CISA Domain 3


Project Communication

Initiation may be communicated by one-on-one meetings, kick-off meetings, project start workshops, or a combination of the three. One-on-one meetings and project start workshops help to facilitate two-way communication between the project team and the PM. A project start workshop is used to obtain cooperation from all team members and buy-in from the stakeholders.

Analogous Estimating

One of the four commonly used methodologies to estimate the cost of a system development project. By using estimates from prior projects, the project manager can develop the estimated cost for a new project. This is the quickest estimation technique.

Bottom-up Estimating

One of the four commonly used methodologies to estimate the cost of a system development project. In this method, the cost of each activity in the project is estimated to the greatest detail and then all the costs are added to arrive at the cost estimate of the entire project. While it is the most accurate estimate, this is the most time-consuming approach.

Actual Costs

One of the four commonly used methodologies to estimate the cost of a system development project. Like analogous estimation, this approach takes an extrapolation from the actual costs that were incurred on the same system during past projects.

Parametric Estimating

One of the four commonly used methodologies to estimate the cost of a system development project. The PM looks at the same past data that were used in analogous estimating and leverages statistical data to develop the estimate. This approach is more accurate than analogous estimation.

System Testing

A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly. Includes: recovery testing (the system's ability to recover); security testing (ensures provisions for access controls and no security holes); load testing (testing with large amounts of data); volume testing (testing with an incremental volume of records); stress testing (impact measured by testing with an incremental number of concurrent users/services); and performance testing (comparing system performance to other equivalent systems using benchmarking).

4 Stages of Rapid Application Development

1. The concept definition phase; 2. The functional design stage; 3. The development stage; 4. The deployment stage.

Postimplementation Review should include

A cost-benefit analysis or return on investment (ROI) should be re-performed to verify that the original business case benefits are delivered. Also, it is done after a project has been in use for some time.

Requirements definition phase

A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users and concerned managers should be involved in the requirements definition phase of a development project, and the user acceptance test specification should be developed during this phase. This is the phase where IT security weaknesses should be corrected.

Agile Software Development

A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is for the team to consider and document what worked well and what could have worked better at the end of each iteration and to identify improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Scrum is a project management approach that moves planning and directing tasks from the project manager to the team. Agile development only plans for the next iteration of development in detail, rather than planning subsequent development phases far out in time. Agile does not emphasize managing a requirements baseline.

Rapid Application Development

A methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. Done by automating large portions of the SDLC. Techniques include the use of: small, well-trained development teams; evolutionary prototypes; integrated power tools that support modeling, prototyping and component reusability; a central repository; interactive requirements and design workshops; and rigid limits on development time frames.

Enterprise Resource Planning - ERP

A packaged business software system that allows an organization to automate and integrate the majority of its business processes, share common data and practices across the entire organization and produce and access information in a real time environment.

Recalculations

A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase.

Business Case

An important consideration in any IT project. Provides the information required for an organization to decide whether a project should proceed. Either the first step in a project or a precursor to the commencement of a project. If at any stage of the project the business case is thought to be no longer valid, through increased costs or reduction in the anticipated benefits, the project sponsor or IT steering committee should consider whether to continue. In a well planned project, there will be stage gates or kill points at which the business case is formally reviewed. If the business case is changed during the course of a project, the project should be reapproved through the departmental planning and approval process.

Project Roles - Information System Security Engineer

Applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risk associated with these vulnerabilities.

Project Portfolio Reports

Examples are a project portfolio bar chart, a profit-versus-risk matrix, a project portfolio progress graph, etc.

Resource peaks and valleys

Are expensive due to management, hiring, firing and/or overtime and idle resource costs. A constant, base resource utilization is preferable.

Certification and Accreditation

Refers to systems that have had their security compliance technically evaluated for running in a specific environment and configuration. Performed after acceptance testing and after the system is implemented and in operation for some time. Includes evaluating program documentation and testing effectiveness. The goal is to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome.

System Owner

Are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems.

White box testing

Assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths.

Project Roles - User Management

Assumes ownership of the project and resulting system, allocates qualified representatives to the team and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training. Should review and approve system deliverables as they are defined and implemented.

Release management software

Can prevent unauthorized changes by moving code into production without any manual intervention.

Project Roles - User Project Team

Completes assigned tasks, communicates effectively with the systems developers by actively involving themselves in the development process as subject matter experts, advises the PM of expected and actual project plan deviations.

Project Roles - Systems Development Project Team

Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards and advises the PM of necessary project plan deviations.

Project Culture

Comprised of shared norms, beliefs, values and assumptions of the project team. Methods for developing this include the establishment of a project mission statement, project name and logo, project office or meeting place, project intranet, project team meeting rules, communication protocols and project social events.

Sociability Testing

Confirms that the new or modified system can operate in its target environment without adversely impacting existing systems, and does not specifically address the linkage between software modules.

Earned Value Analysis (EVA)

Consists of comparing the following metrics at regular intervals during the project: budget to date, actual spending to date, estimate to complete and estimate at completion. Determines progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs).

Work Packages

Contain detailed specifications regarding the WBS. Each WP must have a distinct owner and a list of main objectives. WP specifications should include dependencies on other WPs and a definition of how to evaluate performance and goal achievement. WPs should not exceed a duration of 10 days. WPs need to be independent of each other in the WBS. WPs are unique and should not be duplicated across the WBS.

Budget

Deduced from the resources required to carry out the project by multiplying fees or costs by the amount of each resource. Resources required are estimated at the beginning of the project using techniques of software/project size estimation.

Project Portfolio

Defined as all the projects being carried out in an organization at a given point in time (a snapshot). Projects of a program belong to the company's project portfolio, as do projects that are not associated with a program.

Project Roles - Senior Management

Demonstrates commitment to the project and approves the necessary resources to complete the project. The commitment from senior management helps ensure involvement by those needed to complete the project.

Work Breakdown Structure

Designed to structure all the tasks that are necessary to build up the elements of the OBS during the project. Represents the project in terms of manageable and controllable units of work, serves as a central communications tool in the project and forms the baseline for cost and resource planning. Structuring is process-oriented and in phases. The top WBS level represents the final deliverable or project.

Project Roles - Security Officer

Ensures that system controls and supporting processes provide an effective level of protection, based on data classification set in accordance with corporate security policies and procedures. Consults throughout the lifecycle on appropriate security measures that should be incorporated into the system.

Load Testing

Evaluates the performance of the software under normal and peak conditions.

Gap Analysis

Gap analysis would be the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to good practices (desired state) and which do not.

Sequence Check

Involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicates. For example, invoices are numbered sequentially. Any number outside a set sequence will be rejected.

Benefits realization

Is a continuous process that must be managed like any other business process and the business case should be a key element of benefits realization processes. Often includes a postimplementation review 6-18 months after the implementation of systems. Must be part of the governance and management of projects. COBIT 5 is often used as a framework for this.

Data Warehouse

Is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse.

Integration Testing

Is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design.

Function Point Analysis (FPA)

Is a technique for determining the size of a development task based on the number of function points. Used to estimate the complexity in developing large business applications. Function points are factors such as inputs, outputs, inquiries and logical internal files. Results are a measure of the size of an information system based on the number and complexity of the inputs, outputs, inquiries, etc. Works well in estimating business applications but not as well for OS, process control or other types.

Tracing

Is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer (EFT) transactions, the direction on tracing may start from the customer-printed copy of the receipt, checking the system audit trails and logs, and finally checking the master file records for daily transactions.

Feasibility Study

Is used to derive an initial business case. Includes: The project scope defines the business problem and/or opportunity to be addressed. The current analysis defines and establishes an understanding of a system, a software product, etc. At this point in the process, the strengths and weaknesses of the current system or software product are identified. Requirements are defined based upon stakeholder needs and constraints. The approach is the recommended system and/or software solution to satisfy the requirements. Evaluation is based upon the previously completed elements within the feasibility study. The final report addresses the cost-effectiveness of the approach selected. A formal review of the feasibility study report is conducted with all stakeholders. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc.

IS Auditor Review of Projects

It is essential for the IS auditor to understand the systems development, acquisition and maintenance methodology in use and to identify potential vulnerabilities and points requiring control. If controls are lacking or processes are disorderly, it is the IS auditor's role to advise the project team and senior management on the deficiencies.

When dealing with offshore development of business applications

It is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.

Examples of Programs

Large scale enterprise resource planning (ERP) system, organizational realignment, business process reengineering (BPR) and optimization, training and development.

Capability Maturity Models

Level 1 - Initial: processes are poorly controlled. Level 2 - Managed: process is characterized for projects. Level 3 - Defined: documented process characterized for the organization and is proactive. Level 4 - Quantitatively Managed: process is measured and controlled; quantitative quality goals can be reached. Level 5 - Optimizing: focus is on process improvement.

Programs

Like projects, they have a limited time frame and organizational boundaries. Differentiator is that programs are more complex, usually have a longer duration, a higher budget and higher risk associated with them.

Limit Checks

Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit.

Matrix Project Organization

Management authority is shared between the project manager and the department heads.

Project Portfolio Database

Mandatory for project portfolio management. It must include project data such as owner, schedules, objectives, project type, status, cost, etc.

Component Based Development

Means assembling applications from cooperating packages of executable software that make their services available through defined interfaces. Can support multiple development environments. Because it relies on reusable modules, it can increase the speed of development, and software developers can then focus on business logic. It reduces development time, improves quality, promotes modularity, simplifies reuse, reduces development cost, and allows a satisfactory compromise between build and buy options. No matter how efficient component-based development is, if system requirements are poorly defined or the system fails to adequately address business needs, the project will not be successful.

Gantt charts

Measure the progress of a project. They help with prioritization, but are not as effective as PERT. The charts show when an activity should begin and when it should end along a timeline. They also show which activities must be in progress concurrently and which activities must be completed sequentially. They aid in identifying activities that have been completed early or late by comparison to a baseline. They can also be used to track the achievement of milestones or significant accomplishments such as the end of a project phase or completion of a deliverable.

System Development Project Cost Estimation

Normally much larger in scope and size, the system development project focuses on a more complete and integrated solution (hardware, software, facilities, services). Therefore, these types of projects require much greater planning with regard to estimating and budgeting.

Organization-centric

Objective is to collect, collate, store, archive and share information with business users and various applicable support functions on a need-to-know basis.

Benefits Realization

Objective is to ensure that IT and the business fulfill their value management responsibilities, particularly that: IT-enabled business investments achieve the promised benefits and deliver measurable business value; required capabilities are delivered on time, both with respect to schedule and time-sensitive market, and within budget; and IT services and other IT assets continue to contribute to business value.

Unit Test

Occurs immediately after programs have been written. Is the most granular testing.

Objectives of project portfolio management

Optimization of the results of the project portfolio (not individual projects); prioritizing and scheduling projects; resource coordination (internal and external); knowledge transfer throughout the projects.

Project Management Approaches

PMBOK (Project Management Body of Knowledge) and PRINCE2 (Projects in a Controlled Environment). The approach chosen is dependent on the size of the organization and the complexity of business/operations. The role of the IS auditor is to ensure that rules of system development, as they relate to segregation of duties and responsibilities, are not compromised.

Timebox Management

Project Management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources. Can be used to accomplish prototyping or rapid application development-type approaches. It prevents project cost overruns and delays from scheduled delivery. The design and development phase is shortened due to the use of newer developmental tools and techniques. System test and UAT are normally performed together.

Initiation of a project

A project will be initiated by a PM or sponsor gathering the information required to gain approval for the project to be created. This will often be compiled into a project charter or terms of reference that states the objectives of the project, the stakeholders in the system to be produced, and the project manager and sponsor. Approval of a project initiation document (PID) or project request documentation (PRD) is the authorization for a project to begin.

Reasons for a stop or freezing point

Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.

Project Roles - Project Manager

Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, and ensures that deliverables meet the quality expectations of key stakeholders. May also facilitate the definition of the scope of the project, manage the budget, and control the activities via a project schedule. This person can be an end user, a member of the systems development team or a professional project manager.

Project Roles - Project Sponsor

Provides funding for the project and works closely with the project manager to define the critical success factors (CSF) and metrics for measuring the success of the project. The sponsor is usually the system owner.

Project Roles - Project Steering Committee

Provides overall direction and ensures appropriate representation of the major stakeholders in the project's outcome. They are ultimately responsible for all deliverables, project costs and schedules. This committee should be comprised of a senior representative from each business area that will be significantly impacted by the proposed new system or modification. Each member must have the authority to make decisions related to system designs that will affect their respective departments. Generally, a project sponsor who would assume the overall ownership and accountability of the project will chair the steering committee. The PM should also be a member of this committee. They perform the following functions: review project progress regularly and hold emergency meetings when required; serve as coordinator and advisor (members of the committee should be available to answer questions and make user-related decisions about the system); and take corrective action (the committee should evaluate progress and take action or make recommendations regarding personnel changes).

Project Roles - Systems Development Management

Provides technical support for hardware and software environments by developing, installing and operating the requested system. Also provides assurance that the system is compatible with the organization's computing environment and strategic IT direction, and assumes operating support and maintenance activities after installation.

Reconciliations

Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.

Scope Creep

Refers to uncontrolled change within a project resulting from improperly managed requirements.

Software Size Estimation

Relates to methods of determining the relative physical size of the application software to be developed. Can be used to guide the allocation of resources, to judge the time and cost required for development, and to compare the total effort required by the resources.

Object Breakdown Structure

Represents the individual components of the solution and their relationship to each other in a hierarchical manner, either graphically or in a table. Can help, especially when dealing with nontangible project results such as organizational development, to ensure that a material deliverable is not overlooked.

IT steering committee

Requests for major projects should be submitted to and prioritized by the IT steering committee. The IT steering committee should identify and appoint a PM. The PM should be given complete operational control over the project and be allocated the appropriate resources including staff. IS auditors can participate in the project in an advisory role and they may become ineligible to perform audits on the application when it becomes operational. Project Sponsor is in the IT steering committee.

Project Roles - Quality Assurance

Reviews results and deliverables within each phase and at the end of each phase and confirms compliance with requirements. The objective of this group is to ensure the quality of the project by measuring the adherence of the project staff to the organization's SDLC, advise on deviations, and propose recommendations for process improvements or greater control points.

Run-to-Run Totals

Run-to-run totals provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase.

Starting a program

Some form of written assignment from the program sponsor (owner) to the program manager and the program team is required. Because programs most often emerge from projects, such an assignment is important to set the program context and boundaries as well as formal management authority.

Stress Testing

Stress testing determines the capacity of the software to cope with an abnormal number of users or simultaneous operations.

Objective of Program Management

Successful execution of programs including: management of program scope, financials, schedules, objectives and deliverables. Program context and environment. Program communication and culture. Program organization.

Task List and Project Schedules

Support communications. A task list is a list of actions to be carried out in relation to work packages and includes assigned responsibilities and deadlines. Most typically it will be compiled into a project schedule at the planning phase of a project. Used to monitor and track the progress and completion of WPs. Project schedules are living documents and should indicate the tasks for a WP, the start and finish dates, percentage completed, task dependencies and resource names of individuals planned to work on those tasks.

Pure Project Organization

The PM has formal authority over those taking part in the project. Often, this is bolstered by providing a special working area for the project team that is separated from their normal office space.

Influence Project Organization

The PM has only a staff function without the formal management authority. The PM is only allowed to advise peers and team members as to which activities should be completed.

Project Management

The application of knowledge, skills, tools and techniques to a broad range of activities to achieve a stated objective such as meeting the defined user requirements, budget and deadlines for an IS project. Uses the processes of initiating, planning, executing, controlling and closing a project.

Software Baselining

The cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Occurs in the software design phase. Also relates to the point when formal establishment of the software configuration management process occurs.

Identifying project risk

The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management, and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk.

Postimplementation Review

The objective is to reveal whether the implementation of a system has achieved planned objectives (i.e., meets business objectives and risk acceptance criteria). It should: assess the adequacy of the system (does it meet user requirements and business objectives?); evaluate the projected cost benefits or ROI; develop recommendations that address the system's inadequacies and deficiencies; develop a plan for implementing the recommendations; and assess the development project process (were the chosen methodologies, standards and techniques followed?).

Closing a Project

The project sponsor should be satisfied that the system produced is acceptable and ready for delivery. A postproject review may be done to go over lessons learned, assess PM process and document them to allow for future reference. Postimplementation review also may be conducted, but this is after the project has been in production for some time.

Return on Investment (ROI)

The proposed ROI benefits, along with targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.)

Business Process Reengineering - BPR

The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings.

Computer Aided Software Engineering (CASE)

The use of automated tools to aid in the software development process. Their use may include the application of software tools for software requirements capture and analysis, software design, code production, testing, document generation and other software development activities. Upper CASE: products used to describe and document business and application requirements. Middle CASE: products used for developing the detailed designs. Lower CASE: products involved with the generation of program code and database definitions.

Hash totals

The use of hash totals is an effective method to reliably detect errors in data processing. A hash total would indicate an error in data integrity.

Assessing Project Risk

There are five steps that are repeatedly executed during a project: identify risk; assess and evaluate risk; manage risk; monitor risk; and evaluate the risk management process. Phase-end milestones are a good point in time to review and update the initial risk assessments and mitigations.

Project Risk

There are two types: the category that impacts the business benefits (the project sponsor is responsible for mitigating this), and the category that impacts the project itself (the project manager is responsible for mitigating this). Also a risk: where the project activities to design and develop the system exceed the limits of the financial resources set aside for the project, the project may never be completed.

Atomicity

This principle requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out.

Project Management should pay attention to

Three key intertwining elements: deliverables, duration and budget. Their relationship is very complex. There will be a positive correlation between a highly demanding deliverable, a long duration and a high budget.

Project Performance Criteria

To identify deviations from the project plan, project performance criteria must be established as a baseline.

Budgeting

Two Step Process: 1. Obtain a phase-by-phase estimate of human and machine effort by summing the expected effort for the tasks within each phase. 2. Multiply the effort expressed in hours by the appropriate hourly rate to obtain a phase-by-phase estimate of systems development expenditure.

Decision Tree

Uses questionnaires to lead a user through a series of choices until a conclusion is reached.

Critical Path Methodology (CPM)

Used for project scheduling. The critical path is the sequence of activities whose sum of activity time is longer than that for any other path through the network. All project schedules have at least one critical path. Critical paths have no slack time. Activities that are not on the critical path have slack time. Critical paths and slack times are computed by working forward through the network (forward pass), computing the earliest possible completion time for each activity, until the earliest possible completion time for the total project is found. Then, by working backward through the network, the latest completion time for each activity is found, the slack time is computed and the critical path is identified. Within limits, activities can be "crashed" (reduced in time by payment of a premium for early completion). In this way, the total duration and budget can be managed.

Program MGMT vs Project MGMT methodology

Very similar methodology and processes, and they run in parallel to each other. They must not be combined and have to be handled and carried out separately.

Replay protection

When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated.

Program evaluation review technique (PERT) chart

Will help determine project duration once all the activities and the work involved with those activities are known. Used for scheduling. Uses three different estimates of each activity duration in lieu of using a single number for each activity duration. The three estimates are then reduced to a single number, and then the classic CPM algorithm is applied. Used in system development projects with uncertainty about the duration (pharmaceutical research or complex software development). The calculation is: (Optimistic + Pessimistic + 4 × Most Likely) / 6. The critical path is also derived. Its advantage over CPM is that the formula is based on the reasonable assumption that the three time estimates follow a Beta statistical distribution and, accordingly, probabilities can be associated with the total project duration.

Automated Systems Balancing

Would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction.

SaaS - Incident Handling

Incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes.
