You need to do the following in the private beta phase.
Hire and onboard a developer (if required)
If, after going through your service assessment, it is determined that a beta version will be technically complicated enough to justify hiring a qualified external developer to build it, eServices for Citizens will assist the Department Service Owner to find a suitable vendor.
The process you use to contract the work – direct award or public tender – will depend on your budget and Government of Yukon procurement limits.
Contract a vendor
- Work with the vendor to prepare potential cost, scope and timeframe. You should apply the user stories from the project backlog to inform the scope. Have the vendor submit a quote (including scope, time and budget), which will need to be approved by the Department Service Owner as well as eServices for Citizens.
- If the quote is approved and a contract is generated, get the developer to complete the YNET Network Access Agreement and YNET account request forms, then send these to email@example.com to be processed. Once they are granted access to YNET, developers need to be set up with a VPN account so that they can access GitLab where an account will in turn be created for them by eServices for Citizens.
- Have the developer download and configure the Endpoint Security VPN client using the gateway configuration of 126.96.36.199/remoteaccess.gov.yk.ca.
Complete vendor training and agreements
- Depending on the nature of the project, developers may need to complete the appropriate Access to Information and Protection of Privacy Act (ATIPP) or Health Information Privacy and Management Act (HIPMA) training.
- Review the standard template for the Network Services Agreement that will be shared with the contractor and have the Department Service Owner make adjustments as needed.
Provide vendor access to internal systems
- After the developer is inside the VPN, have them create a GitLab account at https://app-cms-git01.gov.yk.ca. Once their account is set up, they will need to download the Government of Yukon Drupal Platform from the goy-dru-v2 repository and install it into their local development environment.
Build functional prototypes
- Using iterative methods, the developer shall improve upon the service prototypes by testing them with users based on the user stories created in the alpha phase. The developer shall follow our standards for code review and deployment. Management of user stories and bug reports can take place in the eServices for Citizens backlog tool.
Define internal data collection and credentials
- A data collection statement needs to be written for the service start screen. This statement may require legal consultation to ensure it complies with Government of Yukon acts and legislation.
- Confirm with the Department Service Owner that the default 12-month data retention schedule of the eServices Platform is sufficient for their purposes. If the schedule should be longer or shorter, submit this request to firstname.lastname@example.org and the change will be made to the eServices Platform reporting system on a per-service basis.
Organize internal user support and training
- Ensure that service delivery staff – the internal department employees – have the correct Active Directory group credentials to access the eServices Platform reporting system. Contact email@example.com to verify that they do.
- Determine what level and methods of support (email, telephone, in-person, etc.) will be provided to department staff, both for reporting issues and for getting help.
Decide on service content management strategy and training
- The technical maintenance and management of all eServices Platform-based services and websites are centrally monitored and controlled by eServices for Citizens, but service content updates, additions and deletions are the responsibility of individual organizations. If the organization wishes to hire an external team to manage its content, this is acceptable, but we encourage corporations and other public bodies to do it themselves. If a third party is hired to perform these content management activities, this cost should be accounted for in the organization’s service delivery and support budget.
- Create a training plan for internal users of the new service who will support and operate it. Training should include how to use the service interface online as well as the eServices Platform reporting tools and merchant account reports.
Organize technical and legal assessments
- If the service is required to adhere to the Access to Information and Protection of Privacy Act (ATIPP), determine who will head up the Privacy Impact Assessment (PIA) process and have them organize and lead its research and completion.
- Contact the Chief Information Security Officer (CISO) to organize a Security Threat Risk Assessment (STRA) for the new service. Work with the CISO to complete the STRA and perform any remediation tasks to their satisfaction.
- If the service adds new features to the eServices Platform, determine if a separate STRA is required and assign this task to a suitably skilled employee, then review with the CISO.
- Discuss the service with the Information Privacy Commissioner (IPC) to maintain transparency and encourage collaboration, seeking input from the IPC.
- Review the template for the Service Agreement (SA) and have the department operating the service make adjustments as needed, then sign and submit to eServices for its signature. Both groups require a final version for their own records.
- Ensure that before proceeding to a public beta, the department's Deputy Minister is made aware of any audits or assessments performed on the service (PIA, STRA, PCI, etc.) and that this person approves and signs off on these documents.
Additional steps for services that will take money
- Set up a merchant account for development purposes (sometimes known as a sandbox account). Later on, this sandbox account can be turned into a live account before it goes to a public beta.
- Determine if a Payment Card Industry (PCI) compliance audit and Self-Assessment Questionnaire (SAQ) are required and assign this task to a qualified employee. Once completed, the SAQ should be sent to the Department of Finance for review and to seek approval.
- Review the eServices Service Providers list to ensure all service providers are accurately listed, including the services they provide, roles and responsibilities. For payment services, specifically identify PCI DSS responsibilities. Review responsibilities with the service providers.
- If PCI training is necessary for the department managing the service, arrange for PCI compliance training for this group and, in particular, the staff who will regularly operate the service.
- Depending on the interface design of the particular service, a payment form template may need to be created. eServices for Citizens will advise.
- Complete and have approved by the Department of Finance the necessary application forms for the department's merchant account. These forms can include those for Moneris as well as applications for individual credit cards and whatever else is necessary.
- Review the PCI SAQ form, all of the financial documents and walk through an end-to-end demonstration of your service with the Government of Yukon PCI Steering Committee. After your demonstration, the committee will be in a position to approve and sign off on this work.