Worldpay 2014. All rights reserved.

GTE PMO Checkpoint Passport

Delivery Approval Board (DAB)
Secure File Gateway
Checkpoint 3 - Request to Exit Development
Stage
Tobin Mathew
31/05/2016
v0.1

Request to exit

1. Project Summary

Development Stage

Project Number

WorldPay Sponsor and Stakeholders names

Secure File Gateway

GTE Project Manager: Tobin Mathew

Business Unit Project Manager: Mike Ashworth
Project Sponsor: Mike Ashworth
GTE Programme Manager: NAP director -Robin
Foote

Requesting Business Unit

NAP

Brief Project Description (Please reference which platforms the project relates to)
Secure File Gateway is the new file gateway solution for WorldPay . SFG will replace MFG . Migration is
planned to start in August. SFG will initially go live with only NAP traffic . VISA and MasterCard will integrated
to SFG . NCL 03rd Parties ( Amex , FundTech, Brighterion, UK Mail ) has been on boarded to SFG . All NAP
applications will be integrated to SFG.
Decision Required
SFG is ready to go live for NAP . Functional testing , Operation Acceptance testing , Performance testing and Integration to NAP
has been completed . ORR-3 has been completed and signed off . Production validation on SFG by Middleware has been
completed and signed off .

GTE Project Budget (HLE and Non-Resource

Costs)
GTE Mandays

GTE Non-People Costs

(Plan / Actual)

(Plan / Actual)

N/A

N/A

Benefits
SFG is replacement for MFG .
SFG is Active Active architecture decreasing the
RTO and RPO.

List the main changes from the previous checkpoint

SFG is a NAP project and has not had any of the checkpoints before .
Schedule - On track/ rebaselined/missed milestones Cost Headlines - Increased costs/on budget
Scope/ Quality - Scope changed? New requirements?
Benefits - Are any benefits likely to change/be missed?
**Please Note: Any changes to the above drivers should be approved by PMM ahead of seeking DAB approval.**

Request to exit

2. Project Status

Development Stage

RAG status of Project Control Points (this should reflect your latest Project Status report)
Overall

Schedule

Cost Estimate (Plan / actual per

stage)

Project Stage

1. Definition

(Mandays
)

(,000)
1285 MFG- SFG Migration

26/26

3.
Developmen
t

0/70

4. Delivery

0/83

28

TOTAL

189

51

2. Design

Title

NonPeople

7/7

193

51

Variance

Impact Description

S RAG

MFG to SFG migration was planned before

NCL . This was to facilitate the Migration on
to a Non Live system(SFG). However due to
the continued delay to RBS connectivity to
SFG . SFG had to go live for NCL . Migration Remot Mediu
e
m
from MFG to SFG will be done onto a live
SFG system . SFG will be fully operational
system for NCL , during the migration, This
could have impact on NAP if SFG becomes
Unavailable.

Action Plan

SFG is Active - Active . NAP will

be integrated to SFG always in 1
data centre . Migration is
planned keeping in mind there
should be no impact to BAU
Amber (legacy) process and NAP.
At No instance will SFG in DC01
and DC02 become Unavailable .
Though SFG will be running on
low resilience during the
migration from Friday to Sunday

Key Issues (Top 3 highest priority issues)

ID

Latest
Approved
Budget
(Date)

Resource

Key Risks (Top 3 highest priority risks)

ID

Resourc
e

Scope/
Quality

Cost

588

Title

Impact Description

The Issue is that RBS has put a freeze on all Firewall

changes and there is no new date scheduled for the
changes.
This Freeze has impacted the SFG (PPE and PROD )
SFG Integration with RBS
Integration to RBS .
RBS have not confirmed when the restriction on firewall
changes will be relaxed and therefore the next possible
implementation date is unknown.

RAG

Action Plan

Medi
um

Amber

Firewall changes now scheduled

for 2nd June.

3. Open DAB Actions & DAB Exceptions

Request to exit
Development Stage

1. Navigate to the DAB Actions Report and DAB Exceptions Report in SharePoint
2. Filter the list of actions and exceptions by Project name. If there are no outstanding Actions or DAB
Exceptions, the project name will not be listed - skip step 3

3. Capture a screenshot of the filtered results, crop and insert 2 separate screenshots for the open DAB Actions
and DAB Exceptions

4. If there are no outstanding DAB Actions or DAB Exceptions, please insert the following text in the centre of this
slide There are no outstanding DAB Actions or DAB Exceptions
Note: Please remove this guidance text including the example screenshots provided above

Request to exit

4.
Development
Project
Name Stage Outputs

Development Stage

Mandatory Project Deliverables

Mandatory Project Deliverables

Deliverable (with hyperlink to final document on SharePoint)

Low level Design

Version
Number
vX.X

Approvers

Date
Approved

QM Status

DD/MM/YYYY

P:\Tech-Trans\Streamline Transaction Engine\Core\Streamline Redesign-Repla

cement\SFG\SFG Docs\Low Level Design\SFG_TD_v1.0.docx
CIT completion report

OAT completion report

FG Technical Recovery Plan and SoE

P:\Datacentre Recovery\Secure File Gateway Technical Recovery Plan.do

cx
. \\UKDC2-PC-DFS01\General
Build Guide :
P:\Tech-Trans\Streamline Transaction Engine\Core\Streamline Redesign-Repl
acement\SFG\SFG Docs\Build Documents\20151106_SFGBuildGuide_v1.0.docx

Requested Exceptions or Waivers

SFG is a part of NAP project , so has not undergone tailoring process

5. Project High Level Plan

Request to exit
Development Stage

7. Enterprise Security - Slide 1 of 2

Request to exit
Development Stage
(A)

Management Summary

Security Status

CP3 Approved/Rejected (delete as applicable): Insert the management summary to support the outcome of the
assessment which should include a reason for the RAG status.

Criteria
Penetration Testing

Enterprise Security Outcome

Status

Green = Identified issues (Critical, High & Medium) remediated with the Threat & Vulnerability
Management standards.
Amber = Some outstanding minor issues to be remediated within the warranty period.
Red = Penetration testing incomplete or major outstanding issues to be remediated with the
Threat & Vulnerability Management standards.

Green = All High criticality vulnerabilities remediated. All systems and applications have been
deployed with the System & Application Security Standards.
Vulnerability scanning Amber = Some outstanding system vulnerabilities to be remediated within warranty period.
Red = Outstanding system vulnerabilities to be remediated.

Data Classification and Data is secure and access is controlled as per the Security baseline controls (Green = Yes, Red = No)
Adherence with IC&H See Information Classification and Handling Standards
Evidence to be provided to confirm adherence (PCI team approval/PM sign-off/TSA)
Standards
Security audit logging is enabled and aligned with the Security Audit & Logging standards (Green =

Auditing Enabled and

Yes, Red = No)
Logs Received by SIEM Security Ops / PM to provide evidence
File Integrity
Monitoring (FIM) has
been implemented. (If
applicable) + IDS
PCI Compliance
Adherence and
Accepted by
Responsible QSA

File Integrity Monitoring (FIM) is implemented (Green = Yes, Red = No)

Security Ops / PM to provide evidence
PCI compliance is adhered to for all components within the defined cardholder data environments
(CDE) including appropriate level of ENCRYPTION.
(Green = Yes, Red = No)

7. Enterprise Security - Slide 2 of 2

Request to exit
Development Stage
(B)

Management Summary

Security Status

CP3 Approved/Rejected (delete as applicable): Insert the management summary to support the outcome of the
assessment which should include a reason for the RAG status.

Criteria

Enterprise Security Outcome

Status

Green = All application code has been subject to a Security Review and all identified vulnerabilities
remediated with the secure application development guidelines.
Application Security / Amber = Some of the application code has been subject to a Security Review and some of the
identified vulnerabilities remediated with the secure application development guidelines.
Code Review
Red = Outstanding application code vulnerabilities are to be remediated.
Veracode (or manual review) output . Consulting approved exceptions. WAF integration (if required)

Logical Access
Management (PCI)

Green = Documentation around Access Model - Evidence of 1. Roles. 2. Users 3. Access Approvals.
4. System Check using AD
Amber Incomplete or partial documentation
Red No documentation
Removal of unnecessary access (Testers, Developers).

Implementation of
Encryption solution

Green = Encryption solution implemented as designed & approved by ES

Red = Encryption solution not implemented as in documented design

6. Service Management

Request to exit
Development Stage

Management Summary

Service Status

CP3 Approved: Service status is Green due to all Service Acceptance Criteria (SAC) being on schedule, and/or with a
clear path to green. All SAC criteria owners have given a GO decision at ORR 4 with an understanding of the
schedule/plan to get to Green.

Criteria
Service Design and
Service Ownership

Service Management Outcome

Green

Status

Green = The project change is agreed with Service Owner and Service has been identified and
approach understood.

Green

Service Transition
Artefacts

Green = All agreed artefacts (SLA, SOM, SM, Warranty) are approved and final versions have been
communicated.

Green

Technical Recovery
Plans and SOEs

Green = The SOEs have been completed following the build activities and a TRP has been created
and approved by the ITSCM representative.

Green

Awaiting baseline Production Validation activities to be completed completion date: 02/06/2016

Green

Status of Service
Acceptance

Operational Risks
Raised

Green = There are no operational risks identified at this stage or the operational risks have been
captured in the Risk register and have been accepted by the risk owner.

Green

8. Infrastructure & Operations

Request to exit
Development Stage

Management Summary
CP3 Approved subject to The Project Issuing the approved Test Completion report current target date for this
03/06/2016

Criteria

Infrastructure & Operations Outcome

Infrastructure Capacity Green = All SFG environments have been delivered.

I&O Resource Plan

I&O Checkpoint Exit

Criteria
Deliver Phase I&O
Milestones

Green = Resources hard booked under the NAP project in the I&O resource plan.

I&O
GreenStatus

Status
Green

Green

Test Completion Report Due from project by 03/06/2016.

Infrastructure Design has been approved.
No specific Milestones for the Deliver phase but I&O will support the release process where
applicable

Amber

Green

9. Approval to proceed

Request to exit
Development Stage

Overall Summary - Proposal

Business Area

Approval Comments

Name

Date

GTE Project
Manager
Business Unit
Project Manager
GTE Programme
Manager
GTE Quality
Management
GTE Finance
GTE Service
Management
GTE Enterprise
Security
GTE Infrastructure &
Operations
Head of PMO (DAB
Chair)

Meeting Decision (populated after the meeting)

 Worldpay 2014. All rights reserved.

Front Cover (Quality Management)

Project Number - Project Name (Calibri (Body), Bold, Italic, Size 32)
Checkpoint Template (1, 2, 3 or 4)
Project Manager Name
DAB Date (DD/MM/YY)
Version 1.0
DAB Passport Filename: [Project Code] [Project Name] [CP] Passport

Any questions?
Contact
GTEPMO@worldpay.com

GTE PMO Team Site

http://
teams.worldpay.local/sites/cats/cats-pmo/Pages/default.asp
x

e.g.CPT0020

Autorek CP1 Passport

Project Summary (PMO)

Project Number, Sponsors/Stakeholders, Requesting Business Unit
GTE Mandays, GTE Non-People Costs (Plan/Actuals)
Changes to Schedule, Cost Headlines, Scope/Quality, Benefits (Confirmed pre
DAB)
User Friendly PDD and Business Case/PRF URLs

Checkpoint Stage Outputs (Quality Management)

User Friendly Deliverable URLs, Approved Version Number (1.0), Date Approved
(DD/MM/YY)
SharePoint Exceptions/Waivers, ID, Stakeholder Agreement

Project Status (PMO)

Project Control Points RAG = Weekly Status Report RAG
Checkpoint Cost Estimates (Plan vs Actual)
Total, Variance Verified
Key Risks: SharePoint ID, Title, Description, P, I & S (Numerical), RAG, Action Plan
Key Issues: SharePoint ID, Title, Impact Description, Impact, RAG, Action Plan

Project High Level Plan (PMO)

Project Plan reflects current activities required to achieve subsequent checkpoint

www.worldpay.com