Auditing the Software Development Lifecycle ISACA Geek Week. Mike Van Stone Sekou Kamara August 2014

Similar documents
State of Oregon. State of Oregon 1

ITS Project Management

Project Management Plan for

The Final Quality Gate: Software Release Readiness. Nancy Kastl, CSQA Kaslen Group, Inc. (630)

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

OE PROJECT CHARTER TEMPLATE

SDLC- Key Areas to Audit in IT Projects ISACA Geek Week /21/2013. PwC

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010

Project Implementation Process (PIP)

Appendix 2-A. Application and System Development Requirements

Appeals Case Management System Project. Scope Management Plan. November 20, 2014

Driving Excellence in Implementation and Beyond The Underlying Quality Principles

Department of Administration Portfolio Management System 1.3 June 30, 2010

Information Technology Project Oversight Framework

RFP Attachment C Classifications

Using Microsoft SharePoint for Project Management

Appendix A-2 Generic Job Titles for respective categories

Release Management Policy Aspen Marketing Services Version 1.1

Project Management Life Cycle (PMLC)

Develop Project Charter. Develop Project Management Plan

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

PROJECT SCOPE STATEMENT

ID Task Name Time Pred

PROJECT MANAGEMENT PLAN TEMPLATE < PROJECT NAME >

Central Agency for Information Technology

U.S. Department of Education Federal Student Aid

CONTENTS. List of Tables List of Figures

Introductory Certificate. The APM Project Fundamentals Qualification

Project Management Guidelines

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Feature. A Higher Level of Governance Monitoring IT Internal Controls. Controls tend to degrade over time and between audits.

Integrating Project Management and Service Management

MNLARS Project Audit Checklist

COMMONWEALTH OF MASSACHUSETTS EXECUTIVE OFFICE OF HEALTH AND HUMAN SERVICES

Information Technology Services Project Management Office Operations Guide

Data Governance Center Positioning

Domain 1 The Process of Auditing Information Systems

Bridging Development and Operations: The Secret of Streamlining Release Management

DEVELOPING AN IT SERVICE MANAGEMENT TRAINING STRATEGY & PLAN. Version : 1.0 Date : April 2009 : Pink Elephant

SIEM Implementation Approach Discussion. April 2012

Project Lifecycle Management (PLM)

Business Resiliency Business Continuity Management - January 14, 2014

Requirements Change Management

Unifying IT Vision Through Enterprise Architecture

The PNC Financial Services Group, Inc. Business Continuity Program

Presented By: Leah R. Smith, PMP. Ju ly, 2 011

U.S. Department of Education Federal Student Aid

Life Cycle Quality Gates

Skatteudvalget (2. samling) SAU Alm.del Bilag 48 Offentligt. Programme, Project & Service Management Analysis

PHASE 1: INITIATION PHASE

hi Information Technologies Change Management Standard

How To Integrate Legacy Management With Distributed Systems

MKS Integrity & CMMI. July, 2007

Crosswalk Between Current and New PMP Task Classifications

No Surprises! The Support Center s Role in Successful Change and Release Management

VA Office of Inspector General

Incident Standard Service Request Information Request. IT Request. Minor/Low Impact Change to Existing Service. Capture and refine the idea

Implementing a Data Governance Initiative

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

PHASE 8: IMPLEMENTATION PHASE

Defining a Governance Model for Portals

Enterprise Test Management Standards

Stakeholder management and. communication PROJECT ADVISORY. Leadership Series 3

ISO :2005 Requirements Summary

Project Integration Management

ITS Project Management Methodology

UDC Software Development Life Cycle

Release Management: Effective practices for IT delivery

PMP Examination Tasks Puzzle game

Enterprise Project and Portfolio Management Implementation Project. Update to the ETS Customer Utility Board Julie Pearson May 27, 2015

Certified Information Security Manager (CISM)

INFORMATION TECHNOLOGY PROJECT EXECUTION MODEL GUIDE FOR SMALL AND MEDIUM PROJECTS

Agenda. Project Management Pain Points. Solution Option Highlights. The Dark Side. Discussion. Identify your business needs / requirements

PROJECT SCOPE STATEMENT

BAL2-1 Professional Skills for the Business Analyst

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

PROJECT DELIVERY METHODOLOGY (PDM) Florida Department of Transportation Office of Information Systems. Business Systems Support Office

Control Design & Implementation Week #5 CRISC Exam Prep ~ Domain #4. Bill Pankey Tunitas Group. Job Practice

CISM ITEM DEVELOPMENT GUIDE

Integration Mgmt / Initiating Process Group 4.1 Develop Project Charter

Essential Elements for Any Successful Project

Program Lifecycle Methodology Version 1.7

PHASE 3: PLANNING PHASE

The ITS Project Management Framework

PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE:

Business Performance & Data Quality Metrics. David Loshin Knowledge Integrity, Inc. loshin@knowledge-integrity.com (301)

Collaborating for Quality in Agile Application Development From Beginning to End

Project and Operational processes, Key differences. Gotchas when deploying projects into operations

How To Write A Project Management Plan

Company A Project Plan

The Road to Enterprise Data Governance: Applying the Data Management Maturity Model in a Financial Services Firm

Sound Transit Internal Audit Report - No

Draft Document STATE OF MICHIGAN. SACWIS Planning Department of Human Services Strategic Implementation Plan: Project Staffing

Project Governance Plan Next Generation Project Oregon Military Department, Office of Emergency Management, Program (The OEM 9-1-1)

THE COMPLETE PROJECT MANAGEMENT METHODOLOGY AND TOOLKIT

Transcription:

Auditing the Software Development Lifecycle ISACA Geek Week Mike Van Stone Sekou Kamara August 2014

Agenda Introduction Audit Scope Project Initiation SDLC Processes Stakeholders Common Development Methodologies Auditing the Software Development Lifecycle Other Key Topics ERP Application Controls Secure Development

Audit Scope Project Governance IT Controls Financial Controls

Project Initiation Is the project aligned with the company s strategy? Are there adequate supporting artifacts? Strategic plan Business case or scoping document (features) Project charter Executive sponsorship

SDLC Processes Process Overviews Project Initiation Governance Functional and Technical Requirements Coding Process Overviews Quality Assurance Rollout Plan Product Readiness Implementation Support

SDLC Stakeholders Senior Leadership Team Product Management Development Quality Assurance Compliance/Legal Information Security Chief Technology Office Project (or Program) Management Office Accounting/Finance Sales Services Training Support Data Center Customer Operations

Common Development Methodologies Iterative

Auditing the Software Development Lifecycle

Governance Are the project management policies, procedures, and standards complete and up-to-date? Development, maintenance, and monitoring Common tools and training on tools How effective is the project planning and management oversight? Stakeholder engagement Risk and issue management Resource management Inter-dependencies and ongoing communications Scope change controls Project closure and hands-off

Project Planning Are estimates based on complexity and completeness of required activities? Is the team considering other dependencies when prioritizing key tasks? Does the plan highlight critical path versus critical activities? How are inter-dependent project plans synchronized and maintained? Are key task owners identified in the project plan? Do major milestones align with the business case? Has the project plan been formalized reviewed and approved by the project sponsor?

Risk & Issue Management Have issue documentation and prioritization standards been established? Is the risk and issue register periodically reviewed? Are risks and issues escalated to appropriate level of management per the issue and risk management policy? Do the issue management standards distinguish between risks and issues? Is there a process to promote the sharing of knowledge of workarounds and lessons learned? Is there a standard issue management tool with appropriate access controls? Does the project team audit the risk and issue register against project management standards?

Resource Management Is there a complete integrated enterprise resource plan? Are resource model assumptions documented and significant changes revalidated? Can the resource plan requirements align with the business case and financial forecasts? Is there an up-to-date resource availability calendar? Has the availability of shared resources been evaluated? Can the project plan highlight resource shortages in the enterprise resource management plan?

Ongoing Communication Is the communication plan designed to inform both technical (IT) and nontechnical (business) personnel? Is the communication effort focused on: Promoting dialogue between project teams (regular team update)? Creating awareness about the progress, risks, and issues? Building cooperative environment? Managing and preventing conflict? Getting stakeholders input and maintaining executive commitment? Communicating and addressing risks and issues as soon as they are identified? Has the plan been documented and assigned an owner? Effective communication involves more than the periodic status deck

Scope Change Controls Are all change requests submitted in writing and/or are all changes traceable? How is the project manager ensuring that everyone (requester, reviewer, approver, and implementer) follows the change control process? Is there an exception procedure for emergency changes? Are approvals obtained after an impact analysis? The goal is to minimize change impact through communication and coordination.

Functional and Technical Requirements Have business requirements been adequately documented and vetted with process owners, analysts, and end users? Can the requirements be traced to business case objectives? Are there standards for documenting requirements? Have implementation requirements been considered? Is the design team considering key technical criteria such as: compatibility, extensibility, fault-tolerance, maintainability, and integration? Do the requirements include security and regulatory compliance? Has the architectural team provided visibility to the technology platform and strategies?

Coding Is the process designed to support the development workflow? Has a policy been implemented to facilitate environment planning, prioritization, and security? Has the team established peer code review process? Are automated testing scans performed against coding standards? What controls are in place to ensure adequate version control, code review, and code promotion? Is there a policy governing the use of open source code?

Quality Assurance Have quality requirements been defined including how to measure them? Are coding and naming standards included in quality control requirements? Does the project plan include steps for testing quality before a quality assurance validation? Does the project team include an independent quality assurance function? Is there a follow-up point to ensure quality between project phases? Is there an exception handling process?

Rollout Plan Did the team include the transition/rollout activities in the project plan with due dates/owners? Did the plan include testing to ensure the product will meet all requirements in full production? Has the team finalized all documentation including user and technical training material? Are the help desk and operations teams ready to support users and the system without relying on the project team? Was the rollout schedule coordinated with user training? Does the project plan include steps to formally close the project and obtain all sign-offs?

Product Readiness Is there a product general availability approval process evidenced by supporting documentation? Key criteria include: Customer testing (pilot) Patch management plan Minimum quality/defect requirements Exceptions and follow-up plans

Implementation Is there a detailed implementation plan with major milestones? Did the planning include coordination with development and support? Is the implementation schedule aligned with customer readiness and other priorities? Is there an effective implementation issue management process including triage and escalation of issues? Does the process include knowledge sharing among various teams? Have the go/no-go criteria been defined and approved by management? Is there a tested back-out plan? Is the transition plan approved by both implementation and support? What are the sign-offs requirements?

Transition to Support

Other Key Topics

Financial Controls How are project expenses tracked against approved business case? Are revisions to the business case approved by the right level of management? Is time accurately tracked and managed against budgets? Is vendor performance aligned with spending to date? Is the software capitalization impairment analysis completed and documented? Is there a formalized process for revenue recognition and capitalization journal entry review? Is there a product pricing review board?

ERP Controls Is there an access and segregation of duties design matrix? Have automated accounting instructions been assessed? Intercompany eliminations? Transaction mapping? Account rollups? Are there adequate supporting documents for the design and controls for: Interfaces? Job scheduling? Report design? Application controls and integrity reporting? Are policies, procedures, and process flows kept to date?

Appendix

Product Development Security Framework Security training Security requirements in design Threat modeling Design reviews Quality assurance testing Access reviews General availability (and interim gating) Incident response planning

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information