Project Success Factors when using System Development Life Cycle IT Symposium October 2015 By Edward M. Dennis.


Project Success Factors when using System Development Life Cycle  Introduction (slide 3-6)  Thank You

What IT costs
- In the mid-1960s, less than five percent of American capital expenditures went to IT (Carr, 2003)
- At the turn of the century nearly 50 percent of capital expenditures went to IT (Carr, 2003)
- 2012 and 2013 IT expenditures totaled 3.5 trillion worldwide (Gartner, 2013)
- Over the next five years this will go up 2.1, 3.7, 3.8, 3.4, and 3.2 percent respectively (Gartner, 2013)

Zachman
- John Zachman: relationship between following a lifecycle framework and success (Zachman, 1987)
- Classical engineering: construction of buildings, roads and bridges (Zachman, 1987)
- Classic engineering lifecycle process:
  - Requirements
  - Design with innovation
  - Reliability (testing)
  - Implementation
  - Use and eventual destruction (Spector and Gifford, 1986)

Bridges to nowhere

The Standish Group and CHAOS
- percent reached O&M
- 2012: 82 percent reached O&M
- Success = on time, within budget and met requirements

| Rank | Standish Report 1994 | Standish Report | Survey of Participants |
|---|---|---|---|
| 1 | User involvement | Executive management support | Skilled resources |
| 2 | Executive management support | User involvement | User, customer involvement |
| 3 | Clear statement of requirements | Clear business objectives | Agile process |
| 4 | Proper planning | Emotional maturity | Tools and infrastructure |
| 5 | Realistic expectations | Optimizing scope | Clear business objectives |
| 6 | Smaller project milestones | Agile process | Project management expertise |
| 7 | Competent staff | Project management expertise | Team member maturity |
| 8 | Ownership | Skilled resources | Project execution based plan |
| 9 | Clear vision and objectives | Execution | Executive management support |
| 10 | Hard-working, focused staff | Tools and infrastructure | Optimization of scope |

All respondents results

Survey
- Role in IT
- Level of education
- Certifications
- Experience in IT and in this position
- Experience on team
- Types of projects
- Use of life cycle, lifecycles used, and project management training
- Number of projects: on time, within budget, success, met requirements, and scope creep

Success from development life cycle and Project Management training

Conclusions
- Success factors: development lifecycle and training in project management
- These two aspects ranked in the top 2 in every category
- Lifecycles and project management do affect project success

Life cycles
Troubleshooting:
- Define the problem
- Testing and research
- Gather information
- Analysis
- Implement fix
- Did it resolve the problem?
Quality:
- Brainstorm possible problems
- Define the problem to resolve
- Brainstorm solutions
- Analyze solutions
- Implement solution
- Did it resolve the problem?

System or Software Development Lifecycle
- Planning
- Requirements
- Design
- Implementation
- Test
- Deployment
- Operations and Maintenance

SDLC and NIST

Zachman Model

Waterfall
- Project planning: overview of project, determining goals
- System analysis: requirements, goals of project
- System design: features, detailed operation, business case, process
- Implementation: writing code
- Integrate and test: testing environment, test interoperability, resolve issues
- Acceptance and deployment: production
- Maintenance
- Decommission

Secure development life cycle
- Planning
- Requirements
- Design
- Implementation
- Test
- Deployment
- Operations and Maintenance

Planning
- Who: representatives from all stakeholders
- What business strategies take priority
- Budget
- When is the deadline for the project to be accomplished
- Where in my network architecture will this reside
- Developing a system by analyzing and meeting the mission or business need of the information system using available and cost-effective technologies
- Security requirements dictate the technologies needed to protect system information
- Assess risk of the planned project
- Define scope
- Present to stakeholders/management for concurrence

Requirements
- Defining system requirements
- Defining security requirements
- Account management and access control
- Information flow
- System use parameters
- Verify requirements fall within scope (scope creep)
- Information input and output restrictions
- Estimated cost of implementation
- Compliance with regulations and policies
- Keep stakeholders/management informed (concurrence)

Scope Creep
- Process by which the project grows beyond its original requirements, function or features
- Properly documented and agreed-upon requirements
- Can cause cost and time overruns
- Need for good stakeholder communications
- Clearly defined scope of work
- Work process breakdown
- Written agreement on scope (requirements, function, and features)
- Understood, collaborated, defined, agreed upon, and cost effective

Design
- Necessary documentation
- Hardware and software redundancy
- Risk assessment and analysis
- Mitigating security controls documented
- Data requirements and protection
- Planning and basic testing of code and applications
- Open source or COTS
- Application and operating system hardening
- Keep stakeholders/management informed (concurrence)
- Beware of scope creep

Implementation
- System builds and software installation
- Vulnerability management
- System and application scanning
- Penetration testing where applicable
- Verify requirements are met
- Verify compliance with regulations and policies
- Contingency planning
- Risk assessment and privacy impact
- Documentation of standard operating procedures and processes
- Keep stakeholders/management informed (concurrence)

Test
- User testing
- Functionality
- Test backup and restore processes
- Update documentation
- User training
- Vulnerability management
- System and application scanning
- Penetration testing where applicable

Deployment
- Set up change management process
- Set up configuration management process
- System and user monitoring plan
- Auditing of security logs
- Security event and incident management
- Vulnerability management plan
- Risk management
- Stakeholder acceptance/authorization to proceed
- Feedback/concerns, requirements met, communications plan

Operations and Maintenance
- Periodic Change Control Board meetings
- Change and configuration control plan
- Periodic vulnerability scanning
- Vulnerability management plan
- Contingency plan updates and periodic tests
- Maintenance of standard operating procedures
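The phase slides above (Planning through Deployment) each list evidence a project should have before it moves on, and the Requirements and Scope Creep slides ask that later additions be agreed in writing. The following is an added example, not code from the presentation: it encodes those exit criteria as a phase-gate check over a constructed project record; the criterion names and the sample project data are assumptions made for illustration.

```python
"""Phase-gate check for the secure development lifecycle in the slides (constructed example)."""
from dataclasses import dataclass, field

# Exit criteria per phase, condensed from the Planning..Deployment slide bullets (assumed names).
GATES = {
    "Planning": ["stakeholders_identified", "scope_defined", "risk_assessed", "concurrence"],
    "Requirements": ["security_requirements", "compliance_reviewed", "cost_estimated", "concurrence"],
    "Design": ["risk_analysis", "controls_documented", "hardening_plan", "concurrence"],
    "Implementation": ["vuln_scan_clean", "requirements_verified", "sops_documented", "concurrence"],
    "Test": ["user_testing", "backup_restore_tested", "vuln_scan_clean"],
    "Deployment": ["change_mgmt", "config_mgmt", "log_auditing", "authorization_to_proceed"],
}
POST_BASELINE = ("Design", "Implementation", "Test", "Deployment")  # after requirements are agreed

@dataclass
class Requirement:
    rid: str
    in_baseline: bool        # agreed when the Requirements phase closed
    written_agreement: bool  # stakeholder sign-off for a later addition

@dataclass
class Project:
    evidence: dict                                     # criterion -> satisfied?
    requirements: list = field(default_factory=list)
    scan_findings: dict = field(default_factory=dict)  # severity -> open findings

def scope_creep(project):
    """Ids of requirements that grew beyond the agreed, written scope."""
    return [r.rid for r in project.requirements if not r.in_baseline and not r.written_agreement]

def gate_gaps(project, phase):
    """Exit criteria of `phase` not yet satisfied, in slide order; an empty list means proceed."""
    evidence = dict(project.evidence)
    # Derived criterion: scanning/pentesting left no open critical or high findings.
    evidence["vuln_scan_clean"] = all(
        project.scan_findings.get(sev, 0) == 0 for sev in ("critical", "high"))
    gaps = [c for c in GATES[phase] if not evidence.get(c, False)]
    creep = scope_creep(project)
    if phase in POST_BASELINE and creep:
        gaps.append("scope_creep:" + ",".join(creep))
    return gaps

# Constructed sample: design unfinished, two open high findings, R7 added without agreement, R8 with.
SAMPLE = Project(
    evidence={"stakeholders_identified": True, "scope_defined": True, "risk_assessed": True,
              "concurrence": True, "security_requirements": True, "compliance_reviewed": True,
              "cost_estimated": True, "risk_analysis": True, "controls_documented": True,
              "hardening_plan": False},
    requirements=[Requirement("R1", True, False), Requirement("R7", False, False),
                  Requirement("R8", False, True)],
    scan_findings={"high": 2, "medium": 5},
)
```

Running gate_gaps(SAMPLE, "Design") reports the missing hardening plan and the unagreed requirement R7, while the Implementation gate additionally blocks on the open high findings.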

SANS Critical Top 20 Security Controls
Controls of interest (Top 4+):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
12. Controlled Use of Administrative Privileges

Software Development Best Practices
- Development, test and production on separate systems and networks
  - VMs, NAT, ACLs
- Software development library
  - Retrieve to update
  - Update and put back in the library
  - Do not hold on a developer system
- Restrict access to production
- Software release process (controlled)
- Application scanning
  - Test and scan before release
  - Mitigate vulnerabilities

Industry Standards and Best Practices
- Source: tandard.pdf
- Source: OWASP Cheat Sheets

Secure Development Lifecycle Source:

Building Security in SDLC
- DHS Guidance: Improve Security and Software Assurance
- DHS Guidance: Secure Coding Sites and Training
- Microsoft Trustworthy Computing Initiative
- Open Web Application Security Project (OWASP)
- (ISC)2: Top 10 Best Practices for Secure Software Development (c2_wpiv.pdf)
- University of California Berkeley Security

Best Practices: Takes planning

Project Success Factors when using System Development Life Cycle  Q & A Session

Project Success Factors when using System Development Life Cycle
- IT Security Architecture Design
- Vulnerability Management
- Secure Development Lifecycle
- Risk assessments drive all IT security and risk management activities