Chapter 3 Information Systems Acquisition, Development and Implementation
implementation process begins as a result of one of the following situations
- a new opportunity that relates to a new or existing business process
- a problem that relates to an existing business process
- a new opportunity that will enable the organization to take advantage of technology
- a problem with the current technology
steps for a successful data conversion
- determining what data should be converted using programs and what should be converted manually
- scheduling the sequence of conversion tasks
- designing audit trail reports to document the conversion, including data mapping and conversion
- designing exception reports
- developing and testing conversion programs, including functionality and performance
- performing one or more conversion dress rehearsals to familiarize persons with the sequence of events and their roles
- outsourcing the conversion process should be controlled with a proper agreement covering non disclosure, data privacy, data destruction and other warranties
feasibility study (phase 1)
- study is concerned with analyzing the benefits and solutions for the identified problem area
- determine the strategic benefits of implementing the system either in productivity gains or in future cost avoidance
- identify and quantify the cost savings of a new system, and estimate a payback schedule for costs incurred in implementing the system
- further, intangible factors such as readiness of the business case provides the justification for proceeding to the next phase
- includes development of a business case, which states the strategic benefits of implementing the system
traditional SDLC phases
1) feasibility study
2) requirements definition
3a) software selection and acquisition (purchased systems)
3b) design (in house development)
4a) development (in house development)
4b) configuration (purchased systems)
5) final testing and implementation
6) postimplementation
5 risk management process steps
1) identify risk - brainstorming session
2) assess and evaluate risk - quantify the likelihood (as a percentage) and impact of the risk (as an amount of money)
3) manage risk - create a risk management plan
4) monitor risk - discover risk that materializes and act accordingly
5) evaluate the risk management process - review and evaluate the effectiveness and costs of your risk management process
three major forms of organizational alignment
1) influence project organization 2) pure project organization 3) matrix project organization
two types of components should be considered as part of a fallback contingency plan
1) the first consists of: (i) unload components to execute the unloading of the data from the new data structures, (ii) transfer components for the data conversion, and (iii) components to execute the loading of the data into the legacy data structures
2) the second consists of: (i) a log component to log the data modifications within the new data model during runtime within the service layer, (ii) transfer components for the data conversion, (iii) load components to execute the load of the data into the legacy data structures
two main categories of project risk
1) the category that impacts the business benefits (and therefore endangers the reasons for the project's very existence) (project sponsor is responsible for mitigating this)
2) the category that impacts the project itself (project manager is responsible for mitigating this)
Total Resources (TR)
= R x D (resources assigned * duration)
SMART
a project needs clearly defined results that are: Specific, Measurable, Attainable, Realistic, Timely
system testing
a series of tests designed to ensure that modified programs, objects, database schema, etc, which collectively constitute a new or modified system, function properly; specific analyses may be done during this: recovery testing, load testing, volume testing, stress testing, performance testing
project portfolio
all the projects being carried out in an organization at a given point in time (snapshot); in contrast to program management in which all relevant projects are closely coupled, this is not a requirement in a project portfolio
integrated development environment (IDE)
allows programmers to code and compile programs interactively with a remote computer or server from a terminal or a client's PC workstation; through this facility programmers can enter, modify and delete programming codes as well as compile, store and list programs on the development computer
SDLC (systems development life cycle)
also referred to as the waterfall technique; this lifecycle approach is the oldest and most widely used for developing business applications; the approach is based on a systematic, sequential approach to software development that begins with a feasibility study and progresses through requirements definition, design, development, implementation and postimplementation; works best when a project's requirements are likely to be stable and well defined
black box testing
an integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure
request for proposal (RFP)
an invitation to respond to this should be widely distributed to appropriate vendors and if possible posted via a public procurement medium (internet or newspaper); this allows you to determine if the responding vendors offer the best price solution at the most cost effective price; project team needs to carefully examine and compare the vendor's responses to this; comparison should be done using an objective method such as a scoring and ranking methodology
function points (FPs)
are computed by first completing a table to determine whether a particular entry is simple, average, or complex; five count values are defined, including the number of user inputs, user outputs, user inquiries, files and external interfaces
entities
are groupings of like data elements or instances that may represent actual physical objects or logical constructs; each is described by attributes
project schedules
are living documents and should indicate the tasks for a WP, the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on those tasks; will also indicate the stage boundaries
white box testing
assesses the effectiveness of software program logic
user management
assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training; answers questions like:
- are the required functions available in the software?
- how reliable is the software?
- how efficient is the software?
- is the software easy to use?
- does it meet regulatory requirements?
key business drivers
attributes of a business function that drive the behavior and implementation of that business function to achieve the strategic business goals of the company
bottom up test approach
begin testing of atomic units, such as programs or models, and work upward until a complete system testing has taken place; advantages:
- no need for stubs or drivers
- can be started before all programs are complete
- errors in critical models are found early
most application testing of large systems follows this approach
gantt charts
can be constructed to aid in scheduling the activities (tasks) needed to complete a project; shows when an activity should begin and when it should end along a timeline; shows which activities can be in progress concurrently and which activities must be completed sequentially; can also reflect the resources assigned to each task and by what percent allocation
project context
can be divided into a time and a social context; the following must be taken into account:
- importance of the project to the organization
- connection between the organization's strategy and the project
- relationship between the project and other projects
- connection between the project and the underlying business case
key points to be taken into consideration in a data conversion project are to ensure:
- completeness of data conversion
- integrity of data
- storage and security of data under conversion
- consistency of data
- continuity
the last copy of the data before conversion from the old platform and the first copy of data after conversion to the new platform should be maintained separately in the archive for any future reference
requirements definition (phase 2)
concerned with identifying and specifying the business requirements of the system chosen for development during the feasibility study; requirements include descriptions of what a system should do, how users will interact with a system, conditions under which the system will operate, and the information criteria the systems should meet; the COBIT framework defines information criteria that should be incorporated in system requirements to address associated with effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability
IS auditors: determine whether adequate security requirements have been defined to address, at a minimum, the confidentiality, integrity, and availability requirements of the system.
earned value analysis (EVA)
consists of comparing the following metrics at regular intervals during the project: budget to date, actual spending to date, estimate to complete and estimate at completion
configuration (phase 4b)
consists of defining, tracking and controlling changes in a purchased system to meet the needs of the business; for ERP systems, the task often involves the modification of configuration tables as well as some development, primarily to ensure that the ERP is integrated into the existing IT architecture
things addressed in the feasibility study
- define time frame for the implementation of the required solution
- determine an optimum alternative risk based solution for meeting business needs and general information resource requirements
- determine whether an existing system can correct the situation with slight or no modification
- determine whether a vendor product offers a solution to the problem
- determine the approximate cost to develop the system to correct the situation
- determine whether the solution fits the business strategy
- results should be some type of a comparative report
project management should pay attention to three key intertwining elements
deliverables, duration, budget; there will be a positive correlation between highly demanding deliverables, a long duration and a high budget
senior management
demonstrates commitment to the project and approves the necessary resources to complete the project
entity relationship diagrams
depicts a system's data and how these data interrelate; can be used as a requirements analysis tool to obtain an understanding of the data a system needs to capture and manage (it represents a logical data model); can also be used later in the development cycle as a design tool that helps document the actual database schema (represents a data model)
conduct and report test results
describe resources implied in testing, including personnel involved and information resources/facilities used during the test as well as actual vs expected test results
benefits management (or benefits realization) requires
- describing benefits management or benefits realization
- assigning a measure and target
- establishing a tracking/measuring regimen
- documenting the assumption
- establishing key responsibilities for realization
- validating the benefits predicted in the business
- planning the benefit that is to be realized
WP (individual work packages)
detailed specifications regarding the WBS can be found in this; must have a distinct owner and a list of main objectives, and may have a list of additional objectives and non objectives
gap analysis
determine the gap--the differences between the current support organization and the future one; should be based on the results of workshops and on the data that can be gathered from self assessment where representatives of all present support units will take part
IS auditor's role in software acquisition
determine whether an adequate level of security controls has been considered prior to any agreement being reached; risks involved with the software package include inadequate audit trails, password controls and overall security of the application; because of these risks, they should ensure that these controls are built into the software application
test plan
developed early in the life cycle and refined until the actual testing phase; test plans identify the specific portions of the systems to be tested; may include a categorization of types of deficiencies that can be found during the test; categories of deficiencies may be system defects, incomplete requirements, designs, specifications, or errors in the test case itself
top down testing approach
either in depth first or breadth first search order; advantages:
- tests of major functions and processing are conducted early
- interface errors can be detected sooner
- confidence is raised in the system since programmers and users actually see a working system
verification and validation model (v-model)
emphasizes the relationship between development phases and testing levels; provides the following advantages:
- the IS auditor's influence is significantly increased when there are formal procedures and guidelines identifying each phase in the business application life cycle
- the IS auditor can review all relevant areas and phases of the system development project
- the IS auditor can identify selected parts of the system and become involved in the technical aspects on the basis of his/her skills and abilities
- the IS auditor can provide an evaluation of the methods and techniques applied through the development phases of the business application life cycle
comprehensive project view
ensures the consideration and consolidation of all closely coupled objectives; these objectives are broken down into main objectives, additional objectives and non objectives
specific objectives of the QA function include
- ensuring the active coordinated participation by all relevant parties in the revision, evaluation, and dissemination, and application of standards, management guidelines and procedures
- ensuring compliance with the agreed on systems development methodology
- reviewing and evaluating large system projects at significant development milestones, and making appropriate recommendations for improvement
- reporting to management on systems that are not performing as defined or designed
- defining, establishing and maintaining a standard, consistent and well defined testing methodology for computer systems
testing
essential part of the development process that verifies and validates that a program, subsystem or application performs the functions for which it has been designed; also determines whether the units being tested operate without any malfunction or adverse effect on other components of the system
Design (phase 3b)
generally a programming and analyst team is assigned the tasks of defining the software architecture, depicting a general blueprint of the system, and then detailing or decomposing the system into its constituent parts such as modules and components; key activities:
- developing system flowcharts and entity relationship models
- determining the use of structured design techniques that show various relationships from the top level down to the details
- describing inputs and outputs
- determining processing steps and computation rules
- determining data file or database system file design
- preparing program specifications
- developing test plans for: unit (program), subsystem (module), integration (system), interfaces, loading and initializing files
- developing data conversion plans to convert data and manual procedures from the old system to the new
function point analysis (FPA)
has evolved over the years to become a multiple-point technique widely used for estimating complexity in developing large business applications; the results are a measure of the size of an information system based on the number and complexity of the inputs, outputs, files, interfaces, and queries with which a user sees and interacts; this is an indirect measure of software size and the process by which it is developed vs direct size oriented measures such as SLOC counts
output analyzers
help check results of program execution for accuracy. this is achieved by comparing expected results with the actual results
tasks to accomplish in requirements definition phase
- identify and consult stakeholders to determine their requirements
- analyze requirements to detect and correct conflicts (mainly, differences between requirements and expectation) and determine priorities
- identify system bounds and how the system should interact with its environment
- convert user requirements into system requirements
- record requirements in a structured format
- verify that requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable
- resolve conflicts between stakeholders
- resolve conflicts between the requirements set and the resources that are available
software selection and acquisition (phase 3a)
if the result of the decision is to buy a vendor supplied software package, the user must be actively involved in the package evaluation and selection process; depending on the software required there could be 4 cases:
1. software is required for a generic business process for which vendors are available and software can be implemented without customization
2. the vendor's software needs to be customized to suit business processes
3. software needs to be developed by the vendor
4. software is available as a service through the cloud, software as a service (SaaS)
based on the requirements defined, prepare an RFP from suppliers of purchased systems; after the RFP responses have been examined, the project team may be able to identify a single vendor whose product satisfies most or all the stated requirements in the RFP
program evaluation review technique (PERT)
is a critical path methodology (CPM) technique which uses three different estimates of each activity duration in lieu of using a single number for each activity duration (as used by CPM); the three estimates are reduced to a single number and then the classic CPM algorithm is applied; three estimates: most optimistic, most likely, pessimistic
[optimistic + pessimistic + 4(most likely)]/6
task list
is a list of actions to be carried out in relation to work packages and includes assigned responsibilities and deadlines; aids the individual project team members in operations planning and in making agreements
timebox management
is a project management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources
project management general aspects
is always a time bound effort; has specific objectives, deliverables, and start and end dates; is a business process in a project-oriented organization; the process begins with the project charter and ends with the completion of the project
work breakdown structure (WBS)
is designed to structure all the tasks that are necessary to build up the elements of the OBS (object breakdown structure) during the project; represents the project in terms of manageable and controllable units of work, serves as a central communications tool in the project, and forms the baseline for cost and resource planning; structuring is process oriented and in phases
function/validation testing
is similar to system testing but is often used to test the functionality of the system against detailed requirements to ensure that the software that has been built is traceable to customer requirements
project management
is the application of knowledge, skills, tools and techniques to a broad range of activities to achieve a stated objective such as meeting the defined user requirements, budget and deadlines for an IS project; their component processes: initiating, planning, executing, controlling and closing a project
resource usage
is the process by which the project budget is being spent; it must be measured and reported so you can determine whether actual spending is in line with planned spending
overall characteristics of a successful project planning
it is a risk based management process and iterative in nature
compilers' three main categories
logic path monitors, memory dumps, output analyzers
types of objectives
- main: will always be directly coupled with business success
- additional: not directly related to the main results but may contribute to the project success
- nonobjectives: add clarity to the scope and project boundaries become clearer (shape the contours of the deliverable)
matrix project organization
management authority is shared between the project manager and the department heads
the controlling activities of a project include
management of scope, resource usage and risk; new requirements are documented and, if approved, allocated appropriate resources
objective of program management
management of:
- program scope, program financials (costs, resource, cash flow, etc), program schedules, and program objectives and deliverables
- program context and environment
- program communication and culture
- program organization
(very similar to project management but must not be combined and must be carried out separately)
software baseline
means the cutoff point in the design and is also referred to as design freeze; relates to the point when formal establishment of the software configuration management process occurs
data conversion
objective is to convert existing data into the new required format, coding and structure while preserving the meaning and integrity of the data; must provide some means, such as audit trails and logs, which allow for the verification of the accuracy and completeness of the converted data
benefits realization
objective is to ensure that IT and the business fulfill their value management responsibilities, particularly that:
- IT enabled business investments achieve the promised benefits and deliver measurable business value
- required capabilities (solutions and services) are delivered on time and within budget
- IT services and other IT assets continue to contribute to business value
end user centric application
objective is to provide views of data for their performance optimization; the objectives include DSS, Geographic information systems (GIS), techniques, etc; most of these applications are developed using alternative development approaches
final acceptance testing
occurs during the implementation phase; the defined methods of testing to apply should be incorporated into the organization's QA methodology; has two major parts:
- quality assurance testing (QAT) focusing on technical aspects
- user acceptance testing (UAT) focusing on functional aspects
communication when initiating the project management project process may be achieved by
one on one meetings, kick off meetings, project start workshops, or a combination of the three
objectives of project portfolio management are
- optimization of the results of the project portfolio (not of the individual projects)
- prioritizing and scheduling projects
- resource coordination (internal and external)
- knowledge transfer throughout the projects
(a portfolio database is mandatory for project portfolio management and it must include data such as owner, schedules, objectives, project type, status, cost, etc)
IS auditor in design phase
primarily focused on whether an adequate system of controls is incorporated into system specifications and test plans, and whether continuous auditing functions are built into the system (particularly for ecommerce applications and other types of paperless environments); they are interested in evaluating the effectiveness of the design process itself (such as the use of structured design techniques, prototyping, and test plans, and software baseline) to establish a formal software change process that effectively freezes the inclusion of any changes to system requirements without a formal review and approval process
RFP contents
- product vs system requirements
- customer references
- vendor viability/financial stability
- availability of complete and reliable documentation
- vendor support
- source code availability
- number of years of experience in offering the product
- a list of recent or planned enhancements to the product, with dates
- number of client sites using the product with a list of current users
- acceptance testing of the product
critical success factors (CSFs) for SDLC
productivity, quality, economic value, customer service
memory dumps
provide a picture of the internal memory's content at one point in time; often produced at the point where the program fails or is aborted, providing the programmer with clues on inconsistencies in data or parameter values; a variant, called a trace, will do the same at different stages in the program execution to show changes in machine level structures such as counters and registers
business case
provides the information required for an organization to decide whether a project should proceed; depending on the organization and the size it is often the first step in a project or a precursor to the commencement of a project; should be of sufficient detail to describe the justification for setting up and continuing a project; should answer the question: why should this project be undertaken?
sociability testing
purpose is to confirm that the new or modified system can operate in its target environment without adversely impacting existing systems
software size estimation
relates to methods of determining the relative physical size of the application software to be developed; traditionally: performed using single point estimations based on a single parameter such as source lines of code (SLOC); current technologies use multiple point estimations and now take the form of more abstract representations such as diagrams, objects, spreadsheet cells, database queries and graphical user interface (GUI) widgets; these are more closely related to "functionality" deliverables than "work" or lines to be created
logic path monitors
report on the sequence of events performed by the program, thus providing the programmer with clues on logic errors
object breakdown structure (OBS)
represents the individual components of the solution and their relationships to each other in a hierarchical manner, either graphically or in a table; can help, especially when dealing with non tangible project results such as organizational development, to ensure that a material deliverable was not overlooked
minimum and recommended requirements to use a software
- required hardware such as memory, disk space, and server or client characteristics
- operating system versions and patch level supported
- additional tools such as import and export tools
- databases supported
key stakeholders who should be involved in the system's design
- senior management
- user management
- project steering committee
- project sponsor
- project manager
- systems development management
- systems development project team
- user project management
- user project team
- security officer
- quality assurance
system main components
- source code language
- execution time constraints
- main storage constraints
- data storage constraints
- computer access
- the target machine used for development
- the security environment
- staff experience
software contract should include
- specific description of deliverables and their costs
- commitment dates for deliverables
- commitments for delivery of documentation, fixes, upgrades, new release notifications and training
- commitments for data migration
- allowance for a software escrow agreement, if the deliverables do not include source code
- description of the support to be provided during installation/customization
- criteria for user acceptance
- provision for reasonable acceptance testing period, before the commitment to purchase is made
- allowance for changes to be made by the purchasing company
- maintenance agreement
- allowance for copying software for use in business continuity efforts and for test purposes
- payment schedule linked to actual delivery dates
- confidentiality clauses
- data protection clauses
change management process
starts with a formal change request that contains a clear description of the requested change and the reasons for that change; change requests must be submitted to the project manager; only stakeholders are allowed to submit change requests; copies of all change requests should be archived in the project file
final testing and implementation (phase 5)
the actual operation of the new information systems is established and tested; final UAT is conducted in this environment; the system may also go through a certification and accreditation process to assess the effectiveness of the business application at mitigating risk to an appropriate level, and provide management accountability over the effectiveness of the system in meeting its intended objectives and establishing an appropriate level of internal control
factors impacting whether to develop or acquire a system
- the date the system needs to be functional
- the cost to develop the system as opposed to buying it
- the resources, staff, and hardware required to develop the system or implement a vendor solution
- in a vendor system, the license characteristics and maintenance costs
- the other systems needing to supply information to or use information from the vendor system that will need the ability to interface with the system
- compatibility with strategic business plans
- compatibility with the organization's IT infrastructure
- likely future requirements for changes to functionality offered by the system
time slack
the difference between the latest possible completion time of each activity that will not delay the completion of the overall project and the earliest possible completion time based on all the predecessor activities; activities on a critical path have no time slack
methods for developing a project culture
the establishment of a project mission statement, project name, and logo, project office or meeting place, project intranet, project team meeting rules and communication protocol, and project specific events
regression testing
the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors
scope creep
the process through which requirements change during development
pure project organization
the project manager has formal authority over those taking part in the project; often this is bolstered by providing a special working area for the project team that is separated from the normal office space
influence project organization
the project manager has only a staff function without formal management authority; the project manager is only allowed to advise peers and team members as to which activities should be completed
critical path
the sequence of activities whose sum of the activity time is longer than that for any other path through the network; these are important because if everything goes according to schedule, their duration gives the shortest possible completion time for the overall project; activities which are not in the critical path have time slack
unit testing
the testing of an individual program or model
project manager needs to determine
- the various tasks that need to be performed to produce the expected business application system
- the sequence of the order in which these tasks need to be performed
- the duration or the time window for each task
- the priority of each task
- the IT resources, which are available and required to perform these tasks
- budget or costing for each of these tasks
- source and means of funding
parallel testing
this is the process of feeding test data into two systems--the modified system and an alternative system and comparing the results
decision on which method to use for data conversion should be based on:
- transaction volume
- change degree of the data model
development (phase 4a)
uses the detail design to begin coding, moving the system one step closer to the final software product; key activities:
- coding and developing program and system level documents
- debugging and testing the programs developed
- developing programs to convert data from the old system for the use on the new system
- creating user procedures to handle transition to the new system
- training selected users on the new system since their participation will be needed
- ensuring modifications are documented, and applied accurately and completely to vendor acquired software to ensure that future updated versions of the vendor code can be applied
organization-centric application
usually use the SDLC approach; objective is to collect, collate, store, archive, and share information with business users and various applicable support functions on a need to know basis; ex. sales are made available to accounts, administration, governmental levy payment departments, etc
iterative approach
where business requirements are developed and tested in iterations until the entire application is designed, built and tested; is useful in web applications in which prototypes of screens are necessary to aid in the completion of requirements and design