Frequently Asked Questions

You have questions. We have the answers.



Systems

What operating systems support the application?
  • EPRS server: Requires Windows Server 2008 or newer. (Windows Server 2008 and 2008 R2 reached end of extended support in January 2020, so a currently supported release should be used.)
  • EPRS server: Minitab 16 (multi-user version) or newer
  • EPRS user: Browser based, Chrome recommended


What hardware requirements have been defined?

None beyond those needed to meet the server operating system requirements.



What application recovery or disaster recovery procedures have been developed?

None, beyond standard backups of the server and the SQL database.



Infrastructure Monitoring

What network and system performance monitoring requirements have been defined?
  • Server-based tools (which we use) track the health of the server itself, but nothing monitors the EPRS application specifically.
  • We have installed “Always Up” to run the application as a service; it restarts the application if it is ever closed or shut down.


What mechanisms exist to detect malicious code or compromised application components?

None, other than the standard server firewall and anti-virus software, which are managed by the client.



What network and system security monitoring requirements have been defined?

None.



Virtualization and Externalization

What aspects of the application lend themselves to virtualization?

We have successfully installed and run the EPRS on a physical server, a locally virtualized server and a virtualized cloud server.



How will the advantages and constraints of each approach be weighed and decided upon?

The advantages and constraints of cloud vs. local servers are independent of the EPRS and are based on corporate requirements. The only additional EPRS constraint is that the installed server must have access to all data sources within the company, which generally requires the server to sit inside the corporate firewall.



Environment

What frameworks and programming languages have been used to create the application?

The EPRS automation engine is written in Visual C; the macros are written in Minitab's proprietary macro language.



What process, code, or infrastructure dependencies have been defined for the application?
  • The EPRS requires a Windows Server environment with the .NET Framework installed.
  • The user interface runs on an IIS web server, with dynamic web pages written in ASP.
  • Graphic generation and analytics use the Minitab Multiuser application (server based).
  • User access can be managed within the EPRS using EPRS-managed user ID/password combinations, or Active Directory can be used to manage access in a Windows environment.
  • An MS-SQL database stores the EPRS configuration settings.


What databases and application servers support the application?

Every installation to date has used an MS-SQL database. Any hosted SQL database should work, but no other database has been used in an installation.



How will database connection strings, encryption keys, and other sensitive components be stored, accessed, and protected from unauthorized detection?

The user ID and password that the EPRS uses to acquire data from SQL databases are visible to admin users and are not encrypted in the system. For most clients this is a dedicated EPRS user ID/password with read-only access to a mirrored copy of the corporate data warehouse. Because every EPRS admin can read these credentials, the account should be limited to read-only rights on the mirror, never reused for any other system, and changed whenever an admin leaves.



Data Processing

What data entry paths does the application support?

All entry paths go through the web application and are subject to EPRS-managed user rights.



What data output paths does the application support?

The primary outputs of the system are pushed to the IIS web server. Developers can upload and download data from the system during setup. No direct data access is available to users without admin rights.



How does data flow across the application's internal components?
  • The EPRS generates a series of Minitab commands based on each metric being set up. These commands are passed to Minitab for execution in batch mode.
  • Minitab interprets the submitted commands, acquires the appropriate data from a network source, processes the data to create the performance report graphic, sends the graphic to the EPRS and then closes. All acquired data is discarded when Minitab closes; it is not stored in the EPRS system.
  • The EPRS captures the Minitab performance graphic and inserts it into the dynamic page used to present the performance metric.
  • The EPRS can also serve dynamic HTML pages with flowcharts for browser-based navigation to the metric reports. These flowchart pages may be generated within the EPRS or uploaded from any web-enabled flowcharting program.


What data input validation requirements have been defined?

Data input validation should be performed while a performance metric is being developed and set up; a Minitab Add-In is provided for this purpose. Once the metric data and display settings have been validated, the settings are transferred to the EPRS for automated reporting. If data validity issues arise after setup, the system replaces the performance graphic with an informative graphic describing the data problem.



What data does the application store and how?
  • No performance data is stored in the EPRS system.
  • Flowchart diagrams, in HTML format, are maintained in the EPRS system.
  • Metric definitions and the commands used to create each metric are maintained in the EPRS.


What data is or may need to be encrypted and what key management requirements have been defined?

Metric references and ID reference values are stored as hashes in every SQL table. Labels and the specific parameter settings used to create each graphic are stored in plaintext; they are neither encrypted nor hashed.



Access

What user privilege levels does the application support?

User and admin.



What user identification and authentication requirements have been defined?

Internal user ID/password, or Active Directory.



What user access restrictions have been defined?
  • Each user is assigned rights within the EPRS (admin or user), which control access to the EPRS setup and controls.
  • Each user may be assigned to one or more role groups that designate access rights to metric and flowchart pages. A user may only view metrics and flowcharts that are set for everyone or for one of their assigned role groups.
  • Each dynamic page (metric or flowchart) may be set for everyone to view, or restricted to one or more user role groups.
  • A user with admin rights has access to every user role group.
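The visibility rule above, written out as an added example so the decision order is explicit. This is illustrative code, not EPRS code; the user names, role groups and page names are constructed sample data, and the EVERYONE sentinel and the fail-closed treatment of a page with no groups assigned are assumptions made for the example.

```python
# Added example: an illustrative implementation of the page-visibility rule
# described above. Not EPRS code; users, groups and pages are constructed.
from dataclasses import dataclass

EVERYONE = "everyone"  # sentinel meaning "no role-group restriction" (assumed)


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    groups: frozenset = frozenset()  # role groups the user is assigned to


@dataclass(frozen=True)
class Page:
    name: str
    kind: str              # "metric" or "flowchart"
    allowed: frozenset     # role groups that may view it, or {EVERYONE}


def can_view(user: User, page: Page) -> bool:
    """Return True if the user may view the page.

    Order matters: admin first (admins hold every role group), then the
    'everyone' setting, then role-group membership. A page whose allowed
    set is empty is visible to nobody but admins, i.e. it fails closed.
    """
    if user.is_admin:
        return True
    if EVERYONE in page.allowed:
        return True
    return not user.groups.isdisjoint(page.allowed)


def can_configure(user: User) -> bool:
    """Only admin rights unlock the EPRS setup and controls."""
    return user.is_admin


def visible_pages(user: User, pages) -> list:
    """Names of the pages the user may see, in catalogue order."""
    return [p.name for p in pages if can_view(user, p)]


# Constructed sample data (not from any real installation).
USERS = {
    "alice": User("alice", is_admin=True),
    "bob": User("bob", groups=frozenset({"manufacturing"})),
    "carol": User("carol", groups=frozenset({"finance", "exec"})),
    "dave": User("dave"),  # authenticated, but in no role group
}

PAGES = [
    Page("On-time delivery", "metric", frozenset({EVERYONE})),
    Page("Scrap rate", "metric", frozenset({"manufacturing"})),
    Page("Monthly close", "flowchart", frozenset({"finance", "exec"})),
    Page("Draft metric", "metric", frozenset()),  # no groups assigned yet
]

if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name:6} -> {visible_pages(user, PAGES)}")
```

The one check worth keeping when translating this into the real page handler is the last case: a page with no group assigned is hidden from ordinary users rather than shown to everyone, so a half-configured metric never leaks by default.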


Application Monitoring

What application error handling and logging requirements have been defined? What processes are in place to show an end user only the minimum required information upon an error, and not to expose facets of application design, security, and implementation?

The EPRS maintains a log documenting key activities and faults. This log may be viewed and downloaded by anyone with admin rights. If the EPRS reports a fault during programming or setup, a code is displayed at the top of the page for the admin to copy down. It corresponds to the entry in the error log and helps support staff diagnose the issue when it is provided to them.
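The reference-code pattern that answer describes, as an added example rather than EPRS code: the full fault goes into the log that admins can download, and the page shows the user only a short code that support staff can match against the log entry. The in-memory log, the failing setup step and its UNC-path rule are constructed for the example so it runs offline.

```python
# Added example of the "reference code" pattern, not EPRS code. The log is an
# in-memory list and the failing setup step is a constructed scenario.
import secrets
import time
import traceback

FAULT_LOG = []  # stand-in for the EPRS activity/fault log


def record_fault(exc: BaseException, context: str) -> str:
    """Write the full fault to the log and return an opaque reference code."""
    ref = secrets.token_hex(4).upper()  # 8 hex characters, e.g. 9F3A2C1D
    FAULT_LOG.append({
        "ref": ref,
        "time": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "context": context,
        "type": type(exc).__name__,
        # may contain hosts, paths or SQL: it belongs in the log, never on the page
        "detail": str(exc),
        "trace": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    })
    return ref


def user_message(ref: str) -> str:
    """What the page shows at the top: no exception type, path, host or trace."""
    return f"The metric could not be set up. Reference code: {ref}"


def find_fault(ref: str):
    """What support staff do with the code the admin copied down."""
    for entry in FAULT_LOG:
        if entry["ref"] == ref:
            return entry
    return None


def setup_metric(settings: dict) -> str:
    """Constructed stand-in for a metric setup step that can fail."""
    try:
        source = settings["source"]          # KeyError if the field is missing
        if not source.startswith("\\\\"):    # assumed rule: sources are UNC paths
            raise ValueError(f"data source {source!r} is not a UNC path")
        # ... hand the validated settings to the reporting engine ...
        return "Metric saved."
    except Exception as exc:
        # Every failure, expected or not, takes the same route: log, then code.
        return user_message(record_fault(exc, "metric setup"))


if __name__ == "__main__":
    print(setup_metric({"source": "C:\\data\\dw-mirror\\scrap.csv"}))
    print("log entry:", FAULT_LOG[-1]["type"], "-", FAULT_LOG[-1]["detail"])
```

The point of routing every exception through the same handler is that the page content is fixed by `user_message`, so a new failure mode cannot accidentally print a connection string or stack trace; the detail is still available, but only to whoever can read the log.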



Application Design

How is intermediate or in-process data stored in the application components' memory and in cache?

All intermediate data is stored within the Minitab software environment, not within the EPRS.



What staging, testing, and Quality Assurance requirements have been defined?

None



Operations

What is the process for identifying and addressing vulnerabilities in the application?

None



What is the process for identifying and addressing vulnerabilities in network and system components?

None



What access do system and network administrators have to the application's sensitive data?

The EPRS stores no sensitive data itself, but sensitive information may appear in the .jpg chart graphics. These graphics are visible to all network and EPRS administrators.



What security incident requirements have been defined?

None



What physical controls restrict access to the application's components and data?

Standard network rights to the server the application resides on.



What is the process for granting access to the environment hosting the application?

Standard network rights to the host



Change Management

How are changes to the code controlled?
  • The EPRS server version is managed with a revision number and sub-revision number in X.X format. Whole-number revisions involve a major functional change; the .X number represents minor updates.
  • Each macro used in the EPRS and in the Minitab Add-in has an independent revision number that increments in whole numbers (2, 3, 4, ...). A new version is produced when the macro's functionality changes.
  • The EPRS Add-in is managed with a revision number and sub-revision number in X.X format, following the same major/minor convention. This revision number is independent of the EPRS server revision.


How are changes to the infrastructure controlled?

Smarter Solutions maintains documents that list each revision and its functionality changes.



How is code deployed to production?
  • EPRS server updates are installed remotely by Smarter Solutions’ tech support team, or by any user with admin rights using the existing admin section menu.
  • EPRS Add-in updates are installed by the user through a standard Windows Installer file. Add-in macro files are updated by the user through the existing Add-in menu.


What mechanisms exist to detect violations of change management practices?

None.



Software Development

What data is available to developers for testing?

Nothing is provided to external developers. Smarter Solutions uses a single, multi-faceted data set for software and macro development.



What secure coding processes have been established?

None.