Project Management

Table of Contents

1. Management Summary
1.1. Project Description
1.2. Objectives
1.3. Overall Resource Requirements
1.4. Constraints
1.5. Problem Areas and How They will be Overcome
1.6. A Master Schedule Showing Major Events and Milestones
2. Management and Organization
2.1. Project Management and Organization
2.2. Manpower
2.3. Training and Development
3. Technical Section
3.1. Scope of Work
3.2. Work Breakdown
3.3. Responsibility Assignments
3.4. Project Schedules
3.5. Budget and Financial Support
3.6. Testing of Deliverables
3.7. Change Control Plan
3.8. Work Review Plan
3.9. Documentation
3.10. Implementation
3.11. Economic Justification
3.12. Areas of Uncertainty and Risk
3.13. Implementation of Internal IT Controls and Compliance
4. Communication Plan
4.1. Project Audience
4.2. Information Needs
4.3. Communications Calendar
4.4. Format/Delivery
4.5. Approvals
4.6. Escalation
4.7. Contact Information

Management Summary

Project Description

Our company’s internal network is constantly under attack from several Advanced Persistent Threats (APTs), which have on occasion successfully penetrated our perimeter protections and removed sensitive data from our internal network. Because of this, most systems connected to the corporate intranet cannot be trusted to store highly sensitive corporate data, and extra protection must be provided to ensure our company’s most proprietary information remains protected and is never again compromised.

The intent of this project is to design and implement a Secure Collaboration Environment (SCE) enclave where members of the Information Technology (IT) and Information Security (IS) staff, along with key customers within the Engineering and Management organizations, can perform data, voice and video collaboration in a secure manner and with the appropriate need-to-know protection levels seamlessly integrated.

This isolated enclave will be used to perform sensitive design work and to store sensitive deliverables and documents related to our most critical IT and IS activities performed on our company’s network. This high assurance enclave is being built to strengthen the IT Security and Controls that are available and will be designed with multiple layers of security protection (a defense-in-depth approach). The SCE project team must deliver this enclave on time, within the projected budget, and while meeting all the identified requirements.

The project will be sponsored by the Director of IT and will involve several functional managers from across IT-Architecture, IT-Operations, IS, Data Center Management (DCM), Finance, Facilities and others. The sponsor ranks this project as one of the highest priorities within the IT organization.

The primary business benefit that will be provided when this enclave is complete is the assurance that highly sensitive corporate data is safeguarded. Otherwise, APTs will continue to siphon our critical corporate information which, if lost, could result in the loss of key programs, resulting in loss of personnel, and potentially billions of dollars of lost revenue.

Objectives

The following three high level objectives must be achieved:

1. Schedule – The SCE enclave must be in production in calendar year 2014

2. Cost – Capital & expense items must remain within the approved budget ($2.0M)

3. Quality – SCE solution implemented must meet all identified requirements

The following critical success factors must be achieved:

1. Successful and secure audio/video collaboration within the SCE enclave

2. Successful and secure data collaboration within the SCE enclave

3. Successful implementation of a Virtual Desktop Infrastructure (VDI) environment supporting multiple projects and customer groups (multi-tenant)

4. Successful encryption of all sensitive corporate data while at rest

5. Accessibility to the SCE enclave from both home and work environments

6. Penetration / Vulnerability Assessments complete and close-out of all mitigations

7. Information Security (IS) buy-off of SCE design, configuration and processes

8. Satisfied customers within SCE

The following 5 gate reviews or product development milestones must be completed and all liens closed prior to the next gate (see Figure 1 below):

1. Opportunity Evaluation (OE)

2. Preliminary Design Review (PDR)

3. Critical Design Review (CDR)

4. Production Readiness Review (PRR)

5. Project Closure

Figure 1 – Project Lifecycle

Overall Resource Requirements

All the forms of company resources will be needed to complete the SCE project:

1. Money - Capital and expense monies will be required to build SCE. Capital will be needed to purchase the end-user devices, routers, packet filters, switches, servers, SAN, backup hardware, KVM, and audio/video appliances. Expense items will also need to be purchased to cover the system software, consulting and training items, and other low value assets not requiring capital. Direct and indirect costs will be associated with the SCE project. These costs include labor costs, travel expenses, overhead facility costs, and reward/recognition costs. Details will be provided in Section 3.5.

2. Manpower - Resources from several different departments will be required to design, install, and maintain the SCE environment over its lifecycle. Executive Management, Project Management, IT, IS, Finance, Facilities, Data Center Management (DCM), HR, Procurement, Receiving, Training and several other departments will need to be engaged. Details will be provided in Section 2.2.

3. Equipment – Existing computing equipment residing on the corporate network will be required to provide the home access, routing, authentication, monitoring, alerting and other capabilities needed. SCE must integrate into the existing corporate equipment yet remain autonomous and secure.

4. Facilities - The SCE enclave racks will reside within two corporate data centers. Power, cooling, electrical, rack space and other facility components will be needed to house this effort. Personnel working this effort will need desks and conference rooms to use to collaborate and perform daily work assignments.

5. Materials – Various materials will be used during the SCE project. These items include training materials, equipment used to properly rack-mount the equipment, shipping materials, consumables required for the end-user devices and personnel, and many more will be needed to ensure project success.

6. Information/Technology – Subject matter experts within IT will be needed to assist with the hosting of key applications within the SCE environment. Much information will be gathered, modified and leveraged to install, configure and maintain this enclave. IS staff will be needed to ensure threat modeling, vulnerability assessments and penetration testing are performed. New key technologies will be leveraged to ensure this environment is secure while still providing all the functionality required by the customers. Several vendors and subject matter experts within the company will need to be engaged.

Constraints

The following major constraints were identified and must be addressed:

1. Cost must be within the budget submitted in the long-range business plan.

2. Project schedule must be baselined and approved by the project sponsor.

3. Solutions must meet the detailed requirements and will be verified.

4. Integration efforts must not disrupt the ongoing business in any way.

5. High availability must be built into the design to eliminate single points of failure.

6. Limited support staff is available to maintain the enclave over its lifecycle.

7. Corporate policies are binding and must be adhered to at all times.

8. Outsourcing of operations staff will not be allowed due to security concerns.

9. End-user device performance must be equal to or better than that seen on the Intranet.

10. The Enclave must reside in at least two of the corporation’s three Data Centers.

Problem Areas and How They will be Overcome

The following problem areas have been identified & the corresponding mitigations noted:

1. Resource Availability – Human resources are extremely limited across the IT and IS organizations at this time. The SCE project has received the highest priority ranking from the leadership team and the functional managers will ensure that all tasks assigned to them will be fulfilled by the most qualified individual(s) available. Functional Management has committed to ensure resource availability is closely watched and they will work with the Project Manager to ensure resources are available on a timely basis.

2. Changing Requirements – Changing requirements and the resulting scope creep are often the cause of project failure. A change management tool, process and board will be created to ensure the project requirements are only modified when needed. Any change impacting schedule, cost or quality must be approved by the board and by the project sponsor before being implemented.

3. Use of Emerging Technologies – Several applications and processes to be used within the SCE enclave are considered non-standard within the company. These non-standard items will require the use of consultants for installation and configuration purposes. Formal training will also be provided to the support staff.

4. High Complexity – The SCE enclave involves a high level of complexity and will require assistance from several Enterprise Subject-Matter-Experts (SMEs) and vendors. The installation and configuration of this enclave will be performed in layers and will be done in a pre-production environment first. The project manager will be required to interface with several functional managers to ensure the proper resources are assigned.

5. Scalability – The SCE enclave will need to be able to scale to support additional use cases and corresponding users if initial rollout to production is a success. Scalability will be documented as a hard requirement and will be emphasized during the entire design process. Hardware and software will be selected based on this scalability requirement.

6. Security – The SCE enclave will need to be built with as many layers of security as possible. A defense-in-depth approach will be leveraged and Information Security will be intimately involved in the entire lifecycle of the project. Red Team reviews, vulnerability assessments and third-party penetration testers will be used to ensure the environment is as hardened as possible.

A Master Schedule Showing Major Events and Milestones

The following are the major events and milestones for the SCE project.

WBS | Task Name | Duration | Start | Finish
1 | Opportunity Evaluation | 30 days | Mon 3/4/13 | Fri 4/12/13
2 | Opportunity Initiated (Gate #1) | 0 days | Fri 4/12/13 | Fri 4/12/13
3 | Planning | 60 days | Mon 4/15/13 | Fri 7/5/13
4 | Planning Complete (Milestone) | 0 days | Fri 7/5/13 | Fri 7/5/13
5 | Requirements Definition | 20 days | Mon 7/8/13 | Fri 8/2/13
6 | Preliminary Design | 90 days | Mon 8/5/13 | Fri 12/6/13
7 | Preliminary Design Review (Gate #2) | 0 days | Fri 12/6/13 | Fri 12/6/13
8 | Design Finalization | 90 days | Mon 12/9/13 | Fri 4/11/14
9 | Critical Design Review (Gate #3) | 0 days | Fri 4/11/14 | Fri 4/11/14
10 | Development and Test | 60 days | Mon 4/14/14 | Fri 7/4/14
11 | Production Readiness Review (Gate #4) | 0 days | Fri 7/4/14 | Fri 7/4/14
12 | Implementation | 110 days | Mon 7/7/14 | Fri 12/5/14
13 | Implementation Complete (Milestone) | 0 days | Fri 12/5/14 | Fri 12/5/14
14 | Close Out | 10 days | Mon 12/8/14 | Fri 12/19/14
15 | Project Closure (Gate #5) | 0 days | Fri 12/19/14 | Fri 12/19/14

Note: A more detailed project plan will be shown later in this document in section 3.4.

Management and Organization

Project Management and Organization

The project will leverage an organizational layout as depicted in Figure 2. The project will leverage a matrix organizational form where the Project Manager maintains project control (through functional managers) over all resources, including cost and personnel.

The sponsor of the project is the Director of the IT organization who reports directly to the CIO. The Project Manager will report to the IT Director for the duration of the project.

The Project Manager will work with Functional Managers from across the IT-Architecture, IT-Operations, IS, Finance, DCM, Facilities and other departments in assigning the proper resources to the various tasks. A System Architect residing in the IT organization will be assigned to the project and assume the lead technical role. A Security Architect residing in the IS organization will be assigned to cover all security aspects of the project. The Project Manager must rely on the System and Security Architects to ensure the proper tasking is entered into the project plan and the appropriate linkages applied.

Figure 2 – Organizational Structure (organization chart; boxes shown: CIO, IT, IS, HR, DCM, Finance, Others, Project Mgr, Architecture, Operations)

Manpower

{Estimates of level of effort requirements in terms of skills, expertise, and strategies for locating and recruiting qualified people.}

Role | Description | Est. Hours
Executive Sponsor* | Owner and Sponsor of the Project | 100
Business Manager* | IT Focal Performing Opportunity Evaluation | 160
Project Manager* | Overall Owner of Schedule and Budget | 1000
System Architect* | Lead Technical Designer / IT Focal | 2500
Security Architect* | Lead Security Analyst / IS Focal | 1000
Customer Focals* | Primary Contacts for Each Customer Set | 500
Functional Managers* | Responsible for Staffing | 500
Change Lead* | Responsible for Change Management | 160
CM Focal* | Responsible for Configuration Management | 160
IT System Admins | Operations Staff for Various IT Disciplines | 1500
DCM Staff | Responsible for Data Center Management | 500
Customer Testers | Responsible for Performing Functional Tests | 240
Quality Focal | Responsible for Ensuring Project Quality | 40
Measurement Focal | Responsible for Measurement Plan | 40
Finance Focal | Budget Focal and Capital/Expense Lead | 80
HR Rep | HR Focal for Interviews and Staffing Issues | 80
Red Team | Perform Penetration Testing | 160
VA Testers | Responsible for Vulnerability Assessments | 160
Lab Lead | Focal for the Pre-Prod Lab used for Testing | 320
Enterprise SME’s | Subject Matter Experts in Various Products | 500
Technical Writer | Assist with all Formal Documentation Needs | 300
Total Estimated Hours | | 10,000

* Denotes SCE Core Team Member

Skillsets required to implement the SCE project will be identified early on in the effort. Functional Managers in the areas that have been identified as in scope will identify if they have the required skillsets in their group. If so, those individuals will be recruited to assist with the project. If not, the Functional Managers will determine if formal training is available/required or if headcount is needed to fulfill the need. Human Resources, the Functional Manager, Technical Leads, and the System Architect will be involved in the interview and selection process if additional headcount is required.

Many new technologies will be introduced that are not current corporate standards. Consulting may be needed to ensure knowledge is properly transferred to the right employee. Several vendors will need to be engaged in this effort and that engagement will be performed by the System Architect and the Security Architect.

Training and Development

The SCE project is a very complex effort requiring a significant amount of training for the IT architecture and operations teams. The System Architect will need to understand how the various components within SCE will integrate and that effort will require familiarization with the many products involved.

Vendor discussions will be needed to ensure the System Architect, Security Architect and the Technical Leads understand the technology prior to testing and eventually implementation. IT Operations staff will need to be trained to be able to support the environment over its lifecycle.

Technical Section

Scope of Work

Production Infrastructure

The Secure Collaboration Environment (SCE) production infrastructure is composed of an isolated enclave located in two of the company’s strategic Data Centers. The SCE environment resides in two racks within each of these Data Centers (See Figure 3). The hardware and software in these racks is maintained by the various IT admins assigned to the project along with Data Center Management personnel. A high-level infrastructure drawing is also helpful to get an understanding of the enclave boundary (See Figure 4).

Figure 3 – SCE Production Infrastructure (rack diagram; panels: Rack #1, Rack #2)

CappelMurray-CappelMurray-EMIS7365-MPP-20130423 (1) Printed On: 1/30/2014 Page 2 of 24

Figure 4 – SCE Infrastructure Diagram

The SCE high assurance enclave is composed of the following physical hardware:

· 3 Cisco Routers (Two in an HA Pair and One Spare)

· 3 Packet Filters (Two in an HA Pair and One Spare)

· 3 Cisco Switches (Two in a Stacked Configuration and One Spare)

· 1 Tandberg MCU Appliance

· 1 Tandberg VCS Appliance

· 1 HP MSL2024 Tape Library

· 1 HP DL380 Gen7 Server (Backup/Restore Server)

· 1 HP DL380 Gen7 Server (Depot Server)

· 2 HP DL380 Gen7 Servers (SQL 2008 R2 Servers)

· 1 Integrated KVM and KVM Switch

· 3 HP DL380 Gen7 Servers (VMware ESXi Host – Desktop Workloads)

· 3 HP DL380 Gen7 Servers (VMware ESXi Host – Server Workloads)

· 2 Brocade Fiber Channel Switches

· 3 HP SAN Enclosures

The SCE production infrastructure also contains a significant amount of Commercial-Off-The-Shelf (COTS) software which resides on the physical and virtual devices in the rack.

The SCE environment is administered using a zero client device (which must reside at an admin’s desk at work) which then connects to a virtual desktop residing within SCE. All traffic between the zero client and the virtual desktop is encrypted. The administrator will select which admin desktop pool (of which we have twelve) they would like to connect to. Each admin desktop pool is designed for a specific purpose and each pool is controlled using packet filter rules that allow only the data flows required to complete work related to that pool’s specific purpose.

Customers of the SCE environment who need to perform design work or collaboration for a specific project connect using a dedicated laptop which has been issued to them for use on security-related projects. Using that laptop, they connect into a virtual desktop residing within SCE. All traffic between the laptop and the virtual desktop is encrypted. The customer will select which customer desktop pool they would like to connect to based on the project environment they need to work in. Each customer desktop pool is designed for a specific project and each pool is controlled using packet filter rules that allow only the data flows required to complete work related to that pool’s project.

Enterprise Services

The SCE infrastructure is dependent on the following six Enterprise services:

· Network Time Protocol (NTP) Service

· Mail Relay Service

· Decipher Service

· Perimeter Service

· Public Key Infrastructure (PKI) Service

· DCM Service

The first service that SCE is dependent on is the Enterprise NTP service. Enterprise-provided NTP servers provide time to the SCE-owned routers which act as the authoritative time source for all internal SCE devices.

The second service that SCE is dependent on is the mail relay service. Alerts originating from within the SCE environment from the security tool management consoles are sent to the Enterprise mail relay servers and emails are then sent to group mailboxes where administrators receive the alerts via their mail client.

The third service that SCE is dependent on is the decipher service. Alerts originating from within the SCE environment from the security tool management consoles are sent to the Enterprise decipher servers where administrators receive the log entries and can act on the alerts.

The fourth service that SCE is dependent on is the perimeter service. Juniper security appliances are used to host a special instance of connect.Enterprise.com which SCE customers will access to connect their specialty laptops to the Enterprise network from home or at work. Host checking (laptop antivirus configuration, patch level, etc.), user authentication (SecureBadge) and device authentication (local certificate on laptop) will all be verified prior to establishing the IPsec tunnel to the Enterprise network.

The fifth service that SCE is dependent on is the Enterprise PKI service. Customers will be authenticating using their SmartCard credentials. Admins will be authenticating using their admin SmartCard credentials. Certificates provided by the PKI team are loaded on the domain controllers within SCE to enable use of these two forms of two-factor authentication. Certificate Revocation List (CRL) checking is also performed and leverages the PKI service.

The sixth service that SCE is dependent on is the Data Center Management (DCM) service. Power, cooling, network connectivity and rack space are provided by the Phoenix DCM service. They also provide the physical security required to protect this high assurance enclave.

Work Breakdown

The project can be broken down into eight major work packages.

1. Opportunity Evaluation – This initial phase of the project is essentially the preliminary evaluation of the project. It involves performing a preliminary risk assessment and feasibility study.

2. Planning – This work package involves refinement of the elements in the opportunity evaluation. It also identifies the resources required and the establishment of time, cost and performance parameters. This phase also includes the initial preparation of the documentation necessary to support the project.

3. Requirements Definition – This phase involves gathering all the requirements for the project. These include sponsor, user, security, facilities and development requirements.

4. Preliminary Design – This phase includes completing the initial design activity including hardware and software components, monitoring and alerting plan, change management and configuration management activities.

5. Design Finalization – This work package completes the design cycle and includes validating that all the detailed requirements have been met.

6. Development and Test – This phase involves developing the test plans, installation of the pre-prod environment where testing will occur, and performing the test plans and any mitigation that may follow.

7. Implementation – This work package involves performing the capital and expense acquisitions, installing the production components, and integrating customers into the production environment.

8. Close Out – This phase involves capturing lessons learned, releasing the personnel from the project, and closing out the charge numbers.

Responsibility Assignments

The table below lists personnel assigned to the project and their roles & responsibilities.

Role | Responsibility | Personnel
Executive Sponsor | Owner and Sponsor of the Project | Childs
Business Manager | IT Focal Performing Opportunity Evaluation | Crowell
Project Manager | Overall Owner of Schedule and Budget | Cappel
System Architect | Lead Technical Designer / IT Focal | Owens
Security Architect | Lead Security Analyst / IS Focal | Dodd
Customer Focals | Primary Contacts for Each Customer Set | Smith, Yi, ……
Functional Managers | Responsible for Staffing | Meyer, Yee, …
Change Lead | Responsible for Change Management | Richard Ginter
CM Focal | Responsible for Configuration Management | Mark Humphrey
IT System Admins | Operations Staff for Various IT Disciplines | Brach, Do, ….
DCM Staff | Responsible for Data Center Management | Lanzi, Davis, ..
Customer Testers | Responsible for Performing Functional Tests | Ott, Thomas, ..
Quality Focal | Responsible for Ensuring Project Quality | Beverly
Measurement Focal | Responsible for Measurement Plan | Leonard
Finance Focal | Budget Focal and Capital/Expense Lead | Einfeldt
HR Rep | HR Focal for Interviews and Staffing Issues | Coleman
Red Team | Perform Penetration Testing | Meagher, ……..
VA Testers | Responsible for Vulnerability Assessments | Hu, Uuh, ……
Lab Lead | Focal for the Pre-Prod Lab used for Testing | Damania
Enterprise SME’s | Subject Matter Experts in Various Products | Ladd, York, …
Technical Writer | Assist with all Formal Documentation Needs | Anderson

Project Schedules

As discussed previously, the project plan can be broken down into eight major work packages. This section will display each of the work packages in further detail.

WBS | Task Name | Start | Finish | Resource Names
1 | Opportunity Evaluation | Mon 3/4/13 | Fri 4/12/13 |
1.1 | Identify and Define the Problem | Mon 3/4/13 | Wed 3/6/13 | Business Manager, Core Team
1.2 | Identify and Define Conceptual Solution | Thu 3/7/13 | Wed 3/13/13 | Business Manager, Core Team
1.3 | Identify Required Skillsets | Thu 3/14/13 | Fri 3/15/13 | Core Team
1.4 | Identify Customers and Use Cases | Mon 3/18/13 | Tue 3/19/13 | Business Manager, Customer Focals
1.5 | Evaluate Alternatives | Wed 3/20/13 | Thu 3/21/13 | Business Manager
1.6 | Evaluate Technical Base | Fri 3/22/13 | Mon 3/25/13 | Business Manager
1.7 | Prepare Preliminary Cost Estimates | Tue 3/26/13 | Wed 3/27/13 | Business Manager
1.8 | Prepare Preliminary Resource Estimates | Thu 3/28/13 | Fri 3/29/13 | Business Manager
1.9 | Perform Feasibility Study | Mon 4/1/13 | Fri 4/5/13 | Business Manager
1.10 | Preliminary Risk Analysis | Mon 4/8/13 | Fri 4/12/13 | Business Manager
1.11 | Opportunity Initiated (Gate #1) | Fri 4/12/13 | Fri 4/12/13 | Executive Sponsor, Core Team

WBS | Task Name | Start | Finish | Resource Names
2 | Planning | Mon 4/15/13 | Fri 7/5/13 |
2.1 | Define Project Expectations | Mon 4/15/13 | Tue 4/16/13 | Project Manager
2.2 | Define Project Statement | Wed 4/17/13 | Wed 5/8/13 | Project Manager
2.3 | Define Human Resources Plan | Thu 5/9/13 | Thu 5/9/13 | Project Manager, System Architect, Functional Managers, HR Rep
2.4 | Develop Project Plan | Fri 5/10/13 | Fri 5/31/13 | Project Manager
2.5 | Define Work Breakdown Structure | Mon 6/3/13 | Fri 6/14/13 | Project Manager
2.6 | Define Project Estimates | Mon 6/17/13 | Fri 6/21/13 | Project Manager
2.7 | Develop Quality Assurance Plan | Mon 6/24/13 | Wed 6/26/13 | Quality Focal
2.8 | Develop Measurement Plan | Thu 6/27/13 | Fri 6/28/13 | Measurement Focal
2.9 | Develop Communication Plan | Mon 7/1/13 | Fri 7/5/13 | Project Manager
2.10 | Planning Complete (Milestone) | Fri 7/5/13 | Fri 7/5/13 | Core Team

WBS | Task Name | Start | Finish | Resource Names
3 | Requirements Definition | Mon 7/8/13 | Fri 8/2/13 |
3.1 | Gather Owner Requirements | Mon 7/8/13 | Fri 8/2/13 | System Architect, Business Manager
3.2 | Gather User Requirements | Mon 7/8/13 | Fri 8/2/13 | Customer Focals
3.3 | Gather Security Requirements | Mon 7/8/13 | Fri 8/2/13 | Security Analyst
3.4 | Gather Development Requirements | Mon 7/8/13 | Fri 8/2/13 | System Architect
3.5 | Gather Facility Requirements | Mon 7/8/13 | Fri 8/2/13 | DCM

WBS | Task Name | Start | Finish | Resource Names
4 | Preliminary Design | Mon 8/5/13 | Fri 12/6/13 |
4.1 | End-User Devices | Mon 8/5/13 | Fri 8/23/13 | Enterprise SME's, System Architect
4.2 | Pre-Production (Lab) Components | Mon 8/26/13 | Fri 9/13/13 | System Architect, Lab Lead, Enterprise SME's
4.3 | Production (Data Center) Components | Mon 9/16/13 | Fri 10/4/13 | System Architect, DCM, Enterprise SME's
4.4 | Enterprise Service Integration | Mon 10/7/13 | Fri 10/25/13 | System Architect, Enterprise SME's
4.5 | Change Management | Mon 10/7/13 | Fri 10/25/13 | Project Manager, Change Lead
4.6 | Configuration Management | Mon 10/28/13 | Fri 11/15/13 | CM Focal, Project Manager
4.7 | Monitoring and Alerting | Mon 11/18/13 | Fri 12/6/13 | Enterprise SME's, Security Analyst
4.8 | Preliminary Design Review (Gate #2) | Fri 12/6/13 | Fri 12/6/13 | Executive Sponsor, Core Team

WBS | Task Name | Start | Finish | Resource Names
5 | Design Finalization | Mon 12/9/13 | Fri 4/11/14 |
5.1 | End-User Devices | Mon 12/9/13 | Fri 12/27/13 | Enterprise SME's, System Architect
5.2 | Pre-Production (Lab) Components | Mon 12/30/13 | Fri 1/17/14 | System Architect, Enterprise SME's, Lab Lead
5.3 | Production (Data Center) Components | Mon 1/20/14 | Fri 2/7/14 | DCM, Enterprise SME's, System Architect
5.4 | Enterprise Service Integration | Mon 2/10/14 | Fri 2/28/14 | Enterprise SME's, System Architect
5.5 | Change Management | Mon 2/10/14 | Fri 2/28/14 | Change Lead, Project Manager
5.6 | Configuration Management | Mon 3/3/14 | Fri 3/21/14 | CM Focal, Project Manager
5.7 | Monitoring and Alerting | Mon 3/24/14 | Fri 4/11/14 | Enterprise SME's, Security Analyst
5.8 | Critical Design Review (Gate #3) | Fri 4/11/14 | Fri 4/11/14 | Executive Sponsor, Core Team

WBS | Task Name | Start | Finish | Resource Names
6 | Development and Test | Mon 4/14/14 | Fri 7/4/14 |
6.1 | Generate Test Plans | Mon 4/14/14 | Tue 4/29/14 | Customer Testers, IT System Admins, Security Analyst, System Architect
6.2 | Build Out of End-User Devices | Wed 4/30/14 | Mon 5/5/14 | Enterprise SME's, System Architect
6.3 | Pre-Prod (Lab) Installation | Tue 5/6/14 | Mon 6/2/14 | Lab Lead, System Architect
6.4 | Execute Test Plans | Tue 6/3/14 | Mon 6/23/14 | Customer Testers, IT System Admins, Red Team, VA Testers
6.5 | Mitigate Findings | Tue 6/24/14 | Tue 6/24/14 | IT System Admins, Security Analyst, System Architect
6.6 | Re-Test (If Needed) | Wed 6/25/14 | Tue 7/1/14 | Customer Testers, IT System Admins, Red Team, VA Testers
6.7 | Prepare for PRR | Wed 7/2/14 | Fri 7/4/14 | Project Manager
6.8 | Production Readiness Review (Gate #4) | Fri 7/4/14 | Fri 7/4/14 | Executive Sponsor, Core Team

WBS | Task Name | Start | Finish | Resource Names
7 | Implementation | Mon 7/7/14 | Fri 12/5/14 |
7.1 | Capital Process | Mon 7/7/14 | Fri 8/15/14 | Finance Focal, System Architect
7.2 | Expense Process | Mon 7/7/14 | Fri 8/15/14 | Finance Focal, System Architect
7.3 | Change Management | Mon 7/7/14 | Fri 7/11/14 | IT System Admins, Change Lead
7.4 | Configuration Management | Mon 7/7/14 | Fri 7/11/14 | IT System Admins, CM Focal
7.5 | Build and Deploy End-User Devices | Mon 8/18/14 | Fri 8/22/14 | IT System Admins, System Architect
7.6 | Data Center 1 Installation | Mon 8/18/14 | Fri 9/12/14 | DCM, IT System Admins, System Architect
7.7 | Data Center 2 Installation | Mon 8/18/14 | Fri 9/12/14 | DCM, IT System Admins, System Architect
7.8 | Enterprise Service Integration | Mon 9/15/14 | Fri 10/3/14 | Enterprise SME's, System Architect
7.9 | Establish Monitoring and Alerting | Mon 10/6/14 | Fri 10/10/14 | IT System Admins, Security Analyst
7.10 | Integrate Customers | Mon 10/13/14 | Fri 12/5/14 | Customer Focals, IT System Admins
7.11 | Implementation Complete (Milestone) | Fri 12/5/14 | Fri 12/5/14 | Core Team

WBS | Task Name | Start | Finish | Resource Names
8 | Close Out | Mon 12/8/14 | Fri 12/19/14 |
8.1 | Perform Lessons Learned Study | Mon 12/8/14 | Thu 12/11/14 | Project Manager
8.2 | Complete Project Completion Report | Fri 12/12/14 | Thu 12/18/14 | Project Manager
8.3 | Closeout Charge Number and Activity ID's | Fri 12/19/14 | Fri 12/19/14 | Finance Focal
8.4 | Project Closure (Gate #5) | Fri 12/19/14 | Fri 12/19/14 | Executive Sponsor, Core Team

Budget and Financial Support

Financing the SCE project involves approval at the Chief Financial Officer (CFO) level. The project was rated a Priority 1 project which is the highest that can be attained. Direct and indirect funding is required for the SCE project. The following is a breakdown of the SCE budget and the timing required for each outlay.

Item | Type | Amount | Month(s) Needed
Hardware - (Routers, Servers, etc.) | Direct\Capital | $500,000 | August 2014
Software - (VMware, Microsoft, etc.) | Direct\Expense | $200,000 | August 2014
Labor – ($100/hr estimate) | Direct | $1,000,000 | Spread over All Months
Material | Direct\Expense | $50,000 | August 2014
Facility Costs – Utilities, | Indirect | $50,000 | Spread over All Months
Management Reserve | Direct | $200,000 | N/A

Testing of Deliverables

A set of detailed Test Plans will be created during the Development and Test work package. Test plans will cover the following components: end-user devices, hardware installation, software functionality, monitoring and alerting, high availability (fail-over tests), disaster recovery scenarios, vulnerability assessments and penetration tests.

These test plans will be executed once the pre-production environment (in the lab environment), which will mimic production, is completely installed. The following table provides additional detail regarding execution of these test plans.

WBS | Task Name | Start | Finish | Resource Names
6.4 | Execute Test Plans | Tue 6/3/14 | Mon 6/23/14 | Customer Testers, IT System Admins, Red Team, VA Testers
6.4.1 | End-User Devices | Tue 6/3/14 | Tue 6/3/14 | System Architect, Customer Testers
6.4.2 | Hardware Installation | Wed 6/4/14 | Wed 6/4/14 | System Architect, IT System Admins
6.4.3 | Software Functionality | Thu 6/5/14 | Thu 6/5/14 | Customer Testers, IT System Admins, System Architect
6.4.4 | Monitoring and Alerting | Fri 6/6/14 | Fri 6/6/14 | IT System Admins, Security Analyst
6.4.5 | Disaster Recovery | Mon 6/9/14 | Mon 6/9/14 | IT System Admins, System Architect
6.4.6 | Perform Vulnerability Assessments | Tue 6/10/14 | Mon 6/16/14 | VA Testers
6.4.7 | Perform Penetration Testing | Tue 6/17/14 | Mon 6/23/14 | Red Team

If findings are uncovered during these test plans, CR’s will be generated and the appropriate changes made to eliminate any issues. Once all CR’s are complete, an additional round of testing will commence.

Change Control Plan

A weekly change control board will be established for the SCE project. This board will be chaired by the Change Focal and all Core Team members will be invited to this meeting. Any change requests that could impact the schedule, cost, requirements or planned implementation will require a Change Record (CR) to be entered using the change management tool and will need to be voted on in the change board meeting. If a proposed change cannot wait for the next weekly board meeting, a vote may be taken by email after the Change Record (CR) has been entered into the change management tool.

If the change board approves the CR, the recommended change must still be approved by the Project Sponsor before being implemented into the system. Once the change has been implemented, any affected documentation under configuration management will be updated accordingly.

Work Review Plan

The SCE project will hold a weekly core team meeting to discuss schedule and cost performance metrics, issues, help needed items and other special topics. The core team includes: the Executive Sponsor, Business Manager, Project Manager, System Architect, Security Architect, Customer Focals, Functional Managers, Change Management Lead, and the Configuration Management Focal.

The Schedule Performance Index (SPI) and Cost Performance Index (CPI) will be computed by the Project Manager on a weekly basis and presented at the core team meeting. Significant dips in the SPI or CPI will be discussed and an attempt will be made in the meeting to determine the cause and mitigate the issue.

All projects within the company leverage Clarity as the standard project and portfolio management tool. Updates to the Clarity plates will also be performed in this weekly core team meeting to ensure significant accomplishments, new issues, new risks and any help needed items are captured and reported out to management.

A monthly project update will be given to the Executive Sponsor and schedule, cost and performance will be discussed in detail. The project plan will also be updated to reflect the status of all tasks at the moment the review is held.

Documentation

The following documents will be produced to satisfy the various gate reviews:

Document | Gate Assigned
Risk Management Analysis | Opportunity Evaluation
Feasibility Study | Opportunity Evaluation
Project Statement | Preliminary Design Review
Project Plan | Preliminary Design Review
Communication Plan | Preliminary Design Review
Preliminary Requirements | Preliminary Design Review
Detailed Requirements | Critical Design Review
Technology Infrastructure | Critical Design Review
Threat Model Analysis | Critical Design Review
Installation Documents | Production Readiness Review
Operational Level Agreement | Production Readiness Review
Service Level Agreement | Production Readiness Review
Technical Monitoring Plan | Production Readiness Review
Security Compliance Checklist | Production Readiness Review
Corporate Compliance Checklist | Production Readiness Review
Vulnerability Assessments | Production Readiness Review
Penetration Testing Results | Production Readiness Review
Lessons Learned Study | Project Closure

Implementation

Once the Production Readiness Review gate is completed, purchase orders for the capital and expense items for production will be released. Hardware and software will then be received and installed into the two Data Centers and the SCE enclave will have been built. While waiting for the hardware to be received, several processes will be established (i.e., change management and configuration management). Once the enclave hardware and software are installed, integration with the Enterprise services is established, and monitoring and alerting are set up, the SCE enclave will be ready to receive its first customers.

The System Architect, Customer Focals and other key members of the core team will provide overview briefings and key documentation regarding the concept of operations within the SCE enclave to new customers. The customers will be shown how to perform design activities and how to store key data within the SCE environment. Customer Testers who were involved in the development and test work package (WBS 6.0) will also be available to train new users within their particular work area.

Section 3.4 depicts the major tasks involved with the implementation work package. As one can see, integration of customers into SCE will run from October through December of calendar year 2014.

Economic Justification

This section is really not applicable.

The SCE enclave is not replacing any similar solution. In fact, this enclave is a first of its kind on the corporate network. It will be providing a new environment to protect design data and documents that otherwise would have to rely on far fewer controls residing on the corporate intranet and would therefore be vulnerable to the APT’s we face.

When one compares the cost of implementing the SCE enclave (approximately $2.0 million in direct costs, including labor) with the potential results of terabytes' worth of valuable, proprietary design data and documentation being siphoned off our corporate network and used against us, the economic justification becomes pretty clear.

Studies are done yearly analyzing the cost of a single data breach. Last year the most expensive data breach event cost a company nearly $31 million to resolve. The least expensive total cost of a data breach for a company was $750,000. The impact to a company’s reputation can be hard to quantify.

Areas of Uncertainty and Risk

Risk items will be tracked on a weekly basis and presented at the weekly SCE core team meeting. Risk worksheets like the one shown in Figure 5 will be used to present the risk and the risk reduction plan.

Figure 5 – Risk Worksheet

Section 1.5 of this document presented six areas of uncertainty and risk: resource availability, changing requirements, use of emerging technologies, high complexity, scalability and security.

Various contingency plans will be introduced to ensure none of these items cause a significant delay in schedule or introduce potential work failure should they occur.

Risk | Contingency Plan
Resource Availability | Close monitoring of SPI, Functional Managers will provide additional resources to cover various skillsets
Changing Requirements | Change process and subsequent approvals, Delay of additional requirements to future phases of SCE
Emerging Technologies | Formal training with vendors or Enterprise SME’s, On Site vendor consultation in the lab environment
High Complexity | Formal training with vendors or Enterprise SME’s, On Site vendor consultation in the lab environment
Lack of Scalability | Time sharing (if required), Reserve in the long range business plans for additional capital
Security Breach | Detailed monitoring and alerting, Close communications with Enterprise cyber security response team to improve new threat vector awareness

Implementation of Internal IT Controls and Compliance

The SCE enclave will not be put into production until several internal IT controls and compliance requirements are met. In fact, review of these requirements will be performed during the Production Readiness Review (PRR) and must be verified before that gate is considered closed.

The following controls and compliance requirements are considered in scope for SCE and the appropriate corporate policy is noted:

Requirement | Corporate Policy
Configuration Management | PRO-1268, Configuration Management Requirements and Objectives
Enterprise Architecture | PRO-6919, Enterprise Information Technology Architecture
IT Infrastructure | PRO-6921, Information Technology Infrastructure
IT Preparedness | PRO-6651, Business Continuity Management
Information Protection | PRO-2227, Information Protection
Information & Application Security | PRO-2227, Information Protection
Corporate Identity | PRO-42, Corporate Identity Program
COTS | PRO-9, Proper Contacts with Suppliers

Communication Plan

Project Audience

Group | Participants
SCE Core Team | Executive Sponsor, Business Manager, Project Manager, System Architect, Security Architect, Customer Focals, Functional Managers, Change Lead, CM Focal
Customers | Customer Focals, Customer Testers, Customers
IT | System Architect, Functional Managers, IT System Admins, Enterprise SME’s
IS | Security Architect, VA testers, Red Team
Facilities | DCM Staff, Lab Lead
Other Depts | Finance Focal, HR Rep, Technical Writer, Change Lead, CM Focal

Group | Interests | Expectations
SCE Core Team | All Project Activities | A successful project
Customers | Functionality, Performance | A working enclave
IT | Enclave Performance | A stable, functioning enclave
IS | Security Assurance | A secure enclave
Facilities | Facility Integration | A clean integration
Other Depts | Providing Support to SCE | Small time commitments

Information Needs

The standard meetings held to discuss the SCE project include the weekly core team meeting, the monthly customer brief, and the monthly sponsor brief. During the test and implementation phases of the project, the team will also hold daily tag up meetings to ensure the team remains focused on the daily installation and configuration responsibilities. Throughout the project, special topic meetings will be held to focus on one particular area of interest and will be attended by those related to the topic.

All of these meetings will be held using WebEx and a teleconference as the team is geographically dispersed. The Project Manager will host and facilitate these standard meetings. The daily tag up meetings will be hosted by the System Architect and the special topic meetings will be held by the team member who called the meeting.

During these meetings, notes will be recorded by the Project Manager and posted on the SharePoint site for those unable to attend. Decisions will also be captured and posted on the team’s SharePoint site.

Outside of the meetings, email, voicemail and instant messaging will be available to prepare for or follow up on a meeting item.

Communication Event | Communicator | Channel
Daily Tag Up | Project Manager | WebEx/Telecon, Meeting Minutes, Decision Records on SharePoint
Weekly Core Team Meeting | Project Manager | WebEx/Telecon, Meeting Minutes, Decision Records on SharePoint
Weekly Change Board | Change Lead | WebEx/Telecon
Monthly Customer Brief | Project Manager | WebEx/Telecon
Monthly Sponsor Brief | Project Manager | WebEx/Telecon
Special Topic Meetings | Meeting Organizer | WebEx/Telecon

Communications will flow between the Employees, Functional Managers, Project Manager, Customers, and Executive Sponsor as depicted in Figure 6.

Formal meetings with the customer will be done by the Executive Sponsor and the Leadership Team, whereas status and project tasks involving the customer will be performed by the Project Manager. The customer will provide feedback to both the Executive Sponsor and the Project Manager.

Employees will take direction from and provide feedback to both their Functional Managers and the Project Manager. Functional Managers will work closely with the Project Manager to ensure the appropriate resources are directed at the tasks and that the schedule is being met.

[Diagram: Customer, Executive Sponsor, Project Manager, Functional Managers, Employees]

Figure 6 – Communication Channels

Communications Calendar

A standard cadence will be used for the meetings scheduled for the SCE project. Weekly Core Team Meetings and Change Board Meetings will occur for the duration of the project. Monthly briefs will be given to the Customer group as well as the Sponsor. Special topic meetings will occur as new issues or concerns arise and will be scheduled when required. Daily tag up meetings will occur during the Test & Implementation phases only to ensure installations occur on time and daily focus is maintained.

Communication Event | Frequency
Daily Tag Up (Test & Implementation Phases Only) | Mon, Wed, Fri @ 8:00 AM
Weekly Core Team Meeting | Tue @ 10:00 AM
Weekly Change Board Meeting | Thu @ 10:00 AM
Monthly Customer Brief | 1st Tue of Month @ 2:00 PM
Monthly Sponsor Brief | 1st Thu of Month @ 2:00 PM
Special Topic Meetings | When Required

Format/Delivery

The various communication events to be held during the SCE project are listed below.

Communication Event | Delivery
Daily Tag Up (Test & Implementation Phases Only) | Mon, Wed, Fri @ 8:00 AM
Weekly Core Team Meeting | Tue @ 10:00 AM
Weekly Change Board Meeting | Thu @ 10:00 AM
Monthly Customer Brief | 1st Tue of Month @ 2:00 PM
Monthly Sponsor Brief | 1st Thu of Month @ 2:00 PM
Special Topic Meetings | When Required

The Weekly Core Team meeting will leverage a standard template that records attendance, agenda items, action items and the minutes taken during the meeting. This standard template will be used for every meeting so team members are familiar with the formatting and have a way of catching up if they happened to miss a meeting.

The Weekly Change Board will leverage the same standard template as the Weekly Core Team meeting and the meeting will also focus on the Change Management Tool and its use to discuss specific CR’s.

The Monthly briefs will leverage a standard PowerPoint deck with agenda items that are regularly used so the recipients understand the format and what content to expect. The Sponsor Brief will contain SCE team performance metrics (CPI and SPI), whereas the Customer Brief will contain generic team performance and more customer-facing topics.

The Special Topic Meetings will be more free-flowing and will leverage whatever format is appropriate for the particular topic being discussed. This could be a Visio diagram, PowerPoint deck, or a Word document representing the issue or topic at hand.

The Daily Tag Up meeting will leverage a four-panel chart in the format shown in Figure 7. This format will ensure the team stays focused on the daily tasks at hand, yet has access to availability, help needed items and future tasks to be worked.

Figure 7 – Four-Panel Chart

Approvals

The approval process will be required for any change impacting schedule, cost or quality (or scope). Changes must be approved by the SCE change board and then by the project sponsor before being implemented. Once the change is implemented, any corresponding documents that are affected by the change and under configuration management will be updated accordingly.

Proposed changes not impacting schedule, cost or quality must only be approved by the SCE change board. Once the change is implemented, any corresponding documents that are affected by the change and under configuration management will be updated accordingly.

Proposed changes that cannot wait for the weekly change board meeting will be entered as a change request in the change management tool and voted upon using email.

By capturing a change request when recommended changes to the system are needed, all changes will be captured and can be used to assist with troubleshooting should an issue arise.

Escalation

Risk items will be tracked on a weekly basis and presented at the weekly SCE core team meeting. The standard risk worksheet shown in Figure 5 will be leveraged and presented by the Project Manager at the Core Team Meeting. Actions resulting from the discussion of the risk item will be tracked by the Project Manager and status given at the SCE Core Team meetings.

The Core Team will need to agree upon the level of the concern and the data entered on the risk worksheet. The team will work together in the Core Team Meeting to discuss the issue and collaborate on possible mitigations. Risk items will also be gathered using the Clarity Project and Portfolio Management tool where visibility will be given to the Leadership team and the Executive Sponsor.

The standard PowerPoint deck used by the Project Manager to update the Executive Sponsor will contain the open risk worksheets so visibility can be raised to the Sponsor.

Contact Information

Members of the SCE project are listed in Section 3.3. Contact information for all team members is listed below to facilitate communication on the team.

Note: I cannot list the contact information recommended as it is sensitive information that I cannot give out. However, I will populate the table with the requested columns…

Name | Address | Office | Cell | Pager | Home | Email Address
Bill Childs
Kathy Crowell
Murray Cappel
Jon Owens
Paul Dodd
Ron Smith
Eric Yi
Dottie Meyer
Aldous Yee
Todd Smith
Richard Ginter
Mark Humphrey
Jonathan Brach
Ton Do
Gene Lanzi
Steph Davis
Ed Ott
Tom Thomas
Dale Beverly
Eric Leonard
Others…

CappelMurray-CappelMurray-EMIS7365-MPP-20130423 (1) Printed On: 1/30/2014 Page 10 of 24
