Closure Report
Management Summary
This project has proved to be more complex than originally planned – with several modifications to each of the main areas of budget, time and scope, as well as changes to the personnel involved. The closure report details these changes and should provide an understanding of the difficulties encountered over the project’s duration. One particular difficulty has been the attempt to carry out the declared tasks in the original version of the project brief while the co-ordinates of this work shifted through colleagues in other areas (e.g. ITI) undertaking related tasks, via other projects, and the supplier (Microsoft) modifying some of the overarching framework behind O365 security. This, in turn, was all set against the uncertainties of the work environment of the past 18 months. All of this should be seen as the background against which this project was conducted.
David Watters, Programme Manager
Project Summary
Enhanced security measures are to be applied to the Office 365 environment in place across the university, to prevent misuse and protect university content and user accounts.
The aims of this project within the constraints of time and a fixed budget were to:
- Improve security features associated with the use of e-mail and the Office 365 environment.
- Make better use of the software tools available.
- Communicate and manage change effectively.
Objectives & Deliverables
The deliverables were prioritised using the MoSCoW prioritisation method (M=Must Have; S=Should Have; C=Could Have; W=Want).
- Project priority was changed from normal to higher on 7/4/20 piccl 4
| No | Description | Priority | Delivered? | Reason for not delivering | Output |
|---|---|---|---|---|---|
| O1 | Tighten access control on Office 365 admin accounts | | De-scoped 17/4/20 | See note 1 | |
| D1.1 | Reduce the number of users with the Global Administrator (full access) role (current is 24, target is less than 5) | M | De-scoped | See note 2 | |
| D1.2 | Implement Multi-Factor Authentication (MFA) for Global Administrators, noting the user experience | M | De-scoped | See note 1 | |
| O2 | Tune mailboxes & mail-flow for security | | Partial | | |
| D2.1 | Deploy block rules to prevent auto-forwarding by staff | | Partial | See note 3 | |
| D2.2 | Enable mailbox auditing for all mailboxes across the organisation | | De-scoped | See note 1 | |
| D2.3 | A review to turn off mail flow rules that bypass anti-spam protection | | De-scoped | | |
| D2.4 | Prevent anonymous calendar sharing | | De-scoped | | |
| O3 | Review tools to protect mailbox accounts | | De-scoped 17/4/20 | See note 1 | |
| D3.1 | Review and report back on client/user encryption options | M | De-scoped | | |
| D3.2 | Review and report back on DMARC, DKIM and SPF tools & current status (Office 365 relay only) | M | De-scoped | | |
| D3.3 | Review risky user / risky sign-in reports & tools and summarise the current status in relation to the available tools | S | De-scoped | | |
| O4 | Data protection measures | | Partial | See note 1 | |
| D4.1 | Remove TLS 1.0/1.1 and 3DES dependencies | S | De-scoped | | |
| D4.2 | Set automated notifications for new and trending cloud applications in the organisation | S | De-scoped | | |
| D4.3 | Review and report the implications or impact of expiring sharing links, including the risk if we don't | S | De-scoped | | |
| D4.4 | Review and report the option to create a custom activity policy to discover suspicious usage patterns | S | De-scoped | | |
| D4.5 | Warning banner on external emails | | Yes | | Not in the original project brief; added in piccl 2 (4/12/19) change of scope. This piccl, however, did not go to WIS |
| O5 | Impact Assessment | | De-scoped 17/4/20 | See note 1 | |
| D5.1 | Produce impact, risk and benefits report about enabling a policy to block legacy authentication | C | De-scoped | | |
Note 1: 16/4/20 reduction in scope (piccl 5) due to:
- Resourcing continued to be a challenge;
- Competing project demands and an increase in Service Management activities directly related to staff working from home.
Agreement was reached with Service Managers to de-scope some of the planned activities and instead focus on those tasks that would bring most benefit to Office 365 security hardening. All that remained was:
- Tightening access controls on Office 365 administration accounts, specifically reducing the number of users with the Global Administrator (full-access) role.
- Deploying block rules to prevent auto-forwarding of emails by staff.
- The inclusion of a warning banner on external emails that contain URLs.
It should be noted that MFA was delivered under ENT212.
Note 2: D1.1 Admin Access Rights - de-scoping
The Projects website has this milestone marked as delivered, but the sign-off page links to the meeting notes of 17/6/20, where it appears the deliverable was dropped as incompatible with ENT212 and it was agreed that the project team's focus should turn to other tasks (Progress meeting 17/6/20).
Note 3: Auto-forwarding
Work had started on providing a solution when Microsoft announced an upcoming change of policy. The work started by UoE was then dropped to wait on Microsoft delivering their new policy. New groups were set up following agreements on how to take the work forward, but delays occurred around this. When a final date was agreed the project was submitted to GoCab but was rejected – not on the technical side but on the communications side. As the project has to close this financial year, the updating of comms and the switchover of the Microsoft setting have been handed over to business as usual. See the outstanding items section.
Success Criteria
| Success Criteria as in Project Brief | Delivered | How delivered |
|---|---|---|
| Improvement in Office 365 Security Rating | | Will be taken forward by Service Management |
| Security and compliance obligations as an IT service provider are enhanced. | Yes | Warning banner added to external emails; new auto-forwarding policy introduced |
Benefits
| Benefit as stated in project brief | Delivered | How delivered |
|---|---|---|
| More robust security and compliance is applied to the university's Office 365 subscription | Yes | Warning banner added to external emails; new auto-forwarding policy will be introduced |
| A stronger role-based access policy following best practice standards. | De-scoped | |
| A better understanding of future security initiatives. | | Will be taken forward by Service Management |
Analysis of Resource Usage:
Staff Usage Estimate: 100 days (project brief estimate)
Staff Usage Actual: 118 days
Staff Usage Variance: +18%
Explanation for variance
Cost
| Cost item | Days | Notes |
|---|---|---|
| Project Brief cost | 100d | |
| Changes to costs | Still 100d | |
| | Still 100d | Piccl 12 (27 Aug 20) revised budget of 95d |
| | 110d | Piccl 16 (23 Oct 20): following review of budget and milestones, the budget was approved at 110d, split as 19/20=73d; 20/21=37d |
| | 118d | Piccl 24 |
| Actual Cost | 118d | Actual 118d: 19/20=73d; 20/21=45d |
Time
| Major Milestones | Project Brief date | Actual Date | Reason |
|---|---|---|---|
| Planning | 16-Mar-18 | 23-Oct-19 | Resource issues - piccl 1 |
| O1 Tighten Access Controls on Office 365 Admin Accounts Complete | 06-Dec-2019 | De-scoped | Piccl 5 removed everything from scope except D1.1 Reduce Global Admin users. No actual piccl for de-scoping of D1.1, but the Progress meeting of 17/6/20 refers |
| O2 Tune Mailboxes and Mail-flow for Security Complete | 21-Feb-2020 | De-scoped apart from D2.1 | Piccl 5 removed everything from scope except D2.1 Deploy block-rules to prevent auto-forwarding |
| D2.1 Deploy block-rules to prevent auto-forwarding | n/a | Taken in BAU | |
| O3 Review Tools to Protect Mailbox Accounts Complete | 06-Mar-2020 | De-scoped | Piccl 5 removed from scope |
| O4 Data Protection Measures Complete | 17-Mar-2020 | De-scoped | Piccl 5 removed everything from scope except D4.5 inclusion of a warning banner on external emails |
| D4.5 Warning banner on external emails that contain URLs | This was not in the brief – it was added on 4 Dec 19 as a change of scope (piccl 2), although it was not submitted to WIS | 4 Nov 20 | |
| O5 Impact Assessment Complete | 27-Mar-2020 | De-scoped | Piccl 5 removed from scope |
| Delivery | 3-Apr-20 | 4 Nov 20 | Warning banner only. See outstanding items for auto-forwarding |
| DSOR Sign-off | 20-Apr-2020 | Warning banner: 16 Nov 20 | |
| Close | 8-May-20 | 23 Jul 21 | |
Changes to milestones
- Change of scope on 4 Dec 19 added D4.5 Warning banner on external emails (piccl 2, though this did not go to WIS).
- All milestones were delayed on 4 Mar 20, moving delivery to 1 May 20 with closure remaining at 8 May 20 (piccl 3).
- Scope reduction on 16 Apr 20 (piccl 5).
- Another project re-plan took place on 27 May 20 for two reasons and necessitated a change in milestones. This pushed delivery out to 26 Aug 20 and closure to 4 Sep 20 (piccl 7):
  “Resource from Service Management continues to be prioritised to undertake alternative work to that of this project. Alternative resource from Service Management has since been assigned; however, handover of tasks has yet to be concluded. Work associated with the Communications Strategy has necessitated the use of a Business Analyst to work closely with the Project Manager. The Head of Service Management remains unavailable, with his originally intended project work having to be re-assigned.”
- Warning banner was delayed from 16 Jun to 17 Jul on 7 Jul 20 as the pilot was extended due to a lack of feedback from the initial pilot (extended from a subset of ISG to all ISG staff along with volunteers from MVM, CSE and CAHSS). Delivery and Closure dates unaffected (piccl 9).
- Feedback from the extended pilot raised sufficient concerns for the warning banner implementation to be postponed from 15 Jul to 29 Jul. Delivery and Closure dates unaffected (piccl 11). Reasons included:
  - “Operational Services had revealed a shortage of staff to support any increase in Helpline calls that might have resulted from this university-wide initiative.
  - Some functional areas of the University believe that the introduction of a Warning Banner could hamper their productivity. A wider communication with more detailed explanation of this initiative is required prior to full roll-out.”
- Milestones re-planned again on 7 Jul 20 as the responsibility for direction was escalated to ITC. This pushed the two remaining milestones out, resulting in Delivery moving to 23 Oct 20 and Closure to 13 Nov 20 (piccl 10).
- Project sponsor time on the project was curtailed due to work on the Covid project. This delayed the comms for the auto-forwarding delivery.
Personnel changes
- Piccl 6 (22/4/20) Project Sponsor: Dave Berry replaced Alex Carter due to his availability. Alex resumed the sponsor role on his return.
- Piccl 15: change of PM w.e.f. 2/10/20; Sue Woodger replaced Kevin Hone, taking over at the delivery stage.
- Piccl 17: change of Programme Manager w.e.f. 17 Nov 20; David Watters took over from Tim Grey.
Key Learning Points
- The warning banner changes have not satisfied all users. Victoria Dishon asked (following feedback from her users) whether it was possible to disable the banner for particular UoE mailboxes, especially for mailboxes that only receive messages from outside the University – e.g. ARCHER.
- However, the conclusion was that the current limitations of the technology prevent us from creating these exceptions in a sustainable manner: in particular, we were unable to exempt individual accounts or groups due to technical limits of the service. More sophisticated tools are available, but at considerable cost (in the region of a quarter of a million pounds per year), which is not feasible in the current financial environment.
- We agreed to include this in the closure report so that improvements in the technology can be monitored.
- The auto-forwarding delivery was rejected by GoCab on comms grounds, not on the technical implementation. We should note that we need to make sure that enough notice is given to stakeholders so that they have time to take in the changes and feed them through to their staff.
- The strong resistance to changes in email behaviour was not anticipated by the service. Perhaps more user consultation should have been done at the start.
Outstanding Issues
Service Management to take forward: the mechanism for bouncing messages for ex-staff has not yet been developed; we are confident it could be done with a PowerApp/Flow, but it has to be set up.
Auto-forwarding
Following the GoCab rejection on 13 July 21, communications and the exemption form need to be updated. As the project has to close this financial year, this work has been taken into business as usual and will be completed by Service Management. The suggested timeline is as follows:
| What | Who | When |
|---|---|---|
| Update closure report | Project Services | asap |
| Refine the exemption form text | Service Management with input from college IT leads | By 30 Jul 21 |
| PROJECT CLOSES | Project Services | By 30 Jul 21 |
| Update comms text: address comms to people who are already forwarding; say what people should do if they want to apply for an exemption, and the timescales; timescales for doing this to be agreed | Service Management | By 30 Jul 21 |
| Agree deploy-to-live date (switchover of settings) | Service Management | By 4 Aug |
| Take back to GoCab | Service Management | By 5 Aug to get into GoCab of 10 Aug |
| Deploy comms | Service Management | 11 Aug 21 |
| Create alert | Service Management | 11 Aug 21 |
| Switch over auto-forwarding setting from 'allow' to 'automatic' (assuming 3 weeks after comms to let people apply for their exemptions; timescales to be agreed as part of updating comms) | ITI | 1 Sep 21. Need to confirm with John |