TickITplus – what it can do for you Talk to BCS Hants March 2012 Graham Gee Quality & InfoSec Manager

Graham Gee BSc in Astrophysics and PhD in Submillimetre Astronomy at Queen Mary College, University of London 26+ years in IT industry Wide range of employers, clients, market sectors Previously 10 years in mainland Europe (NL, CH, B, D) 20+ years in quality assurance, consultancy and management Last 4.5 years Quality & InfoSec Manager at IPL in Bath 20 years as MBCS, <1 as FBCS BCS Council member/trustee in early 00’s – change programme

Use this layout for text on top of a vertically striped picture. IPL background Trusted, independent consulting & solutions house 30 year track record 260 staff, £28m+ turnover Business/mission critical contexts Consistently exceed expectations Multiple market sectors Re-defined strategy (MBO April ‘08) Intelligent Business Four service offerings Business and technical consulting Solution delivery, managed services Raising our profile Official Business Partner

IPL Differentiators Quality & adaptability of staff Depth of business & technical knowledge Execution & delivery Quality of output Value for money Long term business relationships Commercial flexibility Transparency & trust Size & scale

Aerospace & Defence Ministry of Defence Flight Refuelling EADS Thales Logica GE Aviation Avionics systems Mission planning Crypto key management Secure communications Network management In-flight refuelling

Banking & Finance Nationwide Clydesdale Bank Bank of England Barclays Bristol & West Investments Online financial product applications Core banking systems Asset & unit pricing control Liquidity reporting Data migration & integration Pensions policy administration

Emergency Services EADS FiReControl Hertfordshire Constabulary Kent Police Northamptonshire Police NPIA Wiltshire Police Core policing systems ISS4PS compliance Collision recording ANPR data analysis GIS & crime mapping Mobile data solutions

Government Local Authorities Audit Commission Met Office Government Ombudsmen Technology Strategy Board Web portals Web-enabled Information Complaints handling “Digital Britain” testing GIS & mapping applications

Industry A Global Energy Company Imperial Tobacco Group IBM GlaxoSmithKline Fertility Focus Data warehouse & applications Management information systems Information management & SOA Clinical drug trials data archive Medical devices

Telecoms, Broadcast & Media Nokia Music Ericsson NSN Aepona O 2 Orange Ubiquisys GSM core network systems Transmission and QoS management Intelligent Networks Multimedia services Network/Service Management Systems Technical Launch Services

Transport Amey Atkins Highways Agency Mouchel TfL Wincanton Traffic control centre systems Managed motorways Intelligent transport systems Transport logistics Asset management

IPL’s origins more than 30 years ago in UK Aerospace and Defence Range of market sectors/customers, business/mission critical contexts Objective since 1979 “to provide customers with high quality, high reliability software within timescale, budget and specification” “Quality is the responsibility of all individuals within the Company” More than 20 years ago (before SEI’s CMM existed) By 1988 IPL’s QMS and processes were aligned to the international standard ISO 9001 and a few years later the TickIT software sector-specific scheme TickIT was largely adopted by the UK software development industry Especially in IPL’s core market sector with high quality requirements IPL’s Focus on Quality

TickIT Built into certification to ISO 9001 with regular external assessment by specially qualified auditors (in IPL’s case this is six-monthly by BSI and now LRQA) Was mandatory for many years for software companies working directly or indirectly for MoD Is a best practice guide aligned with international standards ISO 9001, ISO and ISO 12207

QMS Pressures Wide range of market sectors, systems, applications and technologies Increasing emphasis on business processes rather than detailed technical procedures QMS not kept pace with changing world – needs modern approach, flexible, responsive, look-and-feel Process-based approach and measurement: Services Business Manual, TickITplus Managed services: Application take-on, support, ITIL, ISO20000? IP generation: Product development

Accreditations & Affiliations ISO 9001:2008/TickIT ISO 27001:2005 ISO 14001:2004

Was due to launch in January year “clock” to migrate from TickIT started ticking in Dec 2011 Adds process capability assessment, with levels mapped to international standard ISO/IEC 15504, similar to CMMI So moves TickIT to same basis as CMMI but also Backed by UK plc (including BSI, BCS, Intellect, MoD) Integral part of certification to international standard ISO 9001 by certification bodies such as BSI, LRQA and DNV Requires mapping of project, technical, organisational, IT-specific, agreement and maturity processes to the Base Processes Library TickITplus

IPL’s 1 st plan v. TickITplus levels ISO process levelsTickITplusTarget 1. PerformedFoundation ManagedBronze EstablishedSilver PredictableGold OptimizingPlatinum2013

TickIT lead auditor course in 2006: Declining interest in the scheme; only one accredited trainer in the UK; Auditor and company registrations dropping; only ever good practice guidance; CMMI stolen march in India and elsewhere from its US origins Joined IPL in Oct 2007 aiming to bring QMS into 21 st century Long experience in Quality/TickIT and with BCS TickITplus coming “soon” as UK alternative to CMMI… Occasionally we get pressure around our plans w.r.t. CMMI in questionnaires and responses Happened again at end of 2010 around Thales preferred supplier selection TickITplus was a long time coming – chronic lack of communication Steps to TickITplus:

Transition of Certification Body to LRQA – December 2010 Kept the faith –> information sessions hosted at Intellect, early 2011 Speculative gap analysis cf. list of process titles – March/April 2011 Assessor/practitioner training by Dave Wynn for IT Governance – June Base Process Library (BPL) finally published – also June 2011 Confirmed gap analysis (cf. BPL) –> 1 st draft PRM – July year “clock” to migrate from TickIT started ticking in Dec 2011 LRQA Stage 1 assessment – end Sept > 3 Minor N/Cs LRQA Stage 2 assessment – Dec > certification but 7 new Minor N/Cs (just before Christmas!) and Corrective Action Plan Steps to TickITplus: during 2011

Eight scope profiles (currently two) 40 processes (currently 22): organizational, project and technical Mapped to four international standards (currently one and a half) ISO 9001 ISO and ISO – resp. Q2/Q ISO – basis laid but rest later, possibly 2013 Combined assessor/practitioner training – overseen by gasq Currently three UK Certification Bodies (BSI, DNV, LRQA) Run by Joint TickIT Industry Steering Committee (JTISC) What does TickITplus involve?

What does TickITplus look like?

Currently Systems and Software Development and Support Product Validation, Quality and Measurement To come Information Management and Security Service Management Project and Programme Management Corporate Strategy Planning and Management Legal and Compliance IT Systems Engineering and Infrastructure Scope profiles

Human Resource Management Management Framework Corporate Management and Legal Infrastructure and Work Environment Management Improvement Measurement and Analysis Customer Focus Risk Management Lifecycle Model Management Organizational processes

Measurement and Analysis

Currently Project Management Configuration and Change Management Problem and Incident Management To come Decision Management Information Management IT Finance Management Management Reporting Project processes

Project Management

Data and Record Management Integration Management Verification Validation Transition and Release Management Maintenance Management Stakeholder Requirement Definition Requirements Analysis Architectural Design Development Implementation Technical processes

Architectural Design

What has TickITplus done for us?

Modern, pragmatic, detailed process/practice requirements NOT good practice guidance (cf. TickIT) Based on international standards - ISO 9001 and ISO (aka. SPICE) Scheme to be extended to allow combined assessment with ISO and ISO Regular, professional and independently assured assessments by certification bodies - currently BSI, DNV and LRQA in the UK cf. CMMI Much less bureaucratic than CMMI BUT TickITplus Foundation level (currently 22 processes) is only equivalent to CMMI Levels 2/3 (resp. 7/11 processes) with capability maturity dimension based on ISO to be added TickITplus lessons/benefits

LRQA surveillance visit – end March 2012 Some processes clearly need improving/redefining Configuration/change managementIntegration management Lifecycle model managementImprovement LRQA’s recertification visit at end of August 2012 Extension to cover ISO later in 2012? Could consider adding additional scope profiles? Move up to Bronze (OK) and Silver (difficult) when available Share the good news with the UK IT community via BCS, LRQA, Intellect, with Omniprove and Nexor IPL – where next with TickITplus?

Questions? Dr Graham Gee FBCS CITP TSSF Quality & InfoSec Manager Eveleigh House Grove Street Bath BA1 5LR

Additional slides To be used as required

Customers Government Aerospace & Defence Banking & Finance Emergency Services

Customers Transport Telecoms, Broadcast & Media Industry A Global Energy Company A Global Energy Company

Engagement Models Managing risk Time-boxed Risk/reward Fixed price Flexibility Time & materials Gain share IPR ownership Partnership Bid-stage engagement Teaming agreement Long term relationship via a range of engagement models Staffing Single consultant Managed team of >50 Location Your premises IPL’s offices Availability Quick commercial response Start within days

Business Consulting Identifying the business need Information management Business analysis Business process management Business case preparation IS strategy Programme management

Technical Consulting Analysing the technical options Client-side - procurement support, technical project management, design authority Project specific - rapid prototyping, requirements capture, architecture design Subject matter expertise – eg telecoms technologies, secure communications, geospatial technologies Bid support - expert advice and technology recommendations

Solution Delivery Delivering the solution Full life-cycle implementation Software development Systems integration Mitigating risk and sharing development burden Reducing development timescales 3rd party product expertise Accredited quality methodology Predictable, reliable, transparent delivery

Managed Services Supporting commercial solutions On-going support and maintenance services 3 rd party application support System hosting Reducing overall cost of ownership Freeing organisation to focus on core skills and strategic projects Secure, modern premises UK facilities & staff

Working with IPL “IPL is our strategic software partner...track record of delivering high quality, leading edge software...” Commercial Director “IPL brought a fresh and independent look at the way we develop systems...helped us to take a valuable step back from the day-to-day detail...together, we will develop more successful solutions...” CIO “...a first class and dependable software development service... contributed value at many levels in the design and development cycle” CTO

Working with IPL “Actually appear to live the culture of customer support and commitment. Deliver what they say they are going to deliver when they say they are going to deliver” Programme Manager “They are a reliable, professional outfit...work hard to understand the clients requirements and deliver against them” Application Support Manager “Very competent, very proactive, willing to assist, reliable and effective.” Programme Manager