Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition Chapter 3 Organizational Project-Enabling Processes

Upload: edana

Post on 05-Jan-2016


Page 1

Chapter 3: Organizational Project-Enabling Processes

Page 2

© Cengage Learning 2015

Objectives

• Understand the relationship of organizational process models to individual project lifecycles

• Understand the role of lifecycle management in organizing an ICT product and its processes into manageable components

• Understand the importance of infrastructure management within an ICT organization

• Understand project portfolio management and its effect on individual ICT projects

Page 3

Objectives

• Understand the role of human resource planning in support of ICT lifecycle processes

• Understand the role of quality management in support of ICT lifecycle processes

Page 4

Overview of Project-Enabling Processes

• The five project-enabling processes defined by the ISO 12207 standard are:
  – Lifecycle Model Management process (6.2.1)
  – Infrastructure Management process (6.2.2)
  – Project Portfolio Management process (6.2.3)
  – Human Resource Management process (6.2.4)
  – Quality Management process (6.2.5)

Page 5

Why Are Organizational Processes Important?

• A successful project needs to have both maximum flexibility and absolute control (a contradiction)

• The solution is to build the model from the highest applicable level of abstraction
  – The model can then be used as a general classification structure in which all ICT processes can be defined

Page 6

Why Are Organizational Processes Important?

• Operating process model: the sequence of interconnected activities, relevant inputs, and consequent outputs that make up a business or operating process

• Organizational process framework: a mechanism for harmonizing process disparity and managing associated complexities that uses five architectural views
  – This model is project specific and generally cannot be characterized in any common way

Page 7

Lifecycle Model Management Process (6.2.1)

• This process almost always involves functions for planning, resource allocation, monitoring and review, control, and reporting

• The lifecycle model management process establishes policies and procedures for an organization’s ICT lifecycle processes and defines the organization’s standard lifecycle models

• 6.2.1 also includes activities for assessing and improving organization-level processes
  – Makes specific reference to ISO/IEC 15504 for details on assessment activities


Page 9

Lifecycle Model Management Activity 6.2.1.3.1: Process Establishment

• ICT lifecycle models often affect many areas of an organization
  – Processes to manage and control the model can be defined at multiple levels and may be related hierarchically

Page 10

Lifecycle Model Management Activity 6.2.1.3.2: Process Assessment

• 12207 stipulates that lifecycle model processes should be assessed routinely

• The following criteria may drive the need for assessments:
  – To identify the need for process improvement
  – To verify the progress of process improvement
  – To promote better buyer/supplier relationships
  – To encourage and facilitate buy-in

• Equally important as the need for assessment is formal review of each process at regular intervals

Page 11

Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement

• The purpose of this activity is to plan, implement, and deploy process improvements
  – Based on current strengths and weaknesses of lifecycle processes

• Improvement initiatives for lifecycle processes are a result of data collected from various sources

• Benchmarking: a measurement of the quality of an organization’s policies, products, programs, and strategies, and their comparison with standard measurements against the organization’s peers

Page 12

Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement

• Policies and procedures are documented in an organization’s process improvement plan
  – Also contains details related to process action planning, pilot planning, and deployment planning

• Any proposed improvements should be tested on a small group before being deployed across the organization

• Once processes are established:
  – Historical, technical, and quality cost data should be collected, maintained, and used with evaluation data generated by monitoring the processes

Page 13

Infrastructure Management Process (6.2.2)

• Infrastructure management: the role that defines, provides, and maintains the facilities, tools, communication, and information technology assets of an organization’s business
  – Creates a consistent architecture within the organization

• The infrastructure model must encompass and describe the complete structure from top to bottom
  – Of every process at every level

• An organization must be able to trace and derive all of these levels and elements from each other

Page 14

Infrastructure Management Process (6.2.2)

• The basic element of an infrastructure process model is the task cell
  – Each cell is designed to carry out a specific task and is uniquely identified as such

• The model must also specify a set of exit conditions that includes:
  – Results to be produced
  – Level of validation required to authenticate results
  – Any unusual post-task conditions that might be specific to a particular cell


Page 16

Infrastructure Management Process (6.2.2)

• Once a set of standard process cells has been defined
  – An organization can construct a process model by interconnecting the basic set of task cells in various ways

• Process models can take three basic forms:
  – The State view: a set of defined stages
  – The Organizational view: a definition of roles and responsibilities
  – The Control view: authorization and measurement features

Page 17

Infrastructure Management Process (6.2.2)

• To establish a formal infrastructure appropriately tailored to an organization’s needs:
  – A standard process framework must be adopted for tailoring (the ISO 12207 standard)
  – Formally define entry/task/exit (ETX) specifications for each task to fit within that adopted framework

• Allows the organization to monitor and track the outcomes of each cell as each task is completed

• Configuration management: the detailed recording and updating of information that describes an enterprise’s hardware and software


Page 20

Infrastructure Management Activity 6.2.2.3.1: Process Implementation

• The standard’s requirements in this area are not very specific
  – Lack of specificity allows it to be applicable to all organizations, serving an infinite range of purposes

• The mechanism for performing essential activities is not specified

• However, once the infrastructure is established, the method for implementing it requires a formal plan and full documentation

Page 21

Infrastructure Management Activity 6.2.2.3.2: Establishment of the Infrastructure

• Next step is implementation
  – Requires an organization to execute and fully document the detailed plans produced by the preceding activity

• Criteria to consider for implementation:
  – Functionality, performance, safety, security, availability, space requirements, equipment, costs, and time constraints

• The standard also stipulates that any process defined/installed by the infrastructure activity must be in place in time to execute the relevant process

Page 22

Infrastructure Management Activity 6.2.2.3.3: Maintenance of the Infrastructure

• Ongoing maintenance of infrastructure is based on the standard software quality assurance (7.2.4) and configuration management (7.2.2) operations that the organization installed

• The standard requires this to assure that the underlying infrastructure continues to satisfy the requirements of each process

Page 23

Project Portfolio Management Process (6.2.3)

• Project portfolio management (PPM) is sometimes managed haphazardly
  – Often not understood or embraced in large organizations

• PPM is not just enterprise-wide project management

• PPM is the construction and management of a portfolio of projects that make a maximum contribution to an organization’s overall goals and objectives

Page 24

Project Portfolio Management Process (6.2.3)

• Organizations need PPM for the following reasons:
  – PPM enables organizations to choose projects that are aligned with overall goals
  – PPM balances resource capability and project resource requirements
  – PPM brings realism and objectivity into project planning and funding
  – PPM provides visibility into projects, how they are funded, and the human/financial capabilities
  – PPM follows the same principles as financial portfolio management and allows a return on investment

Page 25

Project Portfolio Management Process (6.2.3)

• PPM has three main components:
  – 1. Deals with building the pipeline
  – 2. Assures that the right projects are selected
  – 3. Deals with prioritizing the selected projects correctly

• A structured process is needed to build the project pipeline and select the right projects


Page 27

Project Portfolio Management Process (6.2.3)

• PPM focuses on decision making about an organization’s existing ICT products and services
  – As well as those in development

• PPM aims to establish and maintain a balanced product portfolio that:
  – Maximizes value
  – Supports the business strategy
  – Makes the best use of an organization’s resources

Page 28

Project Portfolio Management Activity 6.2.3.3.1: Project Initiation

• First step of portfolio management is for organizations to prioritize their business strategies
  – Portfolios can then be assembled and assessed based on how they meet strategic needs

• Once priorities are identified, portfolios will need to be broken down

• Next, the organization needs to develop the metrics used to measure a portfolio’s success

Page 29

Project Portfolio Management Activity 6.2.3.3.2: Portfolio Evaluation

• The 12207 standard makes portfolio evaluation a separate activity in an attempt to prevent it from being forgotten

• Organizations should consider the following while evaluating projects:
  – How well the project maps against the strategic initiatives of the organization
  – Risks in terms of technology and change management
  – Number of people the project affects
  – Whether the project involves extensive reengineering

Page 30

Project Portfolio Management Activity 6.2.3.3.3: Project Closure

• Changes in business, economic, or market conditions can force some projects to be cancelled

• Cancellation does not invalidate the initial decision to fund the project

• Realizing that investments should be viewed as components of a unified portfolio is the first step to responsible ICT portfolio management

Page 31

Human Resource Management Process (6.2.4)

• Human resource management: the function within an organization that focuses on recruiting, managing, and directing employees
  – Assures that competent people are always available to fulfill an organization’s needs

• Section 6.2.4 specifies a general framework that can help refine an organization’s workforce and personnel practices
  – The model is intended to improve practices, not the people

Page 32

Human Resource Management Process (6.2.4)

• The human resource management process:
  – Focuses on refining and presenting plans for workforce recruitment and development
  – Specifies a means for establishing a culture of continual progress within a fully capable workforce
  – Allows an organization to move from an operating model based on inconsistent personnel practices to one that supports disciplined evolution of essential knowledge, skills, and motivation within the workforce


Page 35

Human Resource Management Process (6.2.4)

• The human resource management process begins by thoroughly analyzing the requirements of the organization or project

• The next stage is to create a training plan that develops the workforce
  – Contains itemized training documentation

• The next step is to implement the training plan

• Final step is to establish the mechanisms by which a qualified workforce will be trained and made available to perform roles on project teams

Page 36

Human Resource Management Activity 6.2.4.3.1: Skill Identification

• Human resource management process begins with a review of the organization or project’s requirements
  – Determines the mechanism the organization employs to acquire or develop resources and skills required by management or technical staff

• Helps determine if new employees can be hired if capable personnel are not available on staff
  – That determination is based on comparing the types and levels of training required with the categories of personnel who need training

Page 37

Human Resource Management Activity 6.2.4.3.2: Skill Development

• Organizations need a plan that provides strategy and a practical mechanism for managing human resources through a focused training process

• This plan includes:
  – Itemized training tasks
  – An implementation schedule
  – Associated resource requirements that are referenced to each training need identified

• The planning phase leads to the development of the training program

Page 38

Human Resource Management Activity 6.2.4.3.3: Skill Acquisition and Provision

• Data from assessment in the preceding section is used to provide feedback to the organization about its progress in obtaining trained resources

• An objective of this activity is to have the right people in the right place within the organization at the right time

• Accomplished through:
  – Understanding organizational and project objectives
  – A feedback process through established evaluation procedures
  – Maintenance of performance records

Page 39

Human Resource Management Activity 6.2.4.3.4: Knowledge Management

• An organization’s chief asset is intellectual property

• ICT organizations need to maintain a consistent level of competence in order to win contracts and complete projects successfully

• Inclusion of knowledge management is important in the human resource management process in terms of learning, capturing, and reusing experience in ICT organizations

• CMMI model: a framework that describes best practices in managing, measuring, and monitoring software development

Page 40

Quality Management (6.2.5)

• Quality management system: a set of related and interacting elements that organizations use to direct and control how quality policies are implemented
  – As well as how quality objectives are achieved

• Quality management is meant to assure that faults do not occur in the first place

• International standards have been adopted to provide the framework for establishing process quality policies and control mechanisms

Page 41

Quality Management (6.2.5)

• Benefit of a defined quality management system:
  – Employees cannot “do their own thing”
  – Organizations conduct business in an orderly manner

• Quality management systems assure that quality is designed and built into products rather than tested later

• Quality management standards provide an organization with a template for setting up and running a quality system


Page 43

Quality Management Activity 6.2.5.3.1: Quality Management

• First step: to prepare documentation that reflects and respects what you do, how you do it, and prioritizes customer satisfaction

• The quality plan should:
  – 1. Define the scope of your quality management system
  – 2. Identify quality objectives and then specify the operating processes and resources needed to achieve those objectives
  – 3. Describe how your quality management processes interact

Page 44

Quality Management Activity 6.2.5.3.1: Quality Management

• The quality plan should (cont’d):
  – 4. Document your quality procedures or refer to them
  – 5. Identify the resources required at all levels to obtain and maintain the level of quality needed to achieve the defined objectives
  – 6. Clearly define the authority and responsibilities of internal and external participants in the quality management system

Page 45

Quality Management Activity 6.2.5.3.1: Quality Management

• Once the plan is developed:
  – The next step is to provide policies that assure the plan is followed

• The final step in this activity is for management to show commitment to quality

• Management should:
  – Support the implementation of defined policies and procedures
  – Support efforts to continually improve the quality management system

Page 46

Quality Management Activity 6.2.5.3.2: Quality Management Corrective Action

• Quality management corrective action implies the need for procedures to correct or prevent inconsistencies within the process

• The 12207 standard includes the use of configuration management (7.2.2) procedures to control corrective actions that affect ICT products

• Process requires developing procedures to:
  – Assure that problems are identified and corrected without delay
  – Assure that potential problems are routinely detected and prevented

Page 47

Summary

• The organizational project-enabling processes are much larger in concept and less homogeneous in their application than many other process categories of the ISO 12207 standard

• The five project-enabling processes help provide the essential framework of an organization based on maximum flexibility and absolute control

• The lifecycle model management process establishes an organization’s policies and procedures for system lifecycle processes and defines the organization’s lifecycle models

Page 48

Summary

• The infrastructure management process establishes and maintains the resources needed to address project and organizational objectives

• The project portfolio management process controls the commitment of an organization’s funding and resources to establish and maintain projects

• The human resource management process provides projects with the skilled people needed to meet project objectives and maintain the competencies of an organization’s staff

Page 49

Summary

• Human resource management establishes and maintains mechanisms that manage knowledge generated by projects and uses that knowledge to promote repeatability throughout processes

• The purpose of the quality management process is to assure that the organization’s quality goals are achieved and customers are satisfied