"IT Governance and Compliance in an Agile World"



AW6 Concurrent Session, 11/7/2012, 2:15 PM
"IT Governance and Compliance in an Agile World"
Presented by: Bob Aiello, CM Best Practices Consulting
Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073; 888 268 8770; 904 278 0524; sqeinfo@sqe.com; www.sqe.com

Bob Aiello, CM Best Practices Consulting

Bob Aiello is a consultant, editor-in-chief of CM Crossroads, and author of Configuration Management Best Practices: Practical Methods that Work in the Real World. He is a software engineer specializing in software process improvement, including software configuration and release management. He has more than twenty-five years of experience as a technical manager at top New York City financial services firms, where he held company-wide responsibility for configuration management. He is vice chair of the IEEE 828 Standards Working Group on CM Planning and a member of the IEEE Software and Systems Engineering Standards Committee (S2ESC) Management Board. Contact Bob at Bob.Aiello@ieee.org, via LinkedIn, or visit cmbestpractices.com.

Slide 1: IT Governance and Compliance in an Agile World
- Bob Aiello, Principal Consultant and Author of Configuration Management Best Practices: Practical Methods that Work in the Real World
- http://www.linkedin.com/in/bobaiello
- http://cmbestpractices.com
- CM Best Practices Consulting 2012

Slide 2: Who am I?
- CM Lead & Consultant for over 25 years
- Editor-in-Chief at CM Crossroads
- Author of CM Best Practices
- IEEE Management Board
- Tools and process agnostic
- The guy the auditors call on!

Slide 3: Books, Articles & Webcasts
- Mike Huetterman, Agile ALM
- Mario Moreira, Adapting Configuration Management for Agile Teams
- Agile Journal
- Developerworks
- CM Journal
- ALM Journal
- ITSM Portal

Slide 4: Published on Audit for Agile
- Adapting Configuration Management for Agile Teams: Balancing Sustainability and Speed, by Mario Moreira
- "CM that is adapted to suit the continuous nature of change that Agile provides without sacrificing the values of CM."

Slide 5: Agile Configuration Management
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan

Slide 6: Agile World
- Focus on individuals and interactions
- Working software
- Customer collaboration
- Welcome change, even late in the process
- Rapid iterative development

Slide 7: Agile Works!
- Avoid documenting requirements we do not (yet) understand
- Managing risk
- Decisions at the last responsible moment
- Honesty regarding what we know

Slide 8: Test Cases at the NYSE
- POS Displaybook used by the Specialist
- Challenged the user rep to write test cases
- In the first hour we determined that what we had asked for was not what we wanted
- Examining milestone releases while writing test cases is essential!

Slide 9: Agile Misconceptions
- Coding without requirements
- Lack of processes & tools
- Lack of documentation
- No contracts
- No plans

Slide 10: Goals of Agile CM
- Rapidly build, package and deploy
- Reliable and repeatable process
- Traceability and forensics
- Emergence of DevOps

Slide 11: Characteristics of Agile CM
- Customer-centric (which one?)
- Rapid iterative development
- Pragmatic approach to requirements
- Support for testing
- Collaborative communication
- Role in the SCRUM

Slide 12: Knight Capital
- August 1st outage
- Erroneously purchased 7 billion dollars of stock
- Loss of 440 million dollars
- Old software that was left on the system
- Lack of DevOps

Slide 13: Batman and Superheroes
- Lucius Fox warns Batman about a possible malfunction in the autopilot for the Bat
- Batman's own life depends upon the autopilot
- Patch was documented by Bruce Wayne

Slide 14: SEC Investigation
- Lack of controls
- Proper testing & process
- Impact to shareholders
- Impact to market

Slide 15: Banks
- Compliance with SOX
- Office of the Currency - Treasury
- FFIEC: Federal Financial Institutions Council
- And government agencies

Slide 16: GAO
- FDIC cited
- Numerous government agencies cited
- Lack of controls
- Failing internal audit

Slide 17: Agile Focus
- Productivity
- Quality
- Did we mention working software?
- Agile testing

Slide 18: Deming: Build Quality In
- Verification: meeting requirements
- Validation: are the requirements correct?
- Agility helps us build quality in from the beginning
- Test cases and scripts are valuable artifacts

Slide 19: IT Governance
- IT Governance needs to be in alignment with corporate governance
- Provides transparency
- Helps senior management make the right decisions
- Educate your boss!

Slide 20: ISACA Board Briefing on ITG
- "Fundamentally, IT governance is concerned about two things: IT's delivery of value to the business, and mitigation of IT risks."
- Source: www.isaca.org

Slide 21: Compliance
- Usually to regulatory requirements
- Interpreted based upon frameworks such as Cobit
- Financial reports need to be accurate

Slide 22: Examples
- Separation of controls
- Steps are logged, including results
- Traceable to the Change Request
- Security measures to prevent unauthorized changes
- Audit in place for intrusion detection

Slide 23: What Are the Regs?
- Section 404 of the Sarbanes-Oxley Act of 2002
- HIPAA and CFR 21
- SSAE 16 (formerly SAS 70)
- Audit requirements

Slide 24: What is Agile Process Maturity?
- Adherence to the principles (purity)
- Scalability (Scrum of Scrums)
- Transparency and traceability
- Coexistence with Non-Agile
- Consider the items on the right

Slide 25: Agile Process Maturity
- Repeatable process
- Tools matter
- Adequate documentation
- Contracts required
- Gotta have a plan

Slide 26: Emergence of DevOps
- Agile Systems Administration
- Critical with rapid iterative development
- Development is not taking over Ops
- Synergy of development and Ops

Slide 27: Moving Upstream
- Developing automated build, package and deployment early in the process
- Starting in development
- Developing the automation is a project itself
- Using Agile principles

Slide 28: Virtual Build Engineer
- Separate Build Engineer Account
- Completely automated
- Provides traceability
- Logging and reporting
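The compliance bullets on slide 22 (separation of controls, every step logged with its result, traceability to the Change Request) and the "Virtual Build Engineer" slide describe the same control set. The following deploy wrapper is an added example, not code from the slides or from CM Best Practices Consulting; the build account name `buildeng`, the audit log path and the `CR-12345` change request format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the slides: a deploy wrapper that turns the "Virtual
# Build Engineer" and compliance bullets into checks. Account name, log path and
# change request format are assumptions made for this example.

AUDIT_LOG="${AUDIT_LOG:-./deploy-audit.log}"   # append-only evidence for auditors
BUILD_ACCOUNT="${BUILD_ACCOUNT:-buildeng}"     # dedicated, non-developer account

# Change request ids are assumed to look like CR-12345 (constructed format).
valid_cr() {
    case "$1" in
        CR-[0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Separation of roles: $1 is the current account, $2 the one allowed to deploy.
check_account() {
    [ "$1" = "$2" ]
}

# Run one pipeline step, append "utc-time|CR|step|exit-status" to the audit log
# and return the step's status so a failure stops the pipeline.
run_step() {
    cr="$1"; name="$2"; shift 2
    "$@"; status=$?
    printf '%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cr" "$name" "$status" >> "$AUDIT_LOG"
    return "$status"
}

# Number of logged steps for a change request: the evidence an auditor asks for.
steps_for_cr() {
    if [ -f "$AUDIT_LOG" ]; then grep -c "|$1|" "$AUDIT_LOG" || true; else echo 0; fi
}

# Refuse without a valid CR or outside the build account, then log every step.
deploy() {
    cr="$1"
    valid_cr "$cr" || { echo "refusing: no valid change request" >&2; return 2; }
    check_account "$(id -un)" "$BUILD_ACCOUNT" || { echo "refusing: not the build account" >&2; return 3; }
    run_step "$cr" build   sh -c 'echo compiling' &&
    run_step "$cr" package sh -c 'echo packaging' &&
    run_step "$cr" deploy  sh -c 'echo deploying'
}
```

Each line in the audit log ties a step and its exit status to one change request, which is what an auditor checking slide 22's controls will ask to see.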

Slide 29: Agile Views
- What are some of the views of others in the Agile Community?

Slide 30: Agile Release Train (ART)
- "Making each product a successful and routine event, an event that is indeed planned and eagerly anticipated, yet one that happens almost on autopilot."
- Dean Leffingwell's Agile Software Requirements, p. 299

Slide 31: Deployment Pipeline
- "A deployment pipeline is an automated implementation of your application's build, deploy, test and release process."
- Jez Humble and David Farley's Continuous Delivery, p. 3

Slide 32: Aim of the Pipeline
- Makes building, deploying, testing and releasing software visible to everyone involved
- Improves feedback so that problems are identified, and so resolved, as early in the process as possible
- Enables teams to deploy and release any version of their software to any environment at will through a fully automated process (p. 4)

Slide 33: Antipatterns
- Deploying Software Manually
- Deploying to a Production-like environment only after Development is complete
- Manual Configuration of Production Environments
- Continuous Deployment, p. 7-10

Slide 34: DevOps
- Synergy of Agile & ITIL
- Full lifecycle approach
- Good communication to all stakeholders
- Break down barriers
- Don't forget separation of roles

Slide 35: Dev/QA Focus
- Development
- QA & Testing
- Operations
- Self-Managing/Organizing Teams

Slide 36: SOX Compliance
- Section 404 of the Sarbanes-Oxley Act of 2002
- Using ISACA Cobit 4.1
- 34 high level IT controls
- PCI compliance
- SSAE 16 (formerly SAS-70)

Slide 37: ISO 9001
- Establishes the quality management system (QMS)
- ISO 90003 is the software standard in the 9000 family of standards
- Uses ISO 12207 (or 15288) to specify lifecycle processes
- ISO 10007 for CM
- IEEE 828, EIA 649-B, Mil Std coming!

Slide 38: Which Standards?
- IEEE 828 CM Planning
- EIA 649-A Non-compliance
- ISO 90003 to support QMS
- Full lifecycle: ISO 12207
- Tailor!

Slide 39: Moving Upstream
- Dev to CM to QA to Ops
- Cross-functional focus
- Speed up development
- Build a great deployment architecture
- Give it to Devs as a service!

Slide 40: Frameworks
- ITIL v3 including CMDBs, federated CMDBs, CMS, DML
- Cobit for SOX
- CMMI -> Agile

Slide 41: Configuration Management
- Configuration Identification
- Status Accounting
- Change Control
- Configuration Audit
- Tracking and Controlling Changes to Configuration Items

Slide 42: Your Agile Process Should be Lean
- Processes need to be reviewed
- Tailor down or tailor up
- More collaboration and consensus building
- Use standards and frameworks

Slide 43: Assessment
- First step is to assess current practices (As-Is)
- Compare to industry standards and frameworks
- Determine To-Be
- Create a plan for improving your CM processes

Slide 44: Plan for Improvement
- Improve training and use cases for source code management
- Improve build automation
- Set up or improve continuous integration
- Automate package and deployment
- Create procedures for configuration audit

Slide 45: IT Governance and Compliance in an Agile World
- Bob Aiello, Principal Consultant and Author of Configuration Management Best Practices: Practical Methods that Work in the Real World
- http://www.linkedin.com/in/bobaiello
- http://cmbestpractices.com
- CM Best Practices Consulting 2012