ITI Project Brief - v 2022

 

Background

 

The University of Edinburgh (UoE) is a public research university in Edinburgh, Scotland. Granted a royal charter by King James VI in 1582 and officially opened in 1583, it is one of Scotland's four ancient universities and the sixth-oldest university in continuous operation in the English-speaking world.

UoE has recently undergone a network refresh across 159 buildings, including 12 distribution centres (DCs), 2 of which are high priority: the Advanced Commercial DC, which houses the high performance computer Eddie Mark 3 and the Researcher Cloud Service, Eleanor; and the Easter Bush Hub DC, the world-leading research, work, and study environment.

The changing landscape of information security means that universities are a primary target for bad actors. This challenge is exacerbated by limited resources and the requirements of business-as-usual activities.

Scope

 

This project is to perform a penetration test on the UoE’s ECD Linux Compute Cluster (Eddie). This document outlines the scope and deliverables identified from a scoping call between CyberCrowd, European Electronique and UoE.

Eddie Mark 3 is the third iteration of the University’s compute cluster. It consists of over 7,000 Intel Xeon cores with up to 3 TB of memory available on a single compute node. Due to the size of the system, a sample of roughly 140 servers (400 IP addresses) has been agreed as the testing scope. Eddie is not Internet facing; therefore, this test is an Internal penetration test.

The overarching principle of the test is for it to be collaborative between the penetration testers and the team from the University.

 

Objectives, Deliverables and Success Criteria

The testing engagement has the following goals:

  • Test the University of Edinburgh’s ECD Linux Compute Cluster for its security, safeguards and controls, and identify and share any vulnerabilities and exploits

 

  • Ensure that The University of Edinburgh’s ECD Linux Compute Cluster is designed and built in accordance with secure practices and cannot be subverted using both common and advanced attack methodologies

 

  • Identify vulnerabilities that may be difficult or impossible to detect with automated vulnerability scanning software

 

  • Identify higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence

 

  • Provide assurance around the testing and operating practices employed by The University of Edinburgh

 

Requirements

 

Requirement | User / Owner | MoSCoW | Associated Objective/Deliverable (Ox/Dx.x)
Penetration test of (a subset of) Eddie Cluster | David Fergusson | M | Penetration test report
       

 

Governance

 

Portfolio Governance  

Role | Name | Division / Group / Team / College / School and Title
Project Sponsor | Tony Weir |
Programme Owner | David Fergusson |
Programme Manager | Maurice Franceschi |
Service Owner / Service Operations Manager | Aaron Turner |

 

Project Board

 

 

Role | Name | Division / Group / Team / College / School and Title
Executive | Tony Weir |
Senior User (may be the Executive) | David Fergusson |
Senior Supplier | Euroele |

 

Resources Skills and Cost

Budget

 

Project Team

 

Role | Name | Division / Group / Team / College / School and Title
Project Manager | Chris Walker |
Technical Lead and other technicians | Aaron Turner |

 

Quality of Project and Deliverables / Key Project Milestones

 

Milestone | Sign-Off means | Date of Milestone | Who signs-off (Accountability)
Start of Project | Project can begin, is in line with Programme and Portfolio priority, has resource | Add initial planning dates for milestones | Sponsor, Programme Manager
End of Planning | Project Brief, Plan, Estimated Budget, Risks, Communication Plan - all approved. Project has resource approved by section head for the estimated effort. Project has funding for effort for other costs. | | Sponsor, PM, Programme Manager, Section Head(s)
End of Analysis | quality and completeness of analysis | | business analyst / business lead / senior user / PM
End of Design | quality and completeness of design | | technical lead / senior supplier / business lead / senior user / PM
End of UI Design | quality of UI - to show we have designed an interface that is usable, accessible, promotes equality and diversity | | technical lead / senior supplier / business lead / senior user
End of Build | quality and completeness of build | | technical lead / senior supplier / PM
Acceptance | overall quality of deliverable, UAT has been passed, Integration testing successful, all components technically checked - fit for delivery to live service | | technical lead / senior supplier / business lead / senior user / business analyst / PM
Security QA | deliverable satisfies security | | Section Head
Branding QA | for new, upgraded services, sign-off that branding guidelines for ISG, University, school/college has been followed by the project team | | PM / and as appropriate ... UoE C&M, college C&M and (pending) ISG Branding Team
Design UI QA | to show we have built an interface that is usable, accessible, promotes equality and diversity | | Sponsor and Service Owner
EqIA | For new services or services undergoing substantial change, there must be an Equality Impact Assessment completed, validated by equality office and deposited on eqia website | | PM / Service Owner / Equality Officer
GDPR / PIA | Check if your project needs to undergo a Privacy Impact Assessment | | PM / Service Owner / CISO
GoCAB | Set the appropriate date for informing GoCAB of the release/change to service | | PM
Delivery | Change to Service can proceed | | Sponsor, PM; service owner / service operations manager (helpline)
Handover to Support | support can take over running of the Service | | service owner / service operations manager (helpline)
Closure | Project can close | | Sponsor, PM

 

Assumptions

Guidance (please remove)

What are the key underlying assumptions for the project that underpin the planning? For example, that the requirements we have outlined are complete, that all our stakeholders have been identified, that the software we are using is ready and configured, that we have a ready to use TEST environment.

 

Constraints

Guidance (please remove)

Are there constraints on this project? For example, specialist skills are needed, having to deliver in certain windows through the academic year, we need to share a TEST environment with other developers?

 

Risks

Guidance (please remove)

The project manager will ensure that the project team will review the risk log at every team meeting, and project owners update their risks at least once a month or more as appropriate to the project.

 

Issues

Guidance (please remove)

The project manager will ensure all changes to cost/timeline/scope are recorded in the issue log, and reflected in the milestones log, budget and estimations, and the project Scope Change log.

 

Previous Lessons Learned

Guidance (please remove)

Does the ITI Lessons Learned (see ITI Projects Sharepoint) indicate any issues or risks from previous projects? Is any other previous experience pertinent?

 

Dependencies

Guidance (please remove)

Are there other projects or work that this project is dependent on to start or possibly interact with at a later stage, or vice versa, that depend on this project?

Are we depending on certain events to take place?

Are we dependent on suppliers, or product releases?

 

 

Communication

 

Guidance (please remove)

For projects with an array of external stakeholders, a Communication Plan can be created and made available on the ITI Sharepoint space if preferred.

Also confirm that:

Project Sponsor and Project Manager meeting schedule has been agreed with Sponsor.

Project Team meetings schedule has been arranged (these may be combined with Sponsor meetings).

 

Check the ITI Annual Planning Engagement with Stakeholders on ITI Sharepoint to see the level of engagement our partners expect for your project

Check the ITI Forward Look to see if your project will be using the Major Governance Toolkit.

                          

 

Run / Grow / Transform

Guidance (please remove)

Which activity does the project contribute to? The project could be one or more of R/G/T

Alignment to Strategy 2030 

 

People    
Research    

Teaching and Learning

   

Social and Civic Responsibility

                                                                                      

Project Sponsor – Project Responsibilities

The sign-off milestones are associated with specific responsibilities of the Sponsor role.

Guidance (please remove)

This sets out the Sponsor responsibilities on this project - please review and amend as appropriate for this project and agree with Sponsor

Start of project – Explicitly Included in the Initiation Milestones Sign-Off

  1. Negotiates and confirms funding for the project
  2. Ensures the project is in line with organisational strategy and priorities
  3. Chairs the project board, appoints its members and ensures they are effective
  4. Advises the project manager of protocols, political risks, issues and sensitivities
  5. Makes the project visible within the organisation  

End of Planning – Explicitly Included in the Planning Milestone Sign-Off

  1. Works with the project manager to develop the Project Brief
  2. Ensures a realistic project plan is produced
  3. Sets tolerance levels for escalation to themselves and to the project board
  4. Ensures that project team have representation and engagement from users and suppliers
  5. Helps identify Stakeholders
  6. Approves Communication Plan
  7. Agrees on frequency of meetings with Project Manager
  8. Agrees on frequency of meetings with Project Team
  9. Agrees on milestones and who signs-off

 

Execution – ongoing

  1. Provides strategic direction and guidance to the project manager as directed by the Board
  2. Approves changes to plans, priorities, deliverables, schedule
  3. Encourages stakeholder involvement and maintains their ongoing commitment
  4. Chief risk taker
  5. Makes go/no-go decisions
  6. Communicates change in organisational structure, priorities, business benefits or funding
  7. Helps the project manager in conflict resolution
  8. Helps resolve inter project boundary issues
  9. Gains agreement among stakeholders when differences of opinion occur
  10. Assists the project by exerting organisational authority and the ability to influence  

Delivery – Explicitly Included in the Delivery Sign-Off

  1. Ensures that Service is ready for change

 

Closure - Explicitly Included in the Closure Milestone Sign-Off

 

  1. Helps with publicity for the change delivered
  2. Ensure that benefits will be managed, measured and realised post-project
  3. Evaluates the project’s success upon completion

Project Info

Project
Research Services Architecture Security Review
Code
RSS409
Programme
ITI - Research Services (RSS)
Management Office
ISG PMO
Project Manager
Chris Walker
Project Sponsor
David Fergusson
Current Stage
Initiate
Status
Not Started
Project Classification
Run
Start Date
03-Jan-2023
Planning Date
31-Jan-2023
Delivery Date
30-Jun-2023
Close Date
28-Jul-2023
Overall Priority
Highest
Category
Discretionary

Documentation

Plan