technical requirements - cdss public site technica…  · web viewportal and external users...


Upload: dangkhuong

Post on 31-Jan-2018


California Department of Social Services (CDSS) County Expense Claim Reporting Information System

1 Technical Requirements

This document contains technical requirements to support the design, development, testing, implementation, and maintenance of the CECRIS. The State will be responsible for fulfilling the technical requirements. The technical requirements are divided into the following requirements sets:

1.1 CECRIS Technical Overview
1.2 System Architecture
1.3 Analytics and Reporting
1.4 Usability
1.5 Hosting
1.6 Facilities
1.7 Capacity
1.8 Security
1.9 Logging and Auditing

1.1 CECRIS Technical Overview

This section presents introductory information on the technical requirements.

1.1.1 CECRIS Technical Reference Architecture

The CECRIS Technical Reference Architecture (TRA) defines the CECRIS system context, technology architecture, process, and standards.

This section presents the overall CECRIS Technical Reference Architecture (TRA) as shown in the diagram below.

CECRIS Technical Requirements, Page 1


Figure 1.1, CECRIS Technical Reference Architecture

1.1.1.1 CECRIS Presentation Services Layer

The top layer, the Presentation Services Layer, includes various composite applications that allow interaction between various users and the system itself. The CECRIS web portal provides access to business functions through standard web browsers. Role Based Access Control (RBAC), implemented using the DSS Security Access Framework (SAF), is used to manage user access to CECRIS business functions. Both an intranet and Internet portal are used; CDSS internal users will use the intranet web portal and external users (counties and other state agencies and departments) would use the Internet web portal.

1.1.1.2 Security Zones

The CECRIS deployment architecture is characterized as a multi-zone architecture with each zone separated by security components to support application systems and data security. There are three main security zones:

Presentation Zone: The presentation zone includes the CECRIS Presentation Services layer and strictly includes public data security.

Application Zone: The Application Zone supports business logic and technology service components for the business services defined in the Business Architecture. The business process logic, supported by business service logic and the specific technology components necessary to implement the business services, reside in the Application Zone. The CECRIS Service Layer, Business Process Layer and the Service Bus belong to this security zone.

Data Zone: The Data Zone contains the data/information used by various CECRIS services. In the CECRIS multi-layer architecture, the CECRIS Data Layer belongs to this security zone.

1.1.1.3 Interfaces

CECRIS will interface with the following two external systems:

CALSTARS: CALSTARS is the State’s current financial system and all claim payment data is sent to CALSTARS for processing. The files are anticipated to be sent using batch transmission.

FI$Cal: FI$Cal will replace CALSTARS and therefore, once implemented, all claim payment data will be transmitted to FI$Cal for processing.

1.1.2 CECRIS Hosting

The State is focusing on the best business solution for CECRIS and is therefore using State-Hosted Cloud. This hosting solution utilizes the assets of the California “CalCloud” environment.

1.1.3 CECRIS Technology Standards and Tools

Figure 1.2 presents the proposed CECRIS system implementation.


Figure 1.2 Proposed CECRIS System Implementation

Table 1.1 details the CECRIS Architecture Layer, Technical Capability and Tools, Technologies and Standards.

Table 1.1, CECRIS Architecture Layer, Technical Capability and Tools, Technologies and Standards

| Architecture Layer | Technical Capability | Tools, Technologies and Standards |
| --- | --- | --- |
| CECRIS Hosting Platform/Infrastructure Layer | Operating System; Web Server; Application Framework | Microsoft Windows Server 2012; Microsoft Internet Information Server (IIS) v7.5 or higher; Microsoft .NET Framework 4.0 and up |
| CECRIS Data Layer | Database Server; Directory Server | Microsoft SQL Server 2012 or higher; Windows Server Active Directory |
| CECRIS Service Layer | Rules Engine; ETL Tool; Data Analysis Tool; Reporting Tool | Custom C#; Microsoft BizTalk Server; Microsoft SQL Server Integration Services (SSIS); Microsoft SQL Server Analysis Services (SSAS); Microsoft SQL Server Reporting Services (SSRS) |
| CECRIS Business Process Layer | Business Process Management (BPM)/Workflow | K2 BlackPearl 4.6.4 |
| CECRIS Presentation Services | Web Portal, Report Portal etc.; Office Tools (MS Excel); Web Application Framework | Microsoft SharePoint Server; Microsoft Office; Microsoft .NET Framework 4.0+: ASP .NET |

1.2 Coding Standards

This section defines the coding standards that will be followed in the CECRIS project.

1.2.1 Coding Standards Requirements

# Requirement

1 All parts of the CECRIS application will conform to CDSS’ coding standards, including style and comments, to be determined by the State.

1.3 System Architecture

A Service Oriented Architecture (SOA) is to be used as the fundamental architectural style for defining the CECRIS architecture to establish a highly flexible and responsive business, technology and data architecture.

1.3.1 Architecture Requirements

# Requirement

2 The CECRIS architecture shall conform to an n-tiered web architecture and realize the CECRIS TRA based on Service Oriented Architecture (SOA). Please refer to the CECRIS Technical Reference Architecture (TRA) for details.


3 The CECRIS solution shall provide the following web portals for the human users to access all CECRIS business functions:

a. CECRIS Intranet Web Portal: The CDSS internal users shall access CECRIS business services and reporting through the CECRIS Web Portal through the intranet.

b. CECRIS Internet Web Portal: The external users such as County Fiscal Staff, CWDA, etc. shall access CECRIS business services and reporting through the CECRIS Web Portal through the internet.

4 The CECRIS Web Portal shall support, at a minimum, the latest version of the following browsers:

a. Internet Explorer
b. Microsoft Edge
c. Firefox
d. Chrome
e. Safari

5 If required, the CECRIS solution shall use electronic signature functionality that is compliant with the State, federal and agency requirements and standards for electronic signature.

6 The CECRIS Presentation Services shall conform to the TRA.

7 The CECRIS solution shall store all the master data and the transaction data in a Relational Database Management System (RDBMS).

8 The CECRIS solution shall use Microsoft SQL Server Database 2012 to store all CECRIS master data, transaction data and reports data.

9 The CECRIS solution shall expose CECRIS services consistent with WS-I Basic Profile Version 2.0 web service guidelines (http://ws-i.org/profiles/basicprofile-2.0-2010-11-09.html) and interoperability tests that are based on Service Contract Specification.

10 The CECRIS solution shall implement business and technical functions as web services using the following open standards, at a minimum:

a. XML
b. SOAP/WSDL
c. WS-I Basic Profile 2.0
d. WS-Security

11 The CECRIS solution shall use K2 BlackPearl 4.6.4 to implement Business Processes.


12 The CECRIS solution shall implement, at a minimum, services for:

a. Logging
b. Auditing
c. Exception Management functions

13 The CECRIS solution shall implement services to provide centralized implementation, management, monitoring, administration and governance of CECRIS security and compliance policies.

14 The CECRIS solution shall use Microsoft Windows Server 2012 or later as the Operating System in the CECRIS Platform/Infrastructure Layer.

15 The CECRIS solution shall use Microsoft Internet Information Server (IIS) v7.5 or higher as the Web Server in the CECRIS Platform/Infrastructure Layer.

16 The CECRIS solution shall use Microsoft .NET Framework 4.0 or higher as the Application Framework in the CECRIS Platform/Infrastructure Layer.

1.4 Analytics and Reporting

This section presents the technical requirements related to reporting. Business requirements related to reporting are provided in Section 6.16, Reporting.

1.4.1 Analytics and Reporting Requirements

# Requirement

17 The CECRIS solution shall provide the ability to generate reports in batch mode using predefined report formats.

18 The CECRIS solution shall provide the ability to generate ad-hoc reports in real-time.

19 The CECRIS solution shall implement the BI internal and external dashboard providing clients with the ability to visualize metric claims in xRM.

20 The CECRIS solution shall provide both the batch reports and ad-hoc reporting functionalities through the CECRIS Web Portal using CDSSSAF Role Based Access Control (RBAC) mechanism.

21 The CECRIS solution shall include a mechanism for both batch and ad-hoc reporting from a datamart.

22 The CECRIS solution shall provide processes to Extract, Transform and Load (ETL) data on a nightly schedule from the CECRIS transaction database to the reporting datamart.


23 The CECRIS solution shall use Microsoft SQL Server 2012 or later for the implementation of the reporting datamart.

24 The CECRIS solution shall use BizTalk to implement the CECRIS ETL processes.

25 The CECRIS solution shall use Microsoft SQL Server 2012 or later Analysis Services (SSAS) as the Data Analysis Tool.

26 The CECRIS solution shall use Microsoft SQL Server 2012 or later Reporting Services (SSRS) as the Reporting Tool.

1.5 Usability

Usability refers both to the State and Federal regulations and laws that guide accessibility of systems and to ease of use, intuitiveness, and overall user experience.

1.5.1 Usability Requirements

# Requirement

27 The CECRIS solution web portal shall be compliant with the American Disabilities Act (ADA).

28 The CECRIS solution web portal shall be compliant with the California policy regarding accessibility per Cal Gov. Code 11135.

29 The CECRIS solution web portal shall be compliant with the Accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. Sec 794d), and regulations implementing that act as set forth in Part 1194 of Title 36 of the Federal Code of Regulations.

30 The CECRIS solution shall provide real-time access to system job and maintenance schedules, submission and processing statistics, and System performance tools for authorized users.

31 The CECRIS solution web portal shall support the English language only.

32 The CECRIS solution shall have the capability to pre-populate screens, with the relevant information already existing in the system.

33 The CECRIS solution shall support mandatory input fields on the user interface screens.

34 The CECRIS solution shall support on-screen notification of, at a minimum, data saves, data validation errors, and mandatory fields.


35 The CECRIS solution shall allow users to download forms, reports and documents through the Web Portal. The downloadable forms, reports and documents shall be identified during joint requirements/design sessions.

36 The CECRIS solution shall allow navigation between multiple, related input screens without losing information input from the original screen.

37 The CECRIS solution shall allow users to print each input screen using a print layout that is formatted for printing.

38 The CECRIS solution shall provide print options for printing the forms, reports and other related documents through the web portal.

39 The CECRIS solution shall provide role-based workflow routing and allow tasks to be assigned to job functions.

40 The CECRIS solution shall provide the capability to notify the user prior to deleting the user's incomplete work due to a timeout.

41 The CECRIS solution shall provide a mechanism for the webmaster to obtain feedback accessibility improvement, general comments and other recommendations from the users.

42 The CECRIS solution shall provide a web frontend using role-based access to users that requires no desktop software to be installed and configured except supported web-browsers (Internet Explorer, Firefox, Chrome, and Safari) and some of the commonly used browser plug-ins.

43 The CECRIS solution shall display CECRIS data using consistent formats with respect to: color, layout, font, menus, navigation, graphics, and location information.

44 The CECRIS solution shall use a Model-View-Controller (MVC) pattern for web application development.

1.6 Data Migration

This section presents the technical requirements related to migrating existing County Expense Claim (CEC) and County Assistance Claim (CA 800) data.

1.6.1 Data Migration Requirements

45 The most recent three fiscal years of final audited CEC and CA 800 summary data shall be migrated to CECRIS.

46 The current CEC and CA 800 system and all historical data shall be migrated to a central server accessible to State and County staff.


1.7 Hosting

This section presents requirements related to the hosting of CECRIS.

The State shall be responsible for providing:

Development and Implementation (D&I) Environment (State on-prem)

Test Environment (CalCloud)

Production Environment (CalCloud)

Disaster Recovery Environment (CalCloud)

1.7.1 Hosting Requirements

# Requirement

47 CDSS shall provide and host the Development and Implementation (D&I) environment that includes all the hardware and software needed to design, develop and unit test the system.

48 CDSS shall provide and host the Performance/Interface/UAT Test environment that includes all the hardware and software needed to test the system.

49 CDSS shall provide and host the Production environment that includes all the hardware, software and data needed for the CECRIS system.

50 CDSS shall provide all environments to host the Disaster Recovery (DR) environment that includes hardware, software, and data for the system.

1.8 Capacity

There will be periods of time each month and each quarter where usage amongst users is high, and it is expected that CECRIS will easily support the number of concurrent users. Through a structured process, CECRIS’ capacity is managed by measuring the system performance, growth, and projected increase of use.

1.8.1 Capacity Requirements

# Requirement

51 CDSS shall provide the necessary Hardware, Storage and Network Capacity to meet the CECRIS capacity requirements.


52 The CECRIS System shall have a capacity for a minimum of:

a. Processing 1000 claims per year
b. Supporting 350 concurrent users

53 The CECRIS solution shall have the capability and storage capacity to retain seven (7) years of data online and ten (10) years of data offline storage.

1.9 Security

The CECRIS solution shall implement a comprehensive and integrated security mechanism to protect the security of CECRIS and its data. CECRIS security implementation shall leverage government, industry, and federally funded academic research on security, privacy, and continuity of operations, with a strong link to available and emerging products and solutions. All security functions shall be developed in accordance with State security policies and regulations.

1.9.1 Security Requirements

# Requirement

54 The CECRIS solution shall provide the security of the system and data utilizing the following fundamental security elements:

a. Multi Zone Security Architecture
b. User ID and Password based Authentication
c. Role Based Access Control (RBAC) using DSSSAF
d. Encryption of sensitive data in transit and in storage

55 The CECRIS solution shall provide a defense-in-depth, multi-zone computing architecture that physically separates the layers between the System components utilizing the following zones:

a. Presentation Zone
b. Application Zone
c. Data Zone

Please refer to the TRA for details.

56 The CECRIS solution shall provide a data encryption mechanism for sensitive data in transit and in storage that protects data confidentiality and integrity as appropriate, based on the sensitivity of data.


57 The CECRIS solution shall provide Public Key Infrastructure (PKI) that follows standard practices that includes at a minimum:

a. Accepted Certification Authorities (CA), documented Certificate Policies (CP), and Certificate Practice Statements (CPS) which will include key escrow strategy

b. Fundamental technical standards such as X.509 certificate format and Public Cryptographic Standards (PKCS)

58 The CECRIS solution shall use DSSSAF to provide Credential and Access Management (CAM) services with the following functionalities:

a. Authentication: Enabling User ID and Password based authentication, password policies, and automatic password expiration policies.

b. Authorization: Users will be assigned roles to ensure that they have access to business functions and data that is needed to get the job done and nothing more (least privilege).

59 The CECRIS solution shall generate alerts for conditions that violate security rules, including at a minimum:

a. Unauthorized access attempts on data and System function
b. Logon attempts that exceed the maximum allowed
c. Termination of authorized sessions after a specified time of no activity

60 The CECRIS solution shall provide security incident reporting and mitigation mechanisms, including at a minimum:

a. Generate warning or report on System activity based on security parameters

b. Terminate access and/or generate report when potential security violation detected

c. Preserve and report specified audit data when potential security violation detected

61 The CECRIS solution shall use DSSSAF to automatically prompt users to change their passwords after a configurable, defined period has passed.

62 The CECRIS solution shall use DSSSAF to provide the ability to disable user IDs for a configurable time frame after a configurable number of consecutive invalid login attempts.

63 The CECRIS solution shall time-out web portal users after a configurable period of inactivity.

64 The CECRIS solution shall display passwords using masked characters.

65 The CECRIS solution shall encrypt passwords when they are routed over the network.


66 The CECRIS solution shall ensure that the integrity and confidentiality of data is protected by safeguards to prevent release of information without proper consent.

67 The CECRIS solution shall use DSSSAF to provide secure access control based upon single unique user login.

68 The CECRIS solution shall use DSSSAF to provide secure unique identifiers for each user.

69 The CECRIS solution shall use DSSSAF to perform secure checks on each user’s access privileges at login, and automatically disable or enable user functions, in real time, based upon the user’s role and access privilege.

70 The CECRIS solution shall utilize appropriate security architecture and control to address various security attacks, including at a minimum:

a. Spoofing
b. Tampering
c. Repudiation
d. Information disclosure
e. Denial of service
f. Elevation of privilege

71 The CECRIS solution shall provide a mechanism to perform annual auditing to track and monitor access and modification to all sensitive and business critical data.

72 The CECRIS solution shall use secured coding practices that comply with the following standards:

a. NIST SP 800-64, Security Considerations in the System Development Life Cycle

b. NIST SP 800-95, Guide to Secure Web Services

1.10 Logging and Auditing

This section presents requirements related to tracking and recording user transactions within CECRIS.

1.10.1 Requirements

# Requirement

73 The CECRIS solution shall communicate errors to the end user in plain language with an explanation of required action.


74 The CECRIS solution shall allow system administrators to view, filter, sort, and search the error log.

75 The CECRIS solution shall log the following events to a centralized ANSI-SQL Database Error Log:

a. Business activities (e.g., audit activities, user login, new user role/permission change etc.)

b. Business events (e.g., claim submission/file upload, business rules changes, aid code changes)

c. Business errors and exceptions

d. System errors and exceptions

The list of items to be logged will be decided in the detailed requirements and design phases.

76 For each event, the CECRIS solution shall log the following data to a centralized ANSI-SQL Database Audit Log:

a. Business or system activity, event or error
b. Who (human user) or what (system user) performed the activity or triggered the event
c. What the activity/event was performed on - the details of activity/event related data
d. Date and time of event
e. Result/status of the event
f. Before and after values
g. Subsystem/business process/service name

The list of data elements to be logged and the log format will be decided in the requirements and design phase.

77 The CECRIS solution shall provide audit reports to CDSS on a weekly basis and also on demand.

78 The CECRIS solution shall log application-level audit trails to monitor and log user and system activities, including, at a minimum, data files opened and closed, specific actions (e.g., reading, editing, and deleting records or fields), and printing reports, claims data modification, claims data receive, audit event etc. The list of the user and system activities to be logged will be defined in the requirements and design session.

79 The CECRIS solution shall allow users to configure the frequency and content of audit reports.


1.11 System Performance

This section presents the technical requirements related to system performance.

1.11.1 Requirements

# Requirement

80 The CECRIS solution shall have a 2 to 5 second response time for the requests submitted through the CECRIS web portal.

81 The CECRIS solution shall provide a message to the users if a request submitted through the CECRIS web portal is being processed and takes longer than the 2 to 5 second response time.

82 The CECRIS solution shall be operational 6:00 AM to 11:00 PM Monday through Friday, Pacific Standard Time (PST).

83 The CECRIS application shall be operational 2:00 AM to 6:00 PM Monday through Sunday (Pacific Standard Time) for Batch Processing.

84 The CECRIS server system shall be available 99.9 percent of the operational hours.

85 Required system maintenance shall be performed within a two (2) hour window that is outside the regular operational hours for both application and batch processes.
