Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 7
Software Supporting Processes and Software Reuse
© Cengage Learning 2015
Objectives
• Understand the role and functions of the supporting processes
• Understand the role and function of the reuse process
• Successfully plan and implement a management architecture of supporting processes
• Successfully implement and manage a reuse process
Overview of the Software Supporting Process Group
• The supporting processes apply to:
– Agreement
– Systems qualification testing
– Software acceptance support
– Software operation
– Software maintenance
Software Document Management
• Software document management is the first of the supporting processes
– Focuses on managing the documents that contain the information rather than the information itself
• Activities involved in document management:
– The planning, design, development, production, editing, distribution, and maintenance steps needed to keep proper records
• Maintains all formal authorizations of the document format and helps produce and sustain documents that have been approved for use
Software Configuration Management
• Configuration management (CM): defines and enforces control over an organization’s assets
– Specifies methods for controlling changes to assets throughout their useful lifecycle
• CM objective: to control changes to items in a way that preserves their integrity
• Advantages of CM:
– Maintains the integrity of configurations
– Allows changes to be evaluated and made rationally
– Gives managers and policy makers direct input into the evolution of the ICT asset base
Software Configuration Management
• CM involves three major elements in the software lifecycle:
– Development - supports the identification process
– Maintenance - supports authorization and configuration control
– Assurance - supports verification
Who Participates in Configuration Management?
• Three roles involved in CM:
– The customer, the producer, and any associated subcontractors
• CM incorporates the two processes of configuration control and verification control, which are implemented through three activities:
– Change process management
– Baseline control
– Configuration verification
What are the Roles?
• Configuration manager - ensures the requirements of change management are carried out
• Baseline manager - ensures that all configuration items in the project configuration management plan are identified, accounted for, and maintained
• Verification manager - ensures that product integrity is maintained during the change process
– To confirm that all items in the change management ledger (CML) conform to the identification scheme, verify that changes have been carried out, and conduct milestone reviews
What is the Process?
• The cornerstone of configuration management is the configuration identification scheme
– Usually established during the requirements analysis phase of the specification process
• All components are given a unique identifying label
– Typically referred to as product identification numbers (PINs)
• If items in the evolving structure represent a new baseline:
– The identifying labels are modified to reflect it
What is the Process?
• The organization must explicitly define the management level authorized to approve changes to each baseline
• The configuration control board (CCB) operates at defined levels of authorization
• An ICT organization has three control boards:
– One composed of top-level policy makers and one for each of the major system components (a software CCB and hardware CCB)
The Configuration Management Plan
• Configuration management is specifically defined and formally implemented through a configuration management plan (CMP)
• The plan should specify roles for change management, baseline management, and verification management
• The plan should also:
– Help define the configuration identification scheme
– Provide the basic structure of the PIN and how it will be assigned and formatted
Software Quality Assurance
• Software quality assurance (SQA): to ensure that software products and processes comply with predefined provisions and plans
• SQA provides oversight to the software manager
• SQA ensures that:
– Appropriate development methods are in place
– Standards are employed and independently audited
– Necessary documentation is available
– Change management mechanisms are in place to deal with any deviations from standards
Organization of SQA Operations
• SQA is based on a strategy and plan that
– Maintains software quality
– Identifies and records any problems conforming to requirements
– Verifies that products, processes, and activities adhere to applicable standards, procedures, and requirements
• Most operational problems encountered by SQA involve staffing, authority, and control
• SQA must have an independent reporting line
SQA: Overall Operation
• The organization’s basic framework must include a set of defined quality assurance practices
– Which are based on systematic development methods and standards for reviews
• Each SQA process must be planned to meet a project’s unique needs
• SQA must have the mandate to conduct in-process evaluations of project management and the organization’s governance control system
SQA Reporting
• SQA should not report to the project manager
– But to local management
• No more than one position should separate SQA and the senior site manager
• SQA should have an advisory relationship with a senior quality executive
Starting the SQA Program
• Eight steps required to start an SQA program:
– 1. Initiation
– 2. Identification
– 3. Writing the plan
– 4. Integration
– 5. Defining procedures
– 6. Establishment
– 7. Implementation
– 8. Auditing
• Common SQA standard is IEEE STD-730
Verification
• Purpose of verification: to confirm that each work product or service of a process properly reflects the specified requirements
– It tests each transitional product from every phase as it is completed
• Involves:
– Reviewing, inspecting, testing, checking, auditing, establishing and documenting
• Verification also assesses risk and feasibility concerns
Verification
• In the development phase, verification seeks to catch and correct small errors before they spread
• Verification outcomes are based on evidence obtained through assessment
• The most powerful verification processes normally involve a third party that performs the assessments
• The verification process is formalized by a plan that should be defined early and refined as a project moves downstream
Verification
• The process begins with a determination that verification is worthwhile
• The next step is to identify the organization that will execute the verification process
– And decide which lifecycle elements will be verified
• Then, the required verification activities are performed as scheduled
• Any resulting defects are identified and recorded
– Results are made available to the customer and other involved parties
Validation
• Validation assesses the product to ensure that it complies with its purpose
• It is an ongoing process used to stay on top of meaningful changes to any element of the system, software product, or service
• Validation guarantees the software performs as it was designed or programmed to do
• The validation process begins prior to any actual planning
• It is almost always conducted by a third party
Software Review
• The purpose of the software review process:
– To maintain a common understanding with stakeholders that the software is making progress against the contract
– To help ensure development of a product that satisfies the stakeholders
• The review process uses a team approach to define, design, and evaluate work products
• The team can establish a common set of evaluation criteria, assess progress, and identify critical issues and recommendations
The Audit Process
• Purpose of software audits:
– To independently determine the compliance of selected products and processes with appropriate requirements, plans, and agreements
• Audits are conducted by an appropriate independent party based on the audit plan
• Problems detected during an audit are identified and communicated to the parties responsible for corrective action and resolution
• Audits are usually performed at the end of a project
Problem Resolution
• The purpose of problem resolution is to ensure that all problems in a process are identified, analyzed, managed, and controlled to resolution
• Requires a management strategy that allows problems to be recorded, identified, and classified
• Ensures maintenance of the integrity of the system software, product, or service throughout the lifecycle
• Acts in conjunction with other supporting processes to ensure the product and process meet standards
Reuse
• Reuse: the construction of new software from existing components
• Reuse processes were not included in the original version of the standard
– They have been added in the 2008 version
• Having a library of prewritten functions, templates, and procedures saves time and reduces cost
• Reusable code modules ensure higher levels of quality, security, and capability
Reuse
• Domain engineering - used to ensure that products are built with a high level of integrity
– Necessary to allow managers to understand how to reintegrate abstract components into other useful applications
– Goal is to characterize the application domain, its architectures, and assets
• Process Implementation - first step is to create and execute a domain engineering plan
– Domain engineer selects and formalizes the standard form of representation
Reuse
• Domain Analysis - to define the conceptual boundaries of the domain and the relationships between it and other domains
– To develop the domain model, the engineer carries out a domain review with all stakeholders, including software developers, asset managers, domain experts, and users
– When the review is complete and the results are accepted, the domain engineer passes the domain model along to the architectural design stage
Reuse
• Domain Design - the domain engineer develops and documents an architectural design that incorporates all assets designated for reuse
• Asset Provisioning - the domain engineer acquires or develops the necessary assets
– Each asset is documented, classified and evaluated in accordance with the organization’s asset acceptance procedures
• Asset Maintenance - a responsibility of configuration management
Reuse
• Reuse Asset Management - to manage the life of reusable assets from conception to retirement
– Uses a documented asset classification scheme
– Specifies the criteria for accepting and eventually retiring an asset
– Defines an asset storage and retrieval mechanism that tracks and records asset use
• Process Implementation - First step is to create an asset management plan
– This plan defines the resources and operational procedures for managing assets
Reuse
• Asset Storage and Retrieval Definition - reusable assets are typically kept in an archive until they are used
– The asset manager must implement and maintain a formal mechanism for asset storage and retrieval
• Asset Management and Control - ensures the correctness and integrity of the assets in the reuse archive
– All assets submitted for reuse must be evaluated to ensure they are acceptable for reuse
Reuse
• Reuse Program Management - to plan, establish, control, and monitor an organization’s overall reuse program
– To systematically exploit opportunities for reuse
– Reuse program is monitored and evaluated on an ongoing basis
• Initiation - a reuse strategy is necessary to begin developing a reuse program
– Strategy includes setting goals for reuse and defining the program’s purposes, objectives, and scope
Reuse
• Domain Identification - A group is formed to identify the domains in which the organization can practice reuse
– Group consists of program administrator, domain engineers, users, and software developers
– The group evaluates each domain to ensure that it accurately fits with the reuse strategy
• Reuse Assessment - a function that constantly ensures the organization’s reuse capability
– Program administrator assesses each domain to determine its potential for reuse
Reuse
• Planning - requires the creation of a plan to implement the program
– The plan is maintained to ensure the organization understands all requirements for implementing the reuse program
– The plan has to be reviewed and evaluated by members of the reuse steering committee for completeness, feasibility, and ability to execute
• Execution and Control - Activities in the plan are executed in accordance with its requirements
– Program is monitored by program administrator
Reuse
• Review and Evaluation - the program administrator provides assessment results and lessons learned to the reuse steering committee and to appropriate managers
– Administrator also recommends and makes changes to the program
– Administrator expands and improves it in accordance with the plan’s stipulations
Summary
• The supporting processes in the 12207-2008 standard represent the value-added elements that guarantee the quality and security of ICT products
• To develop a successful, defect-free piece of software, an organization must adopt and follow a disciplined set of supporting processes
• The outcome of the documentation management process is an explicit understanding and formal description of every lifecycle record
• Configuration management defines and enforces management control over ICT assets
Summary
• SQA monitors the actions of software operations and brings any deviations to management’s attention
• The verification process confirms that products properly reflect specified requirements
• The validation process assesses products to ensure that they comply with their intended purpose
• Joint reviews of software help maintain a common understanding of progress
• Audits determine compliance with requirements, plans, and agreements
Summary
• Problem resolution ensures that integrity is maintained throughout the lifecycle
• Software reuse allows new code to use existing modules as a means of leveraging production