Authentication & Authorisation Improvements Project Brief
ENT031 - Authentication & Authorisation Improvements
Project Brief
Document Sign-off
Name | Role | Date signed off
Graeme Wood | Project Sponsor | 16/1/18
Graeme Wood | Service Owner |
Maurice Franceschi | Project Manager | 17/1/18
Maurice Franceschi | Programme Manager |
Working draft will be version 0.x and 1.x. Draft sent for Approval/Review will be version 2.x. Approved Project brief will be 3.0. Post-approval changes will be change controlled via Issue Log and Scope Change Page, and version 3.x.
Background
A Review of the university’s Authentication and Authorisation Services was undertaken as part of the ENT019 project, with a final report published in November 2017. This report will be reviewed by the ITC in Q1 2018 and decisions will be taken as to the practical recommendations made in the report. These will set out the scope of this project as the report makes a large number of them and not all can be undertaken in a small project.
Scope
Although the complete scope of the project will not be determined until February when the ITC has met, work on a number of Quick Wins can already be undertaken to implement changes across several enhancements that must take place.
Quick Wins (Q1 2018)
- move the registration database to the galera database cluster and enable encryption at rest and in transit
- EdGEL the EASE login, second challenge, password change and registration pages
- change the login process to prompt separately for the username and password, so that we can implement at some point a small picture validation
- EdGEL EASE Friend
The project scope for now will be to do the work above, and will be estimated and resourced accordingly. Once the ITC have made their decisions, then the full scope of the project will be set. These could include none, some or all of the following (2017/18 and 2018/19):
- Review of replacement for COSIGN
- Tighter integration of AD and EASE
- Change in Password Policy
- Implement a Multi-Functional Authentication
- Development of Grouper and synchronisation of Grouper with AD
- Format of UUN
- Role-based Access Control and Privilege Management
- Policies on encryption and cryptography
- And other recommendations from the Authentication and Authorisation Review
Changes to Scope will be logged on the Issue Log and also recorded on the Project Scope Change page.
Out of Scope
Any significant work we need to explicitly state we are not doing (that some stakeholders may assume or expect that we will) shall be set out once ITC have met and decided.
Objectives and Deliverables and Success Criteria
| Description of the Objective | Success Criteria
| Description of the Deliverables needed to achieve the objective |
Objective 1 | move the registration database to the galera database cluster and enable encryption at rest and in transit, by End of March 2018 |
Deliverable D1.1 | Database moved to galera cluster | TBC by project team
Deliverable D1.2 | Encryption at rest | TBC by project team
Deliverable D1.3 | Encryption in transit | TBC by project team
Objective 2 | EdGEL the EASE login, second challenge, password change and registration pages by June 2018 |
Deliverable D2.1 | An EASE login screen that offers the same user experience and look and feel as EdGEL pages | TBC by project team / stakeholders
Deliverable D2.2 | And same for second challenge, password change and registration pages | TBC by project team / stakeholders
Objective 3 | change the login process to prompt separately for the username and password, so that we can implement at some point a small picture validation by June 2018 |
Deliverable D3.1 | A two-step process of authentication | TBC by project team / stakeholders
Deliverable D3.2 | | TBC by project team / stakeholders
Objective 4 | EdGEL EASE Friend and change process to be in line with EASE by June 2018 |
Deliverable D4.1 | An EASE Friend login screen that offers the same user experience and look and feel as EdGEL pages | TBC by project team / stakeholders
Deliverable D4.2 | |
Objective 5 | |
Deliverable D5.1 | |
Deliverable D5.2 | |
Objective 6 | |
Deliverable D6.1 | |
Deliverable D6.2 | |
This table can be used through Business and Technical Analysis, Design, Build, and Testing/UAT as a Traceability Matrix to ensure the project brief's objectives and deliverables are followed through.
Requirements
Requirements are aligned with objectives and deliverables, and also the opportunity to realise the benefits.
| User/Owner | MoSCoW | Set By
Requirement 1 | registration database to the galera database cluster | M | Graeme Wood, Sponsor
Requirement 2 | enable encryption at rest and in transit | M | Graeme Wood, Sponsor
Requirement 3 | EdGEL the EASE login, second challenge, password change and registration pages | M | Graeme Wood, Sponsor
Requirement 4 | change the login process to prompt separately for the username and password, so that we can implement at some point a small picture validation | M | Graeme Wood, Sponsor
Requirement 5 | EdGEL EASE Friend | S | Graeme Wood, Sponsor
Benefits
The benefits that the deliverables will enable or act as a catalyst in making happen. These benefits may be immediate or may be realised after the project has closed.
Requirement 1. i/f and s/w upgrade
Requirement 2. GDPR compliance
Requirement 3. Users will have a more consistent experience
Requirement 4. Second factor challenge will bring authentication login in line with contemporary standards
Requirement 5. Users will have a more consistent experience
Governance
Project will have these governance roles by default. Delete/Add/Change as appropriate.
Portfolio Governance
Role | Name | Division / Group / Team / College / School and Title
Project Sponsor | Graeme Wood | ITI, Enterprise Section Head
Programme Owner | Graeme Wood |
Programme Manager | Maurice Franceschi | ITI, ITI Portfolio Manager
Portfolio Owner | Tony Weir | ITI, Director
Portfolio Manager | Maurice Franceschi |
Service Owner | Graeme Wood |
Project Board (TBC if we require a project board)
Role | Name | Division / Group / Team / College / School and Title
Project Sponsor | |
Senior User | Can be Sponsor |
Senior Supplier | |
Other Board Members | |
Tolerances
Tolerances in line with general RAG guidelines, to be confirmed with Sponsor.
Resources Skills and Cost
Budget: 50 days of ITI effort. We will have some support from edWeb team.
Priority and Funding
Normal Priority. No capital funding.
Project Team
Role | Name | Division / Group / Team / College / School and Title
Project Manager | Maurice Franceschi |
Solution Architect | Kenny MacDonald |
Solution Development | Gavin Gray |
Testing, Contributor | TBC – looking for resource from Web Team |
Service Development | |
Communications Assistance | |
Quality of Project and Deliverables / Key Project Milestones
The milestones are a key tool in ensuring that the project process itself is followed as set out by ITI, and that the product deliverables are to the required Quality.
Edit this template to list the key Milestones and who signs off on these milestones. Add milestones for Security, Accessibility, UX, as required.
For medium and large projects, a project plan - MS Project, Gantt, or other - can be added to the Plan Log and revised as project progresses. The approach can be stated here.
You can also mention the approach the project is taking to set, measure and confirm the quality of the deliverables
Milestone | Sign-Off means | Date of Milestone | | Who signs-off (Accountability)
Start of Project | Project can begin, is in line with Programme and Portfolio priority, has resource | 19/12/17 | | Sponsor, Programme Manager
End of Planning for Quick Wins | Project can begin, is in line with Programme and Portfolio priority, has resource | 17/1/18 | | Sponsor, Programme Manager
Change of Scope – ITC Decision | The scope for the project has been set by ITC | 31/3/18 | | Sponsor
XXXX | XXXX | XXXX | | XXXX
Delivery of the Quick Wins – database encryption | Change to Service can proceed | 29/3/18 | | Sponsor, PM, service owner / service operations manager (helpline)
Delivery of the Quick Wins - EdGEL | Change to Service can proceed | 29/6/18 | | Sponsor, PM, service owner / service operations manager (helpline)
Handover to Support | support can take over running of the Service | TBC | | service owner / service operations manager (helpline)
Closure | Project can close | 27/7/18 TBC | | Sponsor, PM
Other Milestones will be added as Appropriate
End of Analysis | quality and completeness of analysis | business analyst / business lead / senior user / PM
End of Design | quality and completeness of design | technical lead / senior supplier / business lead / senior user / PM
End of UI Design | quality of UI - to show we have designed an interface that is usable, accessible, promotes equality and diversity | technical lead / senior supplier / business lead / senior user
End of Build | quality and completeness of build | technical lead / senior supplier / PM
Acceptance | overall quality of deliverable, UAT has been passed, Integration testing successful, all components technically checked - fit for delivery to live service | technical lead / senior supplier / business lead / senior user / business analyst / PM
Security QA | satisfies security | Section Head
Branding QA | for new, upgraded services, sign-off that branding guidelines for ISG, University, school/college has been followed by the project team | PM / and as appropriate ... UoE C&M, college C&M and (pending) ISG Branding Team
Design UI QA | to show we have built an interface that is usable, accessible, promotes equality and diversity | Sponsor and Service Owner
EqIA | For new services or services undergoing substantial change, there must be an Equality Impact Assessment completed, validated by equality office and deposited on eqia website | PM / Service Owner / Equality Officer
PIA | Check if your project needs to undergo a Privacy Impact Assessment | PM / Service Owner / CISO
Assumptions
We assume that there will be a replacement for Cosign in the short term.
Constraints
Lack of Drupal skills in the ITI division means that any development will need to be sourced from ISG or externally, if we want to develop a solution in Drupal.
Risks
No significant risks at outset of project.
Issues
No significant issues at outset of project.
Previous Lessons Learned
We will review the ENT021 project for lessons.
Dependencies
Are we depending on certain events to take place? Yes – we need ITC to review and approve the recommendations in the review.
Are we dependent on suppliers, or product releases? TBC
Communication
For projects with an array of external stakeholders, a Communication Plan can be created and made available on the ITI Sharepoint space if preferred. The following stakeholders were identified during annual planning:
- Director ITI, Tony Weir Accountable
- CISO Alistair Fenemore Consult
- Claire Knowles Inform
- Matt Hodson Inform
- ADO Iain Fiddes, Stefan Kaempf also expecting to devote 5-10 days of effort
- USD and Helpline Inform
- LTW Inform (specifically, video lecture)
- L&C Inform
- AHSS Consult
- MVM Consult
- SCE C Consult
- and we also have Ed Web team USD and Helpline
Run / Grow / Transform
Transform
Alignment with Strategic Vision
This project will deliver benefits, change and innovations in alignment with the IS Strategic Vision and the University's Strategic Vision for 2025. ** Check the Annual Plan on ITI Sharepoint to see how the project's deliverables and benefits have been aligned to Run/Grow/Transform and the Strategic Themes **
Student Experience | Commentary
Student experience and the unique Edinburgh offer | X
Online and distance learning leaders |
Library national and international leadership |
Research and Innovation |
Research IT and Data Sciences |
Innovation |
Collaborative leadership and social responsibility |
Service Excellence |
Process improvement, efficiency, quality and best practice | X
Long-term IS strategic planning and linked professional services | X
Information Security | X
University's Strategic Vision for 2025: the main elements of the vision to which this project contributes have a commentary.
Vision Themes |
Commentary |
A unique Edinburgh offer for all of our students |
|
all of our undergraduates developed as student/ researchers with clear, supported pathways through to Masters and PhD |
|
all our students offered the opportunity to draw from deep expertise outside their core discipline |
|
a highly satisfied student body with a strong sense of community. |
|
Strong and vibrant communities within and beyond the University – making the most of our unique offer of world-leading thinking and learning within one of the world’s most attractive cities |
|
A larger, more international staff who feel valued and supported in a University that is a great and collegial place to work, develop and progress |
|
More postgraduate students – underpinned by the best support in the sector to ensure we attract the brightest and best regardless of ability to pay |
|
A strong culture of philanthropic support focussed especially on our students and on outstanding research capabilities. |
|
Many more students benefiting from the Edinburgh experience (largely or entirely) in their own country – supported by deep international partnerships and world-leading online distance learning |
|
Sustained world leading reputation for the breadth, depth and interdisciplinary of our research supported by strong growth in research funding and strong international partnerships – drawing from well-established and less well developed sources |
|
An estate that matches expectations, responds flexibly to changing student and staff needs, and showcases the University |
|
A deeper and earlier collaboration with industry, the public sector and the third sector – in terms of research; knowledge exchange; and in giving our students the best possible set of skills for their future |
|
IS Change Programme - How will this project's Deliverables and Benefits promote the Themes
Indicate if the project deliverables and benefits contribute to the themes with the IS Change Programme.
IS Change Programme Theme | How the project deliverables and benefits contribute to change
Project Management |
Working Together |
Standards and Technical Leadership | X
Staff Learning and Development |
Service Based Culture | X
Equality and Diversity |
Partnerships and Philanthropy |
Flexible Resourcing |
Communication and Branding | X
Service Excellence - Information and Security
The project focus is on the improvement of our security mechanisms and data storage.
Service Excellence - Process Improvement, efficiency, quality and best practice (Social Responsibility and Sustainability)
Not Applicable
Digital Transformation
This will improve security via industry standard approaches to authentication, and we will be looking for support and guidance and QA from the Edweb team.
IS Change Programme - How will the execution of this project promote the Themes
Indicate if the project itself (during plan, execution, implementation) contributes to the themes with the IS Change Programme.
See the Guidance on the ITI001 Project Brief Template
IS Change Programme Theme | How the project process will contribute to change
Project Management |
Working Together | X
Standards and Technical Leadership | X
Staff Learning and Development |
Service Based Culture | X
Equality and Diversity |
Partnerships and Philanthropy |
Flexible Resourcing |
Communication and Branding |
Project Sponsor – Project Responsibilities
The sign-off milestones are associated with specific responsibilities of the Sponsor role.
This sets out the Sponsor responsibilities on this project - please review and amend as appropriate for this project and agree with Sponsor
Start of project – Explicitly Included in the Initiation Milestones Sign-Off
- Negotiates and confirms funding for the project
- Ensures the project is in line with organisational strategy and priorities
- Chairs the project board, appoints its members and ensures they are effective
- Advises the project manager of protocols, political risks, issues and sensitivities
- Makes the project visible within the organisation
End of Planning – Explicitly Included in the Planning Milestone Sign-Off
- Works with the project manager to develop the Project Brief
- Ensures a realistic project plan is produced
- Sets tolerance levels for escalation to themselves and to the project board
- Ensures that project team have representation and engagement from users and suppliers
- Helps identify Stakeholders
- Approves Communication Plan
- Agrees on frequency of meetings with Project Manager
- Agrees on frequency of meetings with Project Team
- Agrees on milestones and who signs-off
Development / Execution – ongoing
- Provides strategic direction and guidance to the project manager as directed by the Board
- Approves changes to plans, priorities, deliverables, schedule
- Encourages stakeholder involvement and maintains their ongoing commitment
- Chief risk taker
- Makes go/no-go decisions
- Communicates change in organisational structure, priorities, business benefits or funding
- Helps the project manager in conflict resolution
- Helps resolve inter project boundary issues
- Gains agreement among stakeholders when differences of opinion occur
- Assists the project by exerting organisational authority and the ability to influence
Delivery – Explicitly Included in the Delivery Sign-Off
- Ensures that Service is ready for change
Closure - Explicitly Included in the Closure Milestone Sign-Off
- Helps with publicity for the change delivered
- Ensure that benefits will be managed, measured and realised post-project
- Evaluates the project’s success upon completion