Closure Report

Management Summary 

This project has proved to be more complex than originally planned – with several modifications to each of the main areas of budget, time and scope, as well as changes to the personnel involved. The closure report details these changes and should provide an understanding of the difficulties encountered over the project’s duration. One particular difficulty has been the attempt to carry out the declared tasks in the original version of the project brief while the co-ordinates of this work shifted through colleagues in other areas (e.g. ITI)  undertaking related tasks, via other projects, and the supplier (Microsoft) modifying some of the overarching framework behind O365 security. This, in turn, was all set against the uncertainties of the work environment of the past 18 months. All of this should be seen as the background against which this project was conducted.

David Watters, Programme Manager 

 

Project Summary

Enhanced security measures are to be applied to the Office 365 environment in place across the university, to prevent misuse and protect university content and user accounts.

The aims of this project within the constraints of time and a fixed budget were to:

  • Improve security features associated with the use of e-mail and the Office 365 environment.
  • Make better use of the software tools available.
  • Communicate and manage change effectively.

 

Objectives & Deliverables

The deliverables were prioritised using the MoSCoW prioritisation method.

M=Must Have; S=Should Have; C=Could Have; W=Want

  • Project priority was changed from normal to higher on 7/4/20 (piccl 4)

| No | Description | Priority | Delivered? | Reason for not delivering | Output |
|---|---|---|---|---|---|
| O1 | Tighten access control on Office 365 admin accounts | | De-scoped 17/4/20 | See note 1 | |
| D1.1 | Reduce the number of users with the Global Administrator (full access) role (current is 24, target is less than 5) | M | De-scoped | See note 2 | |
| D1.2 | Implement Multi-Factor Authentication (MFA) to Global Administrators, noting the user experience | M | De-scoped | See note 1 | |
| O2 | Tune mailboxes & mail-flow for security | | Partial | | |
| D2.1 | Deploy block rules to prevent auto-forwarding by staff | | Partial | See note 3 | |
| D2.2 | Enable mailbox auditing for all mailboxes across the organisation | | De-scoped | See note 1 | |
| D2.3 | A review to turn-off mail flow rules that bypass anti-spam protection | | De-scoped | | |
| D2.4 | To prevent anonymous calendar sharing | | De-scoped | | |
| O3 | Review tools to protect mailbox accounts | | De-scoped 17/4/20 | See note 1 | |
| D3.1 | Review and report back client, user encryption option | M | De-scoped | | |
| D3.2 | Review and report back DMARC, DKIM, SPF tools & current status (Office 365 relay only). | M | De-scoped | | |
| D3.3 | Review risky user / risky sign-in reports & tools and summarise report of current status in relation to the available tools | S | De-scoped | | |
| O4 | Data protection measures | | Partial | See note 1 | |
| D4.1 | Remove TLS 1.0/1.1 and 3DES dependencies | S | De-scoped | | |
| D4.2 | Set automated notifications for new and trending cloud applications in the organisation | S | De-scoped | | |
| D4.3 | Review and report the implications or impact of expiring sharing links, including the risk if we don't | S | De-scoped | | |
| D4.4 | Review and report option to create a custom activity policy to discover suspicious usage pattern | S | De-scoped | | |
| D4.5 | Warning banner on external emails | | Yes | Not in original project brief but was added in piccl 2 (4/12/19) change of scope. This piccl however did not go to wis | |
| O5 | Impact Assessment | | De-scoped 17/4/20 | See note 1 | |
| D5.1 | Produce impact, risk, benefits report about enabling policy to block legacy authentication | C | De-scoped | | |

Note 1: 16/4/20 reduction in scope (piccl 5), due to:

  • Resourcing continued to be a challenge;
  • Competing project demands and an increase in Service Management activities directly related to staff working from home.

It was agreed with Service Managers to de-scope some of the planned activities and instead focus on those tasks that will bring most benefit in Office 365 Security Hardening. All that remained was:

  • Tightening access controls on Office 365 administration accounts, specifically, reducing the number of users with the Global Administrator (full-access) role.
  • Deploy block rules to prevent auto-forwarding of emails by staff.
  • The inclusion of a warning banner on external emails that contain URLs.

It should be noted that MFA was delivered under ENT212.

Note 2: D1.1 Admin Access Rights - descoping

Projects website has milestone marked as delivered but the signoff page links to meeting notes of 17/6/20 where it looks like the deliverable has been dropped as incompatible with ENT212 and agreed that the project team focus should turn to other tasks (Progress meeting 17/6/20).

 

Note 3: Auto-forwarding

Work had started on providing a solution when Microsoft announced an upcoming change of policy. The work started by UoE was then dropped to wait for Microsoft to deliver their new policy. New groups were set up following agreements on how to take this forward, but delays occurred around this. When a final date was agreed the project was submitted to GoCab but was rejected, not on the technical side but on the communications side. As the project has to close this financial year, the updating of comms and the switchover of the Microsoft setting have been handed over to business as usual. See outstanding items section.

 

Success Criteria

| Success Criteria as in Project Brief | Delivered | How delivered |
|---|---|---|
| Improvement in Office 365 Security Rating | | Will be taken forward by Service Management |
| Security and compliance obligations as an IT service provider are enhanced. | Yes | Warning banner added to external emails; New auto-forwarding policy introduced |

 

Benefits

| Benefit as stated in project brief | Delivered | How delivered |
|---|---|---|
| More robust security and compliance is applied to the university's Office 365 subscription | Yes | Warning banner added to external emails; New auto-forwarding policy will be introduced |
| A stronger role based access policy following best practice standards. | De-scoped | |
| A better understanding of future security initiatives. | | Will be taken forward by Service Management |

 

 

Analysis of Resource Usage:

Staff Usage Estimate:  100 days (project brief estimate)

Staff Usage Actual: 118 days

Staff Usage Variance: +18%

Explanation for variance

Cost

Project Brief cost

100d

 

Changes to costs

Still 100d

  • Piccl 3 (4 Mar 20) reduced budget to 50d – due to a reprioritisation of tasks
    • Although submitted to WIS on 13 Mar 20 it was submitted under Changes to major milestones. It did not have a corresponding budget change so was not updated by PMO, so the budget remained in ASTA at 100d. A piccl had been submitted for the change but no budget change.
  • Piccl 5 (16 Apr 20) said budget remains at 50d though scope was reduced – was actually still 100d
  • Piccl 7 (27 May 20) highlighted that although no additional funding was available at the present time to increase the budget the project is continuing at risk with an expectation that the budget would be found either from under spend or suspension of other projects currently being reviewed within the portfolio. Still at 100d

 

Still 100d

Piccl 12 (27 Aug 20) revised budget of 95d  

  • Current budget 50 days (78 days used so far). Revised 95d split as 19/20 = 73d; 20/21 = 22d
  • Although submitted to WIS on 28 Aug 20 it was submitted under Changes to major milestones and had the comment ‘Alex Carter will follow up on the budget position’. It did not have a corresponding budget change so was not updated by PMO – budget in ASTA remained at 100d

 

110d

Piccl 16 (23 Oct 20) Following review of budget and milestones budget was approved at 110d split as 19/20=73d; 20/21=37d

 

118d

Piccl 24

Actual Cost

118d

Actual 118d 19/20=73d; 20/21=45d

 

Time

| Major Milestones | Project Brief date | Actual Date | Reason |
|---|---|---|---|
| Planning | 16-Mar-18 | 23-Oct-19 | Resource issues - piccl 1 |
| O1 Tighten Access Controls on Office 365 Admin Accounts Complete | 06-Dec-2019 | De-scoped | Piccl 5 removed everything from scope except D1.1 Reduce Global Admin users. No actual piccl for descoping of D1.1 but Progress meeting (17/6/20) refers |
| O2 Tune Mailboxes and Mail-flow for Security Complete | 21-Feb-2020 | De-scoped apart from D2.1 | Piccl 5 removed everything from scope except D2.1 Deploy block-rules to prevent auto-forwarding |
| D2.1 Deploy block-rules to prevent auto-forwarding | | n/a | Taken in BAU |
| O3 Review Tools to Protect Mailbox Accounts Complete | 06-Mar-2020 | De-scoped | Piccl 5 removed from scope |
| O4 Data Protection Measures Complete | 17-Mar-2020 | De-scoped | Piccl 5 removed everything from scope except D4.5 inclusion of a warning banner on external emails |
| D4.5 Warning banner on external emails that contain URLs | This was not in the brief; it was added on 4 Dec 19 as a change of scope (piccl 2), although it was not submitted to WIS | 4 Nov 20 | |
| O5 Impact Assessment Complete | 27-Mar-2020 | De-scoped | Piccl 5 removed from scope |
| Delivery | 3-Apr-20 | 4 Nov 20 | Warning banner only. See outstanding items for auto-forwarding |
| DSOR Sign-off | 20-Apr-2020 | Warning banner: 16 Nov 20 | |
| Close | 8-May-20 | 23 Jul 21 | |

Changes to milestones

  • Change of scope on 4 Dec 19 added D4.5 Warning banner on external emails (piccl 2, though this did not go to WIS)
  • All milestones were delayed 4 Mar 20 moving delivery to 1 May 20 but closure remaining at 8 May 20 (piccl 3)
  • Scope reduction on 16 Apr 20 (piccl 5)
  • Another project replan took place on 27 May 20 for 2 reasons and necessitated a change in milestones. This pushed delivery out to 26 Aug 20 and closure to 4 Sep 20 (piccl 7)

    • “Resource from Service Management continues to be prioritised to undertake alternative work to that of this project. Alternative resource from Service Management has since been assigned however, handover of tasks has yet to be concluded. Work associated with the Communications Strategy has necessitated the use of a Business Analyst to work closely with the Project Manager. The Head of Service Management remains unavailable with his originally intended project work having to be re-assigned.”

    • Warning banner was delayed from 16 Jun to 17 Jul on 7 Jul 20 as the pilot was extended due to a lack of feedback from the initial pilot (extended from a subset of ISG to all of ISG staff along with volunteers from MVM, CSE and CAHSS). Delivery and Closure dates unaffected. (piccl 9)

  • Feedback from the extended pilot raised sufficient concerns for the warning banner implementation to be postponed from 15 Jul to 29 Jul. Delivery and Closure dates unaffected. (piccl 11) Reasons included:
    • “Operational Services had revealed a shortage of staff to support any increase in Helpline calls that might have resulted from this university wide initiative. 
    • Some functional areas of the University believe that the introduction of a Warning Banner could hamper their productivity. A wider communication with more detailed explanation of this initiative is required prior to full roll-out.”
  • Milestones re-planned again 7 Jul 20 as the responsibility for direction was escalated to ITC. This pushed the two remaining milestones out resulting in Delivery moving to 23 Oct 20 and Closure to 13 Nov 20 (piccl 10) 
  • Project sponsor time on project curtailed due to work on Covid project. This delayed the comms for the auto-forwarding delivery changed

 

Personnel changes

  • Piccl 6 22/4/20 Project Sponsor: Dave Berry replaced Alex Carter due to his availability.  Alex resumed sponsor role on his return.
  • Piccl 15 change of PM wef 2/10/20 Sue Woodger replaced Kevin Hone taking over at delivery stage
  • Piccl 17 change of Programme Manager wef 17 Nov 20 David Watters took over from Tim Grey

Key Learning Points

  • The warning banner changes have not satisfied all users. Victoria Dishon asked (following feedback from her users) if it was possible to disable the banner for particular UoE mailboxes, especially for mailboxes that only receive messages from outside of the University, e.g. ARCHER.

    • However, the conclusion was that the current limitations of the technology prevent us from being able to create these exceptions in a sustainable manner (in particular we were unable to exempt individual accounts or groups due to technical limits of the service. More sophisticated tools are available but at a considerable cost (in the region of a quarter of a million pounds per year), which is not feasible in the current financial environment).
    • We agreed to include this in the closure report in order to keep an eye on improvements in the technology.
  • The auto-forwarding delivery was rejected by GoCab, around comms and not technical implementation. We should note that we need to make sure that enough/more notice is given to stakeholders so that they have enough time to take in the changes and feed through to their staff.
  • The strong resistance to changes in email behaviour was not anticipated by the service. Perhaps more user consultation should have been done at the start.

 

Outstanding Issues

Service Management to take forward: the mechanism for bouncing messages for ex-staff has not been developed yet. There is confidence it could be done with a PowerApp/Flow, but it has to be set up.

 

Auto-forwarding

Following GoCab rejection on 13 July 21, communications and the exemption form need to be updated. As the project has to close this financial year, this work has been taken into business as usual and will be completed by Service Management. Suggested timeline is as follows:

| What | Who | When |
|---|---|---|
| Update closure report | Project Services | asap |
| Refining the exemption form text | Service Management with input from college IT leads | By 30 Jul 21 |
| PROJECT CLOSES | Project Services | By 30 Jul 21 |
| Update comms text: address comms to people who are already forwarding; say what people should be doing if they want to apply for an exemption/timescales; timescales for doing this to be agreed | Service Management | By 30 Jul 21 |
| Agree deploy to live date (switchover of settings) | Service Management | By 4 Aug |
| Take back to GoCab | Service Management | By 5 Aug to get into GoCab of 10 Aug |
| Deploy comms | Service Management | 11 Aug 21 |
| Create alert | Service Management | 11 Aug 21 |
| Switchover auto-forwarding setting from 'allow' to 'automatic'. Assuming 3 weeks after comms to let people apply for their exemptions (timescales to be agreed as part of updating comms) | ITI | 1 Sep 21. Need to confirm with John |

Project Info

Project: Office 365 Security Hardening
Code: COM051
Programme: ISG - Communication (COM)
Management Office: ISG PMO
Project Manager: Sue Woodger
Project Sponsor: Alex Carter
Current Stage: Close
Status: Closed
Project Classification: Grow
Start Date: 09-Sep-2019
Planning Date: 25-Oct-2019
Delivery Date: 14-Jul-2021
Close Date: 23-Jul-2021
Overall Priority: Higher
Category: Compliance
