0% found this document useful (0 votes)

242 views

Lesson 7: Internet Security: Objectives

This lesson will identify Internet Security issues that IT professionals must be familiar with. Most business Web pages encourage you to subscribe to, register for or purchase products or services over the Internet. How do you know that your personal data will be securely transmitted?

Uploaded by

William C Rounsaville

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

242 views

Lesson 7: Internet Security: Objectives

Uploaded by

William C Rounsaville

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 56

7Lesson 7: Internet Security

Objectives
By the end of this lesson, you will be able to: Identify the three types of encryption. Identify ways that authentication provides Web security. Identify ways that firewalls provide Web security. Identify malware (malicious software). Identify ways to detect and prevent virus attacks. Define spyware. Define patches and updates. Identify ways that screen savers provide workstation security. Define list servers and listserve groups. Identify security-related ethical and legal issues faced by IT professionals.

Authorized to be used in American Public University System. To report abuse, go to www.CIW-certified.com/abuse.

Subscription Expiration 09/12/2010

7-2

Internet Business Foundations

Pre-Assessment Questions
1. What is the most secure method for sending information over the Internet? a. b. c. d. 2. Using Using Using Using encryption passwords patches spyware

Firewalls prevent unauthorized access to or from: a. b. c. d. the Internet. the World Wide Web. private networks. public networks.

What is malware?

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-3

Introduction to Internet Security

The Internet is a network of shared information and resources. The connectivity that makes the Internet possible also makes systems vulnerable to unwanted activity. This lesson will identify Internet security issues that IT professionals must be familiar with in order to protect their companies' systems.

Encryption
OBJECTIVE: 1.10.1: Major encryption types 1.10.2: Authentication, digital certificates, encryption, firewalls 1.10.3: Data confidentiality, data integrity, nonrepudiation

Most business Web pages encourage you to subscribe to, register for or purchase products or services over the Internet. These pages usually solicit personal or confidential information. If you submit information in a Web form, such as the form in Figure 7-1, how do you know that your personal data will be securely transmitted? Will a credit card number be stolen? Will a home address be exploited? Sending sensitive information across the Internet may seem unsafe. However, Web transactions are at least as secure as traditional transactions in which consumers give their credit cards to waiters in restaurants or supply credit card numbers to vendors over the phone. What prevents a waiter or a phone vendor from stealing the credit card number?

Figure 7-1: Web page personal information form

In an effort to make online transmission of sensitive data more secure, many businesses use encryption. As you have learned, encryption is the process of converting data into an unreadable form of text. Encryption is the primary means of ensuring data security and privacy on the Internet. For e-commerce businesses, the mere presence of encryption increases consumer confidence.
key A variable value, such as a numeric code, that uses an algorithm to encrypt and decrypt data. Some applications encrypt and decrypt with the same key, whereas other applications use a pair of keys.

Encryption applications dramatically reduce the risk of information theft by scrambling the information using mathematical algorithms. Encrypted data is referred to as ciphertext; unencrypted data is referred to as plaintext. Encrypted text cannot be read without the correct encryption key. Only the intended recipient of the information has the key to decrypt, or decipher, the data you supply. Because encrypted text is unreadable by anyone who does not possess the correct key, data encryption helps secure online transactions by ensuring the confidentiality and integrity of the data supplied by the customer.

Version 1.2

Subscription Expiration 09/12/2010

7-4

Internet Business Foundations

Three types of data encryption exist: symmetric-key encryption, asymmetric-key encryption and hash encryption.

Symmetric-key (secret-key) encryption

symmetric-key encryption An encryption method in which the same key is used to encrypt and decrypt a message.

Symmetric-key encryption (also called symmetric encryption or secret-key encryption) is an encryption method in which the same key is used to encrypt and decrypt a message. The message sender uses a key (generated by an encryption application) to encrypt the message; the sender forwards a copy of the key to the message recipient, who uses the same key to decrypt the message. It is critical that the secrecy of the key be maintained by the sending and receiving parties in order for symmetric encryption to be effective. If the key is acquired by a malicious third party (such as during the key exchange between sender and recipient), the third party can use the key to decrypt the message and even pretend to be the message sender. When you want to use symmetric-key encryption to communicate with your intended recipients, you should use asymmetric encryption (presented in the next section) to send the key. For all encryption types, the 128-bit encryption standard is considered to be high-level encryption, although much more powerful keys exist (for example, 512-bit key standard).

Asymmetric-key (public-key) encryption

asymmetric-key encryption An encryption method in which two keys (the private key and public key) are used to encrypt and decrypt a message.

Asymmetric-key encryption (also called asymmetric encryption or public-key encryption) refers to an encryption method in which two keys are used to encrypt and decrypt a message: a private key and a public key. The public key is known to all sending and receiving parties involved in the communication, whether via Web browsers, e-mail or instant messaging. The private key is used by the recipient to decrypt the message. Therefore, the private key must be kept secret. The sending and receiving parties must share a public key in order to use asymmetrickey encryption. For example, when Sarah wants to send a secure message to Tina, Sarah uses a shared public key to encrypt the message. When Tina receives the message, she must use her own private key to decrypt the message. As long as Tina keeps her private key secure, only Tina will be able to decrypt her messages. When Tina wants to send a secure message to Sarah, Tina uses a shared public key to encrypt the message. When Sarah receives the message, she must use her own private key to decrypt the message. In asymmetric-key encryption, the public and private keys are mathematically related so that only the public key can be used to encrypt messages, and only the corresponding private key can be used to decrypt them. Asymmetric-key encryption provides a high level of data confidentiality because it is nearly impossible for a malicious third party to decipher the private key, even if the third party knows the public key. Asymmetric-key encryption also provides a high level of data integrity because as long as the private key remains private, a malicious third party cannot alter the data before it reaches the intended recipient.

The RSA algorithm

RSA is the most common asymmetric encryption algorithm. It was developed in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman. RSA is included in the Microsoft Internet Explorer and Mozilla Firefox Web browsers, as well as in Lotus Notes, Intuit Quicken, Netscape Browser and many other products. RSA (www.rsa.com), which owns the encryption algorithm, licenses the algorithm technologies. RSA has evolved into the standard for Internet encryption, and is included in existing and proposed Internet, Web and computing standards.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-5

Hash (one-way) encryption

hash encryption An encryption method in which hashes are used to verify the integrity of transmitted messages. hash A number generated by an algorithm from a text string.

Hash encryption (also called one-way encryption) is an encryption method in which hashes are used to verify the integrity of transmitted messages. (You learned about data integrity and data confidentiality in a previous lesson.) A hash (also called a messagedigest) is a number generated by an algorithm from a string of text. The generated hash value is smaller than the text itself, and is generated in such a way that it is nearly impossible for the same hash value to be generated from some other text. The hash is as unique to the text string as fingerprints are to an individual. Hash algorithms are often used to encrypt and decrypt digital signatures (presented later in this lesson), which are used to authenticate message senders and recipients. The hash algorithm transforms the digital signature into a hash value. When a sender transmits a message, both the digital signature and the hashed digital signature are sent to the recipient, along with the message (which itself should be encrypted using symmetric or asymmetric encryption). Using the same hash algorithm that the sender used, the recipient decrypts the digital signature to derive another hash value, and then compares it with the hashed value that was sent by the sender. If the hashed values are the same, the recipient can be confident that the message integrity remained intact. The hash algorithm verifies that the digital signature was not secretly decrypted, altered and reencrypted during transit from sender to receiver. Another use for hash encryption is to protect passwords from disclosure. A malicious third party cannot re-engineer the hash through a hash algorithm to decrypt a password. When a user enters a password to access a secure Web site or intranet, the password is encrypted and compared to the stored hashed password in the Web server. If the values match, then access is permitted. Once the password is hashed, the process cannot be reversed. Thus, hashing is always a one-way operation. Hash encryption is not useful for data confidentiality, because the encrypted data cannot be decrypted.

Hash algorithms
Popular hash algorithms are MD2, MD4 and MD5. MD2 and MD4 are earlier versions of MD5, all of which were created by Ronald Rivest, one of the co-creators of the RSA algorithm. MD2 was optimized for 8-bit processors, while MD4 and MD5 were optimized for 32-bit processors. The algorithms were intended to be used to encrypt and decrypt digital signatures, but they can be used to encrypt and decrypt messages of any length. MD5, which is the most current and popular version, creates a 128-bit hash from the digital signature or message text. Another popular hash algorithm is the Secure Hash Algorithm (SHA), which creates 160bit hashes. Because SHA produces longer hashes than those produced by MD5, it is more secure from attacks than MD5.

Movie Time!
Insert the CIWv5 Foundations Movie CD to learn even more about this topic. Encryption (approx. playing time: 05:30)
All movie clips are 2007 LearnKey, Inc.

Version 1.2

Subscription Expiration 09/12/2010

7-6

Internet Business Foundations

Authentication
OBJECTIVE: 1.10.2: Authentication, digital certificates, encryption, firewalls

As you learned in a previous lesson, authentication is the process of verifying the identity of a user who logs on to a computer system, or the integrity of transmitted data. Authentication is usually performed through the use of digital certificates, and user names and passwords.

User names and passwords

Requiring user names and passwords is the most common way to authenticate users on private and public computer networks, including the Internet. User names and passwords provide a measure of Web security because the user must enter the correct user name and password to gain access to the Web server. However, user names and passwords can often be forgotten, intercepted, or accidentally revealed, which diminishes their reliability. For this reason, digital certificates are likely to become the standard authentication method on the Internet.
digital certificate A passwordprotected, encrypted data file containing message encryption, user identification and message text. digital signature An electronic stamp added to a message that uniquely identifies its source and verifies its contents at the time of the signature. non-repudiation The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place. OBJECTIVE: 1.10.2: Authentication, digital certificates, encryption, firewalls firewall A security barrier that controls the flow of information between the Internet and private networks. A firewall prevents outsiders from accessing an enterprise's internal network, which accesses the Internet indirectly through a proxy server.

Digital certificates
A digital certificate is a password-protected, encrypted data file that verifies the identity of the sender of a message. It is attached to an electronic message and guarantees that the data has not been compromised during transmission. A digital certificate must be signed by a certificate authority to be valid. Digital certificates provide data integrity. Digital certificates are issued by a certificate authority (CA) or internal security administrators. A CA is a trusted third party that verifies the identity of the person or company that submitted a certification request (CR). A digital certificate contains the requestor's name, a serial number, expiration date, a copy of the requestor's public key and the digital signature of the CA (so the requestor can verify that the certificate is legitimate). A digital signature is an electronic stamp that identifies a message's source and its contents. A digital signature can be used with any kind of message, whether it is encrypted or not. To verify your identity, you can attach your own digital signature to any message or data you send over the Internet. Digital signatures do not provide data confidentiality because they do not encrypt the data; they simply verify the integrity of the data and the identity of the sender. However, digital signatures enforce non-repudiation, which is the ability to prove that a transaction occurred. Sending data with a digital signature proves that the message was both sent and received. Neither party can repudiate the transaction.

Firewalls
A firewall is a security barrier that prevents unauthorized access to or from private networks. Businesses use this combination of hardware, software and corporate policies to prevent Internet users outside the business from accessing proprietary data on the business's networks that are connected to the Internet, as well as private intranets. Firewalls are also used to control employee access to Internet resources. The most common business firewall technique uses a firewall server in conjunction with a proxy server to screen packets of data. All data entering or leaving an organization passes through the firewall. The firewall examines each packet and determines whether to forward it to its destination, based on security policies set up by the firewall administrator or IT department. The proxy server replaces the network IP address with another, contingent address. This process effectively hides the network IP address from the rest of the Internet, thereby protecting the network.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-7

When you connect your computer to the Internet, you are potentially connecting to all the computers on the Internet. This relationship works in reverse as well: All other computers on the Internet are connected to yours, and perhaps to all the computers on your corporate LAN. Some LANs feature Web servers or FTP servers that provide confidential or proprietary files to users on the LAN. If the LAN is on the Internet, anyone outside the business who knows the domain name or IP address of the server could access these files. Often, these files have no encryption or password protection because the administrators of the Web or FTP servers did not know the LAN was accessible to the Internet. By connecting to the Internet through firewalls, no computer on the LAN is actually connected to the Internet, and any requests for information must pass through the firewall. This feature allows users on the LAN to request information from the Internet, but to deny any requests from outside users for information stored on the LAN. Firewalls can be inconvenient for business users who are protected by them. For example, users may be unable to access an external e-mail provider or to upload files to external servers. Some standardized Internet plug-ins, such as RealAudio, cannot function through firewalls. Some of the new video plug-ins used on news Web sites are also unable to operate through firewalls. If your employer's firewall interferes with work you need to conduct on the Internet, you should work with your IT department's firewall administrators to achieve a level of protection that allows you to access necessary resources. Security policies are a vital part of any firewall strategy. The policies created by firewall administrators govern who will be allowed external access, what information employees will have access to, how often passwords must be changed, and so forth. Hardware and software alone cannot protect information from employees determined to hurt the company, but hardware, software and sensible security policies can protect proprietary data and internal communications from malicious outsiders. Firewalls can be considered the first line of defense against LAN security breaches because they provide data confidentiality. Firewalls do not ensure data integrity or nonrepudiation because they do not encrypt or authenticate data.

Desktop firewalls
Desktop firewalls are available for individual client workstations. Also known as personal firewalls, they offer protection for an individual system instead of an entire network. Tools such as Norton 360 (www.symantec.com), ZoneAlarm Internet Security Suite (www.zonealarm.com) and BlackICE PC Protection (www.digitalriver.com) can detect and respond to attacks on your computer system. Desktop firewalls offer many firewall features, such as inspection of all incoming transmissions for security threats. When a firewall is used in conjunction with antivirus software (which will be presented later in this lesson), a personal computer is very secure, provided that the user updates the antivirus and desktop firewall software frequently.

Native desktop firewall software

Increasingly, operating system vendors are providing native desktop firewall software. For example, Windows XP includes a native desktop firewall that is disabled by default. You can enable the firewall and customize your desktop firewall settings.

Version 1.2

Subscription Expiration 09/12/2010

7-8

Internet Business Foundations

UNIX and Linux systems often provide applications that allow you to block connections, such as the following examples: iptables found on newer UNIX and Linux systems ipchains found on older UNIX and Linux systems

Desktop firewall features

Some desktop firewalls include the following features: Logging You can determine when a connection was made, as well as its source. You can also discover the protocol and/or port a remote user used to make the connection. Blocking protocols You can block various protocols, including Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Messaging Protocol (ICMP) and Internet Protocol (IP). If blocking TCP and UDP, you can select any port to allow or disallow. ICMP is an especially common protocol to block, because attackers often use it to flood network connections. However, blocking this protocol may cause problems when troubleshooting your computer's connectivity to the network, because ICMP is most often used to test whether a system is able to communicate on a network.

Internet Control Messaging Protocol (ICMP) A subset of Internet Protocol that is most often used to determine whether a computer can communicate with the rest of the network.

Default desktop firewall stances

Desktop firewalls can be configured in one of the following ways: Default open allows all traffic except that which is explicitly forbidden Default closed denies all traffic except that which is explicitly allowed

Blocking incoming and outgoing traffic

Desktop firewalls can also be configured to block incoming and outgoing traffic. Most desktop firewalls block incoming traffic (for example, traffic from the Internet to your computer). Most desktop firewalls can also be configured to block traffic from your computer to computers on the network. If you are experiencing connection difficulties specific to one protocol on your local network, consider that a desktop firewall might be blocking transmissions. In the following lab, you will explore the options to consider when enabling a desktop firewall. Suppose you are the security administrator for a bank. The bank manager has asked you to protect employees' computers by restricting access to Internet resources. How would you configure the desktop firewalls to offer appropriate protection but still allow employee access to relevant Internet resources?

Lab 7-1: Enabling your desktop firewall

In this lab, you will enable your desktop firewall. 1. 2. Minimize any open windows so that the Desktop is visible. Click the Start button, right-click My Network Places, then click Properties. This step displays the Network Connections window (Figure 7-2). The Local Area Connection icon that displays represents your system's network interface card (NIC).

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-9

Note: If My Network Places does not display in the Start menu, open Windows Explorer and right-click My Network Places in the Folders pane, then click Properties.

Figure 7-2: Network Connections window

3. 4.

Right-click the Local Area Connection icon, click Properties to display the Properties dialog box, then click the Advanced tab. In the Windows Firewall section, click the Settings button to display the Windows Firewall dialog box. Click the Advanced tab and click the Settings button in the Network Connection Settings section to display the Advanced Settings dialog box (Figure 7-3). You can use the tabs in this dialog box to customize the firewall settings.

Figure 7-3: Advanced Settings dialog box

Version 1.2

Subscription Expiration 09/12/2010

7-10

Internet Business Foundations

Click each tab in the Advanced Settings dialog box. Notice that in the Services tab, you can specify the services running on your network that Internet users can access. In the ICMP tab, you can specify the Internet requests to which your computer will respond. Click the Cancel button three times to close the dialog boxes without enabling your desktop firewall, then close the Network Connections window.

Malware (Malicious Software)

malware Abbreviation for malicious software. Malware is software designed to harm computer systems.

Malware, or malicious software, refers to programs or files whose specific intent is to harm computer systems. Malware is an electronic form of vandalism that can have global implications. IT professionals must be aware of malware to be able to detect and remove malicious code before it causes harm to systems and networks. Malware includes computer viruses, worms, Trojan horses and illicit servers, each of which will be discussed in this section.

Viruses
OBJECTIVE: 1.10.4: Computer virus attacks

A virus is a malicious program designed to damage computer systems, from stand-alone computers to entire networks. Specifically, a virus is a program that assumes control of system operations, and damages or destroys data. Viruses are loaded onto your computer without your knowledge and run without your consent. All computer viruses are man-made and are often designed to spread to other computer users through networks or e-mail address books. Viruses can be transferred via e-mail attachments, program or file downloads, and disk or CD swapping. In most cases, the creator or user of the source media containing the virus is unaware of its presence. For example, a virus might have written itself onto every floppy disk that you used. If you pass an infected disk to a colleague, that colleague's system can also be infected. Similarly, a colleague might inadvertently send you an e-mail attachment infected by a macro virus. If you attempt to open or print the file, the virus will engage. E-mail attachments have become the most effective way to spread viruses. Viruses that reside within the text of an HTML-formatted e-mail message are particularly virulent because the user need only receive the virus for it to cause damage. The next time the virus recipient starts the computer, the virus runs and is sent to everyone in the recipient's address book. A simple virus can: Display harmless messages on the screen. Use all available memory, thereby slowing or halting all other processes. Corrupt or destroy data files. Erase the contents of an entire hard disk.

virus A malicious program that replicates itself on computer systems, usually through executable software, and causes irreparable system damage.

More dangerous viruses can have devastating effects on a global scale. For example, the Chernobyl (CIH) virus infected 32-bit Windows 95/98 and Windows Server executable files, which caused computers to lose their data. In Korea, it affected approximately 1 million computers and caused more than US$250 million in damage. The VBS Love Letter virus overwrote Windows files with common file name extensions (such as .gif and .ini) on remote and local drives, replaced the files' contents with the source code of the virus, and appended the .vbs extension to the files. All infected files were destroyed. The

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-11

Melissa virus infected Microsoft Word documents and was sent to the first 50 people in the recipient's Microsoft Outlook Address Book. The virus inserted text into infected documents once every hour after the number of minutes corresponding to the date had passed (if the document was opened or closed at the appropriate time). Table 7-1 describes types of computer viruses.
Table 7-1: Computer virus types

Virus Type Boot sector virus

Description
Moves boot sector (an area of a disk that stores essential files needed by the computer during startup) data to another part of the disk and replaces it with its own code. Whenever the computer starts up, the boot sector virus executes. Resides on the hard disk and is activated when a particular event occurs, such as a date change, a file change or a user or program action. Makes changes to a disk's file system. Any program run from an infected disk causes the virus to run, giving the impression that the virus infects all programs on the disk. Infects program files on a disk. When the infected program is run, the virus also runs. Infects a specific type of document file that can include macros (codes, commands, actions or keystrokes that produce a result), such as Microsoft Word or Excel files. When a document containing a macro is opened, the virus runs. Resides in the computer's memory and conceals changes it makes to files, hiding the damage from the user and the operating system.

Bomb Cluster virus

File-infecting virus Macro virus

Stealth virus

OBJECTIVE: 1.10.10: Virus vs. worm worm A self-replicating program or algorithm that consumes system resources.

Worms
A worm is a self-replicating program or algorithm that consumes system resources. The difference between a worm and a virus is that a worm does not alter files; it resides in active memory and replicates itself until an entire disk is full. Worms can spread to all computers connected to a network and are commonly spread over the Internet via e-mail attachments. For example, the PE_Nimda.A-O worm was spread as an executable file attachment in e-mail messages. The PE_Nimda.A-O worm did not require a user to open the e-mail attachment; it exploited a weakness in Microsoft e-mail clients and executed the file automatically. As this worm has shown, TCP/IP networks are particularly vulnerable to worm attacks. Worms rely on specific software implementations. For example, Win32/Melting.worm attacks only Windows systems running Microsoft Outlook. This worm can spread by itself and can disable any type of Windows system, making it permanently unstable.

Trojan horses
Trojan horse A program disguised as a harmless application that actually produces harmful results.

A Trojan horse is a program that appears to be harmless but actually produces harmful results. Trojan horses contain code that produces malicious or harmful results within applications that appear benign, such as computer games. Unlike worms and viruses, Trojan horses do not replicate themselves or copy themselves to other files and disks. A Trojan horse may be spread as part of a computer virus. One of the most sinister Trojan horse types is a program that claims to find and destroy computer viruses, but introduces viruses into your system instead.

Version 1.2

Subscription Expiration 09/12/2010

7-12

Internet Business Foundations

Illicit servers
illicit server An application that installs hidden services on systems. Illicit servers consist of "client" code and "server" code that enable the attacker to monitor and control the operation of the computer infected with the server code.

An illicit server is an application that installs hidden services on systems. Many illicit servers, such as NetBus and Back Orifice (a play on Microsoft's Back Office), are remote control or remote access programs. Illicit servers differ from Trojan horses in that they consist of "client" code and "server" code. The client (the malicious third party that is attacking a system) can send the server code as an unsolicited file attachment via e-mail, Internet chat and newsgroup messages to users, hoping that they will open the file and install the application. If the users who receive the server code install the application (intentionally or otherwise) and connect to the Internet, the attacker can use the client code's remote control capabilities to monitor and control the operation of the infected computers. An illicit server can be made to look like a patch or a program fix (which will be presented later in this lesson), so that recipients think they have received a legitimate file. Attackers can use illicit servers to perform malicious operations on infected computers, such as: Creating custom startup messages. Editing the Windows registry files. Sending messages. Changing the Desktop display. Playing sounds. Switching off the display screen. Disabling keyboard keys. Hiding the mouse cursor. Hiding the taskbar. Stealing passwords. Monitoring keystrokes. Restarting the computer. Locking up the computer. Executing applications. Viewing the contents of files. Transferring files to and from the computer.

Virus Detection and Prevention

Corporate IT departments are often the first line of defense against computer viruses. Generally, the IT department will receive warnings about viruses that are being spread, and will have time to prepare for virus detection and subsequent disinfection. Common ways that computer viruses are contracted include: Receiving an infected disk from someone else and reading it from your disk drive. Downloading an infected file or program to your computer from a network computer, an intranet or the Internet.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-13

OBJECTIVE: 1.10.4: Computer virus attacks

Downloading an illicit server attachment from a malicious source. Copying to your hard disk a document file infected with a macro virus.

Following are some actions you can take to protect your systems from contracting viruses: Do not open e-mail messages or attachments from unknown senders. Configure the security settings for your e-mail program and Web browser to the highest possible levels. Use an antivirus software program to periodically scan e-mail attachments, files, programs, software or disks (even new software from a trusted source) before you open or use them on your computer. Use an antivirus software program to scan your disks and files if you use them on another computer. Use an antivirus software program to scan all files and programs you download from the Internet. Keep your antivirus software current by downloading virus signature updates as they become available. Stay informed about the latest virus threats so that you recognize an e-mail virus before you open and unleash it. Make backup copies of important files and store them on separate disks so that the files will be unaffected if you contract a virus.

Antivirus software
antivirus software Software that scans disks and programs for known viruses and eliminates them.

The best protection against a virus is to know the origin of each program or file you install on your computer, or open from your e-mail or instant message client. Because this is difficult, you should use antivirus software to scan e-mail attachments and files for known viruses, and eliminate any it finds. In general, viruses can be detected when they modify parts of your system in order to pass themselves along. When a virus has been detected, you must use antivirus software to disinfect your system. Antivirus software that is kept current knows the signature of the virus, and works by scanning the infected file or program for the identifying signatures. If the virus is found, your hard drive can often be disinfected immediately so that the virus cannot infect other files or cause more damage. Most antivirus programs download signature profiles of new viruses automatically so that the program can check for the new viruses as soon as they are discovered. If your company has an IT department, it will probably provide and update antivirus software for you. If you work for a company without an IT department, you can download antivirus software from many Web sites. Trend Micro (www.trendmicro.com), McAfee, Inc. (www.mcafee.com) and Panda Software (www.pandasoftware.com) are three providers of antivirus software. Another antivirus software company, Symantec (www.symantec.com), provides the Symantec Security Response page (www.symantec.com/avcenter/), which identifies the latest virus threats. You can also obtain information about virus threats at the Trend Micro Security Information page (www.trendmicro.com/vinfo). All of these Web sites are excellent sources of information about current viruses.

Version 1.2

Subscription Expiration 09/12/2010

7-14

Internet Business Foundations

Unexpected attachments
OBJECTIVE: 1.10.6: Unexpected e-mail attachments

Because e-mail is the most common method for spreading viruses, you should be wary of any unexpected attachments you receive with e-mail or instant message transmissions. Following are some actions you can take if you receive an attachment you did not expect or do not recognize: Do not attempt to open the attachment. Try to contact the message sender and determine whether the attachment is legitimate. If you are unable to contact the sender or the sender is unaware of the attachment, delete the attachment from the message. Open your Deleted Items folder and delete the attachment from it to permanently remove the attachment from your system.

Virus attacks
If your computer is attacked by a virus, do not panic. Most viruses can be removed without permanent damage to your system, and most viruses can be halted even after they commence an attack.
OBJECTIVE: 1.10.7: Suspected attacks

Following are some actions you can take if you suspect a virus attack: Use antivirus software to remove the virus immediately. If the virus is active in memory and you are not able to launch the antivirus software, turn off your computer and reboot from a known clean system disk. This procedure will start the system without the virus in memory. You should then be able to launch the antivirus software and begin the disinfection process. Check all your disks and backup files with the antivirus software, and remove the virus from them if necessary. If files or programs are damaged or altered by the virus, you will need to replace them with backup copies or reinstall programs from original installation media. Because viruses can self-replicate, you must find and remove all copies of the virus in your system. Use the antivirus software to scan your entire system and disks for the virus and remove it. If damage is widespread, you may be forced to reformat your hard disk and reload all your programs and files. However, this technique should be used as a last resort because most antivirus software is very effective at disinfecting systems, even for difficult-to-remove viruses.

OBJECTIVE: 1.10.11: Spyware spyware A software application secretly placed on a user's system to gather information and relay it to outside parties, usually for advertising purposes.

Spyware
Spyware (or adware) is a software application that is secretly placed on a user's system to gather information and relay it to outside parties, usually for advertising purposes. Many Internet-based applications contain spyware. Companies with both good and bad reputations have included spyware code in their software. Spyware can also be placed on a user's system by a virus or by an application downloaded from the Internet. Once installed, spyware monitors the user's activity on the Internet and conveys the information to the spyware originator. The originator can then gather Web site usage,

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-15

e-mail and even password information from the user, then use it for advertising purposes or malicious activities. Spyware is analogous to the Trojan horse in that it is installed automatically without the user's knowledge or consent. Legitimate data-collecting programs that are installed with the user's knowledge are not considered spyware, as long as the user provides consent, and knows the type of data being collected and to whom it is being conveyed. For example, cookies are text files that store information about Internet use and reside on users' systems. Users generally know about cookies and their functions, and users can disable outside access to cookie information. Spyware can also affect the efficiency and stability of computer operations by consuming memory resources and bandwidth. Because spyware is an independent executable program, it has the ability to: Scan files on hard drives. Read cookies. Monitor keystrokes. Install other spyware applications. Change the default home page in Web browsers. Automatically send information to the spyware developer.

Removing spyware helps ensure privacy by preventing companies from tracking your Internet activity and collecting your personal information.

Detecting and blocking spyware

You can detect the presence of spyware by obtaining a spyware detection application. Such applications work much like antivirus applications in that they scan a computer's hard drive, memory and network connections, and look for suspicious activity. These applications can be updated, just like an antivirus application can be updated. Network and systems administrators can detect the presence of spyware by doing the following: Using a network analyzer to capture and study network transmissions for suspicious packets. Using the netstat application to review all ports. (Netstat is a TCP/IP utility that reads network data structures.) If the administrator finds a suspicious port open on your system, he or she can conduct a Web-based search on that port. The administrator may discover that it is a port used by spyware installed on your system.

You can combat spyware by: Deleting the application that contains the spyware. Using a desktop firewall to block transmissions between your system and the spyware vendor.

Version 1.2

Subscription Expiration 09/12/2010

7-16

Internet Business Foundations

Spyware detection applications and false positives

Spyware detection applications use the following strategies: They contain lists of known spyware. They contain programming that can detect suspicious activity, which includes Windows registry entries that are out of place, suspicious network connections, and applications that behave suspiciously.

Spyware detection applications can report false positives, wherein legitimate applications are incorrectly categorized as spyware. As you use a spyware detection application, ensure that you examine the results carefully so that you do not remove legitimate applications. In the following lab, you will install the Ad-Aware spyware detection software. Suppose you are the IT administrator for a small family-run business. Several employees have complained that their default Web browser home pages have been changed without their input, and their computers have been running more slowly than they usually do. You suspect that they are victims of spyware, so you install spyware detection software to find and remove the spyware applications.

Lab 7-2: Installing and using spyware detection software

In this lab, you will install and use Ad-Aware spyware detection software. 1. 2. 3. Open Windows Explorer and navigate to the C:\CIW\Internet\LabFiles\Lesson07 folder. Double-click aawsepersonal.exe, then click Run in response to the security warning. This step will display the Ad-Aware SE Personal Installation Wizard. Follow the installation instructions in the wizard to install Ad-Aware SE Personal on your system. Note: If you do not have access to the aawsepersonal.exe binary in the data folder, complete the following steps to install Ad-Aware SE Personal on your system: Start your browser. Type the URL www.lavasoft.com in the Address box, then press ENTER. This step accesses the Lavasoft home page. Click the Free Download Ad-Aware SE Personal button. You will be forwarded to an external site (Download.com), with a link to the software. Click the Download Now link. Click the Save button in response to the security warning. Specify to save aawsepersonal.exe to your Desktop, then click the Save button to download the Ad-Aware installation binary to your Desktop. Display the Desktop, double-click the installation binary (aawsepersonal.exe) and follow the instructions to complete the installation.

Display the Desktop, then double-click the Ad-Aware SE Personal shortcut to launch the application.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-17

Ad-Aware SE will load new sypware definitions as they occur. If you receive a message prompting you to check for updates, click OK, click Connect, then click OK to download the new definitions file. When the download is complete, click Finish. The Ad-Aware SE Personal window (Figure 7-4) will display.

Figure 7-4: Ad-Aware SE Personal spyware detection application

Click the Start button, then click Next to perform an initial scan, which will look for spyware applications and suspicious activity. Note: The scan may take several minutes, depending upon the size of your hard drive and speed of your system.

7. 8. 9.

When the scan is finished, click the Show Logfile button to display the list of spyware that the scan found on your system. Scroll through the Scan Log. Notice that some legitimate applications were marked as spyware. In these cases, you are probably viewing false positives. Click the Scan Summary, Critical Objects and Negligible Objects tabs. The Scan Summary tab displays a summary of the scanning results. The Critical Objects tab displays objects that may pose a threat and should be considered for removal. The Negligible Objects tab displays objects that are not considered to be a threat; the objects consist of MRU (most recently used items) lists.

10. Double-click a few entries and read them. Take note of any software that might be spyware. Note: Do NOT click the Quarantine button, as this would remove all apparent spyware applications and back them up into the quarantine folder. You do not want to quarantine these applications in this lab unless you are absolutely certain they are spyware. 11. Click Next to display a message informing you that no objects are selected for removal, then click OK. 12. Close the Ad-Aware SE Personal window and the Windows Explorer window.

Version 1.2

Subscription Expiration 09/12/2010

7-18

Internet Business Foundations

13. As a class, answer the following questions: Did you find any false positives? What spyware did you find? How can removing spyware improve privacy?

Note: For additional information about how to use Ad-Aware (including technical support), access the www.lavasoftsupport.com/index.php Web page.

OBJECTIVE: 1.10.5: Client software patches and updates

Updates and Patches

An update is any file or collection of software tools that resolves system liabilities and improves software performance. A patch is a file of programming code that is inserted into an existing executable program to fix a known problem, or bug. Patches are designed to provide an immediate solution to a particular programming problem and can often be downloaded from the Web site of the software vendor. However, patches are intended to be only temporary solutions until problems can be permanently repaired. Generally, a software vendor will provide permanent solutions to program bugs in later product releases, known as updates. Updates are released periodically when deemed necessary by the vendor. A major update with significant software improvements is often marketed as a new release. Patches and updates should never be applied to all system units without applying them to test computers first. In fact, many security policies require an extensive testing process before an update is installed onto any systems. If the patches or updates do not address the problems your system is experiencing, or if there would be no performance gain by applying them, you should not install them. Patches and updates can cause incompatibility issues among system resources or applications, and can even introduce new security issues. However, if your system is vulnerable to a security problem, you may need to install the patches or updates as soon as possible. Make sure that you obtain patches or updates from trusted sources, especially if the program is an open-source upgrade. Verify hashes and signatures before installing upgrades to avoid installing a virus onto your system.

update A file or collection of tools that resolves system liabilities and improves software performance. patch Programming code that provides a temporary solution to a known problem, or bug.

Antivirus program updates

Antivirus program updates generally refer to files containing virus signature profiles that have become known since the last program update. Updates are important because even the best antivirus program will not protect you if its signature profiles are outdated. Antivirus software uses signature profiles to recognize patterns that indicate viruses. Because new viruses are created so rapidly, manufacturers update these signature profiles frequently. Most antivirus software will download the latest profiles automatically.

Encryption levels and Web browsers

Software applications and Web browsers support various encryption levels. Many Web sites require that your browser use 128-bit encryption for added security. The latest versions of both Internet Explorer and Mozilla Firefox support 128-bit encryption. If you are using earlier versions of either browser, you can download updates to support 128-bit encryption.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-19

Desktop security
It is important to maintain the security of individual computers, particularly because most computers in the workplace are connected to corporate networks, intranets and the Internet. Computers running older operating systems (such as Windows 95/98 or Windows NT) may no longer be supported with security patches, thereby leaving them vulnerable to intrusion. For newer computers (2000 or later), it is important to apply regular operating system patches and updates supplied by software vendors to minimize security breaches.

E-mail clients
As you have already learned, e-mail is the most common way to spread viruses. You should keep your e-mail client current, and install necessary security patches and updates to minimize security breaches. Additionally, many e-mail clients default to 40-bit encryption levels. You can install updates to support 128-bit encryption.

Screen Savers
OBJECTIVE: 1.10.9: Workstation screen saver security

A screen saver is a utility program that displays images or animation on your monitor when no keystrokes or mouse actions have occurred for a specified duration. You can use screen savers to hide your work while you are away from your desk, providing a measure of security. Some system screen savers allow you to password-protect your screen saver. If you configure this feature, then once your screen saver activates to hide your Desktop, your specified password must be entered to deactivate the screen saver. In Windows XP, you use the Screen Saver tab of the Display Properties dialog box (Figure 7-5) to specify a screen saver and the amount of time your computer is to remain idle before the screen saver activates.

screen saver A graphic or moving image that appears on your screen when your computer is idle.

Figure 7-5: Display Properties dialog box Screen Saver tab

In the following lab, you will activate a screen saver. Suppose you are an IT administrator and you want to update computer security measures in your company. One of the first tasks you perform is instructing employees to set their screen savers to display no longer than five minutes after their computers are idle. Would you recommend that users

Version 1.2

Subscription Expiration 09/12/2010

7-20

Internet Business Foundations

password-protect their screen savers for additional security? For which types of job roles are password-protected screen savers appropriate?

Lab 7-3: Activating a screen saver

In this lab, you will specify a screen saver and the amount of time your computer needs to remain idle before the screen saver appears on your Desktop. 1. 2. 3. Right-click a blank area of the Desktop, click Properties to display the Display Properties dialog box, then click the Screen Saver tab. Display the Screen Saver drop-down list, then click a screen saver of your choice. Double-click the contents of the Wait text box, type 1, then click OK. This step specifies that the screen saver will display when your computer has been idle for one minute. Do not press any keys or move the mouse for at least one minute. The screen saver you selected should display on your screen. When the screen saver appears, move the mouse to redisplay the Desktop. Right-click a blank area of the Desktop, click Properties to display the Display Properties dialog box, then click the Screen Saver tab. Display the Screen Saver drop-down list, then click Windows XP. This step specifies the default operating system screen saver. Double-click the contents of the Wait text box, then type 10. This step specifies that 10 minutes is the amount of time your computer needs to remain idle in order for the screen saver to activate. Click OK to close the dialog box and restore the screen saver to its default settings.

4. 5. 6. 7. 8.

OBJECTIVE: 1.10.8: E-mail listserve groups list server A server that collects and distributes information from an authorized group of participants, called a listserve group. listserve group Users who subscribe to an e-mailing list through a list server.

List Servers and Listserve Groups

A list server is a server that automates the collection and distribution of messages from an authorized group of participants, allowing collaboration among multiple users. A list server differs from a mail server, which handles incoming and outgoing e-mail for Internet users. A group of users that subscribes to a mailing list is called a listserve group. Participants must send an e-mail to the list server to join a specific group. Once subscribed, they are placed on a mailing list of users authorized to receive messages from the list server. When a list server receives messages from listserve group participants, it stores the messages, then distributes them to its mailing list. A user who wants to join a listserve group simply sends an e-mail message to the list server. This request is often a blank e-mail message with a simple request in the Subject field. A request can be worded as follows: subscribe ciw

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-21

Some list servers request that the same command also be placed in the body of the e-mail message. If the list server is configured to allow a particular user to join, the list server then sends a confirmation e-mail to the subscriber. Occasionally, users will attempt to subscribe other people to listserve groups. To prevent this practice, list servers often require the user to confirm the subscription before he or she is added to the mailing list. List servers typically forward e-mails, announcements, newsletters or advertising to group members on a regular schedule or as events occur. Three of the most popular list servers are LISTSERV (www.lsoft.com), which is a product of L-Soft; Majordomo (www.greatcircle.com/majordomo), which is hosted by Great Circle Associates and is freeware; and Lyris (www.lyris.com). List servers forward e-mail messages that are addressed to their mailing lists to the list's respective listserve group. A number of Web sites are devoted to mailing lists, such as Topica (http://lists.topica.com) and Yahoo! Groups (http://groups.yahoo.com). You can use these sites to find mailing lists that you want to join. Topica and Yahoo! Groups are not list servers; they simply search for and provide links to mailing lists. The mailing lists themselves are hosted by list servers. In the following lab, you will explore LISTSERV. Suppose you are the marketing director for a company. You want to distribute timely information to customers about your company's products. You purchase LISTSERV to create your own mailing list server so that you can distribute messages to all subscribers on your list (your customers) quickly and efficiently.

Lab 7-4: Exploring LISTSERV

In this lab, you will access the LISTSERV Web page and explore various links to obtain information about LISTSERV. 1. 2. Start Microsoft Internet Explorer. Click anywhere in the Address box, type www.lsoft.com, then press displays the L-Soft home page (Figure 7-6).
ENTER.

This step

Figure 7-6: L-Soft home page

Version 1.2

Subscription Expiration 09/12/2010

7-22

Internet Business Foundations

3. 4.

Under the Email List Management heading, click the LIST SERV link to display the LISTSERV page. If time permits, click the See LISTSERV Demo link to display a demonstration of the LISTSERV Web interface. Click various links in the Demo page to obtain information about the latest product interface. Click Exit Demo to close the Demo window and redisplay the browser window. If time permits, click the Download Evaluation button on the LISTSERV page to download an evaluation copy of the most recent LISTSERV product. To use it, you will need to configure the software with the following information: Your name and the name of your organization Your Web server's CGI directory The URL path to the Web archive script directory you specified The directory in which LISTSERV should place the files it creates and uses for the Web interface The fully qualified Internet host name of the computer on which LISTSERV is being installed The fully qualified Internet host name of the computer through which LISTSERV will send its outbound mail The e-mail address of the user who will be in charge of operating the server

5. 6.

In the following lab, you will explore the Topica Web site. Suppose you are an IT project manager and you want to join mailing lists that pertain to project management topics so you can keep your skills current. You search the listings provided by Topica to determine which lists might be the most worthwhile for you to join.

Lab 7-5: Exploring Topica

In this lab, you will access the Topica Web site to find mailing lists about project management. 1. Click anywhere in the Address box, type lists.topica.com, then press step displays the Topica home page (Figure 7-7).
ENTER.

This

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-23

Figure 7-7: Topica home page

Scroll down to display the Search text box. Click anywhere in the box, type "project management", then click the Search button. This step displays a page of mailing list links related to project management. Click a project management link, then follow any additional links that display until you access a project management mailing list. Follow any instructions that grant you access to the e-mails that have been posted, then read several of them. How would you subscribe to the mailing list? How would you post a message to the mailing list? Close the Internet Explorer window.

Security-Related Ethical and Legal Issues

The main function of IT professionals in any organization is to provide network and Internet-related services, and to protect system resources from unauthorized entry, malicious attackers and malware. IT professionals are also faced with ethical and legal issues related to the security of network and individual computer use by employees. In addition, the Internet has brought about new challenges to copyright, trademark and licensing law enforcement. Because the Internet spans numerous countries and each government has its own set of rules, new enforcement techniques must be applied. This section discusses privacy concerns, copyright issues, licensing issues, trademark issues and encryption policies.

Privacy concerns
OBJECTIVE: 1.14.1: Privacy issues 1.14.2: Appropriate use issues 1.14.3: Personal privacy vs. company resources

One of the major drawbacks of networked computing and Internet use is that your computer activities and personal information are no longer private. For example, online businesses collect information from users who make purchases on the Internet, and may sell the information for advertising or marketing purposes. Along with susceptibility to infection by malware, you may also be the recipient of junk e-mail (spam). Because spam is sent to you uninvited, it can be considered an invasion of privacy, even though it generally has no harmful effects on computer systems. However, reviewing and deleting spam may hinder your productivity.

Version 1.2

Subscription Expiration 09/12/2010

7-24

Internet Business Foundations

Some actions you can take to minimize the spam you receive include the following: Avoid adding yourself to unwanted mailing lists When you submit any type of online form, choose to not be added to a mailing list (unless you want to be added to the list). If such an option is not available, consider not submitting the form. Conduct online transactions through secure Web sites Before you purchase anything over the Internet, ensure that the transaction is secure. Current Internet Explorer and Mozilla Firefox versions will inform you whether a site is secure when you access the site. Remember that a URL beginning with https:// ensures that your Web session is managed by a secure protocol, which encrypts and decrypts the information you send and receive during the course of the transaction. Do not assume that only the intended recipient will read your e-mail messages Assume that whatever you write in an e-mail message could be seen by other people, particularly if you work for a company that routinely monitors its employees' e-mail. Even if your company does not monitor e-mail, the person to whom you send an e-mail message may forward it to others with your original message intact. Be selective when posting information to newsgroups Remember that many newsgroups and chat rooms are unsupervised. When you post a message to a newsgroup, your e-mail address becomes available to all those who have access to the newsgroup or chat room at that moment, which can make you vulnerable to unwanted solicitations or virus attacks. Before posting any messages, monitor the newsgroup to determine whether the users seem trustworthy.

Some organizations monitor their employees' e-mail messages and restrict their access to certain Web sites. Employers sometimes adopt such a policy because they consider all information carried by the company's communication system to be company property, just as the network, communication equipment and software used by the employees are company property. However, by restricting access to certain Web sites, companies may be denying employees legitimate Internet resources that may help them do their jobs. Reasons that some companies elect to monitor employees' e-mail messages or restrict Internet access include the following: To protect proprietary information To prevent users from viewing or downloading undesirable data or malware To ensure that resources are being used solely for business purposes

Network administrators can also audit the contents of employee hard drives. Cached files from the Internet (as well as personal document files you have created) may be subject to examination. Therefore, you should use your home computer to keep personal data and send personal e-mail messages, and use company resources only for work-related activities. For example, you may be trying to help a family member find a job. You may modify and format his or her rsum on your company computer, and spend time surfing the Web for employment-related sites. Are you using the resources provided to you for their intended purposes? Are you being paid to use company resources for personal business? Could the time you spend helping your family member be better spent on work-related tasks, which in turn help the business?

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-25

As you learned in a previous lesson, copyright laws protect original works of authorship that are fixed in a tangible medium of expression. According to copyright law, the basic elements are: Expression. Originality.

An Internet user who uses an unauthorized copy of someone else's work is violating the copyright owner's rights. Remember that although copying text or images from a Web site is easy, the ability to do so does not make it legal to use someone else's work for your own purposes. Copyright infringement is a punishable crime. Contrary to popular belief, an international copyright does not exist. To protect your copyright of your original material, you must contact the government agency that handles copyrights in the country in which you reside. For instance, in the United States, you would contact the Library of Congress Copyright Office. You can request the forms (depending on your specific work) by phone, or download forms at www.loc.gov/copyright. In Canada, you would contact the Canadian Intellectual Property Office (http://cipo.gc.ca). If you or your company holds a copyright on your Web site material, you should place the copyright symbol ( ) and year at the bottom of each page that contains the copyrighted material. Copyright symbols are not required but are highly recommended because they are often the first line of defense against copyright infringement.

Information Infrastructure Task Force (IITF)

The Information Infrastructure Task Force (IITF) was formed in 1993 to codify copyright law as it applies to digital information. The IITF in turn established the Working Group On Intellectual Property Rights to examine the intellectual property implications of combining the existing infrastructures of radio, television, telephones, fax machines and computers into one information infrastructure of all communication mediums. The group's mission was to make recommendations for changes to U.S. intellectual property law and policy. In 1994, the Working Group On Intellectual Property Rights published the "Green Paper," a preliminary report on intellectual property rights. The group recognized the need to review current copyright laws in light of the fact that copying and disseminating information is extremely easy in the digital age.

World Intellectual Property Organization (WIPO)

The World Intellectual Property Organization (WIPO) is a specialized United Nations agency formed to protect intellectual property worldwide. Intellectual property consists of industrial property (trademarks, inventions) and copyrighted works. WIPO attempts to enforce copyright laws through cooperation among countries. More than 170 countries are currently members of WIPO. If you register a copyright for a book in the United States, and someone reproduces and sells it in Germany without your permission, you would be able to prosecute that person in both the United States and Germany because both countries have signed copyright agreement documentation. The WIPO site (www.wipo.org) lists the copyright administration office for each member country.

Version 1.2

Subscription Expiration 09/12/2010

7-26

Internet Business Foundations

Precedent copyright law and Internet cases

The following court cases have precedent-setting implications with respect to copyright laws and the Internet. Sega Enterprises Ltd. vs. MAPHIA In Sega Enterprises Ltd. vs. MAPHIA, Sega Enterprises brought suit against MAPHIA, an electronic bulletin board system (BBS). Sega Enterprises claimed that MAPHIA copied Sega games to its BBS and made them available for user downloads. The court found that MAPHIA sometimes charged users a direct fee for downloading privileges, or bartered for the privilege of downloading the Sega games. Because Sega's games are protected by copyright, MAPHIA violated Sega's copyright by obtaining unauthorized copies of Sega's games and placing them on storage media of the BBS to be downloaded by unknown users. The courts found in favor of Sega Enterprises. Playboy Enterprises vs. Frena In Playboy Enterprises vs. Frena, Playboy brought a lawsuit against the defendant George Frena, an independent BBS operator. Playboy claimed that Frena distributed unauthorized copies of Playboy's copyright-protected photographs from his BBS. Frena's BBS was available to anyone for a fee. Frena admitted that he did not obtain authorization from Playboy to copy or distribute the photographs. The courts found evidence of direct copyright infringement, and stated that the fact that Frena may not have known he was committing copyright infringement was irrelevant. Recording Industry Association of America (RIAA) vs. Napster This copyrightinfringement case was filed by the RIAA to contest the distribution of copyrighted music files over the Internet using a popular program called Napster. As you have learned, Napster allowed users who had installed the Napster software on their computers to share MP3 music files with other users who had the Napster software. No fee was charged for copying files from one user's computer to another. The RIAA wants artists and record companies to receive royalty payments from users who swap copyrighted files. Napster argued that, because the MP3 files were transferred from user to user and were never in Napster's possession, Napster did not act illegally. The courts ruled in favor of the RIAA and required Napster to halt its services. Napster (www.napster.com) is still operating but now charges a per-track or per-album fee. Record companies such as Bertelsmann Music Group (BMG) have since joined with technology developers to create subscription services that will allow users to share copyrighted MP3 files while observing a permission agreement. These arrangements allow artists and record companies to receive payment for their copyrighted music.

Licensing issues
If you want to license someone else's copyright-protected material, you must contact the copyright owner and ask for permission. This task might involve contacting the legal department of a large organization, a copyright specialist at a small to midsize organization, or even an individual. If you are granted permission to use copyrighted work, the copyright holder dictates the terms of use. For example, there may be no cost but you may be required to credit the owner for the work. In most cases, you must license the work from the owner under the terms of an agreement. The agreement usually determines the way the work may be used (limited or unlimited reproduction) and the payment arrangement (royalties or one lump payment).

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-27

Trademark issues
A trademark is any word, slogan, symbol, name, package design or device (or any combination thereof) that marks and distinguishes a product from other products in trade. For instance, AltaVista and Rolls Royce are both trademarks. Trademarks are protected worldwide by participating WIPO countries. To register a trademark, you must contact the government agency in your country that handles trademarks. For example, in the United States, you would contact the U.S. Patent and Trademark Office. You can request the forms by phone, or download forms online from www.uspto.gov. In Canada, you would contact the Canadian Intellectual Property Office at http://cipo.gc.ca.

Encryption policies
OBJECTIVE: 1.14.5: Company encryption policies

As you have learned, encryption is a very effective safeguard, but the amount of protection it offers varies based on the type of encryption used and the size of the key. Smaller keys, such as 40-bit keys, are easier to break than 128-bit or 256-bit keys. However, longer keys require more computational power to encrypt and decrypt data, which can slow transmission. It is imperative that companies protect their encryption keys to ensure secure transmissions. Many businesses encrypt network transmissions in order to: Protect data. Prevent data from being intercepted by malicious outsiders. Deter hackers. Respond to customer or competitor pressure for increased security. Comply with government requirements regulating the security of Internet data transmissions.

Even if data transmissions do not warrant encryption, network administrators may still need to protect the privacy of e-mail messages, which often contain information of a proprietary or confidential nature. As you have learned, Web browsers such as Microsoft Internet Explorer and Mozilla Firefox include S/MIME, which is based on RSA's asymmetric encryption algorithm. S/MIME describes the way that encryption information and a digital certificate can be included as part of the message body. Each e-mail message includes a digital signature, which the recipient must receive in order to decrypt the message. Companies that conduct business internationally must be aware of the encryption laws in various countries. Some countries do not allow large encryption keys to be exported, which forces network administrators to implement encryption solutions that fall within legal guidelines. When establishing company encryption policies, network administrators must determine the risk of sending unencrypted data based on the nature of the data and its risk to the company if it were obtained by unauthorized users. Encrypting data slows data communication because each packet of data must be encrypted and decrypted. If the data is proprietary or sensitive in nature, then encrypting transmissions becomes critical. If not, network administrators need not encrypt their transmissions.

Version 1.2

Subscription Expiration 09/12/2010

7-28

Internet Business Foundations

Case Study

Protecting Networks
Roberto is the network administrator for an international law firm with offices and customers in North America, South America, Africa and the Middle East. The lawyers frequently contact each other via e-mail, use the Internet to research cases, and use listserve groups to discuss recent cases and developments in international law. Roberto wants to protect the company's network from malicious invasions, and limit the lawyers' access to the Internet and newsgroups. Roberto performs the following tasks:

He ensures that firewalls are in place to prevent outsiders from accessing proprietary data on the law firm's private network, and to prevent access to specific Internet resources. He installs antivirus software on all computers and prepares a maintenance schedule to periodically update the software with the most recent virus signature profiles. He assigns user names and passwords that the lawyers must use to access the network. He configures Web browsers and e-mail clients to reject incoming file attachments that do not have digital signatures or digital certificates. He educates the lawyers on the steps to take to prevent malware infection. He establishes encryption policies for sending sensitive information via e-mail. * * *

As a class, discuss other ways Roberto can protect the law firm's network resources from outside attack. Which protective measures do you consider too restrictive? Discuss your reasons.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

7-29

Lesson Summary
Application project
Some computer viruses have received worldwide attention because of the damage they have inflicted. The PE_Nimda.A-O and the infamous W97M.Melissa.A worms spread globally because they were contained in executable e-mail and newsgroup article attachments. Access the Symantec Security Response page at www.symantec.com/avcenter or the Trend Micro Security Information page at www.trendmicro.com/vinfo, and research the PE_Nimda.A-O or W97M.Melissa.A worm or a more recent virus. For each virus, identify precautionary measures that you can take to prevent your company's network from becoming infected.

Skills review
In this lesson, you learned about symmetric-key, asymmetric-key and hash encryption. You studied the way user names and passwords, as well as digital certificates and firewalls, can provide Web security and ensure secure online transactions. You learned about viruses, worms, Trojan horses, illicit servers and spyware, and you studied methods you can employ to protect computers and networks from the harmful effects of viruses. You learned ways to protect your computer from virus attacks, steps to take when an attack is suspected, and steps to take when you receive an unexpected or unexplained file attachment. You learned about patches and updates and their functions with regard to antivirus programs, Web browser encryption levels, desktop security and e-mail clients. You also learned the ways that screen savers can provide a measure of workstation security. Finally you learned about list servers and how to manage your participation in listserve groups. You also learned about the privacy concerns, copyright issues, licensing issues and trademark issues facing IT professionals, as well as the need to encrypt company transmissions and establish company encryption policies. Now that you have completed this lesson, you should be able to: Identify the three types of encryption. Identify ways that authentication provides Web security. Identify ways that firewalls provide Web security. Identify malware (malicious software). Identify ways to detect and prevent virus attacks. Define spyware. Define patches and updates. Identify ways that screen savers provide workstation security. Define list servers and listserve groups. Identify security-related ethical and legal issues faced by IT professionals.

Version 1.2

Subscription Expiration 09/12/2010

7-30

Internet Business Foundations

Lesson 7 Review
1. What is the difference between symmetric-key encryption and asymmetric-key encryption? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 2. What is a digital certificate? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 3. What is a firewall? ____________________________________________________________________________________ ____________________________________________________________________________________ 4. What is the difference between a virus and a worm? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 5. What is the difference between malware and spyware? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 6. What is the difference between a patch and an update? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 7. Describe the purpose of a list server. ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________

Version 1.2

Subscription Expiration 09/12/2010

8Lesson 8: IT Project Management

Objectives
By the end of this lesson, you will be able to: Identify project management fundamentals. Identify project management skills. Identify the five project management phases. Define the project triangle. Identify the value of project management software. Create a project schedule. Identify the value of documenting projects. Identify the value of planning and scheduling meetings. Identify the value of reviewing projects. Identify quality assurance techniques. Identify the business implications of IT decisions. Identify project management certifications and resources.

Authorized to be used in American Public University System. To report abuse, go to www.CIW-certified.com/abuse.

Subscription Expiration 09/12/2010

8-2

Internet Business Foundations

Pre-Assessment Questions
1. What is scope creep? ____________________________________________________________________________________ ____________________________________________________________________________________ 2. Why do the executing phase and the controlling phase of a project usually overlap? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 3. What is the project triangle? a. b. c. d. The relationships among project scope, time and money. The relationships among the planning, executing and controlling phases of project management. The relationships among project tasks, resources and assignments. The relationships among the planning skills, organizational skills and communication skills needed by good project managers.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-3

Overview of IT Project Management

Business and project management skills are becoming increasingly important for IT professionals to master. Failed IT projects can put significant strain on business resources and can adversely affect an organization's bottom line. Poor project management is one of the primary reasons for IT project failure. Businesses are starting to realize that successfully managed IT projects increase productivity, yield a greater return on investment, increase profits, and improve customer service and satisfaction. In fact, many organizations are starting to require project management skills for IT job advancement. IT projects differ from other projects in one significant way. The IT department manages a business's data, which may include proprietary product data, customer and vendor data, financial data, personnel data, and so forth. Therefore, IT projects may involve several different systems. As an IT project manager, you must be able to work with these various systems and the individuals involved with them. IT projects can include hardware and software installations and upgrades, network security implementations, process improvements, training and support, and so forth. This lesson will discuss project management fundamentals, and the importance that project management concepts and skills are gaining in IT job roles, particularly IT project leadership positions.

Project Management Fundamentals

project management The practice of applying skills and processes to activities in order to meet deadlines and achieve desired results.

Project management is the practice of applying knowledge, skills and processes to activities in order to meet deadlines and achieve desired results. Project management skills can be applied to all industries and job roles. Whether you are creating a Web site, installing services and clients on your organization's computers, or creating courseware, the same basic project management techniques apply. You have probably applied project management skills and techniques to projects you have undertaken. For example, before you purchase a new photocopy machine for your company, you assess the need for a new machine and the time frame within which you want it; you determine the brand and model that will best meet your company's needs; and then you contact vendors via telephone for price estimates. You then make the purchase. After the new photocopy machine is put to use, you may evaluate the decisions you made, as well as employees' level of satisfaction with the new machine. Even though the steps involved in making such a purchase seem obvious, the relationships, phases and processes you use can be applied to all projects, large and small.

Defining project management terms

project A sequence of tasks that must be accomplished within a certain time frame to achieve a desired result.

A project is a sequence of tasks that must be accomplished within a defined time frame in order to achieve a desired result. Projects differ from ongoing work operations in that projects are temporary and unique. A project has a start date and an end date, and it produces a specific deliverable, or end product. For example, the photocopy machine purchase project began when you were given the task of buying a new machine, and ended when you finalized purchase arrangements. Even if you purchased a new photocopy machine every year, each purchase cycle would be a temporary, unique, separate and distinct project.

Version 1.2

Subscription Expiration 09/12/2010

8-4

Internet Business Foundations

task A unit of work that must be accomplished during the course of a project. resource A person, department or device needed to accomplish a task. assignment The appointment of a specific resource to a specific task.

A task is a unit of work that must be accomplished during the course of a project. In the photocopy machine purchase scenario, tasks include determining the type of machine you need and contacting vendors for price estimates. A resource is a person, department or device needed to accomplish a project task. In the scenario, you, the vendor and your telephone can all be considered resources. An assignment is made when a resource is given a specific task to perform. As a project manager (IT or otherwise), you will usually manage project elements such as: Schedules. Costs. Performance risks.

OBJECTIVE: 1.15.3: Project scope/scope creep scope The goals and tasks of a project, and the work required to complete them.

You use project management skills and techniques to control these project elements. You begin the project management process by creating realistic objectives and establishing the scope of the work to be completed.

Scope and scope creep

The end product or ultimate goal of a project, along with the tasks required to achieve that goal, constitute the project scope. In the photocopy machine purchase scenario, all the work required to research and make the purchase is included in the scope of the project. Project scope varies depending on the complexity of the project and the number of tasks required to complete it. For example, developing a Web site is a project of greater scope than designing a company newsletter. You must consider the project's scope when planning a project of any size. A common problem associated with project management is the tendency for the project's scope to increase over time. Any changes in the schedule, cost or performance required to complete the project can affect its scope. Issues often arise during the project that were not initially considered. You may be able to contain the scope of the project, but only by introducing subprojects, which also must be managed. Changes in project scope tend to occur in small increments, and therefore might seem negligible. However, small increases in scope will add up. These gradual increases are called scope creep. If you do not adequately manage scope creep, the success of your project may be compromised.

scope creep Gradual increases in project scope that can undermine the success of a project.

Project Management Skills

To effectively manage a project, you must have strong planning, organizational, communication and problem-solving skills. If you are a novice project manager, managing a part of a project is a good way to start. As you gain experience, you can manage bigger pieces and, eventually, take on the role of project manager for an entire IT project. Earning project management certification can strengthen your project management skills. Two of the most recognized certifications are: The Project Management Professional (PMP) certification from the Project Management Institute (www.pmi.org/info/PDC_CertificationsOverview.asp). The IT Project+ certification from CompTIA (www.comptia.org/certification/itproject/default.asp).

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-5

The Project Management Professional (PMP) certification is the more widely known of the two and is geared toward various professions. The IT Project+ certification is geared specifically for IT professionals.

Planning skills
To plan a project well, you must be able to identify the tasks that constitute the project, understand the ways in which tasks are dependent upon one another, and know the ways that project dependencies will affect the project as a whole. You must also make the most effective use of the people involved with the project, which includes the following:
stakeholder A person or group with an interest in a project and the power to exert influence (either positive or negative) over the project and affect results.

Identifying the project stakeholders Stakeholders are people or groups that can exert influence over the project and affect results. Stakeholders include the project manager, the project team, the sponsors and the customers. Acquiring the right staff for the project Projects require employees with varied skills, backgrounds and job roles. You must be able to recognize the needs of the project and staff it with the right people. Developing and managing teams Projects often involve temporary processes and disparate groups of people. For example, individuals may be brought together who work in different departments or are at different levels within the organization. You must be able to bridge departmental boundaries and individual skill levels in order to accomplish the goal. You must also be able to impart ownership to project participants by holding them accountable for the completion of their tasks, and by soliciting their input and incorporating it into project processes.

Organizational skills
As a project manager, you must have the ability to control how and when individual tasks are completed throughout the course of the project. Managing a project is like conducting an orchestra. Whereas a conductor must be able to follow a score, cue the musicians to play at the correct time and conduct multiple sections at once, a project manager must be able to follow a project plan, ensure that each resource begins and completes tasks at the proper time, and manage a variety of tasks simultaneously. You must be able to help project participants organize and prioritize their tasks to stay within the project scope. You can accomplish this by identifying and assigning project roles and responsibilities and reporting relationships. That is, you must define the organizational structure for the project.

Communication skills
Before you begin a project, you must gather information from the customers to ensure that the end product will meet their needs. Failure to determine goals at the outset can hinder project success. As a project progresses, you must be able to evaluate the condition of the project and communicate project data effectively. You are responsible for keeping project participants informed in order to keep the project running smoothly. Regular communication helps manage scope creep and determine whether costs are exceeding the budget. Understanding the status of a project can also help participants focus on areas that need immediate attention.

Version 1.2

Subscription Expiration 09/12/2010

8-6

Internet Business Foundations

Problem-solving skills
As a project manager, you must be able to quickly identify problems (real or potential) and propose solutions. Problem-solving skills will help you implement solutions without affecting project scope. You must have the ability to make appropriate decisions in a timely manner to prevent problems from adversely affecting the project.

Project Management Phases

Five project management phases constitute the project life cycle: Initiating phase Planning phase Executing phase Controlling phase Closing phase

Each phase is marked by the completion of one or more deliverables. The conclusion of each project phase usually includes a review of performance to date and a decision about whether to proceed to the next phase. Project management phases often overlap. Typically, the executing and controlling phases of a project occur simultaneously. It is also important to note that some phases may occur more than once throughout the project life cycle.

Initiating a project
The initiating phase sets the foundation for the project. This phase defines the project scope, the project goals and the tasks required to accomplish those goals. The initiating phase of a project consists of the following tasks:
OBJECTIVE: 1.15.2: Needs analysis needs analysis Determining a customer's needs by acquiring information, processing and evaluating the information, then creating a plan of action to address the needs.

Conducting a needs analysis Determining project objectives, assumptions and constraints Developing a Statement Of Work (SOW)

Needs analysis
A critical first step in the initiating phase is to conduct a needs analysis, which will help identify the goals of the project. A needs analysis identifies the problems or needs that the project must resolve or address. You can then translate the results of the needs analysis into the requirements that the project must meet. Conducting a needs analysis consists of learning the customer's needs. The customer is the person, department or company for whom you are performing a project. You must elicit needs information, such as the problem the customer is experiencing, the time frame for solving the problem, and the budget for solving the problem. You must get as much information as possible from the customer, and from all systems and individuals that will be affected by the project; process and evaluate the information you receive; and turn it into a cogent plan of action. The needs analysis will help you clearly define the project objectives. The success of a completed project can be judged by how closely each objective was met.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-7

Project objectives, assumptions and constraints

A project objective should be specific and measurable. Objectives can include a list of project deliverables, deadlines for both the final deliverable and intermediate tasks, quality criteria for the deliverables, and cost limitations for the project. All stakeholders must understand and agree to the project objectives.
assumption A factor that is considered to be real or certain for planning purposes.

During this time, you should also define any project assumptions. An assumption is any factor that is considered to be real or certain. For example, if you need to utilize resources from other departments, who will manage those resources? When, and for how long, will those resources be available to you? Assumptions should be clearly defined so that others will know what is expected of them. You should also try to determine project constraints at this time. Constraints are factors that limit your options. Generally, a constraint is a restriction. A project may be constrained by a fixed budget or a deadline. One task may need to end by a specific date so another task that is reliant on the first task can begin. The three major constraints on any project are: Schedule (time). Resources (money, people, equipment). Scope.

constraint A factor, such as budget or time, that limits a project manager's options.

OBJECTIVE: 1.15.8: Statement Of Work (SOW)

Statement Of Work (SOW)

Finally, you and all stakeholders should define the ways that project success will be measured. At the end of the initiating phase, you should complete a Statement Of Work before you proceed to the next phase. The SOW outlines the requirements for each project task to ensure that the project objectives are met. The SOW should contain clearly defined goals and an agreed-upon plan to achieve them. The SOW can be created between individuals, between departments, between individuals and departments, and so forth. If the SOW is completed between your organization and an outside organization or individual, the payment structure can be included in the SOW. By determining the customer's needs during the initiating phase, you can create a project that meets those needs, and you can determine the tasks, time and cost required to complete the project.

Statement Of Work (SOW) A contract to initiate a project; the contract contains project goals and specifies how those goals will be met.

Planning a project
The planning phase addresses project details. Project planning involves identifying all the tasks required to achieve the project goals, the people who will perform those tasks, and the resources that will be required. Planning also involves estimating the time each task will take to complete and determining project tasks that are dependent upon one another.

The project schedule

project schedule A document that lists the planned dates for performing tasks and meeting goals defined in a project plan.

During the planning phase, you must develop a project schedule. A project schedule lists the planned dates for performing tasks and meeting goals identified in the project plan. To develop a project schedule, you should meet with the entire project team to determine the time and money required to complete each task. You should then outline the required tasks and assign resources to each.

Version 1.2

Subscription Expiration 09/12/2010

8-8

Internet Business Foundations

The project team

OBJECTIVE: 1.15.5: Crossfunctional teams

Project teams can (and often do) consist of individuals from different departments. For example, your project may consist of IT professionals from within your department, as well as individuals from the Web development, marketing and accounting departments. Each person offers a different perspective and perhaps a different set of priorities. Consider the following examples: The person from the accounting department may be primarily concerned with project costs and may have authority over budget constraints. The person from the marketing department may be concerned with the project's effect on customers' perceptions of the products or company, or on promotional or advertising functions. The Web designer may be concerned with Web site content or design changes as a result of the project. The IT department members will probably be most concerned about the tasks required to meet the project goals and the time constraints imposed on them.

As the project manager, you will be responsible for satisfying these disparate priorities as you seek to complete the project schedule within the project constraints. At the completion of the planning phase, you should have a schedule outlining tasks, responsibilities, budgets and deadlines. However, remember that planning is a constantly evolving process that lasts throughout most of the project life cycle.

Executing and controlling a project

During the executing and controlling phases of a project, project work is performed (executed), and progress is monitored and corrective action is taken as needed (controlled). At the start of the executing phase, you coordinate people and other resources to carry out the project plan. As work progresses, you must delegate or reassign tasks and resolve conflicts as necessary. The executing phase continues as work progresses. Meanwhile, you begin the controlling phase. This phase includes coordinating project activities, detecting disruptions, taking corrective measures, troubleshooting problems, updating team members about project status and driving the project forward. Thus, during these concurrent phases, you ensure through regular monitoring that all objectives are being met. By comparing actual data to the original estimates determined during the planning phase, you can identify variations and take corrective action when necessary. Corrective action might involve replacing or assigning additional resources, changing tasks, or adjusting the budget. Finally, to successfully execute and control a project, you must produce action plans and status reports to keep everyone apprised of the project's progress. Controlling your project can be especially challenging when your project team consists of crossdepartmental members whose reporting structures differ. Figure 8-1 illustrates an organizational structure in which various project team members report to different company officers.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-9

Figure 8-1: Organizational structure project team members

OBJECTIVE: 1.15.6: Information flow and reporting models

The organizational structure shown in the figure is for a relatively large company (350 or more employees). Of course, not all companies and organizations follow this model exactly. However, all companies and organizations should create a model that ensures accountability among departments and reduces conflicts of interest.

Understanding conflicts of interest

Project team members will probably forward action plans and status reports to others within their departments. Each department will have a different reaction to project plan modifications, particularly if the modifications affect them directly. Following are examples of conflicts of interest that can develop among the various departments represented in your project: The Chief Financial Officer (CFO) may veto a proposed change due to the extra costs involved. The Chief Information Officer (CIO) may resist changes that require additional personnel who cannot be spared or additional tasks that adversely affect the project timeline. The Chief Operations Officer (COO) may determine that the returns on certain phases of the project are not worth the risk, and may seek to eliminate or modify certain tasks. The Chief Security Officer (CSO) may determine that the tasks involved in certain phases of the project pose too great a security risk to the company's data or network, and may seek to eliminate the tasks from the project.

Adjusting the project plan

If situations such as the ones in the previous list occur, you must make appropriate recommendations and adjust the project plan accordingly without losing sight of the project's ultimate goal. In a worst-case scenario, departmental differences may become untenable and put the entire project at risk. In some cases, the appropriate course of action may to terminate the project if it simply will not justify the investment required. Terminating unprofitable projects helps the bottom line. Remember that as the project manager, you are the owner of the project. You must accept final responsibility for all project decisions and outcomes.

Version 1.2

Subscription Expiration 09/12/2010

8-10

Internet Business Foundations

Closing a project
The final phase of a project is the closing phase. During the closing phase, your team should evaluate the project schedule, budget, scope, resources and assignments to determine the aspects of the project that worked well and the changes that should be implemented in the future. A project is deemed a success when it is completed within the budget and time frame specified, and the finished product meets quality standards. At the end of the closing phase, you should receive a formal acceptance of the project deliverable from the customer, a documented history of the project, and recommendations for revising the project plan for future projects.

The Project Triangle

OBJECTIVE: 1.15.1: Project triangle

Three factors time, money and scope affect every project, and they form what is sometimes referred to as the project triangle. When any one of these elements is adjusted, the other two are also affected. For example, if you decrease the budget on a project, you may need to limit its scope as well. Or if you add more time to a schedule, you may be able to reduce costs by eliminating overtime expenses. All three of these elements are important, but typically one will have a greater impact on a project than the others. The relationship among these three elements will determine the kinds of problems that may arise during a project, as well as the solutions you can implement. A fourth element quality is at the center of the project triangle. It is not a factor in the triangle, but changes you make to the other three factors will most likely affect quality. For example, if you have extra time in your schedule, you may be able to increase the project's scope, which may result in a higher level of quality. If you need to cut costs, you may need to decrease scope, and a lower level of quality may result. Therefore, as you optimize a project's schedule, consider the ways that adjusting one element of the triangle might affect the other two, and how overall quality will be affected.

Movie Time!
Insert the CIWv5 Foundations Movie CD to learn even more about this topic. Project Management Concepts (approx. playing time: 08:15)
All movie clips are 2007 LearnKey, Inc.

Project Management Software

As you can see, project management is a balancing act. Although experience is the best way to become an excellent project manager, project management software can help you with the details. Most project management software stores your schedule information in a database. This database might be proprietary (for example, part of a project management program). In many cases, you can export information to a database application (for example, Microsoft Access or MySQL).

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-11

Scheduling information
Project management software stores the following schedule information: A project start date A project calendar Necessary tasks and their durations Project resources and their costs

As you establish relationships among project tasks, project management software calculates the length of time required to complete the tasks, as well as resource availability. As you adjust the schedule, the software recalculates the finish dates and adjusts the project calendar.

Tracking project progress and status

As you post progress information to the database, you can use project management software to compare the actual performance to the planned performance, and display variations. The software can alert you if your project is behind schedule or over budget, as well as inform you when you are ahead of schedule. These features can help you to increase quality and reduce costs. Finally, most project management software enables you to produce charts and reports to communicate project status.

Using a successful project as a template

After closing a project, if you decide that the project was well planned and executed, you can save the old project as a template and use it as a starting point for future projects of a similar nature. In the following lab, you will install a free project management application called GanttProject. You will also install Java (also free) because GanttProject requires Java in order to run. Suppose you are the IT administrator at your company. A new project manager will be joining your department next week, and you want to prepare the project manager's computer so that she has all the resources necessary to be immediately productive.

Lab 8-1: Installing Java and the GanttProject project management tool
In this lab, you will install Java and the GanttProject project management software application. 1. 2. 3. First, you will install Java. Open Internet Explorer, enter the URL www.java.com, and then press ENTER to access the Java home page. Click the Free Java Download button, then click Install in response to the security warning to display the Java Runtime Environment Install Wizard. Ensure that you specify Typical Setup when given the choice between a Typical Setup or Custom Setup installation. It is not necessary to install the Google Toolbar or Google Desktop features. Follow the instructions to install Java on your computer, then click Finish when the installation is complete. Close the Internet Explorer window.

Version 1.2

Subscription Expiration 09/12/2010

8-12

Internet Business Foundations

5. 6. 7. 8.

Next, you will install GanttProject. Open Windows Explorer and navigate to the C:\CIW\Internet\LabFiles\Lesson08 folder. Double-click ganttproject-2.0.4.exe to display the GanttProject Setup Wizard. Follow the instructions to install GanttProject on your computer. When the installation is complete, close Windows Explorer.

Now you are ready to use GanttProject to create and manage a project, which you will do in the next section.

Creating Project Schedules

OBJECTIVE: 1.15.4: Project software, charts and timelines

Once you have completed the initiating phase of a project, you are ready to begin the planning phase and create the project schedule. When you start this phase, you should have clearly defined goals and objectives in mind, as well as the tasks necessary to achieve them. You should also know the approximate length of time each task will take, the order in which tasks should be performed and the employees who will perform them. You can then create a project schedule to determine the project timeline.

Gantt charts
Gantt chart A horizontal bar chart that graphically displays project tasks and durations.

Project management software often contains Gantt charts that graphically display the project tasks and task durations. A typical Gantt chart is shown in Figure 8-2. In a Gantt chart, each task is represented by a separate bar. The top of the Gantt chart displays dates in increments of days, weeks or months, depending on the length of the project. The task duration is represented by the length of the horizontal bar. The left end of the taskbar marks the task start date, and the right end marks the task completion date. Tasks may be performed concurrently, they may overlap, or they may run sequentially if the start of one task is dependent on the completion of another.

Tasks pane

Gantt chart

Figure 8-2: Sample Gantt chart

Henry Gantt, an American engineer and pioneer in the field of scientific management, developed Gantt charts in 1917 as a tool for scheduling production work for military projects. In addition to the basic elements of the Gantt chart shown in the figure, most project management software can enhance the chart to display the following information:

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-13

A vertical marker that represents the current date. The progression of each task, indicated by shading the portion of the task that is completed. Shading completed tasks or portions of tasks provides a visual representation of the status of the project. Sequential relationships among tasks to illustrate task dependencies, usually in the form of link arrows. The resources assigned to each task. Project milestones, which mark major events during the course of the project.

In the following lab, you will use GanttProject to create a project schedule. Suppose your company's IT department wants to upgrade the operating system on all company computers. The department first wants to upgrade the operating system on test computers, or PCs, to ensure the upgrades will work properly. You are a new IT project manager, and the IT administrator has asked you to create a project schedule to organize the tasks necessary to complete the upgrades on the test PCs.

Lab 8-2: Creating a project schedule

In this lab, you will use GanttProject to create a project schedule. The project for which you are creating a schedule is upgrading the operating system on test computers, or PCs, in preparation for upgrading computers throughout the company. 1. 2. First, you will create the tasks and subtasks necessary to upgrade the operating system on test computers. Minimize any open windows to display the Desktop. Double-click the GanttProject icon to display the GanttProject application window (Figure 8-3). Note: If a Tips Of The Day message box displays, click the Close button to close it.

Figure 8-3: GanttProject application window

Version 1.2

Subscription Expiration 09/12/2010

8-14

Internet Business Foundations

3. 4.

In the toolbar, click the New Task button to add a task to the Tasks pane. In the Tasks pane, notice that the text in the Name column is selected, enabling you to name the task. Type Prepare Test PCs, then press ENTER to specify the task name. Notice also that a task bar appears in the Gantt chart reflecting the task you just created, and that the task start date defaults to today's date. Click the New Task button to add a second task to the Tasks pane. Type Identify Test PCs, press ENTER, and then click the Indent button in the Gantt tab toolbar. Notice that the second task is indented and displays as a subtask of the first task. Notice also in the Gantt chart that the bar for the first task has been replaced by a thick black line, which indicates that the first task is a top-level task that will be defined by its subtasks. With the Identify Test PCs task still selected, click the Task Properties button in the toolbar to display the Properties dialog box (shown in Figure 8-4). Notice that the name you specified for the task in Step 5 displays in the Name text box.

Figure 8-4: GanttProject Properties dialog box for task

Specify a duration of 2 days, then click OK. Notice that the thick black line representing the top-level task also reflects a duration of two days. Note: If the task bars in the Gantt chart do not reflect the change, click anywhere in an open area of the Gantt chart.

8. 9.

Click anywhere in a blank area of the Tasks pane to deselect any tasks. Click the New Task button to add a third task and specify a name of Determine Hardware Configurations. With the third task still selected, click the Indent button to indent the task and make it the second subtask of the top-level task, Prepare Test PCs.

10. With the Determine Hardware Configurations subtask still selected, click the New Task button and specify a name of Install CD/DVD Drives. Notice that when you press ENTER, the task automatically displays as a subtask of Prepare Test PCs. This is because the previous subtask was selected when you created this new task. 11. Click anywhere in an empty area of the Tasks pane to deselect any tasks, then click the New Task button. Specify a name of Identify Compatibility Issues, then press ENTER. Notice that because no task was selected and you did not click the Indent button, this task did not become a subtask of Prepare Test PCs.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-15

12. Click anywhere in an empty area of the Tasks pane to deselect any tasks, then click the New Task button. Specify a name of Research OS Compatibility Issues, then click the Indent button. Notice that this task displays as a subtask of Identify Compatibility Issues. 13. With the Research OS Compatibility Issues task still selected, click the New Task button and specify a name of Research Hardware Compatibility Issues. Notice that the task automatically displays as a subtask of Identify Compatibility Issues. 14. Add the top-level tasks and durations specified in the following table to the project schedule. Top-Level Task
Install New Drivers Test Client PCs Install Patches to Fix Bugs Train Users

Duration
2 Days 1 Day 2 Days 1 Day

15. Review the data you entered in the application. Your task list and Gantt chart should resemble Figure 8-5.

Figure 8-5: Task list and Gantt chart

16. Next, you will specify task dependencies. In the Gantt chart, click and hold the Gantt bar for Identify Test PCs, drag it to the Gantt bar for Determine Hardware Configurations, then release the mouse button. This step specifies that the start of the second subtask is dependent on the completion of the first, and moves the start date of the second subtask forward two days. 17. Click and hold the Gantt bar for Determine Hardware Configurations, drag it to the Gantt bar for Install CD/DVD Drives, then release the mouse button. This step specifies that the start of the third subtask is dependent on the completion of the second, and moves the start date of the third subtask forward one day. 18. Continue to link the remaining Gantt bars so that the start of each task (or subtask) is dependent upon the completion of the previous task (or subtask). 19. Finally, you will specify a new project start date. In the Tasks pane, select the toplevel task Prepare Test PCs and display the Properties dialog box.

Version 1.2

Subscription Expiration 09/12/2010

8-16

Internet Business Foundations

20. In the Date section, click the Show Calendar button next to the Begin Date box, click the first Monday following the current week, then click OK. Notice that the entire project moves forward to reflect the new project start date. Notice also that weekend dates in the project timeline are automatically bypassed. 21. In the toolbar, click the Next button several times if necessary to shift the entire Gantt chart into view. Your task list and Gantt chart should now resemble Figure 8-6.

Figure 8-6: Task list and Gantt chart final

22. Exit GanttProject without saving the project schedule. You now know how to use a project management software application to create a project schedule and display it using a Gantt chart.

Documenting Projects
OBJECTIVE: 1.15.12: Project documentation

After the planning stage, you should be able to identify the tasks that are most important and the tasks that can be delayed without affecting the completion of other tasks or the overall project. Being aware of critical tasks will help you make adjustments to ensure that the project is completed on time.

Paper trail
During the executing and controlling phases of a project, you should document project tasks to provide a paper trail, or record, of the team members who worked on tasks, and the dates they started and completed them. Team members should sign and date the document to confirm that they completed the tasks. By documenting the project as it advances, you can track its progress by determining whether tasks are starting and finishing on time, and whether tasks are being completed within the budget. By tracking these factors while the project is still in progress, you can solve problems as they occur and make necessary adjustments. Documenting a project promotes team member accountability and enables stakeholders to monitor various stages of the project.

Issues log
You should also keep an issues log in which you document problems that need to be escalated to managers or executives outside the project team for resolution. Issues often arise during the course of a project that require authoritative decisions in order for the team to complete tasks and keep the project on track. You can use the issues log as

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-17

backup documentation to support any time, resource or cost changes that may accrue due to circumstances beyond the project team's control.

Planning and Scheduling Meetings

OBJECTIVE: 1.15.16: Meetings

Also during the executing and controlling phases of a project, you need to meet with team members regularly to discuss progress, and to respond to project issues and unanticipated developments. Any variations from the project plan should also be identified and addressed. Proactively anticipating and responding to potential project deviations will help you avoid a crisis later. Meeting with team members provides opportunities to present new ideas to improve workflow, solve problems, inform team members of project status and make decisions. You should also periodically meet with stakeholders and management to keep them apprised of project progress and to handle issues they bring up that may affect the scope of the project. You may want to schedule meetings with stakeholders and management around project milestones. You can also prepare a Project Status report to review specific highlights or achievements, stages of task completion, cost status of the project, and so forth. This is also a good time to solicit information from management that you need in order to respond to problems.

Meetings and scope creep

Scheduled meetings are also an excellent way to manage scope creep. A few minor scope increases may not significantly affect the project. However, major or frequent requests that were not part of the original Statement Of Work can derail the project if they are not properly managed. Regular meetings to review and discuss requests will help to manage change requests and eliminate those that are not crucial to the success of the project.

OBJECTIVE: 1.15.11: Formal project review

Reviewing Projects
During the closing phase of every project, the project manager should perform a formal project review with the project team. The project review provides an opportunity for the following: Testing the product The customer has the opportunity to evaluate and test the deliverable, and formalize acceptance of it. If the product does not meet expectations, the customer can reject the product and request modifications before granting final approval. If the product is approved, it can be implemented. Evaluating performances You can review team members' performances and determine the individuals and departments that contributed most to the project's success. If the project exceeded its initial constraints or yielded an unacceptable end product, team members can determine the mix of resources that would have yielded a high-quality product within time and budget constraints. Documenting lessons learned Team members can document the processes that worked well, as well as modifications to improve processes that did not work as well as expected. Team members should identify aspects of the project that contributed to time, cost or scope overruns. Documenting the lessons learned can help team members (and others) improve their performances or resolve similar issues in future projects.

Version 1.2

Subscription Expiration 09/12/2010

8-18

Internet Business Foundations

Quality Assurance
OBJECTIVE: 1.15.13: Separation of duties 1.15.15: Quality management and assurance

As a project manager, you are not only concerned with the components of the project triangle. You must also consider the quality of the product. If the product does not meet the customer's quality standards, it will not be accepted, and the project will probably be considered a failure. You can employ several techniques to manage and assure the quality of the product, including the following: Separation of duties (also called segregation of duties) Project teamwork can help ensure quality by providing independent verification that project tasks were completed correctly. One team member can check the work of another, and vice versa. If one team member misses a crucial step, the other will probably notice it and complete the task properly. This type of teamwork helps ensure the quality of the product. Adherence to ISO 9000 standards ISO 9000 standards (introduced in the next section) are an international benchmark for systemizing processes to help organizations create products and services that meet the quality standards set by customers and government regulations. By complying with ISO 9000 standards, organizations are implementing a best-practices approach to managing projects and processes to ensure high-quality deliverables.

International Organization for Standardization (ISO) 9000

The International Organization for Standardization (ISO) is a grouping of national standards bodies from 148 countries. ISO develops technical specifications for intellectual, scientific, technological and economic activities worldwide. ISO is not an acronym; the name is derived from the Greek isos, which means equal. You can learn more about ISO at www.iso.org. ISO offers a family of management system standards called ISO 9000. ISO 9000 details the steps recommended to produce high-quality products and services using a qualitymanagement system that maximizes time, money and resources. ISO 9000 outlines a systematic approach to managing business processes so that they consistently deliver quality products.

IT Business Implications
Many IT projects have a direct effect on a company's bottom line. The risk and business value of each project must be considered relative to each other to determine the projects that should be authorized and the projects that should not. This section will discuss the effects of organizational rules and policies on IT projects; IT rights and responsibilities; the effects of IT projects on employee productivity; and the ways that business concerns determine the IT projects to pursue and the IT functions that receive the endorsement of upper management.

Organizational rules and policies

OBJECTIVE: 1.15.7: IT issues in organizational policies

IT project initiation and implementation are bound by the rules and policies that govern an organization. IT professionals must consider the ways that the rules and policies will affect their ability to fulfill customer requests, particularly when the customer is an individual or department within the organization.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-19

For example, suppose that you are managing the installation of new server equipment and a new e-mail client. Organizational rules and policies that you may have to consider include the following: Change request forms You can initiate a project only when formally requested to do so by a requestor who must submit a form, such as a change request form. This form details the specific problem or need, and requests IT time and resources to resolve it. You can use the form as the basis for your needs analysis and Statement Of Work to determine the project goals and objectives. Employee overtime During the changeover of server equipment, the existing equipment must be disengaged, resulting in server downtime. If equipment downtime is significant, will employees need to work overtime to remain on schedule with their own tasks? If the company is reluctant to grant overtime for non-IT personnel, you may have to schedule the installations at off-peak times, such as evenings or weekends. Employee training If your organization has a sales or customer service staff, will business be affected if phones are not covered? You may have to stagger software installations or e-mail client training so that not all employees are away from their phones at one time. Project documentation Company policy may dictate that all project managers document their activities to provide a formal tracking process. IT project documentation can be used to confirm which employee requested the service or product, the tasks and objectives that were agreed upon, the project start and end dates, the testing or acceptance criteria, and final project sign-off. For example, if the project involved updating the company Web site, documentation can be used to identify specific Web page changes, the person who made them and the reasons they were made. Such a tracking process ensures accountability so that Web site changes are not made without proper authorization. Documentation provides a vehicle for problem resolution if the changes require further modification.

IT rights and responsibilities

OBJECTIVE: 1.15.7: IT issues in organizational policies

IT professionals have certain rights, and they also have responsibilities to the organization. For example, IT professionals must have access to the tools needed to perform their jobs, such as the hardware, software and security access required to perform tasks. They also have the right to receive clear, detailed objectives and instructions so that they can provide the appropriate services and products to their customers. IT professionals have the responsibility to provide services and products in a timely, costeffective, secure manner that satisfies customer needs without compromising the integrity or security of the data or processes with which they work. They also have the responsibility to plan service and product installations and conduct training in a manner that minimizes workflow interruption and hardware or network downtime.

Effects of IT projects on productivity

OBJECTIVE: 1.15.9: Implications of technical changes

IT projects often impact an organization's bottom line because systems upon which employees rely to perform their job duties are affected. Employees and stakeholders will respond to IT professionals based on the way IT projects are conducted and managed. As an IT project manager, you must always strive to minimize workflow interruptions to avoid negatively affecting an organization.

Version 1.2

Subscription Expiration 09/12/2010

8-20

Internet Business Foundations

When IT projects affect systems that employees use, you should: Inform employees about the systems that will be affected, and the date and duration that the systems will be inaccessible. Provide alternative ways to complete tasks when systems are offline. Perform tasks during off-peak hours to minimize distractions. Provide training and support so that users assimilate the new systems as quickly as possible. Provide support to answer questions and solve problems while employees learn the new systems.

When IT projects are managed properly: Employee productivity loss is minimized, which minimizes the negative impact to the company's bottom line. Employee transition from old to new systems occurs more swiftly and smoothly. Fewer problems occur, which will result in less IT support time. Good will will be fostered among departments because users will view IT as a service organization that is responsive and sensitive to their wants and needs.

When IT projects are mismanaged: Employees may become frustrated and angry because their ability to work is unnecessarily hindered. Employee productivity and perhaps morale may be adversely affected because of an inordinate amount of system downtime. Project tasks may take longer to complete, which may waste company resources and money. Animosity among departments may occur because users will view IT as a department that hinders their ability to get their jobs done.

Following are some examples of how IT projects affect employee productivity.

Upgrading a firewall
How does installing a firewall affect employee productivity? Suppose that IT is upgrading the firewall to no longer allow certain types of file attachments (for example, .doc, .bat or .exe files) to pass through the e-mail server. If employees routinely exchange these types of files via e-mail, productivity may be diminished because employees must find alternative methods of transmitting this information. Employees may have to use a VPN or FTP server to transfer files, which may involve training. If productivity is adversely affected, the organization's bottom line may be adversely affected, particularly in a large company in which hundreds or thousands of employees can be affected at once.

Restricting Internet access

As part of the firewall upgrade, certain Web sites that employees may have routinely accessed are now rendered inaccessible. What are the implications to employee productivity? If the Web sites contained information instrumental to their job functions, employees may lose productivity until they find comparable information from another easily accessible source. As an IT professional, you must weigh the increase in firewall security against the deterrent to employee productivity, and make decisions accordingly.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-21

Changing user names and passwords

Another common IT function is to periodically change user names and passwords for network access as an extra security precaution. If employees are unaware of or unprepared for the change, they may become frustrated and confused when they try to log on to the network and are denied access. As an IT professional, you must notify employees in advance of the change, specify the date on which the new user names and passwords will take effect, and give employees instructions regarding the new user names and passwords. Sending reminders and giving employees instructions in advance will increase their comfort level with the change.

Changing e-mail protocols

How does changing e-mail protocols affect employee productivity? Suppose that IT is switching the company e-mail protocol from POP3 to IMAP4. Upgrading the protocol software will involve user downtime while IT installs and tests the software on the e-mail server. Users may experience unanticipated problems or conversion incompatibilities. IT must reconfigure the firewall and provide training and support in order for employees to use the new e-mail protocol. As stated in the other examples, a proactive approach by IT can minimize productivity loss.

Return On Investment (ROI) and IT projects

OBJECTIVE: 1.15.10: Return On Investment (ROI)

Return On Investment (ROI) in the context of IT projects refers to the profit earned as a result of a project relative to the value of the resources required to complete the project. Before starting a project, an IT project manager must determine the benefits of spending the money to create the product or service. As a project manager, you will be held responsible for the project's ROI and be required to justify the project's benefits relative to its costs. You must be able to determine the risk and business value of each project to justify which projects to preserve and which projects to eliminate. For example, IT may receive a request to replace one software suite with another throughout the company. As the IT project manager, you must determine whether the costs of switching suites (including ramifications such as installation time, end-user training, and so forth) can be justified relative to the benefits afforded by the new suite. If the cost of upgrading is high and no measurable increase in productivity or sales will result from it, the ROI considerations would probably lead you to reject the request. By contrast, IT may receive a request to add information to the company Web site that research has indicated may dramatically increase sales. If you determine that it would take a Web developer less than a week to update the Web site and test the new links, the potential ROI may be well worth the investment.

Return On Investment (ROI) Profit earned as a result of a project relative to the value of resources required to complete it.

Proving ROI
An ROI concern exists for technical IT functions relative to the company's bottom line. The IT department can decide to undertake various projects, from changing e-mail clients to installing a firewall to creating a company intranet. Before any of these projects gains upper-management approval, the IT department will probably have to convince management that the end products or services will produce a positive ROI; that is, that the money spent will be more than offset by the savings or productivity gains resulting from the new products or services. For example, the Web team may request updated Web development software, which they claim will enable them to enhance the company Web site design for greater visual impact

Version 1.2

Subscription Expiration 09/12/2010

8-22

Internet Business Foundations

OBJECTIVE: 1.15.14: Information systems and business concerns

and functionality. Upper management will need answers to the following questions before approving the purchase: Will the new software yield a significantly improved Web site? Will the upgraded Web site attract more customers? Will the upgraded Web site translate into greater sales? Will the investment in the software upgrade increase the bottom line?

Unless the Web team can provide evidence that the new software will produce a positive ROI, upper management probably will not approve the purchase.

Project Management Institute (PMI)

Many resources exist to help expand your knowledge of project management concepts and principles. A key resource is the Project Management Institute (PMI), which is a nonprofit membership organization that publishes standards and offers education in the project management profession. PMI sets ethical and professional project management standards, and offers the Project Management Professional (PMP) certification program.

Project Management Body of Knowledge

The Project Management Body of Knowledge (PMBOK) identifies nine topic areas that define project management. Each topic area provides a set of principles and techniques to help you manage projects, and is explained in a book published by PMI titled Guide to the Project Management Body of Knowledge. The nine topic areas are as follows: Project Integration Management ensuring that all project elements are properly coordinated by developing and executing the project plan Project Scope Management defining the tasks and resources needed to meet project objectives, and identifying the budget constraints Project Time Management defining task durations and developing the project schedule to ensure that a project is completed by the deadline. Project Cost Management controlling expenses to ensure that a project is completed within the approved budget Project Quality Management incorporating appropriate quality assurance and product testing techniques to ensure that project deliverables satisfy project goals and meet customer needs Project Human Resource Management assessing and coordinating resource allocations to assign appropriate individuals to project tasks to maximize the efficiency of the project team Project Communications Management communicating project status and distributing information to team members and stakeholders in a timely manner to address issues as they arise and manage deviations from the project plan Project Risk Management analyzing and identifying project risks relative to ROI to determine which projects should proceed and which should be terminated Project Procurement Management obtaining the necessary resources to meet project goals

To learn more about the Project Management Institute and to purchase copies of Guide to the Project Management Body of Knowledge, visit PMI online at www.pmi.org.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-23

Case Study

We Need an Intranet!
Mary Kate is a project manager in the IT department for a university. She has been asked to manage a project to create a faculty intranet. The university has multiple campuses in various locations, and professors and other faculty need to be able to easily post questions, schedules and other documents to share in a secure environment. Mary Kate performed the following steps to begin the intranet project.

She performed a needs analysis. Mary Kate interviewed the university faculty to determine their needs for an intranet and the uses they foresee for it. She discovered that several of the professors were working on a research project and wanted to use the intranet to facilitate group discussions, as well as to host periodic Webinars for professors at other universities. She chose the project team. Mary Kate enlisted members of the IT department for the project, including someone to install firewalls so users have access to the Internet through the firewall server, and someone to set up the site to host Webinars. She determined the project constraints. Mary Kate determined when the intranet needed to be live. She considered how long she would have the services of the various team members, how long team members could work on this project before being assigned to other tasks, and when the first Webinar was scheduled. Once she gathered all of this information, she was able to determine the project scope and constraints. She created the project schedule. Mary Kate worked with the project team to outline the tasks and task relationships required to complete the project. She assigned resources to specific tasks so that each person was aware of his or her role in the overall project plan. She scheduled weekly meetings for the duration of the project. Mary Kate included the CIO, project team members, faculty members and all other stakeholders in the meetings. She created a Project Status report and an issues log. Mary Kate used these documents in each meeting to apprise stakeholders of the project status and to introduce any problems or issues that had arisen since the last meeting.

Once Mary Kate had performed all these tasks, she was ready to begin the executing phase of the project. * * *

As a class, discuss the management of this project. How might scope creep occur? How could it be managed?

Version 1.2

Subscription Expiration 09/12/2010

8-24

Internet Business Foundations

Lesson Summary
Application project
Several free project management software applications are available for download from the Web. Use any of the search engines that have been introduced in this course to search for free project management software that can be downloaded (use search keywords such as "project management software," "Gantt chart software," and so forth). Download an application to your Desktop. Pair up with a partner or friend and create a Statement Of Work for a simple IT project, such as the installation of software upgrades and services on the computers within a particular department. List specific tasks that must occur during the various stages of the project in order to meet your project objectives. Be sure to include at least one task for each of the five project management phases. Use project management software to enter the tasks, task durations and milestones to create a Gantt chart of the project schedule.

Skills review
In this lesson, you learned about the fundamentals of project management, project management skills, and the five project management phases that constitute the project life cycle: initiating, planning, executing, controlling and closing a project. You also learned that the project triangle time, money and scope affects every project and impacts the quality of the project deliverables. You learned about the benefits of project management software and used a freeware application to create a project schedule and develop a Gantt chart of tasks, task durations and task dependencies. You learned the value of documenting and reviewing projects, planning and scheduling meetings, and applying quality assurance techniques. You learned about the impact of IT decisions on organizations and vice versa, such as the impact organizational rules and policies have on IT projects, IT rights and responsibilities, the impact of IT projects on employee productivity, and the ROI implications of IT decisions. Finally, you learned about the Project Management Institute (PMI), which is a key resource for project management concepts and principles. Now that you have completed this lesson, you should be able to: Identify project management fundamentals. Identify project management skills. Identify the five project management phases. Define the project triangle. Identify the value of project management software. Create a project schedule. Identify the value of documenting projects. Identify the value of planning and scheduling meetings.

Version 1.2

Subscription Expiration 09/12/2010

Lesson 8: IT Project Management

8-25

Identify the value of reviewing projects. Identify quality assurance techniques. Identify the business implications of IT decisions. Identify project management certifications and resources.

Lesson 8 Review
1. Name the primary way that IT projects differ from other projects. ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 2. Define project management. ____________________________________________________________________________________ ____________________________________________________________________________________ 3. What is the term for a unit of work that must be accomplished during the course of a project? ____________________________________________________________________________________ 4. What is the term for a person or group that has an interest in the outcome of a project and can affect its results? ____________________________________________________________________________________ 5. List the five phases of the project management life cycle. ____________________________________________________________________________________ 6. How does the customer participate in the closing phase of a project? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ 7. Name some responsibilities that an IT professional has when working on a project that affects other departments in an organization. ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________

Version 1.2

Subscription Expiration 09/12/2010

8-26

Internet Business Foundations

Version 1.2

Subscription Expiration 09/12/2010

Bulletproof Facebook Formula by John
67% (3)
Bulletproof Facebook Formula by John
17 pages
TOC-L OQR Rev1.04 ZEMH-8100D
No ratings yet
TOC-L OQR Rev1.04 ZEMH-8100D
24 pages
CT LFC Procedure 07mw11
100% (2)
CT LFC Procedure 07mw11
64 pages
Econnect: Click The Link or Type The Web Address of Alex in Your Browser
No ratings yet
Econnect: Click The Link or Type The Web Address of Alex in Your Browser
7 pages
ITE 322 - Reviewer
No ratings yet
ITE 322 - Reviewer
6 pages
Computer Network Final Module
No ratings yet
Computer Network Final Module
105 pages
Hackers Are Commonly Thought of As The Bad Guys, The People Who Make Your Computer Go As Slow
No ratings yet
Hackers Are Commonly Thought of As The Bad Guys, The People Who Make Your Computer Go As Slow
7 pages
Encryption
No ratings yet
Encryption
6 pages
How Encryption Works: in The Key Of..
No ratings yet
How Encryption Works: in The Key Of..
5 pages
2021KUCP1001
No ratings yet
2021KUCP1001
5 pages
Crypto
No ratings yet
Crypto
36 pages
Basics of Encryption and
No ratings yet
Basics of Encryption and
4 pages
What Is Encryption
No ratings yet
What Is Encryption
6 pages
Lecture #3
No ratings yet
Lecture #3
6 pages
Security Threats in The E-Commerce Environment
No ratings yet
Security Threats in The E-Commerce Environment
73 pages
Unit 3
No ratings yet
Unit 3
33 pages
COURSE CODE: IT311 - Information Assurance and Security: Cryptography To The Rescue
No ratings yet
COURSE CODE: IT311 - Information Assurance and Security: Cryptography To The Rescue
6 pages
Cryptography
No ratings yet
Cryptography
5 pages
network Security pptx
No ratings yet
network Security pptx
47 pages
Chapter - 5 Network Security
No ratings yet
Chapter - 5 Network Security
36 pages
IT-801 Information Security Lab File
No ratings yet
IT-801 Information Security Lab File
47 pages
Introduction to Public-Key Cryptography
No ratings yet
Introduction to Public-Key Cryptography
22 pages
Encryption Keys
No ratings yet
Encryption Keys
6 pages
Security and Cryptography
No ratings yet
Security and Cryptography
9 pages
Encryption As A Countermeasure For Information Assurance
No ratings yet
Encryption As A Countermeasure For Information Assurance
5 pages
Network Security
No ratings yet
Network Security
31 pages
Security: by Prasanth, Y13
No ratings yet
Security: by Prasanth, Y13
19 pages
CF Unit 5
No ratings yet
CF Unit 5
11 pages
Report
No ratings yet
Report
60 pages
Crpto 4
No ratings yet
Crpto 4
18 pages
Encrypting Data: Pinili Vanne Ouano Larena Galdo Libron Ricksteel
No ratings yet
Encrypting Data: Pinili Vanne Ouano Larena Galdo Libron Ricksteel
29 pages
Plaintext and Ciphertext
No ratings yet
Plaintext and Ciphertext
7 pages
andrew23
No ratings yet
andrew23
15 pages
Unit-4
No ratings yet
Unit-4
32 pages
Networ Assignment
No ratings yet
Networ Assignment
44 pages
Security
No ratings yet
Security
13 pages
A Definition of Data Encryption
No ratings yet
A Definition of Data Encryption
8 pages
Networks Internet E-Commerce Mobile Telephones Wireless Microphones Wireless Intercom Bluetooth Automatic Teller Machines
No ratings yet
Networks Internet E-Commerce Mobile Telephones Wireless Microphones Wireless Intercom Bluetooth Automatic Teller Machines
6 pages
Session:2020-21: School: School of Law, Justice & Governance (Solj&G)
No ratings yet
Session:2020-21: School: School of Law, Justice & Governance (Solj&G)
8 pages
Vel Tech Symp
No ratings yet
Vel Tech Symp
9 pages
Cryptography Solutions
No ratings yet
Cryptography Solutions
9 pages
Information Security: Department of Information Technology University of The Punjab Gujranwala Campus
No ratings yet
Information Security: Department of Information Technology University of The Punjab Gujranwala Campus
7 pages
Hashing Digital Signature
No ratings yet
Hashing Digital Signature
73 pages
Data Encryption Decryption
100% (2)
Data Encryption Decryption
60 pages
How Encryption Works
No ratings yet
How Encryption Works
5 pages
TCIL-IT Ethical Hacker Assignment No. 2
No ratings yet
TCIL-IT Ethical Hacker Assignment No. 2
11 pages
Info Sec
No ratings yet
Info Sec
6 pages
UNIT 2 tk
No ratings yet
UNIT 2 tk
4 pages
CNS
No ratings yet
CNS
26 pages
The Different Types of Threats On The Internet, Which Can Create Damage
No ratings yet
The Different Types of Threats On The Internet, Which Can Create Damage
11 pages
امنيه الفصل الاول
No ratings yet
امنيه الفصل الاول
41 pages
ppt6
No ratings yet
ppt6
28 pages
Digital Certificate and Signature
100% (5)
Digital Certificate and Signature
51 pages
Original 1688556290 Methods of Cryptography PDF
No ratings yet
Original 1688556290 Methods of Cryptography PDF
3 pages
Online Security & Technology Solutions
No ratings yet
Online Security & Technology Solutions
42 pages
Ecure Client Server Message Integrity Verification Using Robust Encrypted Technique
No ratings yet
Ecure Client Server Message Integrity Verification Using Robust Encrypted Technique
5 pages
Lecture 08
No ratings yet
Lecture 08
20 pages
Cyber Security
No ratings yet
Cyber Security
33 pages
Encryption
No ratings yet
Encryption
66 pages
Chapter 3
No ratings yet
Chapter 3
14 pages
Cryptography: Latika Arora, IT/06/321
No ratings yet
Cryptography: Latika Arora, IT/06/321
5 pages
7 Basic Cryptography
No ratings yet
7 Basic Cryptography
24 pages
Securing Email Communication: How to Protect Your Correspondence from Wiretapping Using Free Tools
From Everand
Securing Email Communication: How to Protect Your Correspondence from Wiretapping Using Free Tools
Slava Gomzin
No ratings yet
Your System's Sweetspots: CEO's Advice on Basic Cyber Security: CEO's Advice on Computer Science
From Everand
Your System's Sweetspots: CEO's Advice on Basic Cyber Security: CEO's Advice on Computer Science
Warren H. Lau
No ratings yet
Regd. Office: 25, Bazar Lane, Bengali Market, New Delhi-110001
No ratings yet
Regd. Office: 25, Bazar Lane, Bengali Market, New Delhi-110001
144 pages
Itwin Seminar
No ratings yet
Itwin Seminar
7 pages
EH unit 2
No ratings yet
EH unit 2
42 pages
Karel Prog
No ratings yet
Karel Prog
71 pages
CEIA Industrial Metal Detectors
No ratings yet
CEIA Industrial Metal Detectors
6 pages
Local Storage
No ratings yet
Local Storage
2 pages
Ashbel Govore O Level Project (Library Managemnet System VB - Net)
50% (2)
Ashbel Govore O Level Project (Library Managemnet System VB - Net)
37 pages
Tech Note 892 - Configure SQL and Alarm DB Logger Manager PDF
No ratings yet
Tech Note 892 - Configure SQL and Alarm DB Logger Manager PDF
11 pages
Security Checklist For Developers
No ratings yet
Security Checklist For Developers
4 pages
NSB Internet Bank UserGuide
50% (2)
NSB Internet Bank UserGuide
5 pages
TCP1101 Programming Fundamentals Basic Data Analysis Program (BDAP)
No ratings yet
TCP1101 Programming Fundamentals Basic Data Analysis Program (BDAP)
7 pages
12343343434 - Copy
No ratings yet
12343343434 - Copy
2 pages
Voucer 5
No ratings yet
Voucer 5
4 pages
17.2.6 Lab - Attacking A mySQL Database - ILM
No ratings yet
17.2.6 Lab - Attacking A mySQL Database - ILM
13 pages
Lab - CTF - Basic Pentesting
No ratings yet
Lab - CTF - Basic Pentesting
12 pages
B6 - Complete The Text and Reading Comprehension
No ratings yet
B6 - Complete The Text and Reading Comprehension
10 pages
Visual Basic 2010 Homework Help
100% (1)
Visual Basic 2010 Homework Help
8 pages
Cisco Huawei
No ratings yet
Cisco Huawei
7 pages
Creating A Company Culture For Security Design Documentation Name Institution Date
No ratings yet
Creating A Company Culture For Security Design Documentation Name Institution Date
5 pages
Hacking - 17 Most Dangerous Hacking Attacks - Downlaod From Darkwiki - in PDF
No ratings yet
Hacking - 17 Most Dangerous Hacking Attacks - Downlaod From Darkwiki - in PDF
93 pages
Floboss 107 Flow Manager LCD User Manual en 132304
No ratings yet
Floboss 107 Flow Manager LCD User Manual en 132304
68 pages
30561994019
No ratings yet
30561994019
2 pages
Knowledge Park: IT CBS & NONCBS: (Updated Upto 01.04.2023)
No ratings yet
Knowledge Park: IT CBS & NONCBS: (Updated Upto 01.04.2023)
20 pages
New IT Essential 5.0
100% (1)
New IT Essential 5.0
13 pages
مراجعة النخبة Ict ترم اول صف رابع من اكاديمية تراست (1)
No ratings yet
مراجعة النخبة Ict ترم اول صف رابع من اكاديمية تراست (1)
49 pages
SSIS Package Configurations PDF
No ratings yet
SSIS Package Configurations PDF
22 pages

Lesson 7: Internet Security: Objectives

Uploaded by

Lesson 7: Internet Security: Objectives

Uploaded by

7Lesson 7: Internet Security

Authorized to be used in American Public University System. To report abuse, go to www.CIW-certified.com/abuse.

Subscription Expiration 09/12/2010

Internet Business Foundations

What is malware? ____________________________________________________________________________________ ____________________________________________________________________________________ ____________________________________________________________________________________

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Introduction to Internet Security

Figure 7-1: Web page personal information form

Subscription Expiration 09/12/2010

Internet Business Foundations

Symmetric-key (secret-key) encryption

Asymmetric-key (public-key) encryption

The RSA algorithm

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Hash (one-way) encryption

Subscription Expiration 09/12/2010

Internet Business Foundations

User names and passwords

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Native desktop firewall software

Subscription Expiration 09/12/2010

Internet Business Foundations

Desktop firewall features

Default desktop firewall stances

Blocking incoming and outgoing traffic

Lab 7-1: Enabling your desktop firewall

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Figure 7-2: Network Connections window

Figure 7-3: Advanced Settings dialog box

Subscription Expiration 09/12/2010

Internet Business Foundations

Malware (Malicious Software)

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Virus Type Boot sector virus

Bomb Cluster virus

File-infecting virus Macro virus

Subscription Expiration 09/12/2010

Internet Business Foundations

Virus Detection and Prevention

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Subscription Expiration 09/12/2010

Internet Business Foundations

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Detecting and blocking spyware

Subscription Expiration 09/12/2010

Internet Business Foundations

Spyware detection applications and false positives

Lab 7-2: Installing and using spyware detection software

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Figure 7-4: Ad-Aware SE Personal spyware detection application

Subscription Expiration 09/12/2010

Internet Business Foundations

OBJECTIVE: 1.10.5: Client software patches and updates

Updates and Patches

Antivirus program updates

Encryption levels and Web browsers

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Figure 7-5: Display Properties dialog box Screen Saver tab

Subscription Expiration 09/12/2010

Internet Business Foundations

Lab 7-3: Activating a screen saver

List Servers and Listserve Groups

Subscription Expiration 09/12/2010

Lesson 7: Internet Security

Lab 7-4: Exploring LISTSERV

Figure 7-6: L-Soft home page

Subscription Expiration 09/12/2010

What is malware?