NLNB Service Vendor Quality Assessment


Team 3, EY
Exercise IST 302
Phase H

Revision Log

Revision    Date          Explanation
            02/13/2015    First issue, Phase A Deliverables Added
            2/27/2015     Second Issue, Phase B Deliverables Added and EY Feedback Added
            3/6/2015      Third Issue, Phase C Deliverables Added and EY Feedback Added
            3/20/2015     Fourth Issue, Phase D Deliverables Added and EY Feedback Added
            3/27/2015     Fifth Issue, Phase E Deliverables Added and EY Feedback Added
            4/6/2015      Sixth Issue, Phase F Deliverables Added and EY Feedback Added
            4/17/2015     Seventh Issue, Phase G Deliverables Added and EY Feedback Added
            4/20/2015     Seventh Issue, Phase H Deliverables Added

Table of Contents
Revision Log
Executive Summary
The Means for Collecting Requirements and Developing the WBS
Overview Initiation
Team Roster
Team Contract
Stakeholder Register
Stakeholder Management Strategy
Stakeholder Communications Analysis
Business Case
Project Charter
Agenda for Kick-off Meeting
Risk Management for Vendor Reviews
Overview Planning
Functional Description
Technical Description
Project Assumptions
Risk Register/List of Prioritized Risks
Project Scope Statement
Requirements Traceability Matrix
Work Breakdown Structure
Work Breakdown Structure Dictionary
Scope Management Plan
Gantt Chart with Milestones
Activity-on-Arrow Network Diagram
Schedule Management Plan
Project Schedule Model Development
Project Cost Baseline
Project Cost Estimate
Cost Management Plan
Overview Executing
Communications Management Plan
Quality Assurance Plan
Overview Monitoring and Controlling
Change Request Form
Change Request Log
Overview Closing
Project Documentation
Customer Acceptance/Project Completion Form
Bibliography
Lessons Learned
Scoring Rubric

Executive Summary
This report was commissioned to examine and verify that vendors to Nittany Lion
National Bank (NLNB) are compliant with their contract regarding data protection.
Research for Phase A deliverable focuses on the overview of the overall project. NLNB
wants to grow as a business and become more profitable. After evaluating their
expenses, NLNB found that it would be beneficial to manage the cost of purchasing
services. NLNB has decided to prioritize managing purchased services. Vendor
relationships are really important to NLNB, but vendor relationships must be balanced
with price. We predict that the pre-start-up activities will have successful outcomes
based on our success criterion and that this project will benefit NLNB and serve their
initiative to obtain pricing that takes into account the aggregate of scale with their value
as a major customer, service with an emphasis on added value, and substantial
reductions in cost.
To promote this initiative, NLNB will be conducting Vendor Security Compliance
Reviews (VSCRs). VSCRs are necessary in order to comply with NLNB Standards and
regulatory requirements. The NLNB VSCR team oversees the VSCR process and
periodically reviews vendors as required. NLNB is looking for a third party, one or more
Security Consulting Firms (SCFs), to perform VSCR services. The purpose of the
reviews is to assess the security of each vendor's facilities and provide assurance that
each vendor has taken the appropriate information security measures to comply with
the current contract in place.

The Means for Collecting Requirements and Developing the WBS


This project will consist of determining which vendor has the best quality for EY. The
scope will be developed upon further meetings with EY. In order to review vendors, we
will prepare a scope statement by addressing the following points:
- How will vendors be reviewed?
- What standards will we be comparing vendors to ensure that NLNB vendors are
  performing satisfactorily?
- What are current best practices for vendor review?
- Create a vendor information analysis
- Utilize PSU Library Databases to define current best practices
- How will we evaluate each vendor's strengths and weaknesses?
- Evaluate vendors against each other based on price point to ensure fair pricing
- How will we go about collecting and documenting requirements for features?
- How will we verify that NLNB is satisfied with the constraints of the project's
  deliverables?
- How do we plan on developing a WBS (the approach)?
- Our team will be responsible to define our analysis and manage vendor
  contracts, performance, relationships and risk
These activities are associated with each other because they revolve around the
purpose of the project: to obtain pricing that takes into account the aggregate of scale
with their value as a major customer, service with an emphasis on added value, and
substantial reductions in cost.

The project will be completed by May 2nd, 2015. Throughout the semester we will
complete Phases A through H to ensure we are on task and on schedule. After the
completion of Phase H, the project will be complete.

Overview - Initiation
Nittany Lion National Bank Related Services Company (NLNB), Inc. wants to grow as a
business and increase their profits. After evaluating their expenses, NLNB has
prioritized managing purchased services and the costs associated with the purchased
services.

Vendor relationships are really important to NLNB, but vendor relationships must be
balanced with price. NLNB intends to make every effort to obtain pricing that takes into
account the aggregate of scale with their value as a major customer, service with an
emphasis on added value, and substantial reductions in cost.

To promote this initiative, NLNB will be conducting Vendor Security Compliance
Reviews (VSCRs). VSCRs are necessary in order to comply with NLNB Standards and
regulatory requirements. The NLNB VSCR team oversees the VSCR process and
periodically reviews vendors as required. NLNB is looking for a third party, one or more
Security Consulting Firms (SCFs), to perform VSCR services.

The purpose of the reviews is to assess the security of each vendor's facilities and
provide assurance that each vendor has taken the appropriate information security
measures to comply with the current contract in place.

Team Roster
February 6, 2015

Project Name: NLNB Service Vendor Quality Assessment


Name: Mats Gausdal
Role on Project: Point of Contact for EY
Position: Penn State Consulting Team
Email: mqg5319@psu.edu
Phone: (610)-413-4420
Location: State College, PA

Name: Michael Hegarty
Role on Project: Coordinator
Position: Penn State Consulting Team
Email: mah5741@psu.edu
Phone: (215)-983-5000
Location: State College, PA

Name: Franklin Mak
Role on Project: Documenter
Position: Penn State Consulting Team
Email: fwm5072@psu.edu
Phone: (215)-908-0994
Location: State College, PA

Name: Allie Nizinski
Role on Project: Project Manager
Position: Penn State Consulting Team
Email: acn136@psu.edu
Phone: (717)-324-2618
Location: State College, PA

Team Contract

Team Name: EY Team 3

Course/Section: IST 302 (Sect. 001)

Project Team Members Names and Sign-off


A team leader is:
- Responsible for managing the group project, creates work plan, designates tasks,
  mediates member performance
- Primary liaison with instructors, submits documentation for each phase.
- Submits work for each phase to TAs

Member Name (Print): Franklin Mak
Contact Information: Email: fwm5072@psu.edu, Phone: 215-908-0994
Member Signature Acknowledging Compliance: Franklin Mak

Member Name (Print): Allie Nizinski
Contact Information: Email: acn136@psu.edu, Phone: 717-324-2618
Member Signature Acknowledging Compliance: Allie Nizinski

Member Name (Print): Michael Hegarty
Contact Information: Email: mah5741@psu.edu, Phone: 215-983-5000
Member Signature Acknowledging Compliance: Michael Hegarty

Member Name (Print): Mats Gausdal
Contact Information: Email: mqg5319@psu.edu, Phone: 610-413-4420
Member Signature Acknowledging Compliance: Mats Gausdal

Code of Conduct
We agree to:
- Communicate at a minimum frequency of a weekly basis through email and/or
  telephone/texts to keep all team members up to date with project work
- Participate actively in weekly meetings
- Make sufficient effort to complete the project, on time, and on scope
- Allocate work equally among team members
- Confront each other to resolve any conflicts within our team
- Authorize our team leader to inform our instructor in the case any conflict escalates
  out of control
- Notify all team members, in advance, if a team member cannot:
  - participate in a meeting, or
  - complete an assigned task on time
- Honor and respect all university rules and regulations

Participation
Equal participation should be expected by all team members.

We agree to:
- Check emails and phone messages daily in order not to miss important emails
  or texts regarding the group project coming from other team members
- Allocate the work equally among the team members.
- Allow the team leader to set due dates with agreement from the other team
  members
- Monitor, at each meeting, the work that was due from each team member at that
  meeting
- Review the work done by all other team members
- Discuss work that is not up to group expectations
- It is each team member's responsibility to revise his/her work to be satisfactory by
  the next night, and he/she will then distribute the improved work to all team
  members at that time.

Division of Work
We agree to:
- Allocate work equally between all members. Work division will be decided at weekly
  team meetings
- Meet deadlines that allow review and edit of all documents by all team members
- Assign roles appropriate to each team member's skills and strengths
- Assist team members with work when they are struggling
- Monitor all project activities to assure that each member works on every
  assignment, so that no one is doing more or less than others.

Consequences
If a team member demonstrates a pattern of poor quality work, we will meet with the
TA after a majority rule vote.


Communication
Each team must agree to the methods by which they will communicate with one another
whether it be through email, text/GroupMe, Skype, or face-to-face.

We agree to:
- Use GroupMe and Google Docs for our daily communication and collaboration;
  however, for more serious issues we will schedule face-to-face meeting times
- Assure the exchange of all documents to all team members so the entire team is
  fully informed
- Remind team members of team meetings and work responsibilities via email and
  GroupMe

Meeting Guidelines
Meet every Monday from 2:45-3:30 p.m. and every Wednesday from 4:30-5:30 p.m.

We agree to:
- Create and fill out a doodle document to establish a meeting time that is acceptable
  for all team members
- Work together to make sure we accomplish all that needs to be done at our meetings
- Record the agreements reached concerning important dates and assignments
  agreed during team meetings
- Use team meetings to review content and answer questions about deliverables for
  that phase

Stakeholder Register for NLNB Service Vendor Quality Assessment


Prepared by: Michael Hegarty

Date: 2/11/15

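Name: Michael Hegarty
Position: Coordinator
Internal/External: Internal
Project Role: Penn State Consulting Team
Contact Information: mah5741@psu.edu

Name: Allie Nizinski
Position: Team Leader/Project Manager
Internal/External: Internal
Project Role: Penn State Consulting Team
Contact Information: acn136@psu.edu

Name: Franklin Mak
Position: Documenter
Internal/External: Internal
Project Role: Penn State Consulting Team
Contact Information: fwm5072@psu.edu

Name: Mats Gausdal
Position: Point of Contact for EY
Internal/External: Internal
Project Role: Penn State Consulting Team
Contact Information: mqg5319@psu.edu

Name: John Hill
Position: Professor
Internal/External: External
Project Role: Special Advisor
Contact Information: jhill@ist.psu.edu

Name: Andrew Dunheimer
Position: EY Contact
Internal/External: Internal
Project Role: Client
Contact Information: Andrew.Dunheimer@ey.com

Name: Lauren Ceppi
Position: EY Contact
Internal/External: Internal
Project Role: Client
Contact Information: Lauren.Ceppi@ey.com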

Stakeholder Management Strategy for NLNB Service Vendor Quality Assessment


Prepared by: Michael Hegarty

Date: 2/11/2015

Name: Michael Hegarty
Level of Interest: High
Level of Influence: High
Potential Management Strategies: Michael is very interested in seeing this project
succeed and likes to have face-to-face meetings.

Name: Allison Nizinski
Level of Interest: High
Level of Influence: High
Potential Management Strategies: Allie is great at staying on top of the key parts of
the project and has a very high interest in the success of this project.

Name: Franklin Mak
Level of Interest: High
Level of Influence: High
Potential Management Strategies: Franklin finds it critical this project is successful.
He has a high interest in the success because a failed project weighs heavily on him.

Name: Mats Gausdal
Level of Interest: High
Level of Influence: High
Potential Management Strategies: Mats is extremely interested in seeing this project
succeed and likes to focus on the overview of the project.

Name: John Hill
Level of Interest: Medium
Level of Influence: High
Potential Management Strategies: Professor Hill has an interest of medium because this
is not his only project to help on. He has to help all the other teams.

Name: Andrew Dunheimer
Level of Interest: Medium
Level of Influence: High
Potential Management Strategies: Andrew has an interest of medium because he has a lot
of things on his plate and is helping the Team out by acting as a Contact.

Name: Lauren Ceppi
Level of Interest: Medium
Level of Influence: High
Potential Management Strategies: Lauren, like Andrew, has an interest of medium because
she has a lot of things on her plate and is helping the Team out by acting as a Contact.

Stakeholder: Michael Hegarty
Document Name: Lessons Learned Report, Stakeholder Management Strategy, Stakeholder
Communication Analysis, Stakeholder Register, Scope, Technical Description, Lessons
Learned, Scope Management Plan, Project Schedule Model Development, Cost Management
Plan, Quality Assurance Plan, Change Request Log
Document Format: Phase A, Word Document, Phase B, Phase C, Phase D, Phase E, Phase F,
Phase G
Contact Person: John Hill, Andrew Dunheimer, Lauren Ceppi
Due: 4/20/15

Stakeholder: Allie Nizinski
Document Name: Project Charter, Bibliography, Overview Initiation, Project Plan,
Functional Description, Project Assumptions, Requirements Traceability Matrix, Gantt
Chart with Milestones, Cost Management Plan, Overview Executing, Overview Monitoring
and Control, Overview Closing
Document Format: Phase A, Word Document, MS Project, Phase B, Phase C, Phase D,
Phase E, Phase F, Phase G, Phase H
Contact Person: John Hill, Andrew Dunheimer, Lauren Ceppi
Due: 4/20/15

Stakeholder: Franklin Mak
Document Name: Business Case, Weekly Agenda, Overview Planning, Weekly Agenda, Scope
Statement, Schedule Management Plan, Change Request Form, Customer Acceptance/Project
Completion Form
Document Format: Phase A, Word Document, Phase B, Phase C, Phase D, Phase E, Phase F,
Phase G, Phase H
Contact Person: John Hill, Andrew Dunheimer, Lauren Ceppi
Due: 4/20/15

Stakeholder: Mats Gausdal
Document Name: Team Contract, Executive Summary, List of Prioritized Risks, Risk
Register, WBS, WBS Dictionary, Activity-on-Arrow Network Diagram, Project Cost
Baseline, Communications Management Plan
Document Format: Phase A, Phase B, Phase C, MS Excel, PDF, Phase D, Phase E, Phase F,
Phase G
Contact Person: John Hill, Andrew Dunheimer, Lauren Ceppi
Due: 4/20/15

Business Case for EY Case


Date: 2/11/15

Project Name: NLNB Service Vendor Quality Assessment


1.0 Introduction/ Background
Nittany Lion National Bank Related Services Company (NLNB), Inc. has launched a
series of initiatives to grow their business and substantially improve their profitability.
Purchased services account for some of the largest components of their expense
base, so managing the cost of purchased services is among their highest priorities. As
a result, they are launching sourcing initiatives that encompass all NLNB business
units and all major expense categories. Another priority is to maintain strong
relationships with all of their vendors. Having a quality relationship is very important to
operating at maximum optimization. NLNB intends to make every effort possible to
obtain pricing they see fit compared to their value as a major customer. NLNB is
driven to find quality service with an emphasis on added value, and substantial
reductions in cost.
2.0 Business Objective
Vendor Security Compliance Reviews (VSCRs) are necessary in order to comply with
NLNB Standards as well as regulatory requirements. As part of the CISO's
organization, the NLNB VSCR Team provides oversight of the VSCR process and
ensures that all vendors are visited periodically as required. Vendors are visited
regularly to make sure they are following all of the standards set forward by NLNB.


NLNB wants to ensure they view each vendor fairly, therefore a set of standards is
necessary to promote fairness while grading each vendor. The objective is to build out
deliverables for how to go about reviewing vendors and managing those relationships
and the risks associated with them. Using these standards NLNB will be able to view
which vendors they rank more highly based only on quality and cost.
3.0 Current Situation and Problem/Opportunity Statement
NLNB is currently looking for one or more Security Consulting Firms (SCFs) to provide
Vendor Security Compliance Review (VSCR) services. VSCRs are conducted on
external companies that provide services to NLNB where NLNB's business or
customer-confidential data is being processed, stored, and/or accessed. The reviews
are designed to specifically assess the security posture of a vendor's facilities and to
provide sufficient assurance that a vendor has implemented information security
measures that are consistent with its contract obligations. This will allow NLNB to
have a vendor analysis for each vendor and evaluate their current relationship and
contract with each vendor.
4.0 Critical Assumption and Constraints
- To ensure confidentiality, security, and integrity of NLNB data while in the hands of
  NLNB's vendors and to fulfill NLNB's legal and regulatory commitments.
- To ensure required logical and physical security controls over all external facilities
  where NLNB Data is accessed, processed, filed, transmitted or stored;
- To assess risks associated with external vendor non-compliance and ensure they
  implement appropriate security and control measures required to mitigate those risks.

VSCRs are conducted at external locations that process, store or access NLNB
business or customer confidential data. This includes but is not limited to out-tasking
an internal function to an external vendor (e.g., telemarketing, resource strategy,
etc.); external companies that have direct on-line access to NLNB systems; and
external companies that perform a service or product support for NLNB.
NLNB prioritizes cost for this project.
5.0 Analysis of Options and Recommendation
The Security Consulting Firm that they require (and will hire) will need to perform
Vendor Security Compliance Reviews. There are two varieties of VSCRs:
1. On-Site Security Reviews
   - Lasts about a day and a half, excluding interview preparation and report
     preparation
   - Uses NLNB Interview Process Utility.
   - Physical and logical security questions covered.
   - Performed on vendors that have a contract with NLNB on an ongoing basis.
2. Conference Call Security Reviews
   - Lasts about two hours, excluding interview preparation and report preparation
   - Uses the NLNB Technology Evaluation Questionnaire.
   - Logical security questions in scope.
   - Performed on potential NLNB vendors prior to contract.

Agents of the SCF in question would need to be stationed nearby the vendor
for OSSRs, whereas CCSRs require no such constraint. Of course, the
difference is the thoroughness of the Security Reviews, with the former being
most in-depth and the latter less so. In addition, OSSRs need only one agent
to perform the review.
6.0 Preliminary Project Requirements
Ensure that a Non-Disclosure Agreement (NDA) is completed and signed between the
vendor being reviewed and the SCF. For OSSRs, the SCF will offer participation
[observation] to the VRM. For OSSRs, perform a minimum of 5 control tests per
review. The SCF must ensure that all data collected during the review is adequately
protected while in their custody [via PGP disk level encryption or equivalent for
electronic copies and good business practices for paper copies]. The SCF will retain
secured service partner documents for one year or until completion of a subsequent
review, whichever is longer. Risk ratings of High, Medium and Low shall be applied
in accordance with the guidelines set forth in NLNB-provided rating guidance. NLNB
will own all methodology, procedures, questionnaires, pre-assessments, training
materials and assessment results.

This RFP is intended to gather information about your firm's ability to perform
multiples of these reviews per year. The project does not, in itself, target improving
the process [though there are parallel efforts with this as a target]. The SCF will not
reuse assessment materials from vendor to vendor.
7.0 Budget Estimate and Financial Analysis
The total budget is at maximum $2.5 million USD, split across fees of the
administrative, onsite review or remote review varieties. We plan to use net present
value analysis, return on investment, and payback analysis to further map out the
budget.

Return on Investment (ROI): The benefits minus the costs divided by costs.

Opportunity Cost of Capital: The rate used in discounting future cash flow;
also known as capitalization rate or discount rate.

Internal rate of return (IRR): The discount rate that results in an NPV of
zero for a project.

Cash flow: Benefits minus costs or income minus expenses.

Cost of capital: The return available by investing the capital elsewhere.

Net Present Value (NPV) analysis: A method of calculating the expected
net monetary gain or loss from a project by discounting all expected future
cash inflows and outflows to the present point in time.

Discount factor: A multiplier for each year based on the discount rate and
year.

Payback period: The amount of time it will take to recoup, in the form of
net cash inflows, the total dollars invested in project.

Required rate of return: The minimum acceptable rate of return on an
investment.

8.0 Schedule Estimate


Maximum time of 3 years to completion.


9.0 Potential Risks


Depending on the SCF, the VSCRs performed can be inadequate at best, or miss
gaping holes in security at worst. The trick is for those SCFs to be diligent in their
VSCRs, especially in terms of consistency and thoroughness. In addition, the
pre-existing VSCRs might not be adequate enough, given the manner in which they are
slated to be executed.
Outside of handling and refining VSCR processes and policies, there can also be
technical issues; CCSRs can have connectivity issues depending on the Internet
Service Provider or conference call mediums (programs such as Skype).
10.0 Exhibits
[To be discussed after budget is further elaborated at a later time]


Project Charter
Project Title: NLNB Service Vendor Quality Assessment
Project Start Date: January 30, 2015

Projected Finish Date: February 13, 2015

Budget Information:
Pricing Assumptions - Price Quotes

OSSR Assumptions
Annual volume up to 400 per year
SLA:
Reviews identified in the two week period before a quarter are completed in the quarter
Report due to NLNB within 30 business days of site visit
Flat rate per review including T&E
Distribution: 50% North America, 20% Europe and 30% Asia

CCSR Assumptions
Annual volume up to 250 per year
SLA:
Reviews are performed within 25 business days after being requested
Report due to NLNB within 5 business days of CC
Flat rate per review [all toll free conference call numbers provided by NLNB]
Distribution: 60% North America, 20% Europe and 20% Asia

OSSR Price Quote
CCSR Price Quote
$600 Per Review (To be placed directly on the sourcing site)
Travel, Lodging, and Hourly Rate
Travel should be booked in advance for the best rate. Lodging costs are not to
exceed $200 per night.
Hourly rates of Team 3 correspond to experience in the security consulting industry:
Senior member: $75.00/hr
Junior member: $50.00/hr
Project ceilings and additional notes
Project not to exceed $2.5 million USD
The discounted rate for this project is 12%
The length of this project should not exceed 3 years

$2,000 Per Review (To be placed directly on the sourcing site)

Project Manager: Allie Nizinski, (717) 324-2618, acn136@psu.edu


Project Objectives:
- To ensure confidentiality, security, and integrity of NLNB data while in the
  hands of NLNB's vendors and to fulfill NLNB's legal and regulatory
  commitments;
- To ensure required logical and physical security controls over all external
  facilities where NLNB Data is accessed, processed, filed, transmitted or
  stored;
- To assess risks associated with external vendor non-compliance and
  ensure they implement appropriate security and control measures required
  to mitigate those risks.

VSCRs are conducted at external locations that process, store or access NLNB
business or customer confidential data. This includes but is not limited to:
- Out-tasking an internal function to an external vendor (e.g., telemarketing,
  resource strategy, etc.);
- External companies that have direct on-line access to NLNB systems; and
- External companies that perform a service or product support for NLNB.

Success Criteria:
Project success metrics will be decided at a later date, but Team 3 will be
conscientious of scope, time, cost, and quality. Team 3 is prioritizing cost at NLNB's
request.
Approach:
- Review internal and external templates and examples of project management
  documents
- Determine a way to measure the value of vendor review during the project
- Research vendor review and best practices

Roles and Responsibilities


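Name and Signature: Mats Gausdal
Role: EY Point of Contact
Position: Penn State Consulting Team
Contact Information: mqg5319@psu.edu, (610)-413-4420

Name and Signature: Michael Hegarty
Role: Coordinator
Position: Penn State Consulting Team
Contact Information: mah5741@psu.edu, (215)-983-5000

Name and Signature: Franklin Mak
Role: Documenter
Position: Penn State Consulting Team
Contact Information: fwm5072@psu.edu, (215)-908-0994

Name and Signature: Allie Nizinski
Role: Project Manager
Position: Penn State Consulting Team
Contact Information: acn136@psu.edu, (717)-324-2618

Name and Signature: Andrew Dunheimer
Role: Client/Advisor
Position: EY Consulting
Contact Information: Andrew.Dunheimer@ey.com

Name and Signature: Lauren Ceppi
Role: Client/Advisor
Position: EY Consulting
Contact Information: Lauren.Ceppi@ey.com

Name and Signature: John Hill
Role: Special Consultant
Position: Penn State
Contact Information: ANGEL

Name and Signature: TAs
Role: Reviewer
Position: Penn State
Contact Information: ANGEL

Comments: (Handwritten or typed comments from above stakeholders, if applicable)
None at this time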

Agenda for Kick-Off Meeting


EY Project
Kick-off Meeting
[February 6, 2015]
Meeting Objective: Get the project off to a great start by introducing key stakeholders,
reviewing project goals, and discussing future plans
Agenda:
- Introductions of attendees
- Background of project
- Review of project-related documents (i.e. business case, project charter)
- Discussion of project organizational structure
- Discussion of project scope, time, and cost goals
- Discussion of other important topics
- List of action items from meeting

Action Item: Business Case, Weekly Agenda
Assigned To: Franklin Mak
Due Date: February 13, 2015

Action Item: Project Charter, Bibliography
Assigned To: Allie Nizinski
Due Date: February 13, 2015

Action Item: Lessons Learned Report, Stakeholder Management Strategy, Stakeholder
Communication Analysis, Stakeholder Register
Assigned To: Michael Hegarty
Due Date: February 13, 2015

Action Item: Communicate and send weekly agenda on a weekly basis to EY
Assigned To: Mats Gausdal
Due Date: February 13, 2015

Date and time of next team meeting: Wednesday, February 18, 2015
Date and time of next EY meeting: Monday, February 16, 2015


Risk Management for Vendor Reviews


There are certain risks associated with conducting the vendor reviews for NLNB. These
include risks correlated with scheduling difficulties due to weather and fairness when
creating performance review metrics. From a technical standpoint, there are risks of the
VSCRs finding holes in security, but especially in overlooking those holes in security.
We plan to manage this risk by having the SCFs be diligent in their VSCRs in terms of
consistency and thoroughness and by maintaining consistency by using a set of best
practices. In addition, the pre-existing VSCRs might not be adequate enough, given the
manner in which they are slated to be executed. There is also concern regarding
technical issues with security itself. Lastly, CCSRs can have connectivity issues
depending on the Internet Service Provider or conference call mediums (programs such
as Skype). During the initiation phase of the project we have given specific
consideration to acts associated with these risks.


Overview - Planning
To manage purchased services, we need to find vendors that have goals that align well
with NLNB's own goals to expand and secure the information of their future customers,
in addition to reinforcing the security that guards archived data from their clients before
the expansion. NLNB needs to keep costs down to allow them to continue to offer
excellent service at an affordable price, as well as be consistently secure and be
diligently well-kept to keep their business smooth, safe, and sound.
The purpose of the reviews is to assess the security of each vendor's facilities and
provide assurance that each vendor has taken the appropriate information security
measures to comply with the current contract in place. We will be assessing the risks
involved for each vendor and comparing price points to negotiate better prices or
change vendors.


Functional Description
To improve profitability, NLNB has prioritized managing the cost of purchased services.
NLNB wishes to obtain better pricing by leveraging vendor relationships.
The Request for Proposal (RFP) is being sent to competitors of NLNB's current vendors
to identify the best value, cost effective providers for these services. NLNB is looking for
us to provide Vendor Security Compliance Review (VSCR) services.
VSCRs will be conducted for NLNB vendors, since business or customer-confidential
data is being processed, stored, and/or accessed by those vendors. The reviews will assess
the security of each vendor's facilities and ensure that each vendor has taken the
necessary security measures that are consistent with its contract obligation. The
reviews will allow NLNB to ensure the integrity of its data and keep costs down.


Technical Description
To discover and/or confirm which vendors currently offer NLNB the best value, we will
travel to each vendor and review their facility's security and ensure that each vendor is
maintaining its contractual obligation.
These reviews ensure confidentiality, security, and integrity of Nittany Lion National
Bank Data while in the hands of NLNB's Vendors, fulfill NLNB's legal and
regulatory commitments, and ensure required logical and physical security controls
over all external facilities where NLNB Data is accessed, processed, filed, transmitted or
stored.
2 Types of Security Reviews

On-Site Security Review (OSSR)
- On site - 1 1/2 day duration [excluding preparation for review and report preparation]
- Uses the NLNB Interview Process Utility
- Physical and logical security questions covered
- Performed: 1) on Vendors that have a contract in place with NLNB; and 2) on an
  ongoing basis

Conference Call Security Reviews (CCSR)
- Conference call - 2 hr duration [excluding preparation for review and report
  preparation]
- Uses the NLNB Technology Evaluation Questionnaire
- Logical security questions in scope
- Performed on potential NLNB Vendors prior to contract

To perform an on-site review, we will travel to the actual company and conduct the
review in person, at the vendor's facilities. On-site reviews with vendors are conducted
only for current NLNB vendors. This review is the most expensive option because it
includes travel cost, lodging cost, and the hourly rate of the employees who perform the
review. Even though it is more expensive, the on-site review provides the best
opportunity for a successful review because we meet the vendor face-to-face and
physically review their facilities on-site. An on-site visit allows us to cover both physical
and logical security questions.
OSSRs are best performed by SCF staff already located in the specific geography.
Only one qualified person is necessary for each Vendor assessment. If a
seasoned/credentialed professional is not available, the SCF will submit a resume of a
qualified replacement to NLNB for consideration and approval prior to conducting the
review.
NLNB provides an Interview Process Utility [IPU] for the OSSR. This spreadsheet
format is augmented with guidelines for the acceptable depth of findings and
assistance for rating the responses.

For the CCSR, a Questionnaire is provided to the vendor firm being reviewed. The
Technology Evaluation Questionnaire [TEQ] is completed by the firm and returned. It is
then used as the complete basis of the Conference Call. No separate research or
evaluation from the SCF is part of the process. The SCF will work with the NLNB
Vendor Relationship Manager (VRM) and the NLNB Review Coordinator, as
appropriate, to coordinate all reviews and associated meetings.

The NLNB methodology for performing these reviews has been used both by NLNB
staff and by other SCFs. While the process will continue to be refined, the SCF should
not consider development of the methodology, or the tools, used for the reviews to be
part of the work effort. The SCF will utilize NLNB's existing methodology and developed
tools for these reviews.
Review Guidelines

| On-Site Security Review (OSSR) | Conference Call Security Reviews (CCSR) |
|---|---|
| SCF performs scheduling with VRM and service provider | Scheduling performed by NLNB Project Governance Board. SCF prepares and facilitates. |
| Documentation from review is provided to NLNB Vendor Security Management with the report. | The only documentation from review should be the report itself |
| SLA: Reviews identified in the two week period before a quarter are completed in the quarter. Report due to NLNB within 30 business days of site visit | SLA: Reviews are performed within 25 business days after being requested. Report due to NLNB within 5 business days of CC |
| Report is Quality Assured by SCF before submission to NLNB | Report is Quality Assured by SCF before submission to NLNB |
| SCF works with VRM | SCF works with NLNB Project Manager |

Key steps in the process to be performed by the SCF include:

- Ensure that a Non-Disclosure Agreement (NDA) is completed and signed
  between the vendor being reviewed and the SCF
- For OSSRs, the SCF will offer participation [observation] to the VRM
- For OSSRs, perform a minimum of 5 control tests per review
- The SCF must ensure that all data collected during the review is adequately
  protected while in their custody [via PGP disk level encryption or equivalent for
  electronic copies and good business practices for paper copies]. The SCF will
  retain secured service partner documents for one year or until completion of a
  subsequent review, whichever is longer.
- Risk ratings of High, Medium and Low shall be applied in accordance with the
  guidelines set forth in NLNB-provided rating guidance.

The current IPU has 175 individual exploration areas. These are grouped in 25 sections.
There are 107 questions in the current version. The full IPU and TEQ will be provided to
the SCF(s) chosen to perform the work.

Another type of review performed is a teleconference security call. This call is used to
review potential vendors that could do business with NLNB. The conference call takes
place over the span of a couple of hours with potential vendors and answers logical
questions about their performance. This is a cheaper review because it does not require
travel and lodging costs since the review is over the phone. This review only costs the
hourly rate of the employees who perform the review.

General Exclusions/Limitations:
- NLNB will own all methodology, procedures, questionnaires, pre-assessments,
  training materials and assessment results.
- This RFP is intended to gather information about your firm's ability to perform
  multiples of these reviews per year. The project does not, in itself, target
  improving the process [though there are parallel efforts with this as a target].
- The SCF will not reuse assessment materials from vendor to vendor.


Project Assumptions
If a vendor is compliant, competitor pricing will be compared, but NLNB also takes
other factors into account. Current NLNB vendors will be evaluated based on current performance
and history of interaction. If vendors are satisfying cost, scope, time, and quality, it is
likely that the vendor will be eligible for an extended contract/a future contract.

If a vendor is not compliant with the contract agreement when addressing the issue of
protecting highly sensitive information (NLNB's business and customer information), this
constitutes a breach of contract and the contract may be terminated. Vendors may be
given a warning and will work with NLNB to come into compliance. NLNB is permitted
to hire/fire vendors when contract obligations are not satisfied. A Request for Proposal
(RFP) will be sent out to identify alternative vendors who are prepared to step in if the
occasion calls for it.

If a competitor submits competitive pricing, the competitor will be under review.
Although the competitor meets the scope and cost constraints, further review will be
needed to look into time and quality constraints. Additionally, the competitor has the
option to submit to a review of their current security measures at their facilities to ensure
the integrity of all of NLNB's data.


Risk Register and List of Prioritized Risks

[Refer to the file named nlnb_vscr_risk_register.xlsx]


Project Scope Statement


Project Title: NLNB Service Vendor Quality Assessment
Date: 03/07/15

Prepared by: Franklin Mak

Project Justification: To ensure confidentiality, security, and integrity of NLNB data
accessed by external vendors. We want to guarantee that the vendors being used for
the data collection have the processes in place to be able to keep all information safe.
Each vendor must be able to ensure that the wrong person does not access the data, that
the data is correct and accurate, and that it is available when it is needed.
Product Characteristics and Requirements:
1. This project must yield a working system of VSCRs as well as a method of
judging them to ascertain if the security of one branch or others is compromised
or likely to be compromised. It should also detect any internal malicious
tampering of software, security-related or otherwise.
2. Should a security compromise occur due to internal leakage (i.e. one
of NLNB's employees copying information and financial detail to use/distribute
elsewhere), that leakage will be handled by NLNB.
3. Should a security compromise occur due to a hardware issue (i.e.
server malfunction, defective parts), we shall arrive promptly to repair and, if
necessary, replace parts and machinery with funds allocated by the proposed
budget.
a. While repairs are made, the damages will be recorded and examined to
investigate malicious activity. Depending on the outcome, the costs may
shift to NLNB if an employee of theirs was responsible for the damage.
4. Should a security compromise occur due to software issues, a
technician will go to investigate and fix it in a timely manner.
a. If the technician cannot fix the problem within a reasonable timeframe, the
bank itself will be briefed on the situation and advised accordingly on
whether or not they should continue to function or to hold off certain
affected operations until the issue is remedied.
Product User Acceptance Criteria:
1. The VSCRs must be thorough enough to mitigate the chance of data leaks and
to flush out any possible liabilities.
2. These VSCRs should also be easy to perform and ready to perform should
concerns arise.
3. Should the VSCRs find that the security measures for their data are inadequate,
there should be measures in place to fix them in a timely and cost-efficient
manner.
Summary of Project Deliverables
1. Project management-related deliverables: business case, charter, team
contract, scope statement, WBS, schedule, cost baseline, status reports, final
project presentation, final project report, lessons-learned report, and any other
documents required to manage the project.
2. Product-related deliverables:
a. A working VSCR System
i. Judging Rubric
ii. Review Scheduling System

Requirements Traceability Matrix for NLNB Service Vendor Quality Assessment

Prepared by: Allie Nizinski
Date: 03/03/15

| Requirement No. | Name | Category | Source | Status |
|---|---|---|---|---|
| R1 | NLNB Interview Process Utility | Documentation | Project Charter | Complete. Provided by NLNB. |
| R2 | NLNB Technology Evaluation Questionnaire | Documentation | Project Charter | In progress. Documentation is being assembled. |
| R3 | Physical Security Questions | Documentation | Project Charter, Scope | In progress. Documentation is being assembled. |
| R4 | Security Questions | Documentation | Project Charter, Scope | In progress. Documentation is being assembled. |
| R5 | Non-Disclosure Agreement | Documentation | Project Charter | Complete. Provided by NLNB. |
| R6 | Control Test Procedures | Documentation | Project Charter | In progress. Documentation is being assembled. |
| R7 | PGP Disk Level Encryption | Software | Project Charter | Complete. Software ordered. |
| R8 | Hotel Reservation | Lodging | Project Charter | Ongoing. |
| R9 | Airline Reservation | Travel | Project Charter | Ongoing. |

Work Breakdown Structure

[Refer to the file named wbs.pdf]

Tabular Form
1. NLNB VSCRs
1.1 Initiation
1.1.1 Evaluate current systems
1.1.1.1 Evaluate state of current system
1.1.1.2 Analyze product and compare to updated requirements
1.1.2 Define VSCRs requirements
1.1.2.1 Define user requirements
1.1.2.1 Define content requirements
1.1.2.2 Define system requirements
1.1.2.3 Define NLNB vendors server requirements
1.1.3 Define specific functionality
1.1.3.1 Define system functionality
1.1.4 Define risks & risk management approach
1.1.4.1 Define project risks
1.1.4.2 Identify risks
1.1.4.3 Specify response
1.1.4.4 Assess security posture
1.1.5 Develop project plan
1.1.6 Develop a vendor risk assessment
1.1.7 Develop a budget plan
1.1.8 Brief development team

1.2 VSCR Planning
1.2.1 Develop design plan
1.2.1.2 Develop use cases
1.2.1.3 Create data architecture
1.2.1.4 Create hardware architecture
1.2.2 Design product
1.2.2.1 Design framework
1.2.2.2 Design UI
1.2.2.4 Design database
1.2.3 Design Test
1.2.3.1 Design Test of 1.2.2
1.2.4 Design Schedule
1.2.4.1 Design calendar when vendors can participate in assessments
1.3 VSCR development
1.3.1 Develop product
1.3.1.1 Develop framework
1.3.1.3 Develop UI
1.3.1.4 Develop database
1.3.2 Execute tests
1.3.2.1 Execute manual tests
1.3.3 Implementation
1.3.3.1 Implement product with NLNB
1.3.3.2 Analyze product testing

1.3.4 Data collection
1.3.4.1 Review data collection requirements
1.3.4.2 Import sample data collection
1.4 Executing phase
1.4.1 Rollout
1.4.1.1 Migrate sample data
1.4.1.2 Install software
1.4.2 Alpha testing phase
1.4.2.1 Gather subjects
1.4.2.2 Conduct user testing
1.4.2.3 Feedback
1.4.2.4 System testing
1.4.2.5 Implement changes
1.4.3 Beta testing phase
1.4.3.1 Gather additional subjects
1.4.3.2 Conduct user testing
1.4.3.3 Feedback
1.4.3.4 System testing
1.4.3.5 Implement Changes
1.4.4 Data Assessments
1.4.4.1 Data Collection
1.4.4.2 Migrate data
1.4.4.3 Data Analysis

1.4.4.4 Data Report
1.4.5 Product rollout
1.4.5.1 Conduct final system testing
1.4.6 Announce launch
1.4.7 Quality Assurance
1.4.7.1 Confirm that the product meets the requirements
1.5 Support
1.5.1 Define support requirements
1.5.1.1 Define user support
1.5.1.2 Define product support
1.5.2 Training
1.5.2.1 Conduct training requirements
1.5.2.2 Gather personnel
1.5.2.3 Team technical training

WBS Dictionary
Project Title: NLNB Service Vendor Quality Assessment

WBS Item Number: 1.1
WBS Item Name: Initiation
Description: Conduct review of existing VSCRs.

WBS Item Number: 1.1.1
WBS Item Name: Evaluate current systems
Description: In the planning phase of VSCR the SCF will conduct an evaluation of the
current product NLNB is utilizing. This will help in the development of updated VSCRs.
SCF will conduct a requirement test of the product and will analyze and compare it to
the updated requirements. This will help SCF in developing a new plan for VSCRs. This
will also help add a lot of value to NLNB's product.

WBS Item Number: 1.1.2
WBS Item Name: Define VSCRs requirements
Description: Define requirements for VSCRs in terms of user, content and system
requirements.

WBS Item Number: 1.1.3
WBS Item Name: Define specific functionality
Description: Product is capable of serving the purpose for which it was designed,
specifically in terms of its system.

WBS Item Number: 1.1.4
WBS Item Name: Define risks & risk management approach
Description: Assess project risks and identify them accordingly. Specify a response for
the related risks. Ensure logical and physical security controls over all external facilities
where NLNB Data is accessed, processed, filed, transmitted or stored.

WBS Item Number: 1.1.5
WBS Item Name: Develop project plan
Description: Develop a continuous plan for the project given the updated evaluations,
requirement definitions, functionalities, risks, and risk management approach.

WBS Item Number: 1.1.6
WBS Item Name: Brief development team
Description: Conduct a brief with the team responsible for developing the product. Go
over the necessary requirements for the product and make sure they are understood.

WBS Item Number: 1.2
WBS Item Name: VSCR planning
Description: Prepare the preliminary plans for the work to be developed and executed.

WBS Item Number: 1.2.1
WBS Item Name: Develop design plan
Description: Develop project and purpose of the design phase. Define interactions in
UML to achieve the required goal. Ensure models, policies, and standards comply with
data collection, arrangement and integration. Identify the system's physical components
and how they work together.

WBS Item Number: 1.2.2
WBS Item Name: Design product
Description: Develop the MVC for the product. Ensure the three parts effectively
communicate. Develop an effective interactive UI that complies with the requirements.
Develop EDR for database.

WBS Item Number: 1.2.3
WBS Item Name: Design Test
Description: Conduct testing of the design.

WBS Item Number: 1.3
WBS Item Name: VSCR development
Description: The development phase of the product. In this phase the VSCRs will be put
to work.

WBS Item Number: 1.3.1
WBS Item Name: Develop product
Description: The MVC will be developed in accordance with the framework, the UI will be
developed and the database will be developed according to its EDR.

WBS Item Number: 1.3.2
WBS Item Name: Execute Test
Description: First testing phase of the product. Testing phase conducted to eliminate
critical errors.

WBS Item Number: 1.3.3
WBS Item Name: Implementation
Description: Implement product testing with NLNB vendor and analyze how it functions.

WBS Item Number: 1.3.4
WBS Item Name: Data collection
Description: Review what data is to be collected for testing purposes. Following this, the
data will be imported into the development database.

WBS Item Number: 1.4
WBS Item Name: Executing phase
Description: Product executing phase. The product has finished development and is ready
for execution.

WBS Item Number: 1.4.1
WBS Item Name: Rollout
Description: The sample data will be migrated to the vendor and software will be
installed.

WBS Item Number: 1.4.2
WBS Item Name: Alpha testing phase
Description: First round of external testing. Subjects will be chosen and they will
conduct testing of the system. Subjects will give feedback; SCF will test the system and
implement necessary changes based on feedback.

WBS Item Number: 1.4.3
WBS Item Name: Beta testing phase
Description: Second round of external testing. The larger group of subjects will give a
more real-life experience to the system. This will give the SCF key feedback on how to
ensure the product runs effectively.

WBS Item Number: 1.4.4
WBS Item Name: Data Assessments
Description: Perform collection of NLNB customer data, analyze it and ensure it runs
effectively with the new product.

WBS Item Number: 1.4.7
WBS Item Name: Quality assurance
Description: Perform quality test of the product, meet with NLNB and make sure they
are satisfied with the new product.

WBS Item Number: 1.5
WBS Item Name: Support
Description: Go over the necessary support requirements between SCF and NLNB.

WBS Item Number: 1.5.1
WBS Item Name: Define support requirements
Description: Talk with the user and ensure they understand the purpose of the product,
and perform product support.

WBS Item Number: 1.5.2
WBS Item Name: Training
Description: Gather requirements for training phase. Conduct meeting with NLNB to
ensure that they understand how the new system works. Perform training for training
staff (train the trainer).

Scope Management Plan

Date: 03/06/15
Project Name: NLNB Service Vendor Quality Assessment

Introduction
Throughout this project we will be reviewing current and prospective vendors. These
vendors will be reviewed on their security practices. Both on-site and remote reviews of
vendors will take place to ensure proper research has been done. Throughout this
section we will explain how we prepared the scope statement and how we are
controlling and managing it through each iteration of the project.

Preparing the Scope Statement


Reviewing NLNB Service Vendor Quality Assessment objectives, requirements and
milestones is needed to formulate a scope statement. The scope statement will be
developed through inputs from the stakeholders, clients and team members. The scope
will be created to ensure the project stays on task and is completed as planned. Key
documents such as the project charter, stakeholder register, preliminary scope
statements and other planning documents will be crucial in laying the foundation for the
scope. The scope statement will include constraints, assumptions, exclusions,
deliverables and acceptance criteria. As time progresses the scope becomes clearer
and must be communicated to the project stakeholders.

Creating the Work Breakdown Structure (WBS)

A Work Breakdown Structure (WBS) is a hierarchical decomposition of work. It is
broken down into subdivisions with individual work packages that have corresponding
project deliverables. The WBS allows the project manager to effectively manage the
scope and be able to present the project in terms of work packages. The WBS shows
each main deliverable, in this case each Phase, but then also breaks down the Phases
to show smaller sections. This presents the project in an easily visible way for
stakeholders. The WBS will be composed of all the defined work packages.

Verifying Completion of Project Deliverables


Each deliverable was communicated early on in the project. The deliverable was
defined and was given a due date. Each deliverable should be verified against the project scope
and formally accepted by the stakeholders and clients throughout the project life cycle.
If a deliverable is not accepted then the scope of the project will have to change
according to what the stakeholders want. The project manager must ensure that the
deliverables given for acceptance are on par with what was presented as the
deliverables in the beginning of the project's life. A deliverable acceptance document
will be signed to officially verify and accept that each deliverable meets the project's
scope. This document will ensure the deliverables have been formally accepted and
align with the requirements of the scope.

Managing Requests for Changes to Project Scope

To manage requests for changes to the project scope, one has to be monitoring the
scope at every deliverable. There are many scope elements that need to be monitored
during the project that can impact the original scope. The project manager and team are
responsible for monitoring the scope and elements that could impact the scope. There
are many unplanned things that could change the scope during the project's life cycle, so
the scope must constantly be monitored. Proposed changes to the scope could be
brought about by the sponsor, stakeholder or project manager. Any proposed change
must be approved by the project manager because it will impact the overall project
greatly. Risk factors must be presented to the stakeholders because of the impact
changing the scope has on the project.


Gantt Chart with Milestones

[Refer to the file named EYTeam3-Plan-Schedule.mpp.]


Activity-On-Arrow Network Diagram

[Refer to the file named aoa.pdf.]

1 Initiation
2 Evaluate current systems
3 Define risks & risk management approach
4 Define VSCRs requirements
5 Define specific functionality
6 Develop project plan
7 Brief development team
8 Develop design plan
9 Develop use cases
10 Create data architecture
11 Create hardware architecture
12 Develop product
13 Execute tests
14 Implementation
15 Analyze product testing
16 Data collection
17 Rollout
18 Create sample data
19 Migrate sample data
20 Install prototype
21 Install software
22 Alpha testing phase
23 Beta testing phase
24 Data assessments
25 Product Rollout
26 Announce launch
27 Quality Assurance
28 Define requirements
29 Define support
30 Define Product support
31 Develop training program
32 Train Employees
33 Completion
Schedule Management Plan


The schedule model was created by basing it on the WBS activity list, identifying key
milestones in the WBS, and following the critical path made from the WBS and the key
milestones.

In terms of project progress, we decided that time (specifically, days) was
the most effective measure for monitoring progress. The estimates above
are likely to deviate by about 2 to 5 days.

Concerning estimate deviation, we figured that our variance threshold would be around
±10%, due to a plethora of possible delays (e.g. additional required tests, key members of
the development team being incapacitated, etc.).

Progress reports should contain two bar graphs; the first bar graph for where our ideal
progress should be, and the other for where our actual progress is. These graphs
should compare the number of tasks completed alongside the time that elapsed during
their completion. We would expect a progress report every week, as well as upon the
completion of each milestone. Should a milestone be reached at the same time as the
normal weekly progress report, only one will be required.

Below is our plan for our schedule management process:


1) Initiation
a) Concept
i) Evaluate current systems
(1) Examine existing protocols and systems and decide if they are to be
integrated into the new system, reengineered for usage in the new
system, or retired.
ii) Define VSCRs Requirements
(1) Identify standards to be kept and protocols to be observed.
iii) Define specific functionality
(1) Identify programs and their functions/purpose within the system.
iv) Define risks and risk management approach
(1) Identify possible negative outcomes and how they will be addressed in the
event that they should occur.
v) Develop project plan
(1) Elaborate on what resources are being applied to which parts of the effort.
vi) Brief development team
(1) Communicate the information gathered from the pre-existing systems, the
VSCR requirements, specific functionality, risk management approaches,
and the project plan to the development team.
2) Planning
a) VSCR Design
i) Develop design plan
(1) Design product
(a) Given the information from the briefing at the end of the initiation stage,
the development team lays out the basic architecture of the new
system.
(2) Design test
(a) After the architecture is finished drafting, it is tested, then adjusted or
overhauled accordingly in response to any issues that arise in the
tests.
ii) Develop use cases
(1) Brainstorm the average usage of the system, from the duration of usage
per session to the frequency of the system's usage.
(2) From the above, cater to the specific functions in the system with regard to
the findings.
iii) Create data architecture
(1) Taking the product designs, the development team fleshes out the system
in code, testing frequently as they go to mitigate the number of bugs to be
found later.
iv) Create hardware architecture
(1) The development team begins to acquire the equipment necessary to
support the system. This equipment can use parts from the older system,
in which case it is treated as a legacy system.
3) Executing
a) VSCR Development
i) Rollout
(1) After the data and hardware architecture is established, it is tested
thoroughly.
ii) Create sample data
(1) In order for the Rollout to occur, sample data must be generated for it to
process.
iii) Migrate sample data
(1) The sample data is inputted into the system and passed off to testing.
iv) Install prototype
(1) The prototype of the hardware is installed in specific branches for the
upcoming testing phases.
v) Install software
(1) The software is installed into the prototype hardware for the system in
preparation for the testing phases.
4) Monitoring and Controlling
a) Monitoring and Controlling
i) Alpha testing phase
(1) The system with the sample data in it is exposed to and tested by employees
who would use this system. The first rounds of testing would reveal bugs
and system functionality failures.
ii) Beta testing phase
(1) The adjusted system from after the alpha testing phase is exposed to the
employees once more. More bugs are discovered and feedback
regarding the system's UI and other minor issues is received.
iii) Data assessments
(1) The development team takes their findings from both phases of testing
and adjusts the system with consideration to feedback and fixes any
remaining bugs that they found.
iv) Product Rollout
(1) The product itself is polished and prepped for the launch.
v) Announce launch
(1) A date is decided on for the official integration of the system into all
branches.
vi) Quality assurance
(1) After the installation and integration of the new system, channels of
communication are opened up in advance for the technical support that
will maintain its functions.
5) Closing
a) Support
i) Define Requirements
(1) Based on communicated issues found in the alpha and beta stages, in
addition to the issues found after Product Rollout, determine the needs of the
end users of the system.
ii) Define support
(1) Determine the levels of support. For instance, there could be a need for
levels of clearance depending on the nature of the issue and where it is.
iii) Define product support
(1) Determine the types of support. For example, there could be a need for
technical or hardware support and software support.
iv) Develop training program
(1) Lay the foundations to teach employees how to troubleshoot issues that
occur and fix them if they are beyond user error. In addition, establish
regulations and protocol regarding user access and clearance levels.
v) Train employees
(1) Enroll employees in the training program as they come in.

Project Schedule Model Development


1) Initiation
a. Conceptualization
i. Evaluate current systems
1. Duration: 1 day
2. Dependencies: 1 -- Evaluate current systems
ii. Define VSCRs Requirements
1. Duration: 1 day
2. Dependencies: 1 -- Evaluate current systems
iii. Define specific functionality
1. Duration: 1 day
2. Dependencies: 1 -- Define VSCRs Requirements
iv. Define risks and risk management approach
1. Duration: 1 day
2. Dependencies: 0
v. Develop project plan
1. Duration: 1 day
2. Dependencies: 4 -- Evaluate current systems, Define VSCRs
Requirements, Define specific functionality, Define risks and
risk management approach
vi. Brief development team
1. Duration: 1 day
2. Dependencies: 1 -- Develop project plan
2) Planning
a. VSCR Design
i. Develop design plan
1. Design product
a. Duration: 10 days
b. Dependencies: 0
2. Design test
a. Duration: 8 days
b. Dependencies: 0
ii. Develop use cases
1. Duration: 8 days
2. Dependencies: 1 -- Develop design plans
iii. Create data architecture
1. Duration: 9 days
2. Dependencies: 1 -- Develop use cases
iv. Create hardware architecture
1. Duration: 9 days
2. Dependencies: 1 -- Develop use cases
3) Executing
a. VSCR Development
i. Rollout
1. Duration: 1 day
2. Dependencies: 0
ii. Create sample data
1. Duration: 1 day
2. Dependencies: 0

iii. Migrate sample data
1. Duration: 1 day
2. Dependencies: 1 -- Rollout
iv. Install prototype
1. Duration: 1 day
2. Dependencies: 1 -- Migrate sample data
v. Install software
1. Duration: 2 days
2. Dependencies: 1 -- Install prototype
4) Monitoring and Controlling
a. Monitoring and Controlling
i. Alpha testing phase
1. Duration: 2 days
2. Dependencies: 0
ii. Beta testing phase
1. Duration: 2 days
2. Dependencies: 1 -- Alpha testing phase
iii. Data assessments
1. Duration: 3 days
2. Dependencies: 0
iv. Product Rollout
1. Duration: 3 days
2. Dependencies: 0

v. Announce launch
1. Duration: 1 day
2. Dependencies: 1 -- Product Rollout
vi. Quality assurance
1. Duration: 6 days
2. Dependencies: 1 -- Announce Launch
5) Closing
a. Support
i. Define Requirements
1. Duration: 2 days
2. Dependencies: 0
ii. Define support
1. Duration: 3 days
2. Dependencies: 1 -- Define Requirements
iii. Define product support
1. Duration: 1 day
2. Dependencies: 0
iv. Develop training program
1. Duration: 2 days
2. Dependencies: 0
v. Train employees
1. Duration: 5 days
2. Dependencies: 0


Project Cost Baseline

[Refer to the file named EYTeam3-PhaseE-CostBaseline.xls.]


Project Cost Estimate

[Refer to the file named EYTeam3-PhaseE-Cost Estimate.xls.]


Cost Management Plan


Planning Cost Management
Policies and Procedures

NLNB Information Security Organization
The Information Security Organization will be assessing the security of each vendor's
facility to provide assurance that each vendor has taken the appropriate information
security measures to comply with the current contract in place.
Personnel Security
All employees and contractors are subject to pre-employment screening, which includes,
but is not limited to, criminal and financial checks, employment and education
verification, reference checks, and drug screening. National Regulations do not restrict
pre-employment screening.
Security Practices
NLNB's network management program includes regular as-needed maintenance of a
network topology documenting network devices and access points (i.e. wireless,
extranet, Internet, and dial up), device change management, immediate alerts via email
and text on network failures and anomalies, bi-weekly scanning for rogue devices and
wireless access points, and access and change audit log review.
Operational Practices and Procedures
All third party providers for any connections, products, or open source code are required
to have Service Level Agreements (SLAs).

For further information, please reference the CCSR Questionnaire.


Estimating Costs

Determining the Budget
As with most projects, more than half of the funding allocated to developing and
installing the VSCRs will tend to go to labor. In particular, the project calls for a
decent number of experts in their respective fields for the development team, the heart
of the endeavor. The individuals on the development team each receive an hourly
wage for this project. In addition to the hourly wage, their necessary travel and hotel
costs are factored in for the meetings held at each milestone. Lastly, there
are estimates of how much hardware will cost.
Controlling Costs


As stated above, individuals on the development team receive an hourly wage for this
project. This wage is adjusted in accordance with their actual contribution to the
project. For example, if one team member were to expend 300 hours of labor to
complete 1 task and another were to complete 3 similar tasks in about half of that, the
wages would be adjusted to reflect their merit/inefficiency. In addition, costs related to
hotels and travel can fluctuate during certain times of year. As a result, actual
travel/hotel costs can be lower than estimated (it should be noted that the
aforementioned travel/hotel cost estimate considered the worst case scenario in costs).

Overview- Executing


The executing process group takes the actions necessary to complete the work
described in the planning activities. The main outcome of this process group is
delivering the actual work of the project. During the executing process, EY Team 3 team
members will receive assignments. Information will be distributed in a timely manner.
Throughout the execution phase, management will produce a communications
management plan and a quality assurance plan. The key to the executing phase is good
communication, focusing on both group and individual communication needs. By
utilizing a bi-weekly phone call, EY Team 3 and NLNB can maintain excellent
communication.

Communication Management Plan


Date: 04/06/2015
The purpose of the communications management plan is to define the necessary
communication strategies for NLNB VSCR. The intention of this document is to ensure
that stakeholders are aware of their communication responsibilities.

For the project to be successful, it is critical to have effective communication between all
stakeholders. EY Team 3 team members Mats Gausdal, Michael Hegarty, Franklin Mak,
and Allie Nizinski will communicate with each other. Communication with Professor Hill
will be vital to understand the requirements and guidelines for the project.
Communication with NLNB will be performed on a regular basis to ensure the success
of the project. Communication will also be conducted with any other stakeholders whose
support is required for a successful project.

Every team member will, to the best of their ability, ensure the project will not suffer
from bad communication. Project Leader Allie Nizinski and Point of Contact Mats
Gausdal will be responsible for the daily communication with the stakeholders. Allie
Nizinski is responsible for the communication within the team and with Professor Hill.
Mats Gausdal is responsible for communicating with Andrew Dunheimer and Lauren
Ceppi. In the event of revised procedures to the project, the responsible stakeholders
will update the rest of the team.

| Stakeholders | Communications Name | Delivery Method/Format | Producer | Due/Frequency |
|---|---|---|---|---|
| Michael Hegarty | Continuous Status Reports | E-mail and Short Meeting | All Team Members | 4/10/15 |
| Allie Nizinski | Continuous Status Reports | E-mail and Short Meeting | All Team Members | 4/10/15 |
| Franklin Mak | Continuous Status Reports | E-mail and Short Meeting | All Team Members | 4/10/15 |
| Mats Gausdal | Continuous Status Reports | E-mail and Short Meeting | All Team Members | 4/10/15 |
| John Hill | Weekly Status Reports | E-mail and Short Meeting | All Team Members | As Necessary |
| Andrew Dunheimer | Weekly Status Reports | E-mail and Conference Meetings | Mats Gausdal | Every Monday at 3:00 pm |
| Lauren Ceppi | Weekly Status Reports | E-mail and Conference Meetings | Mats Gausdal | Every Monday at 3:00 pm |

Glossary of Common Terminology


Forecasts - Predict future project status and progress based on past information and
trends
Interactive Communication - Two or more people interacting to exchange information
via meetings, phone calls, or video conferencing
Lessons Learned Report - A document that reflects on the important information team
members have learned from working on a project
Progress Report - Describes what the project team has accomplished during a certain
period
Pull Communication - Information is sent to recipients at their request via web sites,
bulletin boards, e-learning, blogs etc.
Push Communication - Information is sent or pushed to recipients without their
request via reports, e-mails, faxes, voice mails etc.
Reporting Performance - Involves collecting and disseminating information about how
well a project is moving toward meeting its goals
Stakeholder - A person involved in or affected by project activities
Status Report - Describes where the project stands at a specific point in time. The
report addresses where the project stands in terms of the triple constraint
Wiki - A web site that enables anyone who accesses it to contribute or modify content

Quality Assurance Plan


Overview- Monitoring and Control


During the monitoring and control process, the key task is to manage EY Team 3. We
will be measuring progress toward the project objectives, monitoring deviation from the
plan, and taking corrective action to match the progress with the project plan.
Management includes producing a change request form and a change request log.

The Project Manager, Allie Nizinski, will be monitoring progress closely to ensure that
deliverables are being completed and objectives are being met. Allie Nizinski will work
closely with EY Team 3 and NLNB to ensure that deliverables are being completed on time and objectives are being met.

The ideal outcome of the monitoring and control process group is to complete a project
successfully by delivering the agreed-upon project scope within the time, cost, and
quality constraints. If changes to project objectives or plans are required, the monitoring
and control processes ensure that these changes are made efficiently and effectively to
meet stakeholder needs and expectations. Monitoring and control processes overlap all
of the other project management process groups because changes can occur at any
time.

Change Request Form


Date: 03/30/2015
Project Name: NLNB Service Vendor Quality Assessment
Date Request Submitted: 03/30/2015
Title of Change Request: Reduction of Face-to-Face Meetings
Change Order Number: 1002
Submitted by: Franklin Mak
Change Category: Schedule
Description of change requested: Reduce the number of face-to-face meetings to
reduce costs. Replace those meetings with remote sessions.
Events that made this change necessary or desirable:
The realization that most exchanges of information or briefings could be done over
applications such as Team Viewer or Skype.
Justification for the change/why it is needed/desired to continue/complete the
project:
The reduction of face-to-face meetings would cut costs by decreasing travel, lodging,
and food expenses. This slack in the budget can be reallocated to other parts of the
project.
Impact of the proposed change on: Cost savings.
Scope: None
Schedule: Meetings may be adjusted based on time saved from travelling.
Cost: Should reduce the cost of the project entirely and allow for reallocation of budget.
Staffing: None


Risk: Technical Issues including, but not limited to, connection failures, software and/or
hardware failures, and potential leakage of sensitive information via digital means.
Other: None

Suggested implementation if the change request is approved:


Either a Skype or Team Viewer business license should be acquired and installed by
members involved with key meetings. Availability would need to be reassessed.

Suggested alternate plan if change request is rejected but sentiment is mutual:


Create and enforce a rule that ensures the cheapest possible travel and lodging
arrangements. Cost managers will be such enforcers.
Required approvals:

| Name/Title | Date | Approve/Reject |
|---|---|---|
| Blutarch Mann | In Review | In Review |
| Saxton Barnabus Hale | In Review | In Review |
| Allison Nizinski | 04/03/2015 | Approved |
| Mats Gausdal | 04/03/2015 | Approved |
| Michael Hegarty | 04/03/2015 | Approved |


Change Request Log

Change Log
Project: NLNB Service Vendor Quality Assessment
Date: 04/08/2015

| Change No. | Change Type | Description of Change | Requestor | Date Submitted | Date Approved | Status | Comments |
|---|---|---|---|---|---|---|---|
| CR 001 | Schedule/Costs | This change requests that the number of face-to-face meetings is reduced to reduce travel costs. | Franklin Mak | 03/30/2015 | 04/08/2015 | Approved | This request was approved because the project no longer required that face-to-face meetings be scheduled. |


Overview Closing
During the closing phase, all activities are finalized and all deliverables will be
transferred to NLNB. Our final product will be a Phase H deliverable, a final project
report. This final project report will include all services we will be providing to NLNB.

NLNB will conduct a post-implementation review to analyze whether the project
achieved what it set out to do. Information from this type of review also becomes an
organizational process asset for future projects. After the post-implementation review is
conducted and the review is satisfactory, NLNB will sign off on the Client Acceptance
Form, a written statement formally accepting that the terms of the contract were met.

Project Documentation


No additional project documentation.

Customer Acceptance/ Project Completion Form


Date: 04/08/2015
Project Name: NLNB Service Vendor Quality Assessment
Project Manager: Allison Nizinski

We, the undersigned, acknowledge and accept delivery of the work completed for this
project on behalf of our organization. Our signatures attest to our agreement that this
project has been completed. No further work should be done on this project.

| Name | Title | Signature | Date |
|---|---|---|---|
| Blutarch Mann | Co-founder and CEO of NLNB | | 04/08/2015 |
| Saxton Barnabus Hale | Co-founder and Chairman of NLNB | | 04/08/2015 |

1. Was this project completed to your satisfaction?
a. Yes

2. Please provide the main reasons for your satisfaction or dissatisfaction with this
project.

The project, even with a few considerable obstacles, was a success. It was
timely, effective, and appears to be easy to sustain indefinitely. A few of the cost control
methods from this project have been filed away for usage in future projects, especially
the usage of secured remote communications between branches.

3. Please provide suggestions on how our organization could improve its project
delivery capability in the future.

While the project itself finished on time, a few steps were nearly delayed due to
misinformation or a lack thereof.




Lesson Learned Report

Project Name: NLNB Service Vendor Quality Assessment


Project Sponsor: EY
Project Manager: Allie Nizinski
Project Dates: 3/20/2015
Final Budget: Reference Project Charter for pricing information
1. Did the project meet scope, time, and cost goals?

Phase C did meet the scope and time of the project. The project was due Friday the
6th and each part was completed within an adequate timeframe to properly review
and edit it. There was no cost for this part of the project so the cost goals are
currently irrelevant.

2. What were the success criteria listed in the project scope statement?

The success criteria listed are to meet all the goals set forth. We planned to have the
project done by a certain date so it could be reviewed to ensure the quality is at the
highest level. If these two things were met then it would be a success.

3. Reflect on whether or not you met the project success criteria.

This phase is successful because we met the time and scope goals we planned to
meet.

4. What were the main lessons your team learned from this project?

The main lesson we learned is it is better to get a head start on work because
schedules do not always work as planned. Sometimes people cannot meet at the
same time so it is best to plan ahead.

5. Describe one example of what went right on this project.

One example of something that went right on this project was that Phase B was
completed on time. We did not have to rush at the deadline and have the quality of
work suffer.

6. Describe one example of what went wrong on this project.

Our team meetings did not always go as planned for this phase. At one point we had to
push our meeting back a few days which resulted in not all team members being
able to attend.

7. What will you do differently on the next project based on your
experience working on this project?

Everything has been going well so far with the project, but we have had minor
problems with scheduling our meetings. Therefore in the future we will work more
consciously to properly schedule our meetings to ensure all members can attend.
