In the Implement stage of the project the proper transition of the application and technical infrastructure, along with strong client engagement are crucial to the success of the project.
From a technical perspective, the Internal Security Assessment (ISA) review should be completed by EA SDI after all testing by the client has been signed-off (typically completed in the Execute stage). This signals that development is over and there are no coding changes pending. After the ISA response is addressed (e.g. all issues from that report resolved) a Vulnerability Assessment (VA) can then be completed (if required). It is recommended that all outstanding issues from the VA be resolved (or deviations signed off) in order to move forward with the rollout of the application.
In order to ensure client buy-in, user acceptance and sign-off of the test results is needed. End-user training and support resource training may also need to be performed. A large number of other deliverables are required to be completed in this stage before the application and / or technical infrastructure can be transitioned to the support groups and the Go Live can be scheduled. For custom build projects, Source Code Handover should also be finalized and signed-off (as necessary). Transitioning to AIMS and O&S can only occur in a timely and appropriate manner if all predecessor tasks are completed.
O&S will accept support for technical infrastructure once the Operational Readiness Checklist is signed off (there is no need for a transition period). If possible, EA SDI encourages the transition of the technical infrastructure to O&S immediately before / at go-live so adequate up front discussion with EA SDI is required to ensure the Operational Readiness Checklist activities are accounted for in the plan. For application support, typically, there is a 30-day transition period at Go-Live (as mentioned, for some projects, a stabilization period occurs at go-live prior to the transition period commencing) where AIMS will be tier 1 for application issues and the project team will be available during the transition period for backup support.
A detailed Go Live Communication should be sent to all impacted stakeholders (see template for instructions).
Important Note: There is inherent risk to the OCIO and the client if a solution is released to the users without the proper production support in place. For this reason, if the PM wishes to close the project without the technical infrastructure transfer of all environments to O&S, approval from the Executive Director of Corporate Services & Projects is required. The DM and Director should be consulted before seeking this approval.
Internal Security Assessment (ISA)
The PM will require the assistance of the EA SDI group to complete this activity (Nessus infrastructure scans). Although the timeline between requesting the ISA and receiving a report from the SDI group usually takes only 3-4 days, the PM should allow for two weeks in the project plan during the Implement stage to resolve any issues highlighted in the Internal Security Assessment report.
As detailed in the Transition Agreement, all servers in all environments should be transitioned from the EA division to the O&S branch for long-term support by the end of the transition period (ideally, technical infrastructure support is transitioned to O&S shortly before Go-Live). The O&S branch will not allow the servers to transition if there are issues outstanding from the ISA report. Also note that if a VA is required, it should not be performed until the ISA is completed.
Request for Change (RFC) – Corporate Services & Projects
All changes to production related environments will go through the CS&P Change Coordinator (CS&PCC) and will follow the OCIO change management process. A meeting with the CS&PCC is recommended once a project team begins planning a Request for Change (RFC). The CS&PCC is responsible for facilitating the change and the project team is responsible for liaising with all required resources to ensure a successful RFC execution. The CS&PCC will monitor the request and represent the RFC at the OCIO Change Advisory Board (CAB) meeting, if required. Note that not all changes will need to be reviewed by CAB. Contact the CS&PCC for further information.
Normal Request for Change (RFC)
It is important to plan accordingly when submitting an RFC: there is a five (5) day change window required from the time of RFC submission to the start of the change window, with a Change Advisory Board Meeting somewhere within those five days to review the request.
The RFC will detail the resources and tasks required to implement the requested change. If the change requires OCIO resource(s) external to the project team such as O&S and/or AIMS then the PM is responsible for contacting the required resource(s) and confirming their availability for the scheduled time.
The SDI group manages requests for changes to firewall rules. The PM should schedule a meeting with the SDI group to discuss the request and to determine the amount of lead time required, as this will vary depending on the type of change being requested.
Requests to implement a change in less than the five (5) day window will require the completion of an Expedited Request form. The level of approval required to proceed with the change will depend on the requested implementation date.
It is recommended that an RFC form be completed for all production changes, from which SM7 tickets will be created and then processed. The CS&PCC will keep the PM updated on ticket status throughout the process.
|Chart of Authorities (COA)|
|COA Template (132 KB)||Personnel Table (124 KB)||Instructions (137 KB)|
|COA – GNL Static Website Template (135 KB)||COA – Secure Server Template (132 KB)|
- Application Build Book Template (55 KB)
- Application Quality Assurance Checklist Template (64 KB)
- Client Acceptance Form Template (50 KB)
- Database Build Book Template (56 KB)
- Disaster Recovery Plan Template (76 KB)
- Go Live Communication Template (53 KB) Updated: 2017-12
- Internal Security Assessment Report Response New: 2017-06
- Operational Procedure Manual (OPM) Template (62 KB)
- Post Implementation Support Plan Template (56 KB)
- Vendor Supported Server Build Book Template (Request from EA SDI or Operations and Security Prime)
- Service Desk Support Guide Template (66 KB)
- Source Code Handover Template
- Vulnerability Assessment FAQs (86 KB)
Note: PMs should review their project’s Deliverables Matrix to understand which of the above deliverables are mandatory for their project (deliverable requirements are dependent on project type, size, etc.). The Preliminary Deliverables Matrix is initially completed by the Project Management Office (PMO) in the Initiate stage and PMs should request the PMO complete the Finalized Deliverables Matrix at the end of the Analysis stage (in the event the project type and/or size has changed). PMs are also encouraged to contact the PMO if they feel a deliverable listed as mandatory is not relevant (e.g. eligible for an exemption).
Adobe® Acrobat® Reader software can be used for viewing PDF documents. Download Acrobat® Reader for free .