Vision and Scope Template

Self-Service Tracking System Vision and Scope 1.3

Vision and Scope For
Self-Service Tracking System
FINAL 1.4
Prepared by Teri Butler
Automated Business Systems
07/29/09

Table of Contents

Revision History
1. Business Requirements
1.1. Background
1.2. Business Opportunity
1.3. Business Objectives and Success Criteria
1.4. Customer Needs
1.5. Business Risks
2. Vision of the Solution
2.1. Vision Statement
2.2. Major Features
2.3. Assumptions and Dependencies
3. Scope and Limitations
3.1. Scope of Initial Release
3.2. Scope of Subsequent Releases
3.3. Limitations and Exclusions
4. Business Context
4.1. Stakeholder Profiles
5. Attachments
5.1. Attachment A

Approved by

1. Alex Kosmides, Ad hoc, Northwest Workforce Development Council
2. Anne Goranson-Salas, Pacific Mountain Area Director, Employment Security Department
3. Erin Mundinger, North Central Area Director, Employment Security Department
4. Gary Smith, Northwest Workforce Development Council
5. John Loyle, Pacific Mountain Workforce Development Council
6. Karen Harmon, WorkSource Vancouver, Employment Security Department
7. Michael Choy, Snohomish County Workforce Development Council
8. Frankie Arteaga, Spokane County Area Director, Employment Security Department
9. Peg Waldron, Spokane Workforce Development Council
10. Rick Sandler, ECDD, Employment Security Department
11. Sylvia Duran, Benton Franklin Workforce Development Council
12. Valerie Stevens, Tacoma/Pierce County Workforce Development Council
13. Jennifer Thornton, WSID, Employment Security Department
14. Doric Olson, ECDD, Employment Security Department

Date Approved: July 29, 2009

Revision History

Name | Date | Reason For Changes | Version
Teri Butler | 11/19/08 | First draft | 1.0
Teri Butler | 12/09/08 | To determine clearer business objectives | 1.1
Teri Butler | 12/29/08 | To continue clarification of business objectives | 1.2
Teri Butler | 01/12/09 | Submit approved modifications to workgroup | 1.2
Rachel Johnston | 01/29/09 | Added additional assumptions & scope of second release | 1.3
Rachel Johnston | 01/29/09 | Approved document with revisions | 1.3
Teri Butler | 07/29/09 | Added approved feature: enable single login with Go2WorkSource.com. In so doing, removed exclusion 3.3 | 1.4

1. Business Requirements

1.1. Background

The Washington Workforce Association (WWA) and Washington State Employment Security Department (ESD) Self-Services Tracking workgroup was formed in March 2008. The executive sponsors are Lisa Nisenfeld, Chair of the Washington Workforce Association and Executive Director of the Southwest Washington Workforce Development Council, and Paul Trause, ESD Deputy Commissioner. The workgroup was charged to recommend how the WorkSource system as a whole should track self-services, considering all possible options: eliminating the WorkSource Membership System (WMS), having WMS remain as is, having WMS interface with SKIES, or whatever works best and is the best possible way to track self-services for the WorkSource system.

The workgroup identified three alternative solutions for self-service tracking, which are listed below in rank order:

1. WMS is decommissioned and WWA & ESD jointly design a new web front end with a direct interface to SKIES.

2. WMS physically moves onto ESD hardware located behind the firewall and a one-way interface from WMS to SKIES is added.

3. WMS remains as is but is modified to meet ESD security and risk concerns. A one-way interface from WMS to SKIES is added.

See Attachment A, WWA/ESD Self-Services Tracking Workgroup Recommendations.

The workgroup determined the best direction to take would be to decommission the WMS and replace it with a web-based tracking system that sends data from the resource room workstations to SKIES. The system would be jointly designed by the WWA and ESD.

1.2. Business Opportunity

The business problem to be solved is to replace the existing WMS tracking system with one which is uniformly and consistently used, connected to SKIES, and located securely behind the state firewall, so that data collected from self-service job seekers is sent directly to SKIES, where it can be used to meet customer tracking requirements. The proposed WWA and ESD jointly-designed web front end with a direct interface to SKIES is characterized by the following:

- It is the only alternative that will meet all of the business requirements identified by the workgroup.

- It will eliminate dual systems, multiple customer registrations, and redundant data entry.

- In accordance with the workgroup assumptions, the scope of the new system will be based upon the current functionality of WMS and, following the high-level business recommendations, adds functionality and moves the system behind the state firewall.

- It will be developed and hosted by ESD.

- All short and long-term costs will be absorbed by ESD.

- ESD will assume responsibility for the maintenance, support and enhancement of the system based on input from the governing board.

1.3. Business Objectives and Success Criteria

BO-1 Provide a new Self-Service Tracking system which meets all business requirements identified by the phase 1 team
BO-2 Provide a Self-Service Tracking system that would be hosted by ESD
BO-3 Requirements are agreed upon by the Self-Service Tracking System workgroup, who have solicited information from staff through a wholly collaborative effort
BO-4 Permit easy, fast updates
BO-5 Enable job seekers in WorkSource centers to self-register without, or with minimal, staff assistance
BO-6 Enable self-service customers to register once, in one system only
BO-7 Eliminate or reduce the need for staff to enter duplicate seeker registration data into SKIES
BO-8 Collect data needed to meet customer tracking requirements
BO-9 Enable more flexible and expanded reporting of customer services and customer flow through the SKIES Data Warehouse to support accessing the data collected in BO-8
BO-10 ESD will have responsibility for system maintenance and support
BO-11 Use the WorkSource Information Technology Advisory Board and the SKIES Change Control Board to prioritize change requests for the new tracking system as part of SKIES.

1.4. Customer Needs

Self-service job seekers of the WorkSource system using a center or affiliate site, and WorkSource system staff of the Workforce Development Councils (WDCs) and ESD, would be the beneficiaries of the new Self-Service Tracking system. The new system would be located in all offices, accessible, at minimum, from each PC in each resource room and each freestanding kiosk. It would be a user-friendly welcome to job seekers which would include a self-registration screen and a login system for subsequent sessions. Data collected would be used to create new and updated records of self-service usage, which would be sent to the Data Warehouse for the purpose of meeting the self-service customer tracking and reporting requirements of the WorkSource service delivery system.

1.5. Business Risks

No risks have been identified associated with the development of this system, but rather risks of not developing it. The greatest risk would be the continued use of WMS, for two reasons:

1) the potential exposure of WorkSource customer data stored on a system which is located neither securely behind the state firewall nor within an agency-owned system;

2) while self-service job seekers use WorkSource resources daily, this usage is not being adequately collected for self-service reporting numbers due to inconsistent use.

2. Vision of the Solution

2.1. Vision Statement

The WMS shall be decommissioned and the Self-Service Tracking Workgroup Phase 2 shall jointly design a new web front end with a direct interface to SKIES.

The new Self-Service Tracking system will enable job seekers to self-register with the WorkSource system, reducing the need for staff to re-register the seeker. Workgroup recommendations fell into three categories: collect self-service registration data to be sent directly to SKIES; reduce the need for staff to create a new registration after a self-service customer has already completed one; and track self-service, in-office sessions over time. When the new Self-Service Tracking system is implemented with its direct delivery of data to SKIES:

Job seekers would experience decreased frustration if the systems to which they are asked to register in order to receive WorkSource services are minimized

Staff would gain increased efficiency by elimination of redundant registrations

Staff would gain increased efficiency if provided a more complete picture of job seeker usage of WorkSource systems

Staff and management would gain increased quality of reports by the collection of self-service data sent directly to SKIES

2.2. Major Features

MF-1 System would present a self-service registration/login welcome screen, at a minimum, on each resource room PC and free-standing kiosk, which would collect data about seeker characteristics and the services they intend to request per session
MF-2 Key seeker characteristics and services will be captured and sent to the data warehouse. The data elements to be included, both required and optional, would be determined by this workgroup.
MF-3 Data collected would be secured behind the state firewall
MF-4 System would recognize an existing seeker registration, which would prevent a new registration but would enable the seeker to update/modify previously entered seeker data
MF-5 System would interface with SKIES by sending data collected from each user session to meet self-service customer tracking requirements
MF-6 System would enable more flexible and expanded reporting of self-service usage through the SKIES data warehouse
MF-7 System would interface with Go2WorkSource.com to enable the seeker to use a single login to access both self-service WorkSource systems.

2.3. Assumptions and Dependencies

AS-1 The scope of the initial release will be limited to replicating the current functionality of WMS in order to decommission WMS as soon as possible.
AS-2 Additional functionality may be incorporated into the initial release if it can be done without significantly affecting the project schedule.
AS-3 The existing WMS data will need to be converted.
AS-4 The functional requirements preparation, as well as development and testing schedules, will be coordinated between the SKIES and Go2WorkSource business and development teams.
AS-5 Proposed data elements, service listings and other business-related system attributes will be communicated to the ultimate users of the new tracking system through the existing SKIES Change Control Board (SCCB).
AS-6 Additional data sent to SKIES by the Self-Service Tracking system will not negatively impact SKIES system performance.
AS-7 Implementation and installation in each resource room would be coordinated among the ESD IT Field Support group, SKIES/Go2WorkSource business teams, and WDC technical staff.
AS-8 Staff training will be provided through the existing training infrastructure prior to implementation.
AS-9 The system will maintain a transaction history of modifications made by the seeker to the existing record.
AS-10 Touch screen technology will not be included in this initial release.
AS-11 Opt Out data sharing will be accommodated in accordance with RCW 50.13.060.
DE-1 Should a technical change be required to complete the development of a system feature, this Vision and Scope document would require review and could require a modification.

3. Scope and Limitations

3.1. Scope of Initial Release

The scope of the initial release will be limited to replicating the current functionality of WMS. This limitation is to meet a fundamental business need for the Self-Service Tracking project, which is to decommission WMS as soon as possible to eliminate potential security risks. Additional functionality may be incorporated into the initial release if it can be done without significantly affecting the project schedule.

3.2. Scope of Subsequent Releases

Business requirements that were outside of the scope of the initial release and could not be added to the initial release without significantly affecting the project schedule will be included in one or more subsequent releases. The Information Technology Services Division will provide a cost estimate on the development effort needed to support touch screen technology for a subsequent release.

3.3. Limitations and Exclusions

Revised 07/29/09 to include: At this time, an interface between the Self-Service Tracking system and Go2WorkSource.com is not included as part of this project.

4. Business Context

4.1. Stakeholder Profiles

Stakeholder: Job seekers
Major Value:
- Less confusion over registrations
- Less duplication of registration information
- More efficient service from staff
- Less frustration from customers who prefer self-entry of basic information only once
Attitudes:
- Increased positive experience with the self-service process and WorkSource system
Constraints:
- Requirement to enter more data may reduce willingness to use the system
- Responsibility to remember a password
- Responsibility to provide reasons for the WorkSource visit

Stakeholder: Staff
Major Value:
- Reduced redundant data entry
- Time saved that can be used to provide more service
- More reliance on in-office self-service to complete registration
- Modifications to the system, routed through the SKIES Change Control Board, will be conveyed to staff to help ensure consistent use and understanding of new features
Attitudes:
- More time to work with seekers, resulting in reduced workload stress
Constraints:
- Potential resistance of some seekers
- Potential increased instruction time with some seekers

Stakeholder: Managers
Major Value:
- Staff efficiency increased
- Self-service data more complete
- Ability to better manage staff coverage
- Ability to more accurately track self-service activity
Attitudes:
- Increased satisfaction due to improved staff efficiency, customer service, and availability of reports

5. Attachments

5.1. Attachment A

WWA/ESD SELF-SERVICES TRACKING WORKGROUP RECOMMENDATIONS

September 12, 2008

SUMMARY

The WWA/ESD Self-Services Tracking Workgroup recommends decommissioning the WorkSource Management System (WMS) and replacing it with a web-based tracking system that is directly connected to SKIES. The system would be jointly designed by the Washington Workforce Association (WWA) and the Washington State Employment Security Department (ESD).

WORKGROUP CHARGE

The WWA/ESD Self-Services Tracking Workgroup (workgroup) was formed in March 2008. The executive sponsors of the workgroup are Lisa Nisenfeld, the Executive Director of the Southwest Washington Workforce Development Council and Paul Trause, the ESD Deputy Commissioner. The workgroup was charged to recommend how the WorkSource system as a whole should track self-services, including all possible options such as not having WMS anymore, having WMS remain as is, having WMS interface with SKIES, or whatever works best to track self-services, and is the best possible way to track self-services for the WorkSource system.

ALTERNATIVES CONSIDERED

The workgroup identified three alternative solutions for self-service tracking, which are listed below in rank order.

A. WMS is decommissioned and WWA & ESD jointly design a new web front end with a direct interface to SKIES.

B. WMS physically moves onto ESD hardware located behind the firewall and a one-way interface from WMS to SKIES is added.

C. WMS remains as is but is modified to meet ESD security and risk concerns. A one-way interface from WMS to SKIES is added.

Recommended Alternative

The workgroup unanimously selected Alternative A, to decommission WMS and replace it with a WWA & ESD jointly designed web front end with a direct interface to SKIES, as the recommended alternative. Key facts related to the recommended alternative:

It is the only alternative that will meet all of the business requirements identified by the workgroup

It will eliminate dual systems, multiple customer registrations and redundant data entry

In accordance with the workgroup assumptions, the scope of the new system will be based upon the current functionality of WMS

It will be developed and owned by ESD

All short and long-term costs will be absorbed by ESD

ESD will assume responsibility for the maintenance, support and enhancement of the system

PRIORITY

Given the WMS security issues identified by the workgroup, it is recommended that WWA and ESD assign the highest priority to the design, development and implementation of the recommended alternative. To expedite the project, the workgroup recommends charging the current workgroup, under the existing executive sponsors and co-chairs, to revise membership as necessary and prepare the business requirements for the new tracking system as soon as possible.

RELATIVE COSTS

The relative difference in the estimated cost to ESD between Alternative A and Alternative B is very small, approximately $12,000.

Alternative A: $36,000 to $48,000 and a three to four month effort

Alternative B: $24,000 to $36,000 and a two to three month effort

The evaluation of the alternatives looked at the relative difference in cost to ESD between Alternatives A and B. Costs for Alternative C were not compared, as this alternative has no ESD related costs. Cost estimates do not include the cost for the SKIES interface, as this cost will be the same for both alternatives. Development costs are based upon the work being done by a contractor.

Exhibit 1, WWA/ESD Self-Services Tracking Workgroup, Comparison of Alternatives, contains a detailed comparison between the three alternatives.

These recommendations are submitted on behalf of the workgroup by the Co-Chairs, Peg Waldron for WWA and Rick Sandler for ESD.

Attachment: EXHIBIT 1

WWA/ESD SELF-SERVICE TRACKING WORKGROUP

COMPARISON OF ALTERNATIVES

BUSINESS PROS AND CONS

Recommended Alternative

Alternative A.

The WorkSource Management System (WMS) is decommissioned and WWA & ESD jointly design a new web front end with a direct interface to SKIES.

ESD PRO:
1. Alternative meets all business requirements.
2. ESD issues with WMS are completely resolved.
3. Eliminates dual systems and multiple registrations.
4. Eliminates redundant data entry.
5. ESD and WWA jointly design a new system based upon modern and easily modified technology.
6. ESD gets data needed to meet customer tracking requirements.
7. Customers will be able to self-register.
8. Opportunity for more flexible and expanded reporting through the SKIES Data Warehouse.
9. Reduced operating and long-term costs.
10. Reduced time needed to support, maintain and enhance.
11. More nimble system creates opportunity to support new and emergent business needs.

ESD CON:
1. ESD absorbs short & long-term costs.
2. ESD assumes responsibility for the maintenance, support and enhancement of the tracking system.
3. ESD will have to develop this alternative.

WWA PRO:
1. Alternative meets all business requirements.
2. ESD issues with WMS are completely resolved.
3. ESD absorbs short & long-term costs.
4. ESD assumes responsibility for the maintenance, support and enhancement of the tracking system.
5. ESD and WWA jointly design a new system based upon modern technology.
6. Customers will be able to self-register.
7. ESD develops this alternative.
8. Opportunity for more flexible and expanded reporting through the SKIES Data Warehouse, without reliance on ESD.
9. More nimble system creates opportunity to support new and emergent business needs.

WWA CON:
1. ESD owns the new system.
2. The prioritization of enhancements and modifications would be done through the SKIES Change Control Board (or a possible variant), which may result in delays.

BUSINESS PROS AND CONS

Alternative B.

WMS physically moves onto ESD hardware located behind the firewall and a one-way interface from WMS to SKIES is added.

ESD PRO:
1. ESD issues with WMS are completely resolved.
2. ESD gets data needed to meet customer tracking requirements.
3. Some redundant data entry is reduced (SKIES).
4. Opportunity for more flexible and expanded reporting through the SKIES Data Warehouse.

ESD CON:
1. Alternative does not meet all identified business requirements.
2. Dual systems must be maintained and multiple registrations will be required. (Does not meet business requirement A.2.)
3. ESD absorbs short & long-term costs.
4. ESD assumes responsibility for the maintenance, support and enhancement of WMS and the WMS to SKIES interface.
5. ESD will have to modify WMS and develop the interface.
6. Customers will not be able to self-register. (Does not meet business requirement A.3.)

WWA PRO:
1. ESD issues with WMS are completely resolved.
2. ESD absorbs short & long-term costs.
3. Opportunity for more flexible and expanded reporting through the SKIES Data Warehouse, without reliance on ESD.

WWA CON:
1. Alternative does not meet all identified business requirements.
2. WWA transfers ownership of WMS to ESD.
3. The prioritization of WMS enhancements and modifications would be done through the SKIES Change Control Board (or a possible variant), which may result in delays.
4. Dual systems must be maintained and multiple registrations will be required. (Does not meet business requirement A.2.)
5. Old technology will make it difficult to accommodate future business needs.
6. Customers will not be able to self-register. (Does not meet business requirement A.3.)

BUSINESS PROS AND CONS

Alternative C.

WMS remains as is but is modified to meet ESD security and risk concerns. A one-way interface from WMS to SKIES is added.

ESD PRO:
1. ESD issues with WMS are completely resolved.
2. ESD gets data needed to meet customer tracking requirements.
3. Some redundant data entry is reduced (SKIES).
4. Opportunity for more flexible and expanded reporting through the SKIES Data Warehouse.

ESD CON:
1. Alternative does not meet all identified business requirements.
2. Dual systems must be maintained and multiple registrations will be required. (Does not meet business requirement A.2.)
3. ESD absorbs short & long-term costs.
4. ESD assumes responsibility for the development and modification of the WMS to SKIES interface.
5. Customers will not be able to self-register. (Does not meet business requirement A.3.)

WWA PRO:
1. WWA retains ownership of WMS.
2. ESD issues with WMS are completely resolved.
3. The priority for WMS enhancements and development continues to be controlled by WWA.
4. Opportunity for more flexible and expanded reporting through the SKIES Data Warehouse, without reliance on ESD.

WWA CON:
1. Alternative does not meet all identified business requirements.
2. WWA continues to absorb short & long-term costs for WMS.
3. Dual systems must be maintained and multiple registrations will be required. (Does not meet business requirement A.2.)
4. WMS technology platform is not updated.
5. WWA will have to modify WMS to enhance security, at WWA's expense.
6. Old technology will make it difficult to accommodate future business needs.
7. Customers will not be able to self-register. (Does not meet business requirement A.3.)

TECHNICAL ASSESSMENT OF THE ALTERNATIVES

Recommended Alternative

Alternative A:

Jointly design a new web front end that would have WorkSource Membership System (WMS) functionality, data maintained on SKIES and equipment located on the Employment Security Department's Information Systems network, with the following conditions:

Condition: Must meet security requirements described in Attachment B, ESD Security Assessment of the WMS System.
1. The new web front end will need to support ESD's security concerns.
2. Network and server capacity need to be sized for expanded use.
WWA Cost Impacts: NONE
ESD Cost Impacts: ITSD Network support (absorbed at current level)

Condition: New front end design will need to meet all identified business and reporting needs.
1. Project established with project oversight and team members identified.
2. Information will need to be available for reporting purposes.
WWA Cost Impacts: NONE
ESD Cost Impacts: WSOD Business Analyst (absorbed at current level); Developer: net development cost in contractor dollars = $36,000 to $48,000 and three to four months effort.

Alternative B:

WorkSource Membership System (WMS) physically moves behind the firewall on the Employment Security Department's Information Systems network, with the following conditions:

Condition: Must meet security requirements described in Attachment B, ESD Security Assessment of the WMS System.
1. WWA will need to share WMS code and server with Employment Security Department Information Technology Services Division staff.
2. Need to ensure that network and server capacity are sized for expanded use.
3. ESD standard for maintaining & managing support for WMS would require the move to a SQL Server or Oracle database.
4. WMS would be located on ESD VMware & cluster.
5. WMS will need to be modified to meet specific security requirements identified through the risk assessment. For example, use an identifier other than SSN once the customer has registered in the system with SSN.
6. RAK will need to be installed.
WWA Cost Impacts: NONE
ESD Cost Impacts: ITSD Network support (absorbed at current level); Software licensing costs @ $2,000; Developer: net development cost in contractor dollars = $24,000 to $36,000 and two to three months effort.

Condition: WMS will need to be modified to meet all identified business and reporting needs.
1. Interface needs to be developed between WMS and SKIES.
2. Information will need to be available for reporting purposes.
WWA Cost Impacts: NONE
ESD Cost Impacts: Developer, cost TBD; WSOD Business Analyst (absorbed at current level); SKIES Data Warehouse (absorbed at current level)

Alternative C:

WorkSource Membership System (WMS) remains as is, with the following conditions:

Condition: Must meet security requirements described in Attachment B, ESD Security Assessment of the WMS System.
1. WWA will need to verify that WMS can comply with all security concerns.
2. WMS will need to be modified by WWA to meet security concerns.
3. Need to ensure that network and server capacity are sized for expanded use.
4. WWA will need to install RAK.
WWA Cost Impacts:
- Encrypt stored PII
- Add a password authentication layer to login, or eliminate the personalized "Welcome" greeting
- Limit WMS website access to a list of IP addresses
- Add a data input validation routine
- Retain an independent evaluator to verify the vendor's due diligence
- Conduct a penetration test
ESD Cost Impacts: ITSD Network support (absorbed at current level); data sharing contracts reviewed

Condition: WMS will need to be modified to meet all identified business and reporting needs.
1. An interface will need to be developed between WMS and SKIES.
2. Information will need to be available for reporting purposes.
WWA Cost Impacts: Create script to populate WMS data warehouse
ESD Cost Impacts: Developer, cost TBD; WSOD Business Analyst (absorbed at current level); SKIES Data Warehouse (absorbed at current level)

Attachment A, Business Requirements and Assumptions

Attachment B, ESD Security Assessment of the WMS System

Attachment A, Business Requirements and Assumptions

The team looked at various alternatives and determined that any of the systems recommended would need to be modified in order to meet the business needs listed below. The team also identified the assumptions listed below:

A. Business Requirements

The recommended alternative must operate on a technically stable and maintained environment and must have the capability to:

1. Meet the minimum security requirements described in Attachment B, ESD Security Assessment of the WMS System.

2. Track customer activity in one system to eliminate redundant data entry by staff and eliminate customer confusion due to multiple registrations in different systems.

3. Allow customers to register themselves.

4. Supply the data needed for ad hoc or canned reporting.

5. Track the majority of customers that use self-services in the resource room.

6. Track what self-services customers need when they come into the WorkSource Centers.

7. Enable the customer to record the self-service activity they are requesting.

8. Track the number of customers that are not receiving staff assisted services but use the resource room.

9. Track the number of customers that receive staff assisted services and use the resource room for their continued needs.

10. Track the number of customers that use resource rooms to determine when staff resources are needed to support a high volume of customer use.

11. Track the services provided to customers by staff in the resource rooms.

B. Assumptions

1. The development and implementation of the recommended alternative should be a priority for ESD and WWA.

2. The definition of Self-Service is not within the scope of the workgroup's charge.

3. Alternatives and costing will be based on the equivalent functionality of the existing WMS.

4. Opt Out functionality and process must be incorporated into the recommended alternative but will not be included in cost estimates developed by the workgroup.

5. ITSD Network support will not require any additional hardware or capacity.

Attachment B, ESD Security Assessment of WMS

Security Recommendations

1. ESD has a potential liability in having PII data stored on machines outside of its control. Potential mitigation steps include:

Changing the SSN tracking number to another value

Assigning a unique ESD identifier to replace the SSN and use that value

Encrypting the data on the vendor's server so the data is never in clear text

Hosting WMS within the State Governmental Network (SGN)

Developing a new self-service tracking system that is compliant with security requirements

2. Put in place a comprehensive ESD/WWA WMS usage agreement.

3. WWA should perform a vulnerability assessment on the InCommand server and follow-up with any remedies.

4. Evaluate the encryption algorithm used to encrypt the swipe card.

5. Data stored on the local PCs under RAK should be encrypted.

6. Access lists should be put in place at InCommand to prevent unauthorized access to the website.

7. Place an input validation routine on the website input field to accept only valid data and or eliminate special characters unique to SQL like the single quote, double quote, equal sign, greater than sign, less than sign, double dash , etc.

8. Purge the test data.
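Recommendation 7 (and concern 4 below) describe the membership-number field being passed straight into SQL. The following is an added example, not code from the WMS system (which the assessment did not have access to) or from ESD: a Python/sqlite3 lookup written the way the assessment warns about, beside a hardened version that allow-lists the field format and binds it as a query parameter, plus the test-data purge of recommendation 8. The table layout, the sample rows and the nine-digit membership-number format are assumptions constructed for the example; the first row mirrors the kind of test account the assessment found.

```python
import re
import sqlite3

# Constructed sample rows (not WMS data). The first row mirrors the kind of test
# account the assessment found: a placeholder SSN that answers "Hi George".
SAMPLE_MEMBERS = [
    ("123456789", "George", "test"),
    ("987654321", "Maria", "active"),
]

# Assumption: a membership number is nine digits (the SSN-derived value the
# assessment describes). Dashes and spaces are stripped before checking.
MEMBER_NUMBER_RE = re.compile(r"[0-9]{9}")


def build_db():
    """In-memory members table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (member_no TEXT PRIMARY KEY, first_name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw):
    """The pattern the assessment warns about: the form field is spliced into the
    SQL text, so quotes and operators in the input become part of the query."""
    sql = "SELECT first_name FROM members WHERE member_no = '" + raw + "'"
    return [row[0] for row in conn.execute(sql)]


def normalize_member_number(raw):
    """Return the canonical nine-digit string, or None if the input is not one.
    This is an allow-list check: anything that is not exactly nine digits is
    rejected, rather than trying to strip individual SQL characters."""
    cleaned = raw.replace("-", "").replace(" ", "")
    return cleaned if MEMBER_NUMBER_RE.fullmatch(cleaned) else None


def lookup_hardened(conn, raw):
    """Validate first (recommendation 7), then bind the value as a parameter so
    the database driver never interprets it as SQL."""
    member_no = normalize_member_number(raw)
    if member_no is None:
        return []
    sql = "SELECT first_name FROM members WHERE member_no = ?"
    return [row[0] for row in conn.execute(sql, (member_no,))]


def purge_test_accounts(conn):
    """Recommendation 8: remove test data. Returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM members WHERE status = 'test'")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = build_db()
    attack = "' OR '1'='1"
    print(lookup_vulnerable(conn, attack))        # every member, not just one
    print(lookup_hardened(conn, attack))          # [] (rejected before the query runs)
    print(lookup_hardened(conn, "123-45-6789"))   # ['George'] until the test row is purged
    purge_test_accounts(conn)
    print(lookup_hardened(conn, "123-45-6789"))   # []
```

The input `' OR '1'='1` turns the concatenated query into `WHERE member_no = '' OR '1'='1'`, which returns every member. The hardened path closes the hole twice over: the allow-list rejects anything that is not nine digits, and the bound parameter means that even a value which slipped past validation could not change the query's structure. Parameter binding is what removes the injection path; the character blacklist the recommendation suggests (dropping quotes, equals signs, dashes and so on) is a weaker substitute that is easy to bypass and should not be the only control.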

Areas of Concern

The security recommendations above address the following areas of concern that were identified during the assessment:

1. The SSN is personally identifiable information (PII) that is stored offsite on a vendor's computer. ESD is liable for any breach of PII that is stored on the vendor's server, as covered by state law RCW 19.255.010, Disclosure, notice, Definitions, Rights, remedies (http://apps.leg.wa.gov/rcw/default.aspx?cite=19.255.010) and RCW 42.56.590, Personal information, Notice of security breaches (http://apps.leg.wa.gov/RCW/default.aspx?cite=42.56.590).

2. ESD does not have a use agreement or data sharing agreement with WWA to ensure appropriate stewardship of PII and to safeguard the use of state resources.

3. ESD does not have control of the security of the vendor's server and cannot ensure that the vendor will perform their job to keep the data safe. The processes and protocols used by the vendor to protect the data are unknown to ESD. There is presently no independent audit verification of the vendor's due diligence.

4. There are no data input validation routines on the website field used to enter the customer's membership number. This means that numeric and alphabetic data can be entered, including special characters unique to SQL. Since no input validation is performed, the site may be vulnerable to attacks such as SQL injection. A penetration test was not performed to see if a hacker could access the site, because it is unethical to hack a system without the permission of the owner.

5. The website is on the Internet, and there have been occasions when this website has been down and unavailable. A system called RAK is being developed to remedy the situation. RAK will store the data (SSN, name and services) locally on the PC until the website is available. The concern here is that while the data is stored on the PC waiting to be forwarded to the wstrack.org website, it could be harvested from the PC. It is also of concern that the data is kept in a file and erased with the Windows erase utility. The Windows erase utility does not physically delete the file; it only removes the pointer to the data, which could be forensically recovered.

6. The encryption used to write to the magnetic strip on the swipe card is a proprietary algorithm that uses a multi step process that is cryptographically weak. In other words, it has the potential to be cracked given enough time and energy. The algorithm should be independently evaluated to determine the likelihood of such an occurrence and to ensure that due diligence has been exercised, as is required under Washington State security breach laws.

7. Some WorkSource clients have expressed a concern about using their SSN for tracking purposes.

8. The website is accessible to anyone on the Internet just by typing in the URL. This means that the site is vulnerable to being hacked through an Internet browser because there are no access control limits.

9. ESD does not have access to the network topology of InCommand Inc and it does not appear that the website is protected by a firewall or an Intrusion Detection System (IDS). Note: the firewall and IDS could be in stealth mode.

10. The data in the database has test account information in it that allows the public access. For example, it is possible to gain access by typing in an SSN of 123-45-6789. The system returns "Hi George".
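Recommendation 1 proposes replacing the SSN tracking number with a unique ESD identifier, and recommendation 4 and concern 6 question the proprietary encryption written to the swipe card. The following is an added example of how those two points fit together, written for this page and not taken from the workgroup's design or any ESD code. It uses only the Python standard library: an SSN is exchanged once for a random ESD identifier, the service keeps a keyed HMAC of the SSN so a returning seeker maps to the same identifier (the existing-registration check of MF-4), and the swipe card carries the identifier plus an HMAC tag instead of an encrypted SSN. The key handling, identifier format and tag length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: these keys would be held in ESD's key store, separate from the
# tracking database. They are generated here only so the example runs stand-alone.
INDEX_KEY = secrets.token_bytes(32)   # keys the SSN lookup index
CARD_KEY = secrets.token_bytes(32)    # authenticates what is written to a card


def normalize_ssn(ssn):
    """Keep only the nine digits so '123-45-6789' and '123456789' match the same seeker."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has nine digits")
    return digits


class IdentifierService:
    """Replaces the SSN with a random ESD identifier. Tracking records and the
    swipe card carry only the identifier; the SSN itself is never stored. A keyed
    HMAC of the SSN is kept so a returning seeker maps to the same identifier."""

    def __init__(self, index_key):
        self._key = index_key
        self._index = {}      # HMAC(SSN) -> ESD identifier
        self._records = {}    # ESD identifier -> tracking data (no SSN inside)

    def _index_value(self, ssn):
        return hmac.new(self._key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()

    def register(self, ssn, first_name):
        key = self._index_value(ssn)
        if key in self._index:
            return self._index[key]             # existing seeker: no second registration
        esd_id = "ESD-" + secrets.token_hex(8)  # random, so it reveals nothing about the SSN
        self._index[key] = esd_id
        self._records[esd_id] = {"first_name": first_name, "sessions": []}
        return esd_id

    def record_session(self, esd_id, service):
        """Append one resource-room session; returns the session count for that seeker."""
        self._records[esd_id]["sessions"].append(service)
        return len(self._records[esd_id]["sessions"])

    def stored_text(self):
        """Everything the service persists, flattened, to show the SSN is absent."""
        return list(self._index) + [repr(r) for r in self._records.values()]


def encode_card(esd_id, card_key):
    """Card track data: the identifier plus a truncated HMAC tag (16 hex chars,
    an assumption chosen to fit a magnetic stripe). Nothing secret is written to
    the stripe, so there is no card-side algorithm to crack; an altered track
    simply fails verification."""
    tag = hmac.new(card_key, esd_id.encode(), hashlib.sha256).hexdigest()[:16]
    return esd_id + "|" + tag


def verify_card(track, card_key):
    """Return the identifier if the tag is genuine under card_key, else None."""
    esd_id, _, tag = track.partition("|")
    expected = hmac.new(card_key, esd_id.encode(), hashlib.sha256).hexdigest()[:16]
    return esd_id if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    svc = IdentifierService(INDEX_KEY)
    first = svc.register("123-45-6789", "George")
    again = svc.register("123456789", "George")   # same seeker, same identifier
    print(first == again)                                     # True
    svc.record_session(first, "resource room")
    print(any("123456789" in s for s in svc.stored_text()))   # False: no SSN on disk
    track = encode_card(first, CARD_KEY)
    print(verify_card(track, CARD_KEY) == first)              # True
    print(verify_card(track.replace(first, "ESD-0000000000000000"), CARD_KEY))  # None
```

Two caveats a practitioner would add. The HMAC index is a deterministic pseudonym over a space of only about a billion SSNs, so anyone holding both INDEX_KEY and the index can enumerate it; the key has to live apart from the data (a key store or HSM), and the index itself should still be encrypted at rest, as recommendation 1 asks. And because the card now carries an opaque identifier rather than the SSN, the loss of a card or a break of the card format exposes nothing personal; the server-side check is what authenticates the card, which is the property the proprietary scheme in concern 6 was trying to get from secrecy of its algorithm.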

Copyright 1999 by Karl E. Wiegers. Permission is granted to use, modify, and distribute this document.

