Upload
samuel90
View
5.115
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
ISACA Fall eXciting Seminar 2003
Introduction to Project Risk Management and SDLC Reviews
Greg Thomas
Deloitte & Touche LLP
October 2004
Objectives
Upon completion of this presentation, participants will:
!Understand the principals of Project Risk Management and Systems Development Life Cycle reviews
!Be able to identify the key risk areas associated with projects
Key Concepts
IT Risk Management
The policies, procedures and processes used to mitigate risk in the IT environment.
Project Risk Management (PRM)
Project Risk Management is a function of IT Risk Management. PRM policies, procedures and processes help ensure projects are delivered on schedule within budget and meet business objectives.
Systems Development Life Cycle (SDLC)
The Systems Development Life Cycle is a set of PRM policies and procedures that help guide a project from concept to implementation.
Defining IT Risk Managementand Project Risk Management
The IT Risk Pyramid
Strategy IT Governance
IT Functions
Policies and Procedures
Execution
IT Functions, Systems Development & PRM
Strategy
ArchitectureOperations
IT Governance
IT FunctionsSystemsDevelopment
PRM falls within the Systems Development IT Function.
PRM Policies and Procedures within Systems Development
Strategy
ArchitectureOperations
IT Governance
IT Functions
Policies & Procedures
SystemsDevelopment
PRM Policies & Procedures are applied throughout a project.
PRM falls within the Systems Development IT Function.
� Project Mgt� SDLC� Chg Mgt� Quality Mgt� Management &
Oversight
Process & System Integrity within PRM Policies & Procedures
Strategy
ArchitectureOperations
IT Governance
IT Functions
Policies & Procedures
Project Execution
SystemsDevelopment
� Security� Business Process
Controls� Conversion � Data Integrity� IT Infrastructure
The Project Team implements process & system integrity controls as it executes policies & procedures.
PRM Policies & Procedures are applied throughout a project .
� Project Mgt� SDLC� Change Mgt� Quality Mgt� Management &
Oversight
PRM falls within the Systems Development IT Function.
Process & System Integrity within PRM Policies & Procedures
Strategy
ArchitectureOperations
IT Governance
IT Functions
Policies & Procedures
Project Execution
SystemsDevelopment
� Security� Business Process
Controls� Conversion � Data Integrity� IT Infrastructure
The Project Team implements process & system integrity controls as it executes policies & procedures.
PRM Policies & Procedures are applied throughout a project .
� Project Mgt� SDLC� Change Mgt� Quality Mgt� Management &
Oversight
PRM falls within the Systems Development IT Function.
Summary:Assess Policies and ProceduresAssess PSI Controls
Auditing for Project Risk Management
PRM: Policies & Procedures
1. Project Management: The process by which projects are managed.
2. Systems Development Life Cycle: The process through which projects move from concept to implementation.
3. IT Change Management: The process by which change in the IT organization is managed.
4. Quality Management: Independent oversight built into the SDLC to ensure PRM is occurring.
5. Management & Oversight: The organizational structure & controls supporting PRM.
Auditing for PRM Policies & Procedures
StrategyIT
Governance
IT FunctionsSystemsDevelopment
Policies & Procedures
� Security� Business Process
Controls� Conversion � Data Integrity� IT Infrastructure
Process & System
Integrity
� Project Mgt� SDLC� Change Mgt� Quality Mgt� Management &
Oversight
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Risk Management
IT Risk Mgt Project Risk Mgt
Project MgtSDLC
Change ManagementQuality Management
Management & Oversight
Project Management Life Cycle
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Management and Change
Leadership Teams
3/ Process & Systems Integrity Controls
1/ Project Leadership
2/ Project Management Life Cycle
Init
iate
Pla
nn
ing
Execu
tin
g
Mo
nit
ori
ng
&
Co
ntr
oll
ing
Clo
sin
g
Project Management ControlsInitiate Phase: Project recognition, scope definition and project team organization.
Planning Phase: Create a high level work plan, confirm scope, identify resources, establish a budget, establish reporting structure and define escalation procedures.
Executing Phase: Execute the plan, coordinate communication, ensure consistent use of methodology, initiate reporting procedures.
Monitoring & Controlling Phase:Monitor and measure progress regularly, implement project change control procedures, control scope creep, ensure training plans exist, identify and resolve problems.
Closure Phase: Formalize acceptance of the project, conduct post-project reviews.
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Init
iate
Mo
nit
ori
ng
&
Co
ntr
ollin
g
Pla
nn
ing
Execu
tin
g
Clo
sure
Project Mgt and Change
Leadership Teams
System Development Life Cycle
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Management and Change
Leadership Teams
Init
iate
Develo
p
Req
uir
em
en
ts
Desi
gn
&
Co
nst
ruct
Test
& T
rain
Imp
lem
en
t
Main
tain
3/ Process & Systems Integrity Controls
1/ Project Leadership
2/ System Development Life Cycle
System Development Life Cycle Controls
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Init
iate
Develo
p
Req
uir
em
en
ts
Desi
gn
&
Cu
sto
miz
e
Test
& T
rain
Imp
lem
en
t
Main
tain
Project Mgt and Change Leadership
Teams
Initiate Phase: Controls are defined to align project interpretation to business imperative.
Develop Requirements Phase:Controls are defined to ensure project requirements meet business needs.
Design & Customize Phase: Controls are defined to ensure design meets requirements.
Test & Train Phase: Controls are defined to ensure all developed objects meet requirements and design. Personnel are trained in use of project deliverables.
Implement Phase: Controls are defined to ensure smooth and timely implementation of project deliverables.
Maintain Phase: Controls are defined to ensure continued maintenance.
Change Management
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Management and Change
Leadership Teams
3/ Process & Systems Integrity Controls
1/ Project Leadership
2/ Change Management
Req
uest
M
an
ag
em
en
t
So
ftw
are
C
on
fig
ura
tio
n
Mg
t
* V
ers
ion
Ctl
* L
ibra
ry M
gt
* R
evie
ws
Rele
ase
M
an
ag
em
en
t
Change Management Controls
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Mgt and Change Leadership
Teams
Req
uest
M
an
ag
em
en
t
So
ftw
are
C
on
fig
ura
tio
n
Mg
t
* V
ers
ion
Ctl
* L
ibra
ry M
gt
* R
evie
ws
Rele
ase
M
an
ag
em
en
t
Request Management: The process for identifying, tracking, documenting and approving change requests. Includes impact assessments and feasibility studies.
Software Configuration Management: Technical change management comprised of three components:
� Version Control � controlling multiple releases of changes
� Library Management � object storage and retrieval procedures, parallel development procedures
� Reviews � practices for ensuring adherence to SCM protocols
Release Management: The process for communicating, scheduling and releasing changes into production.
Quality Mgt & Management Oversight
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Management and Change
Leadership Teams
3/ Process & Systems Integrity Controls
1/ Project Leadership
2/ Quality Management & Management Oversight
Quality Management
Management Oversight in the
Organizational Structure
Quality Mgt & Management Oversight
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Project Mgt and Change Leadership
Teams
Quality Management
Management Oversight in the Organizational Structure
Quality Management: Procedures built into each set of PRM policies and procedures to ensure all quality checkpoints are met during system development. Project Managers are responsible for ensuring that all Quality Management gateways are completed before signing off on deliverables.
Management and Oversight: The organization structures that supports the entire PRM process. Organizational structure may include:
� Software Control Boards
� Production Control Boards
� Change Review Boards
� Change Approval Boards
Auditing for SDLC Process System Integrity Controls
SDLC Process & System Integrity Controls - Security
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Initia
teD
evel
op
Req
uirem
ents
Des
ign &
Cust
om
ize
Tes
t &
Tra
in
Imple
men
t
Mai
nta
in
Project Mgt and Change Leadership
Teams
Security controls are built into the design, development, and testing areas of the project. Controls include:
� Application security roles to enforce segregation of duties
� Security over Application Configuration
� Security over the Database used by the Application
� Application security testing
Process and system integrity controls are applied to every phase of the System Development Life Cycle
SDLC Process & System IntegrityControls � Business Process
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Initia
teD
evel
op
Req
uirem
ents
Des
ign &
Cust
om
ize
Tes
t &
Tra
in
Imple
men
t
Mai
nta
in
Project Mgt and Change Leadership
Teams
Business Process Controls are designed, developed and tested along with technical requirements throughout the SDLC. Controls include:
� �As-Is� and �To-Be� business processes
� Manual and Automated
� Design, Development, and Testing Processes
Process and system integrity controls are applied to every phase of the System Development Life Cycle
Process & System Integrity Controls -Conversion
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Initia
teD
evel
op
Req
uirem
ents
Des
ign &
Cust
om
ize
Tes
t &
Tra
in
Imple
men
t
Mai
nta
in
Project Mgt and Change Leadership
Teams
Conversion Controls are initiated, developed, designed, tested and implemented parallel to application development efforts if the project includes a data conversion. Controls include:
� Conversion planning
� Business process mapping
� User involvement in data mapping and data validation activities
� Data analysis and cleansing
� Exceptions handling
� Balancing reports
Process and system integrity controls are applied to every phase of the System Development Life Cycle
Process & System Integrity Controls �Data Integrity
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Initia
teD
evel
op
Req
uirem
ents
Des
ign &
Cust
om
ize
Tes
t &
Tra
in
Imple
men
t
Mai
nta
in
Project Mgt and Change Leadership
Teams
Data Integrity Controls are built into application, interface and conversion design. All data integrity controls should be tested as part of routine Test procedures. Controls include:
� Field edit checks
� Exception reports on key fields in applications and interfaces
� Suspended transactions checks and reports
� Duplicate record / data checks
Process and system integrity controls are applied to every phase of the System Development Life Cycle
Process & System Integrity Controls �IT Infrastructure
Steering Committee
Security
Business Process Controls
Conversion
Data Integrity
IT Infrastructure
Initia
teD
evel
op
Req
uirem
ents
Des
ign &
Cust
om
ize
Tes
t &
Tra
in
Imple
men
t
Mai
nta
in
Project Mgt and Change Leadership
Teams
IT Infrastructure Controls should be built into the overall business process through very phase of the SDLC. Controls include:
� Data & backup recovery processes for all environments
� System monitoring procedures� Job scheduling procedures in
the mainframe environment� Application change control
procedures� Help Desk support protocols� Database configuration control
and support� Capacity planning
Process and system integrity controls are applied to every phase of the System Development Life Cycle
In Conclusion�
In Review
IT Risk Management is the process whereby risk is mitigated in the IT environment.
Project Risk Management is an IT Risk function and includes policies and procedures for:
� Project Management � System Development Life Cycle� IT Change Management � Quality Management� Management & Oversight
Process and System Integrity Controls are implemented with each PRM policy and procedure. Controls include:
� Security� Business Processes� Conversion / Data Integrity� IT Infrastructure
In Review Cont.
IT Auditors audit for both PRM Policies and Procedures and for the Process and System Integrity controls built into policies and procedures.
The System Development Life Cycle is a Project Risk Management policy and includes procedures for controlling projects through the Project Life Cycle:
� Initiate� Develop Requirements� Design and Customize� Test & Train� Implement� Maintain
Process and system integrity controls are built into each phase of the SDLC.
Questions