Date post: | 03-Jan-2016 |
Category: |
Documents |
Upload: | shelly-forbes |
View: | 23 times |
Download: | 0 times |
Cybersecurity: Engineering a Secure Information Technology
Organization, 1st Edition
Chapter 4Project Processes
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
2© Cengage Learning 2015
Objectives
• Understand the purpose and benefit of processes in the project processes area
• Structure and run an effective project planning process
• Conduct effective, ongoing risk management• Control critical project activities such as configuration
management and knowledge management
3© Cengage Learning 2015
Overview of Project Processes
• The project processes involve all the control activities that ensure ICT work meets business, technology, and assurance goals– Control: a specific action or actions taken to ensure
a desired outcome• Project management: oversees the organization’s
ICT acquisition, development, and sustainment processes– Enforces the ICT policies and procedures– Ensures effective coordination and control of the
organization’s everyday work practicesCybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
4© Cengage Learning 2015
Defining and Coordinating the Project
• Project management involves defining and deploying a fully integrated set of activities to achieve a given purpose
• Project definition and subsequent coordination ensure the efficient use of resources
• A project management plan defines the requisite activities and tasks for each project– The plan should always consist of concrete
specifications of the work to be done– The plan is typically reviewed and refined over time
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
5© Cengage Learning 2015
Defining and Coordinating the Project
• The project manager is the person who writes the plan
• The plan specifies the major elements of the project during the planning period– As well as the organizational resources allocated to
support each element• Strategic planning progress: a set of rational
activities that an organization undertakes to accomplish its long-range goals
• Project activities are planned, documented, evaluated, and adjusted when necessary
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
6© Cengage Learning 2015
Building the Project Team
• Project teams are typically composed of an integrated mix of business and information technology (IT) workers
• Questions to ask when building a team:– What is the precise mission of the team?– What organizational competencies are required to
achieve that mission? – Are those competencies available for the particular
project?• Capability: the level of assessed competence of a
processCybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
7© Cengage Learning 2015
Organizing the Project
• Failure to satisfy the business purpose is a frequent cause of overall project failure
• The planned involvement of business stakeholders ensures that all points of view are represented in the final product
• Differences must be resolved for projects to move forward
• It is a challenge to incorporate everyone’s vision and capabilities into project planning– Following the project process of the 12207 standard
ensures best practiceCybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
8© Cengage Learning 2015
The Project Processes of ISO 12207-2008
• The 12207 standard presents the processes in a logical order– Ranging from general best practices for planning,
assessment, and implementation to specific project management and control practices
• The project planning process establishes the generic management function for the given project
• The project assessment and control area deals with all related implementation concerns
• Figure 4-1 on the following slide shows the relationship of these process areas
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
9© Cengage Learning 2015
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
10© Cengage Learning 2015
The Project Planning Process (6.3.1)
• Overall goal of project planning is to develop an effective and realistic set of plans for overall conduct of the project– Decides the scope and purpose of the project as well
as the timeline and activities involved• The project planning process is responsible for
describing the scope of work to be done and evaluating whether the work can be carried out with available resources and known constraints– Seeks to ensure proper alignment between project
goals and reality
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
11© Cengage Learning 2015
Project Initiation
• First step in the project planning process is to establish the scope of the project– Includes defining objectives, motivations, and
boundaries• Boundary: a perimeter that incorporates all items
to be secured• Managers can then establish the feasibility of the
project by confirming that all required personnel, materials, and technology are available– And that the project can be completed on time
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
12© Cengage Learning 2015
Project Initiation
• Project initiation involves ensuring that the actions of all participants are correctly aligned and coordinated with the achievement of project goals
• The initiation activity must ensure that the project’s day-to-day activities and tasks are specified with appropriate detail
• Project initiation must assure that adequate lines of communication have been established among all participants to guarantee effective cooperation
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
13© Cengage Learning 2015
Project Planning
• Plans usually include:– Schedules, milestones, time and resource estimates,
and the assignment of roles, responsibilities, and work tasks
• Might also include:– A detailed risk estimate for each activity and task– Lifecycle measures to assess the quality and
security of each product and process• Security: confidence that a given approach will
produce dependable and intended outcomes
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
14© Cengage Learning 2015
Project Authorization and Launch
• After receiving the appropriate from other managers– The project manager takes steps to launch project
• Projects are established by the creation of a customized management process that establishes:– Visibility– Management control over project activities
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
15© Cengage Learning 2015
The Project Assessment and Control Process (6.3.2)
• The project assessment and control process ensures that events are on schedule, on budget, and fulfill the technical objectives laid out in the project plan
• Quantitative data can be used to evaluate the options and implications of a decision
• Managers cannot exercise control over projects unless they have an objective means of evaluating how well a project is going– Ability to obtain good measurement data is essential
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
16© Cengage Learning 2015
The Project Assessment and Control Process (6.3.2)
• By collecting standard project performance data managers can ensure project run appropriately and within budget– Project performance measures should be defined
and instituted to support quantitative decision making
• Performance data can also help identify emerging problems so that managers can judge potential risks and rewards of making further investments in an ongoing project– Based on reliable corporate benchmarks
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
17© Cengage Learning 2015
The Project Assessment and Control Process (6.3.2)
• Many different quantitative measures exist, including basic production metrics such as:– Project productivity measured in lines of code (LOC)
or function points (FP)• The ISO 9126 standard also outlines metrics that
consider the functionality, reliability, usability, efficiency, maintainability, and portability of the product under development
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
18© Cengage Learning 2015
The Project Assessment and Control Activities
• The aim of project assessment and control is to ensure that project objectives are successfully achieved and properly recorded
• This process ensures:– Progress is monitored and reported– Interfaces between project elements are properly
monitored– That managers can correct deviations from the
project plan and prevent them from recurring
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
19© Cengage Learning 2014
20© Cengage Learning 2015
Project Monitoring
• Project monitoring is the first formal activity• Ensures the:
– Project is executed correctly– Outcomes of monitoring are reported to all internal
and external project stakeholders• Project monitoring must account for the status of
interfaces between internal project elements and outside interfaces with other relevant projects
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
21© Cengage Learning 2015
Project Control
• Managers must monitor a project in order to control it– Monitoring and control are closely associated
• To enforce proper project control– The project manager must be able to investigate,
analyze, and resolve any deviations from the project’s planned course of action
• The impact from any deviation must be evaluated, authorized, and monitored
• Routine reporting ensures general management oversight
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
22© Cengage Learning 2015
Project Assessment
• Formal assessment activities during ICT product development are an essential part of good management practice
• Goal is to ensure that the work continues to run correctly from beginning to end of a project
• Systematic assessments assure the ICT product requirements and the project’s ongoing activities satisfy the plan’s objectives
• Assessment results can be used to establish steps that prevent future problems
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
23© Cengage Learning 2015
Project Closure
• Projects must be formally terminated– To avoid wasted resources
• Reasons a formal termination procedure is necessary:– An organization must document that all ICT
development activities have been completed as contracted
– Project data has to be archived to preserve a history of the project
• Lessons learned from previous projects can help in planning similar efforts in the future
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
24© Cengage Learning 2015
The Decision Management Process (6.3.3)
• Decision management is a fundamental process of project management– Seeks to ensure the best outcome for any concern
that arises in the project environment– Evaluates all possible directions among a given set
of alternatives and chooses the one that provides the likeliest benefit
• Decision management is initiated by standard operating policies and procedures that are followed when a decision is needed
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
25© Cengage Learning 2015
Decision Management Activities
• A decision management policy allows managers to make quick and rational decisions about issues that arise in the day-to-day execution of a project
• Goal is to record, categorize, and promptly report problems and to develop alternative course of action to resolve those problems
• With standard policies in place:– The project team can ensure decisions made during
the project lifecycle are valuable to organization’s goals
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
26© Cengage Learning 2014
27© Cengage Learning 2015
Decision Planning
• A planning process is the first activity in decision management– Involves enumerating and prioritizing all categories
of likely decisions• In addition to identifying the each type of decision:
– Authorization and responsibilities for making it are assigned to the appropriate decision maker
• Policies and procedures are selected to guide decisions in each category– A formal process is defined to address situations
when no policy guidance is available
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
28© Cengage Learning 2015
Decision Analysis
• Overall aim of decision management is to come up with a decision that leads to the best result– Decisions are usually guided by policy
• If there is no policy:– A decision-making strategy or decision protocol must
be in place to ensure the right decision is made• A decision-making strategy includes functions for
gathering information and making trade-offs– Allows for the project team to make the best decision
from a range of alternatives
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
29© Cengage Learning 2015
Decision Tracking
• Each decision should be recorded and its outcomes should be tracked, evaluated, and reported– Ensures that the decision resolved problems or
leads to the desired benefit– If not, knowledge gained can provide guidance
• To track a decision:– Records of problems and decisions must be kept– Actions associated with the decision must be
monitored through reviews, inspections, or audits
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
30© Cengage Learning 2015
The Risk Management Process (6.3.4)
• Risk management: a set of formal organizational processes that are designed to respond appropriately to any identified adverse event– Applies to all types of lifecycle activity
• Goal is to identify, analyze, treat, and monitor all active and latent risks in the project
• Threat: an adversarial action that could produce harm or an undesirable outcome
• Threat assessment ensure that all project risks are identified and categorized
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
31© Cengage Learning 2015
The Risk Management Process (6.3.4)
• Risk analysis: the assessment of the overall likelihood and impact of a threat
• Organizations must institute a targeted risk analysis function– Which facilitates qualitative and quantitative
analyses of any newly identified or emerging risk event
• Once a risk analysis function has been established– The organization must specify formal responses to
correctly address all meaningful risks as they occur
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
32© Cengage Learning 2015
Risk Management Activities
• To determine the scope of the process, organizations must answer two questions:– What is the likelihood that each identified risk will
occur?– What is its anticipated impact?
• Answers are normally expressed as an estimate of loss, harm, failure, or danger for each risk
• After scope is determined, risk management policies are defined and implemented– Organizations should set priorities for applying the
resources needed to mitigate each risk
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
33© Cengage Learning 2014
34© Cengage Learning 2015
Risk Management Planning
• Risk management planning goal:– To identify critical risks and then create and maintain
an effective set of formal steps to manage each risk• Risk management planning helps an organization
assign specific roles and responsibilities for the risk management function
• The plan should describe the process for evaluating and improving overall risk management– Including how to use lessons learned
• Acceptable risk: a situation in which the likelihood or impact of an adverse occurrence can be justified
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
35© Cengage Learning 2015
Risk Profile Management
• Risk profile management establishes a link between the risk management process and the project’s environment– By recording specific information for the state of
each risk and its probability, consequences, and risk thresholds
• Provides explicit policy guidance– Priorities established by the risk profile determine the
application of resources for treatment• Risk thresholds dictate the conditions under which
an organization may accept a level of riskCybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
36© Cengage Learning 2015
Risk Analysis
• Risk analysis: information-gathering function that focuses on understanding the nature of risks– Documents mitigation strategies for every risk that
surpasses its threshold– Defines measures for evaluating potential mitigation
• Risk analysis ensures the most efficient use of security resources
• Likelihood of occurrence: an assessment of the probability that an event will occur
• Anticipated impacts are normally expressed as an estimate of loss, harm, failure, or danger
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
37© Cengage Learning 2015
Risk Treatment
• Risk treatment develops solutions for identified risks
• The scope of coverage and the required level of assurance are primary influences that define this context
• Roles and responsibilities have to be defined to carry out the actions necessary to mitigate risks– Establishes accountability
• Each risk has to be categorized by priority to allow for decisions regarding resource allocation
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
38© Cengage Learning 2015
Risk Monitoring
• Risk monitoring tells decision makers whether risk management objectives are being achieved– And whether risk control performance is in line with
expectations• Qualitative analysis is useful in determining
priorities– One of the main purposes of risk monitoring– Expressed through a set of nominal values, such as
high, medium, and low• A blend of quantitative and qualitative measures is
often used to monitor riskCybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
39© Cengage Learning 2015
Risk Management Evaluation
• Information should be collected throughout the project lifecycle to help improve risk management
• Data includes identified risks, their sources, their causes, their treatment, and the success of selected treatments
• An important element of risk management is a series of periodic reviews
• Two types of review are commonly used:– Time-based - occur at regular intervals– Event-based - capture information about a particular
aspect of the risk management processCybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
40© Cengage Learning 2015
The Configuration Management Process
• Configuration management: a formal process to ensure the continuing status of ICT products– To ensure the status of every meaningful item in an
ICT product is documented and known at all times• Goal: to establish and maintain the integrity of all
project components by placing them under formal decision making and oversight control
• Configuration management serves as the basis to measure quality by confirming the integrity of changes and ensuring they are verified as correct
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
41© Cengage Learning 2014
42© Cengage Learning 2015
Configuration Management Planning
• A configuration management strategy must be planned for each project– Describes how configuration baselines are
established, maintained, and archived for a project– Specifies which staff have the right to authorize,
access, and reintegrate changes to baseline items– Must also specify the level of integrity, security, and
safety for each baseline as well as storage medium• Once established, the project manager must
specify which items are subject to configuration control (known as identification)
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
43© Cengage Learning 2015
Configuration Management Execution
• The recording, retrieval, and maintenance of current and preceding configurations should be kept under management control to:– Assure correctness, timeliness, integrity, and
security• A project baseline represents the status of the
project at a fixed point in time or circumstance• Once the project baseline is established, any
changes are described in the configuration record and maintained throughout the system lifecycle– Audits may be performed as needed
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
44© Cengage Learning 2015
The Information Management Process (6.3.6)
• The information management process is a formal function that records and maintains information needed to manage a project over its lifecycle– Generates, collects, transforms, retains, retrieves,
disseminates, and disposes of all necessary project information
• Goal is to provide relevant, timely, complete, and valid information to decision makers
• Ensures the form and content of all project information is proper and correct
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
45© Cengage Learning 2014
46© Cengage Learning 2015
Information Management Planning
• The organization must identify and classify all relevant information and designate which media to use to capture and store information
• The plan must specify the exact procedure used to capture the data kept for each information item– Must stipulate how each item under information
management control is developed, inspected, and modified
• Information management defines the rights, obligations, and commitments of designated parties for retaining and transmitting information
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
47© Cengage Learning 2015
Information Management Planning
• Information management planning also defines individual access rights for each information item under its control
• Other primary drivers of information management planning are:– Legal– Security– Privacy
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
48© Cengage Learning 2015
Information Management Execution
• Once the plan is complete and all responsibilities are assigned:– The project team begins to capture and retain the
information identified in the plan• Stored records are maintained according to
integrity, security, and privacy requirements established by the planning function
• Information can more easily be distributed to all authorized parties by request, by scheduled agreement, or by defined circumstances
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
49© Cengage Learning 2015
Information Management Execution
• To ensure availability:– The medium, location, and protection of information
must be ensured and must be compatible with all storage and retrieval requirements
• Information management ensures that arrangements are in place to retain necessary documentation after a project ends
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
50© Cengage Learning 2015
The Measurement Process (6.3.7)
• The purpose of the measurement process is to collect, analyze, and report data for an organization’s products and processes– To ensure effective management of processes and
to objectively demonstrate product quality– Also ensures all measurement activities are defined
• Ensuring consistency of data is important because managers use it to make decisions about all types of project activity
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
51© Cengage Learning 2014
52© Cengage Learning 2015
Measurement Planning• Measurement planning involves the establishment
of a standard schedule for each assessment and a defined process for collecting and reporting results
• Project measurement uses a defined set of criteria to evaluate the performance of project functions
• Outcome of the planning process must be a set of measures for judging elements of a project’s performance– Such as timeliness, security, and fiscal responsibility
• Decision makers use information to review and approve resources for each task
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
53© Cengage Learning 2015
Measurement Performance
• The first step in implementing a project measurement process is to develop a formal means of recording relevant data about events in the organization’s environment
• The project needs to install procedures for data generation, collection, analysis, and reporting within the relevant project processes
• Project measurement involves the collection, storage, and verification of data
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
54© Cengage Learning 2015
Measurement Evaluation
• Measurement evaluation assesses the project and its measurement process– Achieved through benchmark comparisons
• Benchmarks capture and record the performance of a target process over time
• First step in creating a metrics program based on benchmarks:– To confirm all elements of the project measurement
function have been evaluated and document at a certain point in time
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
55© Cengage Learning 2015
Measurement Evaluation
• Documentation should include an overall statement about the standard assessment mechanism for each element under project management control– Should also include a generic testing and review
plan to ensure that procedures retain their effectiveness
• Once the organization understands the status of all activities:– It can track the performance of the measurement
process against prior assessments• Ensures long-term effectiveness of measurements
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
56© Cengage Learning 2015
Summary• Project management ensures alignment of ICT work
with an organization’s goals• Project management integrates a range of
management perspectives as well as coordinates and controls all related functions to do the work of an ICT project
• Project management plans achieve a logically related set of management objectives
• Assessment data supports good decisions, but it is important to know how to provide the proper data to the right people
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
57© Cengage Learning 2015
Summary• Risk management is essentially built around formal
processes to provide information about risk to decision makers
• Every risk process must be designed to fit its specific environment
• Configuration management is built around maintaining baselines composed of relevant elements of the project or product