ISSP-017 Technical Discovery Questionnaire
Information Technology

Purpose
The ISSP-017 Technical Discovery Form is used to identify key technical requirements for technology purchases. Completing this form will assist in ensuring that the product aligns with established guidelines as set forth by the University Technology Standards Board (UTSB) and technical areas, and that technical resources are available to support the product.

When is this form completed?
This form is to be completed prior to entering into an agreement to purchase technology that is considered an exception to standard technology purchases as defined in Technology Acquisition Policy 0-518.

Who should complete this questionnaire?
An IT technical lead, business analyst, or IT project manager should complete this form, working with a department representative planning to purchase the software and the vendor providing the product.

Upon completion, please send this form to Alex Campoe, campoe@usf.edu.

Form Version: Rev. 20150505

Contact Information

Information Technology Contact
This section is used to identify the IT representative responsible for completing this form. Examples of IT representatives include: an IT Lead, a Business Analyst, or an IT Project Manager. Include the request or project name.

IT Contact Name
Title
Department
USF System and/or Campus
☐ USF System  ☐ Tampa  ☐ Sarasota  ☐ St. Pete  ☐ USF Health
Request/Project Name

Requestor Information
This section is used to identify the requestor. The requestor is the department representative planning on purchasing the software product.

Requestor Name
Title
College or Department
USF System and/or Campus
☐ USF System  ☐ Tampa  ☐ Sarasota  ☐ St. Pete  ☐ USF Health

Vendor and Product Information
This section is used to identify the vendor and product information.
Vendor
Vendor Contact Name
Product Name
Product Description
Describe the product and how it will be used at USF.
Product Installation Site
☐ Hosted and maintained by USF Data Center
☐ Hosted and maintained by Cloud Computing Service provider
Product Website

Technical Discovery
This section is used to describe the data assets, risks, infrastructure, databases, integration, and application requirements of the proposed software.

I. Data Classification
This section is used to identify the asset owner and asset custodian. The Sensitivity and Criticality sections identify data confidentiality, integrity, and availability requirements in the context of the USF System Risk Assessment and Business Continuity. Details on each classification can be found within Information Technology policy ISSP001 – Sensitivity and Criticality of Data.

Asset Owner
Organizational unit responsible for the contract with the vendor and owns the data.

Asset Custodian
Organizational unit responsible for the operational management and maintenance of the system. For University enterprise applications, this is assigned to the IT department.

Sensitivity is directly related to the question: What would the repercussion be were the system and/or data exposed or altered by a third party in terms of Financial, Operational, Safety, or Reputation to the USF System?

An asset is considered restricted when access and/or modification of the data is limited. This would include systems containing data protected by FERPA, GLB, other Federal or State regulations, or University policies.

An asset is considered unrestricted when controls are not mandated by Federal or State regulations, University policies, or by the data owner.

☐ Restricted  ☐ Unrestricted

Criticality is related to the availability of the data and asks the question: What would happen if the system and/or data become unavailable?
An asset is considered essential if the loss of availability would cause immediate, severe repercussions for the University.

An asset is considered required when it is important to the campus; however, University operations could continue for a certain period of time, even if the data is not available.

An asset is considered deferrable if it is needed for optimal University operations but loss of availability would not cause major issues, and the asset can usually be rebuilt or reconstituted from other sources such as manual data input.

☐ Essential  ☐ Required  ☐ Deferrable

II. Networking
This section is used to describe networking requirements.

Expectations of network performance.
☐ Production  ☐ Test  ☐ Development

Application Usage Profile
Describe the usage profile including time of day, streaming vs. message based, and location distribution of users.

Bandwidth Requirements
Describe the anticipated bandwidth requirements including internet, data center, local campus, wireless, and research.

Application Load Balancing
Describe the application load balancing requirements.

Virtual Private Network
Describe the VPN requirements.

IP Addressing Requirements
Describe the IP addressing requirements for servers and clients, including private vs. public and static vs. dynamic.

Network Uplinks for Server/Appliance
☐ 1 Gbps  ☐ 10 Gbps  ☐ 100 Gbps  ☐ Single homed  ☐ Dual homed

III. Servers and Storage
This section is used to describe the server environments.

Server Environments
Depending on complexity, a separate server architecture document may be required.
☐ Production  ☐ Test  ☐ Development  ☐ Virtualization Supported

Number of servers required: ____________
☐ High Performance Computing

Operating System Information
Please specify the operating system and version required.
☐ Windows Server 2012 R2
☐ Red Hat Enterprise Linux
☐ Other (please specify)

Capacity and Scalability
Describe capacity requirements.
Disk requirements:
  Operating system:
  Data partitions:
Number of CPUs (per server): _______________
Memory required (per server): ______________

System Maintenance
☐ Use monthly patching schedules
☐ Custom patch schedule required (list)

Back-up and Back-up Retention
Describe the back-up and back-up retention schedule.
☐ No Backup Required
☐ Non-production (2 week retention)
☐ Production (60 day retention)
☐ Custom Backup Requirements (please provide details):

Business Continuity
If the criticality of data is listed as “Required” or “Essential” in Data Assets and Risk Management section, a Business Impact Analysis will be required and conducted separately.
☐ Business Impact Analysis Required

IV. Database Platform
This section is used to identify the database platform.

Database Platform (and version)
☐ Oracle  ☐ MS SQL  ☐ Other

Database Components
Describe any database components required beyond default installation.

Expected Database Growth on Disk
Percentage growth per month ______________

This section is used to identify database information for products hosted and maintained by a Cloud Computing Service Provider.

Back-up and Back-up Retention
Describe the database back-up and back-up retention schedule.

Remote Access to Cloud Database
Accessible from University site using nonproprietary tools for reporting and analysis.
☐ Yes  ☐ No

Patching Schedule
On what schedule are database vendor patch sets applied to the database.

V. Integration

i. Data Integration
This section is used to identify data integration requirements. Check all that apply*.

*The use of Social Security Numbers (SSNs) is restricted to specific organizational units.
These units are required to complete a rigorous security evaluation performed by the Office of Information Security.

☐ Social Security Numbers

☐ Student Data
Includes data such as grades, names, email addresses, Directory and Non-Directory information obtained automatically from OASIS, Canvas, DegreeWorks, or from the Data Warehouse. Do not check this box if the student is being prompted to enter this information.

☐ Employee Data
Includes data such as names, email addresses, position description, supervisor, or any other employee data extracted from GEMS or from the Data Warehouse. Do not check this box if the employee is being prompted to enter this information.

☐ Financial Data
Includes data such as travel information, purchasing, budget, financial aid, or any other financial data automatically extracted from FAST or from the Data Warehouse. Do not check this box if the user is being prompted to enter this information.

☐ Card ID Information
*Access to card ID number, classification, or picture must be authorized by Card Services.

☐ Payment Processing
Check if this software application will process credit card and/or other type of payments.

ii. Application Interface Methods
This section is used to identify Application Interface Methods.

API Protocols
☐ REST  ☐ SOAP  ☐ Other

File Transfer
☐ SFTP  ☐ Other

Database Connectivity
☐ ODBC  ☐ DB Links  ☐ VPN  ☐ Other

Data Transfer Frequency
☐ Nightly  ☐ Monthly  ☐ Real-time  ☐ On-demand  ☐ Other

VI. Software Application
This section is used to identify application upgrade and feature enhancement schedules.

Application Upgrades
☐ Monthly  ☐ Quarterly  ☐ Annually  ☐ No set schedule  ☐ Flexible

Feature Enhancements
☐ Monthly  ☐ Quarterly  ☐ Annually  ☐ No set schedule  ☐ Flexible

VII. Web Services
This section is used to identify Web Services compatibility features.

Content Management System
Software application considered a web Content Management System (CMS).
☐ Yes  ☐ No  ☐ Unknown

Web Browser Compatibility
If other, provide browser name.
☐ Firefox  ☐ Google Chrome  ☐ Internet Explorer  ☐ Other

Accessibility
☐ 508 Compliant

Emergency Communications
Hardware and/or software application expected to display USF System Emergency Announcements.
☐ Yes  ☐ No  ☐ Unknown

Responsive Design
Software application displays properly on a variety of mobile devices or desktops.
☐ Yes  ☐ No

Branding
Software application has ability to be branded per the USF branding standards. Visit www.usf.edu/brand to view standards. If other, please explain.
☐ Yes  ☐ No  ☐ Other

MyUSF/MyUSF Mobile
Software application accessible via MyUSF (portal) and/or MyUSF Mobile (official mobile app of USF). If yes, specify primary audience: students, faculty, staff, institution, etc.
☐ Yes  ☐ No

Social Media
Software application integration with Social Media channels (e.g. Facebook, Twitter, etc.).
☐ Yes  ☐ No  ☐ Unknown

Mobility
Software application considered a native mobile application.
☐ Yes  ☐ No  ☐ Unknown

VIII. Account Management
This section is used to identify account management procedures, including authentication mechanisms.

Check this box if the software will require user account credentials (login and password). NetID authentication is required for all multi-user systems.
☐ Account login and Account Management

Check all authentication mechanisms that are supported.
☐ JASIG / CAS  ☐ Shibboleth  ☐ Secure LDAP  ☐ Active Directory / ADFS  ☐ None of the above

IX. Reporting
This section is used to identify reporting tools.

☐ Check if reporting of data is required across applications.
☐ Check if custom report development including dashboards, scorecards and data visualization is required.

X. Product Support
This section is used to identify product support levels and availability.

Support Levels
☐ Self-service  ☐ 1st Level  ☐ 2nd Level  ☐ 3rd Level  ☐ Other

Product Support Hours of Operation

Service Level Agreements
Describe service level agreements.

XI. References
This section is used to list references that use this software application.

Provide a list of Higher Education institutions that use this software application.