Attachment A Georgia Web Based Application Checklist Additional Information

calvesnorth, Networks and Communications

24 Oct 2013 (3 years and 9 months ago)



PURPOSE OF USING ONLINE MEAL APPLICATIONS

The purpose of this document is to provide additional information requested on the Georgia Web Based Application Checklist.

Parents/guardians who have access to the Internet can complete the Meal Benefits Application from anywhere in the world. Utilizing a web based system offers added value for Districts and parents/guardians.

This process saves time for District personnel to process the application, avoiding costly delays in processing applications. It makes it convenient, quick and easy for a parent/guardian to apply for benefits. Parents/guardians are sent an email as "proof" that the application was submitted.


The web application provides several strategies in order to ensure that the data being submitted is accurate and complete. Each step (and the entire application as a whole) is checked for completeness both during the application process and on the final review screen. On the final review screen the web application will double check the data entry using predefined rules to ensure that most common mistakes are corrected by the user before submission. Please refer to Attachment B, “Online Application Process”, pages 9 through 12 for more information.

This website does not determine meal eligibility benefits. It simply gathers the information from the parent/guardian much like the paper application. However, the AFL website directly interfaces with the District's MCS Free & Reduced Application software, where the final eligibility of each student is determined and parent notification letters are generated. The MCS Free & Reduced Application software interfaces with the District's Student Information System (SIS). The District receives alert messages sent via email of possible system issues, the number of applications ready to be imported, and the number of applications that were imported.


Do you have written internal procedures for processing web-based applications for school meals? (Please attach a copy of the procedures.) Procedures should address:

Please see attached internal procedures for processing web-based applications.

(The District needs to include their internal procedures here. The District can also reference “Interfacing with MCS Free & Reduced Application Software” on pages 18 and 19 of the “Online Application Process” document.)


Conversion steps to make this process available

Parents/Guardians visit the web site www.ApplyForLunch.com, select a zip code or state, and then select the school District name. The District can insert a link to the web site from any web page (e.g. APS Nutrition Web page, Parent portal for online payments, District’s Student Registration page, etc.).

(The District may want to add additional information here pertaining to notifying parents/guardians.)

(The District may want to include the attached “AFL - Parent Postcard2.pdf” file.)


Contingency plan to address unauthorized access and security risks

The MCS Free & Reduced software utilizes an SQL Server back-end that is housed on the District’s file server. At no time is confidential production data moved outside of this environment. The MCS online application web site, www.ApplyForLunch.com, does not transmit sensitive information outside of the District. The site simply collects the data from the information entered online by the parent/guardian. The system then passes that information to the MCS Free & Reduced Application software at the District, which then compares and matches students accordingly. All data is secured via SSL HTTPS transmission. The school District also has the option in the web application to specify the exact IP address of their back office server in order to limit the scope of all integration attempts. Furthermore, integration attempts are protected against brute force attacks by implementing an integration lockout after multiple invalid attempts.


The site is independently scanned by ControlScan to check for cross-site scripting, SQL injection, remote file inclusion and many other application and network-based vulnerabilities. In the event of a breach, MCS would take steps to identify the extent of the breach (via host, firewall, application logs, etc.) and take appropriate action from there. For example, if the breach was user token related, MCS would alert affected users via email and force password resets. If there is a data breach, MCS would take appropriate actions up to and including alerting the District in detail regarding the nature of the breach. Finally, MCS also has the option to disable/shutdown the service at any time if deemed necessary.


The ApplyForLunch web site meets all of the Level 2 requirements as recommended in the USDA Memo Code: SP 10-2007, SFSP 06-2007, CACFP 07-2007, “Update on Electronic Transactions in the Child Nutrition Programs”.


The ApplyForLunch web site uses an encryption system that includes additional security for preventing “guess attacks” to the Administration Area that will force users to use a CAPTCHA (challenge-response test used to ensure that the response is not generated by a computer) to login after three (3) failed login attempts and the user account is locked after six (6) failed login attempts. Unlocking the user must be performed by a District Administrator. Additionally, audit trails are in place for all login attempts, both successful and failed attempts. The audit trail is a record in the database that includes the username attempted, date attempted, success or failure attempt, and the IP address of the user.
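The lockout policy described above (CAPTCHA after three failures, lock after six, administrator unlock, audit record per attempt) can be expressed as a small state machine. This is an added example, not code from ApplyForLunch or MCS; the class name, return values, sample credential store and the handling of attempts that arrive without a solved CAPTCHA are assumptions.

```python
import hmac
from datetime import datetime, timezone

CAPTCHA_AFTER = 3  # from the page: CAPTCHA after three failed logins
LOCK_AFTER = 6     # from the page: account locked after six failed logins


class LoginGuard:
    """Hypothetical sketch of the lockout policy; not the ApplyForLunch code."""

    def __init__(self, credentials):
        # Constructed sample store (username -> password). A real system
        # would hold salted password hashes, not plaintext.
        self.credentials = credentials
        self.failures = {}   # username -> consecutive failed attempts
        self.locked = set()  # usernames awaiting an administrator unlock
        self.audit = []      # one record per attempt, success or failure

    def _audit(self, username, ip, success):
        # The four fields the page lists for the audit trail.
        self.audit.append({"username": username, "ip": ip, "success": success,
                           "date": datetime.now(timezone.utc)})

    def attempt(self, username, password, ip, captcha_passed=False):
        """Return 'ok', 'denied', 'captcha_required' or 'locked'."""
        if username in self.locked:
            self._audit(username, ip, False)
            return "locked"
        fails = self.failures.get(username, 0)
        if fails >= CAPTCHA_AFTER and not captcha_passed:
            # Assumption: an attempt without a solved CAPTCHA is refused and
            # audited, but the password is neither checked nor counted.
            self._audit(username, ip, False)
            return "captcha_required"
        expected = self.credentials.get(username)
        good = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        self._audit(username, ip, good)
        if good:
            self.failures.pop(username, None)
            return "ok"
        # Unknown usernames are counted like known ones, so the responses
        # do not reveal which accounts exist.
        self.failures[username] = fails + 1
        if fails + 1 >= LOCK_AFTER:
            self.locked.add(username)
            return "locked"
        return "denied"

    def unlock(self, username, by_district_admin):
        # The page requires a District Administrator to unlock the account.
        if not by_district_admin:
            raise PermissionError("only a District Administrator may unlock")
        self.locked.discard(username)
        self.failures.pop(username, None)
```

Because the audit list records refused and locked attempts as well as password checks, a reviewer can see continued guessing against an account that is already locked.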


Access to the Administration Area is only provided to the School District and is a view-only access tool to review reports containing information entered by the applicant on the web site. The information entered cannot be altered by anyone once the application is submitted.


Confidentiality, including who has access to the information and why

Three parties have access to the information captured by the online application ApplyforLunch:

The District's back end systems (MCS Free & Reduced)

Integration (data transfer) between the web server and the District's back end server (MCS Free & Reduced) is protected by user/password tokens as well as a unique global identifier only known by the District. Actual electronic access via integration can also be configured to be limited by IP or sub-net for enhanced security.

District administrators

These are people at the District with user accounts on the ApplyForLunch.com site that are responsible for managing and reporting on the application data.

MCS System Administrators

This is the MCS employee who developed the web site and continues to modify the site for enhancement capabilities.

Description of how identity of all people, both inside and outside of the local agency, will be authenticated. Include how passwords, PINs and encryption codes will be preserved to maintain access to archived information.

All users of the system are authenticated via user/password tokens. Integration requests by District servers are further authenticated by unique global identifiers and optional IP/subnet filtering methods. All information that is transmitted to the District is stored on the District's servers (same server as the MCS Free & Reduced system) for archival purposes. The District’s IT Department maintains access rights, backups, and the integrity of the data once it is transferred to their site.
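The integration checks described above (user/password token, unique global identifier, optional IP/subnet filter, lockout after repeated invalid attempts) can be combined as in the following added example, which is not MCS code. The class and return values are hypothetical, the sample addresses and identifiers in any caller are constructed, and the lockout threshold is an assumption because the document says only "multiple invalid attempts".

```python
import hmac
import ipaddress

MAX_INVALID = 5  # assumption: the page says only "multiple invalid attempts"


class IntegrationGate:
    """Hypothetical check run by the web server on each integration request."""

    def __init__(self, username, token, global_id, allowed_networks=()):
        self.expected = (username, token, global_id)
        # Optional filter: a single back office address or a subnet (CIDR).
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.invalid = 0
        self.locked_out = False

    def authorize(self, source_ip, username, token, global_id):
        """Return 'ok', 'ip_not_allowed', 'bad_credentials' or 'locked_out'."""
        addr = ipaddress.ip_address(source_ip)
        if self.networks and not any(addr in net for net in self.networks):
            # Refused before credentials are looked at and not counted, so a
            # host outside the allowlist cannot trigger the lockout.
            return "ip_not_allowed"
        if self.locked_out:
            return "locked_out"
        supplied = (username, token, global_id)
        # Compare all three fields in constant time and without
        # short-circuiting, so timing does not show which one was wrong.
        matches = [hmac.compare_digest(e.encode(), s.encode())
                   for e, s in zip(self.expected, supplied)]
        if all(matches):
            self.invalid = 0
            return "ok"
        self.invalid += 1
        if self.invalid >= MAX_INVALID:
            self.locked_out = True
        return "bad_credentials"
```

When no address filter is configured, any host can drive the invalid-attempt counter, so the filter also protects the District's own scheduled import from being locked out by a third party.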


(The District may want to add additional information about the security measures in place for accessing the data, backups, and the integrity of the data once it is transferred to their site.)


Implementation and training. Include records that will be retained to reveal how the transaction was processed.

Implementation and training will be provided by MCS in conjunction with key District personnel.

Implementation and training includes the following steps:

MCS creates ApplyForLunch Account for the District. This includes client information and user setup (user names and passwords).

MCS uploads the list of schools in the District to the web site.

MCS sets up a scheduled task on District’s server to pull in the online applications to the MCS Free & Reduced client server application.

MCS trains the District Administrators on how to customize the site.

MCS ensures that all District settings are appropriate and correct.

MCS demonstrates how the District can run in test mode to make sure the site is operating as expected.

The District approves the operational features and settings.

MCS activates the District to run on the live site.


Once the online applications are pulled into the MCS Free & Reduced client server application, users can view the information entered online exactly the way the parent/guardian typed it in.

All online records are retained and secured by MCS for one school year. Further record retention is the responsibility of the District once the data has been transmitted to District back end servers (housing the MCS Free & Reduced software). Microsoft scheduled tasks are set up to run as often as the District desires, which pull/download the data from the web site and automatically import the data into the client/server application (MCS Free & Reduced).


Legal risks

When the applicant begins the process, the web site “Terms and Conditions” are displayed. In order to continue, the applicant must perform the following:

Scroll through the “Terms and Conditions of Use” to read the entire terms. (Please refer to Appendix A for a complete description of our web site terms and conditions of use.)

Check a box titled “I have read and agree to the above terms.”

Click a button titled “I agree to the Terms.”


Back-up procedures

Data backups are retained in two locations and in two software applications: (1) at the MCS operated datacenter (ApplyForLunch) and (2) at the school's District location (MCS Free & Reduced). The web application's current year data is backed up in full nightly and transactionally during the operating day to ensure aggressive backup coverage. Furthermore, the backups are synchronized locally to another securely isolated backup server during the operating day. At the end of each day the entire day's data is encrypted and securely transmitted to a third party offsite backup location to ensure additional disaster recovery precautions.

(The District may want to add additional information here pertaining to its backup procedures.)


Periodic review, evaluation and update

MCS performs a yearly review of the site and implements requests made by the Districts and State departments in the month of June each year. The site is tested and then updated July 1 of each year.

In addition, Atlanta Public Schools will conduct periodic reviews, evaluations, and updates.


Record retention and storage, including a description of how information will be made accessible to reviewers and auditors

The data is transmitted from the online web application system (ApplyForLunch) to the District's back end servers. The software places no limit on the number of years that can be archived and accessible to reviewers and auditors. During the End Of Year process, the MCS Free & Reduced software archives the data (makes a copy of the database). The MCS Free & Reduced system contains a feature allowing the user to login to previous year databases and view any and all information as it does with the live database.

(The District may want to add additional information here pertaining to the District’s backup retention policy.)


Has the process been reviewed and approved by your local technology staff and the Board’s attorney? (Attach documentation.)

(The District should respond to this question)

Do you have the capability to provide for legally binding electronic signatures? (If this is not included in your procedures, please attach an explanation.)

The web application creates a legally binding electronic record as defined by the USDA Memo Code: SP 10-2007, SFSP 06-2007, CACFP 07-2007, Update on Electronic Transactions in the Child Nutrition Programs, by capturing the following data in a persistent data store (database) at the time of submission. When combined these act as a signature for the application.

Date/time snapshot of the exact time of submission

Record of the IP address of the computer submitting the online application

Confirmation by the user (check box) that they are 'signing' the online application and agree to the defined terms (available for review) for submission

The user must type their full name in a provided field, which is captured as entered on the record.


Note: The above meets the USDA recommendations for electronic signature, however according to these recommendations it is the District’s responsibility to review your state and/or district regulations and guidelines to ensure that they also meet your local requirements.

Are households able to submit a paper application?

(The District to respond to this question)


Has the process been reviewed to ensure that it accommodates any new School Nutrition Program requirements?

MCS reviews State and Federal regulation changes regularly, and they are implemented yearly unless the requirement requires immediate attention. If this is the case, MCS will make the change as quickly as possible.

Do your electronic records contain, at a minimum:

Date and Time of Transaction?

Yes, each submission contains a UTC (Coordinated Universal Time) date time stamp.

Identity and location of each person who transmitted information

Yes, the IP address of the computer that transmitted the application is captured.

Confirmation from the system that the transaction was received

The parent/guardian receives a notification on the screen that the transaction was submitted. In addition, if an email address is provided during the online application submittal process, the parent/guardian will receive an email confirmation letter that the application was submitted online and received by the District.

Online applications are downloaded to the District's back end servers (MCS Free & Reduced) from the web application using SSL encryption. The download is transactional in nature to ensure completeness during the download process. Applications can then be reviewed in either the MCS Free & Reduced back end software or in the online web application administrative interface.

Complete contents of the transaction

The applicant is provided a confirmation screen at the end of each application process. This review screen displays all the information entered by the applicant so that it can be verified before submission. The applicant is also prompted to sign the application by checking a box confirming they understand the terms as well as enter their full name.

Complete instructions and terms of the agreement and confirmation that these were made available to the person submitting the information

At the start and end of the application process, the applicant is required to check a box confirming they understand the terms and instructions. This information is captured and stored on the application record.

Certification that the person submitting the information is legally bound by the terms of the transaction and that they agree to be held accountable for the information provided

The applicant is required to check a box on the application agreeing to the terms as well as sign the application by entering their full name. This data is included in the application record and transmitted to the school District's back end servers (MCS Free & Reduced).


Certification that the information is true and accurate

The web application provides several strategies in order to ensure that the data being submitted is accurate and complete. Each step (and the entire application as a whole) is checked for completeness both during the application process and on the final review screen. On the final review screen the web application double checks the data entry using predefined rules to ensure that most common mistakes are corrected by the user before submission. For a complete list of the predefined rules, please refer to pages 10-13 of the attached “Online Application Process”.


Mechanism to prove that the transaction was not altered

After submission of the application the applicant cannot review or change any data entered by the applicant. It is final once submitted. Furthermore, District users can only review and cannot change any application data entered by the applicant. All access to the Administration Area of the website is allowed only by approved District users. Permissions to all areas are granular and role based. All user accounts are password protected and require opt-in/email verification in order to be activated. The entire site is accessible using secure SSL technology (HTTPS only) and is hosted in a secure datacenter.

The following mechanisms are in place to ensure transaction integrity / identity:

Date/time snapshot of the exact time of submission

Record of the IP address of the computer submitting the online School Meal Benefits Application

Confirmation by the user (check box) that they are 'signing' the online School Meal Benefits Application and agree to the defined terms (available for review) for submission

The user must type their full name in a provided field, which is captured as entered on the record.


Is your system reliable so that the document is always preserved in a useable format?

Once the original data is transmitted to the District's servers from the online system it is stored in XML format in the District server's database and always preserved in a usable format.

Will you be able to recover the data once the software is outdated?

Yes, the data is stored on the District owned/operated servers in XML and commercially supported database formats. All MCS software modules are backward compatible.

Does the system have the capability to allow submission of the application if non-required information is requested?

Yes, the web application system (ApplyforLunch) has a multitude of customizable settings to allow for submission of the application even if non-required information is requested. Examples of this include birthdate, gender, and school name. The user can easily recognize optional/required information based on bold text and red outlined highlights.