Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

3.5
ProcessWhat To DoHow To Do It
1Initiate the Project
  1. If you are using a workflow-based project management tool (e.g., JIRA) then set up a document template to track approvals and completion of tasks.
  2. If you are not using a project management tool then use one of the following checklists as appropriate based on initial assumptions about the project:
    1. Project Sign-Off Sheet for Developed Applications
    2. Project Sign-Off Sheet for Third-Party Applications
    1. /wiki/spaces/public/pages/31361348
    2. /wiki/spaces/public/pages/31361354
2Identify Sponsor
  1. Identify a person who will take ownership of the project and:
    • is in a position where he or she can organize resources from the functional side.
    • has the skills and time to manage or help manage the project, including requirements analysis, tracking progress, setting up meetings, and organize user testing
    • has the time and interest to develop the skills required to assist requirements analysis.
3Submit Project Proposal
  1. Prepare a Project Proposal request and submit the request as defined on the How to Submit a New Project page.
  2. To aid in determining what should be included in the Financial Impact section of the Project Proposal, download and use the Project Impact Analysis or High-Level Cost Benefit Analysis workbooks.
  3. If a third-party solution is an option to complete the project then prepare a Third-Party System Review for each of the third-party systems being considered.
  4. If you will be using JIRA to manage your project then you should submit a new JIRA Project Request as soon as possible after submitting the project proposal to the Project Review Team. If you are using some other tool to manage your project (e.g., MS Project, SmartSheets, ServiceNow) you should initialize the required project information there.
  5. Prepare Project Information Home and Project Decision Log wiki pages to publish information and updates about the project.
4Requirements Definition
  1. Consider candidates for the various roles on the Project Team. Assign as many of these as possible.
  2. Create the Project Charter for large, high risk applications. 
  3. Prepare the Functional Requirements to document the basic functional requirements of the system.
  4. Use the results from the Third-Party System Reviews to help determine whether an application software solution should be developed internally or acquired from a third-party.
    1. The general guideline is that if a third-party solution providing at least 85% of the features and capabilities outlined in the Functional Requirements can be located, and it satisfies the technical criteria defined by OIT with respect to architecture, security, etc., then the third-party solution should be used.
    2. If multiple third-party solutions are being considered, a Third-Party System Review should be done for each one.
  5. Review the OIT Data Classifications to determine whether the project involves access to to sensitive, restricted, or personally identifiable information.
    1. If it does then contact the OIT Security Manager.
    2. Security reviews are best scheduled starting at the planning stages of a project and are required during the requirements definition process of any high risk project.
  6. Determine the level of risk involved with the project.
    1. Complete Sections I - X of the Security Risk Assessment Questionnaire (SRAQ) to calculate the project's risk level.
    2. A HIGH RISK application includes any application that uses, stores, or transmits:
      • Password
      • Social Security Number
      • Home phone or address
      • Credit card numbers
      • Bank account numbers
      • Driver license or other credential
      • Nonpublic student or employee data
      • FERPA-protected student data
      • Patient information
      • Or any other data deemed sensitive, restricted, or personally identifiable as defined in the OIT data classifications.
  7. If restricted information is stored or accessed:
    1. Encryption must be used in storage and transmission in all cases where such data occurs.
    2. The project is categorized as HIGH RISK and the UCI CIO and UCI Security Officer must be notified in writing or acknowledged email before any work effort begins.
    3. Contact the OIT Security Manager at the planning stages of high risk projects to review the SRAQ and security requirements of the project.
  8. Use the Audit Preparation Questionnaire to determine what information will be required if the project or system is audited.
  9. Schedule a requirements review and acceptance sign-off with functional and technical project teams to review the functional requirements.
    1. Prior to reviewing the requirements with the project team, it may be helpful to create a Development Environment Review Form.
5Prepare a Project Plan
  1. A Project Plan /wiki/spaces/public/pages/31361283 contains enough information about the project that all stakeholders can understand what will be done and have an idea when the work will be completed. This includes:
    1. Project Definition containing basic information about the project,
    2. Schedule showing project milestones and projected resource requirements and timeframes,
    3. Issues Log to keep track of potential and real problems encountered during the course of the project, and
    4. Organizational Information including key stakeholders, roles, and contact information.
6Create System Specification
  1. Especially for more complex systems, as you design your specifications, be sure to consider:
    1. Architecture Review
    2. Database Review
    3. GUI Review and consistency
    4. When creating diagrams (data flow, system architecture, system design, etc.) that show interaction between software components only use the tools defined in the Application Developer's Toolbox.
    5. At minimum separate development and production environments must be set up. You may also need a test, training, or staging environment.
    6. Create test data if any sensitive data will need to be tested.
      • Schedule regular security reviews with the Security Team at the beginning of your project.
      • System Architecture Diagrams in SRAQ Section XI should be completed and reviewed.
      • Complete the Threat Anaylsis section of SRAQ based on technical details of design.
7Prepare a Test Plan
  1. A Test Plan consists of:
    1. Automated code testing in your development environment
    2. Cross-browser application certification using VMWare
    3. Steps to test major areas of functionality. Include screen shots for regression testing.
    4. Security tests as outlined in the SRAQ.
    5. Accessibility test (WCAG 2.0 as guideline)
    6. Parallel system test
    7. Test schedule
    8. User acceptance checklists
8Software Implementation
Section
Column
width49%
 In House
  1. Application development is an iterative process with regularly scheduled review stages and quality controls.
  2. Contact your systems development director about the preferred development platform, tools, and methods.
  3. For more information about OIT software development practices, see Systems Development Practices & Guidelines.
  4. The Application Developer's Toolbox provides useful information about OIT-supported tools for the developer.
  5. During implementation, the Section XII (Controls) of the SRAQ must be completed. (OIT recommendations/wiki/spaces/adcom/pages/68028501)
  6. Schedule Application and Code Review.
    1. The /wiki/spaces/adcom/pages/68028495 should be followed during implementation.
    2. High risk code, such as authentication and authorization, must be reviewed in the early stages of implementation.
    3. Schedule Code Reviews with peer software engineers from the beginning of development.
Column
width2%

 

Column
width49%
 Vendor
  1. Vendor procured software involves software configuration activities rather than software coding.
  2. Vendor procured software are designed and developed to meet the needs across a broad client base.  As such, current functionality and processes will need to be evaluated against the framework and confines of the vendor software.  
  3. This will require mapping all critical processes to the software's functionality.  If the critical process cannot be accommodated by the software, it may require UCI developed application to close any gaps for the mission critical process that cannot be met by the vendor procured software.
  4. Vendor should help guide the process during the implementation.  As such, they should provide a project plan and a project schedule that outlines how the implementation will unfold.  In the absence of a formal project plan by the vendor, you will need to collaborate with the vendor to prepare the project plan and the project schedule per Step 5 above.
  5. During implementation, the Section XII (Controls) of the SRAQ must be completed. (OIT recommendations/wiki/spaces/adcom/pages/68028501)
  6. During the Project Execution Phase, all project tasks must be updated on a regular basis to determine risk and issues that prevent the project tasks from moving forward and communicated to appropriate parties.
  7. Once the vendor procured software has been implemented, validate the deliverables against contractual obligations.
     

 

 

9Quality Assurance
  1. QA is an iterative set of activities during development of a project and is normally based on a documented process and standard practices. These include:
    1. Code analysis with automated tools and peer code reviews. Example: Java Code Review Checklist.
    2. Unit, Functional, and browser compatibility testing by programmer and end user.
    3. Security review in the form of verification of SRAQ Controls Section XII and OIT Application Security Checklist.
    4. IT Accessibility testing completed
    5. Performance, load, and stress testing to simulate user load.
    6. Reporting and publishing of test results to determine progress and production readiness.
  2. See an example of Java Quality Assurance process.
  3. Reference links:
10User Acceptance Testing
  1. User Acceptance Test and Acceptance Sign-off is usually coordinated by a Functional Lead and indicates that users have:
    • Tested functionality,
    • Approved that an application meets original requirements, and
    • Determined that it is ready to go into production from the business perspective.
11Production Rollout Planning
  1. Production Rollout Planning includes:
    • SRAQ completed fully with any left over action items completed.
    • Successful quality assurance testing, application vulnerability scanning, and security sign-off.
    • Completed Project Sign-Off Sheet (Third-Party or Developed Application version as appropriate for the project) with approvals and dates.
    • For some OIT functional units, issue tracking and Change Control Management must be worked out with the appropriate OIT support units prior to moving the system to production.
    • Scheduled database and code backups.
    • Appropriate contingency plan or roll-back plans.
    • Announcement of the application's availability date to end users via appropriate communication channels.
    • User Training.
    • Help Desk training.
    • Cross-train backup support.
    • Adding the application into Help Desk Service Request Tracking System.
    • Adding application to campus portals, if applicable.
12Launch Application
  1. Congratulate yourself on a job well done!
  2. Continue with change management and production support.
13Post-Implementation Review
  1. Perform project close-out including clean-up and lessons learned.
  2. Transition support from developers to OIT Help Desk.
  3. Prepare a Project Completion Report for review with end users.
  4. Meet with end users and project team to review Project Completion Report.
  5. Meet with Executive Sponsor to obtain sign-off of the Project Sign-Off Sheet.
  6. Email Project Sign-Off Sheet to the OIT Project Manager.
  7. Prepare system disposition plans.
  8. Monitor system to make sure it is performing as designed.

...

Both Waterfall and Scrum are widely used methodologies for different reasons.  Although most projects adopt one methodology over the other, the non-traditional hybrid method of using parts of each methodology can also be effective in arriving at the desired project outcome.  Table below provides some characteristics of both Waterfall and Scrum.  Detailed information on each methodologies tailored for OIT can be found in the following links.

 WaterfallScrum
Fundamental AssumptionsSystems are fully specifiable, predictable, and can be build through meticulous and extensive planning.High-quality, adaptive software can be developed by small teams using principles of continuous design improvement and testing based on rapid feedback and change.
ControlPredictive: decisions are based on forecastsEmpirical: decisions are based on realities you observe in the actual project
Management StyleCommand-and-control (amber organizations)Leadership-and-collaboration (orange and green organizations)
Knowledge ManagementExplicitTacit
Role AssignmentIndividual - favors specializationSelf-organizing teams - encourages role interchangeability
CommunicationFormal and documentedFrequent and facilitated
Customer's RoleImportantCritical
Organization of WorkGuided by architectural level and tasks (vertical slices by architectural level)Guided by product features (horizontal slices through each architectural layer)
Development ModelLife cycle modelEvolutionary/Incremental delivery model
Desired Organizational StructureMechanistic (bureaucratic with high formalization)Organic (flexible and participative, encouraging interpersonal interactions)

...