WHO NEEDS DOCUMENTATION ANYWAY?Ales Zivkovic

Agenda Why, who and how much

documentation? Documentation in different SDLCs Documentation from the QA perspective

IT Audits, security audit ISO, CMMI appraisals

Documentation best practices ground rule policy documentation throughout the

project/product lifecycle

Why we need documentation? to support communication

make informed decisions

to minimize risk of staff rotation

enable traceability

Who needs documentation? to support communication

Team (internal, partners, subcontractors) Management (team lead, project manager) Client (technical team, users)

make informed decisions PM, IT director, CEO client's management (project level & company

level) to minimize risk of staff rotation

development team enable traceability

QA team, internal auditors, external auditors

How much documentation? depends on many factors

domain, project (size, type, risks, no. of participants), SDLC, regulatory requirements, organization, etc.

start with more and trim down if not useful

understand the purpose of every document or information container

understand the risks of not having documentation

don't produce documents to justify spending

documentation might be time dependent (during the project, after completion)

SDLC & documentation good process will define project artifacts

provide guidelines on how to tailor (mandatory vs. optional)

different templates for more formal and lean projects

required by the SDLC, but not used not defined in SDLC, but would be useful documentation can be in different form

is burn down chart documentation? information in Jira, Confluence, Trello, etc.

Examples – IBM RUP 9 domains 76 work products

Examples - OpenUP 7 disciplines 29 (only) work products

Examples - SCRUM

Source: Essential SCRUM: A Practical Guide to Most Popular Agile Process

Traditional vs. Agile

Source: http://www.agilemodeling.com/essays/agileDocumentationBestPractices.htm

Documentation & QA Can we do quality assurance without

documentation?

How can we do IT audit without documentation? example: outsourced government project

that went bad

Can we replace team member or vendor without documentation?

Example: IT audit Typical documentation (depends on audit

goals) software requirements specification high level architecture description of the SDLC quality plan, test plan, test data, test

reports change management & configuration

management If efficiency and costs are also evaluated

project plan project data – plan vs. actual quality – technical depth

1205 Evidence

Source: ISACA, ITAF 2nd edition

Example: security audit Typical documentation (depends on the

goals) penetration testing

no documentation required security audit

user manual software requirements specification risk evaluation technical documentation (key security concepts

– encryption, implementation of Access Control List, access controls, etc.)

network schema SDLC

ISO 27001

ISO 27002

CMMI & documentation Model does not specify documents, it

defines goals and practices (specific and generic) specific goal (SG 2) Develop a project plan

A project plan is established and maintained as the basis for managing the project.

Fulfilling goals without any documentation might be difficult.

In some cases CMMI is more specific about the expectations SP 1.1-1 Estimate the scope of the project

Establish a top-level work breakdown structure (WBS) to estimate the scope of the project.

Documentation best practices Documentation is necessary!

How much and when, depends on many factors.

Every company/group should tailor the documentation.

Have a clear policy what can be changed and how.

QUESTIONS?e-mail: ales.zivkovic@vede.si