Project Management Methodology: Quality Control
What constitutes product quality?
• ISO definition of quality: “The totality of characteristics of an entity that bear on its ability to satisfy stated or implied needs”
• More practical definition: conformance to requirements
• Fitness for use: the product can be used as intended
Project Quality Management
• The following processes are in place:
  • Planning for quality
  • Performing quality assurance
  • Performing quality control
Planning for quality
• Define the product requirements and evaluate them from a business perspective:
  • Do they ensure improved security?
  • Do they fit current technology?
  • Do they improve the user’s experience?
  • Are they in sync with the enterprise security requirements?
  • Do they comply with regulatory requirements?
Planning for quality (cont.)
• Three main sources of security requirements:
  • Security risk assessment results
  • Legal, statutory, regulatory, and contractual requirements
  • The particular set of principles, objectives and business requirements specific to the company
Planning for quality (cont.)
• Define the documents you need to manage quality through the project, e.g. a Quality Management Plan
• Define the standards to be followed in project development and control
• Create appropriate metrics and/or a quality checklist
Security Solutions Quality Standards
• An Information Security Management System (ISMS) is a framework for an enterprise security architecture that summarizes the security solutions implemented by the company
• Quality requirements for security solutions are presented by the following two standards:
  • ISO 27001: “…Security techniques. ISMS – Requirements”
  • ISO 27002: “…Code of practice for information security management”
Security Solutions Quality Standards
• ISO 27001 provides the list of security requirements that any company should consider, and the relevant security controls to be implemented
• ISO 27002 provides best-practice recommendations and guidelines for implementing security controls
Security Solutions Quality Standards
• Other relevant security standards:
  • PIPEDA – Canadian standard for data privacy
  • PCI DSS – Payment Card Industry Data Security Standard
  • PA-DSS – Payment Application Data Security Standard
  • FIPS 140 – requirements and standards for cryptographic modules
Planning for quality
• The quality management plan is a deliverable in which you describe:
  • Quality criteria
  • Methodology and standards
  • Quality assurance process and checkpoints
  • Resource requirements
  • Methods of applying corrective actions
  • Quality assurance checklist
Performing Quality Assurance
• Quality assurance includes the activities related to satisfying the quality requirements of a project
• Quality assurance is the product of integrating the solution development process with the related processes in the company’s organizational model
• Strict enforcement of the processes is the basis of product quality
Performing Quality Assurance
• Major processes are:
  • Secure system development lifecycle
  • Change management
  • Release management
  • Configuration management
  • Project management
• Companies must have these processes enforced to be compliant with security standards
Performing Quality Assurance: Secure SDLC
• Security is built into the product from the beginning
• Every stage has relevant security deliverables
• The required resources have been provisioned in the project
• Control activities consider security in scope
Change management
• Formal change control must be implemented
• Change control assumes formal processes and procedures for:
  • Filing Change Requests (CRs)
  • Reviewing CRs with the major stakeholders
  • Approval following the standard process
  • Planning for implementation
Change management
• If approved, the CR is promoted to implementation and is then covered by other processes, such as project management, release management and configuration management
• The Change Management tool should allow recording of the decisions made during the CR review
Change management
• Change management assures that:
  • All changes are clearly defined, documented and communicated
  • Approval is obtained before proceeding
  • Changes are tested
  • Deployment is allowed only for authorized changes
  • A post-implementation review is conducted
Release Management
• Coordinate the processes through the system development life cycle
• Ensure the quality of the production version
• Manage the project artifacts
Release Management Processes
• Processes/activities:
  • Release design
  • Monitor and verify the progress of the release
  • Obtain sign-off
  • Approve production implementation
  • Coordinate release deployment activity
  • Implement release
  • Post-implementation review
• Security solutions should be built into one of the upcoming releases
Configuration management
• Must ensure that the descriptions of the project products are correct, complete, and consistent at any point in time
• Configuration management activities:
  • Identify and document the functional and physical characteristics of the products
  • Control any changes to those characteristics
  • Record and report changes
  • Audit the product to verify conformance to requirements
Configuration management
• The scope of configuration management (CM) depends on the subject
• Standards define:
  • CM for software
  • CM for computer hardware
Configuration management
• All components of a computer system must be registered with CM and recorded in the CM database
• CM responsibilities:
  • Identification
  • Control
  • Status accounting
  • Verification
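The three configuration management slides above describe CM as four responsibilities (identification, control, status accounting, verification) over a CM database. The following is an added example, not part of the slide deck, showing how those responsibilities look as code: a toy in-memory CM database where every component is registered with its characteristics, changes are accepted only against an approved change request, every change is appended to a history, and a verification step compares the recorded configuration with an observed inventory to report unregistered, missing and drifted components. All CI names, CR identifiers and attribute values are constructed for the example.

```python
"""Toy configuration-management (CM) database illustrating the four CM
responsibilities from the slides: identification, control, status accounting
and verification.  All data below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ConfigItem:
    """Identification: one registered component of the system."""
    ci_id: str
    ci_type: str                 # e.g. "software" or "hardware"
    version: str
    attributes: Dict[str, str]   # the characteristics placed under control
    history: List[str] = field(default_factory=list)  # status accounting


class CMDatabase:
    def __init__(self, approved_crs: set):
        self.items: Dict[str, ConfigItem] = {}
        self.approved_crs = approved_crs  # CRs that passed change control

    def register(self, ci: ConfigItem) -> None:
        """Identification: record the component and its initial state."""
        ci.history.append(f"registered version {ci.version}")
        self.items[ci.ci_id] = ci

    def change(self, ci_id: str, new_version: str,
               new_attributes: Dict[str, str], cr_id: str) -> bool:
        """Control: only an approved change request may alter a recorded CI.
        Returns False (and changes nothing) for unknown CIs or unapproved CRs."""
        if cr_id not in self.approved_crs or ci_id not in self.items:
            return False
        ci = self.items[ci_id]
        ci.history.append(f"{cr_id}: {ci.version} -> {new_version}")  # status accounting
        ci.version = new_version
        ci.attributes = dict(new_attributes)
        return True

    def verify(self, observed: Dict[str, dict]) -> Dict[str, list]:
        """Verification: compare what is deployed with what the CM database says.
        `observed` maps ci_id -> {"version": ..., "attributes": {...}}."""
        report = {"unregistered": [], "missing": [], "drift": []}
        for ci_id, obs in observed.items():
            if ci_id not in self.items:
                report["unregistered"].append(ci_id)   # deployed but never registered
                continue
            ci = self.items[ci_id]
            if obs["version"] != ci.version or obs.get("attributes", {}) != ci.attributes:
                report["drift"].append(ci_id)          # deployed state differs from record
        for ci_id in self.items:
            if ci_id not in observed:
                report["missing"].append(ci_id)        # registered but not found
        return report


def build_example() -> CMDatabase:
    """Constructed CM database with one approved change request."""
    db = CMDatabase(approved_crs={"CR-101"})
    db.register(ConfigItem("web-01", "hardware", "gen3", {"firmware": "1.2"}))
    db.register(ConfigItem("tls-terminator", "software", "2.4.0", {"min_tls": "1.2"}))
    db.register(ConfigItem("auth-service", "software", "5.1", {"mfa": "enabled"}))
    return db


def run_example():
    """Apply one approved and one unapproved change, then verify an observed inventory."""
    db = build_example()
    accepted = db.change("tls-terminator", "2.5.0", {"min_tls": "1.2"}, "CR-101")
    refused = db.change("auth-service", "5.2", {"mfa": "disabled"}, "CR-999")  # no approved CR
    observed = {  # constructed inventory as an audit might collect it
        "web-01": {"version": "gen3", "attributes": {"firmware": "1.2"}},
        "tls-terminator": {"version": "2.5.0", "attributes": {"min_tls": "1.0"}},  # weakened
        "legacy-ftp": {"version": "0.9", "attributes": {}},                         # unregistered
    }
    return accepted, refused, db.verify(observed), db.items["tls-terminator"].history


if __name__ == "__main__":
    accepted, refused, report, history = run_example()
    print("approved change accepted:", accepted, "| unapproved change refused:", not refused)
    print("verification report:", report)
    print("tls-terminator history:", history)
```

The verification report is what an audit of CM would act on: a drifted component means a change reached production outside change control, and an unregistered one means the CM database is no longer complete.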
Security Audit
• This is the verification of the implemented security solutions
• The baseline for verification is established in accordance with the audit goal
• An internal audit may evaluate the compliance of implemented security solutions with internal policies and standards
Security Audit
• Often an audit is initiated in order to verify compliance with regulatory requirements and standards
• Examples would be audits for:
  • PCI DSS compliance
  • ISMS compliance with ISO 27001
  • Network security compliance with ISO 27002
  • SSAE 16
Security Audit Standards
• Standards set the framework for security audit planning and implementation
• Best-known standards:
  • Control Objectives for Information and Related Technologies (COBIT)
  • Statement on Standards for Attestation Engagements No. 16 (SSAE 16), the replacement for SAS 70
Performing Quality Control
• The product must meet the requirements
• It must also meet the time and cost constraints
• Performing quality control means periodic evaluation of the overall project performance
• Final testing
Quality control tools
• Special tools are used to monitor project parameters to ensure that they comply with the relevant quality standards:
  • Capability Maturity Model (CMM)
  • Six Sigma methods
  • Quality metrics and diagrams (Pareto charts, fishbone diagrams)
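The slide above lists Pareto charts among the quality control tools without showing one. As an added example that is not part of the slide deck, here is a Pareto analysis over a constructed list of security audit findings: findings are counted per category, sorted in descending order, the cumulative share is computed, and the "vital few" categories that account for the first 80% of findings are identified, which is where corrective action is usually focused first. The finding categories and counts are constructed sample data.

```python
"""Pareto analysis of security audit findings: which few categories account
for most of the defects.  FINDINGS is constructed sample data."""
from collections import Counter

FINDINGS = (
    ["missing patch"] * 8
    + ["default credentials"] * 5
    + ["weak TLS config"] * 3
    + ["open port"] * 2
    + ["verbose error page", "outdated library"]
)


def pareto(findings, threshold=0.8):
    """Return (rows, vital_few).

    rows: (category, count, cumulative share) in descending order of count.
    vital_few: the categories needed to reach the cumulative share `threshold`
    (the classic 80/20 cut); the category that crosses the threshold is included."""
    counts = Counter(findings).most_common()      # sorted by count, descending
    total = sum(n for _, n in counts)
    rows, vital_few, cumulative = [], [], 0
    for category, n in counts:
        share_before = cumulative / total
        cumulative += n
        rows.append((category, n, round(cumulative / total, 3)))
        if share_before < threshold:              # still below the cut before this bar
            vital_few.append(category)
    return rows, vital_few


def render(rows, width=40):
    """Text rendering of the Pareto chart: bar length is proportional to count,
    followed by the count and the cumulative share."""
    biggest = max(n for _, n, _ in rows)
    return [
        f"{cat:<20} {'#' * (n * width // biggest):<{width}} {n:>3} {share:6.1%}"
        for cat, n, share in rows
    ]


if __name__ == "__main__":
    rows, vital_few = pareto(FINDINGS)
    print("\n".join(render(rows)))
    print("vital few:", vital_few)
```

Run as a script it prints the chart as text bars; the cumulative share column is the line a Pareto chart would draw over the bars, and the three categories reaching 80% are where the remediation plan would start.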
Exercise
• Assume that your company wants to hire a new project manager for security projects. Develop a list of quality criteria that you can use in making this hiring decision.