APPENDIX - Updated Ergo Audit Report Summary of Risks and Recommendations 22.5.2014

Each entry below gives the Risk, the Risk Level (URGENT = minimal expected standards; NON-URGENT = best practice) together with its Status where one was recorded, the Ergo Recommendation, and the Action Taken by the Academy.

Risk: The TMG Server 2010 product used as a firewall for publishing Outlook Web Access (OWA) has been declared end-of-life (EOL) by Microsoft. It will continue to function on the network, and Ergo has the skill set within its technical team to support it, but support and ongoing development by Microsoft will no longer be available.
Risk Level: NON-URGENT (best practice)
Ergo Recommendation: Consider alternatives for publishing Outlook Web Access (OWA); one option may be to publish it directly from the Imerja appliance, another to use an IIS proxy.
Action Taken: To be considered as part of the ICT strategy (reinvestment in ICT infrastructure using later technologies).

Risk: If the SQL Server product updates are not added to the WSUS configuration then any new critical or security updates issued by Microsoft will not be applied to the SIMS Server after installation.
Risk Level: URGENT (minimal expected standards)
Status: COMPLETED
Ergo Recommendation: This is a simple configuration change and Ergo recommends it is implemented as soon as possible, so that the Academy can clearly see which critical or security updates are pending for SQL Server on the SIMS Server.
Action Taken: SQL Server updates have been added to the WSUS configuration. A few security updates have been identified as required. Windows updates were pushed out to servers and clients over the Christmas holidays.
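The configuration change above, as an added example that is not part of the Ergo report or the Academy's own configuration: a PowerShell script, run on the WSUS server itself, that selects the SQL Server product categories and the classifications needed for the updates and Service Packs to be downloaded, then lists what is still unapproved for SQL Server so the pending work is visible. It uses the WSUS administration API that ships with the WSUS console; the 'SQL Server*' title match and the classification names are assumptions about what the WSUS catalogue shows.

```powershell
# Added example, not part of the Ergo report or the Academy's configuration.
# Run on the WSUS server in an elevated PowerShell session; the administration
# assembly ships with the WSUS console. The 'SQL Server*' title match and the
# classification names are assumptions about what the WSUS catalogue shows.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus         = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$subscription = $wsus.GetSubscription()

# 1. Products: add every SQL Server product category that is not already selected
$products   = $subscription.GetUpdateCategories()
$productIds = @($products | ForEach-Object { $_.Id })
$missingSql = @($wsus.GetUpdateCategories() | Where-Object {
    $_.Title -like 'SQL Server*' -and $productIds -notcontains $_.Id
})
foreach ($p in $missingSql) {
    Write-Host ('Adding product: {0}' -f $p.Title)
    [void]$products.Add($p)
}
$subscription.SetUpdateCategories($products)

# 2. Classifications: Service Packs are a separate classification in WSUS; without it
#    the SQL and Exchange Service Packs in the next item will never be offered either
$classes  = $subscription.GetUpdateClassifications()
$classIds = @($classes | ForEach-Object { $_.Id })
$wanted   = @('Critical Updates', 'Security Updates', 'Service Packs')
foreach ($c in $wsus.GetUpdateClassifications()) {
    if ($wanted -contains $c.Title -and $classIds -notcontains $c.Id) {
        Write-Host ('Adding classification: {0}' -f $c.Title)
        [void]$classes.Add($c)
    }
}
$subscription.SetUpdateClassifications($classes)
$subscription.Save()

# 3. Pull the new metadata now instead of waiting for the next scheduled synchronisation
$subscription.StartSynchronization()

# 4. Once the sync has finished, list what is pending for SQL Server so the gap is visible.
#    Unapproved updates are never offered to clients, so this is the approval to-do list.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$wsus.GetUpdates($scope) |
    Where-Object { (@($_.ProductTitles) -like 'SQL Server*').Count -gt 0 } |
    Sort-Object CreationDate -Descending |
    Select-Object CreationDate, UpdateClassificationTitle, Title |
    Format-Table -AutoSize
```

Selecting the product only makes WSUS download the metadata; the updates still have to be approved for the SIMS Server's computer group, and the server must be pointed at this WSUS server by Group Policy, before anything is installed.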


Risk: If the latest Service Packs are not installed for the Exchange and SQL Servers then the Academy may be exposed to security risks or bugs that have been resolved in those later Service Packs.
Risk Level: URGENT (minimal expected standards)
Status: COMPLETED
Ergo Recommendation: Read all documentation and pre-requisites before applying the Service Packs. Take a full backup and also a VMware snapshot during downtime agreed with the Academy, then apply the Service Packs. Remove the snapshot once the Service Pack has been verified: it is a rollback point, not a backup, and it will keep growing while it remains.
Action Taken: The required Service Packs have been identified and will be installed as part of the Windows update rollout described above, over the Christmas holiday period.


Risk: If the latest VMware critical updates are not installed on the ESXi hosts and Virtual Machines (VMs) then the Academy may be exposed to any security risks or bugs that have been resolved by those updates.
Risk Level: URGENT (minimal expected standards)
Status: COMPLETED
Ergo Recommendation: The ESXi host updates can be done without disruption to service: Ergo recommends that each host is updated one at a time by placing it in maintenance mode, moving the VMs off, applying the updates and then bringing it back online within the clustered environment. For Virtual Machine (VM) updates it is advisable to schedule downtime as they are likely to require a restart. VMware Update Manager should be used for all of these, with a full backup and snapshot of the VMs taken prior to updating.
Action Taken: 'VMware ESXi 5.0 Installable Update 3' and 'VMware vSphere Client 5.0 Update 3' have been identified as required. As this update requires downtime it was scheduled to be installed during the holidays. The VMware 5.5 upgrade was implemented over the Easter holidays. Cost to implement £750.00. Two licences for Veeam, cost £1,711.


Risk: Ergo advise that the following Server Infrastructure hardware is likely to reach the end of its expected lifecycle within the next 1 year:
  • Dell Backup Storage (Direct Attached Storage)
  • Dell LTO-4 Tape Autoloader
Risk Level: NON-URGENT (best practice)
Status: COMPLETED
Ergo Recommendation: The Academy to consider budgeting for a like-for-like replacement of the existing hardware, a new backup server with high-capacity local storage to replace the DAS, or Cloud-based alternatives for offsite storage. Ergo are happy to discuss the options further with the Academy.
Action Taken: Quotes obtained for a new backup server with higher capacity and a tape loader, now installed over the Easter holidays. Cloud-based solutions were discussed at the meeting on 21.3.2014: more expensive at this point in time, and they may also present security issues regarding access to sensitive information. The existing server is being reused for storage in the Community Centre. Cost £5,494 and £4,383 respectively. Cost of installation £2,250, stated below**.

Risk: Ergo advise that the following Server Infrastructure hardware is likely to reach the end of its expected lifecycle within the next 1-2 years:
  • Dell Virtualisation Host Server
Risk Level: NON-URGENT (best practice)
Status: COMPLETED
Ergo Recommendation: The Academy to consider budgeting for a replacement for the existing server. Ergo are happy to discuss the options further with the Academy.
Action Taken: Competitive quotes obtained for a replacement ESXi server infrastructure. Installed over the Easter holidays. Cost £5,051 (including installation).

Risk: Ergo advise that the following Server Infrastructure hardware is likely to reach the end of its expected lifecycle within the next 1-3 years:
  • Dell Backup Server
Risk Level: NON-URGENT (best practice)
Status: COMPLETED
Ergo Recommendation: The Academy to consider budgeting for a replacement for the existing server. Ergo are happy to discuss the options further with the Academy.
Action Taken: The host server replaced above has been recycled to provide additional backup server capacity.
**Cost of all server installation works by Ergo £2,250: test Veeam, test the tape autoloader, and reposition the existing backup solution to create a disaster recovery environment.

Risk: The VMware ESXi host servers do not have much 'headroom' in physical memory capacity in the event of a host failover, or for a potential upgrade to Windows Server 2012, which requires more memory.
Risk Level: NON-URGENT (best practice)
Status: COMPLETED
Ergo Recommendation: The Academy to consider memory upgrades for the existing physical VMware ESXi host servers. This is not an absolute requirement but would benefit the Academy, particularly for host failover and any upgrade to Windows Server 2012. Ergo are happy to discuss the options further with the Academy.
Action Taken: The more powerful host servers installed, as above, address this issue.

Risk: The Academy does not have successful backups to recover from in the event of a disaster. This is due to a lack of disk space on the Dell PowerVault MD1000 Backup Storage.
Risk Level: URGENT (minimal expected standards)
Status: COMPLETED
Ergo Recommendation: Ergo recommend that the Academy urgently consider two options to address the lack of disk space: upgrade the existing Dell PowerVault MD1000 with extra hard disks, or purchase new backup storage with sufficient local capacity for all disk-based backups. Whichever option is chosen, confirm the result with a test restore of at least one server, since a backup job that completes is not proof that the data can be recovered. Ergo are happy to discuss the options further with the Academy.
Action Taken: Options discussed with Ergo. Now addressed by the local backup server in the Community Centre and the purchase of 20 new media cartridges. Completed over the Easter holidays. Cost of tapes £837.

Risk: Ergo advise that the APC UPS units used to protect all of the HP switches from a power outage are likely to reach the end of their expected lifecycle within the next 1-2 years.
Risk Level: NON-URGENT (best practice)
Status: COMPLETED
Ergo Recommendation: The Academy to consider budgeting for replacement UPS units or batteries for the existing hardware, or to look into options for testing the batteries. Ergo are happy to discuss this further with the Academy.
Action Taken: To avoid battery failure, replacement batteries were ordered and fitted over the Easter half term. Batteries sourced from Softcat, the most competitive quote, at £1,100.

Risk: The Academy has a large number of ageing client devices that are more prone to hardware failure, likely to go out of warranty, and not of a suitable specification to meet the future needs of the Academy (for example, a Windows 8.1 upgrade). There are approximately 193 desktops and 117 laptops that are over 3 years old; of those, 86 desktops and 17 laptops are over 5 years old.
Risk Level: URGENT (minimal expected standards)
Ergo Recommendation: Ergo advise the Academy to consider budgeting to replace those ageing client devices and are happy to discuss the options in more detail.
Action Taken: We are aware of the ageing devices and have considered the possibility of developing a thin client solution; however, after recent talks with Ergo it seems that a thin client solution would not be cost effective given the number of clients that we would actually convert to thin clients. A full review is taking place in HT5 and HT6. Options to consider: upgrade or replace with solid state devices (faster log-in), or iPad or laptop solutions using accessible shared trolleys. Possible installation over the summer break 2014 or in 2014/15.

Risk: The Software Asset Register contains the Academy's licensing information but is not fully up to date. The risk is that some software may not be licensed correctly, or that the Academy does not budget for purchases, renewals and upgrades as required.
Risk Level: NON-URGENT (best practice)
Ergo Recommendation: Ergo advise the Academy to review and update the Software Asset Register as soon as possible, and we are happy to help where we can, particularly for any software purchased through us as a reseller.
Action Taken: This is scheduled for HT5 and HT6 to update the existing data. Spiceworks and Paradgo are major software asset register suppliers.

Risk: At present the LTO tape cartridges used for backups remain in the tape autoloader at all times and are not taken offsite with a full backup on them. In the event of a disaster in the main server room, there would be no offsite media to restore the systems and data from.
Risk Level: URGENT (minimal expected standards)
Status: COMPLETED
Ergo Recommendation: Ergo would advise that in the short term those tapes are regularly ejected with a full backup on them and either taken offsite completely or stored in a fireproof safe (preferably elsewhere in the building). Because the tapes hold personal data, enable the drive's hardware encryption for any cartridge that leaves the server room (LTO-4 drives support AES-256 encryption) so that a lost or stolen tape cannot be read, and keep the encryption key somewhere other than on the tape set. We understand the Academy would also like to look into an automated Cloud backup solution and Ergo would be happy to help and discuss this in more detail.
Action Taken: Space will be made available by deleting unrequired backup data from the backup server before Friday 06-12-13; full backups to disk will then hopefully run successfully over the weekend, and duplicate backups to tape will be taken for each server w/c 09-12-13. These tapes will then be stored in a fireproof safe in the data office on site. Full backups undertaken in February 2014, held in the safe in the Director of Finance's office. To complete each month. To investigate further holding in a different fireproof safe; hold in the Community Centre safe (off site).


Risk: The Academy would also be safeguarded by a plan to replace all of the LTO tape cartridges on a 2-3 year cycle (250 mounts is a benchmark often used for the lifecycle of cartridges, but it is best to check with the manufacturer in question).
Risk Level: NON-URGENT (best practice)
Status: COMPLETED
Ergo Recommendation: The Academy to consider budgeting for a replacement set of LTO tape cartridges, or look at alternative solutions such as Cloud-based backup. Ergo are happy to discuss the options further with the Academy.
Action Taken: Considered with Ergo as part of the review of backup solutions. Tape loader ordered; it can read the old tapes as well as the new version, and write to tapes. Cost of tapes £837, as above.

Risk: The Academy could be more proactive in detecting problems in the ICT infrastructure with the aid of a central monitoring solution that automates important daily checks, for example free disk space, or whether all the services have started on the virtual servers.
Risk Level: NON-URGENT (best practice)
Ergo Recommendation: Ergo are happy to discuss the options further with the Academy if they would like to consider such a solution.
Action Taken: This is a "want" rather than a need: to check the performance and loading of servers and switches automatically rather than manually, as at present.
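Until a monitoring product is chosen, the two daily checks the risk names can be scripted. The following is an added example, not from the Ergo report or the Academy's systems: a PowerShell script run from one management workstation that reports volumes below a free-space threshold and automatic services that are not running on each server, using the WMI classes available on Windows Server 2008 R2 and later. The server names, the 15% threshold, the service exclusion list and the e-mail details are assumptions.

```powershell
# Added example, not from the Ergo report or the Academy's systems.
# Run from a workstation with WMI access to the servers (a domain admin account,
# or a monitoring account granted remote WMI rights on each server).
$servers        = @('SIMS-SQL01', 'EXCH01', 'DC01')   # constructed names; replace with the real VMs
$minFreePercent = 15
# Automatic services that Windows legitimately stops when idle; leave these out of the alert
$ignoreServices = @('sppsvc', 'RemoteRegistry', 'ShellHWDetection', 'clr_optimization*')

function Test-AcademyServer {
    param([string]$Computer)
    $problems = @()
    try {
        # DriveType 3 = local fixed disks; Size is 0 for unformatted volumes, so skip those
        $disks = Get-WmiObject Win32_LogicalDisk -ComputerName $Computer -Filter 'DriveType=3' -ErrorAction Stop
        foreach ($d in $disks) {
            if ($d.Size -gt 0) {
                $pct = [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
                if ($pct -lt $minFreePercent) {
                    $problems += New-Object PSObject -Property @{
                        Server = $Computer; Check = 'Disk space'
                        Detail = ('{0} has {1}% free ({2} GB)' -f $d.DeviceID, $pct, [math]::Round($d.FreeSpace / 1GB, 1))
                    }
                }
            }
        }
        # Services set to start automatically that are not currently running
        $stopped = Get-WmiObject Win32_Service -ComputerName $Computer -ErrorAction Stop `
            -Filter "StartMode='Auto' AND State<>'Running'"
        foreach ($s in $stopped) {
            $skip = $false
            foreach ($pattern in $ignoreServices) { if ($s.Name -like $pattern) { $skip = $true } }
            if (-not $skip) {
                $problems += New-Object PSObject -Property @{
                    Server = $Computer; Check = 'Service'
                    Detail = ('{0} ({1}) is {2}' -f $s.Name, $s.DisplayName, $s.State)
                }
            }
        }
    } catch {
        # An unreachable server is itself a finding, not a reason to skip it silently
        $problems += New-Object PSObject -Property @{
            Server = $Computer; Check = 'Unreachable'; Detail = $_.Exception.Message
        }
    }
    return $problems
}

$findings = @()
foreach ($server in $servers) { $findings += Test-AcademyServer -Computer $server }

if ($findings.Count -eq 0) {
    Write-Host 'All checks passed.'
} else {
    $body = $findings | Sort-Object Server, Check | Format-Table Server, Check, Detail -AutoSize | Out-String
    Write-Host $body
    # Optional e-mail to the ICT team; SMTP server and addresses are assumptions
    # Send-MailMessage -SmtpServer 'mail.academy.local' -From 'checks@academy.local' -To 'ict@academy.local' `
    #     -Subject ('Daily server checks: {0} issue(s)' -f $findings.Count) -Body $body
}
```

Run it as a scheduled task each morning so the report is waiting when the team arrives; the exclusion list will need tuning for the first week or two, because a few automatic services (the Software Protection service is one) stop themselves by design and would otherwise be reported every day.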

Risk: If the Academy does not have in place up-to-date ICT Policies that meet the minimum expected standards for a School then this could expose it to a large number of risks. Ergo has not audited any existing ICT Policies and it may be that the Academy already meets all of these recommendations.
Risk Level: URGENT (minimal expected standards)
Status: ONGOING
Ergo Recommendation: If the Academy does not meet all of the minimum expected standards, then Ergo recommends that this is addressed as a priority. There are many useful resources available on the Internet, and Ergo would also be happy to facilitate contact with other Schools which are customers of ours (if required) to help provide advice.
Action Taken: The Academy currently has an 'ICT Acceptable Use Policy' but this needs developing further to address all of the minimum expected standards. We will liaise with Ergo to develop this over the Summer holidays. Business continuity plans are also to be considered as part of the risk management strategy.

Risk: If the Academy does not tighten the Password Policy for all Staff and Students it could risk the security of the ICT system. Although password complexity is enforced with a minimum length of 8 characters, which is best practice, the Academy decided to disable the forced password reset (the maximum password age setting) because it was causing a lot of problems and helpdesk requests. The plan was to manually reset all passwords at the start of the School term (September 2013) but this did not happen.
Risk Level: URGENT (minimal expected standards)
Status: COMPLETED
Ergo Recommendation: The Academy to re-consider enabling the forced password reset policy, or put plans in place to ensure that passwords are manually reset on a regular basis, potentially after Christmas as the next one. Ergo are happy to help where necessary with this.
Action Taken: Enforcing password resets caused numerous issues with both staff and students (e.g. several students forced to change their passwords at the start of a lesson struggled with the complexity requirements, eating into lesson time). A forced password reset is scheduled for all staff at the start of the new term in January 2014 and for students after the February half term.
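The staged reset described in the Action Taken (staff first, students later) can be carried out and checked from the domain rather than by hand. The following is an added example, not from the Ergo report or the Academy's domain: a PowerShell script using the ActiveDirectory module that shows what the Default Domain Policy currently enforces, finds enabled accounts whose password is older than a cut-off or is set never to expire, flags one OU at a time to change password at next logon, and then re-enables the maximum password age so the reset does not have to be repeated manually. The OU distinguished names and the 90-day cut-off are assumptions; every change is run with -WhatIf so nothing is altered until that switch is removed.

```powershell
# Added example, not from the Ergo report or the Academy's domain.
# Requires the ActiveDirectory module (RSAT) and an account with rights to modify the
# Default Domain Policy and the user objects. OU names and the 90-day cut-off are assumed.
Import-Module ActiveDirectory

# 1. What does the Default Domain Policy currently enforce?
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold
# A MaxPasswordAge of 00:00:00 means passwords never expire: the 'forced reset' is switched off
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning 'Maximum password age is 0: no password will ever be forced to change.'
}

# 2. Enabled accounts that escape expiry individually, or whose password predates the cut-off.
#    PasswordLastSet is empty for an account that has never set one or is already flagged to change.
$cutoff = (Get-Date).AddDays(-90)
function Get-StalePasswordUser {
    param([string]$SearchBase)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -eq $null -or $_.PasswordLastSet -lt $cutoff }
}

$staffOU    = 'OU=Staff,OU=Users,DC=academy,DC=local'      # assumed
$studentsOU = 'OU=Students,OU=Users,DC=academy,DC=local'   # assumed
# Service accounts are deliberately left out of both OUs here; a never-expiring password on a
# service account is a separate decision and breaking it mid-term would cause a different outage
$staff    = @(Get-StalePasswordUser -SearchBase $staffOU)
$students = @(Get-StalePasswordUser -SearchBase $studentsOU)
'{0} staff and {1} student accounts have a stale or non-expiring password' -f $staff.Count, $students.Count

# 3. Stage the reset: flag staff now (change at next logon); run the same two lines against
#    $students after half term. PasswordNeverExpires must be cleared before the flag can be set.
$staff | Set-ADUser -PasswordNeverExpires $false -WhatIf
$staff | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# 4. Re-enable expiry so the reset recurs automatically instead of depending on a manual round
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MaxPasswordAge (New-TimeSpan -Days 90) -WhatIf
```

Once the maximum password age is back on, the lesson-time problem is managed by timing rather than by switching the policy off: the first expiry date for a group is set by when that group's passwords were last reset, so resetting students during a holiday means their next forced change also lands in a holiday.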

Risk: The Academy may benefit from the implementation of an E-Safety product to support the policies it has in place and help protect pupils further.
Risk Level: NON-URGENT (best practice)
Ergo Recommendation: Ergo are happy to discuss the options further with the Academy if they would like to consider such a solution.
Action Taken: To obtain quotes from Ergo for "Securus" software ("student monitoring") to protect students from bullying. This software captures screenshots with the time, date and responsible student, and then locks the computer; it monitors keyboard input as well as on-screen images.
