[PPT] - E-Pass Redesign Overview Presentation for E-Pass Implementation PowerPoint Presentation

SLIDE 1

E-Pass Redesign

Overview Presentation for E-Pass Implementation Team

February 12, 2003

SLIDE 2

Agenda

Why re-design?
Key improvements
Project timeline
Feature walkthrough
Usability test results
Help Needed – Testing, Rollout

SLIDE 3

Why re-design?

Reduce training and operating costs

– Make application easier to use and understand – Make processing of requests and token processing more efficient – Reduce helpdesk calls

Address problems with current application
Improve overall application reliability,

maintainability and flexibility for change

SLIDE 4

Reduce training and operating costs

Baseline for customer satisfaction established with September

2002 customer satisfaction survey

Improved ease-of-use - confirmed with usability testing
Request processing more efficient with tasks and alerts,

intelligent sponsor identification, pre-defined mailing addresses, ability to transfer approvals, direct access via e-mail and more…

Added self-service operations to reduce reliance on customer

support and sponsor

Added capability to identify and track key operational metrics
Guided troubleshooting of key problems
Online context-sensitive page and field help

SLIDE 5

Address current problems

Multiple menus
Confusion about when to replace a token
Most frequent operations not close-to-hand
Difficult to select individuals in sponsor’s branch of

tree

Bad e-mail addresses
Poor security question compliance

SLIDE 6

Improve reliability, maintainability, flexibility

Detailed design documentation
Use of general-purpose models for roles and rights
Software architecture utilizing modern 3-tier, object-
riented model (J2EE)
Hardware architecture provides load balancing and

fail-over of key components for reliability

Web Services interface for connecting to any future

identity management initiatives

SLIDE 7

Key improvements

Orientation change – focus on user vs. function

System gives ready access to functions that are applicable at any given stage to the user selected

Personalized start page – view tasks and alerts specific to you

and sponsored users

Customer self-service functions - reduce helpdesk and sponsor

calls

Security question changes - improve compliance/security
E-mail address verification
Direct access to waiting tasks from e-mail
Improved search capability
Comprehensive and flexible security model
Ability to issue limited-term E-Passes

SLIDE 8

Project timeline

Implementation planning from now through early July launch…

Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Oct 01 Aug 03 Business Requirements Key Use Cases & Business Processes Stakeholder Workshops High-Level Design Completed RFP Implementation Vendor Selected Iteration 1 User Acceptance Iteration 2 Launch Detailed Design Prototype & Usability Testing

SLIDE 9

Home page

SLIDE 10

Alerts & waiting tasks

Alert sponsor of all activity related to directly sponsored users:

– Lost, stolen, broken tokens; temporary passwords set

Waiting tasks include:

– For self:

Updating profile
Renewing an expiring token
Updating security questions

– Sponsor approvals for:

New E-Pass (permanent or limited-term)
Replacement tokens
User transfers
Revalidating user

SLIDE 11

Start page

SLIDE 12

User- vs. function-centric

Existing system

– Select function, then user, then determine if function is still valid for user

Select Function Identify User Function valid/ not valid? Identify User Select Valid Function

New system

– Select user, system displays functions available for that user based on privileges, then select function desired

SLIDE 13

Select user

SLIDE 14

Manage user

SLIDE 15

Customer self-service

Requires a minimum of two security questions to be

answered

Allow end-user to self-report or handle common

token problems

– Report lost or stolen token

Allows user to automatically place request for replacement

token with sponsor

– Resync Token – Reset PIN – Receive and Activate Token

Sponsor and user notified by e-mail; self-service not

available if e-mail addresses haven’t been verified

SLIDE 16

Customer self-service

User identity is validated with correct answers to two security

questions

Security questions are pre-defined; user can select up to 6 out
f 20 or more possible and supplies answers
Three self-service operations available:

– Report Lost or Stolen Token – Reset PIN – Resync Token

Operations cause sponsor and user to be notified by e-mail
Self-service is not available if user is sponsor-dependent

SLIDE 17

Security questions

Questions no longer open-ended (industry-standard)
Questions selectable from a list of 20 or more
At least 6 questions are available to be used at any

given time

“Used” questions cannot be re-used in any 30 day

period

User has 30 days grace period to select and answer

at least two security questions after E-Pass issued

E-Pass disabled if security questions not answered

SLIDE 18

Token self-activation

Applies to new or replacement tokens
User receives e-mail notification, clicks on included

URL

Browser launches special activation page - user is

prompted for the token serial number of the token now in their possession

If the supplied token serial number matches the token

sent, the token is automatically activated

If the token received was a replacement token, the
ld token is deactivated

SLIDE 19

E-Mail verification

Significant problem with invalid e-mail addresses in

current system

Re-design requires e-mail addresses to be “verified”

for new users and any time e-mail address is changed in a profile

User will receive e-mail with a unique URL/code.

Clicking on URL within e-mail will automatically “verify” e-mail address

Sponsors will receive e-mail in cases where user has

no e-mail account

SLIDE 20

E-mail address verification

Profile

E-Mail: pahazen@phena.com

User Registers: Enters Basic Profile Information System Creates Unique Code & Sends E-Mail to Registered E-Mail Address

Profile

E-Mail: pahazen@phena.com
Unique Code: xj47syw8fas
E-Mail Unverified

1 2

User Clicks on URL In E-Mail Containing Unique Code System Matches Code to Profile & Marks E-Mail Verified

Profile

E-Mail: pahazen@phena.com
Unique Code: xj47syw8fas
E-Mail Verified

3

SLIDE 21

Direct access to waiting tasks from e-mail

Notification e-mails that include a waiting task

will include a URL for direct processing of the task

User clicks on e-mail URL
After authentication, user can immediately

approve/reject request!

SLIDE 22

Three elements

Delegated authority model
Privileges – roles and rights
Company trust relationships

Eliminates hard-coded business rules!

Alliance vs. non-alliance dependencies
Level 0, 1, 2, 3, 3, 3, …, 4

New security model

SLIDE 23

Profiles, tokens, activity log

Name Company SBU Site Site Location Street Address City State Country E-Mail Phone

up4353 up4353

User Profile Primary Token Additional Token

st0193

Optional Tokens

1. User Registered
2. Temp Pswd Set
3. User & Token Activated
4. Token Expiry Notice Sent
5. New Token Received
6. Transfer Initiated
7. Transfer Accepted

User Activity Log

In the redesign, the E-Pass user profile and tokens are separate. This allows E-Pass usernames to be assigned without tokens or for multiple tokens to be assigned to an individual when special circumstances warrant it (e.g. extra token needed for system testing)

SLIDE 24

Sponsor dependence

When:

Sponsor explicitly wants to manage the user, or
User has a limited-term E-Pass, or
User has a blank or invalid e-mail address, or
User has been assigned an E-Pass but no token

Effects are:

User is not permitted to edit his/her security questions
User is not eligible for self-service or customer support
All e-mail alerts are re-directed to the sponsor

User is dependent on sponsor!

SLIDE 25

Limited-term E-Passes

Ability to issue a limited term E-Pass/token to

a non-DuPont visitor or contractor

E-Pass is valid and token can be used for 30-

180 days

SLIDE 26

Limited-term E-Passes

Only designated sponsors are permitted to issue LTEs, those with the

Visitor Administrator privilege assigned

A limited-term E-Pass is issued using the standard E-Pass request

process (extra checkbox specifies LTE vs. permanent E-Pass)

Sponsors can assign a reclaimed token from a previous LTE or have a

new token sent by Token Administration

LTEs are valid for 30 days at a time, renewable up to 180 days (6

months). Sponsors are notified 5 days prior to expiration to renew.

Token operations (reset PIN, resync token, etc.) for LTEs can be

performed by sponsors only.

SLIDE 27

Usability testing

Prototype developed, Nov-Dec 2002
Prime audience was sponsors, 2000 invited.
180 tests completed over an 8-day period

(Dec 10-18)

Gathered feedback on key tasks/areas:

– Home page, login, start page, reports, re-assign E-Pass approval, expired token, request new E- Pass, select & manage user, revalidate user

SLIDE 28

Usability results

78% North America, 11% Europe, 7% A/P, 4% South America
73% of sponsors sponsor fewer than 30 users
75% of users use their sponsor as the primary means of support
70% use E-Pass at least monthly, 30% rarely
80+% use network connection to access the application
84% agreed that new application is easier-to-use than current

application

Several areas for improvement identified and added to design:

– labeling, login, differentiating approval/rejection options, finding users, key reports

Many asked for additional opportunities to see the new design

and review training materials

SLIDE 29

Your help needed

Testing
Rollout

SLIDE 30

Key areas of change

Users

– Activation alternative (self-service) – New security questions and answers – Update profile after revalidation – Self-service capabilities

SLIDE 31

Key areas of change

Sponsors

– Sponsor dependence – Waiting tasks – Transferring more than one user at a time – Refer E-Pass approval to another sponsor – Manage user (selecting user then operation) – Using the tree selector and search tool – Tracking requests – Reporting lost, stolen, broken tokens; use of return token

SLIDE 32

Help needed: Testing

Need volunteers from the end-user

community (all roles) to:

– Help develop test cases – Test the developing system – Report success/failure

How do we identify these individuals?

SLIDE 33

Help needed: rollout preparation

Awareness: Communications, online demonstrations
Education: tutorial/guide, help topics, reference cards
One-on-one training for small role groups: Customer

Support, TA/TO, Company Administrators

Testing – participation needed from all role types

What are your expectations and ideas?

SLIDE 34

Additional background

The remaining slides in this presentation provide additional detail on the new security model incorporated into the redesigned E-Pass application

SLIDE 35

Delegated authority model

Model doesn’t change in the re-design
Determines scope of changes that can be

made by sponsors

Delegated authority model does not

constrain:

– Company administrators – Token admins or token operators – Customer support representatives – System administrator

SLIDE 36

Privileges

2 types of rights

– Assigned right - determines what role(s) the user can play – Delegation right - controls whether or not the user can delegate a right to another user

Roles:

– Sponsor – Visitor Administrator – Company Administrator – Customer Support – Token Administrator – Token Operator – System Administrator

SLIDE 37

Roles

All companies Company Administrator

Manages Role

Self User Users in entire delegated authority model Customer Support Representative Token Administrator Token Operator System Administrator Limited-term E-Passes and tokens assigned to distribution point Visitor Administrator Sponsored Users:

Lower down in branch
Must be In same company unless affiliated

company has ExtSponsor right Sponsor CESSO

SLIDE 38

Company trust relationships

Constrains actions of a user belonging to a specific company
Allows/restricts what changes can be made within the company

and between users of different companies

– The CESSO exists within ONLY DuPont – Can the company have:

Sponsors
Visitor administrators
Company administrators - DuPont Only
System administrators
Token administrators
Token operators
Customer support representatives?

– Only DuPont is allowed to sponsor other companies. – Only someone in DuPont is allowed to change the privileges of someone in another company.

SLIDE 39

Example: Security model

CESSO Robert Lee SP CA

Eric Bongard

SP CA SP CA TA

Ed Miller (CSC)

SP CA TA

Sponsor A

SP

User B

SP

User C

SP

Brian Hayden (CSC)

SP TA

Sue Koffler (CSC)

SP TA

Token Admin A

SP TA

DuPont has External Sponsor and External Assignment company trust

rights. This allows DuPont to

sponsor someone in CSC and to assign the TA delegation right to

CSC. They can also sponsor User

C, who is belongs to Phena. CSC has the Token Administrator company trust right allowing Token Administrators to be defined within the company. DuPont Phena CSC DuPont has CA company trust rights. This allows the CESSO to appoint Robert Lee and Eric Bongard as CAs. SP Sponsor CA Company Administrator TA Token Administrator

Assigned Right Delegation Right

CS VA SA TO TO TO TO

Token Operator A

SP TO