<Enter project name>
Architecture Review Checklist
(Inteneral/External Development Edition)
Prepared By:TAR Project #:
Date Submitted:
Document Version: / V 3.2
Document History
Version / Date / Author / Status / Revision Descriptions0.1 / Initial Draft
1.0 / First Published
1.7 / 05/31/07 / Connie Houck / Updated / Added new links to OA/OIT standards due to them moving to Aqualogic software
1.8 / 02/23/10 / William Miller / Updated / Added new questions to reflect adherence to development standards, SiteMinder, SOA, data dictionaries, and code reuse.
2.0 / 11/13/14 / Rae-Ann Ginter / Updated
2.1 / 01/30/15 / Rae-Ann Ginter / Updated / Included areas responsible for each domain
2.2 / 03/04/15 / Rae-Ann Ginter / Updated
2.3 / 07/09/15 / Rae-Ann Ginter / Updated / Removed broken link to strategic imperatives from PMO Domain and updated 2 links within the Network Domain.
2.4 / 6/15/16 / Brett Grumbine / Updated / Replaced all questions in the Security Domain as directed by the BIIT Security Officer.
2.5 / 9/22/16 / Scott Kister / Updated / Major revisions to reflect new APB processes. Updated to reflect changes based on project type.
2.6 / 9/28/16 / Scott Kister / Updated / Inclusion of revisions from ARB board members.
2.7 / 10/31/16 / Scott Kister / Updated / Updates to questions based on feedback from ARB members.
2.8 / 12/5/16 / Scott Kister / Updated / Updates to include questions specific to COTS/MOTS projects.
2.9 / 1/31/2017 / Scott Kister / Updated / Completed updates to include questions specific to development projects (intenal/external). Corrected all external links to OA ITP references.
3.0 / 3/22/17 / Scott Kister / Updated / Updated to include OA/OIT cloud service questions.
3.1 / 4/17/17 / Scott Kister / Updated / Clarified scope of Network Domain questions.
3.2 / 6/7/17 / C. Keith Frye / Updated / Deleted question 5 from Proj. Mgmt. section as $250K threshold is no longer OA criteria.
<enter project code & name> / Page 1 of 27 / Architecture Review Checklist
PA Department of Health / <enter sponsor dept or bureau name>
Table of Contents
1Purpose of This Document
2Acronyms
3System and Architecture Review Participant Information
4Project
4.1Technologies
4.2Hosting Location(s)
4.3IT Development Staff Requirements
4.4Long-Term Support Staff Requirements
5Project Summary
6Review Checklist
6.1Access Domain
6.2Application Domain
6.3Information Domain
6.4Integration Domain
6.5Network Domain
6.6Platform Domain
6.7Privacy Domain
6.8Project Management Domain
6.9Security Domain
6.10Systems Management Domain
1Purpose of This Document
The Department of Health has established technical standards to improve its ability to serve customers, use assets efficiently, and promote best practices. The objectives of the Architecture Review (AR) Checklist are:
- to raise awareness and understanding of the technical standards;
- to help ensure accurate collection of application standards compliance information;
- to assist in planning and resource projections for new and existing applications;
- to understand scalability and capacity requirements for ongoing system operations;
- to help identify opportunities to re-use business functions or technical components; and
- to ensure application design and development is complying with established technical standards and best practices.
The AR Checklist must be submitted to and approved by the DOH Architecture Review Board prior to starting application detailed design and/or proceeding with the procurement of a Commercial off the Shelf (COTS) or Software as a Service (SaaS) technology solution for projects that met architecture review criteria. A second architecture review may be required prior to beginning application development based on project scope. A final architecture review may be required prior to system promotion to a DOH production environment. The Architecture Review Board or project team may request additional architecture reviews as needed.
2Acronyms
<Provide all acronyms that may be used within this document.
Acronym / DefinitionADA / Application Developer Administrator
ARB / Architecture Review Board
CoPA / Commonwealth of Pennsylvania
ITP / Information Technology Policy
OA/OIT Standards /
System / Regarding the Privacy and Security domains, the term “system” applies to the primary computer application, sub-systems, data repositories and related processes.
MSL / Managed Service Lite
PACS / PA Compute Services
3System and Architecture Review Participant Information
System Name / ID:Date of 1st ARB Review Meeting:
Date of 2nd ARB Review Meeting:
Date of 3rd ARB Review Meeting:
Date of 4thARB Review Meeting:
ARB Meeting Participant Names
4Project
4.1Technologies
(Check all that apply)
Application Development / Server / Radio / IES / SAPDatabase – SQL Server / Security (not Telecom) / Desktop/Laptop/Tablet
Database – Oracle / Telecom – Data / GIS
Disaster Recovery / Telecom – Voice / Document Management
DOH Help Desk / Telecom – Security / Identity Management
Web/Domain Naming / Telecom – Video / Large Storage Requirements
DOH Network / Data Networking / Other
Mobile / Application Type / Specify:
Intranet
Internet
Client/Server
4.2Hosting Location(s)
(Check all that apply)
Herr Street / Managed Services / Cloud (Azure/Amazon, etc)PACS / Managed Services Lite
4.3IT Development StaffRequirements
(Check all that apply)
DOH BIIT / Contracted4.4Long-Term Support Staff Requirements
(Check all that apply)
DOH/BIIT / Contracted5Project Summary
<Provide an overview of the project history, objectives, and timeline. Include members and roles of the project team.
6Review Checklist
Please respond to the questions in all the applicable sub-sections. If a deliverable (or project document) is referenced in the Response, please upload the corresponding deliverable onto the ARB SharePoint site, along with the completed checklist.
6.1Access Domain
(Responses will be reviewed by all teams)
ID / Review Item / Response1 / How many total users need to be supported?
This estimate is to include both Department and external users of the application.
2 / Is external remote access required (e.g. VPN)? / YES | NO | N/A
3a / Does the system meet the minimum level for accessibility that PA has adopted to comply with Section 508 of the Rehabilitation Act §1194.22?
Refer to OA/OIT ITB—ACC001 IT Accessibility Policy for more information. / YES | NO | N/A
3b / If no, provide mitigation strategy.
4 / How many concurrent users will be accessing the system on average?
5 / How will user authentication/access be implemented (e.g. internal database tables, Keystone ID, Active Directory, etc.)?
6.2Application Domain
(Responses will be reviewed by ADA’s)
ID / Review Item / Response1 / What is the estimated life expectancy of the application (in years)?
2a / What load, performance testing, regression and software testing tools will be used on this project?
2b / Are these tools compliant with OA/OIT standards?
Refer to OA/OIT (ITP-APP014 Application Testing Tools Policy) for more information. / YES | NO | N/A
2c / If no, please explain.
3a / Are mobile technologies being leveraged with this project? / YES | NO | N/A
3b / If yes, what type? (iOS, Android, HTML5, etc.)
4 / If a website is being created, is a mobile-friendly version required? / YES | NO | N/A
5 / What server-side programming languages are used?
6a / Are these languages compliant with current OA/OIT standards? Refer to OA/OIT ITP-APP011 Application Development Languages)) for more information. / YES | NO | N/A
6b / If not, please explain.
7a / What client-side programming languages are used?
7b / Are these languages compliant with current OA/OIT standards? Refer to OA/OIT (ITP-APP011 Application Development Languages) for more information. / YES | NO | N/A
7c / If not, please explain.
8a / What software configuration management and change management tools will be used on this project?
8b / Are these tools compliant with OA/OIT standards? Refer to OA/OIT (ITP_APP018 - Software Configuration Management Tools) for more information. / YES | NO | N/A
8c / If not, please explain.
9a / Are messaging products used in this application? / YES | NO | N/A
9b / What messaging products are used in this application?
9c / Are these messaging products compliant with OA/OIT standards? Refer to OA/OIT ITP_INT001 - Message-Oriented Middleware) for more information. / YES | NO | N/A
9d / If not, please explain.
10a / Does this system have any web-based components? / YES | NO | N/A
10b / If yes, what web application server and /or web information server technologies will be used?
10c / Are these technologies compliant with “Current” OA/OIT standards? Refer to ITP-APP002 - Web Server/Application Server Standards for more information. / YES | NO | N/A
10d / If not, please explain.
11a / Does this application utilize search technology? / YES | NO | N/A
11b / If yes, what type?
11c / If this search technology is non-compliant with “Current” OA/OIT standards, please explain mitigation strategy. Refer to OA/OIT ITB-APP003 - Search Technology Standards for more information.
12a / Is the system easily scalable to meet projected increases in demand and/or usage? / YES | NO | N/A
12b / If yes, please elaborate.
13a / Are any components or functionality candidates for reuse in other systems or applications? To be general-purpose, it should have no business-specific logic embedded in it, and it should have no dependencies on other business-specific components. It should be a “drop-in” component. / YES | NO | N/A
13b / If so, please elaborate.
6.3Information Domain
(Responses will be reviewed by Health Informatics, Data Warehouse & Database teams)
ID / Review Item / Response1a / Have data retention requirements been identified? / YES | NO | N/A
1b / If yes, briefly explain the requirements.
2a / Has purge criteria been identified? / YES | NO | N/A
2b / If so, briefly explain the criteria and whether or not aggregate data will be retained after purge.
3a / Will a data dictionary be created for the system? / YES | NO | N/A
3b / If yes, explain where will it be stored and on what frequency will it be updated.
4a / Will any of the data collected be duplicative to other data items collected throughout the Department? / YES | NO | N/A
4b / If yes, explain if the application will utilize enterprise reference tables for common data.
5a / Have all reporting needs been identified? / YES | NO | N/A
5b / If yes, briefly explain the architecture of the reporting function.
6 / Have all data elements needed to satisfy the reporting requirements been identified? / YES | NO | N/A
7a / Will all reporting needs be satisfied through the new system being proposed? / YES | NO | N/A
7b / If no, please explain any report generation that will be done outside of the system.
8 / Has an ETL (Extract, Transform, Load) or similar process been setup for loading the data collected into the DOH Data Warehouse? / YES | NO | N/A
9 / Will the Department of Health own all of the data being collected? / YES | NO | N/A
10 / Will appropriate Department of Health staff members have direct access to the raw (record level) data. / YES | NO | N/A
11 / Does the project require data reporting that includes locational data (e.g. - latitude, longitude, county, minor civil division, census tract, census block group, etc.)? / YES | NO | N/A
12 / Does the project require locational data to be created and stored for internal and/or external reporting purposes? / YES | NO | N/A
13a / Does the project employ, or plan to employ, geospatial technologies, such as mapping or geocoding of address data? / YES | NO | N/A
13b / If yes, what technology will be utilized?
13c / Does this technology comply with OA/OIT and Department Standards?
Refer to the OA/OIT ITP_INFGT001 - Geospatial Information Systems (GIS) for more information. / YES | NO | N/A
13d / If not, please explain mitigation strategy.
14a / What database systems and versions are utilized?
14b / Are these database systems in compliance with OA/OIT standards? Refer to OA/OIT ITP-INF001 - Database Management Systems for more information. / YES | NO | N/A
15 / What database normalization standards will be employed in the creation of the database?
16a / Has a logical data model (Post Design Session) been completed? / YES | NO | N/A
16b / Does the data model comply with OA/OIT standards? Refer to OA/OIT ITP-INF003 - Data Modeling Standards for more information. / YES | NO | N/A
16c / If not, please explain mitigation strategy.
17a / Has a physical data model (Pre-Implementation Session) been completed? / YES | NO | N/A
17b / Does the data model comply with OA/OIT standards? Refer to OA/OIT ITP-INF003 - Data Modeling Standards for more information. / YES | NO | N/A
17c / If not, please explain mitigation strategy.
18a / Do all application data structures comply with OA/OIT and Department standards? Refer to OA/OIT for more information. / YES | NO | N/A
18b / If yes, please explain.
6.4Integration Domain
(Responses will be reviewed by ADA responsible for the project)
ID / Review Item / Response1 / Have all cross-system interface requirements been defined? / YES | NO | N/A
2 / Does the design support integration with other software products? / YES | NO | N/A
3a / Are middleware solutions being proposed for use by this system? / YES | NO | N/A
3b / If yes, please describe.
3c / If yes, does the proposed solution comply with OA/OIT standards?
Refer to OA/OIT (ITP_INT001 - Message-Oriented Middleware) for more information. / YES | NO | N/A
3d / If not, please explain.
4a / Is it anticipated that business partner data sharing will be required? / YES | NO | N/A
4b / If yes, will the utilization of the e-gov exchange process for business to business middleware be implemented?
6.5Network Domain
(Responses will be reviewed by the DOH Network Team)
ID / Review Item / Response1 / Will the existing DOH network architecture work to support this application? / YES | NO | N/A
2a / Is a wireless technology, such as 4G provided at DOH sites or Wi-Fi provided at DOH sites, required as part of this project? / YES | NO | N/A
2b / If yes, please explain.
2c / If yes, is this technology compliant with OA/OIT standards?
Refer to OA/OIT ITB-NET001 Wireless LAN Technology for more information. / YES | NO | N/A
3a / Are there data transfer requirements that could affect the throughput on the DOH network (such as offsite backups, data used for analytics, database synchronization if using app in standalone mode, etc.)? / YES | NO | N/A
3b / If yes, please explain.
4a / Are there any DOH firewall or network configuration changes required? / YES | NO | N/A
4b / If yes, please explain.
5a / Does new hardware, such as routers and /or switches, need to be purchased in order to support this project?
Equipment must comply with current OA/OIT standards and protocols. Refer to OA/OIT ITB-NET002 Network Router and Switch Technology Standards for more information. / YES | NO | N/A
5b / If YES, please explain.
6.6Platform Domain
(Responses will be reviewed by the DOH LAN team)
ID / Review Item / Response1a / What is/are the proposed host location(s) (PACS, MSL, DOH, cloud, etc.)? Specify all that apply.
1b / Is the necessary hosting environment documentation completed? / YES | NO | N/A
2 / Is the design compatible with Virtual Machine (VM) hosting? / YES | NO | N/A
3a / Will this initiative be utilizing a public cloud service? / YES | NO | N/A
3b / If YES, Cloud services must be fully vetted via an OA/OIT Service Request.
Has the proper service request been submitted to OA/OIT? / YES | NO | N/A
3c / If NO, Service Requests can be created using the online submission and tracking tool on the IT Central Enterprise Services page via the Service Gateway link. Click on the Service Request button, provide the requested information and choose "Professional Services: Cloud Service Use Case Review". The Cloud Services Team will be notified immediately.
4a / What server platform will the system require?
4b / Does the proposed server platform comply with current OA/OIT standards? / YES | NO | N/A
5a / What desktop platform will the system require?
5b / Does this desktop platform comply with the current OA/OIT standards?
Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standards for more information. / YES | NO | N/A
6a / What operating systems and versions are supported?
6b / Do these operating systems comply with current OA/OIT standards?
Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standardsfor more information. / YES | NO | N/A
7a / What web browsers are supported?
7b / Do these web browsers comply with OA/OIT standards?
Refer to OA/OIT ITB-PLT001 Desktop and Laptop Technology Standards for more information. / YES | NO | N/A
8a / Will the application or 3rd-party software tools be required to be installed? / YES | NO | N/A
8b / If yes, please specify.
6.7Privacy Domain
ID / Review Item / Response1a / Will system implementation, administration and management comply with all privacy series ITP’s that apply? / YES | NO | N/A
1b / If no, identify specific ITP’s, justification for non-compliance and compensating controls planned. (currently ITP-PRV001 and ITP-PRV002)
2a / Will system implementation, administration and management comply with all privacy-related Management Directives that apply? / YES | NO | N/A
2b / If no, identify the specific Management Directives, justification for non-compliance and compensating controls planned.
3a / Beyond CoPA ITP’s and Management Directives, do other privacy laws, regulations, legislation, executive orders, policies, agreements, standards, specifications obligations, MOU’s or other privacy-related governance requirements apply to the implementation, administration and management of system and data? / YES | NO | N/A
3b / If yes, identify specific laws, regulations, agreements, standards, etc.
4a / Beyond Commonwealth ITP’s and Management Directives, will system implementation, administration and management comply with all other privacy laws, regulations, legislation, executive orders, policies, agreements, standards, specifications, obligations, MOU’s or other privacy related governance requirements that apply? / YES | NO | N/A
4b / If no, identify the specific governance requirements, justification for non-compliance and compensating controls planned.
6.8Project Management Domain
(Responses will be reviewed by the Project Management Office)
ID / Review Item / Response1a / Have the required deliverables for this phase been completed, which includes the required business signoffs? / YES | NO | N/A
1b / If no, please explain.
2a / Have project status reporting and project logs been satisfactorily completed to this point? / YES | NO | N/A
2b / If no, please explain.
3a / Are there any existing major project decisions or interventions needed that are needed to keep this project on-track? / YES | NO | N/A
3b / If no, please explain.
4a / Are project communications and business participation meeting the plan and/or needs for the project? / YES | NO | N/A
4b / If no, please explain.
6.9Security Domain
(Responses will be reviewed by the DOH Security Team)
ID / Review Item / Response1a / Does the proposed solution comply with Commonwealth Information Technology Policies applicable to information security? / YES | NO | N/A
1b / If no, please explain.
2a / What other information security requirements apply for the protection of sensitive data, i.e., HIPAA, PCI, Act 148, etc.?
2b / Does the proposed solution comply with applicable security requirements? / YES | NO | N/A
2c / If no, please explain.
6.10Systems Management Domain
(Responses will be reviewed by ADA responsible for the project)
ID / Review Item / Response1 / What are the online availability requirements?
2a / Will system/application monitoring tools be utilized? / YES | NO | N/A
2b / If yes, please specify.
3a / Has a disaster recovery approach been identified for the application? / YES | NO | N/A
3b / If yes, please describe.
4a / What HCIS classification has been designated? (H-highly critical, C-critical, I-important, S-suspend).
Refer to OA/OIT ITB SYM004-AR1 Policy for Establishing Alternate Processing Sites for Commonwealth Agencies for more information.