Questionmark OnDemand for Government Briefing

28 February 2019

David Hunt, Stacy Poll

Conference 2019

Copyright © 1995-2019 Questionmark Corporation and/or Questionmark Computing Limited, known collectively as Questionmark. All rights reserved. Questionmark is a registered trademark of Questionmark Computing Limited. All other trademarks are acknowledged.

Slide 2: Stakeholders in FedRAMP Process

CSP • Questionmark Corporation

3PAO • Schellman & Company, LLC

Agency • USDA?

Slide 3: FedRAMP Governance

Slide 4: Documents on OMB MAX

System Security Plan (SSP): Describes the OnDemand for Government service and how it is secured

System Assessment Plan (SAP): Describes how the 3PAO will review the SSP

System Assessment Report (SAR): Describes the findings from the Audit

Slide 5: System Description

Trustworthy, secure cloud-based assessment management for U.S. Governmental Agencies

Questionmark OnDemand for Government provides governmental agencies a cloud-based assessment management system designed to be compliant with FedRAMP and hosted in a FedRAMP certified U.S. data center dedicated to U.S. government needs.

Slide 6: OD4G System Boundaries

[Figure: network diagram of the OD4G system boundaries. Labels on the diagram: Microsoft Azure GovCloud; Microsoft Azure Public; Virtual Network; Production; UAT/Staging; Application Subnet; Database and Domain Controller Subnet; Application Gateway; VPN Gateway; Mirrored DB servers; Domain Controllers; ETL & Mirror Witness; Management; Participant Delivery; Customer Portal; HOMIE; Monitoring; Security Monitor (Requires Multi-factor Authentication); WSUS; WSUS Upstream; Nessus; Octopus Deploy; Platform Admin (Requires Multi-factor Authentication); Customer; Internet. Port labels: HTTPS/443, RDP/3389, WinRM/5985, SQL/49164 & 49172, Active Directory*, WSUS 8530/8531, HTTPS/8834. External Service Providers: Office 365; Dynamics 365 (Requires Multi-factor Authentication); VSTS (Requires Multi-factor Authentication); Veracode (Requires Multi-factor Authentication).]

Slide 7: User Interactions with the System

Slide 8: Questionmark invests heavily in FedRAMP

Slide 9: Next step: Agency review

Slide 10: How was the Audit Performed?

The assessment methodology used to conduct the security assessment for the OD4G system is summarized in the following steps:

3.1. Perform tests described in the SAP workbook and record the results

3.2. Identify vulnerabilities related to the CSP platform

3.3. Identify threats and determine which threats are associated with the cited vulnerabilities

3.4. Analyze risks based on vulnerabilities and associated threats

3.5. Recommend corrective actions

3.6. Document the results

Slide 11: The Audit

Schellman expands boundary to include supporting services

Over 250 evidence items provided by Questionmark

Evidence and screenshots collected by Schellman as part of a two-week in-person audit with the IT Infrastructure Manager and Information Security Officer

Slide 12: Questions

Slide 13: Stacy Poll

Slide 14: Status of ATO

Questionmark cannot bring this across the finish line without you.

Slide 15: Welcome to Questionmark OnDemand for Government!

We want you to achieve your goals and enjoy the process!

Questionmark’s mission is to provide the highest quality testing and assessment software and support services to enable individuals and organizations to reach their goals.

Slide 16: Migration Process

Trial Migration

• Upload database to Microsoft Azure Government Cloud Server

• Scripts migrate it to the OnDemand for Government Development environment

Testing and Validation

• Create roles and assign to Administrators

• Customer is allocated a period of time to test / validate the migrated data

• Average time is 30 days

Production Migration

• After customer approves migration in staging, the process is repeated for production

• Customer can plan for a finite and brief period of downtime based on the results of the trial phase

Slide 17: Your Data in the new Platform

Stays the Same

Results, Groups, Schedules

Content
▪ Assessments and Questions migrate into new repository

Participants
▪ Migrate with role of Participant
▪ Maintains Group membership

Administrators
▪ Migrate with no roles

Needs Administration

Content
▪ Need to assign Authors to Topics and Assessments permissions

Administrators
▪ Need to assign Roles
▪ Need to assign to Topics and Assessments permissions

Slide 18: Pre Trial Migration

Migration can only work on a 5.7 Perception database
▪ If you are on an older version we will need to assist you with upgrading it to 5.7 prior to the migration.

Root Admin email address
▪ You will need to remove your Root Admin's email address from your Perception database prior to uploading your database

Alternatively, we will need an email address that is not already in use

▪ Give the email address to the Tech overseeing the migration

Resource files and repository files
▪ Leave all things as they are

Do not edit, delete or rename files.

Database Administrator checklist:
▪ https://www.questionmark.com/content/migrating-from-perception-to-ondemand-for-government

All role and schema owners should be defaults, as specified on the above link.

Make sure that only the default stored procedures are present in your Perception database.

Set database collation SQL_Latin1_General_CP1_CI_AS

Complete Checklist for Database configurations

Run SQL commands as stated in link

Make sure to compress the database backup when creating the .bak file.

Make sure there are no Web.config files in repository file directories.

Perform the table truncations as listed in link.

Make sure the autogrowth for the database data file is set to By 50 MB, unrestricted growth

If your Perception database is larger than 10 GB, email Questionmark to let them know to expect a "large" database.

Slide 19: Trial Migration

Make a copy of your Repository Files and Shared Repository files

Create a Zip file of the following (do not encrypt, and please use copies)
▪ Repository Database, named exactly as it is named
▪ Shared Repository files

You will be given the SFTP address to upload directly to the Microsoft Azure Government Cloud Server.

A script will be run against the file and convert it to your trial migration area.

Once the script runs, you will be given the URL to access

Slide 20: Validate the area

Set up Roles and Permissions and assign to Administration

Have admin users test that they can access the system and see what they were assigned to see
▪ Topic folders assigned Users can see/not see
▪ Groups results or access they can see/not see

Graphics show up in assessments

Templates are in place and look good

Create some test questions with the Next Gen Authoring

Building an assessment

Publish and deliver assessment

Review reports

Test any integrations

Slide 21: Live Migration

Trial area looks good? Contact Questionmark to schedule a Live Migration Date

Repeat steps in the Pre Trial Migration slide and Trial Migration slides

Stop use of Perception

Once area migration is complete,
▪ Set up Roles and Permissions and assign to Administration
▪ Set up integrations

Slide 22: Questions?

