1. ict project management

Introd uc tion o f Pro je c t Ma na g e me nt & Ko re a In fo rm a tio n Syste m Au d it

Young H. Choi Kor ea I T Consul t i ng I nc. ,

SW Pr of essi onal Engi neer

J un 12, 2014

Co nfid e ntia l

Young H. C hoi

• Se n . Au d ito r / Ko re a IT C o n su lt in g • In d u st ry Pro fe sso r (IC T) • Pre sid e n t / Ko re a SW Q u a lity Assu ra n c e • Fo rm e r IT Dire c to r / Fa irc h ild Se m ic o n d u c to r (US) • Fo rm e r Se n . Ma n a g e r / Sa m su n g SDS • Fo rm e r Ma n a g e r / Hyu n d a i Ele c t ro n ic s • IS Pro fe ssio n a l En g in e e r • IS Se n io r Au d ito r • IC T Se n io r Au d ito r • C ISA (ISAC A, Au st in C h a p te r in Te x a s, US)

2

Profile

Co nfid e ntia l 3

Contents

1. ICT Project Management

2. The introduction of Korea IS Audit

3. COBIT Framework of ISACA

4. Key challenges

5. Q&A

Co nfid e ntia l 4

About 8,400 Miles (20h 50m by flight)

Co nfid e ntia l 5

In the past, all roads lead to Rome

However now, all roads lead to SNS

Social System Relation

Co nfid e ntia l 6

● World is small enough thru 6 stages, 4 stages via Twitter

Be Small World Network

● Word of mouth -> World of mouth

the theory that everyone and everything is six or fewer steps away, by way of introduction, from any other person in the world, so that a chain of "a friend of a friend" statements can be made to connect any two people in a maximum of six steps

http://en.wikipedia.org/wiki/Theory�

http://en.wikipedia.org/wiki/Friend_of_a_friend�

Co nfid e ntia l 7


Over Worked !! !

Co nfid e ntia l 8

▶ To understand the meaning and processes of managing projects to raise its success rate


Wha t is ICT Pro jec t

▶ To provide benefits for people and their organizations,

and improve the quality of life of citizens,

Given the constraints of funds, time and resources, policymakers,

Co nfid e ntia l 9

-Information and Communication Technologies (ICT) is not only with hardware, networking systems, software and applications to achieve a goal,


ICT Project

H/W

S/W

N/W

Appl.

but requires a substantial amount of human activity in the projects aligned with the larger goals of the organization.

Co nfid e ntia l 10

Definition o f ICT Pro jec t Ma na gement


■ A set of tools

for planning, implementing, maintaining, monitoring and

evaluating progress of activities in line with larger goals and

objectives of the organization, it defines what has to be

accomplished

■ A method, a discipline, and a process

Source : AICICT (Th e Un ite d Na tio n s Ec o n o m ic a n d So c ia l C o m m issio n )

Co nfid e ntia l 11

▶ People, Process and Technology which are influential factors to project performance in achieving the project’s goals or objectives.

▶ Defining, balancing and integrating the relationships among these factors can result in the project’s optimum performance.


Vita l Fa c to rs o f Pro jec t Ma na gement

Co nfid e ntia l 12

☞ Poor project design


Ma jo r Rea sons o f Pro jec t Fa ilure

So process, outputs(deliverables) and resources should be managed responsibly

☞ Poor project management

Co nfid e ntia l 13

▶ The project plan should detail all areas of discipline that will

answer the question, how do we achieve the goals, objectives

and requirements of the project?


Disc ip lines o f Pro jec t Ma na gement

▶ Qualified and competent managers must be prepared to

handle the following disciplines:

Co nfid e ntia l 14

1. Scope

2. Time

3. Cost

4. Human Resources

5. Risk

6. Quality

7. Procurement

8. Communication

9. Integration

10. Issues & Acceptance

11. Change


Disc ip lines o f Pro jec t Ma na gement

Co nfid e ntia l 15

To be successful Project, the following principles should be observed

1. Participation

– People who are part of the project should be involved at

every stage, from the initial needs assessment through to

monitoring.


Rec ommend ed Princ ip les fo r Suc c essful Pro jec t

Co nfid e ntia l 16

2. Local ownership and capacity development

– For projects to be sustainable, they must be locally owned and accompanied by human and organizational capacity development.


3. Alignment

– The potential benefits for the poor are more likely to be realized when ICT activities are aligned with the larger demand-driven development efforts of partners, particularly those related to poverty reduction.

Co nfid e ntia l 17

4. Institutional ownership and leadership

– A sense of ownership by and leadership of partner institutions are important.

Although successful ICT pilot programs are often driven by individuals, there must also be an institutional base to extend the project’s reach and increase the number of people involved.


Co nfid e ntia l 18

5. Competitive enabling environment

– An enabling ICT policy environment includes respect for freedom of expression, diversity and the free flow of information, completion of ICT infrastructure provisions, and investment in service development, including local content and the adoption of open source solutions


Co nfid e ntia l 19

6. Financial and social sustainability

– In order for projects to be financially sustainable, all potential costs and revenue generation should be included in the planning process from the start.


Co nfid e ntia l 20

7. Risk considerations

– Possible and unforeseeable negative impacts need to be taken into account and

carefully monitored, including watching out for how the benefits of ICT-supported interventions may be unequally distributed


– i.e. deepening economic, social and cultural divides rather than reducing poverty.

Co nfid e ntia l 21

▶ Managing the project scope and resources, particularly time, cost and people

Ma jo r Cha llenges o f Pro jec t Ma na gement


▶ To manage time, good project management practice observes the different phases of project management, which include: Planning, Implementation, Monitoring and Evaluation

Co nfid e ntia l 22

▶ Sta rte d Silve r Dig ita l Era with Sm a rt De vic e s

Ima ge o f Sma rt World

Realize Digital Democratization

Co nfid e ntia l 23

Dig ita l Divid e : Sma rtp hone Phob ia e tc

Dig ita l Toy ? Dig ita l Wea p on ?

Sma rt Devic e Boom & Knowled ge Ga p

Illite ra c y = > No PC Knowled ge = > No Sma rtp hone

Digital Divide

Co nfid e ntia l 24

Break Time !!!

Co nfid e ntia l 25

Contents




4. Key challenges

5. Q&A


Co nfid e ntia l 26

?

Co nfid e ntia l 27

■ IOT all connection via an internet

■ Information Big data

■ Personal information

■ System security

Complex I/F & Security

Co nfid e ntia l 28

As- wa s & As- Is ERP

Evolution of ERP System

Co nfid e ntia l 29

2. Korea Gov. Law of IS Audit

☞ IS Auditor who must not be influenced by project owner and

system developer is to check the information system in view

of 3rd party,

to improve the efficiency and acquire the security about

things which are related for building the system and stable

operation.

- Source: Korea Act Article 2, Paragraph 14

Definition of IS Audit

Co nfid e ntia l 30

Objective of IS Audit

▶ In view of 3rd party => IS Auditor should be objective of the problems and independent from project owner and other related ones

Correction notice -> Contractor

Control

No Delegation No Control

Contra c tor

IS Aud ito r

Pro jec t owner


Co nfid e ntia l 31

▶ Improve the system effectiveness and the contribution to business profitability

▶ Acquire IT’s cost-efficiency ; Response time, Resources etc to meet the pre-defined target

▶ Ensure the system securities; Integrity, Availability and

Confidentiality

▶ Monitor whether to follow the procedures defined by IS Audit Act


Objective of IS Audit

Co nfid e ntia l 32

▶ To lead the successful system development whilst minimizing the

significant risks ▶ What means the successful system development

Budget : Build IT enabled business system within budget Delivery : To complete the system development by the contractual

date Quality : to satisfy the business system with requirements of

functions, performance and security etc


Key Success Factor for System Development

Co nfid e ntia l

NIA (Na tiona l

Info rma tion

Soc ie ty

Agenc y)

Ministry o f Sec urity &

Pub lic Ad ministra tion

Ko rea

Government

Sta tute

33

Digital Government Act

Enforcement of ordinance for Digital Gov. Act

Notice of IS Audit Standard

Explanation of IS Audit

Guideline of IS Audit

Order / Management

Guideline of IS Audit

Execution

Management of requirement and task execution

Business type based

Checklist (48 items)

Responsible By Audit related Law / Notice / Guidance

2/2010

5/2010

2. Korea Gov. Law of IS Audit (Law enforcement)

Co nfid e ntia l 34

Type IS Audit Mandatory CY 2010 CY 2011 CY 2012

Act

Informatization promotion Act

No. 5669 (1999.1.21) Article 15 paragraph 2 (IS Audit)

Law of effective Introduction and operation of IS

No. 7816 (2005.12.30)

Digital government Law

No.10012 (2010.2.4)

Enforcement Decree

Presidential No.16458Article 10 sub-paragraph 3

Presidential No.19598

(2006. 6.30)

Presidential No. 22151 (2010.5.4)

Enforcement Rule

Enforcement rule Article 11 paragraph

1 sub-paragraph 5

Information & Communication rule No. 198 (2006. 6.30)

Standard Audit Standard of Information System (IC Notice No. 999-104)

Audit Standard of Information System (Ministry of security & public administration notice No. 2008-18)

Audit Standard of Information System (Ministry of security & public administration notice no. 2010-30 (2010.05.04) and

2010-85 (2010.12.22)

Audit Standard of Information System (Ministry of security & public administration notice no. 2010-85 (2011.7.1)

Audit Standard of Information System (Ministry of security & public administration notice no. 2012-11(2012.3.2)

Guideline Audit guideline of IS V1.0 (NIA 2009.05.28)

Audit guideline of IS V1.0 (NIA 2009.05.28)

PO Guideline of IS Audit project

(2011.7.27)

2. Korea Gov. Law of IS Audit (By period)

Co nfid e ntia l 35

Required observance by Project owner who is PO Issuer (Article 57,

Paragraph 2)

▶Support IS Auditor by project owner while working with project contractor

▶ No interrupt and unreasonable order for IS Auditor

IS Audit Observance

2. IS Audit Working Process

Mandatory Remediation about issues reported after IS Audit (Article

57, Paragraph 3)

▶ Based on the level of risk IS Auditor checked, all issues must be solved based on

the type of Mandatory correction, Warning and Recommendation

Co nfid e ntia l 36

IS Audit applicable for any public company investing more than about 0.5 M USD, which is excluding SW packages and HW in total cost

2. IS Audit Working Process

Mandatory IS Audit

However if investing less than 0.1 M USD which is small project and no worthy to audit, head officer of public company might request its exemption. But exceptions are as below. For any public service which is related with government administration Collaborated systems which many public companies are using each other

or building together In case of the system interface and common use by many public

companies If decided by head officer of public company, IS audit is required

Co nfid e ntia l 37

As Is

Arc

To Be

Arc

QA Activity

Business Management

P R O C E D U R E

O U T P U T

S E R V I C E

Tech

nology

Process

IS

Plan

ning

Imp.

Plan

System

Architecture

Application

System

Data Base

Test

Activity

Opera

tion

Ready

Com

Ple

tion

Data

Collec

tion

&

Beta

Testing

Building

Data

Quality

Control

Provide

Service

Service

Support

Building

Data

Base

Line

Mgmt

Structure

ITA ISP System Development DB OP MA

IS Audit A

rea

▶IS Audit processes include EA (Enterprise Architecture), ISP (Info. System

Planning), DB, Operation and Maintenance etc.

2. IS Audit Working Process (Framework V4.0)

Co nfid e ntia l 38

• Activities for IS audit are being taken usually at project site. They are serviced with type of stepwise IS audit and continuing audit based on

project characteristics.

• Do audit at major steps based on SW development cycle. Support steps at analysis, design and implementation

• Submit the audit report about all system areas which 4 to 10 IS auditors worked for 1-2 weeks

• Working at project site from the project beginning and guide quality and inform correction to the contractor and report to project owner

• Liaison role between project owner and contractor • Advisory for project owner in manageable and

technically with 1-2 IS auditors

Stepwise Audit

Continuous Audit

2. The execution of IS Audit (Stepwise vs. Continuous Audit)

Co nfid e ntia l 39

감리평가(▶▶▶▶ 2010 - 30▶ ) 1. Highly accepted (적정) : No risk found in achieving the project goal at the time of development stage.

2. Accepted (보통) : Small issues found but which are not impacting the project delivery and can be solved with only adjusted strategy and resources

3. Partially accepted (미흡) : Significant problem found in achieving the project goal. It requires slightly changed strategy and resources

4. Not accepted (부 적정) : Significant problems found in achieving the project goal, which can not be solved with current strategy and limited resources

Op tiona l issue s Ma nd a to ry issue s

Short Te rm Short Te rm

Long Te rm Long Te rm

Project owner will decide whether recommended issues must be solved in short or long term basis (negotiable).

2. The execution of IS Audit (Evaluation Level)

Co nfid e ntia l 40

Service

ISP Dev Audit

QA

Continuing Audit

Personal Security Planning for IS Security

System Analysis EA

ISMP PMO

Support

Planning

Define Requirement

Decision Selection Mgm’t Maint.

Biz. management & Control

Operation

Biz.

Acceptance

Proposal

Select Audit Partner

Contract

Start Prj.

Progress

Payment

Change

Audit

Completion

Biz. M

anagement

Issue PO

Prepare RFP

Maintenance Support Biz.

Cancellation

2. IS Audit Working Process (Management w/Service)

Co nfid e ntia l 41

• Apply to the best-fit audit model for accomplishing the successful improvement after analyzing the business project with the structural

and logical process in mind

Pro jec t t ype

(Devel opment or Mai n t enance

Progress l evel o f Pro jec t (Anal ys i s , Des i gn et c )

Area al l ocat i on for aud i t process (Management , Arch i t ec t ure et c )

Fi nd check po i n t for each area

IS Audi t v i ew

(Per formance or secur i t y et c )

Pro jec t A

rea

Audit View/ Check basis

Biz. Typ e /Aud it Time

Check items Review items

Check Framework

Guidance by area

Detailed review items Review method

Compliance by a rea

2. IS Audit Working Process (By Biz. Type)

Co nfid e ntia l 42

View Check Factors Description

Process

Plan Reasonability Review project plan, resources, progress etc적정성

Process Reasonability

Review procedures defined about development / operation / maintenance and r isk, quality, schedule and change etc

Compliance Review the compliance being maintained while working for the project

Product

Functionality Review the functionalities in view of completeness, integr ity and interoperability

Integr ity Review data correctness and integr ity

Usability Review the easy operation for users

Stability Review system stability in view of backup, business continuity and recovery구 신속성

Security Review system security to avoid from hacking etc

Efficiency Review business eff iciency with a reliable response t ime, scalability and adaptability

Compliance Review the output, procedure, standard and methodology to check the compliance

Consistency Requirements must be traced for any match

성과Performan

ce

Realizability ROI (Return On Investment), Achievement etc

Sufficiency Review the satisfaction of all requirements defined in the project plan

감리영역

감리관점/

점검기준

정보화전략계획수립

(ISP)

시스템개발

(SD) 유지보수

(MA)

사업유형/감리시점

데이터베이스구축

(DB)

운영

(OP)

2. IS Audit Working Process (Perspective)

Co nfid e ntia l 43

Step Check Items Explanation

Execution

&

Control

1. Change Management

Does any changes in pre-defined project scope follow the proper procedures and provide a traceability ?

2. Progress Management

Is project schedule managed in time and controlled properly ?

3. Resource Management

Are all resources being taken in schedule and managed properly as defined in the project plan ?

4. Communication Is the communication between project owner and contractor in good and reliable position ?

5. Risk Management

All risks are managed well and reported in time ? And to relieve those any procedures are being taken and traced ?

6. Quality Management

Does contractor provide activities to improve the project quality as always for the project owner and report periodically ?

2. IS Audit Working Process (In Audit Management Area)

Co nfid e ntia l

Process Normally stepwise IS audit is consisted of 9 sub-processes

IS Audit

Plan

Pre Audit

Start Audit

On-site

Audit

PO

Audit

Execution

Submit

Report

Audit Closing

Adjust Report

Remedy Plan토

Final Confirm

Approval of Audit plan

Confirm key issues

Inform corrections요구

Accepted or rejected인

Submit final scores and approval인

Submit

output

Interview &

Review Docs.

Reflect changes

Plan correction

Confirm correction & report

1 2 3 4 5 6 7 8 9

On site Remote

44

2. The execution of IS Audit

Co nfid e ntia l

Stepwise IS Audit is being taken 3 level of activities normally

as below,

A00. Preliminary

On-site Analysis

B00. On-site

Audit

C00. Confirm

Remediation

001. Report of

Audit Plan

002. Report of

Audit Processing

003. Report of

Issue Correction

2. IS Audit Common Procedure (Activities)

Co nfid e ntia l

절차도 Preliminary Audit is consisted of 3 steps as below,

A10. Prepare

Preliminary Audit

A20. Execute

Preliminary Audit A30. IS Audit Plan

A11. Scheduling A21. Receive Docs. A31. Write Audit Plan

A12. Resource plan A22. Define a scope

A23. define checklist A24. Meeting with Prj

owner & contractor

A32. Review/Confirm Audit Plan

2. IS Audit Common Procedure (Pre Audit)

Co nfid e ntia l

개요 ▶ ▶▶ B10. Start IS Audit B20. Kick-off Meeting B30. Execution of IS Audit

B11. Prepare on-site audit B21. Official Audit Meeting B31. Receive documents

B12. Confirm facilities B22. Meeting minutes B32. Review documents

B33. Find issues/risks etc

B34. Communication B35. Meeting with Contractor

B36. Meeting with Prj. owner

B37. Finalize issues

B40. Prepare IS Audit Rpt B50. Closing Meeting B60. Finalize Audit report

B41. Prepare Rpt by area

B42. Report Collection

B42. Review Reports

B51. Prepare meeting

B52. Start meeting

B61. Review issues

B62. Reconciliation

B63. Finalize report

2. IS Audit Common Procedure (On-Site Audit)

Co nfid e ntia l

시정조치는 ▶▶▶▶ ▶▶▶ ▶▶▶▶ ▶▶▶▶ ▶▶▶▶▶ ▶▶▶▶ ▶▶▶ ▶▶▶▶▶ ▶▶▶ ▶▶▶ ▶▶▶▶ ▶▶ C10. Check Remediation C20. Confirm correction

C30. Prepare Confirmation

C11. Receive contractor request

C12. Plan Check Schedule

C13. Share check plan

C21. Confirm results

C22. Mutual review

C31. Draft Report

C32. Review Report

C33. Revise Report

C23. Interview w/2 parties

C24. Submit opinion

C40. Submit Post Audit Rpt

C41. Finalize Report

C42. Submit Report

2. IS Audit Common Procedure (Remediation)

Co nfid e ntia l 49

Ind ex o f IS Aud it Rep ort

Describes all audit areas

1. Project management

2. Application

3. Data Base

4. System Architecture

IS Audit at Design level

Describes IS Audit Plan

Summarized opinion

by Audit leader

2. The execution of IS Audit (Report)

Co nfid e ntia l 50

II. Summa rized op inion

2. The execution of IS Audit (Report)

Co nfid e ntia l 51

Break Time !!!

Co nfid e ntia l 52

Contents




4. Key challenges

5. Q&A


Co nfid e ntia l

"The advanced economy could not run for thirty seconds without computers." - Alvin To ffle r in Tommrrow’ wea lth -

53


Co nfid e ntia l 54

Source : CISCO 2011

■ Future world is hyper connected environmentally with IOT (Internet

of things) and M2M (machine to machine) which not constrained with

time and space and create new business growth and values

Rapidly Changing Hyper Connected Society

Co nfid e ntia l 55

Not increasing World PC Market, Rapidly growing Smartphone/Tab


Co nfid e ntia l 56


COBIT 5 is ISACA’s globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises

In 1969 incorporated in US, by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer system.

* COBIT sta nd s fo r Co ntro l o b je c tive s fo r info rma tio n a nd re la te d te c hno lo g y

Co nfid e ntia l 57

• Provide a renewed and authoritative governance and

management framework for enterprise information and

related technology

• Integrate all other major ISACA

frameworks and guidance

• Align with other major frameworks

and standards

COBIT Cube


Co nfid e ntia l 58

▶ COBIT (Control objectives for information and related technology)

is being developed continuously.

3. COBIT Framework of ISACA (Evolution)

Co nfid e ntia l 59

▶ Korea IS Audit is focused on system development in view of functions, security and effectiveness to meet business demand,

3. COBIT Framework of ISACA (vs. Korea IS Audit)

while COBIT is business process oriented in terms of 1) Plan & Organization 2) Acquire & Implementation 3) Deliver & Support 4) Monitor & Evaluate

COBIT Control Model

Co nfid e ntia l 60

3. COBIT Framework of ISACA (Enablers)

Co nfid e ntia l

IT Goals

61

3. COBIT Framework of ISACA (Aligned with IT & Biz Goal)

Co nfid e ntia l

4 Doma ins

34 Proc esses

318 (A c t iv it ies/Ta sk s)

62

3. COBIT Framework of ISACA (Process oriented)

Co nfid e ntia l 63

3. COBIT Framework of ISACA (Primary Drivers)

Co nfid e ntia l 64

Contents




4. Key challenges

5. Q&A

Co nfid e ntia l 65

Key challenges in Auditing Environment

▶ Complex system with always connected !!!

Co nfid e ntia l 66

Wha t is Sma rt d evic e ?

Ma ny func tions a re toge the r in integ ra ted d evic e whic h is fle xib le with c ustomer a p p lic a tio n insta lled a nd tra nsfo rma tive

Smart Device ?

Co nfid e ntia l 67

Key challenges in IS Auditing

1) The scope of IS Audit

2) Communication with partners

4) Management of resource, delivery and quality

3) Process Knowledge about Information system

▶ Need to be clearly well defined about issues below !!!

Co nfid e ntia l 68

For more information Please contact:

Korea IT Consulting http://www.itall.net

[email protected]

#1503 Leaders Bldg, Seochojungang-ro, Seocho-gu, Seoul Korea 137-912

Tel 82-2-582-2400 Fax 82-2-583-9242

Contact

Co nfid e ntia l 69

Contents




4. Key challenges

5. Q&A

Q&A

Co nfid e ntia l 70

Q&A

Co nfid e ntia l 71

Gracias !!!

1. ict project management

Documents