Smart Card Implementation “Project Management and Implementation Best

Practices”

Smart Card Implementation “Project Management and Implementation Best

Practices”

Chris Cikanovich,Director of Government Programs

June 4, 2002

Chris Cikanovich,Director of Government Programs

June 4, 2002

2

Topics of DiscussionTopics of Discussion

• Implementation of a formal “Process Plan”– Phase I – Strategy– Phase II – Definition– Phase III – Design– Phase IV – Development– Phase V – Integration– Phase VI - Development

• Implementation of a formal “Process Plan”– Phase I – Strategy– Phase II – Definition– Phase III – Design– Phase IV – Development– Phase V – Integration– Phase VI - Development

3

Implement Process PlanImplement Process Plan

- Business Requirements

- Functional Requirements

- Budget definition

- Subcontractor selection

- Subcontractor Agreements

- Project Management Plan

- Define project team

- High Level Design/ Design Specs

- Functional Specification

- Low Level Design

- Test Plan

- QA Plan

- Coding

- Unit Tests

- Documentation (user Manual, quick start guide, trouble shooting guide)

- Integration Tests

- System Tests

- Acceptance Testing

- Support team Training

- Pilots

- Help desk / Customer Service

- Platform Maintenance

- Product Release

- Delivery

DefinitionPhase II

DesignPhase III

DevelopmentPhase IV

IntegrationPhase V

DeploymentPhase VI

- Define value proposition

- Define project objectives

- Create estimated budget

-Obtain management approval

StrategyPhase I

4

Phase I - StrategyPhase I - Strategy

• Objective: – Program Value Proposition– Program Objectives– Project Budget– Management Approval

• Objective: – Program Value Proposition– Program Objectives– Project Budget– Management Approval

5

Defining The Value PropositionDefining The Value Proposition

– Financial• Off-line payment• Reducing fraud• Cashless payment• Web-based

transactions

– GSM• Network

authentication• Remote application

download• Store preferences

and user profile data

– Financial• Off-line payment• Reducing fraud• Cashless payment• Web-based

transactions

– GSM• Network

authentication• Remote application

download• Store preferences

and user profile data

– Loyalty• Strengthening the

merchant/consumer relationship by offering purchase incentives

– Loyalty• Strengthening the

merchant/consumer relationship by offering purchase incentives

Smart card technology addresses the value proposition from multiple directions

6

Defining The Value PropositionDefining The Value Proposition• The value proposition for implementing ID security programs is based on the cost of “non-security”

and loss or compromise of critical information or unauthorized access to specific locations– Loss of critical information

• Classified information• R&D data• Customer data• Financial statements• Human Resource data

– Unauthorized access to locations• Government/Commercial facilities• Unauthorized access to critical information• Regions (US Territory or other government property)

– “Unknown” Cyber Attacks• No immediate evidence of the attack provides the hacker time to “guide” through ones

organization– Alter permissions to physical and logical access systems– Obtain employee personal information– Copy, alter or delete end user information through networked PCs– Copy, alter or delete end user information through dial-up services

• The value proposition for implementing ID security programs is based on the cost of “non-security” and loss or compromise of critical information or unauthorized access to specific locations

– Loss of critical information• Classified information• R&D data• Customer data• Financial statements• Human Resource data

– Unauthorized access to locations• Government/Commercial facilities• Unauthorized access to critical information• Regions (US Territory or other government property)

– “Unknown” Cyber Attacks• No immediate evidence of the attack provides the hacker time to “guide” through ones

organization– Alter permissions to physical and logical access systems– Obtain employee personal information– Copy, alter or delete end user information through networked PCs– Copy, alter or delete end user information through dial-up services

The ROI is not necessarily based on increasing revenue, however,

based on the fact that you have eliminated the ability for unauthorized

users to gain access to mission critical information

7

Outline Project ObjectivesOutline Project Objectives

• Define the clear program goals/objectives – Create a mission statement for your project which

reinforces the overall objective

• Determine the overall investment objective and start with mission critical systems – If budget constraints exist define the system components

that are most critical to ensuring the program goals/objectives are met

• Define the clear program goals/objectives – Create a mission statement for your project which

reinforces the overall objective

• Determine the overall investment objective and start with mission critical systems – If budget constraints exist define the system components

that are most critical to ensuring the program goals/objectives are met

8

Phase II - DefinitionPhase II - Definition

• Objective: – Define project scope– Define project team

• Outline roles & responsibilities– Select technology providers, required

subcontractors and execute appropriate agreements

– Define functional requirements– Develop project management plan

• Objective: – Define project scope– Define project team

• Outline roles & responsibilities– Select technology providers, required

subcontractors and execute appropriate agreements

– Define functional requirements– Develop project management plan

9

Identify Project Team and Site LeadersIdentify Project Team and Site LeadersProject Lead

(Individual, Service, AgencyOr Government Body

Project Lead(Individual, Service, Agency

Or Government Body

Supplier Manager

Supplier Manager

• Contracts• Deliverables

• Contracts• Deliverables

Card Production

Card Production

•Card Body Requirements• Testing (PhysicalAccess and PKI)• Manufacturing• Fulfillment

•Card Body Requirements• Testing (PhysicalAccess and PKI)• Manufacturing• Fulfillment

Reader andInstall

Reader andInstall

• Functional and technical specs.• Distribution/Installation

• Functional and technical specs.• Distribution/Installation

PKI Implementation

PKI Implementation

• Integration • Implementation

• Integration • Implementation

PhysicalAccess

PhysicalAccess

• Technology• Implementation• Badging Station

• Technology• Implementation• Badging Station

IssuanceStations

IssuanceStations

• Define locations• Integration with CMS, AMS, KMS and Directory Services

• Define locations• Integration with CMS, AMS, KMS and Directory Services

10

Project Management Roles & ResponsibilitiesProject Management Roles & Responsibilities

• The following are the absolute requirement for a successful project (even when managed internally)– Ensure there is project dedication from management oversight

(corporate, Service, Agency or local government)• IT projects are complex and without objectives, dedication,

commitment from corporate management, IT projects can become expensive programs

– Assign overall project manager• For multi-location programs assign site leaders who report to

the overall project manager and coordinate all project and user communication for those individual sites

– Strong program and project management disciplines– Well defined responsibilities for key personnel (CTO, MIS Manager,

Security Officer, Human Resource Manager, etc)

• The following are the absolute requirement for a successful project (even when managed internally)– Ensure there is project dedication from management oversight

(corporate, Service, Agency or local government)• IT projects are complex and without objectives, dedication,

commitment from corporate management, IT projects can become expensive programs

– Assign overall project manager• For multi-location programs assign site leaders who report to

the overall project manager and coordinate all project and user communication for those individual sites

– Strong program and project management disciplines– Well defined responsibilities for key personnel (CTO, MIS Manager,

Security Officer, Human Resource Manager, etc)

11

Identify Technology SuppliersIdentify Technology SuppliersInfrastructureInfrastructure IntegrationIntegration ImplementationImplementation Life Cycle SupportLife Cycle Support

Des

crip

tion

• PKI

• Physical Access

• Smart Cards

• Smart Card Readers

• ID issuance stations

• Connectivity

• Card/Application management system

• PKI/LDAP

• Server components

• ID issuance components

• Deployment

• ID issuance process

• Help Desk

Part

ners

• Baltimore

• Entrust

• VeriSign

• DST

• FDR

• TSYS

• DataCard

• SchlumbergerSema

• Oberthur

• Gemplus

• Identicard

• Identix

• ActivCard

• PKI Provider

• In-House

• EDS

• Northrop Grumman

• Maximus

• SchlumbergerSema

• In-House

• Outsourced Call Center

• PKI Provider

• In-House

• EDS

• Northrop Grumman

• Maximus

• SchlumbergerSema

12

Project Management PlanProject Management Plan

• Your project management plan should outline:– Duration for the overall project and individual

design, development, integration, testing and deployment phases

– Responsible party for the delivery of the individual phases

– All key milestones and dependencies for the individual phases

– Project resource requirements and constraints

• Your project management plan should outline:– Duration for the overall project and individual

design, development, integration, testing and deployment phases

– Responsible party for the delivery of the individual phases

– All key milestones and dependencies for the individual phases

– Project resource requirements and constraints

13

Functional RequirementsFunctional Requirements• Your functional requirements outline the feature set

for the individual products, applications or systems required including:– PKI– Issuance station– Physical access solution– Logical access solution– LDAP services– Issuance process– Card Management System

• Your functional requirements outline the feature set for the individual products, applications or systems required including:– PKI– Issuance station– Physical access solution– Logical access solution– LDAP services– Issuance process– Card Management System

14

Phase III DesignPhase III Design• Objective:

– Understand the current user/technology infrastructure

– Create design specification• Outline the solution architecture• Understand the current user environment

– Create functional specification– Outline/implement test plan

• Objective: – Understand the current user/technology

infrastructure– Create design specification

• Outline the solution architecture• Understand the current user environment

– Create functional specification– Outline/implement test plan

15

Defining The ArchitectureDefining The Architecture• Create project plan for each critical system• Create architectural diagrams for all systems• Clearly outline and understand where all systems interact and the

impact on each system– Network– Physical access– CMS (Card Management System)– PKI (secure room environment for CA/RA services)– Directory Services (LDAP)– Redundancy Systems

• Define any systems/services which will be outsourced and how that system will integrate within your environment

• Define all security policies associated with:– Physical access– Card, Application and Key management

• Create project plan for each critical system• Create architectural diagrams for all systems• Clearly outline and understand where all systems interact and the

impact on each system– Network– Physical access– CMS (Card Management System)– PKI (secure room environment for CA/RA services)– Directory Services (LDAP)– Redundancy Systems

• Define any systems/services which will be outsourced and how that system will integrate within your environment

• Define all security policies associated with:– Physical access– Card, Application and Key management

16

Understanding The Current EnvironmentUnderstanding The Current Environment

• ID Issuance process– Physical location (impact of new technologies based on the current

environment)– Does the current card body support new technologies such as

integrated chips and have characteristics that ensure card body durability

• PC Platforms – 98, 2000, NT4, XP, etc?– Impact – smart card reader devices (USB support not provided under

NT4)– Browser support – Integration of smart card support (implementation of

required middleware software)– e-Mail support – Does the current “corporate” standard provide

interfaces for signature and encryption capability

• ID Issuance process– Physical location (impact of new technologies based on the current

environment)– Does the current card body support new technologies such as

integrated chips and have characteristics that ensure card body durability

• PC Platforms – 98, 2000, NT4, XP, etc?– Impact – smart card reader devices (USB support not provided under

NT4)– Browser support – Integration of smart card support (implementation of

required middleware software)– e-Mail support – Does the current “corporate” standard provide

interfaces for signature and encryption capability

17

• Physical access – Is there an existing system?– Proprietary or based on WIGEN standard (backend communication

protocol for physical access systems)?– If proprietary – can the card body support chip technology and post

printing processes (example: MAT finishes typically result in poor post printing quality)

– Reader interface• Does the reader interface both with the required Contactless

technology and the back-end protocol (typically Wiegand)

• Physical access – Is there an existing system?– Proprietary or based on WIGEN standard (backend communication

protocol for physical access systems)?– If proprietary – can the card body support chip technology and post

printing processes (example: MAT finishes typically result in poor post printing quality)

– Reader interface• Does the reader interface both with the required Contactless

technology and the back-end protocol (typically Wiegand)

Understanding The Current EnvironmentUnderstanding The Current Environment

Panel

Door Readers

(Contactless card –Mifare, HID, etc.)

Imaging System (Badges)

Access ServerRights and Policies

RS-232/485 converter

Standard Wiegand Output

18

Phase IV - DevelopmentPhase IV - Development• Objective:

– Develop or modify any core technology/software that is required to complete the implementation of your system

• Card Management System• Client Middleware• Install wizard (client installation package for

middleware software, reader drivers, etc)

• Objective: – Develop or modify any core technology/software that

is required to complete the implementation of your system

• Card Management System• Client Middleware• Install wizard (client installation package for

middleware software, reader drivers, etc)

19

Phase V - IntegrationPhase V - Integration

• Objective:– Integration of core software/hardware

components• LDAP (Directory services with key systems

such as HR, Payroll, Physical Access) • PKI Server components as required• Card Management System with LDAP

• Objective:– Integration of core software/hardware

components• LDAP (Directory services with key systems

such as HR, Payroll, Physical Access) • PKI Server components as required• Card Management System with LDAP

20

Example DiagramExample Diagram

PKI Engine (Intelligence Manager)

WebAccess

File encryption

ICE

Interface(CSP/PKCS)

CardManager

SecureE-mail

PC Card Reader

VPN PKISign-on

WebCMSTools

Java 2Plugin

21

Phase VI - DeploymentPhase VI - Deployment

• Objective: – Train user and customer support staff– Successfully deploy user components

• Smart Cards• Readers• Middleware software• Physical access systems• Issuance stations

– Define and establish customer/field support services (help desk)

• Objective: – Train user and customer support staff– Successfully deploy user components

• Smart Cards• Readers• Middleware software• Physical access systems• Issuance stations

– Define and establish customer/field support services (help desk)

22

TrainingTraining• Implementing a well defined end-user training program is key to a

successful project for several reasons– Provides an understanding of the purpose behind the

implementation (increased security, enhanced employee-based services through telecommunication via VPN, enhanced password management, physical access control to critical systems, etc.)

– Familiarizes the end-user with new technologies, terms and processes

– Increases end-user awareness of security policies and practices– Enforces the goal and objectives behind the initial project launch

• End users should be trained on all relevant aspects of the security system– Smart Card issuance process– Client software support– VPN access– “PKI 101”– Smart card reader installation/use– Security policies and procedures

• Implementing a well defined end-user training program is key to a successful project for several reasons– Provides an understanding of the purpose behind the

implementation (increased security, enhanced employee-based services through telecommunication via VPN, enhanced password management, physical access control to critical systems, etc.)

– Familiarizes the end-user with new technologies, terms and processes

– Increases end-user awareness of security policies and practices– Enforces the goal and objectives behind the initial project launch

• End users should be trained on all relevant aspects of the security system– Smart Card issuance process– Client software support– VPN access– “PKI 101”– Smart card reader installation/use– Security policies and procedures

23

Managing The DeploymentManaging The Deployment• Program management is key to deploying a successful smart card-

based corporate security solution• Define the program management team based on:

– Regions (North America, South America, Europe)– Regional Locations (States, Cities, etc.)– Campus locations– Buildings within individual locations

• Define deployment process– Card issuance (HR, Corporate Security, etc.)– Reader implementation (MIS Team)– Client Software deployment (Web Download, self install, MIS)

• Include the employee population in communications regarding events around deployment – Implement Intranet site to disseminate information– Impact on operations (if any)– Impact on operational policies and procedures

• Program management is key to deploying a successful smart card-based corporate security solution

• Define the program management team based on:– Regions (North America, South America, Europe)– Regional Locations (States, Cities, etc.)– Campus locations– Buildings within individual locations

• Define deployment process– Card issuance (HR, Corporate Security, etc.)– Reader implementation (MIS Team)– Client Software deployment (Web Download, self install, MIS)

• Include the employee population in communications regarding events around deployment – Implement Intranet site to disseminate information– Impact on operations (if any)– Impact on operational policies and procedures

24

Field SupportField Support

• Implement a formal “Field Support” guideline document that provides trouble shooting and technical support information for the employee population (physical document and web-based)

• For multi-national corporations, provide regional support that is capable of supporting procedures and operations unique to geographical regions

• For corporations who’s business relies on 24 hour services, support and communication, provide 24x5 technical support. If the budget is there provide 24x7 technical support– If technical support is outsourced ensure that the contracted party

are technology specialists within the PKI, VPN and IMS space.– Avoid contracting with “1-800” specialist that are not familiar with

your environment

• Implement a formal “Field Support” guideline document that provides trouble shooting and technical support information for the employee population (physical document and web-based)

• For multi-national corporations, provide regional support that is capable of supporting procedures and operations unique to geographical regions

• For corporations who’s business relies on 24 hour services, support and communication, provide 24x5 technical support. If the budget is there provide 24x7 technical support– If technical support is outsourced ensure that the contracted party

are technology specialists within the PKI, VPN and IMS space.– Avoid contracting with “1-800” specialist that are not familiar with

your environment

Communication and responsiveness are the key to quality field support

25

Contact information . . .Contact information . . .

Chris CikanovichSchlumberger NISDirector , Government Programs

Chris.Cikanovich@slb.com

Chris CikanovichSchlumberger NISDirector , Government Programs

Chris.Cikanovich@slb.com