Senior User Group

1
Senior User Group

• 25th June 2008

2
Project Progress Test Status

• Nigel Williams, Mark Swan

3
Progress Test Status, Topics

• Progress against plan
• Current test status
• Progress Full MCIS
• Progress Core MCIS
• Test Script coverage and Statistics
• A.o.b / questions

4
Key Messages Actions from Last SUG

• Focus on defining go live release scope, seek RDA
  agreement
• Identify known work-arounds
• Plan for go live release only, cease other
  activities (inc implementation planning visits
  to RDAs)
• Re-organise team to ensure delivery appointment
  of additional staff
• Fully test system before User Testing
• Stabilise Data Dictionary, issue after testing
  and when fully complete
• Prepare Acceptance strategy
• Establish go live sign off compliance
  requirements (inc information requirements for
  aggregate claim)
• Publish test statistics
• Organisational study and procurement work-streams
• Key date is 25 July 2008 for system sign off

5
Current Status

• Develop go live release COMPLETED 16/6
• Start (informal) System testing STARTED 17/6
• Test Core XML Upload facility STARTED 17/6
• Update Data Dictionary inc validation Rules
  DONE (will release on completion of system test)
• Appoint Security CLAS consultant DONE 16/6
• Appoint Pen Testing Contractor IN PROGRESS,
  start 7/7
• Collate Finalised CA Requirements IN PROGRESS
• Complete Go Live Scope Document AWAITING RDA
  SIGN OFF
• Draft of Proposed Workarounds IN PROGRESS

6
Current System Testing Status

• Release 1.7.2 Full and Core System Users
• Function
• Programme Set-up and maintenance Partial
  Success, defects raised
• Aggregate Project Set-up and maintenance of
  priority axis data Partial Success, defects
  raised
• Aggregate Claims (Includes generation of claim
  via MCIS and XML)
• Generating Claims In Progress
• Validation In Progress
• Grant calculation Full - In Progress Core -
  NS
• Submission of Claims Full - Passed Core
  - NS
• Certification of Claims Full - In Progress
  Core - NS
• SAP Payments Interface manual workaround agreed

7
Current System Testing Status (Contd)

• Release 1.7.2 Full System Users
• Function
• Intermediate Body Project Passed
• Electronic Funding Agreements Passed
• Preparation of Project Claim In progress
• Includes workflow, variance detection, routing
  function, validation rules
• Project Grant Calculation
• Interim Claims Passed
• Restricted Passed (yesterday)
• Submit Project Claim
• 3 stage Approval Process Passed
• Suspend function NS
• User Visibility In Progress
• Comments Passed
• Amending Project Claims NS
• Risk Rating of Projects NS

8
Current System Testing Status (Contd)

• Release 1.7.2 Core Full System Users
• Miscellaneous Functions
• Government Gateway NS
• Access Control In progress

9
Test Script Coverage StatisticsLast SUG, 21/05
10
Test Script Coverage Statistics This SUG, 25/06
11
Test Script Coverage and Statistics Comparison

• of resolved and closed issues as a of total,
  as at last SUG, 21/05
• Defects 27.5
• Questions 30.2
• Requirements 23.5
• Total 27.5
• of resolved and closed issues as a of total,
  as at this SUG, 25/06
• Defects 49.1 A lot better
• Questions 42.1 Better
• Requirements 33.3 Better
• Total 44.7 A lot better

12
Test Script Coverage and Statistics Trend
Analysis
13
Progress Test Status

• A.o.b / questions?

14
Audit Authority Compliance

• Alex McIntosh, Karan Price, Nigel Williams

15
Audit Authority Compliance, Topics

• Current Work-Around Proposals
• Items for discussions
• Requirements of CA for Aggregated Claims
• AA audit of MA
• Sign off of RDA systems
• A.o.b / questions?

16
Current Work-Around Proposals

• Due to staged release of MCIS some aspects of the
  business process require work around activities
  until system functionality is available
• Current work around proposals include
• Visits, Irregularities Clawbacks data capture
• Funding Agreement
• Project Categorisations
• Expenditure Forecasting
• RDA to Beneficiary Payment Processing (Finance
  Interface)
• Work around proposals to be cleared with the
  Managing, Certifying and Audit Authorities to
  ensure suitability as temporary solutions

17
Current Work-Around Proposals

• Visits, Irregularities Clawbacks
• MCIS Project Team to provide a single spreadsheet
  to capture high level project visit, irregularity
  and clawback data, as specified in the data
  dictionary
• Spreadsheet to be attached and submitted to the
  CA with the aggregate claim
• Visit forms to be attached and submitted to the
  CA with the aggregate claim
• Spreadsheet to capture irregularities at a NIFF
  level. SFIR forms to be completed manually and
  submitted to the CA with the aggregate claim
• Project clawbacks to be demand note only until
  offsetting functionality is available within
  full and core MCIS

18
Current Work-Around Proposals

• Funding Agreement
• Electronic Funding agreement not available in
  MCIS for go-live
• MCIS to produce the completed funding agreement
  schedules for inclusion in the document
• Schedules to be produced in Cognos from MCIS and
  cut and paste into the funding agreement before
  being issued to the Beneficiary
• Other funding agreement variables to be edited
  manually by the RDA
• Electronic or scanned copies of the funding
  agreement to be attached to the project within
  MCIS

19
Current Work-Around Proposals

• Project Categorisations Cross Cutting Themes
• The tables within MCIS required to capture and
  store project categorisations and cross cutting
  themes will not be ready for go-live
• MCIS Project Team to provide a spreadsheet
  solution as short term work around
• One spreadsheet per project to capture
• Priority Themes
• Codes for the Form of Finance Dimension
• Codes for the Territorial Dimension
• Codes for the Economic Activity Dimension
• Codes for the Location Dimension
• NUTS Codes
• Indicator Cross Cutting Themes (BAME/Gender/Disabi
  lity)
• Spreadsheet not required for submission to the CA
  as part of the Aggregate claim

20
Current Work-Around Proposals

• Expenditure Forecasting
• HMT requirement for the RDA to submit an accurate
  monthly expenditure forecast
• CA to use the monthly cash forecast as a proxy
  for their cash forecast
• MCIS does not currently provide the functionality
  to enter or track against a monthly expenditure
  forecasting
• CA have provided a work book which is to be
  submitted by the RDA as part of the aggregate
  claim

21
Current Work-Around Proposals

• RDA to Beneficiary Payment Processing
• MCIS Development Team have developed a work
  around for the manual update of claims within
  MCIS
• RDAs that wish to go-live without the finance
  interface being available to them shall manually
  update the status of a claim in MCIS by
  allocating a Claim Paid Date
• Date field has been added to the Claim Comments
  screen and is updated by the RDA Claim Approver
  once the payment has been made in the finance
  systems
• Only claims with a status of Paid are included
  within the aggregate claim submission to the CA,
  therefore manual reconciliation with the RDA
  finance system must be accurate

22
Items for Discussion

• AA agreement of the workarounds
• Requirements of CA for Aggregated Claims
• AA audit of MA
• Sign off of RDA systems

23
End of Morning Agenda Items Any Other Business?

• All

24
Lunch

• All!

25
User Acceptance Go Live

• Nigel Williams, David Olivant, Griffin Security
  Group

26
User Acceptance Go Live, Topics

• Acceptance criteria and Sign-Off by RDAs
• Security Accreditation ISO 27001
• Security Load performance testing
• Any other questions?

27
Acceptance Roll Out Criteria

• Functional Testing
• Non Functional Testing (especially performance)
• Security Accreditation, ISO 27001
• Security Testing
• End to End User Testing, Full Core System
• Gateway 4 review, prior to full roll out
• Post Go Live Development Plans
• Implementation Plans for remaining offices

28
Security Accreditation, HMG Requirement

• HMG require all Government IT systems to be
  security accredited to ensure that the risks to
  them are properly managed Information Assurance
• The Information Security standard is a risk
  analysis of the information or communication
  system to produce documentation to be signed off
  by the Departmental Accreditor
• Business driven process

29
Security Accreditation, Risk Assessment

• Assess the business impact of any loss
• e.g. financial loss to public sector
• Assess the threats to the system
• HMG financial system fraud, organised crime
• Defence foreign intelligence services
• Assess the vulnerabilities against appropriate
  baseline security standards
• e.g. compliance with ISO/IEC 27002

30
Security Accreditation, Information Assurance

• Confidentiality
• Information not available or disclosed to
  unauthorised individuals
• Loss of personal and sensitive data
• Integrity
• Accuracy and completeness of records
• Non-repudiation
• Availability
• Information is accessible and usable by
  authorised entities
• Disaster Recovery and Business Continuity

31
Security Accreditation, Risk Reduction

• Prioritise risks
• Identify risk treatments
• Apply countermeasures

• Risk Treatment
• Reduce
• Avoid
• Transfer
• Accept

32
Security Accreditation, MCIS Scope
33
Security Load and Performance Testing

• Alan Hazell

34
Security Testing

• The purpose of Security Testing is to identify
  security vulnerabilities so that mitigating
  action can be taken before they are exploited by
  malicious individuals
• This will involve using penetration testing
  experts (experts hackers), who will carry out
  various black-box and white-box testing scenarios
  that will identify security roles and weaknesses
• The testing will included both application and
  infrastructure testing
• The testing will be carried out by an approved
  CHECK/CREST organisation. These schemas are
  approved by CESG

35
Performance/Load Testing

• The purpose of performance testing is to
  eliminate bottlenecks and to establish a baseline
  for future regression testing
• The target baseline for MCIS performance testing
  is as follows
• 60 of application web pages should be returned
  within 3 secs
• 20 of application web pages should be returned
  within 5 secs
• 10 of application web pages should be returned
  within 10 secs
• The purpose of load testing is to exercising the
  system under load and to establish a baseline for
  future regression testing
• The target baseline for MCIS load testing is as
  follows
• up to 3000 system users
• with up to 300 concurrent users assuming a 20
  minute time-out
• These tests will be carried out by a specialist
  performance and load tester prior to the full
  role out to all RDAs

36
MCIS New Roles - MCIS User Types

• Alan Hazell

37
MCIS New Roles MCIS User Types, Topics

• MCIS User Types / Roles
• Questions?

38
User Type and User Roles Go-live release

• User Types and User Roles are used by to control
  the system functionality available to individual
  users
• The following User Types are available within
  MCIS
• Managing Authority User
• Audit Authority User
• Certifying Authority User
• Intermediate Body User
• Beneficiary User
• Global Grant User

39
User Type and User Roles Go-live release cont..

• Managing Authority User
• Data Viewer
• Data Administrator
• User Administrator
• administrate Managing Authority Users and assign
  Managing Authority Roles
• Programme Administrator
• Report Author
• Audit Authority User
• Data Viewer
• User Administrator
• administrate Audit Authority Users and assign
  Audit Authority Roles
• Report Author

40
User Type and User Roles Go-live release cont..

• Certifying Authority User
• Data Viewer
• Data Administrator
• User Administrator
• administrate Certifying Authority Users and
  assign Certifying Authority Roles,
• administrate Intermediate Body Users, but only
  assign Aggregate Claim Editor, Aggregate Claim
  Reviewer Roles
• Organisation Administrator
• Claim Approver
• Certifier
• Authoriser
• Report Author

41
User Type and User Roles Go-live release cont..

• Intermediate Body User
• Data Viewer
• User Administrator
• administrate Intermediate Body Users and assign
  Intermediate Body Roles only excluding Aggregate
  Claim Editor and Aggregate Claim Reviewer roles
• administrate Beneficiary Users/Global Grant Users
  and assign Beneficiary/Global Grant User roles
• Organisation Administrator
• Aggregate Claim Editor
• Aggregate Claim Reviewer

42
User Type and User Roles Go-live release cont..

• Intermediate Body User cont..
• Grant Approver
• Grant Appraiser
• Project Deliverer
• Grant Requestor
• Grant Acceptor
• Claim Editor
• Claim Reviewer
• Claim Approver
• Certifier
• Authoriser
• Report Author

43
User Type and User Roles Go-live release cont..

• Beneficiary User cont..
• Grant Requestor
• Grant Acceptor
• Claim Editor
• Claim Reviewer
• Global Grant User
• Grant Requestor
• Grant Acceptor
• Claim Editor
• Claim Reviewer

44
PlansNigel Williams RDAs
45
Plans, Topics

• 3 month look-ahead
• RDAs plans dependencies
• Risks issues

46
Plan Dependencies
47
Release Plan
48
End of Afternoon Items Any Other Business?

• All