DRAFT 200-45 Grading Rubric
Rubric Outline for SSWG 200-45 Reviews
(These are also areas where SSWG should provide standards or best practices--or link to existing resources.)
For SSWG reviews of 200-45 submissions, the review workgroups should assess the submissions on each of the following categories. As additional standards and best practices are recommended by SSWG, this rubric should be fleshed out into a checklist that can be made available to 200-45 submitters in advance of submissions. Note that the order of items is NOT an indication of relative importance.
- Platform: the stack of hardware, middleware, and software required to provide the application
  - See preliminary recommendations.
  - Is the platform suitable to the scope of the application (e.g., campus-wide, inter-college, intra-college, interdepartmental, intradepartmental)?
  - Does the platform account for future extension of the application (if the application is a likely candidate for wider adoption, will the platform scale)?
  - Does the platform leverage campus middleware services rather than developing internal functionality ("reinventing the wheel")?
- Development Methodology
  - Does the methodology meet the needs of the application's target audience?
  - Does the application roadmap allow for small, iterative releases (vs occasional massive changes)?
  - Are end-users at all levels integrated into the development process (vs just sponsors or managers who don't actually use the application)?
  - Is there a clear mechanism for application users to provide feedback AND track the status of that feedback (bug tracking or feature request system)?
- Coding Practices
  - Is there in-code documentation (commenting)?
  - Are appropriate design patterns used?
    - MVC or other separation of concerns?
  - Is a code review process in place?
  - Is vulnerability scanning (automated code review) performed?
  - Is the source code under version control?
  - Is the source code shared appropriately?
  - Is there an automated build process?
  - Is there unit testing?
  - Are common or standard frameworks used where appropriate?
  - Is the design modular so that individual elements can be swapped out easily (e.g., database transportability)?
- Data Management and Access
  - Is the data model sufficiently separated from the application to easily enable direct data sharing (is there a database or other data store that can be made available to others on campus directly or via API, vs only through the application's interface)?
  - Has the data model been rigorously evaluated and broadly vetted to determine the value of the data to other campus units and to the campus as a whole?
  - Are the data model and data store sufficiently granular to protect only security-sensitive data while easily enabling access to the rest of the data (vs denying or tightly restricting access wholesale because some fraction of the data has privacy and security implications)?
  - Has the data been evaluated to determine if there would be value in extracting it into the campus data warehouse (and integrating/correlating it with other warehouse data)?
  - Have the sponsors established a clear policy and procedure for obtaining access to data?
    - Is the policy/process integrated with the campus data management policy?
- Application Security
  - Does the application comply with the CyberSafety standards?
    - How was this assessed (internal checks vs external audits)?
  - Does the application deal with data protected by various legal frameworks:
    - PII?
    - HIPAA?
    - FERPA?
    - Others?
  - Has security been evaluated end-to-end (both the server-side and the client-side)?
  - Refer to the 200-45 Security Checklist.
- Usability
  - Does the application leverage the UI of existing applications to reduce training requirements?
  - Does the application use middleware services or frameworks to generate the UI (e.g., KNS)?
  - Has the application been formally evaluated for usability using industry-standard techniques (card sort, paper mockups, eye tracking, user testing)?
  - Does the project plan include a usability improvement process?
- Accessibility
  - Is the application 508 compliant per the campus web standards policy?
    - How was compliance assessed?
      - Automated scanning tools?
      - Common checklists?
      - Testing by users who require accessibility accommodations?
  - Do project funding sources or other drivers require compliance with any additional accessibility standards (e.g., federal grants)?
- Campus Core Middleware Services Integration
  - Does the application leverage available middleware services for functionality in the following areas:
    - Authentication (CAS, Shib, Kerb, DistAuth, KIM, etc.)?
    - Authorization (LDAP, IAM, KIM, etc.)?
    - Enterprise Data Resources (DaFIS DW, PPS DW, Campus DW, etc.)?
    - Workflow (KEW)?
    - Service Bus (KSB)?
    - UI Generation (KNS)?
    - Enterprise Notification (KEN)?
- Documentation and Training for Users
  - Is there end-user documentation for the application?
    - Online? Context-sensitive?
    - Printed book or electronic?
    - Screencasts or other tutorials?
  - Is there a process and sufficient resources to update the documentation?
  - Is training required for end-users?
    - How will training be made available?
- Project Management and Personnel
  - Who is sponsoring the project?
  - How was the development team selected?
  - Who are the end-users?
    - Are the interests of the end-users directly represented by the sponsors?
  - Have sufficient resources been allocated for the various phases of the application lifecycle:
    - Development?
    - Initial Data Loading (including departmental data loading)?
    - Production?
    - Maintenance and Revision?
    - Support?
      - Technical Support ("The application won't load in my browser.")?
      - Subject Matter Expert Support ("How does business process X tie into process Y?")?
  - Will developers be recruited (externally) for this application?
    - Are appropriate resources, such as campus technology experts, included in the hiring process?
  - Is training required for developers?
  - Is training required for systems administrators?
- Business Process Analysis
  - Has the workload impact of the application been evaluated end-to-end (i.e., not just the workload impact on the sponsoring department, but also on everyone else who uses the application)? Some areas to consider include workload for:
    - application systems administrators
    - managers/approvers or other groups involved in workflow
    - end-users
    - departmental technical staff providing end-user support (e.g., how complex is the client stack to maintain?)
  - Is the application simply creating electronic versions of existing business processes, or have the business processes been evaluated and appropriately reengineered?
- Sustainability
  - Does this application meet UC and UC Davis sustainability guidelines in the following areas:
    - reduction of printing in favor of electronic records?
    - application platform hosted in a virtualized environment?
- Risk Management
  - Has the criticality of the application to University operations been assessed?
  - If the application holds critical data, does the project plan include the following:
    - backup plan?
    - disaster recovery plan?