Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Chapter 3
Organizational Project-Enabling Processes

Objectives
• Understand the relationship of organizational process models to individual project lifecycles
• Understand the role of lifecycle management in organizing an ICT product and its processes into manageable components
• Understand the importance of infrastructure management within an ICT organization
• Understand project portfolio management and its effect on individual ICT projects

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015

Objectives
• Understand the role of human resource planning in support of ICT lifecycle processes
• Understand the role of quality management in support of ICT lifecycle processes

Overview of Project-Enabling Processes
• The five project-enabling processes defined by the ISO 12207 standard are:
  – Lifecycle Model Management process (6.2.1)
  – Infrastructure Management process (6.2.2)
  – Project Portfolio Management process (6.2.3)
  – Human Resource Management process (6.2.4)
  – Quality Management process (6.2.5)

Why Are Organizational Processes Important?
• A successful project needs to have both maximum flexibility and absolute control (a contradiction)
• The solution is to build the model from the highest applicable level of abstraction
  – Model can then be used as a general classification structure in which all ICT processes can be defined

Why Are Organizational Processes Important?
• Operating process model: the sequence of interconnected activities, relevant inputs, and consequent outputs that make up a business or operating process
• Organizational process framework: a mechanism for harmonizing process disparity and managing associated complexities that uses five architectural views
  – This model is project specific and generally cannot be characterized in any common way

Lifecycle Model Management Process (6.2.1)
• This process almost always involves functions for planning, resource allocation, monitoring and review, control, and reporting
• The lifecycle model management process establishes policies and procedures for an organization’s ICT lifecycle processes and defines the organization’s standard lifecycle models
• 6.2.1 also includes activities for assessing and improving organization-level processes
  – Makes specific reference to ISO/IEC 15504 for details on assessment activities

Lifecycle Model Management Activity 6.2.1.3.1: Process Establishment
• ICT lifecycle models often affect many areas of an organization
  – Processes to manage and control the model can be defined at multiple levels and may be related hierarchically

Lifecycle Model Management Activity 6.2.1.3.2: Process Assessment
• 12207 stipulates that lifecycle model processes should be assessed routinely
• The following criteria may drive the need for assessments:
  – To identify the need for process improvement
  – To verify the progress of process improvement
  – To promote better buyer/supplier relationships
  – To encourage and facilitate buy-in
• Equally important as the need for assessment is formal review of each process at regular intervals

Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement
• The purpose of this activity is to plan, implement, and deploy process improvements
  – Based on current strengths and weaknesses of lifecycle processes
• Improvement initiatives for lifecycle processes are a result of data collected from various sources
• Benchmarking: a measurement of the quality of an organization’s policies, products, programs, and strategies, and their comparison with standard measurements against the organization’s peers

Lifecycle Model Management Activity 6.2.1.3.3: Process Improvement
• Policies and procedures are documented in an organization’s process improvement plan
  – Also contains details related to process action planning, pilot planning, and deployment planning
• Any proposed improvements should be tested on a small group before being deployed across the organization
• Once processes are established:
  – Historical, technical, and quality cost data should be collected, maintained, and used with evaluation data generated by monitoring the processes

Infrastructure Management Process (6.2.2)
• Infrastructure management: the role that defines, provides, and maintains the facilities, tools, communication, and information technology assets of an organization’s business
  – Creates a consistent architecture within the organization
• The infrastructure model must encompass and describe the complete structure from top to bottom
  – Of every process at every level
• An organization must be able to trace and derive all of these levels and elements from each other

Infrastructure Management Process (6.2.2)
• The basic element of an infrastructure process model is the task cell
  – Each cell is designed to carry out a specific task and is uniquely identified as such
• The model must also specify a set of exit conditions that includes:
  – Results to be produced
  – Level of validation required to authenticate results
  – Any unusual post-task conditions that might be specific to a particular cell

Infrastructure Management Process (6.2.2)
• Once a set of standard process cells has been defined
  – An organization can construct a process model by interconnecting the basic set of task cells in various ways
• Process models can take three basic forms:
  – The State view: a set of defined stages
  – The Organizational view: a definition of roles and responsibilities
  – The Control view: authorization and measurement features

Infrastructure Management Process (6.2.2)
• To establish a formal infrastructure appropriately tailored to an organization’s needs:
  – A standard process framework must be adopted for tailoring (the ISO 12207 standard)
  – Formally define entry/task/exit (ETX) specifications for each task to fit within that adopted framework
    • Allows the organization to monitor and track the outcomes of each cell as each task is completed
• Configuration management: the detailed recording and updating of information that describes an enterprise’s hardware and software

Infrastructure Management Activity 6.2.2.3.1: Process Implementation
• The standard’s requirements in this area are not very specific
  – Lack of specificity allows it to be applicable to all organizations, serving an infinite range of purposes
• The mechanism for performing essential activities is not specified
• However, once the infrastructure is established, the method for implementing it requires a formal plan and full documentation

Infrastructure Management Activity 6.2.2.3.2: Establishment of the Infrastructure
• Next step of implementation
  – Requires an organization to execute and fully document the detailed plans produced by the preceding activity
• Criteria to consider for implementation:
  – Functionality, performance, safety, security, availability, space requirements, equipment, costs, and time constraints
• The standard also stipulates that any process defined/installed by the infrastructure activity must be in place in time to execute the relevant process

Infrastructure Management Activity 6.2.2.3.3: Maintenance of the Infrastructure
• Ongoing maintenance of infrastructure is based on the standard software quality assurance (7.2.4) and configuration management (7.2.2) operations that the organization installed
• The standard requires this to assure that the underlying infrastructure continues to satisfy the requirements of each process

Project Portfolio Management Process (6.2.3)
• Project portfolio management (PPM) is sometimes managed haphazardly
  – Often not understood or embraced in large organizations
• PPM is not just enterprise-wide project management
• PPM is the construction and management of a portfolio of projects that make a maximum contribution to an organization’s overall goals and objectives

Project Portfolio Management Process (6.2.3)
• Organizations need PPM for the following reasons:
  – PPM enables organizations to choose projects that are aligned with overall goals
  – PPM balances resource capability and project resource requirements
  – PPM brings realism and objectivity into project planning and funding
  – PPM provides visibility into projects, how they are funded, and the human/financial capabilities
  – PPM follows the same principles as financial portfolio management and allows a return on investment

Project Portfolio Management Process (6.2.3)
• PPM has three main components:
  – 1. Deals with building the pipeline
  – 2. Assures that the right projects are selected
  – 3. Deals with prioritizing the selected projects correctly
• A structured process is needed to build the project pipeline and select the right projects

Project Portfolio Management Process (6.2.3)
• PPM focuses on decision making about an organization’s existing ICT products and services
  – As well as those in development
• PPM aims to establish and maintain a balanced product portfolio that:
  – Maximizes value
  – Supports the business strategy
  – Makes the best use of an organization’s resources

Project Portfolio Management Activity 6.2.3.3.1: Project Initiation
• First step of portfolio management is for organizations to prioritize their business strategies
  – Portfolios can then be assembled and assessed based on how they meet strategic needs
• Once priorities are identified, portfolios will need to be broken down
• Next, the organization needs to develop the metrics used to measure a portfolio’s success

Project Portfolio Management Activity 6.2.3.3.2: Portfolio Evaluation
• The 12207 standard makes portfolio evaluation a separate activity in an attempt to prevent it from being forgotten
• Organizations should consider the following while evaluating projects:
  – How well the project maps against the strategic initiatives of the organization
  – Risks in terms of technology and change management
  – Number of people the project affects
  – Whether the project involves extensive reengineering

Project Portfolio Management Activity 6.2.3.3.3: Project Closure
• Changes in business, economic, or market conditions can force some projects to be cancelled
• Cancellation does not invalidate the initial decision to fund the project
• Realizing that investments should be viewed as components of a unified portfolio is the first step to responsible ICT portfolio management

Human Resource Management Process (6.2.4)
• Human resource management: the function within an organization that focuses on recruiting, managing, and directing employees
  – Assures that competent people are always available to fulfill an organization’s needs
• Section 6.2.4 specifies a general framework that can help refine an organization’s workforce and personnel practices
  – The model is intended to improve practices, not the people

Human Resource Management Process (6.2.4)
• The human resource management process:
  – Focuses on refining and presenting plans for workforce recruitment and development
  – Specifies a means for establishing a culture of continual progress within a fully capable workforce
  – Allows an organization to move from an operating model based on inconsistent personnel practices to one that supports disciplined evolution of essential knowledge, skills, and motivation within the workforce

Human Resource Management Process (6.2.4)
• The human resource management process begins by thoroughly analyzing the requirements of the organization or project
• The next stage is to create a training plan that develops the workforce
  – Contains itemized training documentation
• The next step is to implement the training plan
• Final step is to establish the mechanisms by which a qualified workforce will be trained and made available to perform roles on project teams

Human Resource Management Activity 6.2.4.3.1: Skill Identification
• Human resource management process begins with a review of the organization or project’s requirements
  – Determines the mechanism the organization employs to acquire or develop resources and skills required by management or technical staff
• Helps determine if new employees can be hired if capable personnel are not available on staff
  – That determination is based on comparing the types and levels of training required with the categories of personnel who need training

Human Resource Management Activity 6.2.4.3.2: Skill Development
• Organizations need a plan that provides strategy and a practical mechanism for managing human resources through a focused training process
• This plan includes:
  – Itemized training tasks
  – An implementation schedule
  – Associated resource requirements that are referenced to each training need identified
• The planning phase leads to the development of the training program

Human Resource Management Activity 6.2.4.3.3: Skill Acquisition and Provision
• Data from assessment in the preceding section is used to provide feedback to the organization about its progress in obtaining trained resources
• An objective of this activity is to have the right people in the right place within the organization at the right time
• Accomplished through:
  – Understanding organizational and project objectives
  – A feedback process through established evaluation procedures
  – Maintenance of performance records

Human Resource Management Activity 6.2.4.3.4: Knowledge Management
• An organization’s chief asset is intellectual property
• ICT organizations need to maintain a consistent level of competence in order to win contracts and complete projects successfully
• Inclusion of knowledge management is important in the human resource management process in terms of learning, capturing, and reusing experience in ICT organizations
• CMMI model: a framework that describes best practices in managing, measuring, and monitoring software development

Quality Management (6.2.5)
• Quality management system: a set of related and interacting elements that organizations use to direct and control how quality policies are implemented
  – As well as how quality objectives are achieved
• Quality management is meant to assure that faults do not occur in the first place
• International standards have been adopted to provide the framework for establishing process quality policies and control mechanisms

Quality Management (6.2.5)
• Benefit of a defined quality management system:
  – Employees cannot “do their own thing”
  – Organizations conduct business in an orderly manner
• Quality management systems assure that quality is designed and built into products rather than tested later
• Quality management standards provide an organization with a template for setting up and running a quality system

Quality Management Activity 6.2.5.3.1: Quality Management
• First step: to prepare documentation that reflects and respects what you do, how you do it, and prioritizes customer satisfaction
• The quality plan should:
  – 1. Define the scope of your quality management system
  – 2. Identify quality objectives and then specify the operating processes and resources needed to achieve those objectives
  – 3. Describe how your quality management processes interact

Quality Management Activity 6.2.5.3.1: Quality Management
• The quality plan should (cont’d):
  – 4. Document your quality procedures or refer to them
  – 5. Identify the resources required at all levels to obtain and maintain the level of quality needed to achieve the defined objectives
  – 6. Clearly define the authority and responsibilities of internal and external participants in the quality management system

Quality Management Activity 6.2.5.3.1: Quality Management
• Once the plan is developed:
  – The next step is to provide policies that assure the plan is followed
• The final step in this activity is for management to show commitment to quality
• Management should:
  – Support the implementation of defined policies and procedures
  – Support efforts to continually improve the quality management system

Quality Management Activity 6.2.5.3.2: Quality Management Corrective Action
• Quality management corrective action implies the need for procedures to correct or prevent inconsistencies within the process
• The 12207 standard includes the use of configuration management (7.2.2) procedures to control corrective actions that affect ICT products
• Process requires developing procedures to:
  – Assure that problems are identified and corrected without delay
  – Assure that potential problems are routinely detected and prevented

Summary
• The organizational project-enabling processes are much larger in concept and less homogeneous in their application than many other process categories of the ISO 12207 standard
• The five project-enabling processes help provide the essential framework of an organization based on maximum flexibility and absolute control
• The lifecycle model management process establishes an organization’s policies and procedures for system lifecycle processes and defines the organization’s lifecycle models

Summary
• The infrastructure management process establishes and maintains the resources needed to address project and organizational objectives
• The project portfolio management process controls the commitment of an organization’s funding and resources to establish and maintain projects
• The human resource management process provides projects with the skilled people needed to meet project objectives and maintain the competencies of an organization’s staff

Summary
• Human resource management establishes and maintains mechanisms that manage knowledge generated by projects and use that knowledge to promote repeatability throughout processes
• The purpose of the quality management process is to assure that the organization’s quality goals are achieved and customers are satisfied