
ASP Architecture Questions

Technical Architecture Reviews

Technical Architecture Questions for Application Service Providers

Suggested Use: Include in RFIs to vendors supplying APU with applications/services over the Internet.


Architecture Working Group
Version 0.9
Date 2005-11-14

General Architecture

  • What is your Web Services, or Service Oriented Architecture strategy?

  • What technologies, frameworks, and language(s) do you use in the application/service? (Please include architecture models, diagrams etc.)

  • What hardware infrastructure supports your application/service?

  • Where is data stored? List all locations, database types.

  • Does a server-side upgrade require any changes on the client side?

  • Do you have a test environment to which APU can connect to test the application? Which functions/services can be tested?

  • Do you also offer a non-hosted product?

User Environment

  • Is the application completely web-based?

  • Does it support W3C standards? Which ones?

  • Does the application support multiple browsers? Which ones, on which platforms?

  • Does the application use plain vanilla HTML?

  • Does the application have a non-web based rich client (e.g. Java Application)?

  • Do you have any plans for adding Rich Internet App (RIA) functionality to your application (e.g. AJAX)?

  • Are there specific software requirements, such as support for plugins, proprietary extensions (e.g. ActiveX), particular flavors of JavaScript, etc.?

  • Is end-user installation required?

  • Is end-user maintenance or management required?

  • Is your application compliant with the Americans with Disabilities Act (ADA)?

  • Does APU need to have someone monitor or install anything within our environment to support this application, whether on a server or on every workstation that uses the application?

  • What devices support the application? Is an actual computer required, or could a PDA or other mobile device do the job?

Integration Architecture

  • Does the application integrate with other known applications or services?

  • Do you publish portlets for Portal Integration (e.g. JSR-168)?

  • Do you have any experience with JA-Sig uPortal?

  • Do you currently publish any Web Services? Via what means (e.g. SOAP, XML-RPC, RMI)? For what functions?

  • If data-level integration is required, what methods are available (XML, JDBC, ODBC)?

  • Do you support multiple forms of interaction, e.g., asynchronous messaging?

  • Do you support any message-oriented messaging for process-level integration (e.g. EJB, JMS)?

Extensibility & Flexibility

  • Is the application extensible? Is it easy to add functionality to the system?

  • Can we augment it with an alternate front-end?

  • Can we extract data for processing on our side?

  • Does this extraction require the use of particular technology, language or API?

  • How readily can the application be modified if something like government rules change? How long to become compliant in such a situation?

  • Is business logic separate from the presentation layer?

Identity Management

  • Can your application defer all authentication to our central authentication system (one-way trust, no passwords stored in your system)?

  • How do you support web single sign-on?

  • Do you plan to support any federated identity systems, such as those based on the Security Assertion Markup Language (SAML), e.g. Shibboleth or Liberty Alliance?

  • Can your application dynamically use authorization attributes, group information, or other attributes from our LDAP directory securely over the Internet?

  • How does your system consume identity data that we do not want leaving our organization?

  • What is the minimum amount of account information that must be housed in your system?

  • How are accounts managed over time?

  • What is required to create a user account?

  • Can the ability to create an account be restricted?

  • Can the ability to change a password via your mechanisms be disabled, in order to defer to our processes?

Availability

  • Is the application available 24 x 7? With what level of guarantee?

  • Is it monitored 24 x 7 for failure? By whom?

  • Are there peak load times that could cause certain functions to fail for users?

  • Is the current hardware configuration more than adequate to handle the highest current load?

  • Are servers clustered?

  • Is load balancing used?

  • What is your typical transaction rate at peak times?

  • Do you have redundant Internet gateways, co-location, or other availability measures in your design? Which providers (and what tier)?

  • Do routes auto-failover? How does a failover affect access to your application while it is in progress?

  • How often do you typically have outages? How long do they last? Can you provide a report for the last year?

  • How often is the application updated?

  • What impact do updates have on availability?

Continuity

  • If data is not readily accessible in an open format, such as XML, what would be involved in getting a copy of the data in a well-known format?

  • Do you have a documented Disaster Recovery Plan? Has this ever been tested?

  • What is your time to recovery?

  • Are there failover servers?

  • Where are servers located?

  • How often are backups of data made?

  • Where are backups kept?

  • Is the application itself kept in a regularly backed up code repository?

  • Where is that repository physically?

  • How do you handle revision control, and regression testing?

  • Is your application tightly tied to one particular vendor, such as through the use of .NET or WebLogic extensions?

  • How portable is your application? Is it agile enough to move to other hardware/software platforms if the industry shifts?

  • Is a database abstraction layer used? If needed, could you switch to a different database product?

Security

  • What mechanism is used to protect data from the user to the application?

  • What measures are used to protect data at the ASP’s site?

  • Does the ASP share data with other companies? If so, how is data safeguarded in transit and at the other company’s site?

  • Do you have any mandated security requirements for any third party products or services incorporated into your solution?

  • What provisions are there for network security?

  • What physical security policies do you enforce?

  • Who at the ASP may access data?

  • Who can manage account creation/maintenance?

  • What are your policies for failed password attempts and password changes?

  • How often do you conduct security audits?

  • Are all transactions logged? Are those logs available to us if necessary, in some form?

  • If requested, can you supply us with security, traffic, and authentication logs?

  • Describe the method of gaining access to such logs.

  • Can APU turn off access in case of a security problem?

Compliance

  • Gramm-Leach-Bliley Act
    • Describe how your solution protects the confidentiality of personal financial information, as required by the Gramm-Leach-Bliley Act (GLBA) of 1999.
  • California Financial Information Privacy Act
    • Describe how your solution complies with the terms of the CFIPA, protecting the confidentiality of consumer financial information.
  • FERPA
    • Describe how your solution complies with the requirements of the Family Educational Rights and Privacy Act.
  • PCI
    • If applicable, describe how your company complies with the Payment Card Industry Data Security Standard (PCI DSS) program.
  • NACHA
    • If applicable, describe how your company complies with NACHA (eCheck) requirements and guidelines for risk management.
  • HIPAA
    • If applicable, describe how your company complies with the Health Insurance Portability and Accountability Act (HIPAA) enacted by the U.S. Congress in 1996.

Support

  • Is support available 24 x 7?

  • How is support available? Telephone? Email? Web site?

  • Is support charged separately? If so, how much per incident?

  • Who may ask for support?

  • What is required to ask for support?

  • What is your standard Service Level Agreement?

  • What is the expected time frame for response to and resolution of user problems?

  • How and when do you notify customers that you are going to perform an update to a system or have a planned outage?

  • What documentation is available?

  • How much does documentation cost per copy?

  • What training is available?

  • How much training is typically needed?

  • How much does training cost?