How can I be agile and still satisfy the auditors?
Welcome & Introductions
Steve Ropa, Steven.ropa@versionone.com
Agile Coach, Certified Scrum Master, Certified Scrum Product Owner
19 years software development: 11 years programming, 8 years director of development
10 years Agile experience (XP, Scrum)
http://blog.versionone.com/blog/agile-musings
Agile Values
Individuals and Interactions OVER Processes and Tools
Working Software OVER Comprehensive Documentation
Customer Collaboration OVER Contract Negotiation
Responding to Change OVER Following a Plan
That is to say: while there is value in the items on the right, we value the items on the left more. There is no law saying that you may not do the items on the right; we won't even withhold your merit badge.
The Big Fallacy: "We are Agile, so we don't need documentation."
The Other Fallacy: "We are {CMMI; ISO; HIPAA; EIEIO} compliant, so we need reams of documentation."
What about auditing?
Most audits are based on a very specific set of requirements, written to address a specific need or vulnerability:
Sarbanes-Oxley: confirm financial calculations are correct; ensure compliance through visibility into the process
PCI DSS: ensure the software is secure; protect cardholder data and the personal information that travels with it
HIPAA: protect the privacy of health information
Auditable / Standard-specific stories
"As a healthcare customer, I can use the OnlineRx system in a secure manner, so that I am confident that my personal information will not be accessible by the public."
This may be an epic; break it down into stories for specific security measures.
Cite the specific standard and requirement (clause number) in each story, so the auditor can trace the requirement to the story and to its tests.
Write acceptance tests that confirm each measure, and automate them.
Automated Acceptance Tests
The best possible checklist against a standard.
Write automated tests that run on *every* check-in.
Each test verifies that one requirement of the standard is adhered to.
Break the build when a test fails: a non-compliant change never reaches a release.
FitNesse is a good example of a tool for automated acceptance tests.
These tests become the documentation for each standard: the auditor reads the test, its requirement tag, and its latest run.
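A worked example of the two slides above (requirement-tagged acceptance checks for the OnlineRx story, run as one suite that fails the build), added here; it is not code from the presentation or from VersionOne. The OnlineRx class is a constructed in-memory stand-in for the system under test, the patient data is made up, and the HIPAA clause labels are an assumed mapping chosen for illustration; verify clause numbers against the standard's text before putting them in your own stories.

```python
"""Acceptance checks that evidence a compliance requirement (added example).

OnlineRx is a constructed toy service; the record data and the clause
labels are assumptions for illustration, not a real mapping.
"""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCEPTANCE_CHECKS = []  # (requirement label, check): the traceability matrix


def requirement(label):
    """Tag a check with the standard clause or story it gives evidence for."""
    def decorate(fn):
        ACCEPTANCE_CHECKS.append((label, fn))
        return fn
    return decorate


class OnlineRx:
    """Constructed stand-in for the system under test: in memory, no network."""

    def __init__(self, mask_ssn=True):
        # Made-up record and session; mask_ssn=False simulates a regression.
        self._records = {"p-100": {"name": "Alice Example", "ssn": "123-45-6789",
                                   "rx": ["amoxicillin 500mg"]}}
        self._sessions = {"tok-alice": "p-100"}  # session token -> owning patient
        self.mask_ssn = mask_ssn
        self.audit_log = []

    def get_record(self, patient_id, token=None):
        """Return (status, body). Only the record owner's session may read it."""
        if self._sessions.get(token) != patient_id:
            self.audit_log.append(f"DENY read pid={patient_id}")
            return 403, {}
        self.audit_log.append(f"ALLOW read pid={patient_id}")
        body = dict(self._records[patient_id])
        if self.mask_ssn:
            body["ssn"] = "***-**-" + body["ssn"][-4:]
        return 200, body


@requirement("HIPAA 45 CFR 164.312(a)(1) access control (assumed mapping)")
def check_record_requires_owner_session(app):
    assert app.get_record("p-100")[0] == 403                      # anonymous
    assert app.get_record("p-100", token="tok-bogus")[0] == 403   # unknown session
    assert app.get_record("p-100", token="tok-alice")[0] == 200   # owner


@requirement("HIPAA 45 CFR 164.312(b) audit controls (assumed mapping)")
def check_every_access_attempt_is_logged(app):
    app.get_record("p-100")
    app.get_record("p-100", token="tok-alice")
    assert [e.split()[0] for e in app.audit_log] == ["DENY", "ALLOW"]


@requirement("OnlineRx story: personal information not exposed")
def check_no_raw_ssn_in_responses_or_logs(app):
    status, body = app.get_record("p-100", token="tok-alice")
    assert status == 200 and body["ssn"].endswith("6789")
    assert not SSN_RE.search(str(body)), "raw SSN in response body"
    assert not any(SSN_RE.search(e) for e in app.audit_log), "raw SSN in audit log"


def run_suite(app_factory=OnlineRx):
    """Run every tagged check against a fresh app; return [(label, name, status)]."""
    results = []
    for label, fn in ACCEPTANCE_CHECKS:
        try:
            fn(app_factory())
            results.append((label, fn.__name__, "PASS"))
        except AssertionError:
            results.append((label, fn.__name__, "FAIL"))
    return results


def build_passes(results):
    """The CI gate: any failed requirement check fails the build."""
    return all(status == "PASS" for _, _, status in results)


if __name__ == "__main__":
    import sys
    results = run_suite()
    for label, name, status in results:
        print(f"{status}  {name:<40} {label}")  # this listing is the audit checklist
    sys.exit(0 if build_passes(results) else 1)
```

Run it on every check-in and fail the job on a non-zero exit; the printed listing, one line per requirement with the check that evidences it, is what you hand the auditor. Constructing the app with `mask_ssn=False` shows the gate working: the PII check fails and the build is broken before the regression ships.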
Definition of Done
Teams need to agree on what "done" means for each story.
It usually starts with "all the tests pass".
Add a standard that stories aren't done until their audit requirements are met, that is, until the acceptance tests that cite those requirements pass.
Agile and CMM(I)
CMM(I) Level 2 KPAs (the slide uses the SW-CMM key process area names; CMMI calls them process areas and names some differently, e.g. Supplier Agreement Management) and the Agile practices that address them:
Requirements Management: user stories, product backlog
Software Project Planning: release planning, iteration planning
Software Project Tracking and Oversight: daily stand-ups, burndown charts, iteration reviews
Software Subcontract Management: not addressed
Software Quality Assurance: automated user acceptance tests, automated unit tests
Software Configuration Management: continuous integration
Requirements Management
A well-maintained product backlog is a list of every user story and feature in the system.
User stories include the acceptance criteria that define the story, and often the tasks that satisfy those criteria.
Software Project Planning
Release planning provides an early vision of what will be delivered.
The release date is fixed, which removes a large amount of uncertainty.
Sprint planning is a tight, well-defined feedback loop: change is recognized early and implemented quickly.
Teams that reach a sprint rhythm are highly effective and repeatable.
Software Project Tracking and Oversight
Daily stand-ups provide near-instantaneous feedback.
The sprint burndown shows status and the projected path to completion of the stories.
Iteration reviews show working software.
Retrospectives provide a continuous improvement mechanism.
Software Quality Assurance
Automated acceptance tests: the tests have to pass every time, not just the first time, so broken tests are found quickly, before the system decays.
Automated unit tests: the code is rigorously exercised, continuously.
Merciless refactoring: the design is improved continuously.
Software Configuration Management
Continuous integration: code is checked in several times a day, and the build and tests run every time.
Continuous delivery: working software is available all the time.
What about Level 3?
Most Level 3 KPAs are organizational in nature: process focus, training program, intergroup coordination.
Agile practices are exceptionally well suited to the organizational changes and attitudes that satisfy these requirements.
The bottom line
CMM(I) Level 2 is a slam dunk if you are using Agile practices.
CMM(I) Levels 3 and 4 are greatly facilitated by the collaborative nature of Agile teams.
Even Level 5 gets a jump start from Agile practices: for defect prevention, unit tests and pair programming coupled with automated acceptance tests make this a slam dunk as well. The other KPAs at this level are again more organizational in nature.
Requirements Traceability
Early on, XP said "tear up the cards". Don't: keep your stories somewhere, in Excel spreadsheets or a project management tool, so that each requirement can be traced to its story and its tests.
You can still be Agile with these tools; just remember to keep it light.
How to Claim Your PDU
Go to ccrs.pmi.org/
Search for ASPE as a Registered Education Provider. Our number is 2161.
At the bottom of our details page, select "See Provider's Activities".
Find the activity code stated by the moderator during the presentation: WS032911
The seminars are Category A (formerly Category 3) for one PDU.