Uploaded by trinhtuong; posted 22-May-2018

<enter sponsor dept/bureau name>

<Enter project name> Architecture Review Checklist (Internal/External Development Edition)

Prepared By:

TAR Project #:

Date Submitted:

Document Version: V 3.2

PA Department of Health <enter sponsor dept or bureau name>

Document History

Version | Date | Author | Status | Revision Description
0.1 | | | Initial Draft |
1.0 | | | First Published |
1.7 | 05/31/07 | Connie Houck | Updated | Added new links to OA/OIT standards due to them moving to Aqualogic software
1.8 | 02/23/10 | William Miller | Updated | Added new questions to reflect adherence to development standards, SiteMinder, SOA, data dictionaries, and code reuse.
2.0 | 11/13/14 | Rae-Ann Ginter | Updated |
2.1 | 01/30/15 | Rae-Ann Ginter | Updated | Included areas responsible for each domain
2.2 | 03/04/15 | Rae-Ann Ginter | Updated |
2.3 | 07/09/15 | Rae-Ann Ginter | Updated | Removed broken link to strategic imperatives from PMO Domain and updated 2 links within the Network Domain.
2.4 | 6/15/16 | Brett Grumbine | Updated | Replaced all questions in the Security Domain as directed by the BIIT Security Officer.
2.5 | 9/22/16 | Scott Kister | Updated | Major revisions to reflect new APB processes. Updated to reflect changes based on project type.
2.6 | 9/28/16 | Scott Kister | Updated | Inclusion of revisions from ARB board members.
2.7 | 10/31/16 | Scott Kister | Updated | Updates to questions based on feedback from ARB members.
2.8 | 12/5/16 | Scott Kister | Updated | Updates to include questions specific to COTS/MOTS projects.
2.9 | 1/31/2017 | Scott Kister | Updated | Completed updates to include questions specific to development projects (internal/external). Corrected all external links to OA ITP references.
3.0 | 3/22/17 | Scott Kister | Updated | Updated to include OA/OIT cloud service questions.
3.1 | 4/17/17 | Scott Kister | Updated | Clarified scope of Network Domain questions.
3.2 | 6/7/17 | C. Keith Frye | Updated | Deleted question 5 from Proj. Mgmt. section as $250K threshold is no longer OA criteria.

<enter project code & name> Page 2 of 27 Architecture Review Checklist


Table of Contents

1 Purpose of This Document ..... 4
2 Acronyms ..... 4
3 System and Architecture Review Participant Information ..... 5
4 Project ..... 6
4.1 Technologies ..... 6
4.2 Hosting Location(s) ..... 6
4.3 IT Development Staff Requirements ..... 6
4.4 Long-Term Support Staff Requirements ..... 6
5 Project Summary ..... 7
6 Review Checklist ..... 8
6.1 Access Domain ..... 8
6.2 Application Domain ..... 9
6.3 Information Domain ..... 13
6.4 Integration Domain ..... 16
6.5 Network Domain ..... 17
6.6 Platform Domain ..... 19
6.7 Privacy Domain ..... 21
6.8 Project Management Domain ..... 22
6.9 Security Domain ..... 24
6.10 Systems Management Domain ..... 25


1 Purpose of This Document

The Department of Health has established technical standards to improve its ability to serve customers, use assets efficiently, and promote best practices. The objectives of the Architecture Review (AR) Checklist are:

to raise awareness and understanding of the technical standards;

to help ensure accurate collection of application standards compliance information;

to assist in planning and resource projections for new and existing applications;

to understand scalability and capacity requirements for ongoing system operations;

to help identify opportunities to re-use business functions or technical components; and

to ensure application design and development is complying with established technical standards and best practices.

The AR Checklist must be submitted to and approved by the DOH Architecture Review Board prior to starting application detailed design and/or proceeding with the procurement of a Commercial off the Shelf (COTS) or Software as a Service (SaaS) technology solution, for projects that meet the architecture review criteria. A second architecture review may be required prior to beginning application development, based on project scope. A final architecture review may be required prior to system promotion to a DOH production environment. The Architecture Review Board or project team may request additional architecture reviews as needed.

2 Acronyms

<Provide all acronyms that may be used within this document.>

Acronym | Definition
ADA | Application Developer Administrator
ARB | Architecture Review Board
CoPA | Commonwealth of Pennsylvania
ITP | Information Technology Policy
OA/OIT Standards | https://itcentral.pa.gov/Pages/IT-Policies.aspx
System | Regarding the Privacy and Security domains, the term “system” applies to the primary computer application, sub-systems, data repositories and related processes.
MSL | Managed Service Lite
PACS | PA Compute Services

3 System and Architecture Review Participant Information

System Name / ID:

Date of 1st ARB Review Meeting:

Date of 2nd ARB Review Meeting:

Date of 3rd ARB Review Meeting:

Date of 4th ARB Review Meeting:

ARB Meeting Participant Names


4 Project

4.1 Technologies (Check all that apply)

Application Development
Server
Radio
IES / SAP
Database – SQL Server
Security (not Telecom)
Desktop/Laptop/Tablet
Database – Oracle
Telecom – Data
GIS
Disaster Recovery
Telecom – Voice
Document Management
DOH Help Desk
Telecom – Security
Identity Management
Web/Domain Naming
Telecom – Video
Large Storage Requirements
DOH Network
Data Networking
Other
Mobile
Application Type (specify): Intranet | Internet | Client/Server

4.2 Hosting Location(s) (Check all that apply)

Herr Street | Managed Services | Cloud (Azure/Amazon, etc.) | PACS | Managed Services Lite

4.3 IT Development Staff Requirements (Check all that apply)

DOH/BIIT | Contracted

4.4 Long-Term Support Staff Requirements (Check all that apply)

DOH/BIIT | Contracted


5 Project Summary

<Provide an overview of the project history, objectives, and timeline. Include members and roles of the project team.>


6 Review Checklist

Please respond to the questions in all the applicable sub-sections. If a deliverable (or project document) is referenced in the Response, please upload the corresponding deliverable onto the ARB SharePoint site, along with the completed checklist.

6.1 Access Domain (Responses will be reviewed by all teams)

ID Review Item Response

1 How many total users need to be supported? This estimate is to include both Department and external users of the application.

2 Is external remote access required (e.g. VPN)? YES | NO | N/A

3a Does the system meet the minimum level for accessibility that PA has adopted to comply with Section 508 of the Rehabilitation Act §1194.22? Refer to OA/OIT ITB-ACC001 IT Accessibility Policy for more information. YES | NO | N/A

3b If no, provide mitigation strategy.

4 How many concurrent users will be accessing the system on average?

5 How will user authentication/access be implemented (e.g. internal database tables, Keystone ID, Active Directory, etc.)?


6.2 Application Domain (Responses will be reviewed by ADA’s)

ID Review Item Response

1 What is the estimated life expectancy of the application (in years)?

2a What load, performance testing, regression and software testing tools will be used on this project?

2b Are these tools compliant with OA/OIT standards? Refer to OA/OIT (ITP-APP014 Application Testing Tools Policy) for more information. YES | NO | N/A

2c If no, please explain.

3a Are mobile technologies being leveraged with this project? YES | NO | N/A

3b If yes, what type? (iOS, Android, HTML5, etc.)

4 If a website is being created, is a mobile-friendly version required? YES | NO | N/A

5 What server-side programming languages are used?

6a Are these languages compliant with current OA/OIT standards? Refer to OA/OIT (ITP-APP011 Application Development Languages) for more information. YES | NO | N/A


6b If not, please explain.

7a What client-side programming languages are used?

7b Are these languages compliant with current OA/OIT standards? Refer to OA/OIT (ITP-APP011 Application Development Languages) for more information. YES | NO | N/A

7c If not, please explain.

8a What software configuration management and change management tools will be used on this project?

8b Are these tools compliant with OA/OIT standards? Refer to OA/OIT (ITP_APP018 - Software Configuration Management Tools) for more information. YES | NO | N/A

8c If not, please explain.

9a Are messaging products used in this application? YES | NO | N/A

9b What messaging products are used in this application?

9c Are these messaging products compliant with OA/OIT standards? Refer to OA/OIT (ITP_INT001 - Message-Oriented Middleware) for more information. YES | NO | N/A


9d If not, please explain.

10a Does this system have any web-based components? YES | NO | N/A

10b If yes, what web application server and /or web information server technologies will be used?

10c Are these technologies compliant with “Current” OA/OIT standards? Refer to ITP-APP002 - Web Server/Application Server Standards for more information. YES | NO | N/A

10d If not, please explain.

11a Does this application utilize search technology? YES | NO | N/A

11b If yes, what type?

11c If this search technology is non-compliant with “Current” OA/OIT standards, please explain the mitigation strategy. Refer to OA/OIT ITB-APP003 - Search Technology Standards for more information.

12a Is the system easily scalable to meet projected increases in demand and/or usage? YES | NO | N/A

12b If yes, please elaborate.


13a Are any components or functionality candidates for reuse in other systems or applications? To be general-purpose, a component should have no business-specific logic embedded in it and no dependencies on other business-specific components; it should be a “drop-in” component. YES | NO | N/A

13b If so, please elaborate.


6.3 Information Domain (Responses will be reviewed by Health Informatics, Data Warehouse & Database teams)

ID Review Item Response

1a Have data retention requirements been identified? YES | NO | N/A

1b If yes, briefly explain the requirements.

2a Have purge criteria been identified? YES | NO | N/A

2b If so, briefly explain the criteria and whether or not aggregate data will be retained after purge.

3a Will a data dictionary be created for the system? YES | NO | N/A

3b If yes, explain where it will be stored and how frequently it will be updated.

4a Will any of the data collected be duplicative to other data items collected throughout the Department? YES | NO | N/A

4b If yes, explain if the application will utilize enterprise reference tables for common data.

5a Have all reporting needs been identified? YES | NO | N/A

5b If yes, briefly explain the architecture of the reporting function.


6 Have all data elements needed to satisfy the reporting requirements been identified? YES | NO | N/A

7a Will all reporting needs be satisfied through the new system being proposed? YES | NO | N/A

7b If no, please explain any report generation that will be done outside of the system.

8 Has an ETL (Extract, Transform, Load) or similar process been set up for loading the data collected into the DOH Data Warehouse? YES | NO | N/A

9 Will the Department of Health own all of the data being collected? YES | NO | N/A

10 Will appropriate Department of Health staff members have direct access to the raw (record level) data? YES | NO | N/A

11 Does the project require data reporting that includes locational data (e.g. latitude, longitude, county, minor civil division, census tract, census block group, etc.)? YES | NO | N/A

12 Does the project require locational data to be created and stored for internal and/or external reporting purposes? YES | NO | N/A

13a Does the project employ, or plan to employ, geospatial technologies, such as mapping or geocoding of address data? YES | NO | N/A

13b If yes, what technology will be utilized?

13c Does this technology comply with OA/OIT and Department Standards? Refer to the OA/OIT ITP_INFGT001 - Geospatial Information Systems (GIS) for more information. YES | NO | N/A


13d If not, please explain mitigation strategy.

14a What database systems and versions are utilized?

14b Are these database systems in compliance with OA/OIT standards? Refer to OA/OIT ITP-INF001 - Database Management Systems for more information. YES | NO | N/A

15 What database normalization standards will be employed in the creation of the database?

16a Has a logical data model (Post Design Session) been completed? YES | NO | N/A

16b Does the data model comply with OA/OIT standards? Refer to OA/OIT ITP-INF003 - Data Modeling Standards for more information. YES | NO | N/A

16c If not, please explain mitigation strategy.

17a Has a physical data model (Pre-Implementation Session) been completed? YES | NO | N/A

17b Does the data model comply with OA/OIT standards? Refer to OA/OIT ITP-INF003 - Data Modeling Standards for more information. YES | NO | N/A

17c If not, please explain mitigation strategy.


18a Do all application data structures comply with OA/OIT and Department standards? Refer to OA/OIT for more information. YES | NO | N/A

18b If yes, please explain.

6.4 Integration Domain (Responses will be reviewed by the ADA responsible for the project)

ID Review Item Response

1 Have all cross-system interface requirements been defined? YES | NO | N/A

2 Does the design support integration with other software products? YES | NO | N/A

3a Are middleware solutions being proposed for use by this system? YES | NO | N/A

3b If yes, please describe.

3c If yes, does the proposed solution comply with OA/OIT standards? Refer to OA/OIT (ITP_INT001 - Message-Oriented Middleware) for more information. YES | NO | N/A

3d If not, please explain.

4a Is it anticipated that business partner data sharing will be required? YES | NO | N/A

4b If yes, will the e-gov exchange process for business-to-business middleware be implemented?

6.5 Network Domain (Responses will be reviewed by the DOH Network Team)

ID Review Item Response

1 Will the existing DOH network architecture work to support this application? YES | NO | N/A

2a Is a wireless technology, such as 4G or Wi-Fi provided at DOH sites, required as part of this project? YES | NO | N/A

2b If yes, please explain.

2c If yes, is this technology compliant with OA/OIT standards? Refer to OA/OIT ITB-NET001 Wireless LAN Technology for more information. YES | NO | N/A

3a Are there data transfer requirements that could affect the throughput on the DOH network (such as offsite backups, data used for analytics, database synchronization if using the app in standalone mode, etc.)? YES | NO | N/A

3b If yes, please explain.

4a Are there any DOH firewall or network configuration changes required? YES | NO | N/A

4b If yes, please explain.

5a Does new hardware, such as routers and/or switches, need to be purchased in order to support this project? Equipment must comply with current OA/OIT standards and protocols. Refer to OA/OIT ITB-NET002 Network Router and Switch Technology Standards for more information. YES | NO | N/A


5b If YES, please explain.


6.6 Platform Domain (Responses will be reviewed by the DOH LAN team)

ID Review Item Response

1a What is/are the proposed host location(s) (PACS, MSL, DOH, cloud, etc.)? Specify all that apply.

1b Is the necessary hosting environment documentation completed? YES | NO | N/A

2 Is the design compatible with Virtual Machine (VM) hosting? YES | NO | N/A

3a Will this initiative be utilizing a public cloud service? YES | NO | N/A

3b If yes, cloud services must be fully vetted via an OA/OIT Service Request. Has the proper service request been submitted to OA/OIT? YES | NO | N/A

3c If no, Service Requests can be created using the online submission and tracking tool on the IT Central Enterprise Services page via the Service Gateway link. Click on the Service Request button, provide the requested information and choose "Professional Services: Cloud Service Use Case Review". The Cloud Services Team will be notified immediately.


4a What server platform will the system require?

4b Does the proposed server platform comply with current OA/OIT standards? YES | NO | N/A

5a What desktop platform will the system require?

5b Does this desktop platform comply with the current OA/OIT standards? Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standards for more information. YES | NO | N/A

6a What operating systems and versions are supported?

6b Do these operating systems comply with current OA/OIT standards? Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standards for more information. YES | NO | N/A

7a What web browsers are supported?

7b Do these web browsers comply with OA/OIT standards? Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standards for more information. YES | NO | N/A

8a Will the application or 3rd-party software tools be required to be installed? YES | NO | N/A

8b If yes, please specify.


6.7 Privacy Domain

ID Review Item Response

1a Will system implementation, administration and management comply with all privacy series ITPs that apply? YES | NO | N/A

1b If no, identify the specific ITPs, justification for non-compliance and compensating controls planned. (Currently ITP-PRV001 and ITP-PRV002.)

2a Will system implementation, administration and management comply with all privacy-related Management Directives that apply? YES | NO | N/A

2b If no, identify the specific Management Directives, justification for non-compliance and compensating controls planned.

3a Beyond CoPA ITPs and Management Directives, do other privacy laws, regulations, legislation, executive orders, policies, agreements, standards, specifications, obligations, MOUs or other privacy-related governance requirements apply to the implementation, administration and management of the system and data? YES | NO | N/A

3b If yes, identify specific laws, regulations, agreements, standards, etc.

4a Beyond Commonwealth ITPs and Management Directives, will system implementation, administration and management comply with all other privacy laws, regulations, legislation, executive orders, policies, agreements, standards, specifications, obligations, MOUs or other privacy-related governance requirements that apply? YES | NO | N/A

4b If no, identify the specific governance requirements, justification for non-compliance and compensating controls planned.

6.8 Project Management Domain (Responses will be reviewed by the Project Management Office)

ID Review Item Response

1a Have the required deliverables for this phase been completed, including the required business signoffs? YES | NO | N/A

1b If no, please explain.

2a Have project status reporting and project logs been satisfactorily completed to this point? YES | NO | N/A

2b If no, please explain.

3a Are there any major project decisions or interventions needed to keep this project on track? YES | NO | N/A

3b If no, please explain.

4a Are project communications and business participation meeting the plan and/or needs for the project? YES | NO | N/A

4b If no, please explain.


6.9 Security Domain (Responses will be reviewed by the DOH Security Team)

ID Review Item Response

1a Does the proposed solution comply with Commonwealth Information Technology Policies applicable to information security? YES | NO | N/A

1b If no, please explain.

2a What other information security requirements apply for the protection of sensitive data (i.e., HIPAA, PCI, Act 148, etc.)?

2b Does the proposed solution comply with applicable security requirements? YES | NO | N/A

2c If no, please explain.


6.10 Systems Management Domain (Responses will be reviewed by the ADA responsible for the project)

ID Review Item Response

1 What are the online availability requirements?

2a Will system/application monitoring tools be utilized? YES | NO | N/A

2b If yes, please specify.

3a Has a disaster recovery approach been identified for the application? YES | NO | N/A

3b If yes, please describe.

4a What HCIS classification has been designated? (H-highly critical, C-critical, I-important, S-suspend.) Refer to OA/OIT ITB SYM004-AR1 Policy for Establishing Alternate Processing Sites for Commonwealth Agencies for more information.

4b Is there appropriate funding available for the designated classification? YES | NO | N/A

4c If not, please explain.

5 Have service level agreements (SLAs) been established for this system? YES | NO | N/A

6 What ongoing program area support will be required and committed to the effort (following implementation)?


7 What ongoing BIIT support will be required and committed to the effort following implementation? This estimate should include system maintenance resources and help desk resources.

8 What internal and/or external forces may drive change to the implemented solution (i.e. annual updates to federal regulations, upcoming or anticipated legislative mandates)?

9a If applicable at the current point in the project, has an ARB Capacity Plan document been completed for this project? YES | NO | N/A

9b If 9a is applicable to this project and the response to 9a was NO, please explain the mitigation strategy.
