How can I be agile and still satisfy the auditors?

Posted on 15-Jul-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: How can I be agile and still satisfy the auditors? - …...The bottom line • CMM(I) level 2 is a “slam-dunk” if you are using agile practices • CMM(I) levels 3 and 4 are highly

How can I be agile and still satisfy the auditors?


Welcome & Introductions
• Steve Ropa
  – [email protected]
  – Agile Coach
  – Certified Scrum Master
  – Certified Scrum Product Owner
  – 19 years software development
    • 11 years programming
    • 8 years director of development
  – 10 years Agile experience
    • XP
    • Scrum
  – http://blog.versionone.com/blog/agile-musings


Agile Values
• Individuals and Interactions OVER Processes and Tools
• Working Software OVER Comprehensive Documentation
• Customer Collaboration OVER Contract Negotiation
• Responding to Change OVER Following a Plan


That is to say…
• While there is value in the items on the right, we value the items on the left more.
• So there is no law saying that you may not do the items on the right; we won’t even withhold your merit badge.


The Big Fallacy..
• We are Agile
• We don’t need documentation


The Other Fallacy..
• We are {CMMI;ISO;HIPAA;EIEIO} compliant
• We need reams of documentation


What about auditing?
• Most audits are based on a very specific set of requirements, written to address a specific need or vulnerability:
  – Sarbanes-Oxley
    • Confirm financial calculations are correct
    • Ensure compliance through visibility into the financial controls
  – PCI (DSS)
    • Ensure the software that handles card payments is secure
    • Protect cardholder data and other private, personally identifiable information
  – HIPAA
    • Protect the privacy of health information


Auditable/standard-specific stories

• “As a healthcare customer, I can use the OnlineRx system in a secure manner, so that I am confident that my personal information will not be accessible by the public.”
  – This may be an epic; if so, break it down into stories for specific security measures.
  – Consider citing the specific standard and requirement in the story.
  – Be sure to write acceptance tests that confirm the requirement, and automate them.


Automated Acceptance Tests
• The best possible checklist on standards
• Write automated tests that are run on *every* check-in
  – Verify each standard is adhered to
  – Break the build when it is not
• FitNesse is a great example of a tool for automated acceptance tests
• These tests become ideal tools for documenting each


Definition of Done

• Teams need to agree on what “done” means for each story.
  – Usually starts with all the tests passing
  – Add a standard that stories aren’t done until audit requirements are met
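What the three slides above add up to (a standard-specific story, an automated acceptance test per requirement, and a Definition of Done that gates the build on those tests) is easier to see in code than in bullets. The block below is an added example in Python; it is not from the slides, FitNesse, or any VersionOne/ASPE material. “OnlineRx”, its in-memory API, the story identifiers (OnlineRx-SEC-1..3), the sample patients and the mapping of each test to a HIPAA Security Rule paragraph are all constructed for illustration; 45 CFR 164.312(a)(1), (b) and (d) are real control headings, but which test counts as evidence for which control is an assumption you would confirm with your own auditor. Each test records the story it verifies and the control it cites, the suite runs on every check-in, and a non-zero exit code is what breaks the build.

```python
import hashlib
import hmac
import os
import secrets
import sys
from dataclasses import dataclass, field


@dataclass
class OnlineRx:
    """Hypothetical in-memory service: password login, per-patient records, audit log."""
    records: dict = field(default_factory=dict)      # patient_id -> record dict
    credentials: dict = field(default_factory=dict)  # patient_id -> (salt, pbkdf2 digest)
    sessions: dict = field(default_factory=dict)     # session token -> patient_id
    audit_log: list = field(default_factory=list)    # one entry per record access attempt

    def register(self, patient_id, record, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.credentials[patient_id] = (salt, digest)
        self.records[patient_id] = record

    def login(self, patient_id, password):
        # Dummy salt/digest for unknown users keeps the cost constant (no user enumeration by timing).
        salt, digest = self.credentials.get(patient_id, (b"\0" * 16, b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = patient_id
        return token

    def get_record(self, token, patient_id):
        """Release a record only to that patient's own session; log every attempt."""
        caller = self.sessions.get(token)
        allowed = caller is not None and caller == patient_id
        self.audit_log.append((caller, patient_id, allowed))
        if not allowed:
            raise PermissionError("access denied")
        return self.records[patient_id]


def fixture():  # constructed sample data: two patients with known passwords
    svc = OnlineRx()
    svc.register("p-1001", {"name": "Alice Example", "rx": ["metformin"]}, "alice-pw")
    svc.register("p-1002", {"name": "Bob Example", "rx": ["lisinopril"]}, "bob-pw")
    return svc


def denied(svc, token, patient_id):  # True if the service refuses the read
    try:
        svc.get_record(token, patient_id)
    except PermissionError:
        return True
    return False


ACCEPTANCE_TESTS = []


def acceptance(story, cites):
    """Tag a test with the story it verifies and the control it is evidence for."""
    def wrap(fn):
        fn.story, fn.cites = story, cites
        ACCEPTANCE_TESTS.append(fn)
        return fn
    return wrap


@acceptance("OnlineRx-SEC-1: no session or record without valid credentials",
            "HIPAA Security Rule, 45 CFR 164.312(d) person or entity authentication")
def test_bad_credentials_are_rejected():
    svc = fixture()
    no_session = svc.login("p-1001", "wrong") is None and svc.login("p-9999", "x") is None
    return no_session and denied(svc, "not-a-session", "p-1001")


@acceptance("OnlineRx-SEC-2: a patient can read only their own record",
            "HIPAA Security Rule, 45 CFR 164.312(a)(1) access control")
def test_cross_patient_read_is_denied():
    svc = fixture()
    alice = svc.login("p-1001", "alice-pw")
    own_ok = svc.get_record(alice, "p-1001")["name"] == "Alice Example"
    return own_ok and denied(svc, alice, "p-1002")


@acceptance("OnlineRx-SEC-3: every record access attempt is logged with its outcome",
            "HIPAA Security Rule, 45 CFR 164.312(b) audit controls")
def test_access_attempts_are_audited():
    svc = fixture()
    bob = svc.login("p-1002", "bob-pw")
    svc.get_record(bob, "p-1002")
    denied(svc, bob, "p-1001")
    return svc.audit_log == [("p-1002", "p-1002", True), ("p-1002", "p-1001", False)]


def run_acceptance_suite():
    """Run every registered test; returns {story: (passed, citation)}."""
    return {t.story: (bool(t()), t.cites) for t in ACCEPTANCE_TESTS}


def build_passes(results=None):  # Definition-of-Done gate: green only if every cited control holds
    results = run_acceptance_suite() if results is None else results
    return all(passed for passed, _ in results.values())


if __name__ == "__main__":
    results = run_acceptance_suite()
    for story, (passed, cites) in results.items():
        print("PASS" if passed else "FAIL", story, "|", cites)
    sys.exit(0 if build_passes(results) else 1)  # non-zero exit breaks the build
```

Run as a check-in hook or CI step, the printed PASS/FAIL lines, each carrying its story ID and citation, are the artefact an auditor can be handed; the exit status is what stops a story from being “done” while a cited control is unmet.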


Agile and CMM(I)

CMM(I) Level 2 KPA                         Agile practices
Requirements Management                    User stories; product backlog
Software Project Planning                  Release planning; iteration planning
Software Project Tracking and Oversight    Daily stand-ups; burndown charts; iteration reviews
Software Subcontract Management            Not addressed
Software Quality Assurance                 Automated user acceptance tests; automated unit tests
Software Configuration Management          Continuous integration


Requirements Management

• A well maintained product backlog is a list of every user story and feature that is in the system

• User stories include the acceptance criteria that define the story, and many times will also include the tasks that satisfy the actual criteria


Software Project Planning
• Release planning provides a vision early on as to what will be delivered.
  – When a release will happen is fixed, thus removing a large amount of uncertainty
• Sprint planning is a tight, well-defined feedback loop
  – Change is recognized early and implemented quickly
  – Teams that reach a sprint rhythm are highly effective and repeatable


Software Project Tracking and Oversight

• Daily stand-ups provide near-instantaneous feedback
• Sprint burndown shows status and the projected path to completion of stories
• Iteration reviews show working software
• Retrospectives provide a continuous improvement mechanism


Software Quality Assurance
• Automated acceptance tests
  – The tests have to pass every time, not just the first time
  – Broken tests are found quickly, before the system can decay
• Automated unit tests
  – Code is rigorously and continuously exercised
• Merciless refactoring
  – Design is improved continuously


Software Configuration Management

• Continuous integration
  – Code is checked in several times a day
  – Builds and tests are run every time
• Continuous delivery
  – Working software is available all the time


What about Level 3?

• Most level 3 KPAs are organizational in nature
  – Process focus
  – Training program
  – Intergroup coordination
• Agile practices are exceptionally well suited to the organizational changes and attitudes that will satisfy these requirements.


The bottom line
• CMM(I) level 2 is a “slam-dunk” if you are using agile practices
• CMM(I) levels 3 and 4 are highly facilitated by the collaborative nature of agile teams.
• Even level 5 gets a great jump start from agile practices
  – Defect prevention: unit tests and pair programming, coupled with automated acceptance tests, make this a slam dunk also
  – Other KPAs are again more organizational in nature at this level


Requirements Traceability

• Early on, XP said “tear up the cards”
• Keep your stories somewhere
  – Excel spreadsheets
  – Project management tools
• You can still be agile with these tools; just remember to keep it light.


How to Claim Your PDU
• Go to ccrs.pmi.org/
• Search for ASPE as a Registered Education Provider. Our number is 2161
• At the bottom of our details page, select “See Provider’s Activities”
• Find the activity code stated by the moderator during the presentation: WS032911
• The seminars are Category A (formerly Category 3) for one PDU.