NSI Guide Supplement for QA Best Practices Certification/Verification
Issue 1.1.01 - March 4, 2008
Table of Contents
1.1 Referenced Specifications
2.1 Registering your Business Practice within the Web-Based Certification/Verification System3. Renewals Process2.1.1 Payment2.2 Producing a Conformance Statement
4. Certified/Verified Entity Modifications and Updates
This document is a supplement to the Guide to the NSI Certification and Verification Program and is intended to be used in conjunction with that document. This supplement is for organizations who want to certify or verify a business practice in the North American Association of State and Provincial Lotteries (NASPL) Standards Initiative Certification and Verification Program for Quality Assurance Best Practices.
This Guide Supplement will guide you through all the Quality Assurance specific steps required for certification or verification. Steps that are common to all NASPL Standards Initiative (NSI) certification/verification programs are provided in the Guide to the NSI Certification and Verification Program.
Note: In the event of any conflicts, this guide defers to the NSI Certification/Verification Policy and Policy Supplements, the applicable NASPL Trademark License Agreement, and the NSI Certification/Verification Agreement.
The specifications currently referenced for QA Best Practices certification/verification are:
These are referenced by the NSI Conformance Requirements documents and are located at http://www.opengroup.org/naspl/published.
The current NSI Conformance Requirements documents against which Quality Assurance business practices can be certified are:
The current NSI Conformance Requirements documents against which Quality Assurance business practices can be verified are:
Certification/verification will involve validating that your organization has correctly and completely implemented the Best Practice(s) within your organization. The first step towards certification or verification against any of the Quality Assurance Best Practices is to deploy the Best Practice(s) within your organization. This involves making the changes necessary to your business processes to ensure that your organization is operating in accordance with the requirements defined in the Best Practice(s). Your organization then needs to use the overall business practice (i.e., for Requirements Definition, Development Process, etc.) on several projects related to the creation or updating of hardware and/or software systems for a NASPL lottery environment.
To achieve certification or verification, your organization must complete both the organization-level steps described in the Guide to the NSI Certification and Verification Program as well as the Quality Assurance specific steps described below.
The organization-level steps are registering your organization within the web-based certification/verification system and completing the applicable Trademark License Agreement. These steps need to be performed only once per organization.
Prior to registering your business practice, please ensure that:
The first step for QA Best Practices certification or verification is to register your business practice. Then, the following three steps may be performed in parallel for producing a conformance statement, selecting projects and providing documentation on those projects, and completing the checklist.
To register a business practice to be certified or verified, go to http://www.opengroup.org/naspl/conformance, enter the secure web server, and "Login" to the NSI certification or verification web site, as appropriate, using your username and password. Note: If you see a login link immediately upon accessing the system, then you are already on the secure server and may proceed directly with the login. The next step is to click on Organization Home to go to your organization's home page and select "New business practice or technology registration" (in the middle of the page).
When you register your business practice, you are required to select the NSI Conformance Requirements document against which you wish to certify or verify, provide information on your business practice, and have the ability to send notes to the Certification and Verification Authority. Within the system you must specify the following:
In addition, you will need to specify the certification/verification contacts specific to certification/verification of the business practice you are registering:
Once you have completed all fields, select the "Submit for registration" button. You will then be presented with the NSI Certification/Verification Agreement, which you must accept in order to proceed with this business practice registration. The final step in the registration phase is providing payment information, as detailed in Section 2.1.1, Payment, below.
You are then returned to your organization's certification or verification home page, from which you can select the "Next" link for the business practice being submitted. Through use of the "Next" link, the system will guide you through the steps that you need to follow to certify or verify a business practice.
Details concerning payment procedures common to all NSI certifications/verifications can be found in Section 4.1.1, "Payment" , in the Guide to the NSI Certification and Verification Program. See Section 2.1.2, "Payment for Two Concurrent Quality Assurance Best Practice Certifications/Verifications", below, for payment procedures that are specific to NSI QA Best Practices certifications/verifications.
If you have indicated that you would like to concurrently certify or verify your product development business practice against two QA Conformance Requirements Documents, please note that although you will be asked to pay the standard certification/verification fee for the first registration during the registration process and will be asked to provide information concerning your method of payment, processing of your payment will be deferred for up to four days. If a second registration for concurrent certification/verification takes place within this time frame, the registration form will reflect the remainder of the concurrent certification/verification fee for this second registration and The Open Group will collect a single payment for the two concurrent certifications/verifications.
Otherwise, if a second registration is not made within four days, the standard fee will be collected for the initial registration. Any subsequent certification/verification registrations will be charged the standard certification/verification fee.
This step, along with the following two (Project Selection and Document Submission, and Completing the Checklist) can all be completed in parallel. All must be completed before the Certification and Verification Authority can begin the assessment process for your organization.
A Conformance Statement describes your business practice and how it meets the conformance requirements. Your Conformance Statement will be linked into the Register entry for the business practice once it is certified or verified. A Conformance Statement Questionnaire is available for each Conformance Requirements document at http://www.opengroup.org/naspl/conformance/docs/csqs.html.
The currently available Conformance Statement Questionnaires are listed below. There is one corresponding to each Conformance Requirements document:
You must complete the relevant questionnaire to create a Conformance Statement for your business practice. See Sections 2.3 and 3.3 of the NSI Certification/Verification Policy document for further information on the purpose of the Conformance Statement.
Within the web-based certification/verification system, you have the ability to create a new Conformance Statement, edit a Conformance Statement Questionnaire that is in the process of being completed, and finally, when ready, submit the completed Conformance Statement to the Certification and Verification Authority. This is done by going to your organization home page, selecting the "Next" step button for your business practice, clicking the "Conformance Statement" link and then selecting the "Create/edit/submit Conformance Statement" button. Please see Appendix A, "Using the Editing Tool", in the Guide to the NSI Certification and Verification Program for information on using the editing tool to create, edit, and submit your Conformance Statement.
The Conformance Statement Questionnaires have common front matter, which asks for the following information about your organization, the business practice to be certified or verified, and rationales for any requirements of the Best Practice(s) that your organization did not implement:
The Conformance Statement Questionnaires also contain questions specific to the set of conformance requirements against which your business practice is to be certified or verified. These questions are intended to characterize how your business practice meets the conformance requirements.
Prior to submitting documents to the Certification and Verification Authority to provide evidence that your organization has correctly implemented the Best Practice, you are required to provide information on several recent projects on which the Best Practice has been deployed. The Certification and Verification Authority will then select two of those projects for which your organization will submit the relevant documentation.
Please note that the documentation provided to the Certification and Verification Authority at this stage will be used by the assessors for the documentation and telephone assessment phases of the assessment process and that, during the on-site assessment, the assessors reserve the right to review and inspect additional documentation on the specified projects or other projects, as deemed appropriate by the assessors.
Within the web-based certification/verification system, you have the ability to provide information on your recent projects. This is done by going to your organization home page, selecting the "Next" step button for your business practice, and then clicking the "Information on recent projects" link.
There is a form provided for defining a project. You should complete it for each project for which you are providing information. You should provide information on at least four projects that have been performed over the past two years. You should specify at least one project that includes a new lottery system component and at least one that includes an update to an existing lottery system component. As each project is defined, it will be added to a table listing the projects that have currently been defined. When you have completed your project definitions, you must submit them to the Certification and Verification Authority by selecting the "Declare project definitions to be complete?" button.
You may modify or delete project definitions up to the point at which you submit them to the Certification and Verification Authority. Modifications are done by selecting the project identifier from the table. Deletions are done by selecting Delete in the table for the project you wish to delete.
To define a project, you will need to provide the following information:
Once you have completely defined a project, select the "Input project details" button to add the project to the list of defined projects.
In the event that you are unable to fully meet the requirements of providing information on at least four projects and specifying at least one project that includes a new lottery system component and at least one that includes an update to an existing lottery system component, you must provide a rationale for not meeting these requirements in the free-form text box at the bottom of the Project Definition page.
Your rationale should explain:
In your rationale, please briefly cover what your organization has done thus far and what your future plans are with respect to deploying the applicable NSI Quality Assurance Best Practice within your organization. This could include information on other recent projects, plans for future projects, or a description of your QA practices on prior projects.
When you are finished entering your rationale into the form, select the button labeled "Insert/update supporting rationale".
Once you have submitted your project definitions, the Certification and Verification Authority will select the two projects for which you must submit the relevant documentation. After the Certification and Verification Authority has selected the projects, your organization's Primary and Alternate Technical Contacts for this business practice will be notified via email that the selection is complete and they may now proceed with submission of the relevant documentation. This information will also be available via the web-based certification/verification system by viewing the next steps for this business practice certification or verification.
Submission of relevant documentation is done by going to your organization home page, selecting the "Next" step button for your business practice, clicking on the "Process documentation and documentation from recent projects" link and then selecting the "Submit Supporting Documentation files" button.
Documentation must be submitted for each project that the Certification and Verification Authority selected. In addition, for certification or verification against the Development Process Conformance Requirements, additional documentation on the organization's processes must be submitted.
You may upload more than one file to satisfy the requirement for a particular document, if that document is contained in multiple files. Likewise, a single file may satisfy the requirements for more than one type of documentation. The Document Title and Identifier and the Documentation Checklist in the Checklist form will be used to map specific files to the documentation requirements.
For each document to be uploaded, you will need to supply the following:
Once you have provided the information on a particular file, select the "Upload" button. When you have completed uploading all files, select the "Declare document submission to be complete" button, which is located just below the list of uploaded files.
Documentation requirements are as follows:
Completing the Checklist is the third step (along with "Producing a Conformance Statement" and "Project Selection and Document Submission") that your organization must complete before the Certification and Verification Authority can begin the assessment process on your organization.
The checklist identifies the various documents your organization is uploading with its certification or verification registration along with information on where in each of these documents there is evidence that the your organization has correctly deployed the Best Practice requirements.
Within the web-based certification/verification system, you have the ability to create a new checklist, edit a checklist that is in the process of being completed, and finally, when ready, submit the completed checklist to the Certification and Verification Authority. This is done by going to your organization home page, selecting the "Next" step button for your business practice, clicking the "Checklist" link and then selecting the "Create/edit/submit Checklist" button. Please see Appendix A, "Using the Editing Tool", in the Guide to the NSI Certification and Verification Program for information on using the editing tool to create, edit, and submit your Checklist.
This section of the checklist contains a table for each of the types of documents that you need to submit to the Certification and Verification Authority. You must submit documents for each of the two projects selected by the Certification and Verification Authority, and in the case of the Development Process Conformance Requirements, you will need to submit process documentation as well. (Note that for Development Process certifications/verifications, for each document you will need to select a Process or Document Category from the drop-down menu and also, for project documentation, enter the Project Identifier that you assigned to the project during Project Definition; for other QA certifications/verifications, there will be a separate table for each document category.)
In each table, for each submitted document, enter the Document Title along with a Document Identifier. This Document Identifier is a short, unique identifier used by you and the Certification and Verification Authority to enable shorthand references to the document. The Document Identifier should be the same as the Document Identifier used when the document itself is uploaded via the web-based certification/verification system (see Section 2.3.3, Document Submission ). The Comments field may be used to provide any comments to the Certification and Verification Authority. (For example, if the same document file includes information that satisfies multiple requirements, the document should be listed in each table, with a comment indicating such.)
This section of the checklist contains tables listing each requirement (from the Best Practices) that your business practice must meet in order to be considered conformant. You should fill out these tables as completely as possible.
For each of the two projects selected by the Certification and Verification Authority, you will be submitting the relevant documents to the Certification and Verification Authority. In these tables, you must specify the Document Identifier for the document in which a given requirement is met, and provide a reference, where applicable, to the specific section of the document that provides the evidence that your organization has met the requirement.
Your organization is required to implement all of the 'Must' requirements. Your organization is also required to implement all of the 'Should' requirements, unless you specified otherwise on your Conformance Statement. You should be able to provide evidence for most of the requirements with a Level of 'Must' or 'Should'. Any requirements with a Level of 'May' are optional, and evidence only needs to be provided in cases where that requirement is implemented within your business practice.
Requirements for which evidence of implementation cannot be provided via submitted documentation must have their implementation validated during the On-site Assessment.
During the assessment process, the Certification and Verification Authority will take the lead in progressing your registration through the process. At any point in time, you will be able to see the status and progress of the assessment process in the web-based certification/verification system by selecting the "Next" step button for your certification or verification registration from your organization's home page.
In cases where your organization has responsibility for progressing the assessment process, notification will be sent to your Primary Technical Contact and Alternate Technical Contact regarding what is required of your organization.
Throughout the process you will see the following information on your web view:
Once the On-site Assessment has been completed, you will also see an indication of whether corrective action is required.
If corrective action is required, you will also see some or all of the following:
Once the assessment process has been completed, your web view will display either the date the Assessment Report was approved or else an indication that review of the Assessment Report is still in progress.
Once the assessment process is complete, your Primary and Alternate Technical Contacts will receive an email indicating that they may now return to the web-based certification/verification system and select "Proceed to final registration". The system displays a form into which you enter the final details that are required to complete your registration. This is done in two stages:
Once your submission, including the assessment process, is complete and a NASPL Trademark License Agreement is in place, you will be notified of successful certification or verification within 10 business days. If for any reason the submission was not complete, you will be notified so that any corrections can be made and resubmitted. This step, which is common to all NSI Certification and Verification Programs, is described in detail in the Guide to the NSI Certification and Verification Program.
You should note that certification/verification is valid for a defined period as stated in Section 9.1, "Duration of Certification/Verification", of the NSI Certification/Verification Policy document. At the end of that period, if you wish your business practice to remain certified or verified, you will need to renew your certification or verification as defined in Section 3, Renewals Process, below.
When your business practice is certified or verified, it remains so for a defined period, after which it must be renewed or the business practice will no longer continue to be certifiedl/verified. At any time, you may use the web-based certification/verification system to obtain the renewal date for each of your certified or verified business practices or technologies.
Renewal implies that your business practice continues to conform for the duration of the renewal period.
Around three months prior to the expiration of your business practice's certification or verification, your Primary and Alternate Technical Contacts will be notified that renewal is due. They must respond to the Certification and Verification Authority within 30 calendar days indicating whether or not your organization would like to renew certification/verification; otherwise, your certification or verification will expire on the renewal date. Renewal is subject to a re-assessment of your business practice and must be completed prior to your renewal date.
Renewal is performed using the web-based certification/verification system. You may access the renewals page from your organization's home page in the system. When you select the certified or verified business practice to be renewed, you will be presented with a web renewal form to complete.
Please see Section 9, "Renewal", of the NSI Certificationl/Verification Policy document for further information on the requirements and process for renewal.
Any modifications to your Certified/Verified Entity must be made in accordance with the requirements defined in the Certification/Verification Policy. You should read the requirements in the policy documents thoroughly since they describe multiple scenarios related to business practice changes. In some cases, the modification or update necessitates a new certification or verification, whereas in other cases, you can update your existing certification or verification.
Updates to your business practice's certification or verification are performed using the web-based certification/verification system. You may access the updates page from your organization's home page in the system. When you select the certified or verified business practice to be updated, you will be presented with a web form to be used to indicate to the Certification and Verification Authority the type of change.
The types of changes that may be made to a business practice certified or verified against the Quality Assurance Best Practices are defined in Section 5, "Certification/Verification Requirements for Modifications of a Certified/Verified Entity", of the NSI Certification/Verification Policy Supplement for QA Best Practices. Please note that you are required to contact the Certification and Verification Authority within 30 calendar days of any changes to your business practice.
If the "Certification/Verification Requirement" identified in the policy document is either "Certification/Verification Information update" or "Conformance Statement update", you must complete the web form to provide information on the requested change and provide the Certification and Verification Authority with any required information or documentation. Upon review and acceptance of such information or documentation and receipt of payment for amending your registration, the Certification and Verification Authority will update your certificationl/verification information.
If the "Certification/Verification Requirement" is "New Certification/Verification", then this change is considered a new business practice and is subject to a new certification or verification. In this case, your organization should register this business practice for certification or verification using the "new business practice or technology registration" link accessible from your organization's home page.
Any other change must be communicated to the Certification and Verification Authority within 30 calendar days of such change. The Certification and Verification Authority will then determine what the associated assessment and certification/verification requirements are for such change.
© The Open
For other help on registering your business practice or product please also see The Frequently Asked Questions File. You may also contact the NSI Certification and Verification Portal Certification and Verification Authority