Agile/Scrum for IT Risk Professionals

Slide transcript

1. Agile Software Development for IT Risk Control Professionals
   Dave Friesen, CISA, CMA, CISSP
   ISACA Willamette Valley Chapter, January 2014
2. Today
   - Walk through Agile and Scrum
   - Key practice and risk+control considerations
3. Agile
   - Deliver early and continuously
   - Adapt to changes
   - Produce working software often
   - Collaborate (tech teams, +business)
   - Simplicity is essential
   - Self-organizing teams excel
4. Why Agile?
   - Deliver systems faster
   - Respond to changes
   - Create competitive advantage
   - Increase transparency
   - Improve quality
5. Scrum
6. Scrum has been used by
   - Microsoft, Yahoo, Google, Electronic Arts, IBM, Lockheed Martin, Philips, Siemens, Nokia, Capital One, BBC, Intuit, Nielsen Media, BMC Software, Ipswitch, John Deere, Lexis Nexis, Sabre
7. Scrum has been used for
   - Commercial software
   - Video game development
   - In-house development
   - FDA-approved, life-critical systems
   - Contract development
   - Satellite-control software
   - Fixed-price projects
   - Websites
   - Financial applications
   - Handheld software
   - ISO 9001-certified applications
   - Mobile phones
   - Embedded systems
   - Network switching applications
   - 24x7 systems (3 9's)
   - ISV applications
   - the Joint Strike Fighter
8. Scrum roles: the Product Owner
   - Drives Product vision, roadmap and business case
   - Defines and prioritizes Product requirements
   - Determines releases, sequencing
   - "Owns" budget
   - Accepts (rejects) results
   - Risk questions: Expertise? Experience?
9. Scrum roles: the Team
   - Delivers Product
   - Cross-functional
   - Self-organizing
   - Small (+nimble)
   - Collaborative
   - Risk questions: Expertise mix? Skill+ mix? Committed?
10. Scrum roles: the ScrumMaster
   - Drives Scrum process
   - Removes "roadblocks"
   - Not a resource or project manager
   - Goal: Make Team successful
11. Scrum approach: work in Sprints
   - Iterative design, code/configure, test
   - Typically 2-4 weeks
   - Fixed duration (never extended)
   - No changes!
   - Goal: Working software
12. Sprints vs. Releases
13. Context: Product Planning
   - Product vision, roadmap
   - Business drivers, goals
   - Business case
   - Needs, features
   - Financial, people
   - Portfolio, release views
   - Sizing . . .
   - Risk questions: Product "ownership"? Strategic? (business, tech) Dependencies?
14. the Product Backlog
   - All expected Product work
   - Functional requirements
   - Operational requirements
   - Known issues
   - Sized as possible
   - Prioritized by Product Owner
15. User Stories
   - Discrete pieces of functionality
   - Written from user perspective (human or technical)
   - Enough detail for estimating, designing, testing
16. Sprint Planning
   - Product Owner and Team (ScrumMaster facilitates)
   - Sprint Goal
   - Prioritized User Stories
   - Technical Tasks
17. the Sprint Backlog
   - All expected Sprint work
   - Technical to-do's
   - Team's commitment
   - Focused on Sprint Goal
18. Tasks
   - Coding, configuring, testing, design, R&D, +
   - Typically n:1 with User Stories
   - Estimates
   - Sprint Task Board
   - Risk questions: Operational coverage? Performance, capacity, availability? Process considerations? Interface controls? Security features? Regulatory/compliance considerations?
19. Sprint: Building the Product
   - Design/Coding/Configuring
   - Integrating
   - Refactoring
   - Writing tests
   - Usual controls: Source management; environments; +
   - Risk questions: Consistent architecture and approach? Planned feature development? Secure development practices? Frequent builds and integration? Security analysis (+action)?
20. Sprint: Testing
   - Speed of Agile
   - Iterative throughout Sprint
   - Frequent build:test ➝ rapid feedback
   - Validates Stories and Tasks
   - More than functional
   - Goal: Build quality in
   - Usual controls: independence, environments, +
   - Risk questions: Scenario coverage? Unit testing? "Enough" documentation? Defect/issue management? User acceptance?
21. Daily Scrums
   - ScrumMaster and Team (others observe)
   - Daily stand-up (15 minutes)
   - Did yesterday? Doing today? Roadblocks? (risk management)
22. Tracking
   - Sprint Burndown: How's the work coming?
23. Sprint Reviews
   - Team, ScrumMaster, Product Owner; +"the world"
   - Team demos (feedback)
   - Informal; time-boxed
   - Product Owner accepts (rejects)
   - Product Backlog updated
24. Working Software and Releases
   - Business readiness?
   - Operational readiness?
   - Usual controls: approvals; contingency plans; environment/access; smoke test
25. Sprint Retrospectives
   - Team, ScrumMaster, Product Owner
   - What is/isn't working
   - Accurate estimates? Complete Sprints? Release quality? Release effectiveness?
   - Goal: Continuous improvement
26. ...and iterate
27. Agile Values
   - Individuals and interactions over Processes and tools
   - Working software over Comprehensive documentation
   - Customer collaboration over Contract negotiation
   - Responding to change over Following a plan
28. Questions?
29. Resources