APPENDIX D. Questions from Technical Architecture Review Committee


Last updated September 27, 2014.

1. Functional purpose

  1. What is the functional purpose to be served by this design?
  2. Is this one element of a suite that together achieves the purpose?
  3. Are there particular use cases that especially shape the design? Please describe them.
  4. What are the overall system availability and time to recover requirements?
  5. What's the expected life cycle for the system to be built?
  6. Does this replace something else?
  7. Does it overlap with something else?

2. Data management, data security, and data retention

  1. What data must be provided from systems external to this design?
  2. What data will be provided by this system to systems external to it?
  3. By what technical means will data move into and out of the system?
  4. How sensitive is any of this data? Is any subject to specific compliance requirements?
  5. How will data be protected, both at rest and in transit?
  6. Are there specific retention requirements for any of the data produced by this design?
  7. Are the stewards of this data involved in the design process?
  8. Has a data usage agreement been prepared?
  9. If the data is going to be used outside the US borders, are there any restrictions, laws, policies, or practices that should be considered?

3. Users and access management

  1. Who are the intended users of this system? Are they all UChicago people (including UC Medical Center)?
  2. Will any VIPs be among the users? Senior faculty?
  3. What credentials will be used? How will non-UChicago people access the system?
  4. What authentication technology will be used, and how will the system be protected by it?
  5. Are there different roles (sets of access privileges) that a user may have with this system? How will those be managed?
  6. Will you use Shibboleth?
  7. Will you use Grouper?
  8. Are there requirements for user audit (a record of who took which management action when) or point-in-time audit (what did things look like at a given time in the past)?

4. Client environment

  1. What technologies will users use to interact with the system?
  2. What platforms (desktop, laptop, mobile) are to be supported?
  3. Must client software be distributed and maintained in this design?
  4. What requirements must the client environment meet?
  5. How will security of the client software be validated?
  6. Are there any export laws or sourcing requirements for technology that is being considered for use outside the US?

5. Hosting requirements

  1. Servers & storage
    1. What set of servers with what operating systems are needed by the design?
    2. Will all servers be virtual? (And if a vendor supplied system, does the vendor support the system in a virtualized environment?)
    3. What are the storage, backup, and restoration requirements and how will those be met?
    4. Capacity planning and modeling? What’s the test plan to validate the ability to meet the required capacity?
    5. Performance goals?
  2. Databases
    1. What database technologies and versions will be used in the design?
    2. How many databases will be used, with what operational requirements (size, auditing, redundancy, etc.)?
    3. What is the average number of concurrent users?
    4. Are there any character set requirements?
    5. Is access to the database server required?
    6. What are the availability requirements?
    7. What is the maintenance window?
    8. Are there database options required as part of the install?
    9. What are the backup retention requirements?
    10. Will the database contain sensitive data?
  3. Platforms & Middleware
    1. What middleware technologies will be used in the design, e.g., application servers, .NET, web servers, integration brokers, ESBs, web services, etc.?
    2. Will this system be hosted on an existing in-house platform such as K-split?
    3. Does the design include or depend on Application Service Providers, SaaS, IaaS, PaaS, or any other sort of services operated externally to UChicago? Please describe.
    4. If not covered above, please describe how this system will leverage any existing infrastructure services operated by IT Services. Also, please identify any infrastructure service needs of the design that are not met by current ITS operated infrastructure services.

6. Network requirements

  1. Performance and functional requirements
    1. What will be the footprint on the network, i.e., number of physical ports, interface type and speed?
    2. What are the estimated bandwidth, latency, and jitter requirements?
    3. What load balancing requirements are there?
    4. Is a proxy of any sort (OSI layer 3 and upwards) needed (e.g., VPN, ssh bastion, port forwarding, HTTP proxy or reverse proxy)?
    5. Is the physical architecture documented?
  2. Firewall requirements
    1. What set of ports will provide user access (use placeholder IP addresses if they are not already assigned)?
    2. What set of ports will provide administrative access?
    3. What set of ports will provide access to back-end services such as storage, database servers, system monitoring, system management, syslog server, etc.?
    4. Who, either specifically or by role, will be authoritative for identifying the users permitted through firewalls to access user-facing ports?

7. Monitoring, metrics, and logging

  1. What metrics are needed for capacity planning, diagnostic, availability, and usage tracking needs?
  2. How will the system be monitored or instrumented to produce those metrics?
  3. What Key Performance Indicators are defined for the system, i.e., targets for performance, availability, etc.?
  4. What is the expected load in terms of concurrent users, transaction volume, etc.?
  5. What are the issues that will need ongoing governance to address, and what are the KPIs and metrics needed to enable those decision processes?
  6. What monitoring is needed to ensure the security and integrity of the system?

8. Reporting

  1. Are there particular reporting requirements?
  2. Does the design include appropriate integration with ITS operated business intelligence or reporting services?
  3. Have data confidentiality, classification, and sensitivity been considered in the reporting requirements?
  4. What type of authorization will be used to ensure that data confidentiality is preserved where needed?

9. Workflow

  1. What workflow requirements are implemented by the design, and how?
  2. Are there business process implications that will be impacted by the technology, and vice versa?
  3. Is a new workflow engine being added where an existing one might be utilized?

10. Other dependencies and integrations

  1. What co-requisites or dependencies are integral to the design that have not been mentioned above? E.g., email, VoIP, SharePoint, webshare, IM, etc.
  2. Do you have the necessary documents, tools, and skills to do the integrations required?
  3. Have you discussed the integration requirements with other units to ensure resource availability to do the necessary integrations?

11. Application development

  1. How is the system produced and maintained? Are we adequately staffed for that?
  2. How does this application's architecture relate to that of other applications we maintain?

12. Vendor support & viability

  1. How well does the vendor support this product or service?
  2. How viable is this vendor?
  3. How does this vendor align with ITS strategic vendor management?

13. Compliance

  1. How have you addressed accessibility and Section 508 compliance?
  2. Is there any PII (Personally Identifying Information) transmitted, processed, or stored in this system? Same question for ePHI (electronic Personal Health Information).
  3. Same question for payment card data or other personal financial account information.
  4. Are children under the age of 13 going to access this system?
  5. Will students use this? Is this application going to depend upon information about students in any way?

14. Mobile Technology

  1. Will authentication and authorization be required for the application?
  2. Are there privacy terms required for the application?
  3. Is this interface already usable on a small screen device (do not consider tablet devices)? If not sure, contact User Experience Consultant, Web Services.
  4. Is there already an app developed? If so, then complete the “Mobile App Disclosure Form” at: https://nsitwebservices.wufoo.com/forms/mobile-app-disclosure-form-for-v...
  5. If the current web interface isn't optimized for the web, then determine if there is a significant set of use cases which would compel us to optimize the interface for mobile.
    1. Would someone use this site while not at their desk to get work done? If yes, go to 2.
    2. Would someone return to this site on an almost daily basis? If yes, go to 3.
    3. What are the 3 things people use the site most for? Can those be fit onto a small screen?
  6. Compliance with the Mobile Security Guidelines at: https://mobile.uchicago.edu/page/security-guidelines