ITSC Production Acceptance Criteria Guidelines

advertisement
GUIDELINES
Title:
ITSC Production Acceptance Criteria
Descriptors :
1)
2)
3)
4)
5)
Category :
Information Technology
Application Developers
IT Project Approval
Acceptance Criteria
IT Project Identification
IT Project Transition
Table of Contents
1
Intent ............................................................................................................................................... 2
2
Organisational Scope ...................................................................................................................... 2
3
Definitions ........................................................................................................................................ 3
4
Project Identification and Approvals ................................................................................................ 5
5
4.1
Project Details ......................................................................................................................... 5
4.2
Approvals ................................................................................................................................ 5
ITSC Acceptance Criteria ................................................................................................................ 6
5.1
Criteria for Architectural Considerations and Compliance ...................................................... 6
5.2
Criteria for IT Service Management Acceptance .................................................................... 7
5.3
Criteria for Operational Acceptance ........................................................................................ 9
5.4
Criteria for Ongoing Support Acceptance ............................................................................. 13
5.5
Criteria for Business Acceptance .......................................................................................... 14
Version 1.7.2
Page 1 of 15
1 Intent
The Production Acceptance Criteria is in place to protect the production environment when introducing change. It ensures that projects are aware of the criteria required
to be met when transitioning a change from development into the production environment.
The Production Acceptance Criteria can be seen as a tool for projects which identifies the project deliverables that are required to support the successful transition of the
change into production; specifically in terms of effective establishment and support of the ongoing operational environment to support the change.
2 Organisational Scope
The completion of the Production Acceptance Criteria will be required for the following changes:
 The introduction of any new IT Service; be this a new application or through the provision of other Service capabilities
 Major enhancement to an existing IT Service which results in a change to how the IT Service is managed when in normal operations i.e. an existing IT Service
has been changed to such an extent that its implementation needs to be viewed in the same way as the introduction of a new IT Service.
Typically, refreshes to the IT infrastructure components that make up an IT Service and major version upgrades of key application software would fall into this
category.
This document is issued as a template by the ITSC Program Management Office (PMO). It will be provided to the Project Manager on initiation of a project in response to
the project being registered with the ITSC PMO. The Production Acceptance Criteria must be planned in at the project initiation stage and not used solely as a checklist
at the end of the project.
Version 1.7.2
Page 2 of 15
3 Definitions
Business Continuity Plan (BCP)
A clearly defined and documented plan for use at the time
of an event/incident and/or crisis that disrupts the
business operations. Typically a plan will cover all the key
personnel, resources, services and actions required to
manage the incident through to resolution and restoration
of normal business operations.
Business System Owner
The senior executive of the enterprise unit responsible
and accountable for the system.
Change Advisory Board (CAB)
The body established under the Change and
Configuration process to review and approve changes to
production systems.
Change Management Process
The documented process for managing changes in
production applications and supporting technical
infrastructure. Each application must have a documented
process setting out how changes are to be managed and
approved.
ICT Policy
Formal Information and Communication Policy.
ICT Security Guidelines
Guidelines supporting the ICT Policy covering ICT
security.
IT Service
A Service provided to one or more Customers, by an IT
Service Provider. An IT Service is based on the use of
Information Technology and supports the Customer's
Business Process.
Project Board
The group representing the interests of the enterprise
including users and suppliers and provides overall
direction and management of the project. The Board is
chaired by the Project Executive, the senior executive with
ultimate accountability for the success of the project (also
known as the project sponsor) The role of the Project
Executive may be delegated as deemed appropriate by
the senior executive.
RFC
Request For Change. A formal proposal to implement the
Project into production. RFC record is raised in
ServiceNow and contains details of the proposed change.
Version 1.7.2
Page 3 of 15
Service Catalogue
The Service Catalogue is a module of ServiceNow. It
contains request-able items and services. All ECU staff
can access the Service Catalogue via a web interface
called the IT Services Kiosk.
ServiceNow
ServiceNow is a Service Management Tool built around
the ITIL framework. ECU uses Software as a Service
(SaaS)-based offering and currently has got the following
modules in place: Request, Incident, Problem, Change
and Service Catalogue.
User Acceptance Testing
(UAT)
Is an independent test developed, planned and performed
by users prior to accepting the delivered system,. It
focuses on the business fit of the system to the
organisation, rather than technical issues.
Vulnerability Testing
Using tools and processes to ensure that the security
implementation actually provides the protection that the
organisation requires and expects.
Version 1.7.2
Page 4 of 15
4 Project Identification and Approvals
4.1 Project Details
The following Project Board details are required to be documented:
Project Name
RFC Number
Sponsoring Organisation Unit
Project Executive
Senior Supplier(s)
Senior User(s)
Project Manager
4.2 Approvals
An approval for acceptance of the change to transition into production is provided by a number of stakeholders, each of which provides sign-off for their specific area
of control and responsibility:

Senior Managers in ITSC.
Represents the authority from ITSC that all areas within ITSC are prepared to accept the change and manage it ongoing as part of standard operations.
Project Manager and Project Executive.
Represents the authority from the project that the change is ready to be introduced.
Business System Owner.
Represents the authority from the Business that the Business areas are prepared to accept the change and manage ongoing. There may be more than one
Business System Owner where a change affects multiple Business Systems/Processes.


Approvals will be obtained by the Project Manager, with evidence of sign-off captured in this document. Once all approvals have been obtained the document is
required to be submitted by the Project Manager to the Change Advisory Board (CAB) to support the CAB’s decision for approving the implementation of the change.
Role
Sign Off
Date
Comment
Manager, Business
Systems Services
Manager, Strategy and
Planning
Manager, Information
Security
Business System Owner
Version 1.7.2
Page 5 of 15
Role
Sign Off
Date
Comment
Project Manager
Project Executive
Manager, IT Operations
5
ITSC Acceptance Criteria
As part of the formal process to transition from development into production ITSC must be satisfied that it and the business requirements are appropriately addressed.
It is not the intention that all questions must have a positive response. Where a question essentially has a negative response an explanation must be provided that
explains the reason why the response has been framed the way it has. The intention being that each question be addressed, considered and a response provided in
the context of the change under consideration. Provide references to the supporting documentation by specifying the document name and location.
5.1 Criteria for Architectural Considerations and Compliance
No.
Version 1.7.2
Acceptance Criteria
Applies to
Tier
Page 6 of 15
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
No.
1.
Applies to
Tier
Acceptance Criteria
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
Architectural Considerations & Compliance
The change has been assessed against the endorsed Architectural Principles and
Recommendation and conforms to all relevant architectural policies, standards,
processes and guidelines.
Example elements to consider;

The change has been endorsed through the established Technology
Governance process.

The change aligns to the overarching technology roadmap, established
domain strategies, Architectural Principles & Recommendations and that due
consideration has been given to the impact on business process and any
relevant legislative compliance.

The information leveraged within the technical service has been classified in
accordance with the Information Classification Scheme, the appropriate
Information Handling Guidelines have been considered, Data Standards have
been met and the Information Asset Register has been updated.

The change conforms to established technology standards (environment
standards, integration standards, platform standards, authentication
standards. etc.). Where an ECU standard does not exist, industry best
practice will be referenced.

Appropriate design artifacts must be provided and catalogued within the
Architecture repository. This should include current state logical architecture,
as built infrastructure design, information/data flow diagrams, data models,
business process maps, etc.

The technical and business fit and value assessment (component of the
Application Strategy) has been completed/reviewed.
Lead Architect
All
Yes / No
Strategy and
Planning –
Lead Architect.
Document Names and links to the document location:
……………………
Signature and date
5.2 Criteria for IT Service Management Acceptance
No.
Version 1.7.2
Acceptance Criteria
Applies
to Tier
Response
Page 7 of 15
Comment
(Mandatory if answering
‘No’)
Operational
Area to
Confirm
Confirmed by
2.
User acceptance testing (UAT) has been completed and the Senior User/Project
Executive has signed off on user acceptance testing.
New or enhanced IT Services must be accepted by the business through
formalized UAT in a controlled test environment (normally QA) prior to being
implemented into production.
All
Yes / No
Business
Systems
Services
(BSS)
Principal Systems
Analyst
Document Name and link to the document location:
……………………
Signature and date
3.
The ITSC Technical Services Register (TSR) has been updated with;

the new or enhanced IT Service,

A Business System Owner
Infrastructure Manager
The ITSC Technical Services Register is a record of all IT Services supported by
ITSC. Operations Senior Staff can assist with identifying appropriate data to be
added to the ITSC Technical Services Register for each IT Service.
A Business System Owner is the person in the business most appropriate to
sponsor ongoing management of the system. Note. Tier 0 IT Services generally
represent the shared infrastructure which supports a number of other IT Services.
In these cases a senior IT representative is assigned as the Business Owner.
Yes / No
……………………
Signature and date
All
ITSC Technical Services Register (TSR) location:
Yes / No
https://apps.ecu.edu.au/itsc/technical-service-register/login.php
4.
Operations
Business
Systems
Services
(BSS)
……………………
Signature and date
ServiceNow has been updated to include any new IT Service.
ServiceNow , the IT Service Management tool, needs to be configured to manage
any new IT Services through the standard support processes e.g. Incident,
Request, Problem Management, Change Management etc.
Manager, Customer
Service
All
Yes / No
Name of the document and link to the document location:
Operations –
Customer
Services
https://edithcowan.service-now.com/
5.
Principal Systems
Analyst
When implementing a new IT Service, maintenance, change windows acceptable
outage times, peak usage periods, after hours support expectations are agreed,
defined and communicated.
……………………
Signature and date
0, 1 & 2
Yes / No
For applications, change windows should be specified and recorded in the
Version 1.7.2
Page 8 of 15
Operations –
Customer
Services
Manager, Customer
Service
application’s wiki space. These should be set at a mutually agreed time as
specified by the Business System Owner.
Note. Tier 0 IT Services generally represent the shared infrastructure which
supports a number of other IT Services. In these cases (unless negotiated
differently) the change window will fall within the current extended Sunday morning
maintenance window.
……………………
Signature and date
This will be superseded by SLAs once they are in place.
Business
Systems
Services
(BSS)
Yes / No
Principal Systems
Analyst
……………………
Signature and date
Document Name and link to the document location:
Infrastructure Manager
Yes / No
Operations
……………………
Signature and date
6.
The appropriate software licenses have been purchased including the first year of
annual support and maintenance.
Ongoing costs needed to fund the license maintenance past the first year including
provision for any future license growth, have been calculated and included in
future budget planning documentation to assist the ongoing financial management
of software licensing.
Manager, Compliance
All
Compliance
Yes / No
Name of the TRIM folder and link to the document location:
……………………
Signature and date
5.3 Criteria for Operational Acceptance
No.
7.
Acceptance Criteria
Environments have been built and tested to enable the ongoing support and
development of the IT Service i.e. development and QA in addition to production, with
QA being production-like. Where an environment has not been built, specific approval for
this decision shall be provided.
Version 1.7.2
Applies to
Tier
Response
0, 1 & 2
Yes / No
Page 9 of 15
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Operations Infrastructure
Confirmed by
Infrastructure
Manager
No.
Acceptance Criteria
Applies to
Tier
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
Document Name and link to the document location:
……………………
Signature and date
8.
Environments have been built and tested to enable the ongoing support and
development of the IT Service i.e. QA in addition to production, with QA being
production-like. Where an environment has not been built, specific approval for this
decision shall be provided.
3+
Yes / No
Operations –
Infrastructure
Infrastructure
Manager
Document Name and link to the document location:
……………………
Signature and date
9.
System Recovery Documentation covering this IT Service exists and has undergone
successful Failover (where possible) and System Recovery Testing. The Business
System Owner, ITSC and RMAA have signed off on the Failover and System Recovery
Testing undertaken.
System Recovery Documentation/Testing should be performed as part of the design and
implementation process. The evidence for acceptance will be a completed System
Recovery Test Plan from the Senior Recovery Adviser.
0, 1 & 2
Yes / No
Compliance –
Data Recovery
Senior Recovery
Adviser
System Recovery Documentation can be found here:
https://wiki.it.ecu.edu.au/display/sysrec/System+Recovery
Document Name and link to the document location:
Version 1.7.2
……………………
Signature and date
Page 10 of 15
No.
10.
Acceptance Criteria
Applies to
Tier
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
System Recovery Documentation covering this IT Service exists and Backup & Restore
testing has been completed successfully.
This will evaluate the ability to recover data from failures leading to the loss or corruption
of data; and ability to restore from the last known backup.
The IT Infrastructure Systems team manages the backup system and can assist with
appropriately configuring backups.
All
Yes / No
Compliance –
Data Recovery
Senior Recovery
Adviser
Document Name and link to the document location:
……………………
Signature and date
11.
Data storage requirements have been assessed with respect to future growth. Future
growth estimates should be documented in the system documentation. This should take
into consideration all environments built i.e. development, QA and production.
Applications and Infrastructure teams take accountability for capacity planning. The final
sign-off would be from the Operations area.
Where the project’s implementation will see increased storage requirements, the project
will need to fund these storage requirements for the first 3 years.
All
Yes / No
Operations –
Infrastructure
Infrastructure
Manager
Document Name and link to the document location:
……………………
Signature and date
12.
Agreed system monitoring has been configured.
Generally, systems should be monitored with WhatsUp Gold or Zabbix Infrastructure
Systems Team and BSS application staff can assist with configuring this monitoring.
All
Yes / No
Operations –
Infrastructure
Infrastructure
Manager
Document Name and link to the document location:
……………………
Signature and date
Version 1.7.2
Page 11 of 15
No.
Acceptance Criteria
Applies to
Tier
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
13.
Performance Testing conducted to evaluate the requirements of a system to agreed
performance criteria e.g. expected response times met.
0, 1 & 2
Yes / No
Business
Systems
Services (BSS)
Principal Systems
Analyst
Document Name and link to the document location:
……………………
Signature and date
14.
Appropriate load testing has been performed and the system design is appropriate for
the load expected, including future growth.
The BSS & Operations teams can assist with load generation and test design.
0, 1 & 2
Yes / No
Business
Systems
Services (BSS)
Principal Systems
Analyst
Document Name and link to the document location:
……………………
Signature and date
15.
Impact on Data Warehouse have been assessed and addressed.
The data warehouse sources information from multiple systems. The process is data
sensitive and any changes to databases, data process/data flow and system related
changes such as upgrades might have an impact on the data warehouse and other
dependent systems.
Yes / No
Business
Systems
Services (BSS)
Document Name and link to the document location:
16.
……………………
Signature and date
The system has a documented and agreed infrastructure and application hardening and
patching process.
Document Name and link to the document location:
Manager,
Data Warehouse
Security Analyst
All
Yes / No
Information
Security
……………………
Signature and date
Version 1.7.2
Page 12 of 15
No.
17.
Acceptance Criteria
Applies to
Tier
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
The system has undergone vulnerability testing and is deemed to be appropriately
secured.
Project Manager will coordinate with Security Analyst – Operations to arrange the
testing. The request to do a vulnerability test should be managed through the Service
Catalogue with an online form that is work-flowed through the appropriate queues for
action and approval.
A vulnerability scan can be performed at any project stage.The final scan must be
completed after all software/applications have been installed on the system and a
change freeze is in place.
Security Analyst
All
Yes / No
Information
Security
The process will identify any known security vulnerabilities and may require negotiation
to resolve any outstanding issues. Please note outstanding security issues identified by
the vulnerability scan.
Document Name and link to the document location:
……………………
Signature and date
18.
The system conforms to the ICT Security Standards and Guidelines which are part of the
Information Technology Policy.
Refer to the Information Technology Policy
http://www.ecu.edu.au/GPPS/policies_db/policies_view.php?rec_id=0000000347
The criteria in this section cover some of the following security areas:

Account Management and Access Control

System Access and Use

Network Security Controls

Security of Third party Access
This will be superseded by a checklist that the project manager receives and addresses
as part of the delivery of the project.
Security Analyst
All
Information
Security
Yes / No
Document Name and link to the document location:
……………………
Signature and date
5.4 Criteria for Ongoing Support Acceptance
No
Version 1.7.2
Acceptance Criteria
Applies to
Tier
Page 13 of 15
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
No
Acceptance Criteria
Applies to
Tier
Response
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
18.
Confirmed by
Manager, Customer
Service
Handover to the ongoing support teams in ITSC has been completed. This will require
the Project Manager to proactively engage with all levels of support well in advance of
the implementation. Considers all aspects related to people, processes, tools and
partners.
Operations –
Customer
Services
Yes / No
This ensures that projects have considered, planned, engaged, communicated and
delivered on all aspects of the new or enhanced IT Service that are required to ensure
its ongoing management, operation and support within ITSC.
……………………
Signature and date
In particular the project will need to ensure that each support level within ITSC has been
provided with the necessary information to enable the smooth and effective transition of
the change into production and its ongoing support.

1st Level Support (IT Service Desk)
o

Business
Systems
Services
(BSS)
All
Yes / No
2nd Level Support (IT Campus Teams – Customer Support Officers)
o

Help Scripts, FAQs and Known Error workarounds for the new or enhanced IT
Service will need to be provided to the IT Service Desk to ensure that they are
equipped to effectively handle Incidents and Requests on day 1 of the
implementation.
Principal Systems
Analyst
Made aware of the change and any documentation or technical information that
may assist them when performing their role in direct contact with the customer.
……………………
Signature and date
3rd Level Support (Specialist support within the various ITSC teams)
o
Appropriate BSS, Infrastructure and IT Services staff should be trained in
operation and support of the IT Service/system being implemented. Generally,
support arrangements should be documented in the ITSC Technical Services
Register and if more complex, in a “service specific” area of the IT Wiki. Where
support involves a 3rd party vendor, the online support contact information form
available on the Wiki is required to be completed.
https://wiki.it.ecu.edu.au/display/uc/Home
Operations –
Infrastructure
Yes / No
Infrastructure
Manager
……………………
Signature and date
5.5 Criteria for Business Acceptance
No
19.
Acceptance Criteria
Business Continuity Plan (BCP) is in place to be used in situations where the IT system
is unavailable for whatever reason.
Applies to
Tier
Response
All
Yes / No
The Business System Owner must ensure that appropriate business continuity
Version 1.7.2
Page 14 of 15
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Business
System Owner
Confirmed by
……………………
Signature and date
No
Acceptance Criteria
Applies to
Tier
Response
All
Yes / No
Comment
(Mandatory if
answering ‘No’)
Operational
Area to
Confirm
Confirmed by
processes are in place in case this system fails.
ITSC Technical Services staff can help to determine what recovery time and point
objectives are achievable based on System Recovery Testing.
20.
Faculties, Schools and Centres that will be impacted by the Change are suitably
prepared to accept the Change by ensuring that all aspects of people, processes, tools
and partners have been considered.
This ensures that projects have considered, planned, engaged, communicated and
delivered to the business areas all aspects of the new or enhanced IT Service that will
impact them as part of its transition and ongoing use.
Version 1.7.2
Business
System Owner
……………………
Signature and date
Page 15 of 15
Download