Smart Card Implementation “Project Management and Implementation Best Practices”
Smart Card Implementation - Secure Technology Alliance · 04/06/2002
Chris Cikanovich, Director of Government Programs
June 4, 2002
Topics of Discussion
• Implementation of a formal “Process Plan”
  – Phase I – Strategy
  – Phase II – Definition
  – Phase III – Design
  – Phase IV – Development
  – Phase V – Integration
  – Phase VI – Development
  – Loyalty
    • Strengthening the merchant/consumer relationship by offering purchase incentives
Smart card technology addresses the value proposition from multiple directions
Defining The Value Proposition
• The value proposition for implementing ID security programs is based on the cost of “non-security”: the loss or compromise of critical information, or unauthorized access to specific locations
  – Loss of critical information
    • Classified information
    • R&D data
    • Customer data
    • Financial statements
    • Human Resource data
  – Unauthorized access to locations
    • Government/Commercial facilities
    • Unauthorized access to critical information
    • Regions (US Territory or other government property)
  – “Unknown” cyber attacks
    • No immediate evidence of the attack gives the hacker time to “guide” through one’s organization
      – Alter permissions to physical and logical access systems
      – Obtain employee personal information
      – Copy, alter or delete end user information through networked PCs
      – Copy, alter or delete end user information through dial-up services
The ROI is not necessarily based on increasing revenue; rather, it is based on the fact that you have eliminated the ability of unauthorized users to gain access to mission-critical information
• The following are the absolute requirements for a successful project (even when managed internally)
  – Ensure there is project dedication from management oversight (corporate, Service, Agency or local government)
    • IT projects are complex; without objectives, dedication and commitment from corporate management, IT projects can become expensive programs
  – Assign an overall project manager
    • For multi-location programs assign site leaders who report to the overall project manager and coordinate all project and user communication for those individual sites
  – Strong program and project management disciplines
  – Well defined responsibilities for key personnel (CTO, MIS Manager, Security Officer, Human Resource Manager, etc.)
Identify Technology Suppliers
• Infrastructure
  – Description: PKI, Physical Access, Smart Cards, Smart Card Readers, ID issuance stations, Connectivity
  – Partners: Baltimore, Entrust, VeriSign, DST, FDR, TSYS, DataCard, SchlumbergerSema, Oberthur, Gemplus, Identicard, Identix, ActivCard
• Integration
  – Description: Card/Application management system, PKI/LDAP, Server components, ID issuance components
  – Partners: PKI Provider, In-House, EDS, Northrop Grumman, Maximus, SchlumbergerSema
• Implementation
  – Description: Deployment, ID issuance process
  – Partners: PKI Provider, In-House, EDS, Northrop Grumman, Maximus, SchlumbergerSema
• Life Cycle Support
  – Description: Help Desk
  – Partners: In-House, Outsourced Call Center
Project Management Plan
• Your project management plan should outline:
  – Duration for the overall project and individual design, development, integration, testing and deployment phases
  – Responsible party for the delivery of the individual phases
  – All key milestones and dependencies for the individual phases
  – Project resource requirements and constraints
Functional Requirements
• Your functional requirements outline the feature set for the individual products, applications or systems required, including:
  – PKI
  – Issuance station
  – Physical access solution
  – Logical access solution
  – LDAP services
  – Issuance process
  – Card Management System
Phase III Design
• Objective:
  – Understand the current user/technology infrastructure
  – Create design specification
    • Outline the solution architecture
    • Understand the current user environment
  – Create functional specification
  – Outline/implement test plan
Defining The Architecture
• Create project plan for each critical system
• Create architectural diagrams for all systems
• Clearly outline and understand where all systems interact and the impact on each system
  – Network
  – Physical access
  – CMS (Card Management System)
  – PKI (secure room environment for CA/RA services)
  – Directory Services (LDAP)
  – Redundancy Systems
• Define any systems/services which will be outsourced and how that system will integrate within your environment
• Define all security policies associated with:
  – Physical access
  – Card, Application and Key management
Understanding The Current Environment
• ID Issuance process
  – Physical location (impact of new technologies based on the current environment)
  – Does the current card body support new technologies such as integrated chips and have characteristics that ensure card body durability?
• PC Platforms – 98, 2000, NT4, XP, etc.?
  – Impact – smart card reader devices (USB support not provided under NT4)
  – Browser support – Integration of smart card support (implementation of required middleware software)
  – e-Mail support – Does the current “corporate” standard provide interfaces for signature and encryption capability?
Understanding The Current Environment
• Physical access – Is there an existing system?
  – Proprietary or based on the Wiegand standard (back-end communication protocol for physical access systems)?
  – If proprietary – can the card body support chip technology and post-printing processes (example: matte finishes typically result in poor post-printing quality)?
  – Reader interface
    • Does the reader interface both with the required contactless technology and the back-end protocol (typically Wiegand)?
Diagram (physical access system components): Panel; Door Readers (contactless card – Mifare, HID, etc.); Imaging System (Badges); Access Server (Rights and Policies); RS-232/485 converter; Standard Wiegand Output
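The slide above asks whether the readers speak the back-end protocol, typically Wiegand. The following is an added example, not from the original presentation, showing what a reader-to-panel frame looks like in the common 26-bit Wiegand format and how a panel validates it before consulting its rights and policies; the 26-bit format, the facility code, the enrolled card set and the panel_accepts policy function are all assumptions made for the demonstration.

```python
# Added example (not from the original slides): encode and validate a
# reader-to-panel frame in the common 26-bit Wiegand format. The format is
# an assumption here; the slides only say the back end is "typically Wiegand".
# Layout, first bit sent first: bit 0 even parity over bits 1-12,
# bits 1-8 facility code, bits 9-24 card number, bit 25 odd parity over bits 13-24.

def encode_wiegand26(facility: int, card: int) -> str:
    """Return the 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    payload = format(facility, "08b") + format(card, "016b")   # 24 data bits
    even = str(payload[:12].count("1") % 2)          # makes bit 0 + bits 1-12 even
    odd = str((payload[12:].count("1") + 1) % 2)     # makes bits 13-24 + bit 25 odd
    return even + payload + odd


def decode_wiegand26(frame: str):
    """Check both parity groups; return (facility, card) or None if the frame is bad."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    if frame[:13].count("1") % 2 != 0:      # even-parity group: bit 0 and bits 1-12
        return None
    if frame[13:].count("1") % 2 != 1:      # odd-parity group: bits 13-24 and bit 25
        return None
    payload = frame[1:25]
    return int(payload[:8], 2), int(payload[8:], 2)


# Constructed sample enrollment for the demonstration: one facility code and a
# small set of issued card numbers that the access server's policy allows.
ALLOWED_FACILITY = 100
ENROLLED_CARDS = {12345, 12346}


def panel_accepts(frame: str) -> bool:
    """Hypothetical panel-side decision: reject malformed frames and unknown credentials."""
    decoded = decode_wiegand26(frame)
    if decoded is None:          # parity failure: line noise or a malformed reader
        return False
    facility, card = decoded
    return facility == ALLOWED_FACILITY and card in ENROLLED_CARDS


if __name__ == "__main__":
    frame = encode_wiegand26(100, 12345)
    print(frame, decode_wiegand26(frame), panel_accepts(frame))
```

Because the 26-bit format carries no secret beyond the facility and card numbers, the parity checks only catch transmission errors; the slide's recommendation to pair the Wiegand back end with chip-based contactless credentials is where the actual authentication strength comes from.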
Phase IV - Development
• Objective:
  – Develop or modify any core technology/software that is required to complete the implementation of your system
  – Define and establish customer/field support services (help desk)
Training
• Implementing a well defined end-user training program is key to a successful project for several reasons
  – Provides an understanding of the purpose behind the implementation (increased security, enhanced employee-based services through telecommunication via VPN, enhanced password management, physical access control to critical systems, etc.)
  – Familiarizes the end-user with new technologies, terms and processes
  – Increases end-user awareness of security policies and practices
  – Enforces the goal and objectives behind the initial project launch
• End users should be trained on all relevant aspects of the security system
  – Smart Card issuance process
  – Client software support
  – VPN access
  – “PKI 101”
  – Smart card reader installation/use
  – Security policies and procedures
Managing The Deployment
• Program management is key to deploying a successful smart card-based corporate security solution
• Define the program management team based on:
  – Regions (North America, South America, Europe)
  – Regional Locations (States, Cities, etc.)
  – Campus locations
  – Buildings within individual locations
• Include the employee population in communications regarding events around deployment
  – Implement Intranet site to disseminate information
  – Impact on operations (if any)
  – Impact on operational policies and procedures
Field Support
• Implement a formal “Field Support” guideline document that provides troubleshooting and technical support information for the employee population (physical document and web-based)
• For multi-national corporations, provide regional support that is capable of supporting procedures and operations unique to geographical regions
• For corporations whose business relies on 24 hour services, support and communication, provide 24x5 technical support. If the budget is there, provide 24x7 technical support
  – If technical support is outsourced, ensure that the contracted party consists of technology specialists within the PKI, VPN and IMS space
  – Avoid contracting with “1-800” specialists that are not familiar with your environment
Communication and responsiveness are the key to quality field support
Contact information . . .
Chris Cikanovich, Schlumberger NIS, Director, Government Programs