Introduction to Project Risk Management and SDLC Reviews

  1. ISACA Fall eXciting Seminar 2003: Introduction to Project Risk Management and SDLC Reviews. Greg Thomas, Deloitte & Touche LLP, October 2004
  2. Objectives
     Upon completion of this presentation, participants will:
     • Understand the principles of Project Risk Management and Systems Development Life Cycle reviews
     • Be able to identify the key risk areas associated with projects
  3. Key Concepts
     IT Risk Management: The policies, procedures and processes used to mitigate risk in the IT environment.
     Project Risk Management (PRM): Project Risk Management is a function of IT Risk Management. PRM policies, procedures and processes help ensure projects are delivered on schedule, within budget, and meet business objectives.
     Systems Development Life Cycle (SDLC): The Systems Development Life Cycle is a set of PRM policies and procedures that help guide a project from concept to implementation.
  4. Defining IT Risk Management and Project Risk Management
  5. The IT Risk Pyramid
     [Diagram: pyramid with the layers Strategy; IT Governance; IT Functions; Policies and Procedures; Execution]
  6. IT Functions, Systems Development & PRM
     PRM falls within the Systems Development IT Function.
     [Diagram: the IT Risk Pyramid (Strategy, IT Governance, IT Functions); the IT Functions layer shows Systems Development, Operations and Architecture]
  7. PRM Policies and Procedures within Systems Development
     PRM falls within the Systems Development IT Function. PRM Policies & Procedures are applied throughout a project.
     Policies & Procedures: • Project Mgt • SDLC • Chg Mgt • Quality Mgt • Management & Oversight
     [Diagram: the same pyramid, with the Policies & Procedures layer placed under the Systems Development function]
  8. Process & System Integrity within PRM Policies & Procedures
     PRM falls within the Systems Development IT Function. PRM Policies & Procedures are applied throughout a project. The Project Team implements process & system integrity controls as it executes policies & procedures.
     Policies & Procedures: • Project Mgt • SDLC • Change Mgt • Quality Mgt • Management & Oversight
     Project Execution (process & system integrity controls): • Security • Business Process Controls • Conversion • Data Integrity • IT Infrastructure
     [Diagram: the same pyramid, extended with a Project Execution layer beneath Policies & Procedures]
  9. Process & System Integrity within PRM Policies & Procedures
     Summary: Assess Policies and Procedures; Assess PSI Controls.
     PRM falls within the Systems Development IT Function. PRM Policies & Procedures are applied throughout a project. The Project Team implements process & system integrity controls as it executes policies & procedures.
     [Diagram: the same pyramid as on slide 8, with Policies & Procedures (Project Mgt, SDLC, Change Mgt, Quality Mgt, Management & Oversight) and Project Execution (Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure)]
  10. Auditing for Project Risk Management
  11. PRM: Policies & Procedures
      1. Project Management: The process by which projects are managed.
      2. Systems Development Life Cycle: The process through which projects move from concept to implementation.
      3. IT Change Management: The process by which change in the IT organization is managed.
      4. Quality Management: Independent oversight built into the SDLC to ensure PRM is occurring.
      5. Management & Oversight: The organizational structure & controls supporting PRM.
  12. Auditing for PRM Policies & Procedures
  13. [Diagram: IT Risk Mgt mapped to Project Risk Mgt. IT Risk Mgt column: IT Strategy; IT Governance; IT Functions (Systems Development); Policies & Procedures (Project Mgt, SDLC, Change Mgt, Quality Mgt, Management & Oversight); Process & System Integrity (Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure). Project Risk Mgt column: Steering Committee; Project Risk Management; Project Mgt; SDLC; Change Management; Quality Management; Management & Oversight; Security; Business Process Controls; Conversion; Data Integrity; IT Infrastructure]
  14. Project Management Life Cycle
      [Diagram: 1/ Project Leadership: Steering Committee; Project Management and Change Leadership Teams. 2/ Project Management Life Cycle: Initiate, Planning, Executing, Monitoring & Controlling, Closing. 3/ Process & Systems Integrity Controls: Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  15. Project Management Controls
      Initiate Phase: Project recognition, scope definition and project team organization.
      Planning Phase: Create a high level work plan, confirm scope, identify resources, establish a budget, establish reporting structure and define escalation procedures.
      Executing Phase: Execute the plan, coordinate communication, ensure consistent use of methodology, initiate reporting procedures.
      Monitoring & Controlling Phase: Monitor and measure progress regularly, implement project change control procedures, control scope creep, ensure training plans exist, identify and resolve problems.
      Closure Phase: Formalize acceptance of the project, conduct post-project reviews.
      [Diagram: Steering Committee; Project Mgt and Change Leadership Teams; life cycle phases Initiate, Planning, Executing, Monitoring & Controlling, Closure; controls Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  16. System Development Life Cycle
      [Diagram: 1/ Project Leadership: Steering Committee; Project Management and Change Leadership Teams. 2/ System Development Life Cycle: Initiate, Develop Requirements, Design & Construct, Test & Train, Implement, Maintain. 3/ Process & Systems Integrity Controls: Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  17. System Development Life Cycle Controls
      Initiate Phase: Controls are defined to align project interpretation to business imperative.
      Develop Requirements Phase: Controls are defined to ensure project requirements meet business needs.
      Design & Customize Phase: Controls are defined to ensure design meets requirements.
      Test & Train Phase: Controls are defined to ensure all developed objects meet requirements and design. Personnel are trained in use of project deliverables.
      Implement Phase: Controls are defined to ensure smooth and timely implementation of project deliverables.
      Maintain Phase: Controls are defined to ensure continued maintenance.
      [Diagram: Steering Committee; Project Mgt and Change Leadership Teams; SDLC phases Initiate, Develop Requirements, Design & Customize, Test & Train, Implement, Maintain; controls Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  18. Change Management
      [Diagram: 1/ Project Leadership: Steering Committee; Project Management and Change Leadership Teams. 2/ Change Management: Request Management; Software Configuration Management (Library Mgt, Version Ctl, Reviews); Release Mgt. 3/ Process & Systems Integrity Controls: Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  19. Change Management Controls
      Request Management: The process for identifying, tracking, documenting and approving change requests. Includes impact assessments and feasibility studies.
      Software Configuration Management: Technical change management comprised of three components:
      • Version Control – controlling multiple releases of changes
      • Library Management – object storage and retrieval procedures, parallel development procedures
      • Reviews – practices for ensuring adherence to SCM protocols
      Release Management: The process for communicating, scheduling and releasing changes into production.
      [Diagram: as on slide 18]
  20. Quality Mgt & Management Oversight
      [Diagram: 1/ Project Leadership: Steering Committee; Project Management and Change Leadership Teams. 2/ Quality Management & Management Oversight: Quality Management; Management Oversight in the Organizational Structure. 3/ Process & Systems Integrity Controls: Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  21. Quality Mgt & Management Oversight
      Quality Management: Procedures built into each set of PRM policies and procedures to ensure all quality checkpoints are met during system development. Project Managers are responsible for ensuring that all Quality Management gateways are completed before signing off on deliverables.
      Management and Oversight: The organization structures that support the entire PRM process. Organizational structure may include:
      • Software Control Boards
      • Production Control Boards
      • Change Review Boards
      • Change Approval Boards
      [Diagram: as on slide 20]
  22. Auditing for SDLC Process & System Integrity Controls
  23. SDLC Process & System Integrity Controls – Security
      Security controls are built into the design, development, and testing areas of the project. Controls include:
      • Application security roles to enforce segregation of duties
      • Security over Application Configuration
      • Security over the Database used by the Application
      • Application security testing
      Process and system integrity controls are applied to every phase of the System Development Life Cycle.
      [Diagram: Steering Committee; Project Mgt and Change Leadership Teams; SDLC phases Initiate, Develop Requirements, Design & Customize, Test & Train, Implement, Maintain; controls Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  24. SDLC Process & System Integrity Controls – Business Process
      Business Process Controls are designed, developed and tested along with technical requirements throughout the SDLC. Controls include:
      • "As-Is" and "To-Be" business processes
      • Manual and Automated controls
      • Design, Development, and Testing Processes
      Process and system integrity controls are applied to every phase of the System Development Life Cycle.
      [Diagram: as on slide 23]
  25. Process & System Integrity Controls – Conversion
      Conversion Controls are initiated, developed, designed, tested and implemented parallel to application development efforts if the project includes a data conversion. Controls include:
      • Conversion planning
      • Business process mapping
      • User involvement in data mapping and data validation activities
      • Data analysis and cleansing
      • Exceptions handling
      • Balancing reports
      Process and system integrity controls are applied to every phase of the System Development Life Cycle.
      [Diagram: as on slide 23]
  26. Process & System Integrity Controls – Data Integrity
      Data Integrity Controls are built into application, interface and conversion design. All data integrity controls should be tested as part of routine Test procedures. Controls include:
      • Field edit checks
      • Exception reports on key fields in applications and interfaces
      • Suspended transactions checks and reports
      • Duplicate record / data checks
      Process and system integrity controls are applied to every phase of the System Development Life Cycle.
      [Diagram: as on slide 23]
  27. Process & System Integrity Controls – IT Infrastructure
      IT Infrastructure Controls should be built into the overall business process through every phase of the SDLC. Controls include:
      • Data & backup recovery processes for all environments
      • System monitoring procedures
      • Job scheduling procedures in the mainframe environment
      • Application change control procedures
      • Help Desk support protocols
      • Database configuration control and support
      • Capacity planning
      Process and system integrity controls are applied to every phase of the System Development Life Cycle.
      [Diagram: Steering Committee; Project Mgt and Change Leadership Teams; SDLC phases Initiate, Develop Requirements, Design & Customize, Test & Train, Implement, Maintain; controls Security, Business Process Controls, Conversion, Data Integrity, IT Infrastructure]
  28. In Conclusion…
  29. In Review
      IT Risk Management is the process whereby risk is mitigated in the IT environment.
      Project Risk Management is an IT Risk function and includes policies and procedures for:
      • Project Management
      • System Development Life Cycle
      • IT Change Management
      • Quality Management
      • Management & Oversight
      Process and System Integrity Controls are implemented with each PRM policy and procedure. Controls include:
      • Security
      • Business Processes
      • Conversion / Data Integrity
      • IT Infrastructure
  30. In Review Cont.
      IT Auditors audit for both PRM Policies and Procedures and for the Process and System Integrity controls built into policies and procedures.
      The System Development Life Cycle is a Project Risk Management policy and includes procedures for controlling projects through the Project Life Cycle:
      • Initiate
      • Develop Requirements
      • Design and Customize
      • Test & Train
      • Implement
      • Maintain
      Process and system integrity controls are built into each phase of the SDLC.
  31. Questions
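The first security control on slide 23, application security roles that enforce segregation of duties, is something an auditor can test mechanically during the Test & Train phase: extract the user-to-role assignments from the application and compare every pair of roles a user holds against a documented conflict matrix. The script below is an added example, not part of the deck or of any Deloitte methodology; the role names, users, and conflict pairs are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over an application role matrix.

Added example for the 'application security roles to enforce segregation
of duties' control. Roles, users and conflict pairs are constructed.
"""
from itertools import combinations

# Constructed conflict matrix: pairs of roles one user must not hold at the
# same time, with the business reason an auditor expects to see documented.
CONFLICTING_ROLES = {
    frozenset({"vendor_maintain", "invoice_pay"}): "could create a vendor and pay it",
    frozenset({"po_create", "po_approve"}): "could approve own purchase order",
    frozenset({"journal_post", "journal_approve"}): "could post and approve own journal",
    frozenset({"user_admin", "invoice_pay"}): "could grant self payment access",
}

# Constructed user-to-role assignment as it might be extracted from the
# application's security tables during testing.
ROLE_ASSIGNMENTS = {
    "alice": {"po_create", "invoice_entry"},
    "bob": {"po_create", "po_approve"},
    "carol": {"vendor_maintain", "user_admin", "invoice_pay"},
    "dave": {"journal_post"},
}


def find_sod_violations(assignments, conflicts=CONFLICTING_ROLES):
    """Return a sorted list of (user, role_a, role_b, reason) findings.

    Every pair of roles a user holds is looked up in the conflict matrix,
    so a user holding three mutually conflicting roles yields several
    findings, one per conflicting pair.
    """
    violations = []
    for user, roles in assignments.items():
        for role_a, role_b in combinations(sorted(roles), 2):
            reason = conflicts.get(frozenset({role_a, role_b}))
            if reason is not None:
                violations.append((user, role_a, role_b, reason))
    return sorted(violations)


def users_in_violation(assignments, conflicts=CONFLICTING_ROLES):
    """Distinct users with at least one conflict, for the report summary line."""
    return sorted({finding[0] for finding in find_sod_violations(assignments, conflicts)})


if __name__ == "__main__":
    for user, role_a, role_b, reason in find_sod_violations(ROLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {role_a} and {role_b} ({reason})")
    print("users to remediate:", users_in_violation(ROLE_ASSIGNMENTS))
```

The conflict matrix is data rather than code so that the business owners who approve it can review it directly; the same function can be re-run against production role extracts after go-live as a Maintain-phase control.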
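Slides 25 and 26 list conversion and data integrity controls: field edit checks, duplicate record checks, suspended transaction reports, and balancing reports. The script below is an added example, not from the deck, that applies those four controls to a constructed conversion extract and reconciles it against constructed source control totals; the record layout, edit rules, country allow-list, and all figures are assumptions. It deliberately includes a corrupted amount so that the balancing report, not the field edits alone, is what surfaces the value lost in transfer.

```python
"""Data-integrity and balancing controls for a constructed conversion batch.

Added example covering field edit checks, duplicate record checks,
suspended transactions and balancing reports. All data is constructed.
"""
import csv
import io
import re
from decimal import Decimal, InvalidOperation

# Constructed extract of customer balances as delivered by a legacy system.
SOURCE_CSV = """\
cust_id,name,country,balance
C00001,Acme Ltd,GB,1250.00
C00002,Beta GmbH,DE,-30.50
C00002,Beta GmbH,DE,-30.50
C0003,Gamma SA,FR,99.99
C00004,Delta Inc,US,abc
C00005,,US,10.00
"""

# Constructed control totals reported by the sending system for this batch.
SOURCE_CONTROL = {"record_count": 6, "balance_total": Decimal("1343.99")}

CUST_ID_RE = re.compile(r"^C\d{5}$")          # assumed key format
COUNTRY_ALLOW_LIST = {"GB", "DE", "FR", "US"}  # assumed reference data


def parse_amount(text):
    """Decimal value of a field, or None if it is not a valid number."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def field_edits(row):
    """Field edit checks: reasons the row fails, empty list if it passes."""
    reasons = []
    if not CUST_ID_RE.match(row["cust_id"]):
        reasons.append("cust_id format")
    if not row["name"].strip():
        reasons.append("name missing")
    if row["country"] not in COUNTRY_ALLOW_LIST:
        reasons.append("country not in allow-list")
    if parse_amount(row["balance"]) is None:
        reasons.append("balance not numeric")
    return reasons


def run_conversion_controls(csv_text, source_control):
    """Edit, de-duplicate, suspend failures, and balance to the source totals."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    accepted, suspended, seen = [], [], set()
    loaded_total = suspended_total = Decimal("0")
    unparseable = 0
    for line_no, row in enumerate(rows, start=2):  # header is line 1
        reasons = field_edits(row)
        if row["cust_id"] in seen:                # duplicate record check
            reasons.append("duplicate cust_id")
        seen.add(row["cust_id"])
        amount = parse_amount(row["balance"])
        if reasons:                               # suspend, never silently drop
            suspended.append({"line": line_no, "cust_id": row["cust_id"], "reasons": reasons})
            if amount is None:
                unparseable += 1
            else:
                suspended_total += amount
        else:
            accepted.append(row)
            loaded_total += amount
    # Balancing report: loaded plus suspended must equal what the source sent.
    difference = source_control["balance_total"] - (loaded_total + suspended_total)
    return {
        "accepted": len(accepted),
        "suspended": suspended,
        "count_reconciled": len(rows) == source_control["record_count"],
        "loaded_total": loaded_total,
        "suspended_total": suspended_total,
        "unparseable_amounts": unparseable,
        "difference": difference,
        "balance_reconciled": difference == 0,
    }


if __name__ == "__main__":
    report = run_conversion_controls(SOURCE_CSV, SOURCE_CONTROL)
    for item in report["suspended"]:
        print(f"suspended line {item['line']} {item['cust_id']}: {', '.join(item['reasons'])}")
    print(f"loaded {report['loaded_total']} + suspended {report['suspended_total']}"
          f" vs source {SOURCE_CONTROL['balance_total']}: difference {report['difference']}")
```

Two design points matter for the audit trail: records that fail an edit are written to a suspense list with the failing reasons rather than being dropped, so the exceptions report is complete, and the balancing report compares the sum of loaded and suspended amounts with the source control total, so that a value made unreadable in transfer shows up as an unexplained difference even though the row was already suspended for failing the numeric edit.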
