Upload
cee-secr
View
223
Download
1
Embed Size (px)
Citation preview
WHO NEEDS DOCUMENTATION ANYWAY?Ales Zivkovic
Agenda Why, who and how much
documentation? Documentation in different SDLCs Documentation from the QA perspective
IT Audits, security audit ISO, CMMI appraisals
Documentation best practices ground rule policy documentation throughout the
project/product lifecycle
Why we need documentation? to support communication
make informed decisions
to minimize risk of staff rotation
enable traceability
Who needs documentation? to support communication
Team (internal, partners, subcontractors) Management (team lead, project manager) Client (technical team, users)
make informed decisions PM, IT director, CEO client's management (project level & company
level) to minimize risk of staff rotation
development team enable traceability
QA team, internal auditors, external auditors
How much documentation? depends on many factors
domain, project (size, type, risks, no. of participants), SDLC, regulatory requirements, organization, etc.
start with more and trim down if not useful
understand the purpose of every document or information container
understand the risks of not having documentation
don't produce documents to justify spending
documentation might be time dependent (during the project, after completion)
SDLC & documentation good process will define project artifacts
provide guidelines on how to tailor (mandatory vs. optional)
different templates for more formal and lean projects
required by the SDLC, but not used not defined in SDLC, but would be useful documentation can be in different form
is burn down chart documentation? information in Jira, Confluence, Trello, etc.
Examples – IBM RUP 9 domains 76 work products
Examples - OpenUP 7 disciplines 29 (only) work products
Examples - SCRUM
Source: Essential SCRUM: A Practical Guide to Most Popular Agile Process
Traditional vs. Agile
Source: http://www.agilemodeling.com/essays/agileDocumentationBestPractices.htm
Documentation & QA Can we do quality assurance without
documentation?
How can we do IT audit without documentation? example: outsourced government project
that went bad
Can we replace team member or vendor without documentation?
Example: IT audit Typical documentation (depends on audit
goals) software requirements specification high level architecture description of the SDLC quality plan, test plan, test data, test
reports change management & configuration
management If efficiency and costs are also evaluated
project plan project data – plan vs. actual quality – technical depth
1205 Evidence
Source: ISACA, ITAF 2nd edition
Example: security audit Typical documentation (depends on the
goals) penetration testing
no documentation required security audit
user manual software requirements specification risk evaluation technical documentation (key security concepts
– encryption, implementation of Access Control List, access controls, etc.)
network schema SDLC
ISO 27001
ISO 27002
CMMI & documentation Model does not specify documents, it
defines goals and practices (specific and generic) specific goal (SG 2) Develop a project plan
A project plan is established and maintained as the basis for managing the project.
Fulfilling goals without any documentation might be difficult.
In some cases CMMI is more specific about the expectations SP 1.1-1 Estimate the scope of the project
Establish a top-level work breakdown structure (WBS) to estimate the scope of the project.
Documentation best practices Documentation is necessary!
How much and when, depends on many factors.
Every company/group should tailor the documentation.
Have a clear policy what can be changed and how.
QUESTIONS?e-mail: [email protected]