A4

ADMINISTRATIVE REPORT

Date: October 11, 2000
Author/Local: R.Fast/7293

RTS No. 01718

CC File No.

TO:	Council
FROM:	General Manager of Corporate Services Group
SUBJECT:	New Position: Manager, Information Technology Security

RECOMMENDATION

That Council approve a Regular Full Time Exempt position of Manager, Information Technology Security, subject to classification by the General Manager of Human Resources, with funding to be provided from the 2001 operating budget.

.
COUNCIL POLICY

Council approves all regular full time staff positions.

PURPOSE

The purpose of this report is to recommend to Council the creation of a new full time regular exempt position of Manager, Information Technology (IT) Security.

BACKGROUND

Every year the City's external auditors, KPMG, conduct a review of internal controls and business processes as part of their annual audit of the City of Vancouver and make recommendations to management on operational improvement.

KPMG, in their management letter related to their 1999 review recommended that:

'the City establish an Information Technology Security Officer with the necessary authority, capabilities and resources to manage Information Technology Security on an enterprise-wide basis. The Security Officer's responsibilities should include coordination and awareness of IT security issues, monitoring compliance with IT security policies, and assisting in the development of IT security policies and standards on an enterprise-wide basis.'

DISCUSSION

Management at the City agrees that there is a need to establish enterprise-wide IT Security Policies and standards in the City of Vancouver and to continue to create security awareness throughout the organization.

Subject to council approval management will establish an Information Technology Security Manager position which will be separate and distinct from IT delivery functions.

The Manager of IT Security will be responsible for directing, in conjunction with the business units, the overall development and administration of security policies and procedures for the City's electronic data processing environment. In addition the following are some of the important responsibilities of this new position:

· Development and administration of security policies and procedures which includes the elements of Technical Standards for IT security, security architecture, information classification, monitoring standards and risk analysis.

· Development of guidelines for implementing security solutions.

· Identification and elimination of security "gaps" between existing policies and actual security controls.

· Ensuring consistency across all City departments re security policy.

· Performing investigations of security breaches, viruses and inappropriate use of IT at the City.

· Ensuring that adequate procedures and controls are in place to protect all IT assets such as desktops, mainframes, client servers and network components.

· Reviewing all significant information technology and electronic data processing related projects to ensure that the project sponsors have allocated the funding necessary to meet current policies and procedures regarding IT security.

· Performing copyright audits to ensure that violations of copyright are not occurring.

· Perform intrusion tests and security reviews of the router and firewall infrastructure.

· Providing system support and consultation on IT Security matters.

· Evaluation of security software prior to purchase to ensure compliance with city policy.

· Assisting with audits of the IT security environment at the City.

· Establish a security awareness program to educate and remind all departments and employees of the importance of IT security and their responsibility for ensuring that risk is minimized.

· Ensure that as technology changes security controls continue to follow industry best practices.

Some of the duties and responsibilities described above are currently not being done while others are being done as part of ongoing IT management in each of the operating departments. The City still needs to develop enterprise-wide IT security policies and, currently, no individual or group is responsible for managing IT security on an enterprise wide basis.

Dedicated Information Technology Security officers are common in most large complex organizations and are important in the management of information technology security risks.

FINANCIAL IMPLICATIONS

The annual salary for this position will be in the $70,000-$80,000 range plus benefits, subject to review and classification by the General Manager of Human Resources. In addition funding will be required for the following and be provided from the 2001 operating budget:

· One time furniture and computer equipment cost - estimated $10,000.

· Annual training and professional development cost - estimated $2000.

CONCLUSION

In today's world of accelerated information processing, global communication and Internet access, consistent and comprehensive enterprise security is important to the continued success of an organization. The safeguarding of the City's technology infrastructure and information is a critically important component of corporate strategy in helping to support our business objectives and ensuring that information technology risks are appropriately managed and mitigated.

The creation of a regular full time exempt position, Manager Information Technology Security, is also in response to our External Auditor's review of the City's Information Technology environment

*****

General Mgr./Dept. Head:
Date:
This report has been prepared in consultation with the departments listed to the right, and they concur with its contents
Report dated:	October 11, 2000
Author:	Roger Fast
Phone:	7293
Concurring Departments

(c) 1998 City of Vancouver