Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Chapter 7: Software Supporting Processes and Software Reuse

Source: faculty.scf.edu/bodeJ/ISM3324/PowerPoin… (PPT file, Web view, 2014-08-14)

© Cengage Learning 2015

Objectives

• Understand the role and functions of the supporting processes

• Understand the role and function of the reuse process

• Successfully plan and implement a management architecture of supporting processes

• Successfully implement and manage a reuse process

Overview of the Software Supporting Process Group

• The supporting processes apply to:
  – Agreement
  – Systems qualification testing
  – Software acceptance support
  – Software operation
  – Software maintenance

Software Document Management

• Software document management is the first of the supporting processes
  – Focuses on managing the documents that contain the information rather than the information itself
• Activities involved in document management:
  – The planning, design, development, production, editing, distribution, and maintenance steps needed to keep proper records
• Maintains all formal authorizations of the document format and helps produce and sustain documents that have been approved for use


Software Configuration Management

• Configuration management (CM): defines and enforces control over an organization’s assets
  – Specifies methods for controlling changes to assets throughout their useful lifecycle
• CM objective: to control changes to items in a way that preserves their integrity
• Advantages of CM:
  – Maintains the integrity of configurations
  – Allows changes to be evaluated and made rationally
  – Gives managers and policy makers direct input into the evolution of the ICT asset base

Software Configuration Management

• CM involves three major elements in the software lifecycle:
  – Development - supports the identification process
  – Maintenance - supports authorization and configuration control
  – Assurance - supports verification

Who Participates in Configuration Management?

• Three roles involved in CM:
  – The customer, the producer, and any associated subcontractors
• CM incorporates the two processes of configuration control and verification control, which are implemented through three activities:
  – Change process management
  – Baseline control
  – Configuration verification

What are the Roles?

• Configuration manager - ensures the requirements of change management are carried out
• Baseline manager - ensures that all configuration items in the project configuration management plan are identified, accounted for, and maintained
• Verification manager - ensures that product integrity is maintained during the change process
  – To confirm that all items in the change management ledger (CML) conform to the identification scheme, verify that changes have been carried out, and conduct milestone reviews

What is the Process?

• The cornerstone of configuration management is the configuration identification scheme
  – Usually established during the requirements analysis phase of the specification process
• All components are given a unique identifying label
  – Typically referred to as product identification numbers (PINs)
• If items in the evolving structure represent a new baseline:
  – The identifying labels are modified to reflect it

What is the Process?

• The organization must explicitly define the management level authorized to approve changes to each baseline
• The configuration control board (CCB) operates at defined levels of authorization
• An ICT organization has three control boards:
  – One composed of top-level policy makers and one for each of the major system components (a software CCB and a hardware CCB)

The Configuration Management Plan

• Configuration management is specifically defined and formally implemented through a configuration management plan (CMP)
• The plan should specify roles for change management, baseline management, and verification management
• The plan should also:
  – Help define the configuration identification scheme
  – Provide the basic structure of the PIN and how it will be assigned and formatted
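As an added illustration of the configuration management slides above (identification scheme and PINs, baselines, CCB authorization levels, and the verification manager's checks against the change management ledger), the following Python is example code written for this page, not code from the textbook or the course. The PIN format, the board-to-item-class authorization mapping, and the sample configuration items and ledger entries are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed identification scheme: <class>-<number>-B<baseline>, e.g. SW-017-B03.
# The baseline suffix is what changes when a new baseline is established.
PIN_SCHEME = re.compile(r"^(SW|HW|DOC)-\d{3}-B\d{2}$")

# Assumed policy: which control board may approve changes to which class of item.
AUTHORITY = {"SW": "software CCB", "HW": "hardware CCB", "DOC": "policy CCB"}


def digest(content: bytes) -> str:
    """Content hash standing in for a configuration item's recorded state."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ChangeRecord:
    """One entry in the change management ledger (CML)."""
    pin: str          # item the approved change applies to
    approved_by: str  # control board that authorized the change
    new_digest: str   # expected state once the change has been carried out


def verify_configuration(baseline, current, ledger):
    """Configuration verification: compare the current state of every item
    against the baseline and the approved changes in the ledger.
    baseline/current map PIN -> digest; returns a sorted list of findings."""
    findings = []
    approved = {}
    for rec in ledger:
        # 1. every CML entry must conform to the identification scheme
        if not PIN_SCHEME.match(rec.pin):
            findings.append(f"{rec.pin}: CML entry does not conform to the identification scheme")
            continue
        # 2. the change must be approved at the authorization level defined for the item
        required = AUTHORITY[rec.pin.split("-")[0]]
        if rec.approved_by != required:
            findings.append(f"{rec.pin}: change approved by {rec.approved_by}, requires {required}")
            continue
        approved[rec.pin] = rec.new_digest
    for pin, base_digest in baseline.items():
        now = current.get(pin)
        if now is None:
            findings.append(f"{pin}: baselined item missing from current configuration")
        elif pin in approved:
            # 3. approved changes must actually have been carried out
            if now != approved[pin]:
                findings.append(f"{pin}: approved change not carried out")
        elif now != base_digest:
            # 4. any other deviation from the baseline is unauthorized drift
            findings.append(f"{pin}: changed without an approved CML entry")
    for pin in current.keys() - baseline.keys():
        findings.append(f"{pin}: item not in baseline")
    return sorted(findings)


# Constructed sample data: the recorded baseline and the state found at review time.
ITEMS_BASELINE = {
    "SW-001-B02": b"def login(): check_password()\n",
    "SW-002-B02": b"def audit(): write_log()\n",
    "HW-010-B02": b"board rev 2.1\n",
    "DOC-100-B02": b"Configuration Management Plan v2\n",
}
ITEMS_CURRENT = {
    "SW-001-B02": b"def login(): check_password(); check_mfa()\n",  # approved, carried out
    "SW-002-B02": b"def audit(): pass\n",                          # unapproved drift
    "HW-010-B02": b"board rev 2.1\n",                              # approved, not yet applied
    "DOC-100-B02": b"Configuration Management Plan v2\n",
    "SW-999-B02": b"debug helper\n",                               # never baselined
}
LEDGER = [
    ChangeRecord("SW-001-B02", "software CCB", digest(ITEMS_CURRENT["SW-001-B02"])),
    ChangeRecord("HW-010-B02", "hardware CCB", digest(b"board rev 2.2\n")),
    ChangeRecord("DOC-100-B02", "software CCB", digest(b"CMP v3\n")),  # wrong board
    ChangeRecord("sw-3", "software CCB", digest(b"x")),                 # malformed PIN
]


def demo_findings():
    """Run the verification over the constructed sample and return the findings."""
    baseline = {pin: digest(c) for pin, c in ITEMS_BASELINE.items()}
    current = {pin: digest(c) for pin, c in ITEMS_CURRENT.items()}
    return verify_configuration(baseline, current, LEDGER)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```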


Software Quality Assurance

• Software quality assurance (SQA): to ensure that software products and processes comply with predefined provisions and plans
• SQA provides oversight to the software manager
• SQA ensures that:
  – Appropriate development methods are in place
  – Standards are employed and independently audited
  – Necessary documentation is available
  – Change management mechanisms are in place to deal with any deviations from standards

Organization of SQA Operations

• SQA is based on a strategy and plan that:
  – Maintains software quality
  – Identifies and records any problems in conforming to requirements
  – Verifies that products, processes, and activities adhere to applicable standards, procedures, and requirements
• Most operational problems encountered by SQA involve staffing, authority, and control
• SQA must have an independent reporting line

SQA: Overall Operation

• The organization’s basic framework must include a set of defined quality assurance practices
  – Which are based on systematic development methods and standards for reviews
• Each SQA process must be planned to meet a project’s unique needs
• SQA must have the mandate to conduct in-process evaluations of project management and the organization’s governance control system

SQA Reporting

• SQA should not report to the project manager
  – But to local management
• No more than one position should separate SQA and the senior site manager
• SQA should have an advisory relationship with a senior quality executive

Starting the SQA Program

• Eight steps required to start an SQA program:
  1. Initiation
  2. Identification
  3. Writing the plan
  4. Integration
  5. Defining procedures
  6. Establishment
  7. Implementation
  8. Auditing
• Common SQA standard is IEEE STD-730


Verification

• Purpose of verification: to confirm that each work product or service of a process properly reflects the specified requirements
  – It tests each transitional product from every phase as it is completed
• Involves:
  – Reviewing, inspecting, testing, checking, auditing, establishing and documenting
• Verification also assesses risk and feasibility concerns

Verification

• In the development phase, verification seeks to catch and correct small errors before they spread
• Verification outcomes are based on evidence obtained through assessment
• The most powerful verification processes normally involve a third party that performs the assessments
• The verification process is formalized by a plan that should be defined early and refined as a project moves downstream


Verification

• The process begins with a determination that verification is worthwhile
• The next step is to identify the organization that will execute the verification process
  – And decide which lifecycle elements will be verified
• Then, the required verification activities are performed as scheduled
• Any resulting defects are identified and recorded
  – Results are made available to the customer and other involved parties

Validation

• Validation assesses the product to ensure that it complies with its purpose
• It is an ongoing process used to stay on top of meaningful changes to any element of the system, software product, or service
• Validation guarantees the software performs as it was designed or programmed to do
• The validation process begins prior to any actual planning
• It is almost always conducted by a third party


Software Review

• The purpose of the software review process:
  – To maintain a common understanding with stakeholders that the software is making progress against the contract
  – To help ensure development of a product that satisfies the stakeholders
• The review process uses a team approach to define, design, and evaluate work products
• The team can establish a common set of evaluation criteria, assess progress, and identify critical issues and recommendations


The Audit Process

• Purpose of software audits:
  – To independently determine the compliance of selected products and processes with appropriate requirements, plans, and agreements
• Audits are conducted by an appropriate independent party based on the audit plan
• Problems detected during an audit are identified and communicated to the parties responsible for corrective action and resolution
• Audits are usually performed at the end of a project


Problem Resolution

• The purpose of problem resolution is to ensure that all problems in a process are identified, analyzed, managed, and controlled to resolution
• Requires a management strategy that allows problems to be recorded, identified, and classified
• Ensures maintenance of the integrity of the system software, product, or service throughout the lifecycle
• Acts in conjunction with other supporting processes to ensure the product and process meet standards


Reuse

• Reuse: the construction of new software from existing components
• Reuse processes were not included in the original version of the standard
  – They have been added in the 2008 version
• Having a library of prewritten functions, templates, and procedures saves time and reduces cost
• Reusable code modules ensure higher levels of quality, security, and capability

Reuse

• Domain engineering - used to ensure that products are built with a high level of integrity
  – Necessary to allow managers to understand how to reintegrate abstract components into other useful applications
  – Goal is to characterize the application domain, its architectures, and assets
• Process Implementation - first step is to create and execute a domain engineering plan
  – Domain engineer selects and formalizes the standard form of representation

Reuse

• Domain Analysis - to define the conceptual boundaries of the domain and the relationships between it and other domains
  – To develop the domain model, the engineer carries out a domain review with all stakeholders, including software developers, asset managers, domain experts, and users
  – When the review is complete and the results are accepted, the domain engineer passes the domain model along to the architectural design stage

Reuse

• Domain Design - the domain engineer develops and documents an architectural design that incorporates all assets designated for reuse
• Asset Provisioning - the domain engineer acquires or develops the necessary assets
  – Each asset is documented, classified and evaluated in accordance with the organization’s asset acceptance procedures
• Asset Maintenance - a responsibility of configuration management

Reuse

• Reuse Asset Management - to manage the life of reusable assets from conception to retirement
  – Uses a documented asset classification scheme
  – Specifies the criteria for accepting and eventually retiring an asset
  – Defines an asset storage and retrieval mechanism that tracks and records asset use
• Process Implementation - first step is to create an asset management plan
  – This plan defines the resources and operational procedures for managing assets

Reuse

• Asset Storage and Retrieval Definition - reusable assets are typically kept in an archive until they are used
  – The asset manager must implement and maintain a formal mechanism for asset storage and retrieval
• Asset Management and Control - ensures the correctness and integrity of the assets in the reuse archive
  – All assets submitted for reuse must be evaluated to ensure they are acceptable for reuse

Reuse

• Reuse Program Management - to plan, establish, control, and monitor an organization’s overall reuse program
  – To systematically exploit opportunities for reuse
  – Reuse program is monitored and evaluated on an ongoing basis
• Initiation - a reuse strategy is necessary to begin developing a reuse program
  – Strategy includes setting goals for reuse and defining the program’s purposes, objectives, and scope

Reuse

• Domain Identification - a group is formed to identify the domains in which the organization can practice reuse
  – Group consists of program administrator, domain engineers, users, and software developers
  – The group evaluates each domain to ensure that it accurately fits with the reuse strategy
• Reuse Assessment - a function that constantly ensures the organization’s reuse capability
  – Program administrator assesses each domain to determine its potential for reuse

Reuse

• Planning - requires the creation of a plan to implement the program
  – The plan is maintained to ensure the organization understands all requirements for implementing the reuse program
  – The plan has to be reviewed and evaluated by members of the reuse steering committee for completeness, feasibility, and ability to execute
• Execution and Control - activities in the plan are executed in accordance with its requirements
  – Program is monitored by program administrator

Reuse

• Review and Evaluation - the program administrator provides assessment results and lessons learned to the reuse steering committee and to appropriate managers
  – Administrator also recommends and makes changes to the program
  – Administrator expands and improves it in accordance with the plan’s stipulations

Summary

• The supporting processes in the 12207-2008 standard represent the value-added elements that guarantee the quality and security of ICT products
• To develop a successful, defect-free piece of software, an organization must adopt and follow a disciplined set of supporting processes
• The outcome of the documentation management process is an explicit understanding and formal description of every lifecycle record
• Configuration management defines and enforces management control over ICT assets
• SQA monitors the actions of software operations and brings any deviations to management’s attention
• The verification process confirms that products properly reflect specified requirements
• The validation process assesses products to ensure that they comply with their intended purpose
• Joint reviews of software help maintain a common understanding of progress
• Audits determine compliance with requirements, plans, and agreements
• Problem resolution ensures that integrity is maintained throughout the lifecycle
• Software reuse allows new code to use existing modules as a means of leveraging production