Report compiled by David Watters (Programme Manager) for Alex Carter (Programme Sponsor)
Section 1: Programme Summary
Programme Manager's Commentary
This reporting month shows a mixed bag across the programme: some of the bumps in the road reported last month are still causing delays or updates, one project has had a major incident, and the two newer projects are picking up speed. This has led to a mixture of RAG statuses, with one Amber, one Red and the other three listed as Green.
The IDM DB migration project was okayed to use the IDM TEST environment after People & Money put the new IDM interface into LIVE just before Christmas. However, this remains a risk because some issues have arisen and so IDM TEST has been used to work on fixes. COM045 has therefore updated the remaining milestones and these are expected to be approved soon.
The O365 Security Hardening project has had its dates adjusted because of delays around the comms related to auto-forwarding and around agreeing a date to implement these changes. This needs to be resolved with the Project Sponsor soon.
The Staffmail migration work is the one that is reported as Red. The MI team and Project Manager are continuing to work on a resolution to this and are keeping all concerned up to date with progress.
The VRS Rewrite project was submitted to WIS in the first week of December and the PM immediately started work on the project brief. This is expected to be completed by the end of January. One concern is to make sure that the necessary development staff are secured to work on this.
The Wiki Crowd Implementation project has continued with the drafting of the project brief and this was recently issued for review by the project team. Resources have been booked and work is expected to start in early February.
In summary, a traditionally slow month (December) with the long holidays did not see 'huge' amounts of effort expended though there was some positive news with good work progressing. We do need to keep an eye on the pieces of work that require attention so that things can get moving with these again.
An agreement had been made with People and Money that COM045 could proceed with the TEST upgrade. Resourcing and milestones have been revised in line with commencing in January; however, this will need to be reviewed as further bug fixes were applied to People and Money w/c 04/01/2021.
The TEST VM environment has been built and is ready for the upgrade and switchover.
Dependency on People and Money has delayed the TEST environment build. Bug fixes continue to be required in People and Money, so further delays could happen.
Submit the proposed milestone dates to WIS for formal approval
Upgrade and switch over the database and repoint SOA and Weblogic
Piccl 19 moved delivery date for auto-forwarding and closure out as sponsor unable to give his time to project due to his work on the Covid application project
Issues to be resolved by sponsor are:
There has been feedback from the warning banner deployment which means some significant changes. Service Management colleagues have been asked to supply an estimate for these changes and to agree if they are to be completed as part of this project (which means reviewing the budget) or as BAU.
Comms plan and comms text still to be agreed by sponsor, so we have switched the auto-forwarding to ‘allow’ in the meantime until we can get the comms out. It will then be switched back to ‘automatic’.
Sponsor to agree where warning banner changes to be made
Sponsor to approve comms plan and comms text for auto-forwarding
Agree date for auto-forwarding comms to go out
Comms to be distributed
Auto-forwarding status reverted to ‘automatic’ after comms out – date to be agreed
Project is AMBER
Description: Comms still have to be resolved for the auto-forwarding but project sponsor priority has been on Covid application project.
Impact: Delivery and closure milestones extended and may be again depending on PS availability
Plan: PS to agree comms and delivery date. PM to ask if he can delegate if time not available
In the last month, several migrations were successfully completed. See report for Week ending 04.12.2020
Up to Tuesday 15th December 2020, the project has successfully migrated 10 batches of accounts from Staffmail to O365. The mails are migrated in two steps. Step 1 is an initial process that migrates the majority of a user's email objects. Step 2 migrates the remainder of the most recent emails.
A serious issue has occurred with batch 11. This batch migrated 189 accounts (140 functional accounts and 49 staff accounts), the vast majority from colleagues in the School of Informatics. As part of the first step, we create a CSV file with two columns, source and target, which is uploaded through the user interface of a third-party data migration tool. There is no systematic check within the tool that the file is correctly formatted. There are checks in place to detect account duplication within the CSV file; however, loading the CSV into the migration tool is a manual process. The data in this source file became out of sync and resulted in 48 staff receiving mail items belonging to another colleague in the same school. The total number of mail items affected is 2.4 million.
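A pre-upload check of the kind the mapping file lacked is sketched below. It is an added example, not part of the report and not the project's or the migration tool's own code. The `authoritative` lookup, the `source,target` header names and all addresses are assumptions made for illustration.

```python
import csv
import io

def validate_mapping(csv_text, authoritative):
    """Return (line_no, problem) pairs for a two-column source,target file.

    `authoritative` is an assumed, independently produced source -> target
    lookup with lower-case keys; the report does not describe one.
    """
    problems, seen_sources, seen_targets = [], {}, {}
    reader = csv.reader(io.StringIO(csv_text))
    header = [h.strip().lower() for h in next(reader, [])]
    if header != ["source", "target"]:
        return [(1, "header must be exactly: source,target")]
    for row in reader:
        line_no = reader.line_num
        cells = [c.strip().lower() for c in row]
        if len(cells) != 2 or not all(cells):
            problems.append((line_no, "row must have exactly two non-empty columns"))
            continue
        source, target = cells
        # Duplicate checks: the kind of check the report says already existed.
        if source in seen_sources:
            problems.append((line_no, f"duplicate source, first seen on line {seen_sources[source]}"))
        if target in seen_targets:
            problems.append((line_no, f"duplicate target, first seen on line {seen_targets[target]}"))
        seen_sources.setdefault(source, line_no)
        seen_targets.setdefault(target, line_no)
        # Pairing check: catches rows whose columns have drifted out of sync.
        expected = authoritative.get(source)
        if expected is None:
            problems.append((line_no, "source not in authoritative list"))
        elif expected.lower() != target:
            problems.append((line_no, f"target mismatch, expected {expected}"))
    return problems

# Constructed sample data (example.org addresses are placeholders).
AUTHORITATIVE = {
    "alice@staffmail.example.org": "alice@o365.example.org",
    "bob@staffmail.example.org": "bob@o365.example.org",
    "carol@staffmail.example.org": "carol@o365.example.org",
}
# Targets shifted by one row: no duplicates, yet every pairing is wrong.
SHIFTED_CSV = """source,target
alice@staffmail.example.org,bob@o365.example.org
bob@staffmail.example.org,carol@o365.example.org
carol@staffmail.example.org,alice@o365.example.org
"""

if __name__ == "__main__":
    for line_no, problem in validate_mapping(SHIFTED_CSV, AUTHORITATIVE):
        print(f"line {line_no}: {problem}")
```

The shifted sample passes a duplicate-only check, which is why the pairing is verified against a second source rather than against the file itself.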
The service was notified at 10:30 on Wednesday 16th December 2020 by a member of staff in Informatics. This was immediately regarded to be a serious issue and a Major Incident (MI) within Information Services was declared at 12:15 on Wednesday 16th December 2020. The MI team has met three times per day since the MI was declared. The MI team is made up of colleagues from Service Management, Project Services, User Services, School of Informatics, InfoSec and Data Protection, and is led by Lisa McDonald.
Regular communications have been issued to colleagues impacted by this incident. An MS Teams channel was created to facilitate comms to impacted users. Also, a Q&A session led by Alex Carter and Gavin McLachlan was held on Thursday 17th December 2020 from 15:00 - 16:30. Colleagues in Informatics are understandably very upset about this incident, with emotions occasionally spilling over. The Data Protection Officer, Dr Rena Gertz, advised that, after consultation with colleagues in Legal, the University would not declare this data breach with the ICO. However, in the Q&A session on Thursday, this information was met with a very negative reaction, to the extent that two members of staff indicated that they would report this to the ICO, should the University not do so. Taking this feedback into consideration and after a discussion with the Data Protection Officer, the Deputy Secretary for Compliance decided that this incident should be reported to the Information Commissioner's Office (ICO). The ICO was informed on Friday 18th December 2020 at 18:00 hrs. It is worth pointing out that there is no evidence of any unlawful access or any negative impact on students or other third parties; there will be no notification to these parties.
The MI Team acted quickly to investigate the technical options available to rectify the wrongly migrated mail items. A possible solution was identified where all mail items in a user's O365 account prior to 30.11.2020 would be removed by script. Colleagues worked over the weekend through to the following Tuesday; however, upon checking the results, some mailboxes were not correctly cleared out, rendering this solution unusable. The MI was suspended on Tuesday 22nd December 2020.
The MI will remain open until the issue with wrongly migrated mail.
A new process for removing the contaminated mailboxes is being worked on with the highest priority.
RAG Commentary: RED. The project is reporting as RED due to the consequences of wrongly migrated content. The MI team are evaluating options to resolve the contaminated mailboxes; a proposed process from Microsoft was not successful.