MIS 5203. Systems & Infrastructure Lifecycle Management 1. Week 13 April 14, 2016

Similar documents
A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Vulnerability management lifecycle: defining vulnerability management

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

ITSM Process Description

Product Build. ProPath. Office of Information and Technology

Adobe Systems Incorporated

Release Management Policy Aspen Marketing Services Version 1.1

Program Lifecycle Methodology Version 1.7

Appendix A-2 Generic Job Titles for respective categories

California Department of Technology, Office of Technology Services WINDOWS SERVER GUIDELINE

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Domain 1 The Process of Auditing Information Systems

How To Audit The Mint'S Information Technology

Appendix 2-A. Application and System Development Requirements

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Secure Development Lifecycle. Eoin Keary & Jim Manico

Enabling Continuous Delivery by Leveraging the Deployment Pipeline

SRA International Managed Information Systems Internal Audit Report

HP Fortify application security

DIVISION OF INFORMATION SECURITY (DIS)

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

Information Systems Development Process (Software Development Life Cycle)

Network Configuration Management

N e t w o r k E n g i n e e r Position Description

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

The ITIL Foundation Examination

PHASE 5: DESIGN PHASE

Your Software Quality is Our Business. INDEPENDENT VERIFICATION AND VALIDATION (IV&V) WHITE PAPER Prepared by Adnet, Inc.

Certified Information Systems Auditor (CISA)

INFORMATION TECHNOLOGY SERVICES IT CHANGE MANAGEMENT POLICY & PROCESS

EXHIBIT L. Application Development Processes

Patch and Vulnerability Management Program

Colorado Department of Health Care Policy and Financing

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Control Design & Implementation Week #5 CRISC Exam Prep ~ Domain #4. Bill Pankey Tunitas Group. Job Practice

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Standard: Web Application Development

FOLLOW-UP REPORT Change Management Practices

Microsoft SDL: Agile Development

THE TOP 4 CONTROLS.

Page 1 of 8. Any change, which meets the following criteria, will be managed using IM/IT Change Management Process.

Building Security into the Software Life Cycle

Project Lifecycle Management (PLM)

Cybersecurity and internal audit. August 15, 2014

Software Application Control and SDLC

IT Sr. Systems Administrator

Information Technology Services Classification Level Range C Reports to. Manager ITS Infrastructure Effective Date June 29 th, 2015 Position Summary

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

December 21, The services being procured through the proposed amendment are Hosting Services, and Application Development and Support for CITSS.

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

SAFECode Security Development Lifecycle (SDL)

Streamlining Patch Testing and Deployment

Critical Controls for Cyber Security.

! Resident of Kauai, Hawaii

THE BLUENOSE SECURITY FRAMEWORK

Certified Identity and Access Manager (CIAM) Overview & Curriculum

Managing and Maintaining Windows Server 2008 Servers

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia

Novo Service Desk Software

Technology Risk Management

DELL. Unified Server Configurator Security Overview. A Dell Technical White Paper. By Raja Tamilarasan, Wayne Liles, Marshal Savage and Weijia Zhang

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Cisco Network Optimization Service

Bellevue University Cybersecurity Programs & Courses

Autodesk PLM 360 Security Whitepaper

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

CCIT Technical Support Policy

Example Software Development Process.

Check Point and Security Best Practices. December 2013 Presented by David Rawle

Network Test Labs (NTL) Software Testing Services for igaming

SERVICE EXCELLENCE SUITE

Project Management Plan for

The Protection Mission a constant endeavor

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

What is a life cycle model?

OFFICE OF THE CITY AUDITOR

PHASE 8: IMPLEMENTATION PHASE

Cisco Change Management: Best Practices White Paper

SIEM Implementation Approach Discussion. April 2012

Why Test ITSM Applications for Performance? Webinar

ITIL Service Lifecycles and the Project Manager

HP Server Automation Standard

Integrating web application security control in the system development lifecycle

Securing the Service Desk in the Cloud

The ITIL v.3 Foundation Examination

Service Catalog. it s Managed Plan Service Catalog

Professional Services Overview

California Department of Technology, Office of Technology Services AIX/LINUX PLATFORM GUIDELINE Issued: 6/27/2013 Tech.Ref No

TIBCO Spotfire and S+ Product Family

Software Testing Lifecycle

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

R3: Windows Server 2008 Administration. Course Overview. Course Outline. Course Length: 4 Day

The ITIL Foundation Examination

Root Cause Analysis Concepts and Best Practices for IT Problem Managers

Information Technology Engineers Examination. Information Technology Service Manager Examination. (Level 4) Syllabus

Transcription:

MIS 5203 Lifecycle Management 1 Week 13 April 14, 2016

Study Objectives Systems Implementation contd Configuration Management Monitoring and Incident Management Post implementation Reviews Project Success Criteria Lesson Learned Secure SDLC 2

Configuration Management What s the role of Configuration Management? Managing access to the program files such as source code to the authorized individuals (developers for code, for example) Prevent corrupting the program by accidently overwriting by one user, when other user is also working on the same module Provide ability to check out and check in Provide ability to keep separate versions of the program to track the changes 3

Configuration Management What s the role of Configuration Management? Managing access to the program files such as source code to the authorized individuals (developers for code, for example) Prevent corrupting the program by accidently overwriting by one user, when other user is also working on the same module Provide ability to check out and check in Provide ability to keep separate versions of the program to track the changes 4

Configuration Management Tools Used for Configuration Management TFS (Team Foundation Server) in Microsoft Development Environment CVS for Java Environment Continuus Artifacts typically managed by a Configuration Management Tool Code Design Configuration files Test Scripts Release Management Documentation Reports DDLs 5

Configuration Management Contd. Checking-out /Checking-in An artifacts can be checked in in the Configuration Management Tool (version n) Subsequent version must be checked out before changes can be made. Once the changes have been made and tested, the artifact can be checked back in as the next version (version n+1) Configuration Management Policy Should be developed, and the process should be understood be the developers, designers, tester, etc. 6

Monitoring and Incident Management Monitoring deals with keeping an eye to the vital signs of the systems in production There can be different types of monitoring OS and hardware monitoring Database monitoring Application monitoring Response time Error rate Monitoring availability of the system Helps in the performance measurement of the project 7

Monitoring and Incident Management Incident Management ensures if an incident has occurred such as outage or a problem ticket is reported, the incident is properly handled and the problem is resolved in timely manner In the outage situation various teams such as Level 1, Level 2, and Level 3 support should get engaged on as needed basis Communication to the stakeholders including IT and Business Management and User community are notified in timely manner on the progress of resolution RCA (Root Cause Analysis) and Corrective Actions should be documented and followed-up on to avoid repetition of the similar incident 8

Auditing Implementation Review data conversion plan and test results to ensure proper conversion of data (accuracy and completeness) Review User-Acceptance plan, involvement of Users, and the results, to ensure user buy-in Ensure proper Change Management procedure has been in place to ensure Change has been documented, artifacts planned, and approved by stakeholders test results, implementation steps, roll-back plan, etc. are there and previously tested All the changes to the programs during the testing has been incorporated A smoke or mini-regression test is performed after the change to the programs has been frozen Review implementation approach and if that is appropriate (parallel changeover, phased changeover, abrupt changeover) 9

Auditing Implementation contd. Go decision has been made by the stakeholder (typically User Management, Business, Development, Testing, and Project Manager) as part of go/ no-go decision typically before the day of implementation Ensure a communication plan has been developed during implementation and after successful implementation Verify the best practices for implementation is in place such as practice related to minimizing user impact only authorized access to production environment to the Operation team (developers shouldn t have access) Ensure production performance monitoring, incident management, and outage management processes are in place to address any production issues in timely manner 10

Questions What kind of testing(s) is/are done as part of Software implementation? A. Regression B. Progression C. UAT D. Smoke 11

Questions What kind of testing(s) is/are done as part of Software implementation? A. Regression B. Progression C. UAT D. Smoke 12

Phase 1 Feasibility Phase 2 Requirements Post Implementation Review Phase 3 Design/Selection What is applicable to Post Implementation Reviews? Phase 4 Development/ Configuration Phase 5 Implementation Phase 6 Post Implementation A. Conduct Lesson Learned Meetings B. Assess the actual benefit of the project against the Business Case C. Closing the project D. Assign Open Action Items to the relevant teams E. Fix the outstanding issues and conduct postimplementation reviews again and again until the project benefits are realized 13

Phase 1 Feasibility Phase 2 Requirements Post Implementation Review Phase 3 Design/Selection What is applicable to Post Implementation Reviews? Phase 4 Development/ Configuration Phase 5 Implementation Phase 6 Post Implementation A. Conduct Lesson Learned Meetings B. Assess the actual benefit of the project against the Business Case C. Closing the project D. Assign Open Action Items to the relevant teams E. Fix the outstanding issues and conduct postimplementation reviews again and again until the project benefits are realized 14

Steps for Post Implementation Reviews 1. Review Project Performance Business benefits against business case 2. Review Project Conformance Did the project meet the project plan? Was the project delivered on time? Was the project delivered on budget? Was the project delivered with acceptable quality? Did the project conform to the communication, change management, risk management, issue management, and vendor management goals 3. Identify project accomplishments 4. Identify major issues or failure 5. Identify Lesson Learned 6. Close the Project Adapted from http://blog.method123.com/2007/01/01/postimplementation-review/ 15

Benefit Realization Measurement Once the project is implemented Business Owner and IT Leaders typically collaborate to measure the benefits of the project Benefit Cost analysis, NPV etc. are quantitative measures that can be computed over time The benefit can be compared against original business goals This analysis often helps in prioritizing new functionality or enhancements for future projects Sometimes, if the benefit is not as thought initially to be, the management team can make a decision not to continue with the future phases of the projects 16

Project Conformance Against the planned goals within the standard Project Management areas Time, Budget, Quality are 3 major KPIs 17

Project Accomplishments and Failures These could be functional or process related Could be quantitative or qualitative Not restricted to financial goals 18

Lesson Learned Meetings Also called sometimes post mortem Development, Test, Business Partners, Users typically after a Release Implementation get together to Discuss activities that went well Pain areas and challenges What can be done better The topics include all areas including processes, communication, functional items, scope etc The goal is to learn from each other and become better Action Items are often documented and managed by the Release Manager to be incorporated in the next or future releases 19

Closing a Project Typically after implementation of one or more releases of the project When project is implemented for most part and the benefit is realized, or when the project is implemented and benefits thought not to be as expected Major follow-ups can be recorded and provided to the key stakeholders The project team is disbanded 20

Post Implementation Reviews Additional References ITIL Library http://wiki.en.itprocessmaps.com/index.php/checklist_post_im plementation_review_%28pir%29 21

Secure SDLC Secure SDLC has a lot of emphasis today where Cyber Security is a key maturing discipline in organizations Spans all phases of SDLC Waterfall: Secure Requirements, Design, Coding, Testing, Implementation, Infrastructure, Operations Agile: Secure SDLC user stories Training and Secure SDLC is a key area of focus Constant Vulnerability Management is Required Code and System scanning Remediation 22

Secure SDLC Applicable All Across Development & Operation Phase 1 Feasibility Phase 2 Requirements Phase 3 Design/Selection Phase 4 Development/ Configuration Phase 5 Implementation Phase 6 Post Implementation Data Protection Requirement (sensitive, public, PII, etc.) Accessibility of system and data User Access Partner communication Reports Non-functional requirements Threat modeling Infrastructure design System logic design least privilege, logics on protected servers, tiered architecture Authentication / Password Management Cryptography Input validation / Output Encoding Session Management Access Control Error Handing and Logging Data Protection Communication Security Database Access File Access Memory management System configuration Coding and UT Developer training Application of Secure Coding design principles Static code analysis with the build Secure coding modules such as for cryptography Peer reviews Testing Vulnerability scanning or penetration testing Dynamic code analysis Security Metrics Tools Threadfix Dell Secureworks Hardware/OS scanning Change Management controls Access to production systems using least privilege for hardware, network, OS, Services Firewalls across application tiers Multiple network zone Regular Production system scanning or penetration testing Vulnerability prioritization and mitigation Adherence to standards for cryptography, communication, etc. Access control reviews 23

Secure SDLC Further Read Secure Coding Not just for code, but includes design concepts https://www.owasp.org/index.php/owasp_secure_coding_practices_-_quick_reference_guide A good Secure SDLC presentation http://www.issala.org/wp-content/uploads/jim-manico-sdlc-architecture-v14.pdf 24

Upcoming Assignments/Tests 1. Group Case Study -3 (Testing): Thu 4/14 before the class 2. Extra Credit for Class Participation: Choose your own topic. 3-5 pages of Report, Analysis, Design, etc within the domain of SDLC. Due: Thu 4/21 before the class. Send an email to Vasant with you work. Encourage you Submit a hard copy in the class as well. Note: As we discussed in the class on 4/7, this exercise is at request of some of you, and is OPTIONAL 3. Final (multiple choice questions 40-50 modeled after CISA exam. Covers entire course.): Thu 4/28 Note: We will use TU Classroom Exam Answer Sheet (bubble sheet). Bring your pencils in the class Questions? 25

Summary of Today s Class Change Management Release Management Post Implementation Review Secure SDLC Focus of the Next Class and Reading Questions 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information