Versions Compared

Version Old Version 118 New Version 119
Changes made by

Eric Puchalski

Brian Roode

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ProcessWhat To DoHow To Do It
1Initiate the Project
  1. If you are using a workflow-based project management tool (e.g., JIRA) then set up a document template to track approvals and completion of tasks.
  2. If you are not using a project management tool then use one of the following checklists as appropriate based on initial assumptions about the project:
    1. Project Sign-Off Sheet for Developed Applications
    2. Project Sign-Off Sheet for Third-Party Applications
2Identify Sponsor
  1. Identify a person who will take ownership of the project and:
    • is in a position where he or she can organize resources from the functional side.
    • has the skills and time to manage or help manage the project, including requirements analysis, tracking progress, setting up meetings, and organize user testing
    • has the time and interest to develop the skills required to assist requirements analysis.
3Submit Project Proposal
  1. Prepare a Project Proposal request and submit the request as defined on the How to Submit a New Project page.
  2. To aid in determining what should be included in the Financial Impact section of the Project Proposal, download and use the Project Impact Analysis or High-Level Cost Benefit Analysis workbooks.
  3. If a third-party solution is an option to complete the project then prepare a Third-Party System Review for each of the third-party systems being considered.
  4. As soon as possible after submitting the project proposal to the Project Review Team, a new JIRA Project Request should be submitted.
  5. Prepare a wiki or Web page to publish information and updates about the project.
4Requirements Definition
  1. Consider candidates for the various roles on the Project Team. Assign as many of these as possible.
  2. Create the Project Charter for large, high risk applications. 
  3. Prepare the Functional Requirements to document the basic functional requirements of the system.
  4. Use the results from the Third-Party System Reviews to help determine whether an application software solution should be developed internally or acquired from a third-party.
    1. The general guideline is that if a third-party solution providing at least 85% of the features and capabilities outlined in the Functional Requirements can be located, and it satisfies the technical criteria defined by OIT with respect to architecture, security, etc., then the third-party solution should be used.
    2. If multiple third-party solutions are being considered, a Third-Party System Review should be done for each one.
  5. Review the OIT Data Classifications to determine whether the project involves access to to sensitive, restricted, or personally identifiable information.
    1. If it does then contact the OIT Security Manager.
    2. Security reviews are best scheduled starting at the planning stages of a project and are required during the requirements definition process of any high risk project.
  6. Determine the level of risk involved with the project.
    1. Complete Sections I - X of the Security Risk Assessment Questionnaire (SRAQ) to calculate the project's risk level.
    2. A HIGH RISK application includes any application that uses, stores, or transmits:
      • Password
      • Social Security Number
      • Home phone or address
      • Credit card numbers
      • Bank account numbers
      • Driver license or other credential
      • Nonpublic student or employee data
      • FERPA-protected student data
      • Patient information
      • Or any other data deemed sensitive, restricted, or personally identifiable as defined in the OIT data classifications.
  7. If restricted information is stored or accessed:
    1. Encryption must be used in storage and transmission in all cases where such data occurs.
    2. The project is categorized as HIGH RISK and the UCI CIO and UCI Security Officer must be notified in writing or acknowledged email before any work effort begins.
    3. Contact the OIT Security Manager at the planning stages of high risk projects to review the SRAQ and security requirements of the project.
  8. Use the Audit Preparation Questionnaire to determine what information will be required if the project or system is audited.
  9. Schedule a requirements review and acceptance sign-off with functional and technical project teams to review the functional requirements.
    1. Prior to reviewing the requirements with the project team, it may be helpful to create a Development Environment Review Form.
5Prepare a Project Plan
  1. A Project Plan contains enough information about the project that all stakeholders can understand what will be done and have an idea when the work will be completed. This includes:
    1. Project Definition containing basic information about the project,
    2. Schedule showing project milestones and projected resource requirements and timeframes,
    3. Issues Log to keep track of potential and real problems encountered during the course of the project, and
    4. Organizational Information including key stakeholders, roles, and contact information.
6Create System Specification
  1. Especially for more complex systems, as you design your specifications, be sure to consider:
    1. Architecture Review
    2. Database Review
    3. GUI Review and consistency
    4. When creating diagrams (data flow, system architecture, system design, etc.) that show interaction between software components only use the tools defined in the Application Developer's Toolbox.
    5. At minimum separate development and production environments must be set up. You may also need a test, training, or staging environment.
    6. Create test data if any sensitive data will need to be tested.
      • Schedule regular security reviews with the Security Team at the beginning of your project.
      • System Architecture Diagrams in SRAQ Section XI should be completed and reviewed.
      • Complete the Threat Anaylsis section of SRAQ based on technical details of design.
7Prepare a Test Plan
  1. A Test Plan consists of:
    1. Automated code testing in your development environment
    2. Cross-browser application certification using VMWare
    3. Steps to test major areas of functionality. Include screen shots for regression testing.
    4. Security tests as outlined in the SRAQ.
    5. Parallel system test
    6. Test schedule
    7. User acceptance checklists
8Develop Application
  1. Application development is an iterative process with regularly scheduled review stages and quality controls.
  2. Contact your systems development director about the preferred development platform, tools, and methods.
  3. For more information about OIT software development practices, see Systems Development Practices & Guidelines.
  4. The Application Developer's Toolbox provides useful information about OIT-supported tools for the developer.
  5. During implementation, the Section XII (Controls) of the SRAQ must be completed. (OIT recommendations)
  6. Schedule Application and Code Review.
    1. The /wiki/spaces/adcom/pages/68028495 should be followed during implementation.
    2. High risk code, such as authentication and authorization, must be reviewed in the early stages of implementation.
    3. Schedule Code Reviews with peer software engineers from the beginning of development.
9Quality Assurance
  1. QA is an iterative set of activities during development of a project and is normally based on a documented process and standard practices. These include:
    1. Code analysis with automated tools and peer code reviews. Example: Java Code Review Checklist.
    2. Unit, Functional, and browser compatibility testing by programmer and end user.
    3. Security review in the form of verification of SRAQ Controls Section XII and OIT Application Security Checklist.
    4. Performance, load, and stress testing to simulate user load.
    5. Reporting and publishing of test results to determine progress and production readiness.
  2. See an example of Java Quality Assurance process.
  3. Reference links:
10User Acceptance Testing
  1. User Acceptance Test and Acceptance Sign-off is usually coordinated by a Functional Lead and indicates that users have:
    • Tested functionality,
    • Approved that an application meets original requirements, and
    • Determined that it is ready to go into production from the business perspective.
11Production Rollout Planning
  1. Production Rollout Planning includes:
    • SRAQ completed fully with any left over action items completed.
    • Successful quality assurance testing, application vulnerability scanning, and security sign-off.
    • Completed Project Sign-Off Sheet (Third-Party or Developed Application version as appropriate for the project) with approvals and dates.
    • For some OIT functional units, issue tracking and Change Control Management must be worked out with the appropriate OIT support units prior to moving the system to production.
    • Scheduled database and code backups.
    • Appropriate contingency plan or roll-back plans.
    • Announcement of the application's availability date to end users via appropriate communication channels.
    • User Training.
    • Help Desk training.
    • Cross-train backup support.
    • Adding the application into Help Desk Service Request Tracking System.
    • Adding application to campus portals, if applicable.
12Launch Application
  1. Congratulate yourself on a job well done!
  2. Continue with change management and production support.
13Post-Implementation Review
  1. Perform project close-out including clean-up and lessons learned.
  2. Transition support from developers to OIT Help Desk.
  3. Prepare a Project Completion Report for review with end users.
  4. Meet with end users and project team to review Project Completion Report.
  5. Meet with Executive Sponsor to obtain sign-off of the Project Sign-Off Sheet.
  6. Email Project Sign-Off Sheet to the OIT Project Manager.
  7. Prepare system disposition plans.
  8. Monitor system to make sure it is performing as designed.