Project Success Factors when using System Development Life Cycle
IT Symposium, October 2015
By Edward M. Dennis
Project Success Factors when using System Development Life Cycle
Introduction (slide 3-6)
Thank You
What IT costs
In the mid-1960s, IT accounted for less than five percent of American capital expenditures (Carr, 2003).
At the turn of the century, nearly 50 percent of capital expenditures went to IT (Carr, 2003).
In 2012 and 2013, IT expenditures totaled 3.5 trillion worldwide (Gartner, 2013).
Over the next five years this will go up 2.1, 3.7, 3.8, 3.4, and 3.2 percent respectively (Gartner, 2013).
Zachman
John Zachman - relationship between following a lifecycle framework and success (Zachman, 1987)
Classical engineering – construction of buildings, roads and bridges (Zachman, 1987)
Classic engineering lifecycle process: Requirements; Design with innovation; Reliability (testing); Implementation; Use and eventual destruction (Spector, A. and D. Gifford, 1986).
Bridges to nowhere
The Standish Group and CHAOS
1994 - 69 percent reached O&M
2012 – 82 percent reached O&M
Success = on time, within budget and met requirements
Rank  Standish Report 1994             Standish Report 2013          2015 Survey of Participants
1     User involvement                 Executive management support  Skilled resources
2     Executive management support     User involvement              User, customer involvement
3     Clear statement of requirements  Clear business objectives     Agile process
4     Proper planning                  Emotional maturity            Tools and infrastructure
5     Realistic expectations           Optimizing scope              Clear business objectives
6     Smaller project milestones       Agile process                 Project management expertise
7     Competent staff                  Project management expertise  Team member maturity
8     Ownership                        Skilled resources             Project execution based plan
9     Clear vision and objectives      Execution                     Executive management support
10    Hard-working, focused staff      Tools and infrastructure      Optimization of scope
All respondents results
[Chart: proportion of projects by category - O&M, on time, in budget, met requirements, successful; vertical axis 0 to 0.9]
Survey
Role in IT
Level in education
Certifications
Experience in IT and in this position
Experience on team
Types of projects
Use of life cycle, lifecycles used, and project management training
Number of projects, on time, within budget, success, met requirements, and scope creep
Success from development life cycle and project management training
[Chart: percentage of projects by category - O&M, on time, in budget, met requirements, successful; vertical axis 0% to 100%; series: Using Dev Life Cycle, No Dev Life Cycle, Training in dev Cycle, Training in PM]
Conclusions
Success factors: Development Lifecycle and training in Project Management
These two aspects ranked in the top 2 in every category
Lifecycles and project management do affect project success
Life cycles
Troubleshooting: Defining the problem; Testing and research; Gather information; Analysis; Implement fix; Did it resolve problem
Quality: Brainstorm possible problems; Define problem to resolve; Brainstorm solutions; Analyze solutions; Implement solution; Did it resolve problem
System or Software Development Lifecycle: Planning; Requirements; Design; Implementation; Test; Deployment; Operations and Maintenance
SDLC and NIST
Zachman Model
Waterfall
Project planning – overview of project – determining goals
System analysis – requirements, goals of project
System design – features, detailed operation, business case, process
Implementation – writing code
Integrate and test – testing environment – test interoperability, resolve issues
Acceptance and deployment – production
Maintenance
Decommission
Secure development life cycle
Planning Requirements Design Implementation Test Deployment Operations and Maintenance
Planning
Who – representatives from all stakeholders
What business strategies take priority
Budget
When is the deadline for the project to be accomplished
Where in my network architecture will this reside
Develop the system by analyzing and meeting the mission or business need of the information system using available and cost-effective technologies
Security requirements dictate technologies needed to protect system information
Assess risk of project planned
Define scope
Present to stakeholders/management for concurrence
Requirements
Defining system requirements
Defining security requirements
Account management and access control
Information flow
System use parameters
Verify requirements fall within scope (avoid scope creep)
Information input and output restrictions
Estimated cost of implementation
Compliance with regulations and policies
Keep stakeholders/management informed (concurrence)
Scope Creep
Process by which the project grows beyond its original requirements, function or feature
Properly documented and agreed-upon requirements
Can cause cost and time overruns
Need for good stakeholder communications
Clearly defined scope of work
Work process breakdown
Written agreement on scope (requirements, function, and features)
Understood, collaborated, defined, agreed upon, and cost effective
Design
Necessary documentation
Hardware and software redundancy
Risk assessment and analysis
Mitigating security controls documented
Data requirements and protection
Planning and basic testing of code and applications
Open source or COTS
Application and Operating system hardening
Keep stakeholders/management informed (concurrence)
Beware of scope creep
Implementation
System builds and software installation
Vulnerability Management
System and application scanning
Penetration testing where applicable
Verify requirements are met
Verify compliance with regulations and policies
Contingency planning
Risk assessment and Privacy Impact
Documentation of Standard Operating Procedures and Processes
Keep stakeholders/management informed (concurrence)
Test
User testing
Functionality
Test backup and restore processes
Update documentation
User training
Vulnerability Management
System and application scanning
Penetration testing where applicable
Deployment
Set up change management process
Set up configuration management process
System and user monitoring plan
Auditing of security logs
Security Event and Incident Management
Vulnerability Management Plan
Risk Management
Stakeholder acceptance/Authorization to proceed
Feedback/concerns, requirements met, Communications Plan
Operations and Maintenance
Periodic Change Control Board Meetings
Change and configuration Control Plan
Periodic Vulnerability Scanning
Vulnerability Management Plan
Contingency Plan updates and periodic test
Maintenance of Standard Operating Procedures
SANS Critical Top 20 Security Controls
Controls of Interest (Top 4+):
• 1. Inventory of Authorized and Unauthorized Devices
• 2. Inventory of Authorized and Unauthorized Software
• 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• 4. Continuous Vulnerability Assessment and Remediation
• 5. Malware Defenses
• 12. Controlled Use of Administrative Privileges
Software Development Best practices
Development test and production on separate systems and networks
VMs, NAT, ACLs
Software Development library
Retrieve to update
Update and put back in library
Do not hold on developer system
Restrict access to production
Software release Process (controlled)
Application Scanning
Test and scan before release
Mitigate vulnerabilities
Industry Standards and Best Practices
Source: http://www.servicecatalog.dts.ca.gov/services/professional/security/docs/3117_network_architecture_standard.pdf
Source: OWASP Cheat Sheets
Secure Development Lifecycle
Source: http://www.microsoft.com/en-us/SDL/adopt/tools.aspx
Building Security in SDLC DHS Guidance – Improve Security and Software Assurance
https://buildsecurityin.us-cert.gov/
DHS Guidance – Secure Coding Sites and Training
https://buildsecurityin.us-cert.gov/resources/secure-coding-sites
Microsoft Trustworthy Computing Initiative
http://www.microsoft.com/en-us/twc/
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Page
(ISC)2® – Top 10 Best Practices for Secure Software Development
https://www.isc2.org/uploadedfiles/%28isc%292_public_content/certification_programs/csslp/isc2_wpiv.pdf
University of California Berkeley Security
https://security.berkeley.edu/content/application-software-security-guidelines
Best Practices - Takes planning
Project Success Factors when using System Development Life Cycle
Q & A Session
Project Success Factors when using System Development Life Cycle
IT Sec Architecture
Design
Vulnerability Management
Secure Development Lifecycle
Secure Development Lifecycle
Risk Assessments Drive All IT Security and Risk Management Activities