Group 4 Knowledge in IS/IT processes and standards.


Transcript of Group 4 Knowledge in IS/IT processes and standards.

Page 1: Group 4 Knowledge in IS/IT processes and standards.

Group 4

Knowledge in IS/IT processes and standards

Page 2: Group 4 Knowledge in IS/IT processes and standards.

Group 4 Members
• 951765 吳劉軒 COBIT
• 961633 謝彥敏 ITIL
• 961742 謝泓廷 PCI DSS
• 961716 陳冠嘉 CISSP
• 961748 許逸民 ISMS
• 961717 蕭宇婷 BS 25999
• 961741 江柏緯 ISO/IEC 12207
• 961720 顏伯旭 ISO 20000
• 961747 游原丞 ISO/IEC 38500
• 971715 范雋彥 ISO 15288
• 971704 黃馨儀 CMMI

Page 3: Group 4 Knowledge in IS/IT processes and standards.

COBIT

951765 吳劉軒

Page 4: Group 4 Knowledge in IS/IT processes and standards.

What is COBIT? (Control Objectives for Information and Related Technology)

COBIT is the set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

Page 5: Group 4 Knowledge in IS/IT processes and standards.

IT Governance Focus Areas

Page 6: Group 4 Knowledge in IS/IT processes and standards.

COBIT Principle

Page 7: Group 4 Knowledge in IS/IT processes and standards.

COBIT Cube

Page 8: Group 4 Knowledge in IS/IT processes and standards.

COBIT Package Content

• Executive Summary
• Governance and Control Framework
• Control Objectives
• Management Guidelines
• Implementation Toolset Guide
• IT Assurance Guide

Page 9: Group 4 Knowledge in IS/IT processes and standards.

The Difference Between COBIT and Other IT/IS Standards

• ISO/IEC 27002 (formerly ISO/IEC 17799) is an international standard which provides best-practice advice and guidance on information security. ITIL is a source of best-practice information and processes relating to the delivery of IT as a service.

COBIT and the above standards/frameworks can be used together to achieve process improvement. COBIT does not supply a how-to route map for implementing IT or information security best practices; this is where ISO/IEC 27002 and ITIL come in, supplying best-practice information and processes. COBIT provides the control objectives against which the processes contained in ISO/IEC 27002 and ITIL can be measured and leveraged for process improvement.

Page 10: Group 4 Knowledge in IS/IT processes and standards.

COBIT Structure

COBIT includes 34 IT processes that are grouped into four domains. The four domains are:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Page 11: Group 4 Knowledge in IS/IT processes and standards.

IT Processes Using COBIT_1

Page 12: Group 4 Knowledge in IS/IT processes and standards.

IT Processes Using COBIT_2

Page 13: Group 4 Knowledge in IS/IT processes and standards.

What are the benefits of implementing COBIT?

• A common language for executives, management and IT professionals
• A better understanding of how the business and IT can work together for successful delivery of IT initiatives
• Improved efficiency and optimization of cost
• Reduced operational risk
• Clear policy development
• More efficient and successful audits
• Clear ownership and responsibilities, based on process orientation
• A tool for Sarbanes-Oxley Act compliance

Page 14: Group 4 Knowledge in IS/IT processes and standards.

Certification Institution

• http://www.iiiedu.org.tw/ites/COBIT.htm

• http://edu.uuu.com.tw/

• http://www.isaca.org/

Page 15: Group 4 Knowledge in IS/IT processes and standards.

The Picture Of COBIT License

Page 16: Group 4 Knowledge in IS/IT processes and standards.

ITIL (Information Technology Infrastructure Library)

961633 謝彥敏

Page 17: Group 4 Knowledge in IS/IT processes and standards.

What is ITIL

• ITIL is a set of concepts and practices for IT Service Management (ITSM), IT development and IT operations.

• Developed by the Office of Government Commerce (OGC) in the United Kingdom.

• ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.

Page 18: Group 4 Knowledge in IS/IT processes and standards.

ITIL

• Modularizes the information flows used to manage the IT infrastructure, covering hardware, software, organizational communication, processes, documents and staff.
– Service Desk (Help Desk)
– 10 management processes, grouped into:
• IT Service Support
• IT Service Delivery

Page 19: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 library

• Five volumes comprise ITIL v3, published in May 2007:
– ITIL Service Strategy
– ITIL Service Design
– ITIL Service Transition
– ITIL Service Operation
– ITIL Continual Service Improvement

Page 20: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 process model

Page 21: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 library

Service Strategy

• Provides guidance on the clarification and prioritization of service-provider investments in services.

• Key topics covered include service value definition, business-case development, service assets, market analysis, and service provider types.

Page 22: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 library

Service Design

• Provides good-practice guidance on the design of IT services, processes, and other aspects of the service management effort.

Page 23: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 library

Service Transition

• Related to the delivery of services required by a business into live/operational use, and often encompasses the "project" side of IT rather than "BAU" (Business as usual).

Page 24: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 library

Service Operation

• The part of the lifecycle where the services and their value are actually delivered.

• The monitoring of problems and the balance between service reliability and cost are considered here.

Page 25: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 library

Continual Service Improvement

• Continual Service Improvement aims to align and realign IT services to changing business needs by identifying and implementing improvements to the IT services that support the business processes.

Page 26: Group 4 Knowledge in IS/IT processes and standards.

ITIL v3 Life Cycle

Page 27: Group 4 Knowledge in IS/IT processes and standards.

Certification Institutions

• ITIL Certification Management Board (ICMB)

- EXIN

- ISEB

Page 28: Group 4 Knowledge in IS/IT processes and standards.

Payment Card Industry Data Security Standard (PCI DSS)

961742 謝泓廷

Page 29: Group 4 Knowledge in IS/IT processes and standards.

What is PCI DSS?

1. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise.

2. PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data.

Page 30: Group 4 Knowledge in IS/IT processes and standards.

It comprises six control objectives (principles) and twelve requirements

Page 31: Group 4 Knowledge in IS/IT processes and standards.

1. Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Page 32: Group 4 Knowledge in IS/IT processes and standards.

2. Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Page 33: Group 4 Knowledge in IS/IT processes and standards.

3. Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Page 34: Group 4 Knowledge in IS/IT processes and standards.

4. Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel, including assigning information security responsibilities

Page 35: Group 4 Knowledge in IS/IT processes and standards.

5. Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications

Page 36: Group 4 Knowledge in IS/IT processes and standards.

6. Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
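As an added illustration of the "protect stored cardholder data" and "track and monitor all access to cardholder data" requirements, and not part of the original slides, the Python below scans log lines for primary account numbers (PANs) that should never have been written in the clear, uses the Luhn checksum to filter out ordinary digit runs such as order ids and timestamps, and masks each hit to the first six and last four digits, the most PCI DSS permits to be displayed. The log format, field names and sample lines are constructed for this example; the card numbers are the public card-brand test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# (Constructed pattern for this example; adjust the separators to your log format.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by the card brands; it rejects most random
    digit runs (timestamps, order ids) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits, the maximum
    PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield (raw_match, digits_only) for each Luhn-valid PAN candidate."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            yield m.group(0), digits


def scrub_line(line: str):
    """Return (scrubbed_line, pans_found); the scrubbed line is safe to store."""
    count = 0
    for raw, digits in find_pans(line):
        line = line.replace(raw, mask_pan(digits))
        count += 1
    return line, count


def scrub_log(lines):
    """Scrub every line; return a list of (line_number, scrubbed_line, pans_found)."""
    return [(n, *scrub_line(ln)) for n, ln in enumerate(lines, start=1)]


# Constructed sample log lines (hypothetical format); the card numbers are the
# public brand test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order=1234567890123 card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 12:00:02 order=1234567890124 card=378282246310005 amount=250.00",
    "2024-05-01 12:00:03 login user=alice src=10.0.0.12 result=ok",
    "2024-05-01 12:00:04 refund card=5500-0000-0000-0004 amount=5.00",
]

if __name__ == "__main__":
    for n, scrubbed, found in scrub_log(SAMPLE_LOG):
        flag = "PAN LEAK" if found else "ok"
        print(f"{n}: {flag:8} {scrubbed}")
```

Two caveats a practitioner would want: the pattern takes the longest digit run, so a PAN glued to other digits (for example "…1111-2024") can be skipped because the combined run fails Luhn, and the pattern should be tightened for each log format; and masking is only a display control, since stored PANs must additionally be rendered unreadable (truncation, tokenization or strong cryptography) under Requirement 3.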

Page 37: Group 4 Knowledge in IS/IT processes and standards.

Ways to validate compliance with the standard

1. QSA: Qualified Security Assessor (third-party assessor that performs on-site assessments)

2. ASV: Approved Scanning Vendor (third-party provider of external vulnerability scans)

3. SAQ: Self-Assessment Questionnaire

Page 38: Group 4 Knowledge in IS/IT processes and standards.

Self-Assessment Questionnaire

• A validation tool intended to assist merchants and service providers in self-evaluating their compliance.

Page 39: Group 4 Knowledge in IS/IT processes and standards.

TÜV Rheinland Group is a QSA

Page 40: Group 4 Knowledge in IS/IT processes and standards.

Qualys is an Approved Scanning Vendor (ASV)

Page 41: Group 4 Knowledge in IS/IT processes and standards.

Compliance levels: PCI DSS defines four merchant levels. Which validation method an organization must use depends on its annual transaction volume.

Page 42: Group 4 Knowledge in IS/IT processes and standards.

Certification Institutions

• 1. Payment Card Industry Security Standards Council (PCI SSC).

• 2. The PCI SSC is also responsible for training and qualifying the QSAs and ASVs that validate merchants and service providers.

Page 43: Group 4 Knowledge in IS/IT processes and standards.

Certified Information Systems Security Professional (CISSP)

961716 陳冠嘉

Page 44: Group 4 Knowledge in IS/IT processes and standards.

What is CISSP?

1. CISSP is a certification for information security professionals. The Certified Information Systems Security Professional credential is offered by the International Information Systems Security Certification Consortium, (ISC)².

Page 45: Group 4 Knowledge in IS/IT processes and standards.

What is CISSP?

2. A certification reflecting the qualifications of information systems security practitioners. The CISSP covers topics such as access control systems, cryptography and security management practices.

Page 46: Group 4 Knowledge in IS/IT processes and standards.

What is CISSP?

3. Employers need to protect their assets and their networks, while attackers have evolved into specialized groups of malicious-code writers who spread their code over the internet.

Page 47: Group 4 Knowledge in IS/IT processes and standards.

CISSP ten domains

Page 48: Group 4 Knowledge in IS/IT processes and standards.

CISSP includes ten domains

1. Access Control

– Mechanisms that determine which subjects (users, processes) may access which resources, and that enforce that decision.

2. Application Development Security

– Application security encompasses measures taken throughout the application's life cycle to prevent exceptions to the security policy of an application or the underlying system (vulnerabilities) arising from flaws in the design, development or maintenance of the application.

3. Business Continuity and Disaster Recovery Planning

– Ensures that the enterprise can continue to operate after a disaster and shortens the business interruption that follows it.

Page 49: Group 4 Knowledge in IS/IT processes and standards.

CISSP includes ten domains

4. Cryptography

– Modern cryptography intersects the disciplines of mathematics, computer science and engineering. Applications of cryptography include ATM cards, computer passwords and electronic commerce.

5. Information Security Governance & Risk Management

– How an organization manages its information security comprehensively so that its information is properly protected.

– Risks can come from uncertainty in financial markets, project failures, credit risk, accidents, natural causes and disasters, as well as deliberate attacks by an adversary.

Page 50: Group 4 Knowledge in IS/IT processes and standards.

CISSP includes ten domains

6. Legal, Regulations, Investigations and Compliance

– Advising the company on laws, regulations and other legal obligations, and training staff accordingly.

Include (1)Major Legal Systems

(2)Common and Civil Law

(3)Regulations, Laws and Information Security

7.Operations Security

– Operations security is a process that identifies critical information to eliminate or reduce adversary exploitation of friendly critical information.

Page 51: Group 4 Knowledge in IS/IT processes and standards.

CISSP include ten domains8.Physical (Environmental) Security

– Physical security can be as simple as a locked door or as elaborate as multiple layers of armed Security guards and Guardhouse placement.

9. Security Architecture and Design

– A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical grounding at all.

10. Telecommunications and Network Security

– Includes (1) the concepts of network security and risk, (2) business goals and network security.

Page 52: Group 4 Knowledge in IS/IT processes and standards.

CISSP information security development cycle

Page 53: Group 4 Knowledge in IS/IT processes and standards.

Five steps to become a certified CISSP

1. Examination
2. Certification
3. Endorsement
4. Audit
5. Maintenance Requirements

Page 54: Group 4 Knowledge in IS/IT processes and standards.

Certified Organization

(ISC)² is a leading information security certification body. It was founded in 1989 and has now awarded certifications to more than 50,000 security professionals in more than 120 countries. (ISC)² currently offers the following six certifications:

Page 55: Group 4 Knowledge in IS/IT processes and standards.

Certified Organization

1. SSCP (Systems Security Certified Practitioner)

2. CAP (Certification and Accreditation Professional)

3. CISSP (Certified Information Systems Security Professional)

4. CISSP-ISSAP, a CISSP concentration (Information Systems Security Architecture Professional)

5. CISSP-ISSMP (Information Systems Security Management Professional)

6. CISSP-ISSEP (Information Systems Security Engineering Professional)

Page 56: Group 4 Knowledge in IS/IT processes and standards.

ISO 27000-series -- Information security management systems (ISMS)

961748 許逸民

Page 57: Group 4 Knowledge in IS/IT processes and standards.

What is ISO 27000-series

• The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization(ISO) and the International Electrotechnical Commission (IEC).

• The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS).

Page 58: Group 4 Knowledge in IS/IT processes and standards.

ISMS implementation and certification process flowchart

Page 59: Group 4 Knowledge in IS/IT processes and standards.

ISO/IEC 27003

• Full name: ISO/IEC 27003 — Information security management system implementation guidance

• The purpose of ISO/IEC 27003 is to provide help and guidance in implementing an ISMS (Information Security Management System).

Page 60: Group 4 Knowledge in IS/IT processes and standards.

How to implement an ISMS

1. Obtaining management approval for initiating an ISMS project. (Chapter 5 in ISO/IEC 27003)

2. Defining ISMS scope, boundaries and ISMS policy. (Chapter 6)

3. Conducting information security requirements analysis. (Chapter 7)

4. Conducting risk assessment and planning risk treatment. (Chapter 8)

5. Design the ISMS. (Chapter 9)

Page 61: Group 4 Knowledge in IS/IT processes and standards.

1.Obtaining management approval for initiating an ISMS project

• Clarify the organization’s priorities to develop an ISMS.

• Define the preliminary ISMS scope.

• Create the business case and the project plan for management approval.

Page 62: Group 4 Knowledge in IS/IT processes and standards.

2.Defining ISMS scope, boundaries and ISMS policy

• Define organizational scope and boundaries.

• Define information and communication technology (ICT) scope and boundaries.

• Define physical scope and boundaries.

• Integrate each scope and boundary to obtain the ISMS scope and boundaries.

• Develop the ISMS policy and obtain approval from management.

Page 63: Group 4 Knowledge in IS/IT processes and standards.

3.Conducting information security requirements analysis

• Define information security requirements for the ISMS process.

• Identify assets within the ISMS scope.

• Conduct an information security assessment.

Page 64: Group 4 Knowledge in IS/IT processes and standards.

4.Conducting risk assessment and planning risk treatment

• Conduct risk assessment.

• Select the control objectives and controls .

• Obtain management authorization for implementing and operating an ISMS.

Page 65: Group 4 Knowledge in IS/IT processes and standards.

5.Design the ISMS

• Design organizational information security.

• Design ICT and physical information security.

• Design ISMS specific information security.

• Produce the final ISMS project plan.

Page 66: Group 4 Knowledge in IS/IT processes and standards.

ISO/IEC 27001

• Full name: ISO/IEC 27001 — Information security management systems — Requirements

Page 67: Group 4 Knowledge in IS/IT processes and standards.

ISO 27001 Audit Process

Stage 1: Informal review of the ISMS

Stage 2: Formal compliance audit

Stage 3: Follow-up reviews

Page 68: Group 4 Knowledge in IS/IT processes and standards.

Audit Process: Stage1

• Stage 1 is a preliminary review of the ISMS.

• This stage serves to familiarize the auditors with the organization.

Page 69: Group 4 Knowledge in IS/IT processes and standards.

Audit Process: Stage2

• Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001.

• Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.

Page 70: Group 4 Knowledge in IS/IT processes and standards.

Audit Process: Stage3

• Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard.

• Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually.

Page 71: Group 4 Knowledge in IS/IT processes and standards.

ISMS Certification/Consulting

• Certification: Bureau of Standards, Metrology & Inspection, M.O.E.A., R.O.C.

• Consulting:
– CHYUN-HUNG INTERNATIONAL BUSINESS CO., LTD.
– ETBEST INTERNATIONAL Co. Ltd.

Page 72: Group 4 Knowledge in IS/IT processes and standards.

BS 25999 Business Continuity Management

Reference number BS 25999-2:2007

©BSI 2007

961717 蕭宇婷

Page 73: Group 4 Knowledge in IS/IT processes and standards.

What is BS 25999?

Definition:

BS 25999 is British Standards Institution's standard in the field of Business Continuity Management. The standard establishes the process, principles and terminology of BCM.

Page 74: Group 4 Knowledge in IS/IT processes and standards.

BS 25999(I)

1. BS 25999 aims to:

① Provide a basis for understanding business continuity management.

② Provide a means of measurement that is consistent and recognized.

③ Provide a system based on established good practice.

Page 75: Group 4 Knowledge in IS/IT processes and standards.

BS 25999(II)

2. BS 25999 comprises two parts.

① The first part (BS 25999-1:2006) was published by the British Standards Institution in December 2006.

② The second part (BS 25999-2:2007) was published in November 2007.

Page 76: Group 4 Knowledge in IS/IT processes and standards.

BS 25999-1:2006

a. The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.

Page 77: Group 4 Knowledge in IS/IT processes and standards.

BS 25999-2:2007

b. The second, "BS 25999-2:2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.

Page 78: Group 4 Knowledge in IS/IT processes and standards.

PLAN-DO-CHECK-ACT model

Page 79: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(I)

1. Planning the Business Continuity Management System.(PLAN)

• The first step requires that the organization defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined.

• Also establish business targets, controls, processes and procedures.

Page 80: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(II)

2. Implementing and Operating the BCMS. (DO)

• Developing and implementing the BCM response, including the incident management structure, incident management plans and business continuity plans.

• Exercising, maintaining and reviewing the BCM arrangements.

Page 81: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(III)

3. Monitoring and Reviewing the BCMS. (CHECK)

• To ensure that the BCMS is continually monitored, the Check stage covers internal audit and management review of the BCMS.

a. Internal Audit

• If the organization already has an internal audit function, it may make sense to use the processes and procedures already in place.

• Personnel not specifically trained in business continuity may also be used, since internal audit should be an objective process.

Page 82: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(IV)

b. Management Review

• Management review would ordinarily be an annual exercise involving review of internal and external audit activity, resources and other inputs and outputs.

• The overall objective of the management review is to determine whether the BCMS continues to meet the organization's needs.

• A management review may also take place in light of significant organizational change.

Page 83: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(V)

4. Maintaining and Improving the BCMS. (ACT)

• To ensure that the BCMS is both maintained and improved on an ongoing basis, this step looks at preventative and corrective action.

• The standard requires that organizations continually improve the general effectiveness of the BCMS with a mixture of both preventative and corrective actions.

Page 84: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(VI)

• Preventative and corrective actions are identified by a range of activities such as audits, event analysis or management reviews.

• They have to be formally recorded and acted upon and these records held for inspection.

Page 85: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(VII)

• Exercising, maintenance, audit and self-assessment of the BCM culture.

• Without testing the BCM response an organization cannot be certain that they will meet their requirements.

• Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organizations goals.

Page 86: Group 4 Knowledge in IS/IT processes and standards.

The Process of BS 25999-2:2007(VIII)

Conclusion:

The general requirement of the standard is that the organization develops, implements, maintains and improves a business continuity management system in line with the familiar PLAN-DO-CHECK-ACT model.

Page 87: Group 4 Knowledge in IS/IT processes and standards.

ISO/IEC 12207 Software life cycle processes

961741 江柏緯

Reference number: ISO/IEC 12207:2008

©ISO 2008

Page 88: Group 4 Knowledge in IS/IT processes and standards.

What is ISO/IEC 12207?

Definition

ISO 12207 is an ISO standard for software lifecycle processes. It aims to be the standard that defines all the tasks required for developing and maintaining software.

Page 89: Group 4 Knowledge in IS/IT processes and standards.
Page 90: Group 4 Knowledge in IS/IT processes and standards.

Five Processes of ISO/IEC 12207

1. Acquisition Process

2. Supply Process

3. Development Process

4. Operation Process

5. Maintenance Process

Page 91: Group 4 Knowledge in IS/IT processes and standards.
Page 92: Group 4 Knowledge in IS/IT processes and standards.

Acquisition Process (I)

① Start acquisition:

The need to acquire, develop or enhance a product is described; system requirements are defined and approved, if applicable; other options, such as purchase of an off-the-shelf product or enhancement of an existing product, are evaluated; ……

Page 93: Group 4 Knowledge in IS/IT processes and standards.

Acquisition Process (II)

② Request for proposal preparation:

③ Prepare contract: a selection procedure for suppliers is developed; suppliers are selected according to that procedure; the tailored ISO/IEC 12207 standard must be included in the contract.

Page 94: Group 4 Knowledge in IS/IT processes and standards.

Acquisition Process (III)

④ Negotiate changes: negotiations are held with the selected suppliers.

⑤ Update contract: the contract is updated with the results of the negotiations in the previous activity.

⑥ Supplier monitoring: the suppliers' activities are monitored against the agreements made.

⑦ Acceptance and completion

Page 95: Group 4 Knowledge in IS/IT processes and standards.

Supply Process

① In the supply phase a project management plan is developed.

② This plan contains information about the project, such as the milestones that need to be reached.

③ The project management plan is needed during the next phase, the development phase.

Page 96: Group 4 Knowledge in IS/IT processes and standards.

Development Process (I)

① Define software requirements: Gather the software requirements, or demands, for the product that is to be created.

② Create High level design: A basic layout of the product is created

③ Create Module design:

Page 97: Group 4 Knowledge in IS/IT processes and standards.

Development Process (II)

④ Coding: the code is written according to the high-level design and the module design.

⑤ Execute module test: the individual modules are tested for correct functioning.

⑥ Execute integration test: the communication between modules is tested for correct functioning.

⑦ Execute system test: this test checks whether all software requirements are present in the product.

Page 98: Group 4 Knowledge in IS/IT processes and standards.

Operation & Maintenance Process

① The operation-phase consists of activities like assisting users in working with the created software product

② The maintenance-phase consists of maintenance-tasks to keep the product up and running.

Page 99: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 - Information Technology Service Management

961720 顏伯旭

Page 100: Group 4 Knowledge in IS/IT processes and standards.

What is ISO/IEC 20000?

ISO/IEC 20000 is the first worldwide standard specifically aimed at IT Service Management. It describes an integrated set of management processes for the effective delivery of services to the business and its customers.

ISO/IEC 20000 is aligned with and complementary to the process approach defined within ITIL from the Office of Government Commerce (OGC).

ISO/IEC 20000 consists of two parts:

1. ISO/IEC 20000-1:2005

2. ISO/IEC 20000-2:2005

Page 101: Group 4 Knowledge in IS/IT processes and standards.

ISO / IEC 20000-1:2005

ISO/IEC 20000-1:2005 is the formal specification and defines the requirements for an organisation to deliver managed services of an acceptable quality for its customers. The scope includes:

• Requirements for a management system;
• Planning and implementing service management;
• Planning and implementing new or changed services;
• Service delivery processes;
• Relationship processes;
• Resolution processes;
• Control processes; and
• Release processes.

Page 102: Group 4 Knowledge in IS/IT processes and standards.

ISO / IEC 20000-2:2005

ISO / IEC 20000-2:2005 is the Code of Practice and describes the best practices for Service Management processes within the scope of ISO / IEC 20000-1. The code of Practice will be of particular use to organisations preparing to be audited against ISO / IEC 20000 or planning service improvements.

Page 103: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Service Management Processes

Page 104: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Service Management Processes(2)

ISO 20000 defines 13 processes in five groups (service delivery, relationship, resolution, control and release), with emphasis on continual improvement.

Service delivery

- Service level management -To negotiate Service Level Agreements with the customers and to design services in accordance with the agreed service level targets. Service Level Management is also responsible for ensuring that all Operational Level Agreements and Underpinning Contracts are appropriate, and to monitor and report on service levels.

- Capacity management-To ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service level targets in a cost effective and timely manner. Capacity Management considers all resources required to deliver the IT service, and plans for short, medium and long term business requirements.

Page 105: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Service Management Processes(3)

- Continual service improvement - The service management system is planned, implemented and improved in a continuous "plan, do, check, act" loop, so that the effectiveness of monitoring and of the management system keeps improving; this PDCA cycle is consistent with quality-management principles.

- Security Management - Includes the security controls that are implemented and maintained to address the impact and likelihood of incidents at various stages. Services are planned to identify, control and protect assets used in connection with the storage, transmission and processing of information.

- Budgeting & Accounting - To manage the service provider's budgeting, accounting and charging requirements.

- Service continuity and availability management - To ensure that agreed service continuity and availability commitments to customers can be met in all circumstances.

Page 106: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Service Management Processes(4)

-Service reporting-

Control

-Change Management- One of the ITIL processes; change management controls and manages IT-related changes so that their impact on the production environment and the associated risk are minimized, improving the overall stability of the IT environment.

-Configuration Management- One of the ITIL processes; configuration management is responsible for describing, tracking and reporting on every device or system in the IT infrastructure. These devices and systems are called configuration items (CIs). Each CI is managed, tracked and controlled so that the company's IT infrastructure services run successfully.

Page 107: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Service Management Processes(5)

Release

-Release Management One of ITIL processes, release management through standardized

methods and procedures, planning and monitoring of new services (including software and hardware) of the deployment and release process, improve the success rate of on-line and reduce the possible problems and risks.

Resolution

- Incident Management - One of the ITIL processes. Incident Management is responsible for handling IT incidents and user requests. It is designed to restore interrupted or affected IT services as quickly as possible; its purpose is to deal with the symptoms of the phenomenon rather than to find the root cause.

Page 108: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Service Management Processes(6)

- Problem Management - One of the ITIL processes. Problem management is responsible for resolving major incidents and groups of incidents that share the same symptoms. Its purpose is to identify the root causes of incidents and to remove them so that similar incidents do not happen again. The problem management process is also responsible for preventing incidents.

Relationship

- Supplier Management - To ensure that all contracts with suppliers support the needs of the business, and that all suppliers meet their contractual commitments.

- Business Relationship Management - To decide on a strategy to serve customers, and to develop the service provider's offerings and capabilities.

Page 109: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process

Page 110: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process (step1)

Step 1 - Prepare

• Know the meaning of the certification

• Determine the scope of the IT Service Management certification

• Establish the vision; decide the aspects and the order of the Service Management Improvement

• Determine the expected gains from each part

• Understand the complete content of the certification and its effect on the individual and the organization

• Access to information: exchange experiences with similar organizations and consult with consultants, training providers and forums

• Get the support of senior managers

• Acquire knowledge of ITIL and ISO 20000

• Choose a certification agency and confirm the scope of the audit

Page 111: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process (step2)

Step 2 - Initial assessment and plan development

• Carry out a preliminary assessment and gap analysis; determine the areas of improvement; manage the risk in the certification process.

• Formulate an overall plan; get the support and commitment of the related parties.

Page 112: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process (step3)

Step 3 - Narrow the gap

• Establish a Service Management Improvement Plan (using PDCA)

• Assess the organization against ISO 20000 (Service Management Specification)

• Use ISO 20000 and ITIL to develop the service management policies, processes and procedures

• Implement the service management processes

• Periodic inspection and review

What is PDCA?

P (Plan), D (Do), C (Check), A (Action)

Page 113: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process (step4)

Step 4 - Prepare for the certification audit

• If necessary, contact the certification agency to carry out the internal audit and schedule the formal review

• Fully exchange opinions with the certification agency to establish a common understanding of the scope and the content of the audit

• Prepare the "evidence" for the audit, for example documentation and records

Page 114: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process (step5)

Step 5 - Certification audit

A typical certification audit includes:

• Provision of the reference and the scope of the audit

• Assessment of the documentation and processes (off-site)

• Audit of staff and processes (on-site)

• Statement of the audit results

If the system meets the ISO 20000 system requirements, the certification agency issues the ISO 20000 certification statement and awards the certificate.

Page 115: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Verification process (step6)

Step 6 - Maintain

The certification is valid for three years, so a comprehensive certification audit is needed every three years. Every year the certification agency carries out a "supervisory audit" (surveillance audit) to ensure the quality of the certification and the continuous improvement of service management.

Page 116: Group 4 Knowledge in IS/IT processes and standards.

ISO 20000 Certification Award

Page 117: Group 4 Knowledge in IS/IT processes and standards.

Certification Institutions

BSI

BSI is a leading global provider of standards, management systems, business improvement and regulatory approval information.

Page 118: Group 4 Knowledge in IS/IT processes and standards.

ISO/IEC 38500

Corporate Governance of Information Technology standard

961747 游原丞

Reference number: ISO/IEC 38500:2008(E)

© ISO/IEC 2008

Page 119: Group 4 Knowledge in IS/IT processes and standards.

What is ISO/IEC 38500?

Corporate governance of information technology standard. It provides a framework for effective governance of IT to assist organizations to understand and fulfil their legal, regulatory, and ethical obligations in respect of their organizations' use of IT.

Page 120: Group 4 Knowledge in IS/IT processes and standards.

Objectives

Provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of IT in their organizations.

Assuring stakeholders that they can have confidence in the organization's corporate governance of IT

Informing/guiding Directors in governing the use of IT in their organization

Providing a basis for objective evaluation of the corporate governance of IT

Also intended to guide those involved in designing and implementing the management system of those policies and processes that support governance.

Page 121: Group 4 Knowledge in IS/IT processes and standards.

Framework for Good Corporate Governance of IT

Principles guide decision making (what should happen). There are 6 principles for good corporate governance of IT:

1. Responsibility

2. Strategy

3. Acquisition

4. Performance

5. Conformance

6. Human Behavior

Page 122: Group 4 Knowledge in IS/IT processes and standards.

The six principles (1)

Principle 1: Responsibility

Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT.

Principle 2: Strategy

The organization’s business strategy takes into account the current and future capabilities of IT.

Principle 3: Acquisition

IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making.

Page 123: Group 4 Knowledge in IS/IT processes and standards.

The six principles (2)

Principle 4: Performance

IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.

Principle 5: Conformance

IT complies with all mandatory legislation and regulations.

Principle 6: Human Behavior

IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the ‘people in the process’.

Page 124: Group 4 Knowledge in IS/IT processes and standards.

Model

Model for Corporate Governance of IT

Directors should govern IT through three main tasks:

a) Evaluate the current and future use of IT.

b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.

c) Monitor conformance to policies, and performance against the plans.

Page 125: Group 4 Knowledge in IS/IT processes and standards.

Evaluate

Directors should examine and make judgment on the current and future use of IT.

Directors should consider the external or internal pressures acting upon the business, such as technological change, economic and social trends, and political influences.

Directors should undertake evaluation continually, as pressures change.

Directors should take account of both current and future business needs.

Page 126: Group 4 Knowledge in IS/IT processes and standards.

Direct

Directors should assign responsibility for, and direct preparation and implementation of plans and policies.

Directors should ensure that the transition of projects to operational status is properly planned and managed.

Directors should encourage a culture of good governance of IT in their organization by requiring managers to provide timely information, to comply with direction and to conform with the six principles of good governance.

If necessary, directors should direct the submission of proposals for approval to address identified needs.

Page 127: Group 4 Knowledge in IS/IT processes and standards.

Monitor

Directors should monitor, through appropriate measurement systems, the performance of IT. They should reassure themselves that performance is in accordance with plans, particularly with regard to business objectives.

Directors should also make sure that IT conforms with external obligations (regulatory, legislation, common law, contractual) and internal work practices.

Page 128: Group 4 Knowledge in IS/IT processes and standards.

Guidance for the corporate governance of IT

Principle 1: Responsibility

a. Evaluate

Directors should evaluate the options for assigning responsibilities in respect of the organization’s current and future use of IT.

b. Direct

Directors should direct that plans be carried out according to the assigned IT responsibilities.

c. Monitor

Directors should monitor that appropriate IT governance mechanisms are established.

Page 129: Group 4 Knowledge in IS/IT processes and standards.

Guidance for the corporate governance of IT (cont.)

Principle 2: Strategy

a. Evaluate

Directors should evaluate developments in IT and business processes to ensure that IT will provide support for future business needs.

b. Direct

Directors should direct the preparation and use of plans and policies that ensure the organization does benefit from developments in IT.

c. Monitor

Directors should monitor the progress of approved IT proposals to ensure that they are achieving objectives in required timeframes using allocated resources.

Page 130: Group 4 Knowledge in IS/IT processes and standards.

Guidance for the corporate governance of IT (cont.)

Principle 3: Acquisition

a. Evaluate

Directors should evaluate options for providing IT to realize approved proposals, balancing risks and value for money of proposed investments.

b. Direct

Directors should direct that IT assets (systems and infrastructure) be acquired in an appropriate manner.

c. Monitor

Directors should monitor IT investments to ensure that they provide the required capabilities.

Page 131: Group 4 Knowledge in IS/IT processes and standards.

Guidance for the corporate governance of IT (cont.)

Principle 4: Performance

a. Evaluate

Directors should evaluate the risks to continued operation of the business arising from IT activities.

b. Direct

Directors should ensure allocation of sufficient resources so that IT meets the needs of the organization, according to the agreed priorities and budgetary constraints.

c. Monitor

Directors should monitor the extent to which IT does support the business.

Page 132: Group 4 Knowledge in IS/IT processes and standards.

Guidance for the corporate governance of IT (cont.)

Principle 5: Conformance

a. Evaluate

Directors should regularly evaluate the organization’s internal conformance to its system for Governance of IT.

b. Direct

Directors should direct that all actions relating to IT be ethical.

c. Monitor

Directors should monitor IT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive, and suitable for the evaluation of the extent of satisfaction of the business.

Page 133: Group 4 Knowledge in IS/IT processes and standards.

Guidance for the corporate governance of IT (cont.)

Principle 6: Human Behavior

a. Evaluate

Directors should evaluate IT activities to ensure that human behaviors are identified and appropriately considered.

b. Direct

Directors should direct that IT activities are consistent with identified human behavior.

c. Monitor

Directors should monitor IT activities to ensure that identified human behaviors remain relevant and that proper attention is given to them.

Page 134: Group 4 Knowledge in IS/IT processes and standards.

ISO 15288

The System Life Cycle Process standard for the 21st century

971715 范雋彥

Page 135: Group 4 Knowledge in IS/IT processes and standards.

Key business domains

• Aerospace

• Telecommunications

• Transportation systems

• Military systems

• Ship building

• Finance and Administrative systems

• Information Technology systems

Page 136: Group 4 Knowledge in IS/IT processes and standards.

ISO 15288 Scope

• ISO/IEC 15288 establishes a common framework for describing the life cycle of systems created by humans. It defines a set of processes and associated terminology. These processes can be applied at any level in the hierarchy of a system’s development.

Page 137: Group 4 Knowledge in IS/IT processes and standards.

Use of ISO 15288

• Acquisition model

• Supplier management

• Supply model

• Development

• Risk reduction

• Organizational development

• Professional development

• Process improvement program

Page 138: Group 4 Knowledge in IS/IT processes and standards.

Example of life cycle stages, objectives and decisions

Page 139: Group 4 Knowledge in IS/IT processes and standards.

Concept

• The outcomes of the concept stage should provide:

1. identification of new system concepts;

2. assessment of system concepts and solutions (including enabling systems);

3. stakeholder requirements preparation and baselining (technical and usability);

4. specifications for the selected system concept;

5. identification of the enabling systems infrastructure.

Page 140: Group 4 Knowledge in IS/IT processes and standards.

Development

• The Development stage is based on the refined objectives and requirements from the previous stage. During this stage the system software and hardware, computers, personnel, production capability, training, support and facilities are determined, analysed, designed, fabricated, integrated, tested and evaluated.

Page 141: Group 4 Knowledge in IS/IT processes and standards.

Production

• During this stage the system product will be (individually or mass) produced. The product may go through redesigns and enhancements.

• The Production stage starts with the approval to produce the system product for the acquirer or the market. It may continue through the remainder of the life cycle. The purpose is to produce the system product(s) and the enabling system products. In addition, it aims to store, deliver, and install the product(s) as needed by acquirer /market.

Page 142: Group 4 Knowledge in IS/IT processes and standards.

Utilization

• This stage includes the processes involved in the use of the system's products in order to provide services, monitor performance and identify and report anomalies. The response to the problems may range from no action through to minor changes, major (permanent) modifications, and end-of-life retirement.

• The purpose of this stage is to operate and use the system products and services within specified environments and to ensure constant operational effectiveness.

Page 143: Group 4 Knowledge in IS/IT processes and standards.

Support

• This stage includes operating the support system and providing support services to users of the operational system, monitoring performance of the support system and services and reporting of anomalies, failures and deficiencies.

• The purpose of this stage is to provide logistics, maintenance and support services to ensure sustained system operation and suitable service.

Page 144: Group 4 Knowledge in IS/IT processes and standards.

Retirement

• The purpose is to remove the system and related operational and support services and to operate and support the retirement system.

Page 145: Group 4 Knowledge in IS/IT processes and standards.

CMMI

Capability Maturity Model Integration

971704 黃馨儀

Date: 2010/05/30

Page 146: Group 4 Knowledge in IS/IT processes and standards.

What is Capability Maturity Model Integration? (CMMI)

Definition

• A process improvement approach.

• Helping organizations improve their performance.

• Guiding process improvement across a project, a division, or an entire organization.

Page 147: Group 4 Knowledge in IS/IT processes and standards.
Page 148: Group 4 Knowledge in IS/IT processes and standards.

CMMI Staged Maturity Levels

• Level 1 – Initial: The software process is characterized as ad hoc, and occasionally even chaotic.

• Level 2 – Repeatable: Basic project management processes are established to track cost, schedule, and functionality.

Page 149: Group 4 Knowledge in IS/IT processes and standards.

CMMI Staged Maturity Levels

• Level 3 – Defined: An approved, tailored version of the organization's standard software process is used for developing and maintaining software.

• Level 4 – Managed: Detailed measures of the software process and product quality are collected.

Page 150: Group 4 Knowledge in IS/IT processes and standards.

CMMI Staged Maturity Levels

• Level 5 – Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from innovative ideas and technologies.

Page 151: Group 4 Knowledge in IS/IT processes and standards.
Page 152: Group 4 Knowledge in IS/IT processes and standards.

The Model of CMMI Staged

• The model has several nested components.

• It is described below with the help of an example from the Requirements Management process area.

Page 153: Group 4 Knowledge in IS/IT processes and standards.

CMMI Staged Model

Page 154: Group 4 Knowledge in IS/IT processes and standards.

CMMI Implementation Steps

• 1. Secure Sponsorship and Funding. – Ensure that your process improvement program has a senior management sponsor and funding.

• 2. Take Core Training. – To understand the basic concepts of the CMMI Product Suite, attend the appropriate CMMI, Version 1.2 course.

Page 155: Group 4 Knowledge in IS/IT processes and standards.

CMMI Implementation Steps

• 3. Prepare Your Organization for Change. – Treat process improvement as a project. Establish the business reasons and the business goals for the effort.

• 4. Form a Process Group. – This group coordinates process improvement activities across the enterprise and exists for the duration of the process improvement activity.

Page 156: Group 4 Knowledge in IS/IT processes and standards.

CMMI Implementation Steps

• 5. Know Where You Are. – Determine how your processes compare to CMMI model practices using an ARC Class C compliant appraisal method.

• 6. Know Where You Are Going. – Using the same format as the picture of where you are, create a picture of where you want to be.

Page 157: Group 4 Knowledge in IS/IT processes and standards.

CMMI Implementation Steps

• 7. Communicate and Coordinate. – Share the plan with everyone who will be affected and listen to their comments.

• 8. Track Your Progress. – Compare the picture of where you are to the one of where you want to be. The difference is the focus of your process improvement program.
