Budget & Performance Subcommittee March 11, 2016 1 Dr. Carlton - - PowerPoint PPT Presentation

Budget & Performance Subcommittee March 11, 2016

1 Dr. Carlton B. Goodlett Place, City Hall, Room 305 San Francisco, CA 94102

1

AGENDA

• 1. Call to Order by Chair
• 2. Roll Call
• 3. Approval of Minutes
• 4. FY 2016-17 & FY 2017-18 Budget Presentations
• 5. Discussion and Action: FY 2016-17 and FY 2017-18 Non-General Fund Project

Recommendations

• 6. Discussion: FY 2016-17 and FY 2017-18 General Fund Budget Projects
• 7. Public Comment
• 8. Adjournment

2

• 3. Approval of Minutes

Action Item

3

• 4. FY 2016-17 and FY 2017-18 Budget

Presentations

Theme: Network

4

Project Objective.

In order to meet the higher network bandwidth needs to support airport operations, Public Wi-Fi, airlines, and tenants the SFO network access switches must be upgraded to support 10G links. The current access layer network switches have a limit of 1G.

Major Stakeholders

• ITT
• Revenue Development
• Aviation Management
• Terminal Management
• Airlines
• Tenants

AIR - Access Layer Refresh 10G

5

Problem Trying to Solve

Overall network bandwidth demand has steadily continued to rise in order to accommodate Public Wi-Fi traffic, and to meet the network demand of the Airport Commission, airlines and tenants. In order to meet this demand the SFO network access switches must be upgraded to support 10G links. This will help mitigate any future network service degradation that could be caused by network traffic congestion.

AIR - Access Layer Refresh 10G

6

Project Implementation Stages/Phases

AIR - Access Layer Refresh 10G

Phase 1 Phase 2

Dates: July 2017 – June 2018 July 2018 – June 2019 Description:

• Complete design for Phase

1 implementation

• Procurement, provisioning
• f Phase 1 equipment
• Customer coordination for

Phase 1 upgrades

• Complete Phase 1

customer upgrades

• Complete design for Phase

2 implementation

• Procurement, provisioning
• f Phase 2 equipment
• Customer coordination for

Phase 2 upgrades

• Complete Phase 2

customer upgrades

7

AIR - Access Layer Refresh 10G

Project Budget FY 16-17 FY 17-18 Number of FTE FTE Classifications Salary & Fringe Software Hardware $1,500,000 $1,500,000 Professional Services $350,000 $350,000 Materials & Supplies Unknown at this time Unknown at this time Total Project Cost $1,850,000 $1,850,000

8

Project Objective

Implement a Dense Wavelength Division Multiplexing (DWDM) infrastructure which is a technology that puts data from different sources together on a common optical infrastructure. This solution will allow network bandwidth services, such as Metro-Ethernet, and SONET to be converged across a common optical

• infrastructure. DWDM will provide a more efficient utilization of existing fiber infrastructure, alleviate

network capacity constraints, ease provisioning and network troubleshooting, and will meet the expected technology standard to match the requirements of the airlines and tenants.

Major Stakeholders

• Airlines
• Airport Revenue Development
• ITT

AIR - Dense Wave Division Multiplexing Transport

9

Problem Trying to Solve

The rapid growth of in the number of airline carriers and changing nature of airport business necessitates: a) Better utilization of existing fiber b) Alleviation of network bandwidth capacity constraints c) Accurate measurement on infrastructure usage d) Faster provisioning of new service requests The implementation of DWDM technology will allow for a more efficient utilization

• f existing fiber assets and alleviate bandwidth capacity constraints on the SFO

Network.

AIR - Dense Wave Division Multiplexing Transport

10

Project Implementation Stages/Phases

AIR - Dense Wave Division Multiplexing Transport

Phase 1 Phase 2

Dates: July 2016 – June 2017 July 2017 – June 2018 Description:

• Complete design for Phase

1 and 2

• Procurement and

installation of Phase 1 equipment

• Customer coordination for

Phase 1 migration

• Complete Phase 1 customer

migration

• Add new services
• Procurement and

installation of Phase 2 equipment

• Customer coordination for

Phase 2 migration

• Complete Phase 2 customer

migration

• Add new services

11

AIR - Dense Wave Division Multiplexing Transport

Project Budget FY 16-17 FY 17-18 Number of FTE FTE Classifications Salary & Fringe Software $228,000 Hardware $5,572,000 $4,550,000 Professional Services $1,200,000 $450,000 Materials & Supplies Unknown at this time Unknown at this time Total Project Cost $7,000,000 $5,000,000

12

Project Objective

• To improve Wi-Fi coverage, capacity, performance and availability in the International

Terminal for passengers and airline operations, Customs immigration processing, baggage handling & reconciliation, and all other airline Wi-Fi indoor and outdoor requirements.

• To identify and eliminate Airfield Wi-Fi interference caused by signal injection from

disparate Wi-Fi networks. Interference has a negative impact to Airfield operations. Major Stakeholders

• Passengers
• Airlines
• Custom Border Patrol & Immigration
• Airport Operations

AIR - Wi-Fi Improvements

13

Problem Trying to Solve

• Flight delays caused by insufficient operational Wi-Fi coverage required to scan, route and

load baggage.

• Flight delays caused by Wi-Fi inference between disparate Wi-Fi systems.
• Wi-Fi coverage in the International Terminal, gates, baggage make-up locations and ramp

and baggage loading areas is significantly insufficient for Airline operations, baggage processing and passenger public Wi-Fi access.

• There is no public Wi-Fi in the Custom Border Patrol and Immigration Service area. Wi-Fi is

required for mobile passport processing, which reduces passenger processing time.

• Below The Wing baggage loading is adversely affected due to Wi-Fi interference between

Boarding Areas G and F. This problem contributes to airline delays.

• Current Wi-Fi infrastructure in these areas is greater than 10 years old and difficult to

support, maintain and keep secure.

AIR - Wi-Fi Improvements

14

Project Implementation Stages/Phases

AIR - Wi-Fi Improvements

Phase 1 Phase 2 Phase 3 Phase 4 Dates: October 2015 March 2016 August 2016 August 2017 Description: Solicit Wi-Fi

• perational

requirements & procure Wi-Fi design, engineering and implementation Professional Services. Design and Implement Wi-Fi network for CBP and International G gates, outdoors and baggage make-up

• area. Resolve

Airfield Interference between G and F gates. Design and Implement Wi-Fi network for International A gates, outdoors and baggage make-up areas. Design and Implement Wi-Fi network for the International G and A Arrivals and Departure levels and Above The Wing airline requirements and Airline and Airport

• perational indoor

requirements.

15

AIR - Wi-Fi Improvements

Project Budget FY 16-17 FY 17-18 Number of FTE 4 4 FTE Classifications 1x1054, 2x1044, 1x1042 1x1054, 2x1044, 1x042 Salary & Fringe $378,000 $378,000 Software $1,000,000 $400,000 Hardware $1,600,000 $1,500,000 Professional Services $1,200,000 $800,000 Materials & Supplies

• Total Project Cost

$4,178,000 $3,078,000

16

Project Description

To improve Wi-Fi coverage, capacity, performance and availability in the International Terminal for passengers and airline operations, Customs immigration processing, baggage handling & reconciliation, and all other airline Wi-Fi indoor and outdoor requirements. To identify and eliminate Airfield Wi-Fi interference caused by signal injection from disparate Wi-Fi

• networks. Interference has a negative impact to Airfield operations.

AIR - Wi-Fi Improvements

Status Comment Scope Schedule 25% Complete Budget Total Project Cost Total COIT Funding Total Other GF Funding Total NGF Funding Total NGF + GF Funding Total Spent $6,460,000

• $6,460,000

$6,460,000 $2,500,000 Project Start: October 2015 Project End: August 2017

17

Project Objective Replace Water Enterprise radio system Major Stakeholders Water Enterprise in 7 counties of Northern California

SFPUC Water Radio System

18

Current state (SFPUC Wastewater, Power Streetlights, and Customer Service use the high band CCSF system. The City Distribution Division also uses the CCSF system to support the Fire Department. No planned changes.) In the other 6 counties and for City Distribution daily ops, a legacy low band radio system is in place. Low band system has limited functionality, is hard to use, is not inherently portable and is not ideal for use during a major event.

SFPUC Water Radio System

19

How will we solve it Retained AECOM Consulting to advise

• Best known and planned option: Lease space on a non P25 Commercial UHF

Radio system with DR priority, guaranteed coverage and SLAs

• Includes radios, maintenance and refresh
• 5 year lease
• Once the new system is up, SFPUC will investigate future options

Other options not fully played out yet

• Build a system or
• Lease to own

SFPUC Water Radio System

20

Project Preliminary Implementation Stages/Phases

SFPUC Water Radio System

Phase 1 Phase 2 Phase 3 Phase 4 Dates: April 2016 August 2016 January 2017 April 2017 Description: Create RFP Evaluate Proposals Complete Contract Implemented

21

SFPUC Water Radio System

Project Budget FY 16-17 FY 17-18 Number of FTE

• FTE Classifications
• Salary & Fringe
• Software
• Hardware
• Lease

$1,365,000 $1,365,000 Materials & Supplies

• Total Project Cost

$1,365,000 $1,365,000

Internal Project Manager 50% time on lend from Water SFPUC IT and PM will perform UAT and vendor management

22

• 4. FY 2016-17 and FY 2017-18 Budget

Presentations

Theme: Security

23

Project Objective Advance SFPUC Information Security Major Stakeholders Water, Power, Sewer

SFPUC Information Security Enhancements

24

SFPUC Information Security Program Current State

• 5 networks, some are isolated, some are connected with firewalls
• 12 Security Policies (Data security, hardening (4), BYOD, Password, Lock

Screen, Sys Admin, Patching, Provisioning/Deprovisioning, Incident Response,

• Misc. (Remote Control SW/Cameras/Antivirus/Web Filtering/Net encryption)
• External and internal penetration tests done ~ every other year

SFPUC Information Security Enhancements

25

Current SFPUC IT Security Roles & Responsibilities 1) CISO and Analyst – identifies vulnerabilities, educates & stays abreast of threats 2) Technical (Infrastructure) Operations:

• Web filtering, Anti-Virus, secure remote access, Mobile Device Management
• Server and desktop hardening and patching
• Network hardening, wireless network encryption, firewalls
• Security monitoring and alerting
• New employee orientation security training
• Secure asset disposal
• Help Desk security support
• IDS/IPS systems on main Business network Internet Link & on HHWP Control net
• Closes most vulnerabilities on Business and Water SCADA nets

3) Business Applications - Completing provision & deprovisioning workflow 4) DBA’s – Secures databases

SFPUC Information Security Enhancements

26

Enhancements 1) Expand Intrusion Detection and Protection (IDS/IPS) / Next Generation Firewall (NGFW) to our 3 other Business Network Internet points of presence and to the firewalls where we connect networks. Replace the IDS/IPS that we have on our primary Business Network Internet presence. Considering Cisco and Palo Alto NGFWs. 2) Our HHWP team has Rapid 7 on their Control network for NERC CIP compliance. Implement a vulnerability management tool such as Rapid 7 or Tenable. These tools have different strengths:

• Tenable’s Security Center has a continuous security scan capability and some log

correlation

• Rapid 7 has built in Pen testing

SFPUC Information Security Enhancements

27

Some criteria for Vulnerability tool selection are:

• Asset Discovery
• Compliance
• Malware Detection
• Anomaly Detection
• Integration with Patch Management, MDM, and Threat Intelligence
• Alerting and Notification
• Vulnerability Analytics
• Vulnerability Mitigation Management
• Assurance Report Cards
• Pen testing

Some criteria for a NGFW selection are: Threat id, low false positives, usability, cost

SFPUC Information Security Enhancements

28

Future SIEM tool? NGFWs on internal network?

SFPUC Information Security Enhancements

29

Project Preliminary Implementation Stages/Phases

Phase 1 Phase 2 Phase 3 Phase 4 Dates: April 2016 May 2016 July 2016 6 months after procurement Description: Choose VM tool Choose NGFW Implement VM tool Implement NGFW

30

SFPUC Information Security Enhancements

SFPUC Information Security Enhancements

Project Budget FY 16-17 FY 17-18 Number of FTE

• FTE Classifications
• Salary & Fringe
• Software
• Hardware
• VM Subscription & NGFW

Maintenance $205,000 $205000 Materials & Supplies

• Total Project Cost

$205,000 $205,000 This is allocated from the annual SFPUC IT consulting and equipment budget Plan to purchase the NGFW for approximately $400K from this years IT budget (Carryovers)

Project Objective:

The airport is a large and complex environment, truly a “city” of its own with +35,000 employees, partners, vendors and

• contractors. Within this “city”, there are administrative, federal,

state and city government requirements. This project will provide airport employees, partners, vendors and contractors a one-password secure and strongly authenticated access to Airport resources and assets utilizing a mobile device-based Multi-Factor Authentication (MFA) solution. Additional objectives of SSO include:

AIR - Single Sign On (SSO) and Multi-Factor Authentication (MFA)

32

Strengthened cybersecurity position

• One user profile to disable at termination, more secure mobile access, users have fewer passwords to

manage, built-in multi-factor authentication to ensure appropriate and current access to information and resources

• Provide secure access by non-commission users and the ability to enforce access to applications based on

network & location

• Support all future Department of Homeland Security/TSA recommendations for authentication and access

as indicated by U.S. House of Representatives Report 114-396, the TSA Reform and Improvement Act of 2015 Create airport ITT efficiencies

• Reduced number of password resets and ability to extend mobile access with little admin overhead
• Manage external vendor accounts and their access to applications
• Integrate airport biometric badging system (current and future), into SSO
• Provide a central dashboard to assign applications, control access, and monitor license and user activity

Increased user productivity

• Improved user experience; less time spent on password resets, same day access to apps and services
• Provide the ability for users to self-service password resets
• Provide one credential to access workstation, email, and applications

Major Stakeholders:

SFO ITT, & all airport users, including: employees, vendors, partners, and contractors

AIR - Single Sign On (SSO) and Multi-Factor Authentication (MFA)

33

Problem Trying to Solve:

• 1. Simplifying access to Airport resources and assets while hardening our security posture.
• 2. Position a ready to use method for applying secure access to existing and new systems.
• 3. Reduce necessity for users to remember multiple long and cumbersome passwords.
• 4. Improve monitoring and management of user access.
• 5. Replace hardware tokens with a scalable MFA solution.

AIR - Single Sign On (SSO) and Multi-Factor Authentication (MFA)

34

Project Implementation Stages/Phases

Phase 1 Phase 2 Phase 3 Dates:

FY 16/17 FY 17/18 FY 18/19

Description: RFP, vendor selection, plan , prep, test, & deploy to airport employees Plan , prep, test, & deploy to airport contractors Plan , prep, test, & deploy to airport vendors and partners

AIR - Single Sign On (SSO) and Multi-Factor Authentication (MFA)

35

AIR - Single Sign On (SSO) and Multi-Factor Authentication (MFA)

Project Budget FY 16-17 FY 17-18 FY 18-19 Number of FTE 5 5 5 FTE Classifications 1053 x 1 1054 x 2 1070 x 2 1053 x 1 1054 x 2 1070 x 2 1053 x 1 1054 x 2 1070 x 2 Total Project Cost $500,000.00 $500,000.00 $500,000.00

36

• 4. FY 2016-17 and FY 2017-18 Budget

Presentations

Theme: Operations

37

Project Objective

• Implement a comprehensive support system that will allow Airport staff & partners to monitor all

systems, networks and applications on a single platform.

• Provide predictive analytics, event correlation, event notification and automated problem

resolution capability to improve our ability to take preemptive & corrective actions.

• Implement a communications tool that takes advantage of social networking and communities of

interests to improve our operational service levels and connect our support staff directly to the customer. Major Stakeholders

• Airport Commission Staff
• Airlines
• Tenants and Concessions

AIR IR - Comprehensive Support Pla lan

38

Problem Trying to Solve

• Passenger delays caused by uncoordinated event notification and automated problem

resolution.

• Inability to communicate immediately with the wider Airport community.
• Reactive rather than proactive response to equipment failures.
• Absence of a common platform to monitor the wide variety of systems, network and

applications required for operations at the Airport.

• Events that impact the performance and availability of systems are not correlated from a

problem avoidance perspective - limited capabilities in the area of predictive analysis and problem resolution.

AIR IR - Comprehensive Support Pla lan

39

Project Implementation Stages/Phases

AIR IR - Comprehensive Support Pla lan

Phase 1 Phase 2 Phase 3 Dates: March 2017 September 2017 March 2018 Description: Solicit comprehensive monitoring and social support solution alternatives Select vendors and procure services Design, configure and implement

40

AIR IR - Comprehensive Support Pla lan

Project Budget FY 16-17 FY 17-18 Number of FTE 3 3 FTE Classifications 1x1043 1x1054 1x1052 1x1043 1x1054 1x1052 Salary & Fringe $335,000 $335,000 Software $450,000 $750,000 Hardware $100,000 $250,000 Professional Services $300,000 $150,000 Materials & Supplies

• Total Project Cost

$1,185,000 $1,485,000

41

Project Description

1. Implement a comprehensive support system that will allow Airport staff & partners to monitor all systems, networks and applications on a single platform. 2. Provide predictive analytics, event correlation, event notification and automated problem resolution to improve our ability to take preemptive & corrective actions. 3. Implement a communications tool that takes advantage of social networking and communities of interests to improve our operational service levels and connect our support staff directly to the customer.

AIR IR - Comprehensive Support Pla lan

Status Comment Scope Schedule 5% Complete Budget Total Project Cost Total COIT Funding Total Other GF Funding Total NGF Funding Total NGF + GF Funding Total Spent $3,150,000 $75,000 Risks & Issues Project Start: January 2016 Project End: March 2018

42

• 5. FY 2016-17 and FY 2017-18 Non-General

Fund Project Recommendations

Discussion and Action Item

43

• 6. Discussion: FY 2016-17 and FY

2017-18 General Fund Budget Projects

44

• 7. Public Comment

45