Project Success Factors when using System Development Life Cycle IT Symposium October 2015 By Edward M. Dennis.


1 Project Success Factors when using System Development Life Cycle IT Symposium October 2015 By Edward M. Dennis

2 Project Success Factors when using System Development Life Cycle
• Introduction (slide 3-6)
• Thank You

3 What IT costs
• In the mid-1960s, less than five percent of American capital expenditures. (Carr, 2003)
• At the turn of the century nearly 50 percent of capital expenditures went to IT (Carr, 2003)
• 2012 and 2013 IT expenditures totaled 3.5 trillion worldwide (Gartner, 2013)
• Over the next five years this will go up 2.1, 3.7, 3.8, 3.4, and 3.2 percent respectively (Gartner, 2013).

4 Zachman
• John Zachman - relationship between following a lifecycle framework and success (Zachman, 1987)
• Classical engineering – construction of buildings, roads and bridges (Zachman, 1987)
• Classic Engineering Lifecycle process
  • Requirements
  • Design w/innovation
  • Reliability (testing)
  • Implementation
  • Use and eventual destruction (Spector, A. and D. Gifford, 1986).

5 Bridges to nowhere

6 The Standish Group and CHAOS
• 1994 - 69 percent reached O&M
• 2012 – 82 percent reached O&M
• Success = on time within budget and met requirements

7
| # | Standish Report 1994 | Standish Report 2013 | 2015 Survey of Participants |
|---|---|---|---|
| 1 | User involvement | Executive management support | Skilled resources |
| 2 | Executive management support | User involvement | User, customer involvement |
| 3 | Clear statement of requirements | Clear business objectives | Agile process |
| 4 | Proper planning | Emotional maturity | Tools and infrastructure |
| 5 | Realistic expectations | Optimizing scope | Clear business objectives |
| 6 | Smaller project milestones | Agile process | Project management expertise |
| 7 | Competent staff | Project management expertise | Team member maturity |
| 8 | Ownership | Skilled resources | Project execution based plan |
| 9 | Clear vision and objectives | Execution | Executive management support |
| 10 | Hard-working, focused staff | Tools and infrastructure | Optimization of scope |

8 All respondents results

9 Survey
• Role in IT
• Level in education
• Certifications
• Experience in IT and in this position
• Experience on team
• Types of projects
• Use of life cycle, lifecycles used, and project Management training
• Number of projects, on time, within budget, success, met requirements, and scope creep

10 Success from development life cycle and Project Management training

11 Conclusions
Success factors: Development Lifecycle and training in Project Management
• These two aspects ranked in the top 2 in every category
• Lifecycles and project management do affect project success

12 Life cycles
Troubleshooting
• Defining the problem
• Testing and research
• Gather information
• Analysis
• Implement fix
• Did it resolve problem
Quality
• Brainstorm possible problems
• Define problem to resolve
• Brainstorm solutions
• Analyze solutions
• Implement solution
• Did it resolve problem

13 System or Software Development Lifecycle
• Planning
• Requirements
• Design
• Implementation
• Test
• Deployment
• Operations and Maintenance

14 SDLC and NIST

15 Zachman Model

16 Waterfall
• Project planning – overview of project – determining goals
• System analysis – requirements, goals of project
• System Design – features, detailed operation, business case, process
• Implementation – writing code
• Integrate and test – testing environment – test interoperability, resolve issues
• Acceptance and deployment – production
• Maintenance
• Decommission

17 Secure development life cycle
• Planning
• Requirements
• Design
• Implementation
• Test
• Deployment
• Operations and Maintenance

18 Planning
• Who – representatives from all stakeholders
• What business strategies take priority
• Budget
• When is the deadline for the project to be accomplished
• Where in my network architecture will this reside
• Developing a system by analyzing and meeting mission or business need of the information system using available and cost-effective technologies
• Security requirements dictate technologies needed to protect system information
• Assess risk of project planned
• Define scope
• Present to stakeholders/management for concurrence

19 Requirements
• Defining system requirements
• Defining security requirements
• Account management and access control
• Information flow
• System use parameters
• Verify requirements fall within scope (scope creep)
• Information input and output restrictions
• Estimated cost of implementation
• Compliance with regulations and policies
• Keep stakeholders/management informed (concurrence)

20 Scope Creep
• Process by which the project grows beyond its original requirements, function or feature
• Properly documented and agreed-upon requirements
• Can cause cost and time overruns
• Need for good stakeholder communications
• Clearly defined scope of work
• Work process breakdown
• Written agreement on scope (requirements, function, and features)
• Understood, collaborated, defined, agreed upon, and cost effective

21 Design
• Necessary documentation
• Hardware and software redundancy
• Risk assessment and analysis
• Mitigating security controls documented
• Data requirements and protection
• Planning and basic testing of code and applications
• Open source or COTS
• Application and Operating system hardening
• Keep stakeholders/management informed (concurrence)
• Beware of scope creep

22 Implementation
• System builds and software installation
• Vulnerability Management
• System and application scanning
• Penetration testing where applicable
• Verify requirements are met
• Verify compliance with regulations and policies
• Contingency planning
• Risk assessment and Privacy Impact
• Documentation of Standard Operating Procedures and Processes
• Keep stakeholders/management informed (concurrence)

23 Test
• User testing
• Functionality
• Test backup and restore processes
• Update documentation
• User training
• Vulnerability Management
• System and application scanning
• Penetration testing where applicable

24 Deployment
• Set up Change management process
• Set up configuration management process
• System and user monitoring plan
• Auditing of security logs
• Security Event and Incident Management
• Vulnerability Management Plan
• Risk Management
• Stakeholder acceptance/Authorization to proceed
• Feedback/concerns, requirements met, Communications Plan

25 Operations and Maintenance
• Periodic Change Control Board Meetings
• Change and configuration Control Plan
• Periodic Vulnerability Scanning
• Vulnerability Management Plan
• Contingency Plan updates and periodic test
• Maintenance of Standard Operating Procedures

26 SANS Critical Top 20 Security Controls
Controls of Interest (Top 4+):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
12. Controlled Use of Administrative Privileges

27 Software Development Best practices
• Development, test and production on separate systems and networks
• VMs, NAT, ACLs
• Software Development library
• Retrieve to update
• Update and put back in library
• Do not hold on developer system
• Restrict access to production
• Software release Process (controlled)
• Application Scanning
• Test and scan before release
• Mitigate vulnerabilities

28 Industry Standards and Best Practices
Source: http://www.servicecatalog.dts.ca.gov/services/professional/security/docs/3117_network_architecture_standard.pdf
Source: OWASP Cheat Sheets

29 Secure Development Lifecycle
Source: http://www.microsoft.com/en-us/SDL/adopt/tools.aspx

30 Building Security in SDLC
• DHS Guidance – Improve Security and Software Assurance
  • https://buildsecurityin.us-cert.gov/
• DHS Guidance – Secure Coding Sites and Training
  • https://buildsecurityin.us-cert.gov/resources/secure-coding-sites
• Microsoft Trustworthy Computing Initiative
  • http://www.microsoft.com/en-us/twc/
• Open Web Application Security Project (OWASP)
  • https://www.owasp.org/index.php/Main_Page
• (ISC)²® – Top 10 Best Practices for Secure Software Development
  • https://www.isc2.org/uploadedfiles/%28isc%292_public_content/certification_programs/csslp/isc2_wpiv.pdf
• University of California Berkeley Security
  • https://security.berkeley.edu/content/application-software-security-guidelines

31 Best Practices - Takes planning

32 Project Success Factors when using System Development Life Cycle
• Q & A Session

33 Project Success Factors when using System Development Life Cycle IT Sec Architecture Design Vulnerability Management Secure Development Lifecycle Risk Assessments Drive All IT Security and Risk Management Activities

