Software Solutions
Two software applications are recommended as solutions for the security weaknesses identified at Aircraft Solutions: Documentum, which is recommended as the repository for documents such as project documents and product designs, and Visual Studio, which is recommended as the repository for program source code.
Documentum. The capabilities of Documentum include support for all kinds of content, which include XML-tagged documents, fixed content, Web pages, e-mails, images, videos, and business documents (“List of Enterprise Content Management Systems,” 2012). It is a repository where content can be stored under compliance rules. It appears as a unified environment, although content may be physically stored on more than one physical storage device or server within a distributed environment.
Its key features include content publishing, design integration, accessibility and usability, categorization, language support, security, document management, search, online forms, integration with other systems, and content syndication (APLAWS, n.d.).
With regard specifically to its security features, Documentum requires users to authenticate before they can access restricted information. Authentication is performed through one of the systems listed in the application's user administration section. Documentum can integrate with any Active Directory or LDAP (Lightweight Directory Access Protocol)-based authentication module. It also supports single sign-on from RSA or Netegrity, and it can handle client log-in over SSL.
Similarly, it supports SSL for access to the user directory server and for web page delivery, and it also allows authentication over NT LAN Manager (NTLM). In addition, Documentum supports seven "levels of access rights for users, groups, and roles at the content object level" (APLAWS, n.d., p. 48). These access rights are, from highest to lowest, delete, write, version, relate, read, browse, and none; each level includes the rights of the levels below it, so a user granted "write" can also version, relate, read, and browse the object.
In addition, Documentum is capable of encrypting its main data repository. Moreover, a new version of a document is created whenever a change is made to it, which helps prevent data loss. Workflow rules can also be defined to ensure that no step is missed (e.g., customer approval) before the document moves on to the next phase. As well, the EMC NetWorker Module for Documentum is available to facilitate the backup and recovery of the different types of objects in the Documentum Content Server (EMC, 2009).
Microsoft Visual Studio. This is an integrated development environment that supports the creation of quality code throughout the entire software development lifecycle, from the design phase to the deployment phase (Microsoft, 2012b). Its main features include modeling tools, which enable both non-technical and technical users to create and use models for collaborating on and graphically defining system and business functionality (tosaik, 2009). It supports both domain-specific languages and the Unified Modeling Language (UML). It also improves efficiency throughout the test cycle: it provides the capability to reproduce otherwise non-reproducible bugs; to set up and deploy tests quickly so that test coverage is as complete as possible; to plan tests and track their progress; and to ensure that all code changes are properly tested. Moreover, it enables teams to track their work more easily by linking work items with models and code. As well, it enables the creation of workflow-based builds, which can help identify errors before they affect the entire team or reach production.
With regard to its security features, individual users can be given access rights depending on what they are allowed to do within the system. In addition, user groups can be created to further facilitate the granting of access rights. For example, the set of users who work on the same project can make up one user group whose members are granted the same rights. Such rights include read, write, and delete. In addition, various types of users can be granted specific permissions for using the database where the code is stored. These permissions include those for creating or deploying a database, refactoring a database, performing unit tests on a database, generating data, comparing schemas and data, and running the Transact-SQL Editor (Microsoft, 2012a).
Moreover, Visual Studio, through its integration with Team Foundation Server version control, keeps a separate version of a file whenever a change is checked in. This allows programmers to revert to an earlier version of the code if errors are made in the current version or if the current version has been tampered with. In addition, with the code being stored in a database, backup and recovery of the data are possible in the event of an adverse occurrence (e.g., a natural disaster or a power outage).
Policy Solutions
Once the recommended applications have been implemented, policies governing their use should also be established. Firstly, the users of these applications should be identified, together with their access permissions. For example, customers should be given only read access, and engineers should be given read, write, and delete access only to the projects they are working on. In the same regard, user groups should be created to facilitate the granting of permissions; this avoids confusion and enables the administrator to modify a group's permissions as necessary. For example, every project in the company should have its own user group, and smaller or more specific groups can be created within each: the engineers for Project A would make up one group and the programmers for Project A another. This not only makes it easier to grant permissions and to identify the users who have access to specific documents, it also enables administrators to trace the user who may be responsible for a security breach, since the number of people who can access those documents is restricted and the names of the users granted such access can readily be listed.
In addition, workflow rules should be created and integrated into the systems to ensure that the process for creating and maintaining the company's documents is followed. As an example, a rule can be created in Documentum that a new version of a document must be created (a new workflow must be run) before the document can be modified. This ensures that the current document is not overwritten and is preserved in its current state, so that its content can be restored if errors are made while updating it or if the content is maliciously tampered with. Another example of a workflow rule is that a design document is not marked as final unless it has been approved by the customer. In this case, the customer can be included in the workflow so that their approval and sign-off are documented. With this rule in place, a further rule or policy can be established whereby programmers are allowed to access and work only on design documents that are in the "Final" state, that is, those that have been approved by the customer. This ensures that programmers are working from the right designs and specifications, which prevents errors in the code, wasted resources, and customer dissatisfaction. Similarly, the workflow should include a rule that any change made to a document must again be approved by the customer before the document is marked "Final."
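The group-based permission model and the approval workflow described in the two preceding paragraphs can be checked against a small executable policy model. The following is an added illustration written for this page; it is not Documentum or Visual Studio code, and the group names, user names, and document are constructed sample data. It uses the seven Documentum access levels named earlier as a hierarchy (a higher level implies every lower one), grants rights only through per-project groups, blocks programmers from reading anything that is not "Final", and makes every modification append a new version, drop the "Final" state, and discard prior customer approvals.

```python
"""Group-based access control plus customer-approval workflow for a document repository.

Added illustration (not Documentum or Visual Studio code). Group, user and
document names below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Documentum's seven access levels, ordered so a higher level implies every lower one."""
    NONE = 0
    BROWSE = 1
    READ = 2
    RELATE = 3
    VERSION = 4
    WRITE = 5
    DELETE = 6


# One group per project role (constructed sample data): group -> members.
GROUPS = {
    "projectA-engineers": {"alice", "bob"},
    "projectA-programmers": {"carol"},
    "projectA-customers": {"acme-reviewer"},
    "projectB-engineers": {"dave"},
}


@dataclass
class Document:
    name: str
    project: str
    acl: dict                       # group -> Level; anyone not listed gets NONE
    state: str = "Draft"
    versions: list = field(default_factory=list)   # every change appends, nothing is overwritten
    approvals: set = field(default_factory=set)    # customers who signed off on the latest version


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def effective_level(user, doc):
    """Highest level granted through any of the user's groups; default is NONE (least privilege)."""
    return max((doc.acl.get(g, Level.NONE) for g in groups_of(user)), default=Level.NONE)


def permitted(user, doc, needed):
    """Level hierarchy plus the rule that programmers may only work from Final design documents."""
    if effective_level(user, doc) < needed:
        return False
    is_programmer = any(g.endswith("-programmers") for g in groups_of(user))
    if is_programmer and doc.state != "Final":
        return False
    return True


def who_can(doc, needed):
    """Audit helper: the (deliberately small) set of users able to perform `needed` on doc."""
    return sorted(u for members in GROUPS.values() for u in members if permitted(u, doc, needed))


def modify(user, doc, new_content):
    """Workflow rule: a change creates a new version and returns the document to Draft."""
    if not permitted(user, doc, Level.WRITE):
        raise PermissionError(f"{user} may not write {doc.name}")
    doc.versions.append(new_content)
    doc.state = "Draft"
    doc.approvals.clear()           # a changed document must be approved again


def approve(user, doc):
    """Only a customer with access to the document can sign it off."""
    if not any(g.endswith("-customers") for g in groups_of(user)):
        raise PermissionError(f"{user} is not a customer")
    if not permitted(user, doc, Level.READ):
        raise PermissionError(f"{user} cannot see {doc.name}")
    doc.approvals.add(user)


def finalize(doc):
    """A document is marked Final only after at least one recorded customer approval."""
    if not doc.approvals:
        raise RuntimeError(f"{doc.name} has no customer approval")
    doc.state = "Final"


def make_design_doc():
    """Sample Project A design document: engineers full rights, programmers and customer read-only."""
    return Document(
        name="ProjectA-design.docx", project="A",
        acl={"projectA-engineers": Level.DELETE,
             "projectA-programmers": Level.READ,
             "projectA-customers": Level.READ},
        versions=["v1 draft"],
    )
```

Running `who_can(make_design_doc(), Level.WRITE)` gives exactly the Project A engineers, which is the list an administrator would consult when tracing a tampered document; a Project B engineer resolves to NONE because no Project B group appears in the ACL, and a programmer is refused even read access until a customer has approved the document and it has been finalized.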
Finally, a policy for the automatic backup of the files should be put in place. For example, the backup process can be scheduled to run every day at 6 A.M. and 10 P.M. so that disruption to the employees' work is minimized. With the backup process running twice a day, no more than roughly half a day of changes can be lost, and the latest copies or versions of the files are backed up. Although not indicated in the case study, it can be assumed that the employees may not all be working at the same time; some may be telecommuting or may have flexible hours where some work from 8 to 5 while others work from 2 to 10. It should also be considered that some employees may choose to work beyond their regular shifts, so running the backup process twice a day ensures that the latest versions of the employees' work are covered as much as possible.
Justification and Impact on Business Processes
The implementation of a content management system will ensure that only authorized users are able to access and modify the documents within the company. It will prevent unauthorized access and will prevent the information in these documents from being tampered with. In addition, the versioning, backup, and restore features of the proposed systems will prevent data loss and will enable accountability to be traced. These systems will also ensure that business processes are followed.
The total cost of implementation for a 1,000-user configuration of Documentum is about US$863,938 (Mosher, 2008), which includes the Search feature, the Transformation/Rendition Management feature, the Workflow/Business Process Management feature, Collaboration, and Office Integration. Additional features would entail additional costs. Training, on the other hand, ranges from around $1,800 to $3,000 per user (Documentum, Inc., n.d.), although it is possible to send only a few employees for training and have them in turn train the rest of the organization.
On the other hand, Microsoft Visual Studio costs from $300 to $1,100 per license (Microsoft Visual Studio 2010 Professional, 2010). However, it usually needs to be integrated with Team Foundation Server and Microsoft SQL Server. Unless these two are already implemented within the organization, Team Foundation Server would cost from $700 to $13,300 ("MSDN Subscriptions," 2012), while an implementation of Microsoft SQL Server would cost around $803,000 for 1,000 users ("How to Buy," 2012). Online training courses for Microsoft Visual Studio cost around $69 per user ("Visual Studio .NET Online Training Courses," 2012).
Although these costs may seem high, the returns can justify them because of the systems' capability to prevent data loss. According to statistics, 31 percent of all computer users have lost all of their files because of occurrences beyond their control, and 60 percent of companies that suffer data loss shut down within six months of the loss (Boston Computing Network, 2012). Moreover, about 93 percent of companies that lose their data centers for ten days or more file for bankruptcy within a year of the occurrence (Boston Computing Network, 2012). In addition, according to a study conducted by the Ponemon Institute (2010), the average total cost of a data breach in the US was US$6,751,451 in 2010, where 24 percent of the breaches resulted from malicious or criminal attacks, 36 percent from system glitches, and 40 percent from negligence (Ponemon Institute, 2010).
References
APLAWS. (n.d.). APLAWS+ comparison with other 5 content management systems. Retrieved from http://www.epractice.eu/files/documents/cases/201-1157120772.pdf
Boston Computing Network. (2012). Data loss statistics. Retrieved from http://www.bostoncomputing.net/consultation/databackup/statistics/
Documentum, Inc. (n.d.). Authorized federal supply service information technology schedule pricelist: General purpose commercial information technology equipment, software and services. Retrieved from http://www.documents.dgs.ca.gov/pd/masters/imaging/documentum.pdf
EMC. (2009, April). Backup and recovery of EMC Documentum Content Server using the NetWorker Module for Documentum. Retrieved from http://www.emc.com/collateral/software/white-papers/h4071-backup-recovery-emc-documentum-wp.pdf
How to buy: Comprehensive licensing information for SQL Server 2012. (2012). Retrieved from http://www.microsoft.com/sqlserver/en/us/get-sql-server/how-to-buy.aspx
List of enterprise content management systems. (2012). Retrieved from http://www.cmscritic.com/resource-lists/ecm-list/
Microsoft Visual Studio 2010 Professional. (2010). Retrieved from http://www.microsoft.com/visualstudio/en-ph/products/2010-editions/professional
Microsoft. (2012a). Required permissions for database features of Visual Studio. Retrieved from http://msdn.microsoft.com/en-us/library/aa833413(v=vs.100).aspx
Microsoft. (2012b). What is Visual Studio? Retrieved from http://www.microsoft.com/visualstudio/en-us
Mosher, B. (2008, December 15). The cost of enterprise content management. Retrieved from http://www.cmswire.com/cms/enterprise-cms/the-cost-of-enterprise-content-management-003676.php
MSDN Subscriptions. (2012). Retrieved from http://msdn.microsoft.com/en-us/subscriptions/hh442902.aspx
Ponemon Institute. (2010, July 13). Five countries: Cost of data breach. Sponsored by PGP Corporation. Retrieved from http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf
tosaik. (2009, February 18). Key features of Microsoft Visual Studio 2010 and .NET 4.0. Retrieved from http://saimaterial.wordpress.com/2009/02/18/key-features-of-microsoft-visual-studio-2010-and-net-40/
Visual Studio .NET Online Training Courses. (2012). Retrieved from http://www.e-learningcenter.com/visual_studio_net.htm