ARB Checklist - Saas


Architecture Review Checklist (Software as a Service Edition)

Prepared By:
Project #:
Date Submitted:
Document Version: 2.8
PA Department of Health

Document History

Version / Date / Author / Status / Revision Description

0.1 / (no date) / (no author) / Initial Draft
1.0 / (no date) / (no author) / First Published
1.7 / 05/31/07 / Connie Houck / Updated / Added new links to OA/OIT standards due to them moving to Aqualogic software.
1.8 / 02/23/10 / William Miller / Updated / Added new questions to reflect adherence to development standards, SiteMinder, SOA, data dictionaries, and code reuse.
2.0 / 11/13/14 / Rae-Ann Ginter / Updated
2.1 / 01/30/15 / Rae-Ann Ginter / Updated / Included areas responsible for each domain.
2.2 / 03/04/15 / Rae-Ann Ginter / Updated
2.3 / 07/09/15 / Rae-Ann Ginter / Updated / Removed broken link to strategic imperatives from PMO Domain and updated 2 links within the Network Domain.
2.4 / 6/15/16 / Brett Grumbine / Updated / Replaced all questions in the Security Domain as directed by the BIIT Security Officer.
2.5 / 9/22/16 / Scott Kister / Updated / Major revisions to reflect new APB processes. Updated to reflect changes based on project type. Inclusion of revisions from ARB board members.
2.6 / 9/28/16 / Scott Kister / Updated / Updated to include OA/OIT cloud service questions.
2.7 / 3/22/17 / Scott Kister / Updated
2.8 / 6/7/17 / C. Keith Frye / Updated / Deleted question 5 from Proj. Mgmt. section as $250K threshold is no longer OA criteria.

Page 2 of 59 Architecture Review Checklist PA Department of Health


1 Purpose of This Document

The Department of Health has established technical standards to improve its ability to serve customers, use assets efficiently, and promote best practices. The objectives of the Architecture Review (AR) Checklist are:

- to raise awareness and understanding of the technical standards;
- to help ensure accurate collection of application standards compliance information;
- to assist in planning and resource projections for new and existing applications;
- to understand scalability and capacity requirements for ongoing system operations;
- to help identify opportunities to re-use business functions or technical components; and
- to ensure application design and development is complying with established technical standards and best practices.

The AR Checklist must be submitted to and approved by the DOH Architecture Review Board prior to starting application detailed design and/or proceeding with the procurement of a Commercial off the Shelf (COTS) or Software as a Service (SaaS) technology solution for projects that meet the architecture review criteria. A second architecture review may be required prior to beginning application development, based on project scope. A final architecture review may be required prior to system promotion to a DOH production environment. The Architecture Review Board or the project team may request additional architecture reviews as needed.

2 Acronyms


Acronym: Definition

ADA: Application Developer Administrator
ARB: Architecture Review Board
CoPA: Commonwealth of Pennsylvania
ITP: Information Technology Policy
OA/OIT Standards: https://itcentral.pa.gov/Pages/IT-Policies.aspx
System: Regarding the Privacy and Security domains, the term “system” applies to the primary computer application, sub-systems, data repositories and related processes.
MSL: Managed Service Lite
PACS: PA Compute Services

3 System and Architecture Review Participant Information

System Name / ID:
Date of 1st ARB Review Meeting:
Date of 2nd ARB Review Meeting:
Date of 3rd ARB Review Meeting:

ARB Meeting Participant Names:

4 Project

4.1 Technologies (Check all that apply)

Application Server
Radio
IES / SAP Development
Database – SQL
Security (not Telecom)
Desktop/Laptop/Tablet Server
Database – Oracle
Telecom – Data
GIS
Disaster Recovery
Telecom – Voice
Document Management
DOH Help Desk
Telecom – Security
Identity Management
Web/Domain Naming
Telecom – Video
Large Storage Requirements
DOH Network
Data Networking
Other
Mobile
Application Type (Specify: Intranet / Internet / Client/Server)

4.2 Hosting Location(s) (Check all that apply)

Herr Street
Managed Services
Cloud (Azure/Amazon, etc)
PACS
Managed Services Lite

4.3 IT Development Staff Requirements (Check all that apply)

DOH BIIT
Contracted

4.4 Long-Term Support Staff Requirements (Check all that apply)

DOH/BIIT
Contracted


5 Project Summary


6 Review Checklist

Please respond to the questions in all the applicable sub-sections. If a deliverable (or project document) is referenced in the Response, please upload the corresponding deliverable onto the ARB SharePoint site, along with the completed checklist.

6.1 Access Domain (Responses will be reviewed by all teams)

ID Review Item Response

1   How many users need to be supported?
2   Is external remote access required (e.g. VPN)?   YES | NO | N/A
3a  Does the system meet the minimum level for accessibility that PA has adopted to comply with Section 508 of the Rehabilitation Act §1194.22?   YES | NO | N/A
    Refer to OA/OIT ITB-ACC001 IT Accessibility Policy for more information.
3b  If no, provide mitigation strategy.
4   How many concurrent users will be accessing the system on average?

6.2 Application Domain (Responses will be reviewed by ADA’s)

ID Review Item Response

1   What is the life expectancy of the application (in years)?
2a  What load, performance testing, regression and software testing tools will be used on this project?
2b  Are these tools compliant with OA/OIT standards?   YES | NO | N/A
    Refer to OA/OIT (ITP-APP014 Application Testing Tools Policy) for more information.
2c  If no, please explain.
3a  Are mobile technologies being leveraged with this project?   YES | NO | N/A
3b  If yes, what type? (iOS, Android, etc)
4   If a website is being created, is a mobile-friendly version required?   YES | NO | N/A

6.3 Information Domain (Responses will be reviewed by Health Informatics, Data Warehouse & Database teams)

ID Review Item Response

1a  Have data retention requirements been identified?   YES | NO | N/A
1b  If yes, briefly explain the requirements.
2a  Has purge criteria been identified?   YES | NO | N/A
2b  If so, briefly explain the criteria and whether or not aggregate data will be retained after purge.
3a  Will a data dictionary be created for the system?   YES | NO | N/A
3b  If yes, explain where it will be stored and on what frequency it will be updated.
4a  Will any of the data collected be duplicative to other data items collected throughout the Department?   YES | NO | N/A
4b  If yes, explain if the application will utilize enterprise reference tables for common data.
5a  Have all reporting needs been identified?   YES | NO | N/A
5b  If yes, briefly explain the architecture of the reporting function.
6   Have all data elements needed to satisfy the reporting requirements been identified?   YES | NO | N/A
7a  Will all reporting needs be satisfied through the new system being proposed?   YES | NO | N/A
7b  If no, please explain any report generation that will be done outside of the system.
8   Has an ETL (Extract, Transform, Load) or similar process been set up for loading the data collected into the DOH Data Warehouse?   YES | NO | N/A
9   Will the Department of Health own all of the data being collected?   YES | NO | N/A
10  Will appropriate Department of Health staff members have direct access to the raw (record level) data?   YES | NO | N/A
11  Does the project require data reporting that includes locational data (e.g. latitude, longitude, county, minor civil division, census tract, census block group, etc.)?   YES | NO | N/A
12  Does the project require locational data to be created and stored for internal and/or external reporting purposes?   YES | NO | N/A
13a Does the project employ, or plan to employ, geospatial technologies, such as mapping or geocoding of address data?   YES | NO | N/A
13b If yes, what technology will be utilized?
13c Does this technology comply with OA/OIT and Department Standards?   YES | NO | N/A
    Refer to the OA/OIT ITP_INFGT001 - Geospatial Information Systems (GIS) for more information.
13d If not, please explain mitigation strategy.

6.4 Integration Domain (Responses will be reviewed by ADA responsible for the project)

ID Review Item Response

1   Have all cross-system interface requirements been defined?   YES | NO | N/A
2   Does the design support integration with other software products?   YES | NO | N/A
3a  Are middleware solutions being proposed for use by this system?   YES | NO | N/A
3b  If yes, please describe.
3c  If yes, does the proposed solution comply with OA/OIT standards?   YES | NO | N/A
    Refer to OA/OIT (ITP_INT001 - Message-Oriented Middleware) for more information.
3d  If not, please explain.
4a  Is it anticipated that business partner data sharing will be required?   YES | NO | N/A
4b  If yes, will the utilization of the e-gov exchange process for business to business middleware be implemented?

6.5 Network Domain (Responses will be reviewed by the DOH Network Team)

ID Review Item Response

1   Will the existing DOH network architecture work to support this application?   YES | NO | N/A
2a  Is a wireless technology, such as 4G or Wi-Fi, required as part of this project?   YES | NO | N/A
2b  If yes, please explain.
2c  If yes, is this technology compliant with OA/OIT standards?   YES | NO | N/A
    Refer to OA/OIT ITB-NET001 Wireless LAN Technology for more information.
3a  Are there data transfer requirements that could affect the throughput on the DOH network (such as offsite backups, data used for analytics, etc.)?   YES | NO | N/A
3b  If yes, please explain.
4a  Are there any firewall or network configuration changes required?   YES | NO | N/A
4b  If yes, please explain.

6.6 Platform Domain (Responses will be reviewed by the DOH LAN team)

ID Review Item Response

1   What is/are the proposed host location(s) (PACS, MSL, DOH, cloud, etc.)? Specify all that apply.
2a  Will this initiative be utilizing a public cloud service?   YES | NO | N/A
2b  If YES, cloud services must be fully vetted via an OA/OIT Service Request. Has the proper service request been submitted to OA/OIT?   YES | NO | N/A
2c  If NO, Service Requests can be created using the online submission and tracking tool on the IT Central Enterprise Services page via the Service Gateway link. Click on the Service Request button, provide the requested information and choose "Professional Services: Cloud Service Use Case Review". The Cloud Services Team will be notified immediately.
3a  What web browsers are supported?
3b  Do these web browsers comply with OA/OIT standards?   YES | NO | N/A
    Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standards for more information.
3c  If NO, please explain.
4a  Will the application require 3rd-party software tools to be installed?   YES | NO | N/A
4b  If yes, please specify.

6.7 Privacy Domain

ID Review Item Response

1a  Will system implementation, administration and management comply with all privacy series ITP’s that apply?   YES | NO | N/A
1b  If no, identify specific ITP’s, justification for non-compliance and compensating controls planned. (currently ITP-PRV001 and ITP-PRV002)
2a  Will system implementation, administration and management comply with all privacy-related Management Directives that apply?   YES | NO | N/A
2b  If no, identify the specific Management Directives, justification for non-compliance and compensating controls planned.
3a  Beyond CoPA ITP’s and Management Directives, do other privacy laws, regulations, legislation, executive orders, policies, agreements, standards, specifications, obligations, MOU’s or other privacy-related governance requirements apply to the implementation, administration and management of system and data?   YES | NO | N/A
3b  If yes, identify specific laws, regulations, agreements, standards, etc.
4a  Beyond Commonwealth ITP’s and Management Directives, will system implementation, administration and management comply with all other privacy laws, regulations, legislation, executive orders, policies, agreements, standards, specifications, obligations, MOU’s or other privacy related governance requirements that apply?   YES | NO | N/A
4b  If no, identify the specific governance requirements, justification for non-compliance and compensating controls planned.

6.8 Project Management Domain (Responses will be reviewed by the Project Management Office)


ID Review Item Response

1a  Have the required deliverables for this phase been completed, including the required business signoffs?   YES | NO | N/A
1b  If no, please explain.
2a  Have project status reporting and project logs been satisfactorily completed to this point?   YES | NO | N/A
2b  If no, please explain.
3a  Are there any existing major project decisions or interventions needed to keep this project on-track?   YES | NO | N/A
3b  If no, please explain.
4a  Are project communications and business participation meeting the plan and/or needs for the project?   YES | NO | N/A
4b  If no, please explain.

6.9 Security Domain (Responses will be reviewed by the DOH Security Team)

ID Review Item Response

1a  Does the proposed solution comply with Commonwealth Information Technology Policies applicable to information security?   YES | NO | N/A
1b  If no, please explain.
2a  What other information security requirements apply for the protection of sensitive data, i.e., HIPAA, PCI, Act 148, etc.?
2b  Does the proposed solution comply with applicable security requirements?   YES | NO | N/A
2c  If no, please explain.

6.10 Systems Management Domain (Responses will be reviewed by ADA responsible for the project)

ID Review Item Response

1   What are the online availability requirements?
2a  Will system/application monitoring tools be utilized?   YES | NO | N/A
2b  If yes, please specify.
3a  Has a disaster recovery approach been identified for the application?   YES | NO | N/A
3b  If yes, please describe.
4a  What HCIS classification has been designated? (H-highly critical, C-critical, I-important, S-suspend).
    Refer to OA/OIT ITB SYM004-AR1 Policy for Establishing Alternate Processing Sites for Commonwealth Agencies for more information.
4b  Is there appropriate funding available for the designated classification?   YES | NO | N/A
4c  If not, please explain.
5   Have service level agreements (SLAs) been established for this system?   YES | NO | N/A
6   What ongoing program area support will be required and committed to the effort (following implementation)?
7   What ongoing BIIT support will be required and committed to the effort following implementation? This estimate should include system maintenance resources and help desk resources.
8   What internal and/or external forces may drive change to the implemented solution (i.e. annual update to federal regulations, upcoming or anticipated legislative mandates)?

6.11 Software as a Service (SaaS) (Responses will be reviewed by all teams)

ID Review Item Response

1   Which components of the system will be installed / configured by the vendor and which will be DOH’s responsibility?
2   Which components of the system will be supported by the vendor and which will be DOH’s responsibility?
3   If the system will be hosted by the vendor, what is the physical infrastructure and security to ensure secure use and maintenance of DOH data?
4   What are the hours of the vendor’s support?
5   Is there an extra charge for after business hours support?   YES | NO | N/A
6   How are fixes and/or patches provided to DOH?
7   How frequent are new releases / versions?
8a  Will the vendor provide training?   YES | NO | N/A
8b  If yes, what kind and how?
9a  How is the product/solution licensed?
9b  What are the annual maintenance fees?
9c  What is included with the annual maintenance fees?
9d  Is there any continued support after the license expires (e.g. updates)?   YES | NO | N/A
10a Are any other Commonwealth agencies using the product?   YES | NO | N/A
10b If yes, please describe any findings with reference to this product based on discussions with other Commonwealth agencies.
11  Are there any program or data library components that can be utilized or integrated with this product?   YES | NO | N/A
12a Are there any components or constraints of the product that restrict the ability to satisfy the documented functionality requirements for the application?   YES | NO | N/A
12b If yes, please describe.
13  Describe the methods which can be used to access the application.
14  If accessed by a web browser, describe any objects required to be downloaded by the user.
15  Will this application need to be accessible through the DOH Intranet, Internet or both?
16a Does the system use any automated workflows that electronically route documents or notify users?   YES | NO | N/A
16b If yes, please describe.
17a Does the system support on demand (ad-hoc) reporting?   YES | NO | N/A
17b If yes, please describe.
18  Describe the system’s security configuration (e.g. role-based, organizational, geographically).
19  What data security methods are employed to protect information entered into the system?
20  Describe the system’s scalability.
21a Will a data extraction process be established to produce static data files that can be used for statistical analysis and reporting purposes?   YES | NO | N/A
21b If yes, will a detailed data dictionary with coding definitions be provided with the data?   YES | NO | N/A
21c If yes, please explain the frequency at which the static data files will be produced.
22a At the end of the contract, will all of the data collected be transferred to the Pennsylvania Department of Health?   YES | NO | N/A
22b If yes, will a detailed data dictionary with coding definitions be included?   YES | NO | N/A
22c If yes, explain where the data will be housed and how it will be formatted and secured during the transfer.
23a Does the vendor supply source code to DOH?   YES | NO | N/A
23b If yes, can the software be placed in an escrow account that turns the source code over to the Commonwealth in the event the company goes out of business or drops support for the product?   YES | NO | N/A
24a Does the vendor have a model to estimate resource requirements for the recommended hardware configuration?   YES | NO | N/A
24b If yes, please describe.
25a Does the system’s database require System Administrator level access?   YES | NO | N/A
25b If yes, please explain why a lower level security role cannot be used.
