Project Success Factors when using System Development Life Cycle IT Symposium October 2015 By Edward M. Dennis

Page 1:

Project Success Factors when using System Development Life Cycle

IT Symposium October 2015

By Edward M. Dennis

Page 2:

Project Success Factors when using System Development Life Cycle

Introduction (slide 3-6)

Thank You

Page 3:

What IT costs

In the mid-1960s, less than five percent of American capital expenditures (Carr, 2003)

At the turn of the century nearly 50 percent of capital expenditures went to IT (Carr, 2003)

2012 and 2013 IT expenditures totaled 3.5 trillion worldwide (Gartner, 2013)

Over the next five years this will go up 2.1, 3.7, 3.8, 3.4, and 3.2 percent respectively (Gartner, 2013).

Page 4:

Zachman

John Zachman - relationship between following a lifecycle framework and success (Zachman, 1987)

Classical engineering – construction of buildings, roads and bridges (Zachman 1987)

Classic Engineering Lifecycle process

Requirements

Design w/innovation

Reliability (testing)

Implementation

Use and eventual destruction

(Spector, A. and D. Gifford, 1986).

Page 5:

Bridges to nowhere

Page 6:

The Standish Group and CHAOS

1994 - 69 percent reached O&M

2012 – 82 percent reached O&M

Success = on time within budget and met requirements

Page 7:

| Rank | Standish Report 1994 | Standish Report 2013 | 2015 Survey of Participants |
|------|----------------------|----------------------|-----------------------------|
| 1 | User involvement | Executive management support | Skilled resources |
| 2 | Executive management support | User involvement | User, customer involvement |
| 3 | Clear statement of requirements | Clear business objectives | Agile process |
| 4 | Proper planning | Emotional maturity | Tools and infrastructure |
| 5 | Realistic expectations | Optimizing scope | Clear business objectives |
| 6 | Smaller project milestones | Agile process | Project management expertise |
| 7 | Competent staff | Project management expertise | Team member maturity |
| 8 | Ownership | Skilled resources | Project execution based plan |
| 9 | Clear vision and objectives | Execution | Executive management support |
| 10 | Hard-working, focused staff | Tools and infrastructure | Optimization of scope |

Page 8:

All respondents results

[Chart: vertical axis from 0 to 0.9; categories: O&M, on time, in budget, requirements, Successful]

Page 9:

Survey

Role in IT

Level in education

Certifications

Experience in IT and in this position

Experience on team

Types of projects

Use of life cycle, lifecycles used, and project Management training

Number of projects, on time, within budget, success, met requirements, and scope creep

Page 10:

Success from development life cycle and Project Management training

[Chart: vertical axis from 0% to 100%; categories: O&M, on time, in budget, Met requirements, Successful; series: Using Dev Life Cycle, No Dev Life Cycle, Training in dev Cycle, Training in PM]

Page 11:

Conclusions

Success factors

Development Lifecycle and training in Project Management

These two aspects ranked in the top 2 in every category

Lifecycles and project management do affect project success

Page 12:

Life cycles

Troubleshooting

Defining the problem

Testing and research

Gather information

Analysis

Implement fix

Did it resolve problem

Quality

Brainstorm possible problems

Define problem to resolve

Brainstorm solutions

Analyze solutions

Implement solution

Did it resolve problem

Page 13:

System or Software Development Lifecycle

Planning

Requirements

Design

Implementation

Test

Deployment

Operations and Maintenance

Page 14:

SDLC and NIST

Page 15:

Zachman Model

Page 16:

Waterfall

Project planning – overview of project – determining goals

System analysis – requirements, goals of project

System Design – features, detailed operation, business case, process

Implementation – writing code

Integrate and test – testing environment – test interoperability, resolve issues

Acceptance and deployment – production

Maintenance

Decommission

Page 17:

Secure development life cycle

Planning

Requirements

Design

Implementation

Test

Deployment

Operations and Maintenance

Page 18:

Planning

Who – representatives from all stakeholders

What business strategies take priority

Budget

When is the deadline for the project to be accomplished

Where in my network architecture will this reside

Developing a system by analyzing and meeting mission or business need of the information system using available and cost–effective technologies

Security requirements dictate technologies needed to protect system information

Assess risk of project planned

Define scope

Present to stakeholders/management for concurrence

Page 19:

Requirements

Defining system requirements

Defining security requirements

Account management and access control

Information flow

System use parameters

Verify requirements fall within scope (scope creep)

Information input and output restrictions

Estimated cost of implementation

Compliance with regulations and policies

Keep stakeholders/management informed (concurrence)

Page 20:

Scope Creep

Process by which the project grows beyond its original requirements, function or feature

Properly documented and agreed upon requirements

Can cause cost and time overruns

Need for good stakeholder communications

Clearly defined scope of work

Work process breakdown

Written agreement on scope (requirements, function, and features)

Understood, collaborated, defined, agreed upon, and cost effective

Page 21:

Design

Necessary documentation

Hardware and software redundancy

Risk assessment and analysis

Mitigating security controls documented

Data requirements and protection

Planning and basic testing of code and applications

Open source or COTS

Application and Operating system hardening

Keep stakeholders/management informed (concurrence)

Beware of scope creep

Page 22:

Implementation

System builds and software installation

Vulnerability Management

System and application scanning

Penetration testing where applicable

Verify requirements are met

Verify compliance with regulations and policies

Contingency planning

Risk assessment and Privacy Impact

Documentation of Standard Operating Procedures and Processes

Keep stakeholders/management informed (concurrence)

Page 23:

Test

User testing

Functionality

Test backup and restore processes

Update documentation

User training

Vulnerability Management

System and application scanning

Penetration testing where applicable

Page 24:

Deployment

Set up Change management process

Set up configuration management process

System and user monitoring plan

Auditing of security logs

Security Event and Incident Management

Vulnerability Management Plan

Risk Management

Stakeholder acceptance/Authorization to proceed

Feedback/concerns, requirements met, Communications Plan

Page 25:

Operations and Maintenance

Periodic Change Control Board Meetings

Change and configuration Control Plan

Periodic Vulnerability Scanning

Vulnerability Management Plan

Contingency Plan updates and periodic test

Maintenance of Standard Operating Procedures

Page 26:

SANS Critical Top 20 Security Controls

Controls of Interest (Top 4+):

• 1. Inventory of Authorized and Unauthorized Devices

• 2. Inventory of Authorized and Unauthorized Software

• 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

• 4. Continuous Vulnerability Assessment and Remediation

• 5. Malware Defenses

• 12. Controlled Use of Administrative Privileges

Page 27:

Software Development Best practices

Development test and production on separate systems and networks

VM’s, NAT, ACL’s

Software Development library

Retrieve to update

Update and put back in library

Do not hold on developer system

Restrict access to production

Software release Process (controlled)

Application Scanning

Test and scan before release

Mitigate vulnerabilities

Page 28:

Industry Standards and Best Practices

Source: http://www.servicecatalog.dts.ca.gov/services/professional/security/docs/3117_network_architecture_standard.pdf

Source: OWASP Cheat Sheets

Page 29:

Secure Development Lifecycle

Source: http://www.microsoft.com/en-us/SDL/adopt/tools.aspx

Page 30:

Building Security in SDLC

DHS Guidance – Improve Security and Software Assurance

https://buildsecurityin.us-cert.gov/

DHS Guidance – Secure Coding Sites and Training

https://buildsecurityin.us-cert.gov/resources/secure-coding-sites

Microsoft Trustworthy Computing Initiative

http://www.microsoft.com/en-us/twc/

Open Web Application Security Project (OWASP)

https://www.owasp.org/index.php/Main_Page

(ISC)2® – Top 10 Best Practices for Secure Software Development

https://www.isc2.org/uploadedfiles/%28isc%292_public_content/certification_programs/csslp/isc2_wpiv.pdf

University of California Berkeley Security

https://security.berkeley.edu/content/application-software-security-guidelines

Page 31:

Best Practices - Takes planning

Page 32:

Project Success Factors when using System Development Life Cycle

Q & A Session

Page 33:

Project Success Factors when using System Development Life Cycle

IT Sec Architecture Design

Vulnerability Management

Secure Development Lifecycle

Risk Assessments Drive All IT Security and Risk Management Activities