490 likes | 646 Views
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 3 Organizational Project-Enabling Processes. Objectives. Understand the relationship of organizational process models to individual project lifecycles
E N D
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition Chapter 3 Organizational Project-Enabling Processes
Objectives • Understand the relationship of organizational process models to individual project lifecycles • Understand the role of lifecycle management in organizing an ICT product and its processes into manageable components • Understand the importance of infrastructure management within an ICT organization • Understand project portfolio management and its effect on individual ICT projects Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Objectives • Understand the role of human resource planning in support of ICT lifecycle processes • Understand the role of quality management in support of ICT lifecycle processes Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Overview of Project-Enabling Processes • The five project-enabling processes defined by the ISO 12207 standard are: • Lifecycle Model Management process (6.2.1) • Infrastructure Management process (6.2.2) • Project Portfolio Management process (6.2.3) • Human Resource Management process (6.2.4) • Quality Management process (6.2.5) Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Why Are Organizational Processes Important? • A successful project needs to have both maximum flexibility and absolute control (a contradiction) • The solution is to build the model from the highest applicable level of abstraction • Model can then be used as a general classification structure in which all ICT processes can be defined Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Why Are Organizational Processes Important? • Operating process model: the sequence of interconnected activities, relevant inputs, and consequent outputs that make up a business or operating process • Organizational process framework: a mechanism for harmonizing process disparity and managing associated complexities that uses five architectural views • This model is project specific and generally cannot be characterized in any common way Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Lifecycle Model Management Process (6.2.1) • This process almost always involves functions for planning, resource allocation, monitoring and review, control, and reporting • The lifecycle model management process establishes policies and procedures for an organization’s ICT lifecycle processes and defines the organization’s standard lifecycle models • 6.2.1 also includes activities for assessing and improving organization-level processes • Makes specific reference to ISO/IEC 15504 for details on assessment activities Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Lifecycle Model Management Activity 6.2.1.3.1: Process Establishment • ICT lifecycle models often affect many areas of an organization • Processes to manage and control the model can be defined at multiple levels and may be related hierarchically Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Lifecycle Model Management Activity 6.2.1.3.2: Process Assessment • 12207 stipulates that lifecycle model processes should be assessed routinely • The following criteria may drive the need for assessments: • To identify the need for process improvement • To verify the progress of process improvement • To promote better buyer/supplier relationships • To encourage and facilitate buy-in • Equally important as the need for assessment is formal review of each process at regular intervals Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement • The purpose of this activity is to plan, implement, and deploy process improvements • Based on current strengths and weaknesses of lifecycle processes • Improvement initiatives for lifecycle processes are a result of data collected from various sources • Benchmarking: a measurement of the quality of an organization’s policies, products, programs, and strategies, and their comparison with standard measurements against the organization’s peers Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement • Policies and procedures are documented in an organization’s process improvement plan • Also contains details related to process action planning, pilot planning, and deployment planning • Any proposed improvements should be tested on a small group before being deployed across the organization • Once processes are established: • Historical, technical, and quality cost data should be collected, maintained, and used with evaluation data generated by monitoring the processes Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Process (6.2.2) • Infrastructure management: the role that defines, provides, and maintains the facilities, tools, communication, and information technology assets of an organization’s business • Creates a consistent architecture within the organization • The infrastructure model must encompass and describe the complete structure from top to bottom • Of every process at every level • An organization must be able to trace and derive all of these levels and elements from each other Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Process (6.2.2) • The basic element of an infrastructure process model is the task cell • Each cell is designed to carry out a specific task and is uniquely identified as such • The model must also specify a set of exit conditions that includes: • Results to be produced • Level of validation required to authenticate results • Any unusual post-task conditions that might be specific to a particular cell Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Process (6.2.2) • Once a set of standard process cells has been defined • An organization can construct a process model by interconnecting the basic set of task cells in various ways • Process models can take three basic forms: • The State view: a set of defined stages • The Organizational view: a definition of roles and responsibilities • The Control view: authorization and measurement features Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Process (6.2.2) • To establish a formal infrastructure appropriately tailored to an organization’s needs: • A standard process framework must be adopted for tailoring (the ISO 12207 standard) • Formally define entry/task/exit (ETX) specifications for each task to fit within that adopted framework • Allows the organization to monitor and track the outcomes of each cell as each task is completed • Configuration management: the detailed recording and updating of information that describes an enterprise’s hardware and software Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Activity 6.2.2.3.1: Process Implementation • The standard’s requirements in this area are not very specific • Lack of specificity allows it to be applicable to all organizations, serving an infinite range of purposes • The mechanism for performing essential activities is not specified • However, once the infrastructure is established, the method for implementing it requires a formal plan and full documentation Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Activity 6.2.2.3.2: Establishment of the Infrastructure • Next step if implementation • Requires an organization to execute and fully document the detailed plans produced by the preceding activity • Criteria to consider for implementation: • Functionality, performance, safety, security, availability, space requirements, equipment, costs, and time constraints • The standard also stipulates that any process defined/installed by the infrastructure activity must be in place in time to execute the relevant process Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Infrastructure Management Activity 6.2.2.3.3: Maintenance of the Infrastructure Ongoing maintenance of infrastructure is based on the standard software quality assurance (7.2.4) and configuration management (7.2.2) operations that the organization installed The standard requires this to assure that the underlying infrastructure continues to satisfy the requirements of each process Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Process (6.2.3) • Project portfolio management (PPM) is sometimes managed haphazardly • Often not understood or embraced in large organizations • PPM is not just enterprise-wide project management • PPM is the construction and management of a portfolio of projects that make a maximum contribution to an organization’s overall goals and objectives Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Process (6.2.3) • Organizations need PPM for the following reasons: • PPM enables organizations to choose projects that are aligned with overall goals • PPM balances resource capability and project resource requirements • PPM brings realism and objectivity into project planning and funding • PPM provides visibility into projects, how they are funded, and the human/financial capabilities • PPM follows the same principles as financial portfolio management and allows a return on investment Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Process (6.2.3) • PPM has three main components: • 1. Deals with building the pipeline • 2. Assures that the right projects are selected • 3. Deals with prioritizing the selected projects correctly • A structured process is needed to build the project pipeline and select the right projects Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Process (6.2.3) • PPM focuses on decision making about an organization’s existing ICT products and services • As well as those in development • PPM aims to establish and maintain a balanced product portfolio that: • Maximizes value • Supports the business strategy • Makes the best use of an organization’s resources Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Activity 6.2.3.3.1: Project Initiation • First step of portfolio management is for organizations to prioritize their business strategies • Portfolios can then be assembled and assessed based on how they meet strategic needs • Once priorities are identified, portfolios will need to be broken down • Next, the organization needs to develop the metrics used to measure a portfolio’s success Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Activity 6.2.3.3.2: Portfolio Evaluation • The 12207 standard makes portfolio evaluation a separate activity in an attempt to prevent it from being forgotten • Organization should consider the following while evaluating projects: • How well the project maps against the strategic initiatives of the organization • Risks in terms of technology and change management • Number of people the project affects • Whether the project involves extensive reengineering Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Project Portfolio Management Activity 6.2.3.3.3: Project Closure Changes in business, economic, or market conditions can force some project to be cancelled Cancellation does not invalidate the initial decision to fund the project Realizing that investments should be viewed as components of a unified portfolio is the first step to responsible ICT portfolio management Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Process (6.2.4) • Human resource management: the function within an organization that focuses on recruiting, managing, and directing employees • Assures that competent people are always available to fulfill an organization’s needs • Section 6.2.4 specifies a general framework that can help refine an organization’s workforce and personnel practices • The model is intended to improve practices, not the people Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Process (6.2.4) • The human resource management process: • Focuses on refining and presenting plans for workforce recruitment and development • Specifies a means for establishing a culture of continual progress within a fully capable workforce • Allows an organization to move from an operating model based on inconsistent personnel practices to one that supports disciplined evolution of essential knowledge, skills, and motivation within the workforce Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Process (6.2.4) • The human resource management process begins by thoroughly analyzing the requirements of the organization or project • The next stage is to create a training plan that develops the workforce • Contains itemized training documentation • The next step is to implement the training plan • Final step is to establish the mechanisms by which a qualified workforce will be trained and made available to perform roles on project teams Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Activity 6.2.4.3.1: Skill Identification • Human resource management process begins with a review of the organization or project’s requirements • Determines the mechanism the organization employs to acquire or develop resources and skills required by management or technical staff • Helps determine if new employees can be hired if capable personnel are not available on staff • That determination is based on comparing the types and levels of training required with the categories of personnel who need training Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Activity 6.2.4.3.2: Skill Development • Organizations need a plan that provides strategy and a practical mechanism for managing human resources through a focused training process • This plan includes: • Itemized training tasks • An implementation schedule • Associated resource requirements that are referenced to each training need identified • The planning phase lead to the development of the training program Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Activity 6.2.4.3.3: Skill Acquisition and Provision • Data from assessment in the preceding section is used to provide feedback to the organization about its progress in obtaining trained resources • An objective of this activity is to have the right people in the right place within the organization at the right time • Accomplished through: • Understanding organizational and project objectives • A feedback process through established evaluation procedures • Maintenance of performance records Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Human Resource Management Activity 6.2.4.3.4: Knowledge Management An organization’s chief asset is intellectual property ICT organizations need to maintain a consistent level of competence in order to win contracts and complete projects successfully Inclusion of knowledge management is important in the human resource management process in terms of learning, capturing, and reusing experience in ICT organizations CMMI model: a framework that describes best practices in managing, measuring, and monitoring software development Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Quality Management (6.2.5) • Quality management system: a set of related and interacting elements that organization use to direct and control how quality policies are implemented • As well as how quality objectives are achieved • Quality management is meant to assure that faults do not occur in the first place • International standards have been adopted to provide the framework for establishing process quality policies and control mechanisms Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Quality Management (6.2.5) • Benefit of a defined quality management system: • Employees cannot “do their own thing” • Organizations conduct business in an orderly manner • Quality management systems assure that quality is designed and built into products rather than tested later • Quality management standards provide an organization with a template for setting up and running a quality system Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Quality Management Activity 6.2.5.3.1: Quality Management • First step: to prepare documentation that reflects and respects what you do, how you do it, and prioritizes customer satisfaction • The quality plan should: • 1. Define the scope of your quality management system • 2. Identify quality objectives and then specify the operating processes and resources needed to achieve those objectives • 3. Describe how your quality management processes interact Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Quality Management Activity 6.2.5.3.1: Quality Management • The quality plan should (cont’d): • 4. Document your quality procedures or refer to them • 5. Identify the resources required at all levels to obtain and maintain the level of quality needed to achieve the defined objectives • 6. Clearly define the authority and responsibilities of internal and external participants in the quality management system Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Quality Management Activity 6.2.5.3.1: Quality Management • Once the plan is developed: • The next step is to provide policies that assure the plan is followed • The final step in this activity is for management to show commitment to quality • Management should: • Support the implementation of defined policies and procedures • Support efforts to continually improve the quality management system Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Quality Management Activity 6.2.5.3.2: Quality Management Corrective Action • Quality management corrective action implies the need for procedures to correct or prevent inconsistencies within the process • The 12207 standard includes the use of configuration management (7.2.2) procedures to control corrective actions that affect ICT products • Process requires developing procedures to: • Assure that problems are identified and corrected without delay • Assure that potential problems are routinely detected and prevented Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Summary • The organizational project-enabling processes are much larger in concept and less homogenous in their application than many other process categories of the ISO 12207 standard • The five project-enabling processes help provide the essential framework of an organization based on maximum flexibility and absolute control • The lifecycle model management process establishes an organization’s policies and procedures for system lifecycle processes and defines the organization’s lifecycle models Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Summary • The infrastructure management process establishes and maintains the resources needed to address project and organizational objectives • The project portfolio management process controls the commitment of an organization’s funding and resources to establish and maintain projects • The human resource management process provides projects with the skilled people needed to meet project objectives and maintain the competencies of an organization’s staff Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Summary • Human resource management establishes and maintains mechanisms that manage knowledge generated by projects that uses that knowledge to promote repeatability throughout processes • The purpose of the quality management process is to assure that the organization’s quality goals are achieved and customers are satisfied Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition