? , ��v� Y rd r tf1� ti�a'► s� �' �t'��'rSl: � s . 8rt�i �!(G "''.I '�,
tcl;ly 4, f ' foiln s.2,"j4ij�jovlU t; bnL i
a
iff WINS
"Itylja5ej ifr ��r, �'• y t'(�s r l"a, j °t,qG � � a�E rf Ly2 Lksrl i Ylw
Sri a Thu•-UO€ "� €� P . .6�,y;,. r p,• f� rlqwtl 7 rTl k t( P- Orfj q + � °
mp�,�� +
iftll
i CL':• q ` Ct- t "TA P+c77 �Tl �Ca°i [ .' rua�t.;
rrf�� G fit, ° + [ ii a
,.�.��rPoP �11 �., L' Sif ,Fj] i °'�+517,�.aLI `�{�� F � ,�a Y��. P N
'a S :' 1 fl .�{�$�i�' ice! �' E ,��+"! .��y� 1��i "J�� '�s�•"f *�i ��1i111 i'SI�'ii - ;�� �'3� i!� �o � C Lt
r i r�#r�°rr�ir" Cad-�4
° s
e";4
oL k v.7y l� v(, .0 � �'th {i+ ti �C`t---v, _i �:!r, ,s1 � a'C� 'tl ° °t�� ;1"A IN., t ILA+'
#� ,o-� ely't�• w L'S ` =ice ']`� ! � �lPi • s� °.°� �'V � �'' sY ti ° i; {a�T}� -��'��°_rs �#s �� ; C a'tri tr1�[t°; G°" �`Kr�' � 1$E til�i';1�
e i� l`_s,7 ".�`.� 1�b "�..]* �'� `�; , i7 : °L �� r �°�1•e�' � '��PT�r•t� � j �'�� � • o + " o �� �s �� '�' ° i[f1�� ° C
M,
3. Evidence of Security certification (e.g. GIAC, Security+, CompTIA, MSCE Security, CCNA
Security)
4. Evidence of experience with virtualization of desktops and applications
5. Thorough knowledge of the principles and techniques of security applications
6. Possession of a valid driver's license and satisfactory driving record as a condition of initial
and continued employment
Physical Demands The physical demands described here are representative of those that must
be met by an employee to successfully perform the essential functions of thisjob.
While performing the duties of thisjob, the employee is regularly required to sit, stand, and walk.
The employee is regularly frequently required to use their hands and fingers to handle or feel and
to reach with their hands and arms. The employee is occasionally required to stoop, kneel, or
crouch. The employee may occasionally be required to lift and/or move up to 25 pounds. Specific
abilities required by thisjob include close vision and distance vision for driving.
Work Environment The work environment characteristics described here are representative of
those an employee encounters while performing the essential functions of thisjob.
Work is performed indoors and outdoors. Indoors, work is typically performed in the office setting
sitting at a desk, working on a computer. Outdoor work occasionally exposes employee to extreme
weather, various types of terrain at job sites (unlevel, wooded, muddy, etc.) noise, vibrations, the
hazards of the construction site and energized electric facilities.
The employee has normal work hours; although, is all -call during emergencies and must be able
to work after regular hours as needed.
Approved
Date
�r'74G'%1�2�38�. ��.7}� �� ��s�4�£'��6 �s� �'�eE 3� `?6js � ,.�� spa����•t0'', °
"J.,* J.rkf4. ,:;' 5.`3- m6&— Ea ,-C Ja"t�L,vt Uw 9fi��1�"vi
aft r 4Ci
�7i�ihf st3ir6 fe, o Cl�'f A `Li ` Ifs V?¢F ➢�EO °# , % JE"a � �� {ff�'d
. � a r: to as+ °. t� �� ���o,_�a t�1 �,!�pv - j� 1 * o p1` y}��#t�
°t * b4 3 F} Idumba ..'fiv E"���{`i tf� oua 1p Eft h fl � o� �,-?
'JJ� •�� `� a t7t� E�F *.��`t �ff�';p�i'�i'�f7��� � � R3+��.� `�'f° [�+�,r�,�+� ,�>�+1�i(ri�
jog
�y � f
91