1. Network Project
This project is requirement of my course work for the subject so and so. This network project is essential to provide us the oversight we required in the field of networking. While doing this project we will learn how things shape from when we start the project and how they end. The Practical aspects of any networking models are aimed to achieve after writing this project report.
In this project we are required to pass through the complete development life cycle from start to end. We will install the Windows servers 2003 and Active directory and will focus on exploring the options offered by both the software. We will try to implement these in different environments like University campuses, Enterprise environments and big networking organizations.
2. Project description
In this project we will define Windows 2003 server, what are the features that are useful for our desired goals. Along with these we will also try to plan and implement Active directory. But unlike project proposal we will use strategic techniques to reach our aims and objectives.
2.1. Windows Server 2003
Windows server 2003 © Microsoft is a step in the evolution of Microsoft’s server operating systems. Windows Server 2003 is well-known for its advantages that give it edge over other competitive server operating systems. It is famous for its stability, security and user friendliness. Even its predecessor Windows 2000 is not able to compete with the fame Windows server 2003 has gained. Microsoft claims that the windows 2003 perform remarkably by taking less time at set up and is a step ahead in providing ease to its customer when it comes to configure it. Windows Server 2003 simplifies branch server management, improves identity and access management, reduces storage management costs, provides a rich Web platform, and offers cost-effective server virtualization (Chellis, Perkins and Sterbe, 2005).
2.2. Active Directory
An active directory is a very common term these days but it can be different to many people.
2.2.1. Standards-based directory server
To some institutions that care about anything or everything to get standardized, Active directory is good solution. In this standard-based directory system, protocols like LDAP and Kerberos provide access to other network computers. These two protocols are good to provide vision of directory while internal database appears as a X.500 data model which is only exposed directly to the rest of the world via LDAP.
2.2.2 Proprietary directory server
According to the perspective of Microsoft their product Active directory is compatible with both LDAP and Kerberos as these both are standard in Internet Technologies. This compatibility claim of Microsoft to its potential customer using Active Directory is much more advantageous for the other people than Microsoft’s clients. Microsoft uses a technology for client server communication called RPC, which is an acronym for Remote procedure calls.
2.2.3 Simple directory server
Active directory is an administration system and an implementation of LDAP directory services produced by Microsoft. A windows network can be administered using this simple and easy GUI interface. It allows the administrator to assign various policies, enable him to install programs to many computers on network and apply critical updates in very little time. It operates the information and settings from a single, central and organized database concerning an organization. It has ability to network large installations with millions of objects (Chellis at el. , 2005).
3. Project Scope
This interim project focuses on planning and designing Windows 2003 Server and Active Directory. Project initiatives to include a number of security and assurance related features and applications. The features described may be of general interest to the campus community, but are specifically aimed at the operability and integrity of the network.
3.1 Aims and Objectives
The goal of this project is to develop and implement complementary systems providing the following services along with other services required by the project:
Ã User and group account profiles
Ã Disk management and fault tolerance strategies
Ã Remote users
Ã Backup and restore procedures
Ã Active Directory architecture and design
Ã Network services
3.2. Target Audience
A target audience may be any group of people who are interested in some project or desired by the project objectives to appeal to consume what ever they are producing.
A target audience can be people of a certain age group, gender, marital status, etc. Other groups, although not the main focus, may also be interested.
Our target audience could be any company, university or organization which has inclination of installing and configuring Windows 2003 server or an Active directory server or both. Typically following companies can benefit from our project:
Ã Pharmaceutical labs
Ã University Computer labs
Ã Central Databases
Ã Chemical labs to store data
Ã Small and medium sized organizations
Ã Engineering companies
Ã Biological labs
Ã Large sized organizations
3.3. Customer Requirements
Our customer is a very strong market company called Tansdata. Transdata is a sister company of a Steel producing company who is a big financial giant. This is a new company (established two years back) but because of its strong back ground it is already an Icon in the emerging market today.
Our company is planning to open up two trans-continental branches. One is already finished while the other is being constructed and would complete in next four year. This company desires to establish a secure network which has one central database at each branch. They also wish to take proper backups everyday and would like to replicate data to all the other network servers to avoid any risk.
Besides this, they also wish to run local networks which would connect to this vast network. However, it is not necessary that every node on the LAN would connect to this vast network. They want big user groups and strong policies to be enforced to avoid any unwanted access on the network.
4. Team members
Our team contains five members each having different skills but these all are active team players:
4.1. Roles of each team member
Graphic Designing, Documentation and Networking
Documentation and Networking
Documentation and Networking
5. Project Schedule
5.1. Detailed time-line describing goals of each week
Phase 1: Sever 2003 Network
Part 1: Planning the Network Infrastructure
Ã Understanding Computer Roles and Specifications
Ã Locating ; Identifying Network Resources
Ã The OSI Reference Model
Ã The Physical Network Infrastructure
Ã The Logical Network Infrastructure
Part 2: Determine IP Address Requirements
Ã IP Addressing
Ã IP Address Configuration
Ã DHCP Deployment ; Configuration
Ã Installing and Configuring a DHCP Server
Part 3: Determine Name Resolution Requirements
Ã NetBIOS Name Resolution
Ã LM HOSTS file
Ã WINS Servers and Push/Pull Replication
Ã NetBIOS Name Cache
Ã DNS Name Registration
Ã Planning DNS Security
Ã Troubleshooting Client Configuration Problems
Ã Troubleshooting Server Configuration Problems
Ã Configure the DNS Server Service in Active Directory
Part 4: Using Routing and Remote Access
Ã WAN Topologies
Ã WAN Technologies
Ã An Overview of Static Routing
Ã A Review of Dynamic Routing
Ã Securing Remote Access
Ã Common Troubleshooting Tools
Ã Configure a dial-up RAS Server ; Manage authentication
Part 5: Server Clustering
Ã The types of server cluster available with Windows Server 2003
Ã Designing a Clustering solution
Ã The Installation and configuration of network load balancing clusters
Ã The Installation and configuration of server clusters
Ã Creating a Network Load Balancing Cluster
Part 6: Identify the Default Security Settings
Ã Planning a Security Framework
Ã NTFS Permissions
Ã Share Permissions
Ã Registry Permissions
Ã Active Directory Permissions
Ã Account Policy
Ã Audit Policy
Ã Auditing Resources ; the Event Viewer
Part 7: Plan and deploy Security Configuration
Ã Reviewing Group Policy
Ã Baseline Security Configuration
Ã Create a Role Specific Configuration
Ã Deploy a Role Specific GPO
Ã The Security Configuration Wizard (SCW)
Ã Create a test and deployment plan
Ã Managing security configuration with security templates
Ã Deploying security templates with group policy
Ã The Security Configuration and Analysis Tool
Ã Modify and Applying a Security Template
Part 8: Secure Communications using Digital Certificates ; IPSec
Ã An introduction to a Public Key Infrastructure (PKI)
Ã Plan and Design a PKI
Ã Install and Manage Certificates
Ã Plan an IPSec Deployment
Ã Deploy IPSec
Ã Creating an IPSec Policy
Part 9: Design a Security Infrastructure
Ã Determine Internet Security Requirements
Ã Plan a Security Update Infrastructure
Ã Secure Wireless Networks
Ã Provide Secure Network Administration
Ã Installing, Synchronizing and configuring SUS
Part 10: Maintain Server Availability
Ã Using the Performance Console
Ã Using Network Monitor
Ã Monitor Server Services
Ã Planning a Backup Strategy
Ã Using Volume Shadow Copy Service (VSS)
Ã Using Automated Systems Recovery (ASR)
Ã Recovering Files Using the Shadow Copy Service
Phase 2: Active Directory
Part 1: Plan and Install an Active Directory Structure
Ã Logical ; Physical Components of Active Directory
Ã An Introduction to the Active Directory Schema
Ã An Introduction to Global Catalog Servers and Universal Group Caching
Ã Replication Partitions
Ã Planning the Active Directory Infrastructure Design
Ã Verifying the Active Directory Installation
Ã Troubleshooting the Active Directory Installation
Ã Removing Active Directory from a Domain Controller
Ã Promote ; Configure a 2003 Server into a Domain Controller
Part 2: An Overview of Active Directory Administration
Ã Administrative Tools
Ã Forest and Domain Functional Levels
Ã Operational Master Roles
Ã Restructuring a Domain
Ã Renaming a Domain Controller
Ã Creating a new MMC to configure the schema
Ã Using the NETDOM command to rename a Domain Controller
Part 3: Manage and Configure Trust Relationships
Ã Managing Trust Relationships
Ã The types of trust relationship
Ã Managing and configuring trusts using the AD Domains and Trusts snap-in
Ã Using the NETDOM command to configure trusts
Ã Creating and Administering a Forest Trust
Part 4: Configure Sites and Manage Replication.
Ã The Replication Process
Ã The Replication topology
Ã The Replication Protocols
Ã Sites, Site links and attributes
Ã Bridgehead Servers
Ã Monitoring and Troubleshooting Replication
Ã The Global Catalog and Universal Group Caching
Ã Application Directory Partitions
Ã Configuring Sites and Site Links
Part 5: Manage ; Configure Users and Groups
Ã Create and Manage User Accounts in Active Directory
Ã Managing User Profiles ; Home Folders
Ã Smart Card Authentication
Ã Manage Group Membership in Active Directory
Ã Group Scopes and Group Nesting
Part 6: Administer Active Directory Objects ; Implement an OU Structure
Ã Controlling Access to Active Directory Objects
Ã Understanding Organizational Units
Ã The DSMOVE.EXE command line tool
Ã Finding objects in the Directory
Ã The DSQUERY command line tool
Part 7: Plan ; Implement Group Policy
Ã Group Policy components
Ã Linking GPO’s and Administrative templates
Ã Group Policy Inheritance and GPO conflicts
Ã Delegation of control of a GPO
Ã Planning Group Policy
Ã An Introduction to the Group Policy Management Console (GPMC)
Ã Troubleshooting Group Policy
Ã Create, modify and Delegate control of a GPO
Part 8: Managing the User Environment with Group Policy
Ã Resultant Set of Policy (RSoP)
Ã Reviewing Folder Redirection and Offline Files
Ã The deployment of software using group policy
Ã Planning and preparing software deployment
Ã Maintaining software deployment with group policy
Ã Deploying & Assigning Software with Group Policy
Part 9: Software Restriction policy & Security Templates
Ã Implementing software restriction policies
Ã Default Security Levels
Ã Software Restriction Policy Rules
Ã Software Restriction Policy Recommendations
Ã Troubleshooting Software Restriction Policy
Ã Audit Policy and the Security Log of the Event Viewer
Ã What are security templates
Ã Managing security configuration with security templates
Ã The default security templates which are available
Ã Deploying security templates with group policy
Ã The Security Configuration and Analysis Tool
Ã Modifying and Applying a Security Template
Part 10: Managing Active Directory Back-up & Restore
Ã Backing up Files and Folders
Ã The Types of Backup
Ã Restoring Files and Folders
Ã System State Data
Ã Non-Authoritative Restore & Authoritative Restore
Ã Active Directory Database Maintenance using the NTDSUTIL command.
Ã What are security templates
Ã Backing up System State Data on a Domain Controller
Part 11: Monitor and Troubleshoot Performance
Ã The System Monitor Tool
Ã Performance Logs and Alerts
Ã Typical Active Directory Objects and Counters
Ã Managing Active Directory Performance via Command Line
Ã Troubleshooting Performance Logs and Alerts
Ã Configuring a Performance Log and Generating a Report
Phase 3: Routing and Remote Access
Part 1: Routing and Remote Access
Ã User Authentication
Ã Authentication Protocols
Ã Internet Authentication Service (IAS)
Ã Remote Access Policies
Ã Packet Filters
Ã Routing Protocols
Ã Demand-Dial Routing
Phase 4: Disk management and fault tolerance
Part 1: Veritask anti backup (Windows default Service)
Part 2: Nova net (Service)
Part 3: Rapid Access Disk (Tool)
Phase 5: Network Services
Part 2: DNS
Part 3: Windows Update Service
Part 4: Remote Installation Service
Part 5: Windows Internet Name Service (WINS)
Phase 6: IIS
Ã Enabling Web Service Extensions
Ã Creating Web or FTP Sites
Ã Creating Virtual Directories in IIS
Ã Renaming Virtual Directories
Ã Configuring Authentication
Ã Creating Application Pools in IIS
Ã Creating and Isolating Applications in IIS
Ã Obtaining and Backing Up SSL Certificates
Ã Backing Up and Restoring the Metabase in IIS
Ã Redirecting Web Sites in IIS
Ã Hosting Multiple Web Sites
Ã Assigning Resources to Applications in IIS
Ã Controlling Access to Applications in IIS
Ã Enabling ASP.NET
Ã Enabling ASP Pages in IIS
Ã Saving Configurations
Ã Starting and Stopping Services
Ã Configuring Recycling in IIS
Ã Administering Servers from the Command Line in IIS
Ã Administering Servers Remotely in IIS
Ã Enabling Network File System Support
5.2. Project Development Life Cycle
Project development lifecycle includes following four phases which our project will also go through:
5.2.1. Analysis Phase
During analysis phase, we will complete all our planning and research. We will also try to reach to some conclusion that may be finalized in the next phase. Following phases are our deliverables for Analysis Phase:
Ã Planning the Network Infrastructure
Ã Research and plan IP Address Requirements
Ã Research and plan Name Resolution Requirements
Ã Analyzing the Routing scheme and Remote access routes
Ã Plan for server Clustering
Ã Plan Security Configuration
Ã Plan and Install an Active Directory Structure
Ã General Overview of Active Directory Administration
Ã Research the information on Trust Relationship
Ã Search for Replication techniques
Ã Plan for the User and Groups Scheme
Ã Plan Group Policy
Ã Restriction and Security Planning
Ã Backup and Restore planning
Ã Troubleshoot planning
Ã Disk management and fault tolerance planning
Ã Network Services (DHCP and DNS) planning
Ã IIS planning
5.2.2. Design Phase
During design phase we will look at architecture feasibility and will start making design of all those phases that we have decided (after careful analysis) to implement in our network project. On completion of our design phase we will have following deliverables of this phase:
Ã Designing IP infrastructure
Ã Determine IP Address Requirements
Ã Determine Name Resolution Requirements
Ã Designing Routing scheme and Remote Access possibilities
Ã Design the Server Clustering techniques
Ã Design Security Configuration possibilities
Ã Design Plan for an Active Directory Structure
Ã Designing Active Directory Administration
Ã Manage Trust Relationships
Ã Design lay out plan for replication
Ã Design Users and Groups Scheme
Ã Design Group policy
Ã Designing Restriction policy and Security templates
Ã Backup and restore design
Ã Troubleshoot design
Ã Disk management and fault tolerance design
Ã Network Services (DHCP and DNS) designing
Ã IIS designing
5.2.3. Implementation Phase
By the time we will reach implementation phase we will have enough analysis and designing of our project deliverables and one after another we will start implementing our network designs while we will keep testing our installation, configuration and settings so that it may not create any problem at the time of processing in real world environment. At the end of implementation we will have following deliverables:
Ã Implementing IP infrastructure
Ã Implementing IP Address Requirements
Ã Implementing Name Resolution Requirements
Ã Using Routing and Remote Access
Ã Implementing Server Clustering
Ã Deploy Security Configuration
Ã Install an Active Directory Structure
Ã Implementing Active Directory Administration
Ã Configure Trust Relationships
Ã Configure Sites and Manage Replication
Ã Manage & Configure Users and Groups
Ã Administer Active Directory Objects & Implement an OU Structure
Ã Plan & Implement Group Policy
Ã Managing the User Environment with Group Policy
Ã Software Restriction policy & Security Templates implementation
Ã Managing Active Directory Back-up & Restore
Ã Monitor and Troubleshoot Performance
Ã Disk management and fault tolerance implementation
Ã Network Services (DHCP and DNS) installation and configuration
Ã Windows Internet Name Service (WINS) installation and configuration
Ã IIS installation and configuration
5.2.4. Testing Phase
Since testing and implementation goes hand in hand we will test every thing we have mentioned above and at the end our deliverables of this phase will be:
Ã A good IP infrastructure
Ã Functional IP Addresses with all their Requirements meet
Ã Tested Name Resolution scheme will all its Requirements
Ã Successful Routing and Remote Access
Ã Tested and successful Server Clustering
Ã Strong Security Configuration
Ã Fully functional Active Directory Structure
Ã Smooth Active Directory Administration
Ã Properly managed Trust Relationships
Ã Tested and configured Sites and Manage Replication
Ã Fully Managed and Configured Users and Groups
Ã Administered Active Directory Objects and Implemented OU Structure(s)
Ã Strongly Implemented Group Policy
Ã Managed User Environment with Group Policy
Ã Well maintained Software Restriction policy and Security Templates
Ã Managed Active Directory Back-up and Restore
Ã Good Monitoring and Troubleshoot Performances
Ã Best Disk management and fault tolerance
Ã Functional Network Services (DHCP and DNS)
Ã Configured Windows Internet Name Service (WINS)
Ã Well managed IIS
5.3. Acceptance Criteria
The acceptance criteria decide the satisfaction level of a component, system or a deliverable. Acceptance Criteria is the success measure of each component, system or deliverable. It describes on what level and quality a deliverable in the acceptable state. It is used by both sponsors (if any) and the team members to know when a deliverable is acceptable and can be approved (Haugan, 2002). In our case our fully functional and smoothly administered network would be the acceptance criteria for the project.
6. Graphical interface design
Network diagrams are the best to explain the plans, especially when they are evolving constantly. It broadens mind and also help to make better picture of hypothetical idea. This would be any network diagrams that show the whole company layout by site, with the connection methods in between. This map does not have to be identical to, but should resemble something similar to Figure 1. If it doesn’t exist, it needs to be made first, before anything else is done. Without a map, or a diagram of the current network, you will find it somewhat difficult to plan a Windows Server 2003 deployment across the network.
In this example we will consider our customer the Transdata Company. They are in 3 separate locales, one location in the US, one location in the UK, and one location in Asia. It is also important for the understanding that where a site exist. Since we think our network to be multi-continental therefore it is good to focus this scenario.
Figure 1: The US – UK – ASIA company connections for Transdata Company
When you plan for something, it means you want to consider every possibility. That is why we know that we don’t just have to see at Directory traffic. We also have to assess WINS traffic if used (NetBIOS, Broadcasts, etc), Multicast traffic, Application traffic such as File and print sharing at the very minimum level, email, Internet access etc.
Figure 2: Services to consider on network
Fig 3: Overview of Network Infrastructure with Replication and backup point of view
As could be seen from Figure 3, when replication traffic patterns are added, we can see that a single file request if too large (like 50 MB) pulled over that WAN link connecting the sites that alone could cause an issue on that link. We have to consider this when planning and designing.
Lastly, look at one more concept of what could happen (and where we should also take consideration in) is an unexpected thing such as ‘Virus Outbreaks’, a Link going down because our provider had an accident (such as a cut fiber that leaves us dead in the water). In figure 4 we have planned some major issues visualizing them as ‘going on’:
Ã We have a Virus outbreak on our LAN, this is causing saturation on our 10/100 Mbps switch, causing slowdown to the servers (especially the DC) on our local subnet. Other issues could be, excessive broadcast/multicast traffic affecting your LAN, routers and so on.
Ã We have a Link that dropped to one of our remote offices. Today, we have no Disaster Recovery (DR) lines set up, no replication, a DC is then cutoff and on an island. These are some serious assumptions that project needs to care about.
Figure 4: Overview of Network with Virus breakdown
7. Report design
7.1. Status Reports
Describe the format, frequency, and distribution of status reports during the project lifecycle.
Describe the process used to update the weekly status reports, i.e. in order to provide the approvers with information about recent completions, accomplishments, and effort expended.
Describe the format, frequency, and distribution of monthly reports during the project lifecycle.
8. Deployment plan
When planning and designing a Windows Server 2003 deployment that spans a global Wide Area Network (WAN), understanding how the base operating system communications subsystems function will help us to size our lines appropriately, plan a site link architecture that follows a planned design and so on. When placing domain controllers (DCs) on a network, they need to be designed so that they can help us to control bandwidth consumption, through them – site links can be used. It is very important to assess our network properly before deployment.
If we do not assess properly, problems such as an under assessment of the unknown effect on our telecommunications lines when rolling out Windows Server 2003 in our corporate network will raise its ugly head right in front of us and our bosses, we could cause problems not only to the current data traversing the network, but also to the directory service that Windows Server 2003 relies on – Active Directory Service (ADS or ‘AD’ for short). Directory corruption is not fun to deal with, hence why backups are so important, but to keep yourself from having to restore or deal with major issues, planning the replication strategy to ‘avoid’ corruption in the first place would be wise. We need getting our access, plan, design, and avoid disaster.
9. Support plan
Data corruption happens all the time, Directories are nothing more than data files that can be corrupted and a poorly performing directory system will only eventually become corrupted and cause issues. Consider the NTDS.DIT file, nothing more than a file, nothing more than the ‘Active Directory database’. Problems with our directory will cause an unstable environment which breeds nothing but problems such as users being able to logon, then not being able to log on are big issues. To not consider what may affect our network bandwidth in our plan is technical suicide, most of what a company relies on to do business comes across such telecommunication lines, and Ethernet based network switches phones, email, Instant Messaging (IM), file transfers, Internet access, application access, printing and so on so ensuring that we assess all that was just mentioned in our planning stages will help lessen the risk of something bad happening not only to our directory, but also to the other systems running on the network.
In today’s large environments, it is imperative to get the most out of your network bandwidth so that businesses can continue to operate, and the businesses do not overspend on telecommunications costs which can get out of control very quickly if not monitored carefully. Our data transmission speed can be affected by any excessive traffic created by applications and services, which is not an easy job.
10. Network Management
Network professionals in the new millennium are facing the most difficult network challenges of their careers. They must manage the critical infrastructure that provides the foundation for business. Today’s business applications are often stored in server farms and based on intranets, extranets, and e-commerce over the Internet. As these networked applications become more sophisticated, companies are demanding more robust network services. For the corporation, support to be a world-class competitor in today’s market, the network must be available 7×24 and have the necessary bandwidth available to service its internal as well as external customers. Understanding this need is only a small part of the task at hand. The network manager must not only have the proper infrastructure to direct this critical traffic to the proper destination, but just as importantly must also have the necessary hardware and software tools deployed to proactively manage this environment.
As a network professional one must know the value of information and needs to monitor the critical resources of his enterprise and detect performance issues, network intrusions, error conditions, as well as be familiar with traffic flows. Real-time data gathering is required for evaluating current conditions as well as for troubleshooting problems. Data collected for days, weeks, and months is necessary to provide a means of establishing a network baseline and to track long-term traffic trends for forecasting future capacity requirements. Properly formatted reports of this data can provide the network professional with the proof required by management to approve expenditures when network expansion or changes are indicated.
Although there are many different vendors selling network management solutions, they share one thing in common, the need for statistics to drive their applications. But where does this data come from, and does each application require a unique data collector? Fortunately, for standards-based applications, the answer is ‘No’. At the core of any good management strategy is the use of intelligent management agents embedded within the networking infrastructure. Vendors are developing an intelligent infrastructure based on industry standards that provides the network manager with the necessary data to make intelligent decisions. The data is readily available from Management Information Bases
(MIBs) embedded within routers and switches as well as Network Analysis Modules (NAMs), which utilize the remote monitoring (RMON) MIB. RMON-based queries are not the only method of network monitoring, but because of their applicability to numerous network management functions, they are of great value.
The data collected by these intelligent agents can be viewed in real time for a quick glance or for troubleshooting. In addition, the data can be stored in a database for historical viewing, reviewing, network base lining, and trending.
11. Change Control
Tracking, recording and auditing of all changes administered to the network and its devices.
Today’s issues far exceed connectivity and access. In the asset management area, the LAN administrator must control all of the devices on the network. He must know which devices are added or removed, and where they got added to or removed from.
In the area of operations management, administrators need to know the versions of software that their networks are running, and the state of all devices. Strong network operations management also ensures that there are no rogue devices on the network. It indicates where upgrades are needed, and whether licenses are up to date.
Change control is another major IT initiative. Network monitoring tools administrators to take snapshots of the network, and can even be automated to take network snapshots whenever there is a change. These changes become an audit trail for purposes of tracking and accountability. They allow a LAN manager to troubleshoot problems that might have occurred because of a specific change.
12. Risk Management
“Te chance of something happening that will have an impact upon objectives” (Australian and New Zealand Standards – Risk Management Standard)
There can be a number of risks that can cause impairment if they are not mitigate or reduced in the beginning. In our case these risks can be reputational risk, compliance and infrastructural risks. On further scrutiny, we can realize that if we just take a good hold on our compliance and infrastructure we will not have most destructive risk which is reputational risk. For risk reduction and mitigation we need to consider following:
Risk management is an essential tool of good management practice and governance. It is the process whereby there is shared awareness and understanding within the organization of:
The nature and extent of the risks it faces
The extent and categories of risks regarded as acceptable
The likelihood and potential impact of the risks materializing
Its ability to reduce the incidence and impact on the organization of risks that do materialize.
This process involves:
Regular and ongoing monitoring and reporting of risk including early warning mechanisms
Appropriate assessment of the cost of operating particular controls relative to the benefit obtained in managing the related risk. For example the University might decide some areas of operation are over controlled relative to the risks faced
At least annually, a review of the effectiveness of the systems of internal control in place
Reporting the results of the review, and explaining the action being taken to address any significant concerns that are identified.
12.1. Risk Identification
Risk identification is the process of determining what, how and why things may happen. Risk should be considered at the earliest stages of project planning, and risk management activities should be continued throughout a project. Risk exposure may arise from the possibility of economic, financial or social loss or gain, physical damage or injury, or delay.
Possible attacks to Transdata:
Possible attacks to Transdata may include:
Ã “Physical attacks – threats posed to the IT infrastructure
Ã Logical attacks – threats posed to the software
Ã Errors by people
Ã Technical failure
Ã Infrastructure failures (Cache Server failure, Database Server failure, Error Messages etc)
12.2. Risk analysis
Risk analysis is the systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. Monitoring is an essential job at Transdata for such risk analysis. It may also do further good to Transdata after the applying proper risk prevention.
Secondly, if you are aware that certain virus attacks are possible for your website, you may prepare for it before hand. Similar is with Denial of Service attacks.
Third probably you know through risk analysis that your software has a little problem with some action, which is important for you company at such situations risk mitigation is a good option.
12.3. Risk Evaluation
Risk evaluation determines whether the risk is tolerable or not and identifies the risks that should be accorded the highest priority in developing responses for risk treatment. Intolerable risks for Transdata are the System failures, Infrastructural failures, unless swift action is taken, any problems with this e-commerce site will be immediately obvious to the world.
Other Intolerable risk is Technical failure which customer can identify. For example, if user has a credit card that is good in all means, its authentication failure may cause user to think something is wrong with it. On knowing its working perfectly, the user may never come back to your website as e-commerce customers typically have very little loyalty, so if your website is unavailable they will simply move on to one of your competitors. In addition, technical failure can have a significant impact, not only on your customers but also on key trading partners.
12.4. Risk Treatment
Risk treatment establishes and implements management responses for dealing with risks, in ways appropriate to the significance of the risk and the importance of the project. Transdata will benefit from all four-risk treatment strategies:
Risk Treatment Strategies
There are four major Risk Treatment Strategies:
1. Risk Prevention (Including Risk Avoidance)
Risk prevention strategies are directed to eliminating sources of risk or reducing substantially the likelihood of their occurrence. Transdata can also prevent risks by applying following procedures:
Ã Alternative approaches: The selection of alternative approaches to deal with the problem situations would do a lot good to Transdata.
Ã Professional Assistance: Transdata should have formal processes and quality assurance procedures done by professionals to avoid software problems
Ã Inspections and Audits: Transdata should have regular inspections and audits of the system and networks.
Ã Education and Training: Educating and training the staff of potential risks and for the sake of skills enhancement.
Ã Security Measures: Physical protection to the system by proper firewalls and anti-viruses programs is must to avoid the likelihood to losses specially data.
Ã Avoid User Confusion: Transdata should provide user with proper password retrieval methods, to avoid confusion mention the fields “must” to fill, and validate user before starting the process.
Ã Regular Back ups: Regular backups of data should be taken and should be transferred on tapes and to all the other branches of the company.
2. Risk Mitigation
Impact mitigation is directed to minimizing the consequences of risks. Some risks, such as those associated with economic variations or extreme weather conditions, cannot be avoided. The likelihoods of other risks arising may be reduced by risk prevention strategies, but the risks may still occur. In these cases, risk management must be directed to coping with their impacts, and ensuring that adverse consequences for the project and the project criteria are minimized. Impact reduction strategies include:
Ã Contingency planning: Transdata would strongly need a contingency plan in order to deal with the un-measured risks or the risk those have a likelihood of appearing again and again. For example the Denial of Service attacks in business like ours are very common. Since, contingency plan is an impact-reduction measure it will always help our company to deal with this issue and the like.
Ã Engineering and structural barriers: Transdata should not take any actions that could exacerbate the problem. For example, if there is a problem with accessing files from a back-up tape using a tape drive, you should investigate whether the problem is caused by the drive, rather than just assuming there is a problem with the tape and then potentially damaging others by placing them in a faulty drive.
Ã Separation or relocation of an activity and resources: Transdata should take care that its internal network should be separate and they should not have Internet access. Few PC in the sub net of this external network should allow users to use Internet. Server Farm should be part of the external network.
Ã Quality assurance: Quality Assurance is must for Transdata as when the procedures are assured; it becomes easy to detect the problems earlier. Where you have a risk that you can’t eliminate, you should ensure that you have a fail-safe method of detecting the problem if it occurs.
Ã Contract terms and conditions: Transdata should sign contracts with anti-virus providers for increased security of the network. It should also provide clear terms and conditions on the website to aware user of its rights and limitations.
Ã Regular audit and Checks: Regular audits and checks to detect compliance or information security breaches is one the things which e-widget should always take care of because in continuous or recurring processes, a failure may occur silently, and its impact will grow over time. If you identify this type of risk you should build in a periodic check to detect the problem as soon as possible.
Ã Crisis management and disaster recovery plans: “Disaster recovery plans should be tested if possible. A test could be a simple paper exercise where different people run through different parts of the recovery procedure involved.” However, it does not provide any exercise of it prevention. For example, escape and evacuation plans are essential in many areas for mitigating the consequences of major fires, but they do not avoid the need for proper prevention measures such as the use of fire retardant materials, sprinkler systems and the like.
Ã Document the Procedures: Document procedures for dealing with likely threats, and train your staff in their use. For example, there are many ways that a virus can get into your system, so you should have plans for quarantining affected parts of the system so that the problem doesn’t spread.
3. Risk Transfer
“A general principle of risk management is that risks should be the responsibility of those best able to control and manage them. However, sharing a risk with a contractor or supplier does not transfer it fully, and it may not really eliminate the risk – it just transforms it into a ‘contractor failure’ or ‘contractor performance’ risk. In these circumstances it is critical to ensure the contractor has a system in place for managing risk effectively, otherwise the project may end up with additional risks”.
In our project (Transdata), contracts require sound risk management processes to be developed and implemented by the contractors, sub-contractors or suppliers of products or services, as part of control and oversight procedures. This process of allocation is called risk sharing rather than risk transfer because risks are rarely transferred completely or shed entirely. For example, Credit safe transfer is must for our company, if the company we work with will not provide us with the required security, the problem will be increased on our part.
Another way of risk transfer for our company is Insurance. “Insurance is a well-known risk sharing strategy. It is normally used for physical assets and a limited range of commercial risks, particularly for the low probability but high impact residual risks that may remain after other risk treatment actions have been implemented. Sharing a risk with another party will usually incur a cost, for example an insurance premium, which provides a direct measure of the cost of sharing the risk. It should be noted that an insurance contract, like most contracts, is also a process that transforms the risk into something different: in this case, the insured party now has a credit risk that the insurer will not pay the full amount of a claim or will delay payment.”
4. Risk Retention
Sometimes risks cannot be avoided or transferred, or the costs of doing so would be high. In these circumstances, the organization must retain the risks. In our case all of our concerns are almost solved. But no one can always sure of 100% risk removal. There will always be new IT-related risks that we have not covered. For example, new virus, new attacks and fraud tricks are a big portion of our risk retention.
However, certain other risks like software procedure that need a lot of capital, a mechanism which is better for us but have but reduce speed like cryptography that needs within network may increase security but at the expense of robustness of network are also retained for the sake of betterment of functionality of our e-commerce.
13. Customer Satisfaction
To keep the customer attracted and satisfied we have ensured three basic rules besides all the preparations we have done to deal with unexpected situations:
13.1. Regular Meetings with Customer
There should be regular meetings with customer in which customer would receive a briefing of project progress and likely changes that the project may counter. If the customer approve of the change then this would be one of the biggest achievement in winning customer satisfaction
13.2 Status Report Submission
A regular status report should be submitted to the Customer. Frequency and duration of submission should be as per customer’s demand.
13.3. Deliverables checklist
We already have a deliverable checklist which is required to be delivered after the completion of the phase. These deliverables should be double checked and should be conveyed to customer through reports or during the meeting’s briefing, as per customer demand.
14. Network monitoring
Network monitoring gives the ability to monitor the activities of the applications and the devices to ensure expected and normal operations. On the other hand it helps to detect problems and take the necessary actions to correct them. It can guide you to discover the security holes opened through your network intentionally by attackers or unintentionally such as disabled or unused suspicious services that may be enabled by mistake.
Network monitoring could be achieved through the following:
Ã Using an accurate and complete Logging System for almost all devices.
Ã Using almost all the available traffic monitoring tools including bandwidth monitoring, packet sniffing, IDSs etc.
Logging can give detailed information about any access or change of any network resources. Frequently, uses of traffic monitoring tools help you to distinguish between normal traffic and suspicious ones. There are many free network-monitoring tools that can help you to easily enhance your security; you do not have to care too much about the budget.
The free tools are such as Kiwi Syslog Daemon, Backlog for logging purposes and Ethereal, MRTG, Snort (IDS), for traffic monitoring purposes.
It is a very difficult task to monitor a network perfectly, especially when it is a big network. Most of the beginners face difficulties in understanding and analyzing the logs and the network traffic flows. This requires a lot of time and constant struggle to make one used to of these technical things. It is most of the time suggested to at least learn monitoring before doing job because it makes life problematic and haphazard when you don’t know it.
15. Network Traffic Monitoring
Network traffic monitoring is an important aspect of network management and security. For example, observations may reveal the effects of events such as a network failure, an operational failure or a security incident on network traffic effects a great deal. There are several other usages of network traffic monitoring e.g. in Quality of Service estimation, bandwidth planning etc. But, in routine network monitoring, the interest is on events. If there are no events of interest, the network manager probably won’t want to “look” at the traffic.
The traffic data in such cases is destined for archiving. From there it will probably be backed-up on off-line media or discarded. Present monitoring systems do not have a mechanism of detecting events of interest. So it appears that the operator will either look at all the traffic to detect events of interest or will not look at the traffic at all. It is always better to suggest that one should use data from a network to examine the utility and effectiveness of the approach.
In conjunction with Expert System technology and automated alarm thresholds, both the interactive behavior of communicators on the network and the statistics concerning performance of the network can be monitored. For example, the statistics can be automatically evaluated to confirm that they haven’t exceeded allowable limits. By establishing an effective network monitoring solution you will:
Ã Monitor complete real-time and historical performance metrics for the network.
Ã Isolate and describe potential network problems before they impact the end-user.
Ã Obtain measurements and trend information to allow for accurate capacity planning.
Ã Make effective use of your available network bandwidth.
Ã Monitor performance to validate service level agreements.
Ã Respond to network outages and errors without having to wait until an end-user calls to complain (“proactive network management”)
Ã Categorize network performance to help prioritize the work flow of the support team.
Word Count: 7, 572.
Microsoft (2007). Retrieved from: http://technet.microsoft.com/en-us/default.aspx Retrieved on: January 16, 2007.
Chellis, James; Perkins, Charles and Strebe, Matthew (2005). MCSE: Networking essentials, Study Guide. Network Press, SYBX.
Haugan, Gregory T. (2002) Effective Work Breakdown Structures (The Project Management Essential Library Series), Project Management Institute, pp.100, ISBN 1-56726-135-3
The basics of project risk management (2004) Retrieved on February 21, 2007 from http://media.wiley.com/product_data/excerpt/17/04700228/0470022817.pdf