SlideShare a Scribd company logo

Agile/Scrum for IT Risk Professionals

Download as PPT, PDF
Dave Friesen
Dave Friesen
TechnologyBusiness
1 of 30
Agile Software Development for IT Risk Control Professionals Dave Friesen, CISA, CMA, CISSP ISACA Willamette Valley Chapter January 2014
Today Walk through Agile  Scrum Key practice and risk+control considerations Dave Friesen 2
Agile Deliver early and continuously Adapt to changes Produce working software often Collaborate (tech teams, +business) Simplicity is essential Self-organizing teams excel source: agilemanifesto.org Dave Friesen 3
Why Agile? Deliver systems faster Respond to changes Create competitive advantage Increase transparency Improve quality Dave Friesen 4
Scrum Dave Friesen 5
Scrum has been used by Microsoft Yahoo Google Electronic Arts IBM Lockheed Martin Philips Siemens Nokia Capital One BBC Intuit Nielsen Media BMC Software Ipswitch John Deere Lexis Nexis Sabre Salesforce.com source: mountaingoatsoftware.com Dave Friesen 6
Scrum has been used for Commercial software Video game development In-house development FDA-approved, life-critical systems Contract development Satellite-control software Fixed-price projects Websites Financial applications Handheld software ISO 9001-certified applications Mobile phones Embedded systems Network switching applications 24x7 systems (3 9’s) ISV applications the Joint Strike Fighter source: mountaingoatsoftware.com Dave Friesen 7
Scrum roles: the Product Owner Drives Product vision, roadmap and business case Expertise? Defines and prioritizes Product requirements Experience? Determines releases, sequencing “Owns” budget Accepts (rejects) results Dave Friesen 8
the Team Delivers Product Cross-functional Self-organizing Small Expertise mix? (+nimble) Skill+ mix? Collaborative Committed? Dave Friesen 9
the ScrumMaster Drives Scrum process Removes “roadblocks” (Not resource or project manager) Goal: Make Team successful Dave Friesen 10
Scrum approach: work in Sprints Iterative design, code/configure, test Typically 2-4 weeks Fixed duration (never extended) No changes! Goal: Working software Dave Friesen 11
Sprints vs. Releases Dave Friesen 12
Context: Product Planning Product vision, roadmap Business drivers, goals Business case Product “ownership?” Strategic? (business, tech) Dependencies? Dave Friesen Needs, features Financial, people Portfolio, release views Sizing. . . 13
the Product Backlog All expected Product work Functional requirements Operational requirements Known issues Sized as possible Prioritized by Product Owner Dave Friesen 14
User Stories Discrete pieces of functionality Written from user perspective (human or technical) Enough detail for estimating, designing, testing Dave Friesen 15
Sprint Planning Product Owner and Team (ScrumMaster facilitates) Sprint Goal Prioritized User Stories Technical Tasks 16 Dave Friesen
the Sprint Backlog All expected Sprint work Technical to-do’s Team’s commitment Focused on Sprint Goal Dave Friesen 17
Tasks Operational coverage? Performance, capacity, availability? Process considerations? Coding, configuring, testing, design, R&D, + Interface controls? Typically n:1 with User Stories Security features? Estimates Regulatory/ compliance considerations? Sprint Task Board Dave Friesen 18
Sprint: Building the Product Design/Coding/ Configuring Consistent architecture and approach? Integrating Planned feature Development? Refactoring Secure development practices? Writing tests Frequent builds and integration? Security analysis (+action)? Usual controls: Source management; environments; + Dave Friesen 19
Sprint: Testing Speed of Agile Iterative throughout Sprint Scenario coverage? Unit testing? Frequent build:test ➝ rapid feedback Validates Stories and Tasks Goal: Build quality in Dave Friesen More than functional “Enough” documentation? Defect/issue management? User acceptance? Usual controls: independence, environments, + 20
Daily Scrums ScrumMaster and Team (others observe) Daily stand-up (15 minutes) Did yesterday? Doing today? Roadblocks? (risk management) Dave Friesen 21
Tracking Sprint Burndown How’s the work coming? Dave Friesen 22
Sprint Reviews Team, ScrumMaster, Product Owner; +”the world” Team demo’s (feedback) Informal; time-boxed Product Owner accepts (rejects) (Product Backlog updated) Dave Friesen 23
Working Software and Releases Business readiness? Operational readiness? Usual controls: approvals; contingency plans; environment/access; smoke test Dave Friesen 24
Sprint Retrospectives Team, ScrumMaster, Product Owner What is/isn’t working Accurate estimates? Complete Sprints? Release quality? Release effectiveness? Goal: Continuous improvement Dave Friesen 25
and iterate Dave Friesen 26
Agile Values Individuals and interactions over Processes and tools Working software over Comprehensive documentation Customer collaboration over Contract negotiation over Following a plan Responding to change source: agilemanifesto.org (mountaingoatsoftware.com) Dave Friesen 27
Questions?
Resources www.scrumalliance.org www.mountaingoatsoftware.com Dave Friesen 29
Agile/Scrum for IT Risk Professionals

Recommended

Risk Management in an Agile Environment
Risk Management in an Agile EnvironmentRisk Management in an Agile Environment
Risk Management in an Agile Environment
Intland Software GmbH
 
Agile and Risk Management: How Agile Becomes Risky Business
Agile and Risk Management: How Agile Becomes Risky BusinessAgile and Risk Management: How Agile Becomes Risky Business
Agile and Risk Management: How Agile Becomes Risky Business
ITpreneurs
 
Agile IS Risk Management - Agile 2014 - Antifragile
Agile IS Risk Management - Agile 2014 - AntifragileAgile IS Risk Management - Agile 2014 - Antifragile
Agile IS Risk Management - Agile 2014 - Antifragile
Ken Rubin
 
Risk management in an Agile way - presented at Agile Testing Days 2013
Risk management in an Agile way - presented at Agile Testing Days 2013Risk management in an Agile way - presented at Agile Testing Days 2013
Risk management in an Agile way - presented at Agile Testing Days 2013
Edwin Loon, van
 
Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues
Michael J Geiser
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application security
Rogue Wave Software
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
Using JIRA for Risk Based Testing - QASymphony Webinar
Using JIRA for Risk Based Testing - QASymphony WebinarUsing JIRA for Risk Based Testing - QASymphony Webinar
Using JIRA for Risk Based Testing - QASymphony Webinar
QASymphony
 

Recommended

Risk Management in an Agile Environment
Risk Management in an Agile EnvironmentRisk Management in an Agile Environment
Risk Management in an Agile Environment
Intland Software GmbH
 
Agile and Risk Management: How Agile Becomes Risky Business
Agile and Risk Management: How Agile Becomes Risky BusinessAgile and Risk Management: How Agile Becomes Risky Business
Agile and Risk Management: How Agile Becomes Risky Business
ITpreneurs
 
Agile IS Risk Management - Agile 2014 - Antifragile
Agile IS Risk Management - Agile 2014 - AntifragileAgile IS Risk Management - Agile 2014 - Antifragile
Agile IS Risk Management - Agile 2014 - Antifragile
Ken Rubin
 
Risk management in an Agile way - presented at Agile Testing Days 2013
Risk management in an Agile way - presented at Agile Testing Days 2013Risk management in an Agile way - presented at Agile Testing Days 2013
Risk management in an Agile way - presented at Agile Testing Days 2013
Edwin Loon, van
 
Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues Using JIRA to Manage Project Management Risks and Issues
Using JIRA to Manage Project Management Risks and Issues
Michael J Geiser
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application security
Rogue Wave Software
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
Using JIRA for Risk Based Testing - QASymphony Webinar
Using JIRA for Risk Based Testing - QASymphony WebinarUsing JIRA for Risk Based Testing - QASymphony Webinar
Using JIRA for Risk Based Testing - QASymphony Webinar
QASymphony
 
2018 State Of DevOps Report Key Findings
2018 State Of DevOps Report Key Findings2018 State Of DevOps Report Key Findings
2018 State Of DevOps Report Key Findings
Eficode
 
Terry Johns: Uncertainty - understanding the impact and the importance of rec...
Terry Johns: Uncertainty - understanding the impact and the importance of rec...Terry Johns: Uncertainty - understanding the impact and the importance of rec...
Terry Johns: Uncertainty - understanding the impact and the importance of rec...
Association for Project Management
 
Integration Of Prince2® And M O R® 1 John Fisher
Integration Of Prince2® And M O R® 1 John FisherIntegration Of Prince2® And M O R® 1 John Fisher
Integration Of Prince2® And M O R® 1 John Fisher
BPUG Congress
 
Enterprise risk management presentation to APM SWWE branch
Enterprise risk management presentation to APM SWWE branchEnterprise risk management presentation to APM SWWE branch
Enterprise risk management presentation to APM SWWE branch
Association for Project Management
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
Derek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case studyDerek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case study
Association for Project Management
 
ClickSoftware Agile Tranistion by Meny Duek
ClickSoftware Agile Tranistion by Meny DuekClickSoftware Agile Tranistion by Meny Duek
ClickSoftware Agile Tranistion by Meny Duek
AgileSparks
 
Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015
Association for Project Management
 
Procept Risk Workshop 2007
Procept Risk Workshop 2007Procept Risk Workshop 2007
Procept Risk Workshop 2007
Procept Associates
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your Organisation
Ives Laaf
 
Lean Software Development
Lean Software DevelopmentLean Software Development
Lean Software Development
Saqib Raza
 
Augury's Journey Towards CD by Assaf Mizrachi
Augury's Journey Towards CD by Assaf Mizrachi Augury's Journey Towards CD by Assaf Mizrachi
Augury's Journey Towards CD by Assaf Mizrachi
AgileSparks
 
SDLC Smashup
SDLC SmashupSDLC Smashup
SDLC Smashup
Lester Martin
 
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
Pedro Henriques
 
How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...
AdaCore
 
Agile Software Development With SCRUM
Agile Software Development With SCRUMAgile Software Development With SCRUM
Agile Software Development With SCRUM
Alexey Krivitsky
 
Project Management Uncertainty, Presented by upul chanaka from Sri Lanka
Project Management Uncertainty, Presented by upul chanaka from Sri Lanka Project Management Uncertainty, Presented by upul chanaka from Sri Lanka
Project Management Uncertainty, Presented by upul chanaka from Sri Lanka
Upul Chanaka
 
What is Agile Methodology?
What is Agile Methodology?What is Agile Methodology?
What is Agile Methodology?
QA InfoTech
 
Agile Methodology
Agile MethodologyAgile Methodology
Agile Methodology
Suresh Krishna Madhuvarsu
 
Testing and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedTesting and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons Learned
LB Denker
 
case analysis 2.1.docxby Urusha PandeySubmission date 2.docx
case analysis 2.1.docxby Urusha PandeySubmission date 2.docxcase analysis 2.1.docxby Urusha PandeySubmission date 2.docx
case analysis 2.1.docxby Urusha PandeySubmission date 2.docx
cowinhelen
 

More Related Content

What's hot

Integration Of Prince2® And M O R® 1 John Fisher
Integration Of Prince2® And M O R® 1 John FisherIntegration Of Prince2® And M O R® 1 John Fisher
Integration Of Prince2® And M O R® 1 John Fisher
BPUG Congress
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
Pedro Henriques
 
How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...
AdaCore
 

What's hot (20)

2018 State Of DevOps Report Key Findings
2018 State Of DevOps Report Key Findings2018 State Of DevOps Report Key Findings
2018 State Of DevOps Report Key Findings
 
Terry Johns: Uncertainty - understanding the impact and the importance of rec...
Terry Johns: Uncertainty - understanding the impact and the importance of rec...Terry Johns: Uncertainty - understanding the impact and the importance of rec...
Terry Johns: Uncertainty - understanding the impact and the importance of rec...
 
Integration Of Prince2® And M O R® 1 John Fisher
Integration Of Prince2® And M O R® 1 John FisherIntegration Of Prince2® And M O R® 1 John Fisher
Integration Of Prince2® And M O R® 1 John Fisher
 
Enterprise risk management presentation to APM SWWE branch
Enterprise risk management presentation to APM SWWE branchEnterprise risk management presentation to APM SWWE branch
Enterprise risk management presentation to APM SWWE branch
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
 
Derek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case studyDerek Wright: risk v uncertainty case study
Derek Wright: risk v uncertainty case study
 
ClickSoftware Agile Tranistion by Meny Duek
ClickSoftware Agile Tranistion by Meny DuekClickSoftware Agile Tranistion by Meny Duek
ClickSoftware Agile Tranistion by Meny Duek
 
Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015Basic risk management presentation 17th june 2015
Basic risk management presentation 17th june 2015
 
Procept Risk Workshop 2007
Procept Risk Workshop 2007Procept Risk Workshop 2007
Procept Risk Workshop 2007
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your Organisation
 
Lean Software Development
Lean Software DevelopmentLean Software Development
Lean Software Development
 
Augury's Journey Towards CD by Assaf Mizrachi
Augury's Journey Towards CD by Assaf Mizrachi Augury's Journey Towards CD by Assaf Mizrachi
Augury's Journey Towards CD by Assaf Mizrachi
 
SDLC Smashup
SDLC SmashupSDLC Smashup
SDLC Smashup
 
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
[Agile Portugal 2014] - Agile Decision Support System for Upper Management - ...
 
How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...
 
Agile Software Development With SCRUM
Agile Software Development With SCRUMAgile Software Development With SCRUM
Agile Software Development With SCRUM
 
Project Management Uncertainty, Presented by upul chanaka from Sri Lanka
Project Management Uncertainty, Presented by upul chanaka from Sri Lanka Project Management Uncertainty, Presented by upul chanaka from Sri Lanka
Project Management Uncertainty, Presented by upul chanaka from Sri Lanka
 
What is Agile Methodology?
What is Agile Methodology?What is Agile Methodology?
What is Agile Methodology?
 
Agile Methodology
Agile MethodologyAgile Methodology
Agile Methodology
 

Similar to Agile/Scrum for IT Risk Professionals

Testing and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedTesting and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons Learned
LB Denker
 
case analysis 2.1.docxby Urusha PandeySubmission date 2.docx
case analysis 2.1.docxby Urusha PandeySubmission date 2.docxcase analysis 2.1.docxby Urusha PandeySubmission date 2.docx
case analysis 2.1.docxby Urusha PandeySubmission date 2.docx
cowinhelen
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdfPIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdf
TAURUSEER
 
First Line Of Defense: How contractors can become software factories to suppo...
First Line Of Defense: How contractors can become software factories to suppo...First Line Of Defense: How contractors can become software factories to suppo...
First Line Of Defense: How contractors can become software factories to suppo...
Tasktop
 

Similar to Agile/Scrum for IT Risk Professionals (20)

Testing and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons LearnedTesting and DevOps Culture: Lessons Learned
Testing and DevOps Culture: Lessons Learned
 
case analysis 2.1.docxby Urusha PandeySubmission date 2.docx
case analysis 2.1.docxby Urusha PandeySubmission date 2.docxcase analysis 2.1.docxby Urusha PandeySubmission date 2.docx
case analysis 2.1.docxby Urusha PandeySubmission date 2.docx
 
Automated Deployment in Support of Continuous Integration to Transform SDLC
Automated Deployment in Support of Continuous Integration to Transform SDLCAutomated Deployment in Support of Continuous Integration to Transform SDLC
Automated Deployment in Support of Continuous Integration to Transform SDLC
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Kim Carter (BinaryMist)
Kim Carter (BinaryMist)Kim Carter (BinaryMist)
Kim Carter (BinaryMist)
 
The Journey to Continuous Delivery
The Journey to Continuous DeliveryThe Journey to Continuous Delivery
The Journey to Continuous Delivery
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project success
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
PIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdfPIRATEs of the Software Supply Chain.pdf
PIRATEs of the Software Supply Chain.pdf
 
Agile-plus-DevOps Testing for Packaged Applications
Agile-plus-DevOps Testing for Packaged ApplicationsAgile-plus-DevOps Testing for Packaged Applications
Agile-plus-DevOps Testing for Packaged Applications
 
Appsec Agility: A Brief Tour
Appsec Agility: A Brief TourAppsec Agility: A Brief Tour
Appsec Agility: A Brief Tour
 
The Continuous delivery value - Funaro
The Continuous delivery value - FunaroThe Continuous delivery value - Funaro
The Continuous delivery value - Funaro
 
The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
First Line Of Defense: How contractors can become software factories to suppo...
First Line Of Defense: How contractors can become software factories to suppo...First Line Of Defense: How contractors can become software factories to suppo...
First Line Of Defense: How contractors can become software factories to suppo...
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure product
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Agile/Scrum for IT Risk Professionals

  • 1. Agile Software Development for IT Risk Control Professionals Dave Friesen, CISA, CMA, CISSP ISACA Willamette Valley Chapter January 2014
  • 2. Today Walk through Agile  Scrum Key practice and risk+control considerations Dave Friesen 2
  • 3. Agile Deliver early and continuously Adapt to changes Produce working software often Collaborate (tech teams, +business) Simplicity is essential Self-organizing teams excel source: agilemanifesto.org Dave Friesen 3
  • 4. Why Agile? Deliver systems faster Respond to changes Create competitive advantage Increase transparency Improve quality Dave Friesen 4
  • 6. Scrum has been used by Microsoft Yahoo Google Electronic Arts IBM Lockheed Martin Philips Siemens Nokia Capital One BBC Intuit Nielsen Media BMC Software Ipswitch John Deere Lexis Nexis Sabre Salesforce.com source: mountaingoatsoftware.com Dave Friesen 6
  • 7. Scrum has been used for Commercial software Video game development In-house development FDA-approved, life-critical systems Contract development Satellite-control software Fixed-price projects Websites Financial applications Handheld software ISO 9001-certified applications Mobile phones Embedded systems Network switching applications 24x7 systems (3 9’s) ISV applications the Joint Strike Fighter source: mountaingoatsoftware.com Dave Friesen 7
  • 8. Scrum roles: the Product Owner Drives Product vision, roadmap and business case Expertise? Defines and prioritizes Product requirements Experience? Determines releases, sequencing “Owns” budget Accepts (rejects) results Dave Friesen 8
  • 9. the Team Delivers Product Cross-functional Self-organizing Small Expertise mix? (+nimble) Skill+ mix? Collaborative Committed? Dave Friesen 9
  • 10. the ScrumMaster Drives Scrum process Removes “roadblocks” (Not resource or project manager) Goal: Make Team successful Dave Friesen 10
  • 11. Scrum approach: work in Sprints Iterative design, code/configure, test Typically 2-4 weeks Fixed duration (never extended) No changes! Goal: Working software Dave Friesen 11
  • 13. Context: Product Planning Product vision, roadmap Business drivers, goals Business case Product “ownership?” Strategic? (business, tech) Dependencies? Dave Friesen Needs, features Financial, people Portfolio, release views Sizing. . . 13
  • 14. the Product Backlog All expected Product work Functional requirements Operational requirements Known issues Sized as possible Prioritized by Product Owner Dave Friesen 14
  • 15. User Stories Discrete pieces of functionality Written from user perspective (human or technical) Enough detail for estimating, designing, testing Dave Friesen 15
  • 16. Sprint Planning Product Owner and Team (ScrumMaster facilitates) Sprint Goal Prioritized User Stories Technical Tasks 16 Dave Friesen
  • 17. the Sprint Backlog All expected Sprint work Technical to-do’s Team’s commitment Focused on Sprint Goal Dave Friesen 17
  • 18. Tasks Operational coverage? Performance, capacity, availability? Process considerations? Coding, configuring, testing, design, R&D, + Interface controls? Typically n:1 with User Stories Security features? Estimates Regulatory/ compliance considerations? Sprint Task Board Dave Friesen 18
  • 19. Sprint: Building the Product Design/Coding/ Configuring Consistent architecture and approach? Integrating Planned feature Development? Refactoring Secure development practices? Writing tests Frequent builds and integration? Security analysis (+action)? Usual controls: Source management; environments; + Dave Friesen 19
  • 20. Sprint: Testing Speed of Agile Iterative throughout Sprint Scenario coverage? Unit testing? Frequent build:test ➝ rapid feedback Validates Stories and Tasks Goal: Build quality in Dave Friesen More than functional “Enough” documentation? Defect/issue management? User acceptance? Usual controls: independence, environments, + 20
  • 21. Daily Scrums ScrumMaster and Team (others observe) Daily stand-up (15 minutes) Did yesterday? Doing today? Roadblocks? (risk management) Dave Friesen 21
  • 22. Tracking Sprint Burndown How’s the work coming? Dave Friesen 22
  • 23. Sprint Reviews Team, ScrumMaster, Product Owner; +”the world” Team demo’s (feedback) Informal; time-boxed Product Owner accepts (rejects) (Product Backlog updated) Dave Friesen 23
  • 24. Working Software and Releases Business readiness? Operational readiness? Usual controls: approvals; contingency plans; environment/access; smoke test Dave Friesen 24
  • 25. Sprint Retrospectives Team, ScrumMaster, Product Owner What is/isn’t working Accurate estimates? Complete Sprints? Release quality? Release effectiveness? Goal: Continuous improvement Dave Friesen 25
  • 27. Agile Values Individuals and interactions over Processes and tools Working software over Comprehensive documentation Customer collaboration over Contract negotiation over Following a plan Responding to change source: agilemanifesto.org (mountaingoatsoftware.com) Dave Friesen 27