RLD PCI Compliance Project

Project Charter For Certification

Executive Sponsor – Robert Unthank, Superintendent, RLD
Business Owner – Robert Unthank, Superintendent, RLD
Project Manager – Michelle Langehennig, CIO, RLD
Project Manager – Fabio Mir, RLD
Original Plan Date: January 17, 2018
Revision Date: NA
Revision: 1.0

Table of Contents

About This Project Charter Document

Table of Contents

1. project background

1.1 Executive Summary -rationale for the project

1.2 Summary of the foundation planning and documentation for the project

1.3 Project Certification Requirements

2.0 Justification, Objectives and impacts

2.1 Agency Justification

2.2 Business Objectives

2.3 Technical Objectives

2.4 Impact on Organization

2.5 Transition to Operations

3.0 Project/Product Scope of Work

3.1 Deliverables

3.1.1 Project Deliverables

3.1.2 Product Deliverables

3.2 Success and QUALITY METRICS

4.0 Schedule Estimate

5.0 Budget Estimate

5.1 Funding Source(s)

5.2. Budget By Major Deliverable or Type of expense -

5.3 Budget By Project Phase or Certification Phase

6.0 Project Authority and Organizational Structure

6.1 STAKEHOLDERS

6.2 PROJECT GOVERNANCE PLAN

6.3 PROJECT MANAGER

6.3.1 PROJECT MANAGER CONTACT INFORMATION

6.3.2 PROJECT MANAGER BACKGROUND

6.4 PROJECT TEAM ROLES AND RESPONSIBILITIES

6.5 Project management Methodology

7.0 Constraints

8.0 Dependencies

9.0 Assumptions

10.0 Significant Risks and Mitigation Strategy

11.0 COMMUNICATION PLAN FOR EXECUTIVE REPORTING

12.0 INDEPENDENT VERIFICATION AND VALIDATION - IV&V

13.0 Project Charter Agency Approval Signatures

14.0 Project Charter Certification Approval Signature

Revision History

Revision Number / Date / Comment
1.0 / January 17, 2018 / Submitted for PCC Initiation


1. project background

1.1 Executive Summary - Rationale for the Project

The Regulation and Licensing Department (RLD) Construction Industries Division (CID) and Boards and Commissions Division are responsible for inspecting and issuing permits and licenses for the State of New Mexico. All commercial entities, both within and outside New Mexico, that conduct business in the state must be inspected and must obtain or maintain the required permit and/or license in good standing with the RLD. To perform this function, the Boards and Commissions Division uses an external public-facing portal (EGov) and an internal portal (MyLicense Office). These permitting and licensing portals include payment card processing, which falls within the scope of the mandatory Payment Card Industry (PCI) Data Security Standard (DSS); however, the current systems and processes are not PCI compliant.

To address the PCI compliance requirements, RLD plans to change the architecture of the permitting and licensing payment subsystem to use a hosted payment page. This change will dramatically reduce the compliance burden on RLD while ensuring the security of card-based payments. This is a four-part solution:

  • Contract with the current system provider, System Automation, to redesign the Permitting and Licensing portal payment module, which currently captures and transmits cardholder data (CD) through RLD servers and network, so that it redirects portal users to a payment page hosted by RLD's current PCI DSS-compliant payment gateway provider, CyberSource.
  • Amend the contract with CyberSource from an API-based payment processing plan to CyberSource Secure Acceptance Web/Mobile, an externally hosted payment page that keeps all CD off RLD servers and networks.
  • Eliminate payment card processing on the two existing internal payment kiosks, taking those systems out of PCI scope.
  • Contract with a professional services company to write new security policies and procedures appropriate to the PCI DSS guidelines.
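The hosted-page redirect described above, as an added illustration that is not part of this charter and not CyberSource's or System Automation's code: the portal sends only non-cardholder fields to the hosted page, signs them, and must verify the provider's signed result before acting on a payment decision. The field names, the comma-joined "name=value" HMAC-SHA256 signing scheme and the secret are assumptions modelled on the general shape of hosted-checkout forms; a real integration follows the vendor's documentation.

```python
import base64
import hashlib
import hmac
import uuid

# Constructed sample secret for this example only; a real key lives in a secret store.
SECRET_KEY = b"constructed-sample-secret-not-a-real-key"
# Fields the portal signs on the way out (assumed list, modelled on hosted-checkout forms).
SIGNED_REQUEST_FIELDS = ["access_key", "profile_id", "transaction_uuid", "signed_field_names",
                         "transaction_type", "reference_number", "amount", "currency"]

def sign_fields(fields, signed_names, secret):
    """Assumed scheme: HMAC-SHA256 over 'name=value' pairs joined by commas, Base64-encoded.
    Only the fields listed in signed_names are covered, in that order."""
    data = ",".join(f"{name}={fields[name]}" for name in signed_names)
    return base64.b64encode(hmac.new(secret, data.encode(), hashlib.sha256).digest()).decode()

def build_redirect_form(reference_number, amount, currency="USD"):
    """Form the portal POSTs to the hosted page. No cardholder data is in it: the customer
    types the card on the provider's page, so it never crosses RLD servers or network."""
    fields = {
        "access_key": "ACCESS_KEY_PLACEHOLDER",    # issued by the provider
        "profile_id": "PROFILE_ID_PLACEHOLDER",    # issued by the provider
        "transaction_uuid": uuid.uuid4().hex,      # one-time value, defeats replay of a form
        "signed_field_names": ",".join(SIGNED_REQUEST_FIELDS),
        "transaction_type": "sale",
        "reference_number": reference_number,
        "amount": amount,
        "currency": currency,
    }
    fields["signature"] = sign_fields(fields, SIGNED_REQUEST_FIELDS, SECRET_KEY)
    return fields

def verify_response(posted, secret, required=("req_reference_number", "req_amount", "decision")):
    """Trust the provider's POST back to the portal only if the signature verifies AND every
    field the portal acts on is inside the signed set. The message names its own signed
    fields, so without the second check a forged POST could sign a harmless subset."""
    try:
        signed_names = posted["signed_field_names"].split(",")
        expected = sign_fields(posted, signed_names, secret)
    except KeyError:
        return False
    if not set(required) <= set(signed_names):
        return False
    return hmac.compare_digest(expected, posted.get("signature", ""))

def sample_provider_response(reference_number, amount, decision, secret=SECRET_KEY):
    """Constructed stand-in for the provider's signed result, to exercise verify_response."""
    names = ["req_reference_number", "req_amount", "decision", "signed_field_names"]
    resp = {"req_reference_number": reference_number, "req_amount": amount,
            "decision": decision, "signed_field_names": ",".join(names)}
    resp["signature"] = sign_fields(resp, names, secret)
    return resp
```

The SAQ-A scoping argument rests on the first function never carrying card data; the response check is what stops a tampered amount or decision from being recorded against a permit or license.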

1.2 Summary of the foundation planning and documentation for the project

For nearly four years, RLD has struggled to meet PCI Compliance with its current payment applications, Accela and MLO. The costs of migrating to another solution are far greater than the cost savings approach outlined in this Project Charter. RLD submitted the C2 Business Case for this project in mid-November 2017.

1.3 Project Certification Requirements

Does the project fit into the criteria for certification? Which and how?

CRITERIA / YES/NO / EXPLANATION
Project is mission critical to the agency / YES / Without a PCI compliant payment environment, RLD will no longer be able to accept credit card payments.
Project cost is equal to or in excess of $100,000.00 / YES / Proposed solution requires $334,400.
Project impacts customer on-line access / YES / During permitting and/or license application, user will be routed to another server to process the payment.
Project is one deemed appropriate by the Secretary of the DoIT / YES
Will an IT Architecture Review be required? / YES / Architecture is remaining the same. A TARC waiver will be requested.

2.0 Justification, Objectives and impacts

2.1 Agency Justification

RLD must support its mission to provide services to the citizens of New Mexico by maintaining a PCI compliant technical environment.

Number / Description
Agency MISSION / The purpose of the construction industries and manufactured housing program is to provide code compliance oversight; issue licenses, permits and citations; perform inspections; administer exams; process complaints; and enforce laws, rules and regulations relating to general construction and manufactured housing standards to industry professionals.

2.2 Business Objectives

The following are the business objectives of the PCI compliance project:

Number / Description
Business Objective 1 / Achieve full PCI DSS 3.2 compliance for RLD and associated Permitting and Licensing application.
Business Objective 2 / Maintain PCI DSS 3.2 compliance through the life of the Permitting and Licensing program and for as long as the PCI DSS compliance specification is relevant.
Business Objective 3 / Reduce long-term cost of achieving and maintaining PCI compliance over the current status quo costs.

2.3 Technical Objectives

The following are the technical objectives of the PCI compliance project:

Number / Description
Technical Objective 1 / Redesign and recode the payment module in the Permitting and Licensing Portal to use a CyberSource-hosted page.
Technical Objective 2 / Segment the network so that the redirect servers are in a separate environment from the rest of the DMZ.

2.4 Impact on Organization

The following areas may impact RLD and will be addressed by the project through its planning process.

Area / Description
End User / A robust and easy-to-use online system for Business Services Division customers to access vital business and financial services online and at their convenience. This convenience tends to increase compliance with existing business and corporate filing requirements and statutes while reducing the need for additional Business Services Division staffing.
Business Processes / Simplifies application adaptation to new payment methods (such as Amex) and security technologies, due to CyberSource's strong relationships and integration with key financial institutions, credit card providers, and payment technology providers.
IT Operations and Staffing / Greatly reduces the number of hours spent meeting PCI requirements.
Other / Prevents penalties for non-compliance, which are currently over $1,200/month for the RLD and could conceivably grow to $10,000/month. If RLD is the only agency unable to achieve PCI compliance, this could amount to $120,000/year for non-compliance.

2.5 Transition to Operations

The following transition to operations areas will be accounted for in the project's planning and requirements specifications:

Area / Description
Preliminary Operations location and staffing plans / The payment page will be fully hosted by CyberSource. RLD IT staff will have necessary access to make any changes to the layout, wording and data format as required.
Data Security, Business Continuity / There will be minimum downtime with this proposed project since the payment portal will be programmed off site and will only need to be pointed to by the current payment systems. CyberSource is certified as a PCI compliant vendor.
Maintenance Strategy / Maintenance will be nearly seamless with our current maintenance practices.
Interoperability / Since the project will create a fully hosted payment environment through web protocols, integration with RLD’s applications is easily done through redirect code added to the existing systems.

3.0 Project/Product Scope of Work

3.1 Deliverables

3.1.1 Project Deliverables

This Project Charter and the Initiation Certification form were prepared for the Project Certification Committee. Additional project deliverables will be added as they are completed.

3.1.2 Product Deliverables

The product deliverable documents will be listed as they are provided by the vendor.

3.2 Success and QUALITY METRICS

The following metrics were selected to meet the end goals of the Executive Sponsor and the Business Owner, as well as to measure the project team's ability to stay within schedule and budget.

Number / Description
Quality Metrics 1 / Meet all applicable security controls and compliance items from PCI SAQ-A. To be validated by Risk Sense.
Quality Metrics 2 / Decrease Annual expenditure attributable to PCI compliance activities under the proposed solution compared to the expenditure under the status quo.

4.0 Schedule Estimate

The project is being presented for Initiation on January 24, 2018. The planned project end date is June 30, 2018.

5.0 Budget Estimate

The following is the information regarding the funding sources, budget by major deliverable and by project phase.

5.1 Funding Source(s)

Source / Amount / Associated restrictions
PCI Compliance fund, RLD operating budget and computer system enhancement fund / $334,400 / The money must be used for the purpose of bringing RLD into PCI SAQ-A compliance.

5.2. Budget By Major Deliverable or Type of expense -

Item / Cost Estimate
CyberSource hosted payment portal / $267,400
Hardware / $67,000
RLD IT Staff / $30,000
Total / $364,400

5.3 Budget By Project Phase or Certification Phase

Item / Cost Estimate
Initiation / $67,000
Planning / $0
Implementation / $267,400
Total / $334,400

6.0 Project Authority and Organizational Structure

6.1 STAKEHOLDERS

Stakeholders should be a mix of agency management and end users who are impacted positively or negatively by the project.

name / Stake in Project / Organization
License & Permit Applicants / Ability to Pay online / general public requiring permits or licenses
Front Desk Staff / process applications and answer questions in person and via telephone / RLD
IT Operations staff / Support the new system / RLD
CID/MHD Director / manage the division that processes applications for permits / RLD
B&C Director / manage the division that processes applications for licenses / RLD

6.2 PROJECT GOVERNANCE PLAN

The following is a diagram of the organization structure including steering committee members, project manager and technical/business teams.

6.3 PROJECT MANAGER

6.3.1 PROJECT MANAGER CONTACT INFORMATION

name / Organization / Phone #(s) / Email
Michelle Langehennig / RLD / 505-629-2016 /
Fabio Mir / RLD / 505-470-5200 /

6.3.2 PROJECT MANAGER BACKGROUND

6.4 PROJECT TEAM ROLES AND RESPONSIBILITIES

Role / Responsibility
Michelle Langehennig / Oversee the project as CIO and lead the project as project manager
Fabio Mir / Provide support to the lead project manager
Chuck Slocter / Provide technical expertise

6.5 Project Management Methodology

The PCI Compliance Project will follow a standard solution development life cycle (SDLC) with plan, define, design, build, and closeout steps.

7.0 Constraints

The following are project constraints:

Number / Description
Constraint 1 / Approval of requested computer system enhancement funds
Constraint 2 / Need to complete the project in a very short timeline

8.0 Dependencies

The following are dependencies inherent to the work being done.

Number / Description / Type M,D,E
Dependency 1 / Project initiation / M

9.0 Assumptions

The following are assumptions made regarding the project.

Number / Description
Assumption 1 / The contract will require that the software development vendor stay with the project to completion.
Assumption 2 / Payment Page Provider Vendor, CyberSource, will stay in business.
Assumption 3 / Requirements gathering will be full and complete.
Assumption 4 / RLD and vendor staff will ensure multiple members of each organization are present during requirements gathering and design phases. This will provide safety against key staff leaving an agency or organization.
Assumption 5 / Vendor is deeply familiar with RLD’s products, lowering the risk of high staff utilization.
Assumption 6 / Vendor will honor service contract to fix any discovered bugs or flaws.

10.0 Significant Risks and Mitigation Strategy

The following are identified project risks and mitigation strategies.

Risk 1

Description - Vendor abandonment (software development): If the contracted vendor were to abandon the project, the project would be halted or seriously delayed. / Probability Low / Impact High
Mitigation Strategy: Continue with reliable vendor
Contingency Plan: If the vendor were to abandon the project early in the process, before funds were used, another developer could be brought in. If the vendor were to abandon the project late in the development process, it would be possible for existing RLD IT staff to finish the required software development work. If neither of these were feasible, we would need to turn to one of the other alternatives listed.

Risk 2

Description - Vendor abandonment (payment page provider): If CyberSource, our payment page provider, were to remove or significantly alter their hosted payment page service, additional development work may be required to adapt to a new provider or to the page changes. / Probability Low / Impact Medium
Mitigation Strategy: Our financial service provider would likely have a new recommended payment page host.
Contingency Plan: Payment gateway providers are numerous and our financial service provider would likely have a new recommended payment page host. RLD IT would likely be able to make the small required changes to the application to accommodate a different payment page host given that most of the initial integration has been completed.

Risk 3

Description - Inadequate or incomplete requirements gathering: If project requirements are not fully understood or updated early in the process the final product may not address the true needs of the project or additional time or funding would be required to remedy the situation. / Probability Low / Impact High
Mitigation Strategy: Proper Project Management
Contingency Plan: Project management would occur both inside the contracted organization, System Automation and Accela Replacement, and from RLD IT with cross-checking occurring between each organization throughout the requirements gathering and design phases. This has worked well in past endeavors.

Risk 4

Description - Loss of key staff: Application and business process knowledge exists in only one or two individuals, depending on knowledge type. If one of the key individuals were to leave during key points in the project, the finished product might not be adequate to the task, resulting in continued PCI non-compliance. / Probability Medium / Impact High
Mitigation Strategy: Include overlaps in knowledge
Contingency Plan: Include multiple RLD IT personnel during requirements gathering and design phases. Ensure good written documentation of requirements. Split project management between external and internal entities. Ensure that there are multiple sources for all key project knowledge.

Risk 5

Description - High staff utilization: If key staff are over-utilized and cannot properly contribute to key phases, a poor final product could result or the product could be delayed, resulting in continued PCI non-compliance. / Probability High / Impact Low
Mitigation Strategy: Vendors who know the product
Contingency Plan: The external vendor is already deeply familiar with the product. Ensure staffing is available for the requirements, design, and, to some extent, the testing phases.

Risk 6

Description - Critical bug or flaw discovered: If a critical bug or flaw is discovered in the existing Permitting and Licensing portal application or in the new development, the application could be rendered unusable or deemed unreliable. / Probability Low / Impact High
Mitigation Strategy: Good service contract
Contingency Plan: Our existing service contract covers bugs and flaws discovered. If the vendor should fail to honor this service contract and/or fail to fix the discovered flaw, RLD IT may be able to fix the flaw on its own, or an additional external developer would need to be engaged.

11.0 COMMUNICATION PLAN FOR EXECUTIVE REPORTING

Bi-weekly project planning meetings are being held and upon project initiation, executive steering committee meetings shall be held on a weekly basis through project completion.

12.0 INDEPENDENT VERIFICATION AND VALIDATION - IV&V

A waiver will be requested for IV&V. If the waiver is granted, the following items will be monitored by internal IT staff.

Project/Product Area / Include - Yes/No
Project Management / Yes
Quality Management / Yes
Training / Yes
Requirements Management / Yes
Operating Environment / Yes
Development Environment / Yes
Software Development / Yes
System and Acceptance Testing / Yes
Data Management / Yes
Operations Oversight / Yes
Business Process Impact / Yes

13.0 Project Charter Agency Approval Signatures

Signature / Date
Executive Sponsor
Business Owner
Project Manager

14.0 Project Charter Certification Approval Signature

Signature / Date
DoIT / PCC Approval
