
Project Charter - Template - WikiLeaks

Apr 29, 2018


SKS Hosting Project Charter

1. Problem Statement and Background

SKS, Japan’s Home Entertainment inventory and sales transaction system, is currently running on outdated, end-of-life (EOL) infrastructure that is no longer supported. A past audit identified that this poses risk from both a security and vulnerability standpoint. The opportunity exists to move the current infrastructure hosting from SPE APAC, which does not have the requisite platform/infrastructure expertise, to SPE’s Chandler Data Center, internally supported by the Enterprise Infrastructure Services (EIS) Group. By doing so, three EOL components will be upgraded and the infrastructure will be centrally managed by EIS Group to provide improved support and platform availability. Additionally, as a result, existing Level 4 and 5 infrastructure vulnerabilities will be reduced by approximately 60%.

2. Objectives

The primary objective is to move the SKS application to Chandler Data Center to have its infrastructure hosted and supported by SPE’s EIS group. Additional objectives are to:

• Use supported technology
• Improve security via reduced vulnerabilities (*Please see Appendix for additional information)
• Improve availability
• Leverage operational and cost efficiencies
• Lower the Total Cost of Ownership (TCO), including support and maintenance costs

3. Scope

• Set up and provision Non-Production and Production infrastructure
• Procurement of licenses
• Installation, configuration, and testing of SKS Application and middle-tier components (WebSphere [WAS])
• Migration of all batch/cron jobs
• Functional and Performance Testing of Application and batch/cron jobs
• Vulnerability Testing
• Deployment and Hypercare
• Decommissioning of old infrastructure

OUT OF SCOPE

• Application or middle-ware upgrade
• Application or batch job enhancements
• Any security or vulnerability-related issues tied to application or middle-ware

4. Options/Alternatives

• Leave as is: Maintain infrastructure hosting with SPE APAC: Does not have the requisite platform/infrastructure expertise and vulnerabilities will remain
• Replace/upgrade application: Not cost effective ($1.5M)


SKS Hosting Project Charter Version 1.0, 2/14/2014

5. Assumptions

• Project will upgrade Operating System (Application, Reporting, and Database Servers), Database only
• Greenlight will require inputs from Information Security on security handling (e.g., exceptions)
• Current security/vulnerability metrics for the application will remain the same
• ORMC will continue to provide SKS application support

6. Constraints

7. High-level Risks

Risk | Impact | Mitigation Options
Existing Security Issues | Project Not Greenlit; Schedule delays; Scope Creep | Meet with Information Security to obtain agreement and/or apply for necessary exceptions and approvals; Set up separate, isolated virtual environment (infrastructure and platform)
Vulnerabilities | Production Deployment / Go-Live Delay |
Procurement of necessary licenses | Schedule delays | Engage Procurement as early as possible
Old version of software | Vendor will not support software running on newer version of Operating System (WebSphere v5 on Solaris 10, which will not be supported by IBM); WAS v5.1 is incompatible with Java v 1.6 and has to run on Java version 1.4.2 to make it compatible | Accept risk
Communication/Language Challenges | Schedule delays | Establish robust communication plan and meeting schedule
Complex network landscape to determine firewall ports to be opened | Schedule | Engage Networking Team to assist defining existing landscape and in timely resolution of requests

8. Project Budget

Item | Estimated Cost
Internal Labor | $34,000
External Labor | $32,000
Software and Licenses | $6,000+?
Hardware | $50,000
TOTAL |

9. Stakeholders

These are the individuals who have a positive or negative vested interest in the project. Stakeholders can be project team members and most likely would be a part of the project Steering Committee. For clear definition of Stakeholder roles, please see the attached Appendix page.


Business Unit Stakeholders | Title/Role

IT Stakeholders | Title/Role
Stephen Andujar | CIO
Sim Choo | Regional CIO, Asia Pacific
Ferdinand Fattorini | SVP, Enterprise Infrastructure Services (EIS)
Kenneth Lee | Executive Director, Global Technology Services (GTS)
Tsuboi Katsuyuki | Director, IT, Asia Pacific
Alexander Glass | Manager, IT, Asia Pacific

10. Resource Plan

In this section please detail out the resource plan for this project. Is the project managed by the BRM organization and the development work is to be done by ADM? Is design and development work being done by a 3rd party Vendor?

Role | Named Resource | Responsible Organization
Project Manager | Laura Pastoriza | SPE
BRM, APAC | Alexander Glass | SPE
Technical Director, APAC | Tsuboi Katsuyuki | SPE
Technical Lead, ORMC | Ashish Deopuria | ORMC
Application Sys Admin | Madhu Siddula, Konatham Veerareddy | ORMC
Application DBA | Manoj Kumar | ORMC
Unix Admin | Chuck Rigsby | SPE
Solaris Admin | TBD | SPE
Network Engineer | TBD | SPE
DBA | Notonesh Bhattacharya | SPE

11. Project Benefits

If your project’s proposed budget is under $100,000, you do not need to complete the section below. Please list your project benefits by bullet point. If your project’s proposed budget is above $100,000, please complete the section below. This will assist with the Benefits Realization of your project.

Benefit | Accountable Person | Metric | Tracking Time Frame | Tracking Start Date | Report Source
Security Improvements | | Reduced number of Vulnerabilities | | | WebInspect and Qualys Scans
Increased Data Center Availability | | Data Center Up time | | | Service-Now
Hosting Cost Savings | | Hosting Costs Removed | | | Current Infrastructure Hosting Costs
Improved Visibility via Centralized Change Management and Tracking | | IT Change Control | | | Service-Now
ANYTHING ELSE???? | | | | |

12. Required Signatures

Required Signatures | Signature | Name | Date
Line of Business CFO | | |
Customer - Business | | |
Executive Sponsor - Business | | |
Product Manager – Business | | |
VP - Information Security | (Electronic Signature) | Jason Spaltro |
CIO | | |
Sponsoring DCIO/VP | | |
Project Manager | | |
VP – Enterprise Infrastructure Services | (ELECTRONIC SIGNATURE) | Ferdinand Fattorini |

Sony Pictures Entertainment, 05/24/12:
Architecture and EIS signatures are required prior to the Greenlighting Board and will be received as a result of the Plan Check Review. Executive Sponsor, Project Sponsor, Project Manager, and Sponsoring DCIO signatures will also need to be obtained prior to the Greenlighting Board. CIO signatures will be received as a result of being approved within the Greenlighting Board.

Disclaimer

The purpose of this Project Charter is to define a business problem/opportunity. The information contained in this document is preliminary and by no means certain. Cost estimates and schedule dates are contingent upon findings discovered within the Inception and Elaboration Phases of the project. The total project cost is currently only an estimate and should be viewed as only an estimate. The anticipated benefits are subject to change as well but once defined may be tracked for benefits realization post go live.

13. Appendix

The following Appendix includes the security and vulnerability issues discovered during the Proof of Concept (POC) to have as reference for Information Security review for future handling.

• Old version of software
  o WebSphere v5: IBM only supports WebSphere v5 on Solaris 9; we plan on running WebSphere on Solaris 10, which will not be supported by IBM
  o Java: WAS v5.1 is incompatible with Java v 1.6 and has to run on Java version 1.4.2 to make it compatible
• Security Issues
  o Hardcoded user ids/passwords in application and batch jobs
  o Batch jobs use ftp, not sftp
  o Storage of Password in DB table not encrypted
• Vulnerabilities
  o *POC Server Level:
  o **POC App Level: Apache Expect Header Cross-Site Scripting
  o ***Current SKS Production Environment
  o ****Summary Comparison
  o *****Future Plans post SKS Hosting Project

*POC Server Level Report Summary:

IP address | Level 5 | Level 4 | Level 3
172.22.160.101 | 10 | 9 | 10
172.22.167.101 | 0 | 0 | 2
172.22.180.71 | 8 | 9 | 10


**POC Application Level Report Summary:

Current Scan SR0044439 Issue Status

Sr. # | Vulnerability | Severity | Problem / QC Ticket | Remarks
1 | Apache Expect Header Cross-Site Scripting | High | PRB0060949 | Must be fixed
2 | Possibility Of Session Fixation | Medium | NA | Should be fixed before moving into production.
3 | Malicious HTTP Method Enabled | Medium | NA | Should be fixed before moving into production.
4 | SSL Cookie Not Used | Medium | NA | Should be fixed.
5 | Cross-Frame Scripting | Medium | NA | Dangerous to steal click. Need to fix at earliest.
6 | Information Leakage | Low | NA | Should be fixed.
7 | Form Autocomplete Active | Low | NA | Should be fixed in production

***Current SKS Production Report Summary:

Production SKS Japan (86 in total):
Level 5 confirmed: 28 vulnerabilities
Level 4 confirmed: 58 vulnerabilities

****Summary Comparison:

The decrease in vulnerabilities is caused by the following upgrades that were made to the POC environment.

• Solaris 10 vs. Solaris 9.
• Oracle 10g vs. Oracle 8i.
• AIX Web Farm vs. Solaris database server
• Java version 1.4.2 to make it compatible with WAS 5.1 vs. Java 1.2

*****Future Plans Post-SKS Hosting Project:

Future plans are around upgrading/potential re-platforming after the SKS Hosting Move, which would be up to the business to make the decisions on future investments. See below for additional details:

• Future plans for SKS (e.g., replacement, retirement, re-platform):
  o Java platform upgrade (WebSphere upgrade or migration to other platform)
  o Subsystem integration to SKS (IOS : Initial Order System)
  o Reporting enhancement. (Tableau?)
  o Job scheduler upgrade (JP1 upgrade for Windows 2012 platform or migration to other scheduler)
• Timeframe for that plan (e.g., in next 2 years, next 4, 8, etc.):
  o Java platform upgrade to be started after server relocation. Other timelines are unknown.
