Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition Chapter 4 Project Processes Objectives • Understand the purpose and benefit of processes in the project processes area • Structure and run an effective project planning process • Conduct effective, ongoing risk management • Control critical project activities such as configuration management and knowledge management Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 2 Overview of Project Processes • The project processes involve all the control activities that ensure ICT work meets business, technology, and assurance goals – Control: a specific action or actions taken to ensure a desired outcome • Project management: oversees the organization’s ICT acquisition, development, and sustainment processes – Enforces the ICT policies and procedures – Ensures effective coordination and control of the organization’s everyday work practices Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 3 Defining and Coordinating the Project • Project management involves defining and deploying a fully integrated set of activities to achieve a given purpose • Project definition and subsequent coordination ensure the efficient use of resources • A project management plan defines the requisite activities and tasks for each project – The plan should always consist of concrete specifications of the work to be done – The plan is typically reviewed and refined over time Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 4 Defining and Coordinating the Project • The project manager is the person who writes the plan • The plan specifies the major elements of the project during the planning period – As well as the organizational resources allocated to support each element • Strategic planning progress: a set of rational activities that an organization undertakes to accomplish its long-range goals • Project activities are planned, documented, evaluated, and adjusted when necessary Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 5 Building the Project Team • Project teams are typically composed of an integrated mix of business and information technology (IT) workers • Questions to ask when building a team: – What is the precise mission of the team? – What organizational competencies are required to achieve that mission? – Are those competencies available for the particular project? • Capability: the level of assessed competence of a process Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 6 Organizing the Project • Failure to satisfy the business purpose is a frequent cause of overall project failure • The planned involvement of business stakeholders ensures that all points of view are represented in the final product • Differences must be resolved for projects to move forward • It is a challenge to incorporate everyone’s vision and capabilities into project planning – Following the project process of the 12207 standard ensures best practice Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 7 The Project Processes of ISO 122072008 • The 12207 standard presents the processes in a logical order – Ranging from general best practices for planning, assessment, and implementation to specific project management and control practices • The project planning process establishes the generic management function for the given project • The project assessment and control area deals with all related implementation concerns • Figure 4-1 on the following slide shows the relationship of these process areas Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 8 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 9 The Project Planning Process (6.3.1) • Overall goal of project planning is to develop an effective and realistic set of plans for overall conduct of the project – Decides the scope and purpose of the project as well as the timeline and activities involved • The project planning process is responsible for describing the scope of work to be done and evaluating whether the work can be carried out with available resources and known constraints – Seeks to ensure proper alignment between project goals and reality Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 10 Project Initiation • First step in the project planning process is to establish the scope of the project – Includes defining objectives, motivations, and boundaries • Boundary: a perimeter that incorporates all items to be secured • Managers can then establish the feasibility of the project by confirming that all required personnel, materials, and technology are available – And that the project can be completed on time Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 11 Project Initiation • Project initiation involves ensuring that the actions of all participants are correctly aligned and coordinated with the achievement of project goals • The initiation activity must ensure that the project’s day-to-day activities and tasks are specified with appropriate detail • Project initiation must assure that adequate lines of communication have been established among all participants to guarantee effective cooperation Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 12 Project Planning • Plans usually include: – Schedules, milestones, time and resource estimates, and the assignment of roles, responsibilities, and work tasks • Might also include: – A detailed risk estimate for each activity and task – Lifecycle measures to assess the quality and security of each product and process • Security: confidence that a given approach will produce dependable and intended outcomes Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 13 Project Authorization and Launch • After receiving the appropriate from other managers – The project manager takes steps to launch project • Projects are established by the creation of a customized management process that establishes: – Visibility – Management control over project activities Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 14 The Project Assessment and Control Process (6.3.2) • The project assessment and control process ensures that events are on schedule, on budget, and fulfill the technical objectives laid out in the project plan • Quantitative data can be used to evaluate the options and implications of a decision • Managers cannot exercise control over projects unless they have an objective means of evaluating how well a project is going – Ability to obtain good measurement data is essential Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 15 The Project Assessment and Control Process (6.3.2) • By collecting standard project performance data managers can ensure project run appropriately and within budget – Project performance measures should be defined and instituted to support quantitative decision making • Performance data can also help identify emerging problems so that managers can judge potential risks and rewards of making further investments in an ongoing project – Based on reliable corporate benchmarks Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 16 The Project Assessment and Control Process (6.3.2) • Many different quantitative measures exist, including basic production metrics such as: – Project productivity measured in lines of code (LOC) or function points (FP) • The ISO 9126 standard also outlines metrics that consider the functionality, reliability, usability, efficiency, maintainability, and portability of the product under development Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 17 The Project Assessment and Control Activities • The aim of project assessment and control is to ensure that project objectives are successfully achieved and properly recorded • This process ensures: – Progress is monitored and reported – Interfaces between project elements are properly monitored – That managers can correct deviations from the project plan and prevent them from recurring Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 18 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2014 19 Project Monitoring • Project monitoring is the first formal activity • Ensures the: – Project is executed correctly – Outcomes of monitoring are reported to all internal and external project stakeholders • Project monitoring must account for the status of interfaces between internal project elements and outside interfaces with other relevant projects Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 20 Project Control • Managers must monitor a project in order to control it – Monitoring and control are closely associated • To enforce proper project control – The project manager must be able to investigate, analyze, and resolve any deviations from the project’s planned course of action • The impact from any deviation must be evaluated, authorized, and monitored • Routine reporting ensures general management oversight Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 21 Project Assessment • Formal assessment activities during ICT product development are an essential part of good management practice • Goal is to ensure that the work continues to run correctly from beginning to end of a project • Systematic assessments assure the ICT product requirements and the project’s ongoing activities satisfy the plan’s objectives • Assessment results can be used to establish steps that prevent future problems Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 22 Project Closure • Projects must be formally terminated – To avoid wasted resources • Reasons a formal termination procedure is necessary: – An organization must document that all ICT development activities have been completed as contracted – Project data has to be archived to preserve a history of the project • Lessons learned from previous projects can help in planning similar efforts in the future Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 23 The Decision Management Process (6.3.3) • Decision management is a fundamental process of project management – Seeks to ensure the best outcome for any concern that arises in the project environment – Evaluates all possible directions among a given set of alternatives and chooses the one that provides the likeliest benefit • Decision management is initiated by standard operating policies and procedures that are followed when a decision is needed Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 24 Decision Management Activities • A decision management policy allows managers to make quick and rational decisions about issues that arise in the day-to-day execution of a project • Goal is to record, categorize, and promptly report problems and to develop alternative course of action to resolve those problems • With standard policies in place: – The project team can ensure decisions made during the project lifecycle are valuable to organization’s goals Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 25 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2014 26 Decision Planning • A planning process is the first activity in decision management – Involves enumerating and prioritizing all categories of likely decisions • In addition to identifying the each type of decision: – Authorization and responsibilities for making it are assigned to the appropriate decision maker • Policies and procedures are selected to guide decisions in each category – A formal process is defined to address situations when no policy guidance is available Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 27 Decision Analysis • Overall aim of decision management is to come up with a decision that leads to the best result – Decisions are usually guided by policy • If there is no policy: – A decision-making strategy or decision protocol must be in place to ensure the right decision is made • A decision-making strategy includes functions for gathering information and making trade-offs – Allows for the project team to make the best decision from a range of alternatives Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 28 Decision Tracking • Each decision should be recorded and its outcomes should be tracked, evaluated, and reported – Ensures that the decision resolved problems or leads to the desired benefit – If not, knowledge gained can provide guidance • To track a decision: – Records of problems and decisions must be kept – Actions associated with the decision must be monitored through reviews, inspections, or audits Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 29 The Risk Management Process (6.3.4) • Risk management: a set of formal organizational processes that are designed to respond appropriately to any identified adverse event – Applies to all types of lifecycle activity • Goal is to identify, analyze, treat, and monitor all active and latent risks in the project • Threat: an adversarial action that could produce harm or an undesirable outcome • Threat assessment ensure that all project risks are identified and categorized Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 30 The Risk Management Process (6.3.4) • Risk analysis: the assessment of the overall likelihood and impact of a threat • Organizations must institute a targeted risk analysis function – Which facilitates qualitative and quantitative analyses of any newly identified or emerging risk event • Once a risk analysis function has been established – The organization must specify formal responses to correctly address all meaningful risks as they occur Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 31 Risk Management Activities • To determine the scope of the process, organizations must answer two questions: – What is the likelihood that each identified risk will occur? – What is its anticipated impact? • Answers are normally expressed as an estimate of loss, harm, failure, or danger for each risk • After scope is determined, risk management policies are defined and implemented – Organizations should set priorities for applying the resources needed to mitigate each risk Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 32 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2014 33 Risk Management Planning • Risk management planning goal: – To identify critical risks and then create and maintain an effective set of formal steps to manage each risk • Risk management planning helps an organization assign specific roles and responsibilities for the risk management function • The plan should describe the process for evaluating and improving overall risk management – Including how to use lessons learned • Acceptable risk: a situation in which the likelihood or impact of an adverse occurrence can be justified Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 34 Risk Profile Management • Risk profile management establishes a link between the risk management process and the project’s environment – By recording specific information for the state of each risk and its probability, consequences, and risk thresholds • Provides explicit policy guidance – Priorities established by the risk profile determine the application of resources for treatment • Risk thresholds dictate the conditions under which an organization may accept a level of risk Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 35 Risk Analysis • Risk analysis: information-gathering function that focuses on understanding the nature of risks – Documents mitigation strategies for every risk that surpasses its threshold – Defines measures for evaluating potential mitigation • Risk analysis ensures the most efficient use of security resources • Likelihood of occurrence: an assessment of the probability that an event will occur • Anticipated impacts are normally expressed as an estimate of loss, harm, failure, or danger Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 36 Risk Treatment • Risk treatment develops solutions for identified risks • The scope of coverage and the required level of assurance are primary influences that define this context • Roles and responsibilities have to be defined to carry out the actions necessary to mitigate risks – Establishes accountability • Each risk has to be categorized by priority to allow for decisions regarding resource allocation Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 37 Risk Monitoring • Risk monitoring tells decision makers whether risk management objectives are being achieved – And whether risk control performance is in line with expectations • Qualitative analysis is useful in determining priorities – One of the main purposes of risk monitoring – Expressed through a set of nominal values, such as high, medium, and low • A blend of quantitative and qualitative measures is often used to monitor risk Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 38 Risk Management Evaluation • Information should be collected throughout the project lifecycle to help improve risk management • Data includes identified risks, their sources, their causes, their treatment, and the success of selected treatments • An important element of risk management is a series of periodic reviews • Two types of review are commonly used: – Time-based - occur at regular intervals – Event-based - capture information about a particular aspect of the risk management process Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 39 The Configuration Management Process • Configuration management: a formal process to ensure the continuing status of ICT products – To ensure the status of every meaningful item in an ICT product is documented and known at all times • Goal: to establish and maintain the integrity of all project components by placing them under formal decision making and oversight control • Configuration management serves as the basis to measure quality by confirming the integrity of changes and ensuring they are verified as correct Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 40 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2014 41 Configuration Management Planning • A configuration management strategy must be planned for each project – Describes how configuration baselines are established, maintained, and archived for a project – Specifies which staff have the right to authorize, access, and reintegrate changes to baseline items – Must also specify the level of integrity, security, and safety for each baseline as well as storage medium • Once established, the project manager must specify which items are subject to configuration control (known as identification) Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 42 Configuration Management Execution • The recording, retrieval, and maintenance of current and preceding configurations should be kept under management control to: – Assure correctness, timeliness, integrity, and security • A project baseline represents the status of the project at a fixed point in time or circumstance • Once the project baseline is established, any changes are described in the configuration record and maintained throughout the system lifecycle – Audits may be performed as needed Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 43 The Information Management Process (6.3.6) • The information management process is a formal function that records and maintains information needed to manage a project over its lifecycle – Generates, collects, transforms, retains, retrieves, disseminates, and disposes of all necessary project information • Goal is to provide relevant, timely, complete, and valid information to decision makers • Ensures the form and content of all project information is proper and correct Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 44 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2014 45 Information Management Planning • The organization must identify and classify all relevant information and designate which media to use to capture and store information • The plan must specify the exact procedure used to capture the data kept for each information item – Must stipulate how each item under information management control is developed, inspected, and modified • Information management defines the rights, obligations, and commitments of designated parties for retaining and transmitting information Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 46 Information Management Planning • Information management planning also defines individual access rights for each information item under its control • Other primary drivers of information management planning are: – Legal – Security – Privacy Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 47 Information Management Execution • Once the plan is complete and all responsibilities are assigned: – The project team begins to capture and retain the information identified in the plan • Stored records are maintained according to integrity, security, and privacy requirements established by the planning function • Information can more easily be distributed to all authorized parties by request, by scheduled agreement, or by defined circumstances Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 48 Information Management Execution • To ensure availability: – The medium, location, and protection of information must be ensured and must be compatible with all storage and retrieval requirements • Information management ensures that arrangements are in place to retain necessary documentation after a project ends Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 49 The Measurement Process (6.3.7) • The purpose of the measurement process is to collect, analyze, and report data for an organization’s products and processes – To ensure effective management of processes and to objectively demonstrate product quality – Also ensures all measurement activities are defined • Ensuring consistency of data is important because managers use it to make decisions about all types of project activity Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 50 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2014 51 Measurement Planning • Measurement planning involves the establishment of a standard schedule for each assessment and a defined process for collecting and reporting results • Project measurement uses a defined set of criteria to evaluate the performance of project functions • Outcome of the planning process must be a set of measures for judging elements of a project’s performance – Such as timeliness, security, and fiscal responsibility • Decision makers use information to review and approve resources for each task Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 52 Measurement Performance • The first step in implementing a project measurement process is to develop a formal means of recording relevant data about events in the organization’s environment • The project needs to install procedures for data generation, collection, analysis, and reporting within the relevant project processes • Project measurement involves the collection, storage, and verification of data Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 53 Measurement Evaluation • Measurement evaluation assesses the project and its measurement process – Achieved through benchmark comparisons • Benchmarks capture and record the performance of a target process over time • First step in creating a metrics program based on benchmarks: – To confirm all elements of the project measurement function have been evaluated and document at a certain point in time Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 54 Measurement Evaluation • Documentation should include an overall statement about the standard assessment mechanism for each element under project management control – Should also include a generic testing and review plan to ensure that procedures retain their effectiveness • Once the organization understands the status of all activities: – It can track the performance of the measurement process against prior assessments • Ensures long-term effectiveness of measurements Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 55 Summary • Project management ensures alignment of ICT work with an organization’s goals • Project management integrates a range of management perspectives as well as coordinates and controls all related functions to do the work of an ICT project • Project management plans achieve a logically related set of management objectives • Assessment data supports good decisions, but it is important to know how to provide the proper data to the right people Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 56 Summary • Risk management is essentially built around formal processes to provide information about risk to decision makers • Every risk process must be designed to fit its specific environment • Configuration management is built around maintaining baselines composed of relevant elements of the project or product Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition © Cengage Learning 2015 57
© Copyright 2026 Paperzz