IT Examination Handbook Presentation Development and Acquisition Booklet



Similar documents
Development and Acquisition D&A

Information Technology

Program Lifecycle Methodology Version 1.7

Development, Acquisition, Implementation, and Maintenance of Application Systems

What is a life cycle model?

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

PHASE 5: DESIGN PHASE

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Risk Management of Outsourced Technology Services. November 28, 2000

NEOXEN MODUS METHODOLOGY

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Understanding the Software Contracts Process

CONTENTS. List of Tables List of Figures

OCC 98-3 OCC BULLETIN

How to Write a Software Process Procedures and Policy Manual for YOUR COMPANY

From Chaos to Clarity: Embedding Security into the SDLC

Financial Institution Letters

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Instructions for Completing the Information Technology Officer s Questionnaire

ACQUISITION OF SOFTWARE AND SERVICES TO SUPPORT THE CORPORATE HUMAN RESOURCES INFORMATION SYSTEM

IMPORTANT ISSUES TO CONSIDER WHEN NEGOTIATING SOFTWARE LICENSES AND AGREEMENTS

GAMP 4 to GAMP 5 Summary

Systems Programmer/Analyst (12203) ( )

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Vendor Management. Outsourcing Technology Services

Department of Administration Portfolio Management System 1.3 June 30, 2010

To: Our Clients and Friends March 25, 2014

Outsourcing Technology Services A Management Decision

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

PROPOSAL EVALUATION WORKSHEET (INDIVIDUAL) EVALUATION FACTOR: INFORMATION TECHNOLOGY SERVICES PLAN (RATED) Selection Committee

Information Technology Risk Management Program

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

SOFTWARE DEVELOPMENT AND DOCUMENTATION

Configuration Management System:

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

Validating Enterprise Systems: A Practical Guide

U.S. Department of Education Federal Student Aid

Application of software product quality international standards through software development life cycle

Contracting for Services

Appendix A-2 Generic Job Titles for respective categories

System Development and Life-Cycle Management (SDLCM) Methodology. Approval CISSCO Program Director

IT Outsourced Services. Preliminary Survey

Overview Software Assurance is an annual subscription that includes: Technical Support, Maintenance and Software Upgrades.

Professional Services in Cloud ERP

Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report

Practical and ethical considerations on the use of cloud computing in accounting

Introduction to Change

Automated Office Systems Support Quality Assurance Plan. A Model DRAFT. December 1996

TECHNOLOGY STRATEGY AUDIT

Audit of NSERC Award Management Information System

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

XANGATI END USER SOFTWARE LICENSE TERMS AND CONDITIONS

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

II. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight

Combine ITIL and COBIT to Meet Business Challenges

IBM Tivoli Netcool network management solutions for enterprise

SECURITY AND EXTERNAL SERVICE PROVIDERS

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Software Configuration Management Plan

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose

Advisory Consulting. Maintain and support critical business applications with Managed Services

Recovery Site Evaluation: Finding Viable Alternatives

WHITE PAPER. Mitigate BPO Security Issues

Office of Inspector General

ICBA Summary of FFIEC Cybersecurity Assessment Tool

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

PHASE 6: DEVELOPMENT PHASE

V-Modell XT. Part 1: Fundamentals of the V-Modell

OpenText Information Exchange (IX) Professional Services

State of Oregon. State of Oregon 1

Commercial Software Licensing

How To Use Hp Bsm Integration For Bmbsm (Bms) On A Pc Or Macbook (Bmb) With A Microsoft Powerbook (Mmb) On An Ipa (Bsm) With An Ipam

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Strategic Procurement Services

ICT Competency Profiles framework Job Stream Descriptions

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b

How era Develops Software

The IT Infrastructure Library (ITIL)

Introduction to Systems Analysis and Design

How To Model Software Development Life Cycle Models

Transmittal Sheet #: Date: July 12, 2005

Information Technology Policy

Phases, Activities, and Work Products. Object-Oriented Software Development. Project Management. Requirements Gathering

Risk Considerations for Internal Audit

LECTURE 1. SYSTEMS DEVELOPMENT

FFIEC Cybersecurity Assessment Tool

<name of project> Software Project Management Plan

FinTech Webinar Series: Vendor Management Principles

University of Central Florida Class Specification Administrative and Professional. Director Enterprise Application Development

Outsourcing Technology Services OT

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b

2.1 The RAD life cycle composes of four stages:

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

Transcription:

IT Examination Handbook Presentation Development and Acquisition Booklet 1. Visual Narrative 2. Development and Acquisition an organization s ability to identify, acquire, install, and maintain appropriate information technology systems. The Federal Financial Institutions Examination Council or FFIEC defines development and acquisition, or D & A as an organization s ability to identify, acquire, install, and maintain appropriate information technology systems." 3. Development and Acquisition Internal development and maintenance External acquisition The process includes the internal development and maintenance of software, as well as, the acquisition of software, hardware, or services from third parties. 4. Development and Acquisition Development Maintenance Acquisition The D & A booklet provides guidance for examiners, financial institutions and service providers regarding applications development, maintenance, and acquisition processes. FFIEC IT Examination Handbook Page 1

5. Development and Acquisition The booklet does not address the acquisition of third-party services, which is addressed in the "Outsourcing Technology Services Booklet." A wide variety of techniques are available to financial institutions to manage development and acquisition projects. 6. Development and Acquisition 1996 1997 1998 1999 2000 2001 2002 2003 The structure, or formality, of project management techniques has evolved in recent years, largely in response to the increasing complexity and risks associated with modern technology systems. 2004 7. Closed Environments Computer Room DO NOT ENTER Computer Room DO NOT ENTER Computer Room DO NOT ENTER In the past, Information Technology, or IT, systems consisted of mainframes and mainframe terminals, and security could be limited to physical restrictions in these closed environments. 8. Distributed Environments However, modern IT systems operate in open or distributed environments that provide end users significantly increased access to systems and data. FFIEC IT Examination Handbook Page 2

9. Risk-focused Methodologies The security requirements and architectural complexity of distributed IT systems have contributed to the advancement of risk-focused software development and project management methodologies. 10. Risk-focused Methodologies Start The methodologies often involve iterative processes that require the repetitive, or cyclical, consideration of project risks and requirements throughout each project phase. Finish 11. Risk-focused Methodologies End users Auditors Start Programmers Security officers Network technicians Finish Other Iterative techniques help ensure the requirements of each project participant end users, auditors, programmers, security officers, network technicians, etc. are appropriately considered throughout a project. 12. Risk-focused Methodologies Many books have been written about various project management techniques and software development methodologies. FFIEC IT Examination Handbook Page 3

13. Risk-focused Methodologies The D & A Booklet does not attempt to duplicate all of this information, but rather presents an overview of project management activities, risks, and risk management techniques. 14. Content Revisions The D & A Booklet replaces Chapter 12 of the 1996 FFIEC IS Handbook. = Chapter 12 of the 1996 FFIEC IS Handbook. 15. Content Revisions Less: "mainframes" More: "project management" More: "software development techniques" The Booklet is less mainframe oriented and includes more information on project management and software development techniques. 16. Examiner Note Financial institutions use project management techniques of varying formality and complexity. Examiners should ensure the techniques employed are appropriately matched to the complexity of a project. FFIEC IT Examination Handbook Page 4

17. 18. Booklet Organization Introduction Development Acquisition Maintenance Appendices Booklet Organization Introduction Development Acquisition Maintenance Appendices The D & A booklet is divided into six general sections: Introduction Development Acquisition Maintenance, and Appendices Let's take a closer look at the various sections. The Introduction describes development and acquisition projects and project risks, and 19. Introduction Benefits of: Structured project management techniques Standards, policies, and procedures Points out the benefits of using: Structured techniques to control project activities and risks, and Formal project management standards, policies, and procedures. 20. Introduction Benefits of: Requirements for: Cost accountability Information security The Introduction also emphasizes the need to: Accurately account for development and acquisition costs, and Ensure security issues are appropriately addressed during development, acquisition, and maintenance projects. FFIEC IT Examination Handbook Page 5

21. Booklet Organization Introduction Development Acquisition Maintenance Appendices The section describes general project management considerations, including: 22. Standards Methodologies Plans Tools Process improvement Project management standards, methodologies, plans, tools; and methods for improving project management skills. 23. Standards Methodologies Plans Tools Process improvement Organizations should establish project management standards for all large, complex, or mission-critical projects. Institutions that routinely complete multiple projects should establish project management offices to coordinate project activities. 24. Standards Project plans Configuration management Quality assurance Risk management Testing Documentation Organizations should develop standards for all aspects of a project, including: Project plans Configuration management Quality assurance Risk management Testing, and Documentation. FFIEC IT Examination Handbook Page 6

25. Standards Methodologies Plans Tools Process improvement Financial institutions use various methods to manage technology projects. 26. SDLC Management The D & A booklet uses a systems development life cycle or SDLC model to illustrate the general project management tasks. 27. Iterative Waterfall Methodology Systems Requirements Software Requirements Analysis Program Design Coding The model portrayed in the booklet can be described as an iterative waterfall methodology. However, this model is offered merely as an example, and examiners should not be overly concerned with the specific terms assigned to the various project management techniques discussed in the booklet. Testing Operations Operations 28. Alternative Methodologies Software development Hardware/software acquisition Examiners should keep in mind that organizations may employ an SDLC-type technique or an alternative methodology when managing virtually any project, including: software development, and hardware, software, or service acquisition projects. FFIEC IT Examination Handbook Page 7

29. Methodologies Tailored to match project characteristics Board approved Deviations approved and documented Regardless of the methodology used, it should match a project s characteristics and risks. The board, or a board-designated committee, should formally approve overall project methodologies, and management should document and approve all significant deviations from approved policies. 30. Standards Methodologies Plans Tools Process improvement Detailed planning is one of the most critical aspects of effective project management due to the numerous interdependent issues that must be coordinated and addressed. Poor planning routinely prevents organizations from meeting project goals. 31. Project Plans Detail Why a project is being initiated What it hopes to accomplish Define Primary responsibilities Communication standards Formal project plans should detail why a project is being initiated and what it hopes to accomplish. Plans should define primary responsibilities and detail the communication standards. FFIEC IT Examination Handbook Page 8

32. Project overviews Roles and responsibilities Communication procedures Defined deliverables Standards Control requirements Project Plans Quality assurance plan Risk management Configuration management Documentation Budget Scheduling Testing Training Project activities should be described in as much detail as possible and include, as needed: A project overview Roles and responsibilities Communication procedures Defined deliverables Standards Control requirements Quality assurance plans Risk management Configuration management Documentation Budget Scheduling Testing, and Training 33. Standards Methodologies Plans Tools Process improvement The booklet also discusses various project management tools, such as spreadsheets or software applications, which can be used for scheduling tasks and tracking costs. As with project methodologies, plans, and standards, the sophistication of the tools employed should match the complexity of a project. 34. Process Improvement Training Structured management techniques There are several methods for enhancing the effectiveness of an organization s project management skills. Typically the methods involve training project personnel and developing structured management techniques. For the purpose of illustration, the booklet includes two examples. These are only examples and do not constitute an endorsement of a particular brand or methodology. FFIEC IT Examination Handbook Page 9

35. Capability Maturity Model LEVEL 5 Optimizing 4 - Managed 3 Defined RESULT Productivity & Quality The first example is the Capability Maturity Model, developed by the Carnegie Mellon University Software Engineering Institute. This model categorizes an organization s capability to develop software into five maturity levels and encourages organizations to implement certain management-improvement techniques at each of these levels. 2 - Repeatable 1 - Initial RISK 36. International Organization for Standardization New ISO Standard Adds Leverage of "Measurement Systems' to ISO 9000 Family A new standard in the ISO 9000 family provides organizations with a model known as a "measurement management system" to help them achieve product quality and manage risk by ensuring that measuring equipment and measurement The second example is the International Organization for Standardization or ISO s 9001 standards, which address management practices relating to design, development, production, installation, and servicing activities. 37. 9000-3 Guidelines The generic 9001 standards focus on manufacturing activities; therefore, ISO published 9000-3 guidelines to assist project managers in applying the 9001 standards in software development environments. 38. Development Projects In-house Outsourcing Combined approach. Development projects involve the creation of software in-house, through outsourcing, or by a combined approach. FFIEC IT Examination Handbook Page 10

39. Systematic Methodologies Organizations typically manage software development projects using systematic methodologies that divide large, complex tasks into smaller, more easily managed segments or phases. 40. Development Standards Project management System controls Quality assurance Change management Organizations should establish development standards that, at a minimum, address project management, system control, and quality assurance issues. Organizations should also establish development standards that help control changes during a project. 41. SDLC Management The D & A Booklet uses the SDLC model to highlight the specific activities involved in the distinct phases of a software development project. Various techniques can be used to complete the activities within each phase of the project. For example, prototyping is often used during initial project phases. Prototyping enhances a user s ability to visualize how systems will look and work after functional requirements are programmed. 42. Development Procedures Large-scale integrated systems Software development techniques Databases In addition, this section of the booklet looks at special requirements for: Large-scale integrated systems; Software development techniques; and Databases. FFIEC IT Examination Handbook Page 11

43. Booklet Organization Introduction Development Acquisition Maintenance Appendices Acquisition projects involve many of the same activities as development projects. 44. Development vs. Acquisition Similarities Approve project requests Define functional, security, and systems requirements Test and implement products In both situations, management should approve project requests, define functional, security, and system requirements, and test and implement products. 45. Development vs. Acquisition Similarities Differences Design and programming Bid solicitation Differences between the two processes occur when organizations replace application design and development activities with 46. Bid Solicitation Process Define requirements Distribute to third parties a bid solicitation process that involves developing detailed lists of functional, security, and system requirements and distributing them to third parties. FFIEC IT Examination Handbook Page 12

47. Potential Vendor Review Financial strength Support levels Security controls In addition to defining requirements and soliciting bids, organizations should also review potential vendors financial strength, support levels, and security controls prior to obtaining products or services. 48. Contract Review Once selections are made, management should review contracts and licensing agreements to ensure the rights and responsibilities of each party are clear and equitable. 49. Foreign-based Third Parties Acquiring software from foreign-based third parties presents additional challenges, and organizations should appropriately manage the unique risks presented by these arrangements. 50. Foreign-based Third Parties For example, organizations should decide which country s laws will control the relationship and ensure that they and their vendors comply with applicable laws and regulations. More information on issues institutions need to consider when dealing with foreign entities can be found in Appendix C of the Outsourcing Technology Services booklet. FFIEC IT Examination Handbook Page 13

51. Acquisition Escrowed source code and documentation Contracts and licensing agreements The D & A booklet supplements the acquisition section with two sub sections one on escrowing of source code and documentation and another on contracts and licensing agreements. 52. Escrow Allows institution to obtain source code and documentation if vendor cannot support the product Held by an independent third party Typically an institution will not receive the source code when software is licensed from a vendor. In the event the vendor cannot continue to support the software, due to bankruptcy for example, the institution will need access to the source code to make any necessary changes and updates. 53. SOURCE CODE ACCESS 9001,software"> <title>iso 9000-3, Evidence Checklist</title> </head> <body text="#000000" bgcolor="#ffffff" link="#000099" vlink="#551a8b" alink="#000099" LEFTMARGIN="0" TOPMARGIN="0" VALIGN="TOP" MARGINWIDTH="0" MARGINHEIGHT="0"> <center><table BORDER=0 CELLSPACING=0 CELLPADDING=0 COLS=1 WIDTH="100%" > To ensure the institutions have access to the source code, the code and accompanying documentation can be put into escrow with an independent third party. Under certain circumstances, the escrow agent may be authorized to release copies to specified parties. 54. Contracts and Licenses All contracts between an organization and a software vendor should clearly describe the rights and responsibilities of all the parties to the contract. FFIEC IT Examination Handbook Page 14

55. Contracts and Licenses Software licenses and copyright violations Software development specifications and performance standards Documentation, modification, updates, and conversion Bankruptcy Regulatory requirements Payments Representations and warranties Dispute resolution Agreement modifications Vendor liability limitations Security Subcontracting and multiple Vendor relationships Restrictions on adverse comments One of the most important licensing issues is the definition used for the precise scope of the license. Organizations should ensure licenses clearly state whether software usage is exclusive or nonexclusive, how many individuals at an organization can use the software, and whether there are any location limitations on its use. 56. Booklet Organization Introduction Development Acquisition Maintenance Appendices After an application or system is installed, it should be maintained. Often the resources required to maintain an application or system exceed those required to develop or acquire it. 57. 58. Maintenance Activities Hardware Software Documentation Maintenance Software maintenance Patch management Library controls Documentation Maintenance includes the routine servicing and periodic modification of hardware, software, and documentation. Organizations periodically upgrade or replace outdated or malfunctioning equipment to enhance security, performance, or storage. Software is often modified to address changed user requirements, rectify software problems, introduce new functionality, correct security vulnerabilities, or implement new technologies. Documentation maintenance is necessary to ensure technology related records, standards, and procedures are current and accurate. Maintenance issues addressed in the booklet include: Major, routine, and emergency changes, Software patches, Library controls, and Documentation maintenance. FFIEC IT Examination Handbook Page 15

59. Booklet Organization Introduction Development Acquisition Maintenance Appendices The booklet is supplemented with two appendices, Examination Procedures and a Glossary. Examiners should carefully select procedures that will provide the most appropriate risk-focused assessment of the development and acquisition activities of the institution being examined. 60. URSIT The workprogram parallels the risk assessment guidelines in the FFIEC Uniform Rating System for Information Technology. 61. Workprogram Checklists Development contracts Licensing agreements The workprogram also includes checklists for assessing other areas such as patch management, development contracts, and licensing agreements. 62. Conclusion In general, examiners should find the D & A booklet provides a basic overview of industry-standard project management techniques and a solid basis for assessing project management risks. FFIEC IT Examination Handbook Page 16

63. Conclusion Additionally, financial institutions should find implementation of various booklet concepts enhance their ability to, "identify, acquire, install, and maintain appropriate information technology systems. FFIEC IT Examination Handbook Page 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information