EZAZ has an existing LMS with many performance and technical issues. We are rebuilding the existing software to duplicate its current functionality, as defined in the Project Scope section.
Issues currently faced include difficulty maintaining security, PCI compliance, regulatory compliance and AOC requirements, as well as the general performance and reliability of the application.
Our replacement will be built with modern code and best practices for enterprise web application development. We will support and provide ongoing server and software maintenance at Amazon Web Services through a Maintenance and Support agreement.
The new application will run on modern code with an optimized database. The site will be fast and work correctly for customers, sign-ups and report runs.
This will increase sales, customer satisfaction, reputation and allow staff to be more productive.
We know and understand that things change. With custom application development just about anything can be done. This is a fantastic solution for your business and allows for all types of growth and customization.
We don’t want to limit this flexibility and encourage you to add important features that will help your business.
So why a project scope, and what is it about?
When we propose a project and attach a number of hours to that project, we base that on the number of hours it will take to complete a specific amount of work. That specific amount of work is the scope of the project.
The quote is directly tied to the scope. So, if items are changed, modified or added, the scope changes and the budget must be adjusted in turn; we will provide a quote for the changes in the form of a change order.
This project scope is paramount to keeping the project on time, on track and on budget.
If there is a discussion about functionality that is either not included in the scope or functions differently from what was quoted, this will be considered a change order. If we discuss something that may be out of scope, we will carefully compare the functionality to the scope. If we determine it is out of scope, we will provide an estimate of hours for the change and have you sign off on the change order before we start any work. Depending on the size of the change order, we may request up-front payment before starting work.
The EZAZ LMS will be built as a completely custom application. There will be no WordPress or plugins. This gives you the flexibility to build to meet your specific business. It also means that any application changes will need to be programmed, and this will require a quote and be billable.
Access level defines the type/groups of users that will have access to the application.
ADMIN
Admin level users have the following privileges:
STUDENT
Student level accounts will have the following privileges:
When a student clicks through from the WordPress site to the ezazlms site, they will see only the course specific to the school/course they are signing up for.
They will then be able to sign up directly for that course.
Payment processing will be done through Authorize.net. We will allow for multiple Authorize.net accounts to process orders, selected based on the course signed up for.
Administrative staff will need to perform an eligibility check before the students are granted access to the course. There will be a report available of all the newly signed up students. The eligibility check will be performed outside of the app, and the staff will grant access individually to each student.
Admin staff will have the ability to search for students, update names, update email addresses, grant and revoke access to classes, and see class progress.
Staff will be able to add new admin staff accounts and edit other staff accounts. Because any admin can create further admin accounts, these actions should be recorded in the audit log called for by the audit and accountability controls in the compliance section below.
All users will have the ability to edit their profile:
Admin staff will have access to manage the course material.
Courses are built as a series of Units and Quizzes. The admin may add a unit or a quiz at any step of the course.
Each Unit may consist of mixed media content: any combination of text, images and videos. Units have countdown timers. The "next" button is not available until the timer has counted all the way down to 0:00 for that unit. The countdown may be set in minutes:seconds for each unit separately and is displayed at the bottom of the unit page.
Images will be uploaded through a media gallery, and may be embedded in the content of the pages.
Videos will first need to be uploaded to a video hosting service. This may be any video service, but we recommend a paid service, such as Vimeo, to maintain branding and to restrict playback to approved domains (domain locking).
Videos can be embedded within the content with an embed link.
Students have access to view the course material and take quizzes for the courses they are enrolled in.
They must wait for the unit timer to count down to 0:00 before the "next" button becomes available. The disabled button is only a convenience in the browser; the server must also refuse to serve the next unit until the current unit's timer has elapsed, otherwise a student can bypass the wait by editing the page or requesting the next-unit URL directly.
They cannot skip sections or jump around in the course. They can only proceed from unit to unit until the course is complete.
Course quizzes are scored and the course total is provided at the end. If a student does not pass, they may retake the course any number of times, starting from the beginning.
Students may stop at any section of the course and come back to it later. Clicking the continue course button after logging in will pick up from the point they left off.
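The following is an added example, not code from the proposal or from 4EightyEast, showing how the rules above (no skipping, wait for 0:00, resume where you left off, retake from the beginning on a fail) can be enforced on the server rather than only by a disabled button. The class names, the 80% pass mark and the timestamps are assumptions for illustration; it needs PHP 8.1 or later.

```php
<?php
// Added example, not the proposal's code: server-side enforcement of the
// "no skipping" and "wait for 0:00" rules. The disabled "next" button lives in
// the browser, so the server keeps its own record of when each unit was served
// and refuses out-of-order or early requests. Class names, the 80% pass mark
// and the timestamps below are assumptions for illustration.

final class Unit
{
    public function __construct(
        public readonly string $id,
        public readonly int $timerSeconds,   // configured per unit as minutes:seconds
        public readonly bool $isQuiz = false,
    ) {}
}

final class Enrollment
{
    public int $currentIndex = 0;        // the only unit the student may view
    public ?int $openedAt = null;        // server time when that unit was first served
    /** @var array<string,float> quiz id => score in 0..1 */
    public array $scores = [];
}

final class CourseGate
{
    /** @param Unit[] $units the course outline, in order */
    public function __construct(private array $units, private float $passMark = 0.8) {}

    /** Serve a unit only if it is the student's current one; remember first open. */
    public function open(Enrollment $e, int $index, int $now): Unit
    {
        if ($index !== $e->currentIndex) {
            throw new RuntimeException("unit $index is not the current unit"); // no deep links
        }
        $e->openedAt ??= $now;           // resuming later keeps the original open time
        return $this->units[$index] ?? throw new RuntimeException('course already complete');
    }

    /** Seconds still to wait before "next" will be honoured. */
    public function remaining(Enrollment $e, int $now): int
    {
        $timer = $this->units[$e->currentIndex]->timerSeconds;
        return $e->openedAt === null ? $timer : max(0, $timer - ($now - $e->openedAt));
    }

    /** Advance to the next unit; refused while the server-side timer is running. */
    public function next(Enrollment $e, int $now): void
    {
        if ($this->isComplete($e)) {
            throw new RuntimeException('course already complete');
        }
        if ($this->remaining($e, $now) > 0) {
            throw new RuntimeException('timer has not reached 0:00');
        }
        $e->currentIndex++;
        $e->openedAt = null;
    }

    /** Quiz answers are only accepted for the quiz that is the current unit. */
    public function recordQuiz(Enrollment $e, string $quizId, float $score): void
    {
        $unit = $this->units[$e->currentIndex] ?? null;
        if ($unit === null || !$unit->isQuiz || $unit->id !== $quizId) {
            throw new RuntimeException('quiz is not the current unit');
        }
        $e->scores[$quizId] = $score;
    }

    public function isComplete(Enrollment $e): bool
    {
        return $e->currentIndex >= count($this->units);
    }

    /** Course total shown at the end; a failed attempt restarts from the first unit. */
    public function finish(Enrollment $e): float
    {
        if (!$this->isComplete($e)) {
            throw new RuntimeException('course not complete');
        }
        $total = $e->scores === [] ? 0.0 : array_sum($e->scores) / count($e->scores);
        if ($total < $this->passMark) {
            $e->currentIndex = 0;
            $e->openedAt = null;
            $e->scores = [];
        }
        return $total;
    }
}

// Constructed walk-through: two timed units followed by one quiz.
$gate = new CourseGate([new Unit('u1', 90), new Unit('u2', 120), new Unit('q1', 0, isQuiz: true)]);
$e = new Enrollment();
$t = 1_700_000_000;                         // arbitrary Unix time

$gate->open($e, 0, $t);
try { $gate->next($e, $t + 30); } catch (RuntimeException $x) { echo $x->getMessage(), "\n"; }
$gate->next($e, $t + 90);                   // 90 s elapsed: unit 2 unlocked
$gate->open($e, 1, $t + 100);
try { $gate->open($e, 2, $t + 100); } catch (RuntimeException $x) { echo $x->getMessage(), "\n"; }
$gate->next($e, $t + 220);
$gate->open($e, 2, $t + 221);
$gate->recordQuiz($e, 'q1', 0.9);
$gate->next($e, $t + 221);
printf("complete=%d total=%.2f\n", $gate->isComplete($e), $gate->finish($e));
```

The two rejected calls (the early "next" and the deep link to unit 3) are what a student would otherwise get away with if only the button were disabled. In the real application the Enrollment record would be persisted per student and course, and `$now` would come from the server clock, never from a value submitted by the browser.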
The admin will be able to run reports. Reports will be available as CSV export files and as PDF.
Here is the list of reports required by EZAZ:
• Student Search – Dropdown providing Customer Service Intervention vs. Student Intervention (ability to track who initiated the transaction)
• Quick Search – This is not necessary if the Student Search above is fast, unlike the current platform
• All Portals
• On Hold
• Completion Detail (same as the Registration Detail) – Also, ability to download in .xml to send to the AOC
• Classroom Registration*** (see note below)
• Online Registrations***(see note below)
• Signup Abandoned
• Student Remittance Report
• Online User List
• Student Roster
All reports will provide the existing fields and functionality of the app. Any additional reports in the existing app do not function and are not used.
Although additional reporting and visualization of data may be required and can be built in the future, the reports above are those provided within the scope of this quote.
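One check a practitioner would want on the CSV exports above: students choose their own names and email addresses at signup, and those values end up in reports that staff open in Excel or LibreOffice, which treat a cell starting with `=`, `+`, `-`, `@`, a tab or a carriage return as a formula. The following is an added example, not the proposal's or 4EightyEast's code, of a CSV writer that neutralises such cells. The column names and sample rows are constructed; the real report fields are not listed in this document. It needs PHP 8.0 or later.

```php
<?php
// Added example, not the proposal's code: CSV export hardened against
// spreadsheet formula injection. Column names and rows are constructed.

/** Neutralise a text cell that a spreadsheet would interpret as a formula. */
function csvSafeCell(string $value): string
{
    if ($value !== '' && str_contains("=+-@\t\r", $value[0])) {
        return "'" . $value;   // leading apostrophe forces text interpretation
    }
    return $value;
}

/**
 * @param array<int,array<string,scalar|null>> $rows    report rows keyed by column
 * @param string[]                              $columns column order for the header
 * @return string CSV text with a header row
 */
function reportToCsv(array $rows, array $columns): string
{
    $fh = fopen('php://temp', 'r+');
    fputcsv($fh, $columns, ',', '"', '');          // header; '' disables PHP's backslash escape
    foreach ($rows as $row) {
        $cells = [];
        foreach ($columns as $col) {
            $cells[] = csvSafeCell((string) ($row[$col] ?? ''));
        }
        fputcsv($fh, $cells, ',', '"', '');        // quotes fields containing , " or newlines
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows: a hostile display name and a name containing a comma.
$columns = ['name', 'email', 'course', 'progress'];
$rows = [
    ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'course' => 'Defensive Driving', 'progress' => '100%'],
    ['name' => '=HYPERLINK("http://evil.example/x","click")', 'email' => 'mallory@example.com', 'course' => 'Defensive Driving', 'progress' => '20%'],
    ['name' => 'Smith, John', 'email' => 'john@example.com', 'course' => 'Traffic School', 'progress' => '55%'],
];
echo reportToCsv($rows, $columns);
```

The apostrophe prefix is applied only to text columns; genuinely numeric columns (a negative balance in the Student Remittance Report, for instance) should be written as numbers rather than passed through `csvSafeCell`, or they will show up as text. The same escaping is not needed for the PDF version of a report.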
Follow controls specified in NIST SP 800-171 for access, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and information integrity, at a minimum. ISO 27001 controls may be employed instead. Provide third-party certification of compliance with either standard at the frequency specified by the AOC*.
Maintain or ensure the payment processing provider maintains all credit card data in compliance with the current release of the Payment Card Industry Data Security Standard.
We will be using the Authorize.net Accept Hosted API to process payments. The payment form is served by Authorize.net and embedded in an iframe on the client's website, so card numbers are entered into and submitted to Authorize.net directly and never reach the EZAZ server. This is the lowest-scope way of accepting payment through Authorize.net and places the client in PCI SAQ A, the self-assessment questionnaire for merchants whose cardholder data functions are wholly outsourced. It takes the EZAZ server, network and application out of scope for most PCI requirements, which makes compliance far easier and less costly to maintain. The page that hosts the iframe must itself remain protected and be served only over HTTPS, since a tampered hosting page could swap or overlay the payment frame.
The following requirements will be met by the software. It is the client's financial responsibility to meet these requirements; we will assist, and will bill for any additional work required.
These are the requirement that need to be implemented in the software:
(Numbers missing from this list are requirements that are not the responsibility of the software; they are business processes or policies outside the scope of the application.)
1.1 Individual UserIDs all conform to a standard format. Guest and generic UserIDs should be disabled.
All users will access EZAZLMS using their email address to log in. All default usernames and default admin-level accounts will be disabled.
1.2 User IDs are deactivated after a 30-day period of inactivity. IDs are reviewed for deletion after 60 days. Deactivation or deletion may be extended by written management approval.
1.3 Passwords have a minimum length of 8 characters with complexity enforced to include upper case, lower case, and numbers.
1.4 Every user ID has a password conforming to 1.3. Passwords are changed at least once every 90 days.
1.5 Every password on a system is changed at the time of the next log-in whenever that system’s security has been compromised or there is a convincing reason to believe it has been compromised.
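The following is an added example, not code from the proposal or from 4EightyEast, showing the checks behind requirements 1.1 to 1.5 as server-side functions. The thresholds (8 characters, 30/60 days, 90 days) come from the requirement text; the `Account` shape, the function names and the sample dates are assumptions for illustration. Note that 1.2 interacts with the "come back to it later" behaviour of courses: a student who pauses for more than 30 days is deactivated and will need staff to reactivate them. It needs PHP 8.1 or later.

```php
<?php
// Added example, not the proposal's code: the checks behind requirements
// 1.1 to 1.5. Thresholds are from the requirement text; the Account shape,
// function names and sample dates are assumptions for illustration.

final class Account
{
    public function __construct(
        public readonly string $email,
        public string $passwordHash,
        public DateTimeImmutable $passwordSetAt,
        public ?DateTimeImmutable $lastLoginAt,
        public ?DateTimeImmutable $deactivationExtendedUntil = null, // written management approval
        public bool $mustChangePassword = false,                       // set after a compromise
    ) {}
}

/** 1.1: only e-mail addresses are user IDs; guest and generic names are refused. */
function isValidUserId(string $id): bool
{
    $generic = ['admin', 'administrator', 'guest', 'test', 'root', 'user'];
    if (filter_var($id, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $local = strtolower(strstr($id, '@', true));
    return !in_array($local, $generic, true);
}

/** 1.3: at least 8 characters with upper case, lower case and a digit. */
function passwordMeetsPolicy(string $password): bool
{
    return strlen($password) >= 8
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[a-z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

/** 1.2: active, deactivated after 30 idle days, reviewed for deletion after 60. */
function accountState(Account $a, DateTimeImmutable $now): string
{
    if ($a->deactivationExtendedUntil !== null && $a->deactivationExtendedUntil > $now) {
        return 'active';
    }
    $reference = $a->lastLoginAt ?? $a->passwordSetAt; // never logged in: count from creation
    $idleDays = $reference->diff($now)->days;
    if ($idleDays >= 60) return 'review-for-deletion';
    if ($idleDays >= 30) return 'deactivated';
    return 'active';
}

/** 1.4 and 1.5: rotate every 90 days, or at next login after a compromise. */
function passwordChangeRequired(Account $a, DateTimeImmutable $now): bool
{
    return $a->mustChangePassword || $a->passwordSetAt->diff($now)->days >= 90;
}

/** Login decision combining the checks; returns a short reason string. */
function login(Account $a, string $password, DateTimeImmutable $now): string
{
    $state = accountState($a, $now);
    if ($state !== 'active') {
        return "denied: account $state";
    }
    if (!password_verify($password, $a->passwordHash)) {
        return 'denied: bad credentials';
    }
    if (passwordChangeRequired($a, $now)) {
        return 'change-password';   // only the password-change screen is reachable
    }
    $a->lastLoginAt = $now;
    return 'ok';
}

/** 1.5: after a suspected compromise, force every account to reset at next login. */
function forcePasswordResetForAll(array $accounts): void
{
    foreach ($accounts as $a) {
        $a->mustChangePassword = true;
    }
}

// Constructed walk-through.
$now = new DateTimeImmutable('2024-06-01');
$acct = new Account(
    'student@example.com',
    password_hash('Str0ngPass', PASSWORD_DEFAULT),
    new DateTimeImmutable('2024-01-15'),   // password 138 days old: rotation due
    new DateTimeImmutable('2024-05-20'),   // 12 days idle: still active
);
var_dump(isValidUserId('admin@example.com'));            // false
var_dump(passwordMeetsPolicy('weakpass'));               // false
echo login($acct, 'Str0ngPass', $now), "\n";             // change-password
$acct->passwordSetAt = $now;                             // after the student sets a new one
echo login($acct, 'Str0ngPass', $now), "\n";             // ok
echo accountState($acct, $now->modify('+45 days')), "\n"; // deactivated
```

The deactivation and deletion states are computed from stored timestamps rather than set by a nightly job, so an account cannot slip through because the job did not run; a scheduled task is still useful to produce the 60-day review list for management.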
2.2 All servers and workstations have approved anti-virus screening software enabled on their computers at all times. Users can not disable or deactivate this software.
2.3 All "private" or "confidential personal information" as defined in A.R.S. §18-551 transmitted in digital format is only communicated in encrypted form.
TLS certificates (commonly still called SSL certificates) will be used; all traffic, including every page that embeds the payment iframe, is served over HTTPS.
2.6 All computer and network devices are maintained with the latest vendor-provided security updates available for the specific operating system.
This will require a monthly maintenance & support agreement to keep the server, software, PHP and all frameworks in use up to date.
2.7 Security audit scans of all computing devices occur not less than twice per year. Any vulnerabilities identified must be remediated prior to accessing the court network. AOC may request scan results and will maintain such information as confidential.
PCI scanning services should be provided by the merchant account provider or Authorize.net. If anything needs to be remediated, forward the entire scan report or provide access to it so the findings can be addressed. It is the client's responsibility to run the scans and submit any remediation requests for review.
2.10 All credit card data shall be maintained in compliance with the current release of the Payment Card Industry Data Security Standard. AOC may request the most recent audit results and will maintain such information as confidential.
EZAZ will be meeting SAQ A. All card data will be submitted directly to the payment processor from the Authorize.net-hosted form, limiting the client's PCI liability and shifting responsibility for cardholder data to the payment processor, Authorize.net. No card numbers will pass through or be stored on the EZAZ servers. Student names and email addresses are still stored by the application and remain covered by the encryption and access requirements above.
As time marches on, new versions of operating systems, PHP and other software will be released. Old versions will be retired, reach end-of-life and no longer receive security updates or patches.
It is important to keep all the software running the websites up to date at all times to avoid any lapses or gaps in the security of the software, the server, and your customers' data and PII.
Continuous updates are always less costly and less painful than waiting years to do an upgrade.
We keep this simple and charge a flat monthly fee.
We will maintain the servers, php, software frameworks and the code while the agreement is in place.
No matter how well software is built, there is always a need for support. So, we include client support with our Maintenance & Support agreement. This gives you someone to call who is deeply familiar with the application and code if you have questions or something does go wrong.
We will be happy to help with work beyond the agreement, but it would be quoted and billable.
The process is outlined below with an approximate timeline. The timeline may change based on customer response time and availability.
We will be programming a custom LMS (Learning Management System) and Authorize.net payments which will adhere to regulatory compliance requirements and PCI SAQ-A.
Bonus!
There will be no ongoing license costs like other WordPress Plugins. EZAZ will own this code.
There will be points at which we will require client sign-off before continuing. This makes sure we are on the right track before we get too far along and ensures you get what you are expecting. It also limits the scope of changes that will be requested.
The total buildout will take approximately 6 to 8 weeks.
Design and development of user interface (UI), programming, optimized database. Hourly Rate beyond Project Scope is $125/hour
On-going support for Web Applications. Includes technical support, application support, platform and software maintenance (including software security updates and patches). This keeps the application and platform up to date, secure and error-free.
We’re firm believers in staying on track and building it right the first time. We base our work efforts around that. It just saves frustration for everyone.
We will require client sign-off at key points in the development process before we continue. We will let you know when those come up. It also gives you insight into where the project is and what we have accomplished.
With that said, if there are changes or additions to the project as described, that is OK. It happens and we are happy to accommodate changes. We handle project scope changes on a one-by-one basis. If a change requires adding functionality that will take longer than anticipated, or rewriting code that was already approved, it will result in a change order and an adjustment of the quote.
We don’t like bugs either and we test the code thoroughly. But sometimes there are issues. If there are any issues, simply let us know and we’ll fix them within the first 90 days. Since technology changes and we can’t predict what may happen years from now, we do have to limit the scope of our responsibility to potentially older code.
With that said, It’s just a good idea to keep the code up to date, and we’ll be happy to jump in and help with that as needed.
4EightyEast will employ the technical standards required to meet these requirements, but will not provide certification or proof of compliance. All compliance or certification, whether NIST SP 800-171, ISO 27001, PCI or any other, must be completed by a third party. All certification, compliance, services or tests will be paid for by the client. 4EightyEast will not pay for anything related to compliance.
Any hosting or code changes needed to meet compliance will be performed by 4EightyEast, and such professional services will be billable.
All software or server scanning or testing services will be paid for by the client.