… initiatives require bold solutions, and the Abu Dhabi Plan for 2030 represents an excellent opportunity to provide timely and cost-effective solutions that will help achieve the visionary goals of the Government's leadership, past and present. The Plan requires the Urban Planning Council to oversee the management of the Plan and ensure it remains on schedule and on budget. Beyond these fundamental needs, a number of other priorities have been incorporated into the overall Plan, making project management a particularly challenging enterprise. Moreover, because of the sensitivity of the performance data that is involved, it is vitally important that collaboration between affected stakeholders remains secure. Conventional approaches such as telephonic, postal or emailed exchanges are all vulnerable to delay and misinterpretation at best and compromise by others at worst. Therefore, the secure communications network envisioned in this study represents a useful framework in which to provide key stakeholders with access to the information they need when they need it, as well as providing varying levels of access to the system depending on specific user credentials and requirements. A summary of the research and important findings are presented in the concluding chapter, together with recommendations for future studies.
Table of Contents
Chapter 1: Introduction
Statement of the Problem
Purpose of Study
Importance of Study
Objectives of the Study
Scope of Study
Rationale of Study
Overview of Study
Chapter 2: Review of Related Literature
Chapter 3: Methodology
Data Collection
Calculations
Technical Information
Chapter 4: Results
Failure Analysis
Safety Analysis
Chapter 5: Discussion
Chapter 6: Conclusion, Recommendations and Future Research Suggestions
List of Tables
Table 1. Types of information security attacks
Table 2. Identifying relevant project performance metrics for the secure communications network
Table 3. Representative commercial software applications for PPM secure collaboration and data sharing
Table 4. Components of the solution's System Security Plan
Table 5. Risk assessment of Abu Dhabi's information technology resources
List of Figures
Figure 1. Conceptual design of the capital district looking southeast in Plan 2030
Figure 2. Project flow pursuant to Plan Abu Dhabi 2030: Urban Structure Framework Plan
Security Considerations in Portfolio Project Management Software for e-Government Applications
Chapter 1: Introduction
Recently, the Government of Abu Dhabi announced its ambitious Plan Abu Dhabi 2030: Urban Structure Framework Plan, representing a comprehensive plan for the development of the city of Abu Dhabi in coming years. This overarching plan is intended to guide the planning and decision-making process for policymakers for the coming decades. In addition, the Government of Abu Dhabi also announced the establishment of a new Urban Planning Council that is tasked with the oversight of the plan's implementation as well as the additional development of the corresponding urban planning policy (Plan Abu Dhabi 2030, 2010). The promotional literature for the plan states that the initiative was created in response to the vision of His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the UAE and Ruler of Abu Dhabi, based on the need to continue the achievement of the grand design originated by the late Sheikh Zayed bin Sultan Al Nahyan as well as to respond to the needs of the dynamic Abu Dhabi in its expanding role as a global capital city (Plan Abu Dhabi 2030, 2010). The Plan contains ten policy statements that contain relevant specifications for a wide range of specific project performance measures, including land uses, building heights and transportation plans; these ten policy statements articulate the Government's goals for the entire metropolitan area of Abu Dhabi pursuant to the Plan. By 2030, the Plan projects the city's population to increase to more than 3,000,000 residents. In response to this growth, the Plan also includes provisions for expanded new areas of Emirati housing that are based on traditional family structures of local communities; in addition, a wide range of housing alternatives at differing price ranges is being integrated as a priority for the Plan as shown in Figure __ below (Plan Abu Dhabi 2030, 2010).
Figure 1. Conceptual design of the capital district looking southeast in Plan 2030
Source: Urban Structure Framework Plan, 2010 at http://gsec.abudhabi.ae/Sites/GSEC/Content/EN/PDF/Publications/plan-abu-dhabi-mandate-and-executive-summary, property=pdf.pdf
The ambitious plans articulated in Plan 2030 are being implemented during a period in the city's development that is also characterized by significant events in the marketplace that may introduce some constraints to progress or otherwise affect the management of the project. For example, in his description of the Plan, Williams emphasizes that, "Being a net lender rather than a borrower has enabled Abu Dhabi to cushion its economy against the global recession. Despite all these great fundamentals to show Abu Dhabi as the perfect place to invest, there will be the worry amongst property investors that it will jump on the bandwagon, creating an over-supply of property and little thought to its development plan" (2009, p. 30). On the one hand, the Plan was formulated in large part to respond to these marketplace forces. In this regard, Williams notes that, "Dubai has experienced an over-supply of property, causing prices to freefall in a recession whilst its citizens can do nothing but sit in traffic on Sheikh Zayed road and watch. Investors will be cautious that they are not caught out again; because Abu Dhabi helped fund a large part of Dubai's construction boom, though, they have sat back and made notes as the skyscrapers penetrated the clouds. The result has been the creation of Plan Abu Dhabi 2030, a grand master plan dictating the development of Abu Dhabi city in considerable detail" (Williams, 2009, p. 30). On the other hand, though, even the bold vision articulated in the Plan may not be adequate to meet the city's current, short- and long-term needs. For example, Williams adds that, "Despite projections that the population of Abu Dhabi will rise from more than one million to more than three million by 2030, the city of Abu Dhabi is being built to incorporate expected demand; however, developers cannot build fast enough to meet demands of the current growing population, never mind those that are expected to call Abu Dhabi their home in 2030" (2009, p. 30). 
The high priority assigned by the Central Government to the Plan's success is also made clear by this authority: "Developments are restricted, making over-supply virtually impossible. Developers do not have a free rein of where and how much to build, the plans are meticulous, building work remains on schedule no matter the global economy. Furthermore, $200 billion is being spent to ensure the infrastructure is built first" (Williams, 2009). Given the enormity of the investments that are involved, it is important to identify opportunities to facilitate the management of the project. Therefore, to realize the goals of Plan Abu Dhabi 2030: Urban Structure Framework Plan, it is vitally important for the project's leadership and engineering teams to have access to a collaborative project management system that ensures sufficient information security, a need that relates directly to the issue considered in this study and discussed further below.
Statement of the Problem
The project idea consists of enhancing unified portfolio management software with a project management application for all Abu Dhabi government entities that will address the relevant security issues that are involved. Although these security considerations differ from stakeholder to stakeholder, a good example of the types of sensitive information involved is the budgetary data used for Portfolio Project Management applications. At the beginning of every year, the Department of Finance (DOF) issues the yearly budget for all Abu Dhabi government entities according to their needs, to fund the projects planned for that year. Before the budget is issued, each government entity proposes its projects to the Executive Council, which studies the projects and approves their budgets according to the needs of the Abu Dhabi Government. (Note: Government entities propose their projects on paper and as an electronic copy on CD, which means there is no security for the information, especially if it is military information.) Once the idea is approved by the Executive Council, the case is forwarded to the Department of Finance (DOF), which issues the budget. After that, the Executive Council and the Department of Finance (DOF) follow the project's status by asking the owner of the project to submit status reports.
Purpose of Study
Given the manual process described above, we want to build unified software and secure it to help the Abu Dhabi government, represented by the Executive Council, to study the projects and follow up on them through one system with one click. It also helps them avoid wasting money. For example, Abu Dhabi municipality is working on Al Salam Street; it builds the infrastructure and specifies its equipment needs, while at the same time Etisalat would like to connect fiber cable in that area. Instead of waiting for the work on Al Salam Street to be completed, Etisalat will work in parallel with the municipality, without tearing up the infrastructure again and while using the same material. By building this technology, we allow the decision maker to see the requirements of each project and make the right decision, saving money, time and effort. The following diagram represents the structure of the idea.
Figure 2. Project flow pursuant to Plan Abu Dhabi 2030: Urban Structure Framework Plan
Objectives of the Study
The overarching objective of this study is to build a solid portfolio management application that connects all the local governments of Abu Dhabi emirates in ways that will allow them to collaborate on various projects pursuant to Plan Abu Dhabi 2030 through one unified system from their offices, without wasting time on face-to-face meetings and without introducing the potential for the leaking of information through channels that provide the opportunity for unauthorized access. This objective also includes the need to develop a solid IT security infrastructure by building strategies, recruiting qualified staff, and implementing the latest technologies and best practices as identified in the research.
The study was guided by the following specific objectives:
1. Achieve cost effectiveness once the portfolio management software is applied to the needs of the Abu Dhabi Government;
2. Identify how much the solution will save in terms of time, money, and efforts if it is applied;
3. Determine how the initiative will affect the utilization of existing resources;
4. Identify optimum approaches for ensuring the project is updated regularly and monitored with regards to its budget; and,
5. Identify the risks that will inevitably be faced.
Importance of Study
Information security has become one of the most important and challenging issues facing today's organizations. With pervasive use of technology and widespread connectedness to the global environment, organizations increasingly have become exposed to numerous and varied threats (Rotvold, 2008). Information security comprises the processes and techniques for protecting information, data, system infrastructures, networks, and so forth. It protects their availability, privacy and integrity from unwanted or malicious actions. Access to information stored in computer databases has increased greatly. More companies and industries store business and personal information on computers than ever before. Much of the information stored is highly confidential and not for public viewing. That means data are valued more than money. All businesses depend fully on information, especially military, government (e-government) and banking organizations. Most information is now gathered, analyzed, processed and stored on database computers. That information is exchanged and transmitted across networks, through LANs (Local Area Networks) and WANs (Wide Area Networks), to other computers.
Scope of Study
The core principles of information security are confidentiality, integrity and availability. Confidentiality, integrity, availability, authenticity and risk management are the main concepts in securing any IT infrastructure (here, the portfolio system for the Abu Dhabi government). Incident response plans should also be included.
Rationale of Study
According to Essex (2005), a wide range of increasingly sophisticated project management tools have been introduced in recent years and these project management tools and their corresponding analytical methodologies have transformed the manner in which large projects are managed today. In almost every way, information technology has influenced project management or has the ability to do so if approached in thoughtful ways. The field of collaborative software solutions has identified a number of different approaches that can be used for these purposes, with a secure intranet representing one of the more common and cost-effective alternatives that are available. In this environment, the need for security in these collaborative communications networks directly relates to the criticality and sensitivity of the information that is introduced on the network. Therefore, it is important to ensure that the collaborative project management environment remains secure from the start and throughout its administration.
Overview of Study
This paper used a six-chapter format; chapter one introduced the topic under consideration, a statement of the problem, the purpose and importance of the study, as well as its scope and rationale. Chapter two provides a critical review of the relevant and peer-reviewed literature, and chapter three presents the study's methodology, a description of the study approach, the data-gathering method and the database of study consulted. Chapter four presents the research results, including failure and safety analyses. Chapter 5 provides a discussion of the research and chapter 6 presents the study's conclusion and recommendations for directions in future study.
Chapter 2: Review of Related Literature
Project Portfolio Management
One of the most significant contributions to the field of project management in recent years has been Project Portfolio Management. In many projects, the costs that are involved make the need for effective project management essential. For example, according to Wideman (2006), "Because project management has moved from the domain of capital infrastructure projects to any type of endeavor that qualifies as a 'project.' Then, with the advent of business automation systems through the use of computers and the concomitant software development, the opportunity for innovative value-added projects has burgeoned to the point where 'only the sky is the limit'" (p. 1). Given the enormity of the Abu Dhabi Plan 2030, the full-speed ahead approach being used to achieve its ambitious goals, and the need for more housing in the short-term, effective project management tools such as the Project Portfolio Management approach represent a valuable addition to project management. Despite these advantages, many organizations fail to select projects that are suitable for the tenets of PPM and the results are either less than expected or even used to formulate misguided and expensive decisions that are based on poor data quality (Wideman, 2006).
The PPM approach is fairly recent in origin, and its use continues to be redefined as experience in real-world settings accumulates. According to Wideman, though, the PPM has demonstrated efficacy, making it particularly well suited to the needs of the Plan: "Though it is still evolving, the solution is to be found in effective Project Portfolio Management, ("PPM" for short), and this is not just another trendy label or fad. It is true that some would like to view PPM as just another technique of project management, but it is not that either. PPM is literally 'above and beyond' project management because it spans all the way from the vision of the executive suite, through project management to the actual realization of benefits, to the enterprise and consequent successful competitive positioning" (Wideman, 2006, p. 3).
As noted above, the origins of PPM are relatively recent, with its origins being traced to the closing years of the 20th century when the concept of organizing projects into so-called "portfolios" and then applying the same types of cost-benefit analyses that have been used with investment securities analyses in the past became popular, especially for software engineering applications such as the one that forms the focus of the solution described in this study. In response to the combination of newly identified applications for these technologies and innovations in their development, a number of vendors began offering portfolio management software suites at the time that included features such as the ability to schedule events and analyze data in real time using packages such as Microsoft Project (Essex, 2005). Concomitantly, server-based enterprise project management (EPM) tools were also introduced, with these tools using a ground-up approach that permitted project managers to group projects in programs or portfolios according to various attributes as well as allowing them to share their collective data over a network, sometimes applying minimal portfolio analysis (Essex, 2005).
While an increasing number of PPM applications are being introduced and existing versions are being refined in response to user needs, there are still some significant problems that have been associated with its use, particularly when the number of users that are involved is as large as in the Plan 2030 case. In this regard, Essex emphasizes that:
Although portfolio management have brought the benefits of integration to some organizations, many IT managers say they still cannot get a single view of all their projects, the data for which often still reside in separate Excel spreadsheets, schedulers and time-sheet tools. 'They say, 'I can't see or control the projects - there's no visibility into what I'm doing.' All they have is a loose collection of tools that are not connected in any way. What they need to see is [project] status. You could simplify a lot of that by letting them see centralized project data. That could solve a good portion of their needs, and some level of portfolio management for the rest." (2005, p. 46)
According to Cooper, Edgett and Kleinschmidt (1999), while many large organization have the same types of decentralization that has increasingly characterized the Government of Abu Dhabi, there are some important differences between the entity type and level that should be taken into account during the PPM design, implementation and administration steps as follows:
1. Large projects: In some firms, the magnitude of certain projects demands that they be reviewed at a higher level than the business unit senior management. Such approvals go right to the top of the organization. An example is a new product project involving a major capital expenditure. The result is that the BU manages a portfolio of projects, most of which are likely within its spending and approval levels. Portfolio management is thus self-contained within the business unit; however, there is also a portfolio of major projects, which is the domain of the senior executives in the corporation. Thus there is a project portfolio management process at the top of the corporation, one that focuses on a few major projects, is centralized, and includes projects from all business units.
2. Cross-Business Unit projects: Some projects involve several business units and might be dealt with centrally. For example, platform projects could cut across business unit boundaries. In some firms, these multi-business unit projects are simply part of each participating business unit's portfolio. In other firms, however, there may be a desire to deal with such projects centrally, thus requiring a centralized portfolio management approach, much like that described above for large projects. Although such projects are limited to the few largest platform projects, or the ones that involve several business units, the point still must be made that project portfolio management also occurs centrally, even in decentralized firms. These same approaches can be used at the top of the corporation as well in centralized portfolio management (Cooper et al., 1999, p. 137).
Given the existing governmental hierarchy in place and the assigned responsibilities for achieving the goals of the Plan, it is clear that the Plan contains elements of both of these types of projects, making the need for careful design from the outset vitally important. In this regard, Seider (2006) suggests that effective project portfolio management for larger projects requires a mix of "sales, marketing and engineering strategies and tactics. It is best accomplished using scenario analysis and visualization models. Good visual models can reduce complex system behaviors to relationships more easily understood by practitioners and executives. Interactive visual models are helpful in evaluating one scenario vs. another" (2006, p. 44).
Although every PPM setting will be unique, there are some typical steps involved in its implementation that can help managers guide the process. For example, Seider notes that, "For any portfolio of projects there are many reasonable implementation scenarios. Having an effective visualization model allows scenarios to be more easily evaluated. An easy-to-understand model allows non-development groups to bring different expertise into the analysis. These groups benefit directly by gaining greater insight into constraints in the development chain. As a result, team decisions are better thought out and better understood by the organization" (2006, p. 44).
Based on the numerous stakeholders that are involved with regards to the solution envisioned herein and by extension to the larger Plan 2030 it is intended to support, it is also important to develop contingency plans for testing and management oversight. As Seider emphasizes, "A well-built portfolio management model makes all key management "levers" available to scenario builders. 'What-if' questions can be rapidly analyzed and further refinements tried" (2006, p. 44). Finally, Seider recommends that the PPM provide for data collection across a broad range of input sources. In this regard, Seider concludes that, "The [PPM] model must support all types of projects (revenue producing and non-revenue producing) as well as overhead activities that reduce the throughput of product development. The model should drive explicit decisions on project priorities as well as changes in staffing; it should clearly identify key constraints" (2006, p. 44). Based on his analysis of previous PPM techniques used with larger projects, Seider cites the following as being typical causes for failure or performance management shortfalls:
1. Once-a-year evaluations may be too infrequent. Business conditions change, rendering planning assumptions obsolete, sometimes before the ink dries on the current plan.
2. The evaluation does not fully consider engineering overhead activities. Because the planning has a revenue focus, the bulk of management's attention involves new revenue opportunities. Planning assumptions and set-asides for factory support, cost reduction, quality improvement, etc., are not scrutinized.
3. Too many projects are priority ones; more granular development scenarios are not considered. There may be more subtle scenarios where better results are delivered. If analyzing the scenarios is complex or time consuming, different approaches may not get evaluated properly.
4. Constraints are not identified or challenged. Planning activities should identify constraints and workarounds suggested. A small change in constraints may yield dramatic improvements in performance (Seider, 2006, p. 44).
Security Considerations in Portfolio Project Management Initiatives
The term information security (IS) is broadly interpreted to include the following activities:
1. Protecting information from unauthorized users;
2. Making information available on a timely basis to authorized users;
3. Protecting information from integrity flaws, and,
4. Detecting information security breaches, if, and when, they take place (Bhimani, 2003, p. 97).
Managers, engineers, computer scientists, and others who face the day-to-day responsibility for information security in organizations, naturally have a strong practical interest in IS issues. Most of the academic work on IS has been done by computer scientists and engineers. Their research is centered around the technical design issues (e.g. use of encryption, access controls, and firewalls) aimed at reducing the frequency of security breaches. The importance of information security in an information-based economy cannot be overstated (Bhimani, 2003).
Any organization can have an exceptional state-of-the-art hardware and network security protection, but it may take only an uneducated user to download a virus that compromises the organization's systems or accidentally publishes confidential data. Regardless of how secure a network may be, it is only as secure as its weakest link. Intentional and unintentional errors by an employee that causes security incidents underline the importance of a security awareness program (Kolb & Abdullah, 2009).
The National Institute of Standards and Technology (NIST) describes information security awareness as follows: "Awareness is not training. The purposes of awareness presentations are simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly" (Kolb & Abdullah, 2009). Implementing a security awareness program is an essential piece of the overall information security infrastructure. It is the best way to communicate security information policies, tips, and best practices to the entire organization. However, it is important to note that information security awareness is not about training but is rather designed to change employee behavior (Kolb & Abdullah, 2009). A security awareness program should work in conjunction with the information technology hardware and software to mitigate the threats to an organization. In the "defense-in-depth" strategy to protect organizational assets, security awareness training is one of the defense layers implemented to educate the end-users about information security threats (Kolb & Abdullah, 2009).
The types of information security threats are broad-based and continue to expand because the Internet is essentially an open system. Any piece of information traveling on the system may be intercepted or altered while in transit, usually with easily available programs found right there, on the Internet. Some of the most common types of attack, including those used to intercept data in transit, are described in Table 1 below.
Table 1
Types of information security attacks
Type
Description
Sniffing Attack
Packet sniffing refers to the technique of copying each packet as it flows across the network. Conceptually it is similar to wiretapping, and is usually initiated by internal users.
Spoofing
Pretending to be someone you're not by re-configuring a network address to make it appear that you're at a different address (mail spoofing), pretending to be somebody else's machine (IP spoofing) or pretending to be somebody else's Web site (Web spoofing).
'Man-in-the-Middle' Attack
Usually achieved by attaching a virtually invisible window that remains open as other sites are visited. With the help of this window, the intruder captures all the information sent to other Web sites (e.g. passwords, account numbers, Web pages).
Denial-of-Service (DOS) Attacks
These render target systems inaccessible to legitimate users. In a typical DOS attack, hackers flood companies' Web servers and communication links with an SYN/ACK (synchronize/acknowledge) packet, temporarily preventing access. Such attacks can pose serious problems for companies whose very business depends on the ability to serve customers on the Web.
Suppression of Audit Trails
An insider or outsider changes the system settings and turns off the audit trail.
Back Door/Trap Door
A hole in the system's security deliberately left in place by designers or maintainers. The motivation for such holes is not always sinister; some operating systems, for example, come out of the box with privileged accounts intended to be used only by field service technicians or the vendor's maintenance programmers.
Stealing File Backups
Stolen file backups violate the concept of confidentiality. Recovering data from an altered file backup causes you to lose the integrity of the data completely.
Exploiting Known Operating System/Application Software Weaknesses
Whether Unix, Linux or NT, each operating system has well-known weaknesses. If the software is not updated regularly with the most recent software patch, the potential to lose system security and data integrity exists.
Buffer Overflows
This type of attack deliberately enters more data than a program was written to handle. By "overflowing" the region of memory set aside to accept it, the extra data overwrites another region of memory meant to hold some of the program's instructions. The values introduced become new instructions, giving the attacker control of the target computer.
Malicious Corruption/Destruction of Data/Logic Bombs
A code surreptitiously inserted into an application or operating system that causes it to perform a destructive or security-compromising activity whenever specified conditions are met (e.g. The Y2K problem).
Collaborative Misuse of System Privileges
Users with different system privileges act together to eliminate the existing security system.
Exploiting Trust Relationships and Social Engineering
The hacker plays on people's generally trusting nature and their natural instinct to help others do their jobs (e.g., using telephone or e-mail, a colleague who lost his/her password asks the assistance of the help desk).
Password Guessing and Cracking
A password cracker is any program that can decrypt passwords or otherwise disable password protection. The most common methods are the brute force and dictionary attacks. The brute force attack is used when there is no additional information on the password, so the attacker tries all possible combinations -- one-character, two characters, etc. A long and mixed-character password significantly decreases brute force speed. If crackers know that the password contains a certain word, they may use the dictionary attack instead -- where only words from the computer's dictionary are tested as password candidates. The most powerful attack is the "rule-based attack." In this case, crackers know that a password consists of the word and a one or two-digit number. They write the rule so the program generates only suitable passwords (e.g. user25, password23, etc.
Viruses
Malicious programs designed to spread and replicate from computer to computer through telecommunication links, or shared computer diskettes and files.
Trojan Horses
A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive.
Worms
A program that replicates itself as a separate entity is called a "worm," not a virus. A worm may also be a Trojan horse if it disguises itself as something useful or amusing to persuade you to execute it.
Source: Elifoglu, 2002, p. 68
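Added example (not part of the original paper): the three guessing strategies described under "Password Guessing and Cracking" in Table 1, expressed as a check that a password-assignment step could run before accepting a new password. The sample wordlist, the 50-bit threshold and all function names are assumptions made for illustration.

```python
import math
import re
import string

# Constructed stand-in for a real dictionary; a deployment would load a large
# list of common words and previously breached passwords (assumption).
SAMPLE_WORDLIST = frozenset({"user", "password", "admin", "welcome", "plan"})

# Hypothetical policy threshold: reject anything guessable in under 2**50 tries.
MIN_BITS = 50


def charset_size(password: str) -> int:
    """Size of the character pool an exhaustive search must cover."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    size = sum(len(pool) for pool in pools if any(c in pool for c in password))
    # Characters outside the four ASCII pools are counted individually.
    size += len({c for c in password if not any(c in pool for pool in pools)})
    return size


def brute_force_space(password: str) -> int:
    """Candidates tried when every length from 1 up to len(password) is enumerated."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def rule_based_space(wordlist_size: int, max_digits: int = 2) -> int:
    """Candidates for the rule 'dictionary word followed by 1..max_digits digits'."""
    return wordlist_size * sum(10 ** d for d in range(1, max_digits + 1))


def classify(password: str, wordlist=SAMPLE_WORDLIST) -> str:
    """Name the cheapest of the three strategies that would reach this password."""
    # Case is folded, so capitalised variants count as covered (conservative).
    lowered = password.lower()
    if lowered in wordlist:
        return "dictionary"
    match = re.fullmatch(r"([a-z]+)(\d{1,2})", lowered)
    if match and match.group(1) in wordlist:
        return "rule-based"
    # Not in the wordlist and not word+digits: only exhaustive search applies.
    return "brute-force"


def effective_space(password: str, wordlist=SAMPLE_WORDLIST) -> int:
    """Number of guesses needed under the cheapest applicable strategy."""
    kind = classify(password, wordlist)
    if kind == "dictionary":
        return len(wordlist)
    if kind == "rule-based":
        return rule_based_space(len(wordlist))
    return brute_force_space(password)


def accept(password: str, wordlist=SAMPLE_WORDLIST, min_bits: int = MIN_BITS) -> bool:
    """Accept only passwords whose cheapest search space meets the threshold."""
    space = effective_space(password, wordlist)
    return space > 1 and math.log2(space) >= min_bits


if __name__ == "__main__":
    for candidate in ("password", "user25", "Password23", "T7#kq9!vLm2$xR"):
        space = effective_space(candidate)
        print(f"{candidate!r}: {classify(candidate)}, "
              f"~{math.log2(space):.1f} bits, accepted={accept(candidate)}")
```

The gap between `brute_force_space("user25")` and `effective_space("user25")` is the point of the table entry: length and character mix only help when the password is not a known word plus a short number.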
As the costs of software security breaches become more apparent, there has been a greater interest in developing and implementing solutions for different aspects of the problem in recent years (Hahn & Layne-Farrar, 2006). For example, following the terrorist attacks of September 11, 2001, the information technology community has been actively involved in developing secure collaborative online networking environments for governments around the world, particularly with a focus on how to prosecute the global war on terrorism and the threats to information security these forces represent. The results of a study by Hahn and Layne-Farrar (2006) identified the following security considerations for information technology initiatives for e-government and related applications:
1. Software security problems come in many different shapes and sizes; therefore, the appropriate solutions will depend on the nature of the problem.
2. Although attacks are becoming more common, the available data does not clearly establish that each aspect of software security poses a significant problem in terms of the damages inflicted by a breach. Some problems impose large costs on different groups, both in preventive and corrective costs. Other problems appear to function as more of a nuisance.
3. Contrary to the prevailing view that market failures in the provision of software security are serious, some software users, particularly businesses, may face fairly strong incentives to take reasonable precautions. In response to this demand, several innovative market-based solutions have emerged to address a number of software security problems.
4. Although some of the regulatory proposals for addressing security may be worth considering, most would require modification to ensure they do more good than harm. Moreover, broad interventionist proposals are difficult to justify given our findings about market-led responses. Instead, the best role for the government would be to encourage the collection of more detailed data used to better inform policymakers on the need for specific actions. Furthermore, government agencies should seek to optimize their own security (Hahn & Layne-Farrar, 2006, p. 283).
Project managers assigned PPM responsibilities must ensure that IT security threats and vulnerabilities are identified early on during the design phases, because the costs required to implement effective security controls and practices during the early stages of project development are much less than those involved when the system is already in place. Moreover, ensuring adherence to security-based software development practices will help avoid deficiencies, instead of correcting them after the solution is implemented (Mentz, King, Thong, Leo & Mataev, 2005).
Beyond the foregoing, other factors that must be taken into account during the design and implementation phases of the PPM initiative include the need to incorporate an adequate security control baseline into all phases of system development, operations, maintenance, and disposal (Mentz et al., 2005). According to this authority, "Including information system security early in the SDLC for an information system will usually result in less expensive and more effective security than adding security to an operational system. NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle, presents a framework for incorporating security into all phases of the SDLC process, from definition to disposal" (Mentz et al., 2005, p. 37).
Although the secure collaborative communications network that forms the solution envisioned in this study could assume a number of configurations, most if not all of the features that are needed are provided by an intranet. Based on an expansion of operating protocols that were developed for Internet applications, intranets are becoming increasingly commonplace in organizations of all sizes and types (Milner, 2000). According to this authority, intranets can provide the level of security required for the solution: "In what is now commonly referred to as the internal information and knowledge engine of all types of organisations, networked across offices, locations and, in some instances, national boundaries. Properly constructed, it should offer, at appropriate levels of security clearance, a way of empowering an employee to navigate the most suitable, and value-adding path through the organization's operating structures, information holdings and knowledge base" (Milner, 2000, p. 112). Given the numerous users and their different clearance levels to the network, a secure intranet represents a useful alternative for the Plan's needs. In this regard, Proctor and Vu emphasize that, "Intranet technologies better enable users to obtain the information they want from the technology, instead of waiting for the information to be placed in front of them. Equally, intranets better enable users to push information, via the use of technology, instead of relying on the other, less efficient, less reliable models of communication" (2005, p. 542).
Moreover, a secure intranet avoids many of the vulnerability problems that are inextricably associated with any network that relies on the Internet. As Proctor and Vu point out, "Furthermore, when access is only internal, a company has the potential for better control of information security than that of paper documents. Intranets hold great promise for organizational learning, for along with nonlinear flow of knowledge, intranets enable real-time exchanges of knowledge that users have the ability to shape to meet their working and information needs" (2005, p. 542). Most importantly, perhaps, is the ability of a secure intranet to allow users to identify new ways to use the system to better achieve their respective organizational goals (Proctor & Vu, 2005).
With regard to the security features available for intranets, several alternatives and levels of protection are specifically designed for the public sector, the most commonly used being a "firewall," a feature that has received considerable public sector use (Milner, 2000). In fact, firewall security measures are being used to support the Government Secure Intranet (GSI) project in the UK that is intended to improve the distribution of internal information within the public sector (Milner, 2000). According to this authority, "Defined as a 'powerful network security tool consisting of hardware and software that allow organizational access to Internet resources whilst prohibiting unwanted incursions from the Internet into your organization, a firewall is also a flexible security tool which can be applied selectively, if so desired, allowing easy external access to areas where this is held not to be problematic or indeed is seen as positively desirable, while permitting security and protection to be provided to other more sensitive areas of operation" (Milner, 2000, p. 37). Finally, another security-related issue that should be considered throughout the developmental phases of the solution is the need to identify what type of encryption should be used for the various types of data that may be shared within the network (Milner, 2000). This aspect also introduces new training considerations and the need for ongoing oversight to ensure that established security protocols are followed by all network users.
Chapter 3: Methodology
Data Collection
The data needed for this study was collected from public and university libraries, reliable online resource services such as Questia, and relevant governmental online resources. Data collection proceeded in a step-wise fashion, focusing first on general issues related to a centralized "one-stop-one-click" secure communications network that would satisfy the needs of the vision articulated for the city of Abu Dhabi by 2030 in the Government's Plan, and then proceeding to examine the specific communications needs for this initiative and where this information could be obtained. These issues are discussed further below.
Calculations
A preliminary analysis of the affected current stakeholders with a demonstrated or potential need for access to the secure communications network is needed to make some informed projections concerning the scope of the project. For this purpose, the matrix developed in Table 2 below could be used to perform the calculations necessary to identify relevant stakeholders and their corresponding project performance metrics.
Table 2
Identifying relevant project performance metrics for the secure communications network
Stakeholder: Urban Planning Council. Current membership includes:
His Highness Sheikh Mohammed Bin Zayed Al Nahyan, Crown Prince of Abu Dhabi, Chairman of the Executive Council, Chairman of the Abu Dhabi Urban Planning Council
His Excellency Khaldoon Khalifa Al Mubarak, Chairman of the Executive Affairs Authority, Deputy Chairman of the Urban Planning Council
His Excellency Sheikh Sultan Bin Tahnoon Al Nahyan, Chairman of Abu Dhabi Tourism Authority
His Excellency Mohammed Ahmad Al Bawardi, Secretary General of the Abu Dhabi Executive Council
His Excellency Dr. Jouan Salem Al Dhaheri, Chairman of Abu Dhabi Department of Municipal Affairs
His Excellency Nasser Ahmed Al Suweidi, Chairman of Abu Dhabi Department of Planning and Economy
His Excellency Abdulla Rashid Al Otaiba, Chairman of Abu Dhabi Department of Transport
His Excellency Majid Al Mansouri, Secretary General of Environment Agency, Abu Dhabi
In addition, most of these stakeholders also oversee several other departments that will be affected by the Plan and will have differing responsibilities for performance measures.
Responsibility: Tasked with optimizing the city's development through a 25-year program of urban evolution. Pursuant to this responsibility, the Council is required to ensure that the Plan remains environmentally sound and protects cultural assets, while fostering Arab/Muslim-based communities that enjoy well designed architectural spaces. This general mission can be measured in a number of ways, including the possible performance metrics listed below; other metrics could be added or supplemented as the need is identified and added to the PPM database.
Possible Performance Metric(s):
1. Budget adherence;
2. Overall schedule performance;
3. Level of resident citizen participation;
4. Efficiency of operations;
5. Effectiveness of oversight; and,
6. Effectiveness of environmental initiatives.
Stakeholder: Government Entities. It is reasonable to suggest that virtually all Abu Dhabi Government entities will become involved to some extent as the Plan progresses, but some of the current entities that will play an important role in the progress of the Plan include:
1. Abu Dhabi Authority for Culture & Heritage;
2. Abu Dhabi Chamber of Commerce & Industry;
3. Abu Dhabi Council for Economic Development;
4. Abu Dhabi Customs Administration;
5. Abu Dhabi Educational Zone; and,
6. Abu Dhabi Food Control Authority (to name just a few).
Responsibility: Overall responsibility for these performance metrics lies with the Central Government. The Government entities that fall under its purview will all have different -- and unique -- access needs to the secure communications network, but the general performance metrics listed below could be used to identify the types of data needed for the PPM analysis, and specific quantifiable performance metrics could then be formulated for these measures. In addition, this step could be used to identify those individuals the agency wants to have access to the solution, and at what level(s). Password and username assignments could then be made for authentication purposes; standard protocols will be used to ensure these authentication tools remain secure and fresh by having users change their settings from time to time and by taking other precautions as appropriate.
Possible Performance Metric(s):
1. How responsive is the entity in providing requested data (either routine or special requests)?
2. How accurate is the data that is provided?
3. Do managers provide timely feedback concerning the relevance and/or cost effectiveness of the metrics being used?
4. Schedule compliance.
5. Budget adherence.
Stakeholder: Plan 2030 Project Management and Professional Team. Besides key leaders from the Central Government, this team is also comprised of numerous consultants and advisors from Canada, France, the United States, Australia and Lebanon.
Responsibility: A portfolio management process is highly cross-functional and typically led by the senior operations manager. It is a comparative, scenario-based process intended to drive resolution of constraints and priority conflicts. It serves to validate that plans and tactics employed are consistent and achievable. The iterative / scenario-based method can be challenging to manage. Hundreds of different scenarios might exist. Subject matter experts might be better able to analyze alternatives than functional managers. For efficiency, one would prefer to decentralize analysis, with conflicts resolved centrally. Most project tradeoffs are straightforward and can be made in a rapid manner; however, some represent boundary conditions or cross-group constraints that require a focused, efficient and rapid resolution method. This is where senior management attention should be most valuable (Seider, 2006).
For each iteration, projects must re-establish their value and importance relative to every other existing or proposed new project. The model forces a project prioritization to take place. Getting multiple product-line managers or business-unit general managers to agree on a business-wide prioritization is challenging, but, once done, proves highly valuable to the organization. While the process is being executed, it is intense and consuming. Because the process evaluates the entire portfolio, it can involve many in middle management and subject matter experts (Seider, 2006).
Possible Performance Metric(s): Metrics would evaluate optimal intervals for project evaluation. Generally, the process should be run at regular intervals -- biannually for some companies, quarterly for others. The need for efficiency is particularly important the more frequently it runs (Seider, 2006).
Stakeholder: Plan 2030 contractors and subcontractors (potentially thousands of affected stakeholders)
Responsibility: Contractor- and subcontractor-specific
Possible Performance Metric(s): Contractor- and subcontractor-specific
Technical Information
A number of commercial PPM software applications are available that could potentially satisfy the needs of the secure communications network solution envisioned herein, including those described further in Table 3 below.
Table 3
Representative commercial software applications for PPM secure collaboration and data sharing
Vendor/Web site: Pacific Edge: http://www.serena.com/company/news/pr/spr_10202006.html
Product Name/Description: Pacific Edge Mariner, the Company's flagship product that began shipping in October 2005, combines portfolio, project, resource, demand, and financial management into an integrated decision-support framework for an organization's PPM initiative. As a powerful and practical-to-adopt solution, Mariner's capabilities can be configured to an organization's specific levels of IT process maturity. As IT organizations mature, more advanced Mariner capabilities can be enabled to drive additional value from their PPM initiatives.
Key Attributes: This top-down approach of portfolio management, if well-integrated with detailed, bottom-up project data, can help ensure that investments achieve business alignment (Essex, 2005). Also contains tools for identifying business goals and evaluating project portfolios by their contributions toward those goals (Essex, 2005).
Vendor/Web site: Niku Corp.: http://www.ca.com/us/public-sector-ppm.aspx
Product Name/Description: Company offers public sector-specific PPM packages that also contain tools for identifying business goals and evaluating project portfolios by their contributions toward those goals (Essex, 2005).
Key Attributes: The public sector PPM package has the following key attributes:
1. Increase alignment of investments with mission;
2. Better forecast resource needs and budget funds accordingly; and,
3. Accelerate delivery of government compliance reports.
Vendor/Web site: ProSight Inc.: http://www.2020software.com/products/Primavera_Systems_ProSight.asp
Product Name/Description: Primavera ProSight has been built specifically for proposing, planning and controlling portfolio investments, ranging from IT projects to capital programs, in a collaborative manner. Capabilities of this Primavera software include portfolio management, decision-support graphics, what-if scenarios, dependencies, proven scalability, secured access, automatic alerts, integrated detailed planning and collect investment ideas.
Key Attributes: This package also contains tools for identifying business goals and evaluating project portfolios by their contributions toward those goals (Essex, 2005).
The technical information needed for the PPM analysis of the solution's progress would therefore depend on the selection of the software package and would be obtained from the vendor as part of the contractual negotiations for support and consultation.
Chapter 4: Results
Failure Analysis
Given the supply chain nightmares that could erupt at any time and disrupt the progress of the solution envisioned herein -- and by extension -- the progress of the Plan for 2030, the potential for failure in varying degrees exists along the entire continuum of the project's management. Between the two extremes of minimal disruption and catastrophic failure, there also exists a broad range of security implications that cannot be quantified in strictly economic terms. As noted above, several priorities were established to gauge the success of the secure communications network solution envisioned herein, with these priorities being used for the first part of the corresponding failure analysis with regard to how well the solution addresses the following:
1. Achieve cost effectiveness once the portfolio management software is applied to the needs of the Abu Dhabi Government;
2. Identify how much the solution will save in terms of time, money, and efforts if it is applied;
3. Determine how the initiative will affect the utilization of existing resources;
4. Identify optimum approaches for ensuring the project is updated regularly and monitored with regards to its budget; and,
5. The risks that will be faced.
The second part of the failure analysis concerns the economic impact of this initiative, which is projected in Table 4 below.
Table 4
Projected economic impact of the solution
Area: How does project portfolio management software reduce project costs and/or improve Return on Investment (ROI)?
Description:
1. Provides a centralized forum for collaboration among key stakeholders.
2. Maintains focus on budget and schedule.
Metrics:
1. Time-cost of stakeholders involved (X).
2. Time spent using the solution rather than existing communication methods.
Projection: Although the salary levels of the top government leadership and other key stakeholders (X) are proprietary and confidential and are therefore not readily available, depending on how much time each stakeholder invests in using the collaborative forum (Y), this figure could easily run into the tens of millions of dollars as illustrated in Table 5 below.
Area: How does securing information for project portfolio management detract from cost and increase productivity or value of information?
Description: Progress reports from project managers and feedback from key government officials are frequently classified; compromise of this data is not easily quantifiable but could threaten project progress or otherwise detract from productivity.
Metrics: Varies
Projection: Varies
Area: How does project portfolio management software improve efficiency and utilization of resources?
Description: Project portfolio management software will help improve work efficiency and allow completion of the project on or before schedule with a concomitant increase in contractor/subcontractor profit levels (X) and the potential cost of such additional profits to the Government (Y).
Metrics: This calculation would depend on how much faster the project was completed with the solution (months or possibly years) compared to how long it would require without the solution based on the following metrics:
1. Additional profits to project contractors / subcontractors for project completion on or before schedule (X).
2. Potential cost to Government (Y).
Projection: Varies
Table 5
Projected Costs Savings of Solution for Plan for 2030
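| Users | Time/Cost | Years of Use (Present Day-2030) | Total Potential Savings (Estimate): Subtotal | Total Potential Savings (Estimate): Total |
|---|---|---|---|---|
| Key Ministry Officials | $1,000,000 | 19 | $19,000,000 | |
| Contractors | $750,000 | 19 | $14,250,000 | |
| Subcontractors | $500,000 | 19 | $9,500,000 | |
| | | | | $42,750,000 |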
Assuming a total cost of design and implementation of the solution envisioned herein of $2,500,000, the potential return on investment could amount to $40,250,000, depending on the respective salary and benefits levels of the ministry officials involved in the project and the corresponding compensation rates of the other key stakeholders.
Safety Analysis
The foregoing failure analysis will be supplemented by an ongoing safety analysis of the project including the issues that emerge during implementation and subsequent administration. For this purpose, the PPM's Project Portfolio Life Span (PPLS) analytical approach will be used. This model consists of five-phased elements as follows:
1. Identification of needs and opportunities (effective governance);
2. Selection of the best combinations of projects (the portfolios);
3. Planning and execution of the projects (project management);
4. Product launch (acceptance and deployment of deliverables); and,
5. Realization of benefits (efficient operational usage) (Wideman, 2006).
These five metrics can be applied to aggregate performance data to target deficiencies in project management in terms of budget, scheduling, or the other measures being used to gauge performance, in order to identify opportunities for improvement in the communications system and trend any performance issues or security breaches that may have compromised the integrity of the network. These five metrics will be integrated into an overall system security plan for the solution that sets out the specific security risks that are involved as well as the required levels of access that will be needed for the various users of the secure communications one-click network. According to Mentz et al. (2005), a typical system security plan (SSP) establishes relevant access parameters based on the potential level of impact (Low, Moderate, High) for each of the security objectives of confidentiality, integrity, and availability of federal information and information systems. In addition, the SSP should clearly set forth the various procedures that will be followed to test the security measures that are in place and to document these findings (Mentz et al., 2005). These are also essential elements in order to have the solution certified by accreditation organizations (Mentz et al., 2005).
The SSP for the solution will include the following components described in Table 6 below:
Table 6
Components of the solution's System Security Plan
SSP Component: System Boundary Summary
Description: Describes what constitutes the system for the purposes of the SSP.
SSP Component: IT System Security Categorization and Sensitivity
Description: The System Security Categorization classifies the system as a Major Application or a General Support system. The Security Sensitivity identifies the potential level of impact as Low (limited impact), Moderate (serious impact), or High (severe or catastrophic impact) for confidentiality, integrity, and availability of federal information and information systems. The categorization and sensitivity determines the minimum management, operational, and technical security controls required for information and information systems.
SSP Component: Configuration Management Approach
Description: Develop the approach for managing change over the development and production life cycle of the system -- application and operating system software, configuration settings, interfaces, and hardware. Note: A security risk assessment differs greatly from a project risk assessment. A security risk assessment assesses the security risks to the information system itself whereas a project risk assessment assesses the project risks.
SSP Component: Contingency and Disaster Recovery Approach
Description: Prepare an approach for responding to man-made or natural incidents or disasters.
SSP Component: Preliminary Security Risk Assessment
Description: The basic assessment of the confidentiality, integrity, and availability risks that help determine what security controls are necessary to protect the information contained in this information system.
Source: Mentz et al., 2005
In addition, relevant precautions and controls that are conventionally used for the security of information technology initiatives, including requisite policies, procedures, or mechanisms of hardware or software that can minimize or eliminate potential vulnerabilities and threat events, will need to be developed at the organization-specific level (Andress, 2003). According to Andress (2003), for project management purposes, threats are defined as events that can be reasonably expected to be imminent and that hold the potential to cause damage or loss to an information technology network system, with six basic components of risk being specifically related to supporting information and technology resources as shown in Table 7 below: