INITIATIVE-6: HTTP 2 HTTPS
What are we doing?
Upgrade all websites from HTTP to HTTPS.
Why are we doing this?
Problem statement (Disease)
HTTP websites are vulnerable in a number of ways; for example, packets moving between the browser and the website can be read in transit. This is dangerous because sensitive data is sometimes passed between browser and website. By converting to an HTTPS website, we encrypt that data, which eliminates unauthorized monitoring of it.
PTP Study suggested we move our websites to HTTPS
Industry is moving websites to HTTPS
Between RegionalSan, SASD, and ISD there are over 200 websites to convert.
Impact of this problem (Symptoms)
Current websites are vulnerable to attacks that can expose confidential data.
Browsers are starting to give warning messages that you are connecting to unprotected sites.
PTP Security Study highlighted this as an issue.
Executive Level Requirements/Project Goals
Stakeholder | Executive Level Requirement/Project Goal | How we will measure success |
---|---|---|
Anna Nikolaou | Protect the district from unauthorized monitoring of data on the network. | There should be no websites running HTTP. All websites should be running HTTPS. |
Recommended approach
Review and evaluate HTTPS options. For vended apps we should look at vendor recommendations. Choose the best HTTPS option(s) for this project.
A typical web application may be installed into three environments: Development, QA (or testing), and Production. It makes sense to convert a website first in the Development environment, then in QA, and finally in Production. In reality, some applications lack a testing environment, and others support additional environments. Plans will be adjusted on an application-by-application basis to accommodate these variations.
There are PTP high-priority tickets for the conversion of a few websites, so the web applications to convert should be prioritized. While each should be done in a Development/QA/Production sequence, it is not necessary for each application to be converted in tandem with the other applications.
There appear to be a few common steps to perform for each installation. As of 11/14/2019, there are 135 web applications recorded in the CMDB to convert.
For each web application
Process | Development | QA (or testing) | Production |
---|---|---|---|
Determine conversion pain points for the web application or for any web application that affects it. (For example, conversion of the Time-sheet application changes its URL. This will break reports that link directly into the Time-sheet application.) | x | | |
Develop a plan to test whether or not the conversion is successful. | x | | |
Decide on the best HTTPS solution for the conversion of this website. | x | = | = |
Test website. Is it ready for conversion? | x | x | x |
Perform customer testing before conversion so that they have a baseline for testing. | x | x | |
Prearrange a time when the conversion can take place. | x | | |
Send out a change notification that the website will be moved and more secure. | x | | |
Have the website converted to HTTPS. Fix associated links and programs. | x | x | x |
Verify that the conversion performed correctly. Refer to the test plan, and the baseline developed in earlier steps. | x | x | x |
Send out a change notice that the website has been updated. | x | | |
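One way to support the "pain points" and "fix associated links" steps above is to scan report and page content for hard-coded http:// references to hosts that have been converted. The following is an added example, not part of the original project plan; the host names and sample HTML are constructed, and it assumes only the scheme changes during conversion.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Subresources fetched over http:// from an https:// page are blocked or
# warned about by browsers (mixed content); anchors and forms are stale links.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}
NAVIGATION = {("a", "href"), ("form", "action")}


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attr, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag, name) in SUBRESOURCE or (tag, name) in NAVIGATION):
                self.found.append((tag, name, value.strip()))


def audit_links(html, converted_hosts):
    """Return findings for http:// URLs that point at already-converted hosts."""
    hosts = {h.lower() for h in converted_hosts}
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.found:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or (parts.hostname or "").lower() not in hosts:
            continue  # already https, relative, or a host outside this conversion
        kind = "mixed-content" if (tag, attr) in SUBRESOURCE else "stale-link"
        # Assumption: only the scheme changes; explicit ports need manual review.
        fixed = urlunsplit(("https",) + tuple(parts)[1:])
        findings.append({"kind": kind, "tag": tag, "url": url, "fix": fixed})
    return findings


# Constructed sample: a report page that deep-links into a converted application.
SAMPLE = """
<a href="http://timesheet.example.internal/entry?id=7">Open entry</a>
<img src="HTTP://timesheet.example.internal/logo.png">
<script src="https://timesheet.example.internal/app.js"></script>
<a href="http://other.example.internal/">Not converted yet</a>
<a href="/relative/path">Relative</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE, ["timesheet.example.internal"]):
        print(f"{f['kind']:13} <{f['tag']}> {f['url']} -> {f['fix']}")
```

Running the same audit before and after conversion gives a concrete item list for the test plan and the verification step.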
Jira Issues
Initiative
INITIATIVE-6
Project Artifacts
Decisions
Project Owner
Project Participants
Stakeholder register:
Initiative-6 - HTTP 2 HTTPS - Stakeholder Registry
Team Resources
Slack channel:
#initiative-6
Project workspace
Scrum board
Meetings
Risks
Initiative-6 - HTTP 2 HTTPS - Risk Log
Sizing Determination
Project Size = Internal Level 1
Initiative-6 - it-Project-Level-Assessment-Tool.xlsx