Government of Newfoundland and Labrador
Office of the Chief Information Officer
Corporate Services & Projects: Enterprise Architecture
Detailed Architecture Design (DAD)

Detailed Architecture Design (DAD)

Project Number – Project Name

Office of the Chief Information Officer (OCIO)

Government of Newfoundland & Labrador

This document contains highly sensitive, confidential information that may reveal the security and/or technology posture of the Government of Newfoundland and Labrador's Information Technology environment. Distribution of this document is limited to Authorized Individuals only.

As information within this document will be used to protect Government's technology assets and information, it is essential that its contents remain accurate and up to date. For more information, please contact .

Detailed Architecture Design (DAD) / Page 1 of 24
Template Version 7.0, 2015-03-31

Note – The contents of this document are subject to review and revision upgrades. This template is owned and maintained by the Enterprise Architecture (EA) Division within the Corporate Services & Projects Branch of the Office of the Chief Information Officer (OCIO). Direct your questions about this template to .

Document History

Version / Date / Summary / Responsible
YYYY-MM-DD

Purpose and Responsibilities

Purpose

  • Evaluates proposed system architectures (e.g. DAD) to:
    • Ensure adherence to the OCIO’s technical standards;
    • Evaluate the fitness of the proposed design for stability, availability, security, and supportability; and
    • Provide feedback to project teams on areas of architectural design fitness or deficiency, and recommendations for improvement.

Responsibilities

  • PARB
    • Provide clear instructions on required updates;
    • Provide pertinent information, if applicable; and
    • Streamline the approval process as much as possible.
  • Project Team
    • Take advantage of the resources provided, i.e. sample DAD, Guidelines and Best Practices, EA Prime, etc.
    • Make updates in a timely manner.

Important Information for Completing this Document

The purpose of the DAD document is to determine the technical suitability of a project’s architectural design. The proposed solution will be reviewed for adherence to OCIO technical standards as well as stability, availability and security.

A review of the DAD is meant to provide feedback to project managers on areas of architectural design fitness or deficiency, and recommendations for improvement.

The DAD is NOT meant to determine support requirements or the need to assign OCIO resources to the project (although it may be used as supporting documentation in those decision making processes).

This document may contain inline guidance to assist you with the completion of various sections. The inline guidance is contained within a table layout. The information and the table must be deleted prior to submitting the document to SDEA for review.

The document also contains a table of contents, a table of figures and a table of tables. If you do not use tables or images within this document those headings must be deleted prior to submitting the document to SDEA for review.

If you encounter any difficulty or are unsure about anything within this document, please contact your assigned EA Prime.

Completed in Full

Each section of the DAD must be completed in full. If a particular section is not applicable to this project, then you must write Not Applicable and provide a reason. No sections are to be deleted from this document.

Guidance

Text contained within < > provides information on how to complete that section and should be deleted once the section has been completed. When appropriate, individual sections of this document reference the Guidelines and Best Practices for Government Technology Solutions document.

TRIM

Insert the TRIM document number in the footer. Project teams can obtain a document number from the Information Services Centre (ISC) by emailing .

Document Embedding

To insert a document (BRD, PPIA, PIA, etc.) into this document, perform the following steps:

  • From the Insert Menu, click Object;
  • Click the Create from File Tab;
  • Find the document via the Browse button;
  • Check the Display as icon checkbox;
  • Click OK; and
  • Add the TRIM number.


Table of Contents

1. Project Information
1.1 Summary Details
1.2 Key Project Contacts
1.3 Key Dates
2. Project Information Assessments
2.1 Information
2.1.1 Public Facing
2.1.2 Corporate Services & Projects
2.2 Information Security Classification
2.2.1 Availability
2.2.2 Solution Location
2.3 Results
2.3.1 Pre-Threat Risk Assessment
3. Design and Technology Details
3.1 System Profile
3.1.1 Solution Type
3.1.2 Project Type
3.2 Solution Details
3.2.1 COTS Customization (NOT Configurations)
3.3 Virtualization
3.4 Guidelines and Best Practices
3.4.1 Deviations
3.4.2 Reason for Deviation(s)
3.4.3 Deviation Approval
4. User Community
4.1 User Community Profile
5. Application Architecture
5.1 Application Architecture Diagram
5.2 Description
6. Network Architecture
6.1 Network Architecture and Design Description
6.1.1 Network / Technical Architecture Diagram
6.1.2 Network Enhancements / Changes
6.2 Communications and Performance
6.2.1 Data Flows and Network Protocols
6.2.2 Network Traffic
7. Database Architecture
7.1 Initial Size of Database
7.2 Anticipated Annual Growth
7.3 Database Features
7.3.1 Database Environment
7.3.2 Database Connection Account Type
7.4 Stored Procedures
7.5 Clustering
7.6 Database Normalization
8. Security Architecture
8.1 Threat Mitigation Plan
8.2 Application Security
8.2.1 Roles
8.2.2 Authentication, Authorization and Access Control
8.2.3 Account and Password Management
8.2.4 Session Management
8.2.5 Cached Data / Temporary Files
8.2.6 Application Logging
8.3 Infrastructure and Network Security
8.3.1 Separation of Administrative and User Traffic
8.3.2 Operating System Accounts and Privileges
8.3.3 Server Hardening
8.4 Database Security
8.4.1 Description
8.4.2 Local User Management
8.4.3 Database Logging
8.4.4 Database Link Privileges
8.5 Cryptography and Key Management
8.5.1 Appropriate Use of Encryption
8.5.2 Digital Certificate Management
9. Enterprise Backup and Recovery
9.1 Backups

Table of Tables

Table 1 - Project Summary
Table 2 - Key Project Contacts
Table 3 - Key Dates
Table 4 - Information Security Classification
Table 5 - Deviation Approval Contact Information
Table 6 - User Community Profile
Table 7 - Data Flow Inbound and Outbound, Network Protocols
Table 8 - User Locations
Table 9 - Sample Data Object List
Table 10 - Data Object List

Table of Figures

Figure 1 - Application Architecture Diagram
Figure 2 - Network / Technical Architecture Diagram Template

1. Project Information

1.1 Summary Details

Name / Description
Project Number / <Please provide the project DTC.>
Project Name / <Please provide the name of the project.>
Project Description / <Provide a short description of the project, including any planned phases.>

Table 1 - Project Summary

1.2 Key Project Contacts

Role / Name / Email / Phone
Project Manager
Delivery Manager
Enterprise Architecture (EA) Prime
Manager of Operations & Security – Server / Storage
Manager of Operations & Security – Network / Security
Manager of Operations & Security – Service Delivery
Manager of Application & Information Management Services

Table 2 - Key Project Contacts

1.3 Key Dates

Event / Date (YYYY-MM-DD)
Estimated Date for Beginning of Execute Phase
Anticipated Implementation Date

Table 3 - Key Dates

2. Project Information Assessments

2.1 Information

2.1.1 Public Facing

Will any component of this system be Public Facing? Yes No

Has the Project Team held a consultation with the Web Development Team to ensure compliance with the Web Development Standards? Yes No

2.1.2 Corporate Services & Projects

Will any component of this system be delivered via the Internet as part of its solution delivery (not applicable to remote access for technical support only purposes)? Yes No

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 3.5: Architectural Patterns
  • Section 4.4.4: Web Security
  • Section 6.2: Architecture Components

2.2 Information Security Classification

High / Medium / Low / Unclassified
Confidentiality
Integrity
Availability

Table 4 - Information Security Classification (Provided by Information Management & Protection)

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 6.1: Information Security Classification
  • Section 6.2: Security Functional Controls
  • Section 6.3: Security Physical Architecture
  • Section 6.4: Use Of Cryptography

2.2.1 Availability

<Explain how your solution is architected to meet availability requirements.>

2.2.2 Solution Location

Based on IM classification, can the proposed solution reside with other applications of the same classification? Yes No

2.3 Results

2.3.1 Pre-Threat Risk Assessment

Insert the results of the Pre-TRA performed on this solution.

Note: To insert the Pre-TRA, follow the instructions found in the “Important Notes for Completing this Document” section at the beginning of the template.

3. Design and Technology Details

3.1 System Profile

3.1.1 Solution Type

Select one:

Commercial off The Shelf (COTS)

Custom Developed Software

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 2.1: Principle of Solution Acquisition

3.1.2 Project Type

Select one:

Primarily an Infrastructure Project

Primarily an Application Project

3.2 Solution Details

3.2.1 COTS Customization (NOT Configurations)

<Identify the level of customization within the COTS solution, if applicable.>

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 2.7.3: Vendors Supported

3.3 Virtualization

Does this system support virtualization? Yes No

If no, please explain.

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 2.6: Principle of Virtualization
  • Section 3.3: Virtualization of Information Systems

3.4 Guidelines and Best Practices

Note - All projects are expected to follow the Guidelines and Best Practices for Government Technology Solutions document and the Enterprise Architecture (EA) Web Development Standards document.

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 4.4.3: Web Standards

3.4.1 Deviations

Are there any deviations from Guidelines and Best Practices for Government Technology Solutions? Yes No

<If yes, identify all deviations.>

3.4.2 Reason for Deviation(s)

<Identify the reason(s) for the deviations.>

3.4.3 Deviation Approval

All deviations must be approved by the EA Division. Embed the email approval for the deviation into this document.

Note: To embed the email, follow the instructions found in the “Important Notes for Completing this Document” section at the beginning of the template.

Deviation Approval Contact

Name / Email / Phone

Table 5 - Deviation Approval Contact Information

4. User Community

4.1 User Community Profile

User / Number of Users / Who / Distinct User Groups / Connection
Internal / <Identify estimated number of internal users.> / <Identify who the users are.> / <Identify estimated number of departments.> / <How do they connect (e.g. VPN, Intranet, etc.)?>
External / <Identify estimated number of external users.> / <Identify who the users are.> / <Identify estimated number of distinct external organizations.> / <How do they connect (e.g. VPN, Intranet, etc.)?>
Extranet Partners / <Identify estimated number of users from extranet partners.> / <Identify who the users are.> / <Identify estimated number of distinct extranet partners.> / <How do they connect (e.g. VPN, Intranet, etc.)?>
Remote Access / <Identify estimated number of Remote Access users.> / <Identify who the users are.> / <Identify estimated number of distinct Remote Access groups.> / <How do they connect (e.g. VPN, Intranet, etc.)?>

Table 6 - User Community Profile

5. Application Architecture

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 4: Application Architecture

5.1 Application Architecture Diagram

<Insert an application architecture diagram for this section. The following template is included as a guide.>

Figure 1 - Application Architecture Diagram

Note: Ensure the diagram is labeled appropriately, including all application components, and integration of internal and external components / applications.

5.2 Description

For Custom Applications: Describe the solution’s application architecture in terms of the technologies used, the logical layers and where they reside within the physical architecture, and the method of inter-layer/inter-tier communication.

6. Network Architecture

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 6.1: Network Best Practices
  • Section 6.2: Architecture Components
  • Section 6.3: Network Topologies

6.1 Network Architecture and Design Description

Provide a detailed description of the network architecture, including:

  • An overview of how the proposed solution aligns with the Networking Section of the Guidelines and Best Practices for Government Technology Solutions;
  • A description of the potential impacts on the following areas:
    • Enterprise-wide network infrastructure and architecture; and
    • Operational management.
  • An outline of how the solution is expected to interface with the government network infrastructure and/or systems, including:
    • System tier segmentation/separation across perimeter and production firewalls; and
    • Legacy systems, servers, firewalls, security zones, ports, protocols, and traffic management devices (e.g. load balancers).

6.1.1 Network / Technical Architecture Diagram

Provide a network / technical architecture diagram of the production environment proposed for this solution. The following template is provided for your reference. To edit the Technical Architecture Design Template within Microsoft Visio, right click the image below and select Visio Object > Open.

Figure 2 – Network / Technical Architecture Diagram Template

Note: The following conventions should be used when submitting diagrams:

  • All physical and logical components of the system (servers, firewalls, zones, etc.) and how they are interconnected must be represented in a network/technical architecture diagram for the solution’s proposed production environment;
  • Where the complexity of the solution or system requires multiple instances of environments or structures, additional diagrams may be included when they provide details about interfaces with other systems;
  • Diagrams must include the components required for the production application and data environments;
  • Components of the diagram(s) must be organized by the tiers of the n-tier architecture;
  • Details of the n-tier architecture must include the hardware and software that comprise the proposed detailed architecture design; and
  • Communication between components must be indicated, including ports and/or protocols, as well as the directionality of communication.

Indicate which of the following environments are being deployed to the OCIO infrastructure:

Production

Staging

Test

Development

6.1.2 Network Enhancements / Changes

Are network enhancements / changes required? Yes No

These changes could include but are not limited to any of the following:

  • Implementing Quality of Service on WAN links that are at capacity; and
  • New networking devices such as routers, switches, firewalls, or load balancers that are required for the new solution.

If yes, outline and describe any network enhancements or changes required.

6.2 Communications and Performance

6.2.1 Data Flows and Network Protocols

Outline the communication requirements for the intended solution, including the security rules that are expected to be configured on the firewalls between zones, in the table below. Refer to the Sample DAD for assistance.

Source / Destination / Port(s) / Protocols / Encrypted or Not Encrypted / Description / Estimated Number of Connections
Between Untrusted Zone (Internet) and Public Access Zone (DMZ)
Within Public Access Zone (DMZ)
Between Public Access Zone (DMZ) and Production Zone (Restricted)
Within Production Zone (Restricted)
Between VPN and Production Zone (Restricted)[[1]]

Table 7 - Data Flow Inbound and Outbound, Network Protocols
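As an added illustration (not part of the template or of any OCIO tooling), the following Python script lints a candidate set of Table 7 rows against the zone model the table uses, flagging the mistakes a reviewer looks for first: an Internet-to-Production path, a cross-zone flow that is not encrypted, an "encrypted" claim on a cleartext protocol, and missing ports, descriptions or connection estimates. The permitted zone crossings, the cleartext-protocol list and the sample rows are assumptions constructed for the example; substitute the rules from the Guidelines and Best Practices document before relying on it.

```python
"""Added example: lint proposed Table 7 data-flow rows against the template's zone model
(Untrusted/Internet, Public Access/DMZ, Production/Restricted, VPN).
The rules below are illustrative assumptions, not OCIO policy."""
from dataclasses import dataclass

UNTRUSTED = "Untrusted Zone (Internet)"
DMZ = "Public Access Zone (DMZ)"
PROD = "Production Zone (Restricted)"
VPN = "VPN"
ZONES = {UNTRUSTED, DMZ, PROD, VPN}

# Assumption: which zone-to-zone paths may appear at all. The Internet may only
# reach the DMZ; the DMZ and the VPN may reach Production; nothing reaches
# Production directly from the Internet.
ALLOWED_PATHS = {
    (UNTRUSTED, DMZ), (DMZ, DMZ), (DMZ, PROD), (PROD, DMZ), (PROD, PROD), (VPN, PROD),
}
# Assumption: protocols that are cleartext by design, so an "Encrypted" claim is inconsistent.
CLEARTEXT_PROTOCOLS = {"HTTP", "FTP", "TELNET", "LDAP"}


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    ports: tuple
    protocol: str
    encrypted: bool
    description: str
    connections: int


def lint_flows(flows):
    """Return a list of (row_number, finding) tuples; an empty list means the table passes."""
    findings = []
    for row, f in enumerate(flows, start=1):
        if f.source not in ZONES or f.destination not in ZONES:
            findings.append((row, "unknown zone name; use the zone labels from Table 7"))
            continue
        if (f.source, f.destination) not in ALLOWED_PATHS:
            findings.append((row, f"path {f.source} -> {f.destination} is not a permitted zone crossing"))
        if f.source != f.destination and not f.encrypted:
            findings.append((row, "cross-zone flow must be encrypted"))
        if f.protocol.upper() in CLEARTEXT_PROTOCOLS and f.encrypted:
            findings.append((row, f"{f.protocol} is a cleartext protocol; the 'Encrypted' claim is inconsistent"))
        if not f.ports or any(not (1 <= p <= 65535) for p in f.ports):
            findings.append((row, "port list is empty or contains an invalid port"))
        if f.connections <= 0:
            findings.append((row, "estimated number of connections must be a positive integer"))
        if not f.description.strip():
            findings.append((row, "a description is required to justify the firewall rule"))
    return findings


# Constructed sample rows (not taken from any real project). Rows 5 and 6 are deliberately wrong.
SAMPLE_FLOWS = [
    Flow(UNTRUSTED, DMZ, (443,), "HTTPS", True, "Citizens to web front end", 5000),
    Flow(DMZ, PROD, (8443,), "HTTPS", True, "Web tier to application tier", 200),
    Flow(PROD, PROD, (1521,), "TCP", True, "App tier to database listener (TLS)", 50),
    Flow(VPN, PROD, (22,), "SSH", True, "Administrator access to app servers", 10),
    Flow(UNTRUSTED, PROD, (1521,), "TCP", False, "Direct database access from the Internet", 1),
    Flow(DMZ, PROD, (80,), "HTTP", True, "Legacy callback", 0),
]

if __name__ == "__main__":
    for row, message in lint_flows(SAMPLE_FLOWS):
        print(f"row {row}: {message}")
```

Run as-is it reports two findings for row 5 (forbidden Internet-to-Production path, unencrypted cross-zone flow) and two for row 6 (HTTP marked encrypted, zero connections); rows 1 to 4 pass.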

6.2.2 Network Traffic

Identify the locations of the users of the application and the network access required from each location.

Site / Number of Users at Location / Local Area Network / Wide Area Network / Internet

Table 8 - User Locations

Identify the types of data objects that will be passed between the user and the application, and the anticipated size.

The table below offers a sample list of data objects. For more information, consult the EA Prime assigned to your project.

Type of Object / Size in Kbytes
Terminal Screen / 4
E-Mail Message / 10
Web Page / 50
Spreadsheet / 100
Word Document / 200
Graphical Terminal / 500
Presentation Document / 2000
High-Resolution Image / 50,000
Multimedia Object / 100,000

Table 9 - Sample Data Object List

Type of Object / Size in Kbytes

Table 10 - Data Object List


7. Database Architecture

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 5.3: Database Security

Note: For database security considerations refer to the Security Architecture section of this document (Section 8.4, Database Security).

7.1 Initial Size of Database

<Identify the estimated size of the database in gigabytes.> ____ GB

7.2 Anticipated Annual Growth

<Identify the anticipated annual growth in gigabytes.> ____ GB

7.3 Database Features

Select all that apply:

  • Primary Keys (all tables)
  • Indices (including foreign keys)
  • Foreign Key Constraints
  • Stored Procedures
  • Transactions
  • Triggers
  • Views
  • Private Database Links
  • Public Database Links
  • Global Database Links

7.3.1 Database Environment

Must the database server run in a physical environment? Yes No

If yes, please explain.

7.3.2 Database Connection Account Type

Individual user accounts Shared user accounts

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 3.5: Architecture Patterns for Information Systems
  • Section 7.5: Application Level Security Requirements

7.4 Stored Procedures

Are stored procedures used? Yes No

If yes, please explain.

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance:

  • Section 3.5: Architecture Patterns for Information Systems

7.5 Clustering

Is database clustering being used? Yes No

7.6 Database Normalization

Does the database conform to third normal form or above? Yes No

For custom applications: If no, please explain.

8. Security Architecture

8.1 Threat Mitigation Plan

<Describe any controls in the application that address vulnerabilities such as those identified in the Open Web Application Security Project (OWASP) Top Ten, and the following:

  • Input validation: Describe the level of validation applied to untrusted input at each tier, and the precautions taken against malicious input;
  • Security of interfaces to the Internet and/or other systems: Describe the security methodologies used to interface with the Internet and/or other systems (e.g. the ePayment System);
  • Use of mobile code: Describe how mobile code (e.g. ActiveX, JavaScript) is used and the secure coding practices applied to it; and
  • Exception handling: Indicate the security strategy for handling application errors so as to prevent Denial of Service and the disclosure of information to unauthorized users (for example, displaying a stack trace to users).>
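The following Python code is an added example, not part of the template, showing two of the items above in working form: allow-list input validation at the presentation tier feeding a parameterised query at the data tier, and exception handling that returns a generic message with a correlation id to the client while the stack trace stays in the server log. The case-number format, the table layout and the in-memory sqlite3 database are assumptions constructed for the example.

```python
"""Added example: input validation per tier and safe exception handling.
Illustrative only; the case-number format, schema and in-memory database are assumptions."""
import logging
import re
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")

# Presentation tier: allow-list validation. Assumption: a case number is 1 to 12 digits.
CASE_NUMBER_RE = re.compile(r"[0-9]{1,12}")


class ValidationError(ValueError):
    """Raised for malformed client input; its message is safe to return to the client."""


def validate_case_number(raw) -> str:
    """Reject anything that is not a well-formed case number before it reaches the data tier."""
    if not isinstance(raw, str) or not CASE_NUMBER_RE.fullmatch(raw):
        raise ValidationError("case number must be 1-12 digits")
    return raw


def fetch_case(conn, case_number: str):
    """Data tier: a parameterised query, never string concatenation, even for validated input."""
    cur = conn.execute("SELECT case_number, status FROM cases WHERE case_number = ?", (case_number,))
    return cur.fetchone()


def handle_request(conn, raw_case_number) -> dict:
    """Return a response dict. Internal failures are logged with a correlation id and
    never echoed to the client: no stack traces, SQL text, file paths or driver messages."""
    try:
        case_number = validate_case_number(raw_case_number)
        row = fetch_case(conn, case_number)
        if row is None:
            return {"status": 404, "body": {"error": "not found"}}
        return {"status": 200, "body": {"case_number": row[0], "status": row[1]}}
    except ValidationError as exc:
        # Client error: a short, generic reason is enough; say nothing about the validation engine.
        return {"status": 400, "body": {"error": str(exc)}}
    except Exception:
        # Server error: full detail stays server-side, keyed by an id the user can quote to support.
        correlation_id = uuid.uuid4().hex
        log.error("request failed id=%s\n%s", correlation_id, traceback.format_exc())
        return {"status": 500, "body": {"error": "internal error", "reference": correlation_id}}


def build_demo_db():
    """Constructed sample data standing in for the Production Zone database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (case_number TEXT PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO cases VALUES (?, ?)", [("1001", "open"), ("1002", "closed")])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for raw in ["1001", "9999", "1001' OR '1'='1", "<script>alert(1)</script>"]:
        print(repr(raw), "->", handle_request(db, raw))
    db.close()
    # A failure in the data tier (closed connection) yields a 500 with a reference id, not a traceback.
    print("after close ->", handle_request(db, "1001"))
```

The injection and script payloads never reach the query because the allow-list rejects them at the presentation tier, and the parameterised query would still treat them as data if they did; the closed-connection case shows the error path returning only a reference id.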

Please refer to the following section(s) in the Guidelines and Best Practices document for specific guidance: