GUIDELINES Title: ITSC Production Acceptance Criteria Descriptors : 1) 2) 3) 4) 5) Category : Information Technology Application Developers IT Project Approval Acceptance Criteria IT Project Identification IT Project Transition Table of Contents 1 Intent ............................................................................................................................................... 2 2 Organisational Scope ...................................................................................................................... 2 3 Definitions ........................................................................................................................................ 3 4 Project Identification and Approvals ................................................................................................ 5 5 4.1 Project Details ......................................................................................................................... 5 4.2 Approvals ................................................................................................................................ 5 ITSC Acceptance Criteria ................................................................................................................ 6 5.1 Criteria for Architectural Considerations and Compliance ...................................................... 6 5.2 Criteria for IT Service Management Acceptance .................................................................... 7 5.3 Criteria for Operational Acceptance ........................................................................................ 9 5.4 Criteria for Ongoing Support Acceptance ............................................................................. 13 5.5 Criteria for Business Acceptance .......................................................................................... 14 Version 1.7.2 Page 1 of 15 1 Intent The Production Acceptance Criteria is in place to protect the production environment when introducing change. It ensures that projects are aware of the criteria required to be met when transitioning a change from development into the production environment. The Production Acceptance Criteria can be seen as a tool for projects which identifies the project deliverables that are required to support the successful transition of the change into production; specifically in terms of effective establishment and support of the ongoing operational environment to support the change. 2 Organisational Scope The completion of the Production Acceptance Criteria will be required for the following changes: The introduction of any new IT Service; be this a new application or through the provision of other Service capabilities Major enhancement to an existing IT Service which results in a change to how the IT Service is managed when in normal operations i.e. an existing IT Service has been changed to such an extent that its implementation needs to be viewed in the same way as the introduction of a new IT Service. Typically, refreshes to the IT infrastructure components that make up an IT Service and major version upgrades of key application software would fall into this category. This document is issued as a template by the ITSC Program Management Office (PMO). It will be provided to the Project Manager on initiation of a project in response to the project being registered with the ITSC PMO. The Production Acceptance Criteria must be planned in at the project initiation stage and not used solely as a checklist at the end of the project. Version 1.7.2 Page 2 of 15 3 Definitions Business Continuity Plan (BCP) A clearly defined and documented plan for use at the time of an event/incident and/or crisis that disrupts the business operations. Typically a plan will cover all the key personnel, resources, services and actions required to manage the incident through to resolution and restoration of normal business operations. Business System Owner The senior executive of the enterprise unit responsible and accountable for the system. Change Advisory Board (CAB) The body established under the Change and Configuration process to review and approve changes to production systems. Change Management Process The documented process for managing changes in production applications and supporting technical infrastructure. Each application must have a documented process setting out how changes are to be managed and approved. ICT Policy Formal Information and Communication Policy. ICT Security Guidelines Guidelines supporting the ICT Policy covering ICT security. IT Service A Service provided to one or more Customers, by an IT Service Provider. An IT Service is based on the use of Information Technology and supports the Customer's Business Process. Project Board The group representing the interests of the enterprise including users and suppliers and provides overall direction and management of the project. The Board is chaired by the Project Executive, the senior executive with ultimate accountability for the success of the project (also known as the project sponsor) The role of the Project Executive may be delegated as deemed appropriate by the senior executive. RFC Request For Change. A formal proposal to implement the Project into production. RFC record is raised in ServiceNow and contains details of the proposed change. Version 1.7.2 Page 3 of 15 Service Catalogue The Service Catalogue is a module of ServiceNow. It contains request-able items and services. All ECU staff can access the Service Catalogue via a web interface called the IT Services Kiosk. ServiceNow ServiceNow is a Service Management Tool built around the ITIL framework. ECU uses Software as a Service (SaaS)-based offering and currently has got the following modules in place: Request, Incident, Problem, Change and Service Catalogue. User Acceptance Testing (UAT) Is an independent test developed, planned and performed by users prior to accepting the delivered system,. It focuses on the business fit of the system to the organisation, rather than technical issues. Vulnerability Testing Using tools and processes to ensure that the security implementation actually provides the protection that the organisation requires and expects. Version 1.7.2 Page 4 of 15 4 Project Identification and Approvals 4.1 Project Details The following Project Board details are required to be documented: Project Name RFC Number Sponsoring Organisation Unit Project Executive Senior Supplier(s) Senior User(s) Project Manager 4.2 Approvals An approval for acceptance of the change to transition into production is provided by a number of stakeholders, each of which provides sign-off for their specific area of control and responsibility: Senior Managers in ITSC. Represents the authority from ITSC that all areas within ITSC are prepared to accept the change and manage it ongoing as part of standard operations. Project Manager and Project Executive. Represents the authority from the project that the change is ready to be introduced. Business System Owner. Represents the authority from the Business that the Business areas are prepared to accept the change and manage ongoing. There may be more than one Business System Owner where a change affects multiple Business Systems/Processes. Approvals will be obtained by the Project Manager, with evidence of sign-off captured in this document. Once all approvals have been obtained the document is required to be submitted by the Project Manager to the Change Advisory Board (CAB) to support the CAB’s decision for approving the implementation of the change. Role Sign Off Date Comment Manager, Business Systems Services Manager, Strategy and Planning Manager, Information Security Business System Owner Version 1.7.2 Page 5 of 15 Role Sign Off Date Comment Project Manager Project Executive Manager, IT Operations 5 ITSC Acceptance Criteria As part of the formal process to transition from development into production ITSC must be satisfied that it and the business requirements are appropriately addressed. It is not the intention that all questions must have a positive response. Where a question essentially has a negative response an explanation must be provided that explains the reason why the response has been framed the way it has. The intention being that each question be addressed, considered and a response provided in the context of the change under consideration. Provide references to the supporting documentation by specifying the document name and location. 5.1 Criteria for Architectural Considerations and Compliance No. Version 1.7.2 Acceptance Criteria Applies to Tier Page 6 of 15 Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by No. 1. Applies to Tier Acceptance Criteria Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by Architectural Considerations & Compliance The change has been assessed against the endorsed Architectural Principles and Recommendation and conforms to all relevant architectural policies, standards, processes and guidelines. Example elements to consider; The change has been endorsed through the established Technology Governance process. The change aligns to the overarching technology roadmap, established domain strategies, Architectural Principles & Recommendations and that due consideration has been given to the impact on business process and any relevant legislative compliance. The information leveraged within the technical service has been classified in accordance with the Information Classification Scheme, the appropriate Information Handling Guidelines have been considered, Data Standards have been met and the Information Asset Register has been updated. The change conforms to established technology standards (environment standards, integration standards, platform standards, authentication standards. etc.). Where an ECU standard does not exist, industry best practice will be referenced. Appropriate design artifacts must be provided and catalogued within the Architecture repository. This should include current state logical architecture, as built infrastructure design, information/data flow diagrams, data models, business process maps, etc. The technical and business fit and value assessment (component of the Application Strategy) has been completed/reviewed. Lead Architect All Yes / No Strategy and Planning – Lead Architect. Document Names and links to the document location: …………………… Signature and date 5.2 Criteria for IT Service Management Acceptance No. Version 1.7.2 Acceptance Criteria Applies to Tier Response Page 7 of 15 Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by 2. User acceptance testing (UAT) has been completed and the Senior User/Project Executive has signed off on user acceptance testing. New or enhanced IT Services must be accepted by the business through formalized UAT in a controlled test environment (normally QA) prior to being implemented into production. All Yes / No Business Systems Services (BSS) Principal Systems Analyst Document Name and link to the document location: …………………… Signature and date 3. The ITSC Technical Services Register (TSR) has been updated with; the new or enhanced IT Service, A Business System Owner Infrastructure Manager The ITSC Technical Services Register is a record of all IT Services supported by ITSC. Operations Senior Staff can assist with identifying appropriate data to be added to the ITSC Technical Services Register for each IT Service. A Business System Owner is the person in the business most appropriate to sponsor ongoing management of the system. Note. Tier 0 IT Services generally represent the shared infrastructure which supports a number of other IT Services. In these cases a senior IT representative is assigned as the Business Owner. Yes / No …………………… Signature and date All ITSC Technical Services Register (TSR) location: Yes / No https://apps.ecu.edu.au/itsc/technical-service-register/login.php 4. Operations Business Systems Services (BSS) …………………… Signature and date ServiceNow has been updated to include any new IT Service. ServiceNow , the IT Service Management tool, needs to be configured to manage any new IT Services through the standard support processes e.g. Incident, Request, Problem Management, Change Management etc. Manager, Customer Service All Yes / No Name of the document and link to the document location: Operations – Customer Services https://edithcowan.service-now.com/ 5. Principal Systems Analyst When implementing a new IT Service, maintenance, change windows acceptable outage times, peak usage periods, after hours support expectations are agreed, defined and communicated. …………………… Signature and date 0, 1 & 2 Yes / No For applications, change windows should be specified and recorded in the Version 1.7.2 Page 8 of 15 Operations – Customer Services Manager, Customer Service application’s wiki space. These should be set at a mutually agreed time as specified by the Business System Owner. Note. Tier 0 IT Services generally represent the shared infrastructure which supports a number of other IT Services. In these cases (unless negotiated differently) the change window will fall within the current extended Sunday morning maintenance window. …………………… Signature and date This will be superseded by SLAs once they are in place. Business Systems Services (BSS) Yes / No Principal Systems Analyst …………………… Signature and date Document Name and link to the document location: Infrastructure Manager Yes / No Operations …………………… Signature and date 6. The appropriate software licenses have been purchased including the first year of annual support and maintenance. Ongoing costs needed to fund the license maintenance past the first year including provision for any future license growth, have been calculated and included in future budget planning documentation to assist the ongoing financial management of software licensing. Manager, Compliance All Compliance Yes / No Name of the TRIM folder and link to the document location: …………………… Signature and date 5.3 Criteria for Operational Acceptance No. 7. Acceptance Criteria Environments have been built and tested to enable the ongoing support and development of the IT Service i.e. development and QA in addition to production, with QA being production-like. Where an environment has not been built, specific approval for this decision shall be provided. Version 1.7.2 Applies to Tier Response 0, 1 & 2 Yes / No Page 9 of 15 Comment (Mandatory if answering ‘No’) Operational Area to Confirm Operations Infrastructure Confirmed by Infrastructure Manager No. Acceptance Criteria Applies to Tier Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by Document Name and link to the document location: …………………… Signature and date 8. Environments have been built and tested to enable the ongoing support and development of the IT Service i.e. QA in addition to production, with QA being production-like. Where an environment has not been built, specific approval for this decision shall be provided. 3+ Yes / No Operations – Infrastructure Infrastructure Manager Document Name and link to the document location: …………………… Signature and date 9. System Recovery Documentation covering this IT Service exists and has undergone successful Failover (where possible) and System Recovery Testing. The Business System Owner, ITSC and RMAA have signed off on the Failover and System Recovery Testing undertaken. System Recovery Documentation/Testing should be performed as part of the design and implementation process. The evidence for acceptance will be a completed System Recovery Test Plan from the Senior Recovery Adviser. 0, 1 & 2 Yes / No Compliance – Data Recovery Senior Recovery Adviser System Recovery Documentation can be found here: https://wiki.it.ecu.edu.au/display/sysrec/System+Recovery Document Name and link to the document location: Version 1.7.2 …………………… Signature and date Page 10 of 15 No. 10. Acceptance Criteria Applies to Tier Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by System Recovery Documentation covering this IT Service exists and Backup & Restore testing has been completed successfully. This will evaluate the ability to recover data from failures leading to the loss or corruption of data; and ability to restore from the last known backup. The IT Infrastructure Systems team manages the backup system and can assist with appropriately configuring backups. All Yes / No Compliance – Data Recovery Senior Recovery Adviser Document Name and link to the document location: …………………… Signature and date 11. Data storage requirements have been assessed with respect to future growth. Future growth estimates should be documented in the system documentation. This should take into consideration all environments built i.e. development, QA and production. Applications and Infrastructure teams take accountability for capacity planning. The final sign-off would be from the Operations area. Where the project’s implementation will see increased storage requirements, the project will need to fund these storage requirements for the first 3 years. All Yes / No Operations – Infrastructure Infrastructure Manager Document Name and link to the document location: …………………… Signature and date 12. Agreed system monitoring has been configured. Generally, systems should be monitored with WhatsUp Gold or Zabbix Infrastructure Systems Team and BSS application staff can assist with configuring this monitoring. All Yes / No Operations – Infrastructure Infrastructure Manager Document Name and link to the document location: …………………… Signature and date Version 1.7.2 Page 11 of 15 No. Acceptance Criteria Applies to Tier Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by 13. Performance Testing conducted to evaluate the requirements of a system to agreed performance criteria e.g. expected response times met. 0, 1 & 2 Yes / No Business Systems Services (BSS) Principal Systems Analyst Document Name and link to the document location: …………………… Signature and date 14. Appropriate load testing has been performed and the system design is appropriate for the load expected, including future growth. The BSS & Operations teams can assist with load generation and test design. 0, 1 & 2 Yes / No Business Systems Services (BSS) Principal Systems Analyst Document Name and link to the document location: …………………… Signature and date 15. Impact on Data Warehouse have been assessed and addressed. The data warehouse sources information from multiple systems. The process is data sensitive and any changes to databases, data process/data flow and system related changes such as upgrades might have an impact on the data warehouse and other dependent systems. Yes / No Business Systems Services (BSS) Document Name and link to the document location: 16. …………………… Signature and date The system has a documented and agreed infrastructure and application hardening and patching process. Document Name and link to the document location: Manager, Data Warehouse Security Analyst All Yes / No Information Security …………………… Signature and date Version 1.7.2 Page 12 of 15 No. 17. Acceptance Criteria Applies to Tier Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by The system has undergone vulnerability testing and is deemed to be appropriately secured. Project Manager will coordinate with Security Analyst – Operations to arrange the testing. The request to do a vulnerability test should be managed through the Service Catalogue with an online form that is work-flowed through the appropriate queues for action and approval. A vulnerability scan can be performed at any project stage.The final scan must be completed after all software/applications have been installed on the system and a change freeze is in place. Security Analyst All Yes / No Information Security The process will identify any known security vulnerabilities and may require negotiation to resolve any outstanding issues. Please note outstanding security issues identified by the vulnerability scan. Document Name and link to the document location: …………………… Signature and date 18. The system conforms to the ICT Security Standards and Guidelines which are part of the Information Technology Policy. Refer to the Information Technology Policy http://www.ecu.edu.au/GPPS/policies_db/policies_view.php?rec_id=0000000347 The criteria in this section cover some of the following security areas: Account Management and Access Control System Access and Use Network Security Controls Security of Third party Access This will be superseded by a checklist that the project manager receives and addresses as part of the delivery of the project. Security Analyst All Information Security Yes / No Document Name and link to the document location: …………………… Signature and date 5.4 Criteria for Ongoing Support Acceptance No Version 1.7.2 Acceptance Criteria Applies to Tier Page 13 of 15 Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by No Acceptance Criteria Applies to Tier Response Comment (Mandatory if answering ‘No’) Operational Area to Confirm 18. Confirmed by Manager, Customer Service Handover to the ongoing support teams in ITSC has been completed. This will require the Project Manager to proactively engage with all levels of support well in advance of the implementation. Considers all aspects related to people, processes, tools and partners. Operations – Customer Services Yes / No This ensures that projects have considered, planned, engaged, communicated and delivered on all aspects of the new or enhanced IT Service that are required to ensure its ongoing management, operation and support within ITSC. …………………… Signature and date In particular the project will need to ensure that each support level within ITSC has been provided with the necessary information to enable the smooth and effective transition of the change into production and its ongoing support. 1st Level Support (IT Service Desk) o Business Systems Services (BSS) All Yes / No 2nd Level Support (IT Campus Teams – Customer Support Officers) o Help Scripts, FAQs and Known Error workarounds for the new or enhanced IT Service will need to be provided to the IT Service Desk to ensure that they are equipped to effectively handle Incidents and Requests on day 1 of the implementation. Principal Systems Analyst Made aware of the change and any documentation or technical information that may assist them when performing their role in direct contact with the customer. …………………… Signature and date 3rd Level Support (Specialist support within the various ITSC teams) o Appropriate BSS, Infrastructure and IT Services staff should be trained in operation and support of the IT Service/system being implemented. Generally, support arrangements should be documented in the ITSC Technical Services Register and if more complex, in a “service specific” area of the IT Wiki. Where support involves a 3rd party vendor, the online support contact information form available on the Wiki is required to be completed. https://wiki.it.ecu.edu.au/display/uc/Home Operations – Infrastructure Yes / No Infrastructure Manager …………………… Signature and date 5.5 Criteria for Business Acceptance No 19. Acceptance Criteria Business Continuity Plan (BCP) is in place to be used in situations where the IT system is unavailable for whatever reason. Applies to Tier Response All Yes / No The Business System Owner must ensure that appropriate business continuity Version 1.7.2 Page 14 of 15 Comment (Mandatory if answering ‘No’) Operational Area to Confirm Business System Owner Confirmed by …………………… Signature and date No Acceptance Criteria Applies to Tier Response All Yes / No Comment (Mandatory if answering ‘No’) Operational Area to Confirm Confirmed by processes are in place in case this system fails. ITSC Technical Services staff can help to determine what recovery time and point objectives are achievable based on System Recovery Testing. 20. Faculties, Schools and Centres that will be impacted by the Change are suitably prepared to accept the Change by ensuring that all aspects of people, processes, tools and partners have been considered. This ensures that projects have considered, planned, engaged, communicated and delivered to the business areas all aspects of the new or enhanced IT Service that will impact them as part of its transition and ongoing use. Version 1.7.2 Business System Owner …………………… Signature and date Page 15 of 15