Upload
oliver-benson
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
Group 4
Knowledge in IS/IT processes and standards
Group 4 Members• 951765 吳劉軒 COBIT• 961633 謝彥敏 ILIT • 961742 謝泓廷 PCIDSS• 961716 陳冠嘉 CISSP• 961748 許逸民 ISMS• 961717 蕭宇婷 BS25999• 961741 江柏緯 ISO/ICE 12207• 961720 顏伯旭 ISO 20000• 961747 游原丞 ISO/ICE 38500• 971715 范雋彥 ISO 15288• 971704 黃馨儀 CMMI
COBIT
951765 吳劉軒
What is the COBIT? (Control Objectives for Information and related Technology)
COBIT is the set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.
IT Governance Focus Areas
COBIT Principle
COBIT Cube
COBIT Package Content
• Executive Summary • Governance and Control Framework • Control Objectives • Management Guidelines • Implementation Toolset Guide
• IT Assurance Guide
The Difference Between COBIT and Other IT/IS Standards
• ISO/IEC 27002 (was ISO17799) is an international standard which provides best practice advice and guidance on Information Security. ITIL is source of best practice information and processes relating to the delivery of IT as a service.
COBIT and the above standards/frameworks can be used together to
achieve process improvement. COBIT does not supply a how-to route map for implementation of IT or Information Security best-practices. This is where ISO/IEC 17799 and ITIL come in. They supply best practice information and processes. COBIT provides a us the control by which we can measure the processes contained in ISO 17799 and ITIL and which can be leveraged for process improvement.
COBIT Structure
COBIT includes 34 IT processes that
are grouped into four domains. The
four domains are:• Plan and Organize • Acquire and Implement • Deliver and Support • Monitor and Evaluate
IT Processes Using COBIT_1
IT Processes Using COBIT_2
What are the benefits of implementing COBIT?
• A common language for executives, management and IT professionals
• A better understanding of how the business and IT can work together for
• successful delivery of IT initiatives• Improved efficiency and optimization of cost• Reduced operational risk• Clear policy development• More efficient and successful audits• Clear ownership and responsibilities, based on process
orientation• as a tool for Sarbanes-Oxley Act Compliance
Certification Institution
• http://www.iiiedu.org.tw/ites/COBIT.htm
• http://edu.uuu.com.tw/
• http://www.isaca.org/
The Picture Of COBIT License
ITIL Information Technology
Infrastructure Library
961633 謝彥敏
What is ITIL
• ITIL is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations.
• Developed by the Office for Government Commerce (OGC) in England
• ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
ITIL
• Information flow modularization For manage IT Infrastructure including
hardware, software, organization communicating, process, documents and employee.– Help Desk– 10 management process modules
• IT Service Support• IT Service Delivery
ITIL v3 library
• Five volumes comprise the ITIL v3, published in May 2007:– ITIL Service Strategy– ITIL Service Design– ITIL Service Transition– ITIL Service Operation– ITIL Continual Service Improvement
ITIL v3 process model
ITIL v3 library
Service Strategy • Providing guidance on clarification and
prioritization of service-provider investments in services.
• Key topics covered include service value definition, business-case development, service assets, market analysis, and service provider types.
ITIL v3 library
Service Design • Providing good-practice guidance on the
design of IT services, processes, and other aspects of the service management effort.
ITIL v3 library
Service Transition
• Related to the delivery of services required by a business into live/operational use, and often encompasses the "project" side of IT rather than "BAU" (Business as usual).
ITIL v3 library
Service Operation • The part of the lifecycle where the services
and value is actually directly delivered.
• The monitoring of problems and balance between service reliability and cost etc are considered.
ITIL v3 library
Service Improvement • Service Improvement aims to align and
realign IT Services to changing business needs by identifying and implementing improvements to the IT services that support the Business Processes.
ITIL v3 Life Cycle
Certification Institutions
• ITIL Certification Management Board (ICMB)
- EXIN
- ISEB
Payment Card Industry Data Security Standard( PCI DSS )
961742 謝泓廷
What is PCI DSS? 1. The standard was created to help
organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.
2. PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customer's credit card data.
It include six principles and twelve requirements
1.Build and Maintain a Secure Network
a. Install and maintain a firewall configuration to protect cardholder data b. Do not use vendor-supplied defaults for system passwords and other security parameters
2.Protect Cardholder Data
c. Protect stored cardholder data d. Encrypt transmission of cardholder data across open, public networks
3.Regularly Monitor and Test Networks
e. Track and monitor all access to network resources and cardholder data f. Regularly test security systems and processes
4.Maintain an Information Security Policy
g. Define information security responsibilitiesh. Maintain a policy that addresses information security
5.Maintain a Vulnerability Management Program
i.Use and regularly update anti-virus software j.Develop and maintain secure systems and applications
6.Implement Strong Access Control Measures
k. Restrict access to cardholder data by business need-to-know l. Assign a unique ID to each person with computer access
Steps to reach the standard
1. QSA: Qualified Security Assessor(third-party validator)
1. ASV: Approved Scanning Vendor (third-party scanning service provider)
1. SAQ:Self-Assessment Questionnaire
Self-Assessment Questionnaire
• 1. A validation tool intended to assist merchants and service providers in self-evaluating their compliance .
TÜV Rheinland Group is a QSA
Qualys is an Approved Scanning Vendor (ASV)
Certification Level1.PCI DSS include four levels. Different organizations reach the standard according to the transaction volume.
Certification Institutions
• 1. Payment Card Industry Security Standards Council. (PCI SSC).
• 2. The PCI SSC is also responsible for the training and QSA and ASV that validate merchant and service provider.
Certified Information Systems Security
Professional(CISSP)
961716 陳冠嘉
What is CISSP?
1. CISSP is a certification for a information security professionals. Certified Information Security Professional is offered by the International Information Systems Security Certification Consortium.
What is CISSP?
2. A certification reflecting the qualifications of information systems security practitioners. The CISSP covering topics such as Access Control Systems, Cryptography, and Security Management Practices.
What is CISSP?
3. Employers feel the need to protect their assets and their networks. Hackers had evolved a group of specialized malicious code writers and spread their code over the internet.
CISSP ten domains
CISSP include ten domains1.Access Control
– For access control on a highway, see limited-access highway. For standardised forms of names in a library catalog, see authority control
2. Application Development Security – Application security encompasses measures taken
throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, maintenance of the application
3. Business Continuity and Disaster Recovery Planning– After a disaster , Enterprises can continue to operate &
Expected to shorten the impact on business interruption time after disaster
CISSP include ten domains4. Cryptography
– Modern cryptography intersects the disciplines of mathematics, computer science, and engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce.
5. Information Security Governance & Risk Management– The information used by an organization to implement
comprehensive management, in order to properly protect the information.
– Risks can come from uncertainty in financial markets, project failures credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary.
CISSP include ten domains6.Legal, Regulations, Investigations and Compliance
– Laws, regulations and other legal obligations the company advice and staff training.
Include (1)Major Legal Systems
(2)Common and Civil Law
(3)Regulations, Laws and Information Security
7.Operations Security
– Operations security is a process that identifies critical information to eliminate or reduce adversary exploitation of friendly critical information.
CISSP include ten domains8.Physical (Environmental) Security
– Physical security can be as simple as a locked door or as elaborate as multiple layers of armed Security guards and Guardhouse placement.
9.Security Architecture and Design– A computer security model is a scheme for specifying
and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distribute computing, or no particular theoretical grounding at all.
10. Telecommunications and Network Security– Include (1)The concept of network security and risk (2)Business goals and network security
CISSP information security develop cycle
Five processes to become a certified CISSP
1. Examination 2. Certification3. Endorsement 4. Audit5. Maintenance Requirements
Certified Organization
(ISC) 2 is the top information security certification organizations, was founded in 1989, and now has more than 120 countries to more than 50,000 security experts awarded the relevant certificates. (ISC) 2 now offers the following six kinds of authentication
Certified Organization1. SSCP (Systems Security Certified Practitioner)
2. CAP (certification and evaluation experts)
3. CISSP (Certified Information Systems Security Professional)
4. CISSP upgrade version of the CISSP-ISSAP (Information Systems Security Architecture Expert)
5. CISSP-ISSMP (Information Systems Security Management Specialist)
6. CISSP-ISSEP (Information Systems Security Engineering Expert)
ISO 27000-series--Information security
management systems (ISMS) 961748 許逸民
What is ISO 27000-series
• The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization(ISO) and the International Electrotechnical Commission (IEC).
• The series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS).
ISMS implementation and certification process flowchart
ISO/IEC 27003
• Full name:ISO/IEC 27003 — Information security management system implementation guidance
• The purpose of ISO/IEC 27003 is to provide help and guidance in implementing an ISMS (Information Security Management System).
How to Implementing an ISMS
1. Obtaining management approval for initiating an ISMS project. (Chapter 5 in ISO/IEC 27003)
2. Defining ISMS scope, boundaries and ISMS policy. (Chapter 6)
3. Conducting information security requirements analysis. (Chapter 7)
4. Conducting risk assessment and planning risk treatment. (Chapter 8)
5. Design the ISMS. (Chapter 9)
1.Obtaining management approval for initiating an ISMS project
• Clarify the organization’s priorities to develop an ISMS.
• Define the preliminary ISMS scope.
• Create the business case and the project plan for management approval.
2.Defining ISMS scope, boundaries and ISMS policy
• Define organizational scope and boundaries.
• Define information communication technology (ICT) scope and boundaries.
• Define physical scope and boundaries.• Integrate each scope and boundaries to
obtain the ISMS scope and boundaries • Develop the ISMS policy and obtain
approval from management
3.Conducting information security requirements analysis
• Define information security requirements for the ISMS process.
• Identify assets within the ISMS scope.
• Conduct an information security assessment.
4.Conducting risk assessment and planning risk treatment
• Conduct risk assessment.
• Select the control objectives and controls .
• Obtain management authorization for implementing and operating an ISMS.
5.Design the ISMS
• Design organizational information security.
• Design ICT and physical information security.
• Design ISMS specific information security.
• Produce the final ISMS project plan.
ISO/IEC 27001
• Full name: ISO/IEC 27001 — Information security management systems — Requirements
ISO 27001 Audit Process
Stage1Informal Review
of ISMS
Stage2Formal
ComplianceAudit
Stage3Follow-upReviews
Audit Process: Stage1
• Stage 1 is a preliminary review of the ISMS.
• This stage serves to familiarize the auditors with the organization.
Audit Process: Stage2
• Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001.
• Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
Audit Process: Stage3
• Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard.
• Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually.
ISMS Certification/Consulting
• Certification:Bureau of Standard, Metrology & Inspection, M.O.E.A., R.O.C.
• Consulting:– CHYUN-HUNG INTERNATIONAL BUSINESS
CO., LTD.– ETBEST INTERNATIONAL Co. Ltd.
BS 25999 Business Continuity
ManagementReference numberBS 25999-2:2007
©BSI 2007961717 蕭宇婷
What is BS 25999?
Definition:
BS 25999 is British Standards Institution's standard in the field of Business Continuity Management. The standard establishes the process, principles and terminology of BCM.
BS 25999(I)
1. BS 25999 aims to achieve:① Provides a basis for understanding business
continuity management.
② Provides a means of measurement that is consistent and recognized.
③ Provides a system based on established good practice.
BS 25999(II)
2. BS 25999 comprises two parts.① The first part of BS 25999 (BS 25999-
1:2006) was published by the British Standards Institution in December 2006.
② The second part of BS 25999 (BS 25999-2:2007) was published in November 2007.
BS 25999-1:2006
a. The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance and seeks to establish processes, principles and terminology for Business Continuity Management.
BS 25999-2:2007
b. The second, "BS 25999-2:2007 Specification for Business Continuity Management", specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.
PLAN-DO-CHECK-ACT model
The Process of BS 25999-2:2007(I)
1. Planning the Business Continuity Management System.(PLAN)
• The first step requires that the organization defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined.
• Also establish business targets, controls, processes and procedures.
The Process of BS 25999-2:2007(II)
2. Implementing and Operating the BCMS. (DO)
a. Internal Audit• If the organization already has an internal
audit function it may make sense to utilize the processes and procedures already being used.
• Even personnel not specifically trained in business continuity may be used as internal audit should be an objective process.
The Process of BS 25999-2:2007(III)
b. Management Review• Management review would ordinarily be an
annual exercise involving review of internal and external audit activity, resources and other inputs and outputs.
• The overall objective of the management review is to determine if the BCMS continues to meet the organizations needs.
• A management review may also take place in light of significant organizational change.
The Process of BS 25999-2:2007(IV)
3. Monitoring and Reviewing the BCMS.(CHECK)
• To ensure that the BCMS is continually monitored the Check stage covers internal audit and management review of the BCMS.
• Developing and implementing a BCM response. Include incident management structures, incident management and business continuity plans.
The Process of BS 25999-2:2007(V)
4. Maintaining and Improving the BCMS.(ACT)• To ensure that the BCMS is both maintained
and improved on an ongoing basis this step looks at preventative and corrective action.
• The standard requires that organizations continually improve the general effectiveness of the BCMS with a mixture of both preventative and corrective actions.
The Process of BS 25999-2:2007(VI)
• Preventative and corrective actions are identified by a range of activities such as audits, event analysis or management reviews.
• They have to be formally recorded and acted upon and these records held for inspection.
The Process of BS 25999-2:2007(VII)
• Exercising, maintenance, audit and self-assessment of the BCM culture.
• Without testing the BCM response an organization cannot be certain that they will meet their requirements.
• Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organizations goals.
The Process of BS 25999-2:2007(VIII)
Conclusion:
The general requirement of the standard is that the organization, fairly obviously, develops, implements, maintains and improves a business continuity management system in line with familiar the PLAN-DO-CHECK-ACT model.
ISO/IEC 12207software lifecycle processes
961741 江柏緯
Reference Number :ISO/IEC 12207:2008
©ISO 2008
What is ISO/IEC 12207?
Definition
ISO 12207 is an ISO standard for software lifecycle processes. It aims to be the standard that defines all the tasks required for developing and maintaining software.
Five Processes of ISO/IEC 12207
1. Acquisition Process
2. Supply Process
3. Development Process
4. Operation Process
5. Maintenance Process
Acquisition Process (I)① Start acquisition :
The need is described why to acquire,
develop, or enhance a product; System requirements are defined and approved if applicable Evaluation of other options, like a purchase of an off-the-shelf product or enhancement of an existing
product; ……
Acquisition Process (II)
② Request for proposal preparation:
③ Prepare Contract Selection procedure for suppliers are developed; Suppliers, based on the developed selection
procedure, are selected; The tailor-made ISO/IEC 12207 standard must be
included in the contract;
Acquisition Process (III)
④ Negotiate changes Negotiations are held with the selected suppliers
⑤ Update contract Contract is updated with the result from the
negotiations in the previous activity.
⑥ Supplier monitoring Activities of the suppliers according to the agreements made are
monitored
⑦ Acceptance and completion
Supply Process
① The supply phase a project management plan is developed.
② This plan contains information about the project such as different milestones that need to be reached.
③ This project management plan is needed during the next phase which is the development phase.
Development Process (I)
① Define software requirements: Gather the software requirements, or demands, for the product that is to be created.
② Create High level design: A basic layout of the product is created
③ Create Module design:
Development Process (II)④ Coding
The code is created according to the high level design and the module design.
⑤ Execute Module test The different modules are tested for correct functioning.
⑥ Execute Integration test The communication between modules is tested for correct functioning.
⑦ Execute System test This test checks whether all software requirements are present in the product.
Operation & Maintenance Process
① The operation-phase consists of activities like assisting users in working with the created software product
② The maintenance-phase consists of maintenance-tasks to keep the product up and running.
ISO 20000- Information Technology Service
Management
961720 顏伯旭
What is ISO/IEC 20000?
ISO / IEC 20000 is the first worldwide standard specifically aimed at IT Service Management. It describes an integrated set of management processes for the effective delivery of services to the business and its customers.
ISO / IEC 20000 is aligned with and complementary to the process approach defined within ITIL from the Office of Government Commerce (OGC).
ISO/IEC 20000 consists of two parts: ISO / IEC 20000 consists of two parts:
1. ISO / IEC 20000-1:2005
2. ISO / IEC 20000-2:2005
ISO / IEC 20000-1:2005
ISO / IEC 20000-1:2005 is the formal Specification and defines the requirements for an organisation to deliver managed services of an acceptable quality for its customers. The scope includes:
• Requirements for a management system; • Planning and implementing service management; • Planning and implementing new or changed services; • Service delivery process; • Relationship processes; • Resolution processes; • Control processes; and Release processes
ISO / IEC 20000-2:2005
ISO / IEC 20000-2:2005 is the Code of Practice and describes the best practices for Service Management processes within the scope of ISO / IEC 20000-1. The code of Practice will be of particular use to organisations preparing to be audited against ISO / IEC 20000 or planning service improvements.
ISO 20000 Service Management Processes
ISO 20000 Service Management Processes(2)
ISO 20000 include 13 process. emphasizing on continuous improvement process
Service delivery
- Service level management -To negotiate Service Level Agreements with the customers and to design services in accordance with the agreed service level targets. Service Level Management is also responsible for ensuring that all Operational Level Agreements and Underpinning Contracts are appropriate, and to monitor and report on service levels.
- Capacity management-To ensure that the capacity of IT services and the IT infrastructure is able to deliver the agreed service level targets in a cost effective and timely manner. Capacity Management considers all resources required to deliver the IT service, and plans for short, medium and long term business requirements.
ISO 20000 Service Management Processes(3)
- Continuous Service Improvement- Service management system plan, implement and improve the optimization should follow the "planning, implementation, inspection and improvement," a continuously loop, spiral process to continuously improve the effectiveness of monitoring and management system, the PDCA process of continuous improvement consistent with the principles of Quality Control .
- Security Management -includes the security controls that are implemented and maintained to address the impact and likelihood of incidents at various stages. Services are planned to identify, control, and protect assets used in connection with the storage, transmission, and processing of information.
-Budgeting & Accounting- To manage the service provider's budgeting, accounting and charging requirements
ISO 20000 Service Management Processes(4)
-Service reporting-
Central -Change Management-One of ITIL processes, change
management through control and management of IT related change, so change may impact the production environment and minimize risk, thereby enhancing the overall stability of the IT environment.
-Configuration Management One of ITIL processes, configuration management is responsible for description, tracking
and reporting of all IT infrastructure for each device or system management processes. These devices and systems are called configuration items (CI). Each CI to effective management, tracking and control to support the company's IT infrastructure services and run successfully
ause.
ISO 20000 Service Management Processes(5)
Release
-Release Management One of ITIL processes, release management through standardized
methods and procedures, planning and monitoring of new services (including software and hardware) of the deployment and release process, improve the success rate of on-line and reduce the possible problems and risks.
Resolution
-Incident Management One of ITIL processes, Incident Management is responsible for handling
IT incidents and user requests. It is designed to quickly restore the interrupted or affected by IT services, is to meet for the purpose of characterization of the phenomenon, rather than find the root c
ISO 20000 Service Management Processes(6)
-Problem Management One of ITIL processes, problem management is responsible for resolving major
emergency or with the same symptoms in a group event. Its purpose is to identify the root causes of the incident, and by lifting the root causes to prevent similar incidents from happening again. At the same time the problem management process is also responsible for preventing incidents.
Relationship-supplier management To ensure that all contracts with suppliers support the needs of the business, and
that all suppliers meet their contractual commitments.
-Business Relationship Management To decide on a strategy to serve customers, and to develop the service provider's offerings
and capabilities.
ISO 20000 Verification process
ISO 20000 Verification process (step1)
Step1- prepare• know the meaning of the Certification• Determine the scope of IT Service Management Certification • Establish the vision , decide the respect and the order of the Service Management
Improvement• Determine the expect earning from each parts.• Understand the content of certification Comprehensive and the affect to the individual and the
organization• Access to information : Exchange of experiences with the similar organization and
Consulting with
the Consultant 、 Training providers and Forums• Get the support from Senior managers• Get the knowledge of ITIL 、 ISO20000• Choose a Verification Agency , Confirm the scope of audit
ISO 20000 Verification process (step2)
Step2- Initial assessment and plan development
• Preliminary assessment and do the gap analysis ; determine the Areas of
improvement ; manage the risk in the process of Certification 。 • Formulate an overall plan , get the Support and commitment from related
respect
ISO 20000 Verification process (step3)
Step3- Narrow the gap• Establish Management Service Improvement Plan(use PDCA)• Basic on ISO 20000 :《服務管理規範》 to do the Assess ; • use ISO 20000 、 ITIL to develop the service management policies,
processes,
procedures • Implement the service management processes • Periodic inspection and review 。 WHAT is PDCA?
P ( Plan ) D ( Do )
C ( Check )A ( Action )
ISO 20000 Verification process (step4)
Step4- prepare to Legalize the Audit • If necessary , contact Certification agency to do the Internal Audit
and order the schedule for the Formal review• Full exchange the opinion with Certification Agency to establish the
common understanding of scope of the audit and the content of the
audit • Prepare the ” evidence” for the audit : For example:
Documentation 、 Record
ISO 20000 Verification process (step5)
Step5- Legalize the Audit Typical certification audit include : • The Provision of the Reference and the scope of audit. • The assess to the documentation and process –(not in Scene)• The audit to staff and process(in Scene)• The statement of the audit results
If the system achieve ISO 200000 System requirement, ISO 20000 will do the Certification statement and Award the Certificate.
ISO 20000 Verification process (step6)
Step6- Maintain
The expiration date of Certification is three years.So , the Comprehensive Certification audit is needed every three years. The Certification Agency do the “Supervise Audit” to ensure the quality certification and Continuous improvement of service management every year.
ISO 20000 Certification Award
Certification Institutions
BSI
BSI is a leading global provider of standards, management systems, business improvement and regulatory approval information.
ISO/IEC 38500
Corporate Governance of Information Technology standard
961747游原丞
Reference numberISO/IEC 38500:2008(E)
© ISO/IEC 2008
What is ISO/IEC 38500Corporate governance of information
technology standardProvides a framework for effective
governance of IT to assist organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.
Objectives Provide a framework of principles for Directors to use
when evaluating, directing and monitoring the use of IT in their organizations.
Assuring stakeholders that they can have confidence in the organization's corporate governance of IT
Informing/guiding Directors in governing the use of IT in their organization
Providing a basis for objective evaluation of the corporate governance of IT
Also intended to guide those involved in designing and implementing the management system of those policies and processes that support governance.
Framework for Good Corporate Governance of IT
Principles Guide decision making what should happen 6 principles for good corporate governance of IT
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human Behavior
The six principles (1)
Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for IT.
Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT.
Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making.
The six principles (2)
Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
Principle 5: Conformance
IT complies with all mandatory legislation and regulations.
Principle 6: Human Behavior
IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the ‘people in the process’.
Model
Model for Corporate Governance of IT
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against the plans.
Evaluate Directors should examine and make judgment on the current and
future use of IT.
Directors should consider the external or internal pressures acting upon the business, such as technological change, economic and social trends, and political influences.
Directors should undertake evaluation continually, as pressures change.
Directors should take account of both current and future business needs.
Direct
Directors should assign responsibility for, and direct preparation and implementation of plans and policies.
Directors should ensure that the transition of projects to operational status is properly planned and managed.
Directors should encourage a culture of good governance of IT in their organization by requiring managers to provide timely information, to comply with direction and to conform with the six principles of good governance.
If necessary, directors should direct the submission of proposals for approval to address identified needs.
Monitor
Directors should monitor, through appropriate measurement systems, the performance of IT. They should reassure themselves that performance is in accordance with plans, particularly with regard to business objectives.
Directors should also make sure that IT conforms with external obligations (regulatory, legislation, common law, contractual) and internal work practices.
Guidance for the corporate governance of IT
Principle 1: Responsibilitya. Evaluate
Directors should evaluate the options for assigning responsibilities in respect of the organization’s current and future use of IT.
b. Direct
Directors should direct that plans be carried out according to the assigned IT responsibilities.
c. Monitor
Directors should monitor that appropriate IT governance mechanisms are established.
Guidance for the corporate governance of IT (cont.)
Principle 2: Strategya. Evaluate
Directors should evaluate developments in IT and business processes to ensure that IT will provide support for future business needs.
b. DirectDirectors should direct the preparation and use of plans and policies that ensure the organization does benefit from developments in IT.
c. MonitorDirectors should monitor the progress of approved IT proposals to ensure that they are achieving objectives in required timeframes using allocated resources.
Guidance for the corporate governance of IT (cont.)
Principle 3: Acquisitiona. Evaluate
Directors should evaluate options for providing IT to realize approved proposals, balancing risks and value for money of proposed investments.
b. DirectDirectors should direct that IT assets (systems and infrastructure) be acquired in an appropriate manner.
c. Monitor
Directors should monitor IT investments to ensure that they provide the required capabilities.
Guidance for the corporate governance of IT (cont.)
Principle 4: Performancea. Evaluate
Directors should evaluate the risks to continued operation of the business arising from IT activities.
b. Direct
Directors should ensure allocation of sufficient resources so that IT meets the needs of the organization, according to the agreed priorities and budgetary constraints.
c. Monitor
Directors should monitor the extent to which IT does support the business.
Guidance for the corporate governance of IT (cont.)
Principle 5: Conformancea. Evaluate
Directors should regularly evaluate the organization’s internal conformance to its system for Governance of IT.
b. Direct
Directors should direct that all actions relating to IT be ethical.
c. Monitor
Directors should monitor IT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive, and suitable for the evaluation of the extent of satisfaction of the business.
Guidance for the corporate governance of IT (cont.)
Principle 6: Human Behaviora. Evaluate
Directors should evaluate IT activities to ensure that human behaviors are identified and appropriately considered.
b. Direct
Directors should direct that IT activities are consistent with identified human behavior.
c. Monitor
Directors should monitor IT activities to ensure that identified human behaviors remain relevant and that proper attention is given to them.
ISO 15288
The System Life Cycle Process standard for the 21 st century 21st
S971715 范雋彥
Key business domains
• Aerospace
• Telecommunications
• Transportation systems
• Military systems
• Ship building
• Finance and Administrative systems
• Information Technology systems
ISO 15288 Scope
• ISO/IEC 15288 establishes a common framework for describing the life cycle of systems created by humans. It defines a set of processes and associated terminology. These processes can be applied at any level in the hierarchy of a system’s development.
Use of ISO 15288
• Acquisition model • Supplier management • Supply model • Development • Risk reduction • Organizational development • Professional development • Process improvement program
Example of life cycle stages, objectives and decisions
Concept
• The outcomes of the concept stage should provide:1. identification of new system concepts;2. assessment of system concepts and solutions
(including enabling systems);3. stakeholder requirements preparation and baselining
(technical and usability4. specifications for the selected system concept);5. identification of the enabling systems infrastructure.
Development
• The Development stage is based on the refined objectives and requirements from the previous stage. During this stage the system soft- and hardware, computers,personnel, production capability, training, support and facilities are determined,analysed, designed, fabricated, integrated, tested and evaluated.
Production
• During this stage the system product will be (individually or mass) produced. The product may go through redesigns and enhancements
• The Production stage starts with the approval to produce the system product for the acquirer or the market. It may continue through the remainder of the life cycle. The purpose is to produce the system product(s) and the enabling system products. In addition, it aims to store, deliver, and install the product(s) as needed by acquirer /market.
Utilization.
• This stage includes the processes involved in the use of the system's products in order to provide services, monitor performance and identify and report anomalies. The response to the problems may range from no action through to minor changes, major (permanent) modifications, and end-of-life retirement.
• The purpose of this stage is to operate and use the system products and services within specified environments and to ensure constant operational effectiveness.
Support
• This stage includes operating the support system and providing support services to users of the operational system, monitoring performance of the support system and services and reporting of anomalies, failures and deficiencies.
• The purpose of this stage is to provide logistics, maintenance and support services to ensure sustained system operation and suitable service.
Retirement
• The purpose is to remove the system and related operational and support services and to operate and support the retirement system.
CMMICapability Maturity Model
Integration
971704 黃馨儀Date: 2010/05/30
What is Capability Maturity Model Integration? (CMMI)
Definition• A process improvement approach
• Helping organizations improve their performance.
• Guiding process improvement across a project, a division, or an entire organization.
CMMI Staged Maturity Levels
• Level 1 – Initial. – The software process is characterized as ad
hoc, and occasionally even chaotic.
• Level 2 – Repeatable. – Basic project management processes are
established to track cost, schedule, and functionality.
CMMI Staged Maturity Levels
• Level 3 – Defined. – Use an approved, tailored version of the
organization's standard software process for developing and maintaining software.
• Level 4 – Managed. – Detailed measures of the software process
and product quality are collected.
CMMI Staged Maturity Levels
• Level 5 – Optimizing. – Continuous process improvement is enabled
by quantitative feedback from the process and from innovative ideas and technologies.
The Model of CMMI Staged
• The model has several nested components.
• It described below with the help of an example from Requirement Management process area.
CMMI Staged Model
CMMI Implementation Steps
• 1. Secure Sponsorship and Funding. – Ensure that your process improvement
program has a senior management sponsor and funding.
• 2. Take Core Training. – To understand basic concepts of the CMMI
Product Suite, attend the appropriate CMMI, Version 1.2 course.
CMMI Implementation Steps
• 3. Prepare Your Organization for Change. – Treat process improvement as a project.
Establish the business reasons and the business goals for the effort.
• 4. Form a Process Group. – This group coordinates process improvement
activities across the enterprise and exists for the duration of the process improvement activity.
CMMI Implementation Steps
• 5. Know Where You Are. – Determine how your processes compare to
CMMI model practices using an ARC Class C compliant appraisal method.
• 6. Know Where You Are Going. – Using the same format as the picture of where
you are, create a picture of where you want to be.
CMMI Implementation Steps
• 7. Communicate and Coordinate. – Share the plan with everyone who will be
affected and listen to their comments.
• 8. Track Your Progress. – Compare the picture of where you are to the
one of where you want to be. The difference is the focus of your process improvement program.
• 1.
http://www.sei.cmu.edu/cmmi/start/index.cfm
• 2. Process area (CMMI)
http://en.wikipedia.org/wiki/Process_area_(CMMI)
• 3. CMMI Appraisal
http://www.cmmiconsulting.co.uk/cmmi-appraisal
• 4. Parker SCITech Group - CMMI Implementation
http://www.parkerscitech.com/CMMI.htm
Reference Website
Reference Website
• 5. Achieving CMMI Levels
http://zone.ni.com/devzone/cda/tut/p/id/6026
• 6. What? CMMI Processes ways than one
http://w3.cyu.edu.tw/kwsheng/20050204.pdf
• 7. Capability Maturity Model Integration – Wikipedia
http://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration