The Advantages of ISO 9001 Certification

Transcription

1 Standards, d Certification and Regulations Reprisal: Types of Requirements Functional requirements: requirements that specify a function that a system or system component must be able to perform The watch shall display the time. Nonfunctional requirements: not specifically concerned with the functionality of a system but place restrictions on the product being developed User visible aspects of the system not directly related to functional behavior Usability; reliability; privacy; security; availability; performance Best to translate non-functional to measurable. The response time must be less than 1 second Constraints ( Pseudo requirements ): not user-visible; imposed by the client that restricts the implementation of the system or the development process The implementation language must be Java. Unit tests must be written in JUnit.

2 Topics Standards/Frameworks [voluntary] ISO 9001 CMMI Certification [voluntary] CCHIT (Healthcare) Regulations [law] HIPAA [see Privacy lecture] Sarbanes Oxley (SOX) What is ISO and ISO 9001? "ISO", the abbreviation for the "International Organization for Standardization" The ISO is a worldwide federation of ~150 national standards bodies Strives to promote the growth of manufacturing, trade and communication through the development of generic quality standards ISO 9001 is the most widely recognized ISO standard ISO 9001 defines the minimum elements an organization needs to implement in order to establish an effective Quality Management System The latest version of this standard was published in December 2000

3 ISO 9001 is not just for software Areas Must establish policies and procedures to address each of these Management responsibility Quality systems Contract review Design control Document and data control Product identification and traceability Process control Inspection and testing Inspection and testing Corrective and preventative action Control of quality records Internal quality audits

4 The principles behind ISO 9000 DECLARE WHAT YOU DO Standards & Procedures DEMONSTRATE IT Certification Records RECORD WHAT YOU DID DO WHAT YOU DECLARE Responsibility ISO : Measures degree to which an organization Says what they do, and does what they say ISO "Will this process help you achieve your stated objectives? Is it a good process or is there a way to do it better?" ISO 9001 Certification Performed by external, independent, trained auditor Not done by ISO itself Countries have accreditation bodies to authorize certification bodies, which audit organizations applying for ISO 9001 compliance certification. Organizations desire the competitive advantage of being able to say they are ISO certified. Danger: organizations sometimes don t want to change (improve) their process once they are certified.

5 Topics Standards/Frameworks [voluntary] ISO 9001 CMMI Certification [voluntary] CCHIT (Healthcare) Regulations [law] HIPAA [see Privacy lecture] Sarbanes Oxley (SOX)

6 Capability Maturity Model Integration (CMMI) Creation of the Software Engineering Institute (SEI) at Carnegie Mellon University The quality of a system or product is highly influenced by the quality of the process used to develop and maintain it. Process improvement approach Collection of best practices Framework for organizing and prioritizing activities Organized into levels... Capability Maturity Model Levels (Staged Representation) 5 4 Focus on process improvement Process measured and controlled Optimizing Quantitatively Managed Process characterized for the organization and is proactive Process characterized for projects and is often reactive Process unpredictable, poorly controlled and reactive Performed Managed Defined Source: Phillips, Mike CMMI V1.1 and Appraisal Tutorial, FEB by Carnegie Mellon University

7 Process Areas by Maturity Level (staged) Level 5 Optimizing Focus Continuous process improvement Process Areas Organizational Innovation and Deployment Causal Analysis and Resolution 4 Quantitatively Managed 3 Defined 2 Managed 1 Performed Quantitative management Process standardization Basic project management Organizational Process Performance Quantitative Project Management Requirements Development Technical Solution Product Integration Verification Validation Organizational Process Focus Organizational Process Definition Organizational Training Integrated Project Management Integrated Supplier Management Risk Management Decision i Analysis and Resolution Organizational Environment for Integration Integrated Teaming Requirements Management Project Planning Project Monitoring and Control Supplier Agreement Management Measurement and Analysis Process and Product Quality Assurance Configuration Management Source: Phillips, Mike CMMI V1.1 and Appraisal Tutorial, F 2004 by Carnegie Mellon Universi CMM Levels Some organizations must attain a certain CMMI level to be considered as a contractor. Especially to be a contractor for the (US) government. Organizations prioritize process improvement activities to attain a CMMI level. Organizations must be appraised by a SEI- trained and certified CMMI appraiser to officially have attained a CMMI level.

8 Maturity Profile by All Reporting USA and Non-USA Organizations 100% 90% 80% USA: 100 % = 498 Non-USA: 100 % = 879 % of Organizations 70% 60% 50% 40% 30% 20% 10% 0% Not Given Performed Initial Managed Defined Quantitatively Managed 271 Based on 498 USA organizations and 879Non-USA organizations Optimizing Source: Phillips, Mike Cost Benefits Industry Examples

9 Topics Standards/Frameworks [voluntary] ISO 9001 CMMI Certification [voluntary] CCHIT (Healthcare) Regulations [law] HIPAA [see Privacy lecture] Sarbanes Oxley (SOX) CCHIT Certification body nonprofit organization with the sole public mission of accelerating the adoption of robust, interoperable health information technology (HIT) by creating a credible, efficient certification process comprehensive, practical definition of what capabilities were needed in [electronic health records systems Current: Functional requirement oriented 2011: also Security and Reliability criteria; interoperability criteria

10 Example Certified Products Topics Standards/Frameworks [voluntary] ISO 9001 CMMI Certification [voluntary] CCHIT (Healthcare) Regulations [law] HIPAA [see Privacy lecture] Sarbanes Oxley (SOX)

11 Sarbanes Oxley (SOX) Executive management of publicly held companies reporting $75 million revenue dollars or more to the SEC must be compliant with the Sarbanes-Oxley Act of 2002 (SOX) legislation. SOX enacted after high profile corporate/accounting scandals such as Enron, WorldCom, Authur Anderson and others. Mandates strict rules relating to corporate transactions and operating practices. Independent corporate auditors examine if an organizations is SOX compliant. Sarbanes-Oxley 2002 Requires management to demonstrate knowledge of underlying process of the business Must be able to describe how transactions are authorized or accepted for input into processing Identify critical data files used during processing Separation of duties. Developers cannot have write access to production system. Define key reports resulting from processing Ongoing process to monitor internal controls while continuously evaluating and improving their effectiveness

12 Useful Links ISO Main Page SEI CMMI Main Page: CCHIT CMMI Models: Sarbanes Oxley