Project Management and Data Security

Transcription

1 Project Management and Data Security 1 Project Management Agile Project Management Methodology Mediasphere applies a structured approach and Best Practice Project Management in the development of all projects. The single most important stage is developing a clear understanding of the client s project requirements and articulating these as accurate functional requirements. As part of our project management process, our team complete the following tasks and services 1. The application of your stylesheet and logo to the login page and all portal pages including: Home Page Login Page and self-registration pages Training Dashboard Course Dashboard Manager Dashboard Base certificate design 2. The inclusion of the link to your terms and conditions and/or privacy statement 3. The inclusion of your key contact into the site 4. The addition of your Google Analytics code into the portal 5. The build of the database for your InductNow training portal 6. Assistance in setting up your hierarchical Training Group structure 7. The deployment of the standard InductNow modules in the Lion LMS 8. The set-up of alerts 9. The negotiated dates for your webinar training session 10. The negotiated dates for your beta release and site launch The management for the planning, design and deployment of the Training Portal is coordinated by our Project Manager with published production and communication schedules. Most sites can be released within 4 weeks. The Project Management for the planning, design and deployment of the Training Portal includes the following Project Plan. The image below provides an indicative Project Plan Schedule that details the tasks and the workflow that applies to the build of the training portal. 1 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

2 User Acceptance Testing User Acceptance Testing (UAT), end user testing of the system to ensure data and system functionality. UAT is one of the final stages of the project and occurs before you as the client accepts the new system. The UAT document provides a passed failed pending status on the following elements: 1. Technical performance on the portal 2. Design and usability approval 3. Mapping to deliver the listed client requirements Mediasphere will provide the client with access to their portal on the development server to complete the UAT process at the end of the production schedule. 2 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

3 Mediasphere maintains a fully functional version on the development server as the client may wish to upgrade aspects of the portal in the future. All upgrades are applied with the same testing regime before being uploaded to the production version of the portal. Implementation Timeline The Project Implementation timeline is negotiated with the client to ensure that both parties can meet the prescribed project deliverables. The project timeline usually takes between 3 to 6 weeks to build the training portal. Project Schedule and Milestones The Project Schedule involves the following tasks: Corporate Induction Project Plan Section 1 - Data Gathering 1. Client to provide site domain name with account details 2. Client to provide desired launch date for portal Beta and live releases 3. Client to provide that will be used as the contact for the site 4. Client to provide logo (in eps or with working files format) and stylesheet 5. Client to provide details of the data integration of the Single-Sign-On, LDAP or webservices 6. Client to consider Training Group names and hierarchy (Client will add these after the training session) 7. Client to provide SSL certificate for the site (if required) 8. Client to provide site terms and conditions and privacy statement that will be added to the link on the login page 9. Client to provide data to be imported into the database in CSV format (if part of the project scope) 10. Client to provide confirmation information on required courses or provide details on what courses Mediasphere will be building as per project quotation Section 2 - Build of the LMS for the Client Project Creation of development site on the server Deployment of specified InductNow and Lion LMS modules Set number of annual Learner Accounts to be assigned to the portal Customise settings to client defaults Add Client Administrator to Portal 3 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

4 Apply the Design including logo and client stylesheet to the portal Apply the design to Course Dashboard and Certificates Client data and custom programming to integrate client requirements Section 3 - Technical Testing and Client UAT Technical Testing of the Training Portal Client User Acceptance Testing Issue and bug-fixing Build of the Single-Sign-On Facility, LDAP or webservice / API with client database DNS site switchover Client Training (provision of documentation) Support commences with SLA Project Milestones The Project Milestones comprise of the following: Milestone 1: Milestone 2: Milestone 3: Milestone 5: Deployment of the LMS with modules and database on the development server Application of the client design to the training portal The build of the custom programming and data integration and SSL certificate User Acceptance Testing, Training and Site Launch 4 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

5 Hosting Services and Data Management This proposal includes a license for the Mediasphere Lion LMS Platform which is hosted at Mediasphere data warehouse facility - Rackspace. Rackspace provide the following services: Physical security Keycard protocols, biometric scanning protocols and round-the-clock interior and exterior surveillance monitor access to every one of our data centres. Only authorised data centre personnel are granted access credentials to our data centres. No one else can enter the production area of the data centre without prior clearance and an appropriate escort. Every data centre employee undergoes multiple and thorough background security checks. Conditioned power Should a total utility power outage ever occur, all of our data centres power systems are designed to run uninterrupted, with every server receiving conditioned UPS (Uninterruptible Power Supply) power. Our UPS power subsystem is N+1 redundant, with instantaneous failover if the primary UPS fails. If an extended utility power outage occurs, on-site diesel generators can run indefinitely. Precision environment Network Every data centre's HVAC (Heating Ventilation Air Conditioning) system is N+1 redundant. This ensures that a duplicate system immediately comes online should there be a HVAC system failure. Every 90 seconds, all the air in our data centres is circulated and filtered to remove dust and contaminants. Our advanced fire suppression systems are designed to stop fires from spreading. Dedicated to our customers hosting needs only Always high-performance bandwidth Nine network providers, for multiple redundancies Fibre carriers enter at disparate points to guard against failure Network topology and configuration automatically improves in real time Configuration, co-developed with Cisco, guards against single points of failure at the shared network level (extendable to your VLAN environment) Cisco and Arbor Networks work with us to continually improve monitoring and security Network technicians We require that the networking and security teams working in our data centres be certified. We also require that they be thoroughly experienced in managing and monitoring enterprise-level networks. Our Certified Network Technicians are trained to the highest industry standards. Core routing equipment Only fully redundant, enterprise-class routing equipment is used in Rackspace data centres. Fibre carriers enter our data centres at disparate points to guard against service failure. 5 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

6 Technical Support Service Level Agreement After the launch of your site, Mediasphere s Support Service Level Agreement (SLA) is initialised. Please refer to the Portal Terms and Conditions agreement for all provisions. Security of Your Training Data Mediasphere understands the critical importance of protecting your data. As Mediasphere, an accredited govt provider, delivers secure online training solutions for major corporations, governments, organisations and education institutions, we provide a high level of security on three levels, hardware, application and database. Identity Theft Protection Identity theft refers to fraud that involves someone pretending to be someone else for their own gain. We apply the current best practice to protect your users identity theft including: Encrypted user password in database with strong encryption technique such as MD5 or SHA-1 Use alpha numeric combination and case sensitive for user passwords. Minimalist approach in storing and displaying user private information. Secure Access Policies All users on your training website will be assigned the privileges based on their user level. This protection provides security with regard to access to administration portal. Your site administrator will have the access rights to add or delete any additional administration accounts. These administration accounts can be set as administrators or editors. There is also the option for your administrator to create additional administration accounts and set permissions and access rights to various modules. SSL Encryption and Certificates Clients may request that Mediasphere add SSL encryption to the administration portal and the front end user portal. The SSL certificates provided by the client encrypt the data on the site. After the secure connection is made, the session key is used to encrypt all transmitted data. SSL allows sensitive information such as credit card numbers, private information and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information. More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted. The cost of applying your SSL certificate to your portal is a one-off fee of $550 inc. GST. 1 Session Hijacking Protection Mediasphere uses file system based tracking for all users sessions to mitigate session hijacking and Cross-Server Scripting (XSS) potential. This means that every time a user logs on to your portal, it generates a new session value and stores the value in the database. On every page of training portal 1 Based on the client providing Mediasphere with their SSL Certificate. Mediasphere can guide the process if required. 6 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

7 where authentication is required, the user session will be compared with the one stored in database. As the session is renewed, this guarantees a user dynamic session value, which makes it harder to duplicate or follow, thus providing a higher level of security. Defamation of Site Protection Mediasphere protects against defamation of the site by preventing unauthorised access to file servers. Our systems feature data validation on all forms and write access on files and folders permission (executable, read and write). The file upload directory has read / write access permissions to prevent malicious users from executing code remotely to gain access to the site. IP Tables Software Firewall Security IP Tables is a software firewall that provides a key layer of security. The software firewall controls all access to and from the server on designated ports, IP addresses and TCP and UDP layers. The firewall allows certain users from range of IP addresses to make requests to a designated port on the server or from server to IP addresses. Load Balancing If your training portal is an enterprise solution with high volumes of traffic, Mediasphere can provide access to load balancing technology for annual upgrade. Load balancing technology provides two identical servers that are configured with identical specification and capacity. With the layer technology, it automates the distribution of website traffic between both servers. With this technology, it is capable to serve millions of user with static HTML request. When it comes to database interaction, generating image, and streaming video we can provide high quality streamed traffic to your users. SQL injection Protection SQL injection is a form of attack on a database-driven web site in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL Injection is a very common attack on search forms, login forms and most forms that send requests to server to access the server database. Mediasphere guards the input data submitted by user to eliminate unwanted code or SQL commands to be passed into the processing script. This is achieved by including all permissible file extensions (i.e. PDF, jpeg, js) and block all scripting type statements and non-approved file extensions. Data Back Up and Disaster Recovery Your Training portal is supported with a comprehensive and responsive Back-up and Disaster Recovery Program. This program includes the following: The client database is backed up 3 times a day The client files are backed-up once a day These back-ups are then stored for an addition 7 days All data on Rackspace servers are backed-up off network on Mediasphere secure servers once a week and this data is stored for 12 months Production workflows abide by privacy legislation with strict protocols assigned to client database access. 7 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

8 About Mediasphere Mediasphere Holdings Pty Ltd (ACN ) is a leading elearning and software development company that delivers cloud based training portals and websites for the government, corporate and education sectors. In 2007, Mediasphere was awarded the Mincom Award as the most innovative ICT Company in Queensland and now provides our industry leading software to clients in Australia, New Zealand, China, Japan, North America and Europe. Mediasphere has developed its own SaaS platforms and provides a total solution with e-commerce, e-marketing, custom programming, content development, APIs, webservices, hosting and support services. It has also developed a library of interactive products for the education and corporate sector which is marketed globally. SERVICES Mediasphere s services include: Cloud based corporate induction portals Cloud based assessment and accreditation portals Online assessment, tracking and reporting modules Online course and assessment development services Digital content multimedia design and development iphone, android and tablet applications Access to a suite of compliant workplace courses Corporate websites, member portals and training hubs Government, commercial and educational web and graphic design services Data integration, API and webservices Online e-commerce Solutions 8 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

9 PRODUCTS AND MARKETS Mediasphere has developed a range of elearning platforms to serve four distinct elearning markets. These markets and matching products include: Market Sector 1. Compliance, Competency and Productivity Training 2. Continuing Professional Development (CPD) Training 3. Certifications, Accreditations and Qualifications Training 4. Custom Training Portals with e-commerce Gateways Market Description Organisations that host online inductions, staff training and contractor / volunteer on-boarding and require our software to manage their portals. Professional organisations and peak bodies that deliver online CPD for the members and stakeholders and require our software to manage their portals. Business, government and tertiary institutions that deliver accredited training with assessors, verifiers and employer dashboards on our software. Business, government, content experts and institutions that market and sell their courses and training events on our software. Mediasphere Online Training Products Mediasphere Lion LMS has developed a range of plugins to provide the exact training platform you require. Contact Mediasphere on for more information on the product suite. 9 P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d

10 AWARDS Mediasphere provides the market with elearning solutions and the company has received a range of awards from both industry and government to recognize the innovation and quality: Our awards include: IEAA Excellence Award in International Education, 2009 (Queensland Government Education Department Study Abroad ESOS Compliance Program) Mincom Connect Award 2007 most innovative ICT company in Queensland ICT Premiers Export Award Regional Award AIMIA National Finalist 2005, 2004, 2003 AIIA Award Finalist 2005 IDP Award for Excellence and Innovation in International Education 2003 Australian Flexible Learning Framework Queensland Awards 2003, 2004 Annual Learning Technologies Recognition (ALTR) Award 2004 GOVERNMENT CERTIFICATION GITC FRAMEWORK VERSI ON 5 Mediasphere is accredited as a signatory to Government Information Technology Contracting (GITC) Framework - Version 5 - Q P a g e M e d i a s p h e r e A l l R i g h t s R e s e r v e d