
About the Presentations

The presentations cover the objectives found in the
opening of each chapter.
All chapter objectives are listed in the beginning of
each presentation.
You may customize the presentations to fit your
class needs.
Some figures from the chapters are included. A
complete set of images from the book can be found
on the Instructor Resources disc.

Cybersecurity: Engineering a
Secure Information Technology
Organization, 1st Edition
Chapter 1
Lifecycle Management

Objectives
Understand the role of lifecycle management in the
production of secure ICT products
Understand the status of the ICT industry and why it
is not always trustworthy
Understand the role of common standards in the
definition of reliable organizational processes
Understand the role and application of ISO 12207-2008 in shaping enterprise architecture

Cybersecurity: Engineering a Secure Information Technology


Organization, 1st Edition

Cengage Learning 2015

Lifecycle Management
Failure to manage an information and
communications technology (ICT) operation using
a rational lifecycle:
Leads to unreliable and insecure products

ICT systems have become globally connected
through layers of software
A security breakdown in any of these layers might
lead to personal tragedy or disaster

Primary contributor to rise in cybercrime:
Vulnerability of America's ICT system to exploitation
through defects in their construction

Lifecycle Management
ICT development and sustainment processes are
complex
Managers find it difficult to oversee and control the
work

Managers must create a reliable monitoring
capability enabling them to understand the status
of projects they supervise
The first section of this textbook explains standard
practices for ensuring visibility and control over ICT
processes

Why ICT Companies Need to Change the Way They Do Business
Results of annual Chaos surveys conducted by
the Standish Group over the past decade:
32% of all projects were delivered on time, on
budget, with required features and functions
44% of all projects were late, over budget, or
delivered with less than the required features and
functions
24% were cancelled prior to completion or delivered
and never used

Capers Jones has consistently found that between
25-60% of all projects fail

Why ICT Companies Need to Change the Way They Do Business
ICT products must be able to resist deliberate
attacks and exploitations
The right kind of defect in an ICT system that is
exploited by the wrong type of adversary can lead
to a disastrous outcome
Excuses for ICT product defects are no longer
acceptable


The ICT Industry is Significantly Profitable and Globally Influential
Common causes of project failure (based on a
2008 study published in CIO magazine):
The project lacked the right staff with the right skills
The project lacked experienced project managers
The project did not follow a standard, repeatable
project management process
The staff was inflexible in dealing with customers
The project did not track changes to scope
The project lacked up-to-date data about its status
Problems were not resolved when identified

The ICT Industry is Significantly Profitable and Globally Influential
Common causes of project failure (based on a
2008 study published in CIO magazine) - cont'd:
Project team members did not take the time to
define the scope
Management failed to see the dependencies
between projects


The ICT Industry is Significantly Profitable and Globally Influential
TechRepublic divides ICT organizational failures
into six categories:
Failure to satisfy intent
Sponsor failure
Design and definition/scope failure
Communications failure
Project discipline failure
Supplier/vendor failure


The ICT Industry is Significantly Profitable and Globally Influential
The overall purpose of lifecycle management is to
manage people, equipment, and financial
resources in a coordinated and systematic way
It is critical that lifecycle processes provide direct
support for business goals

The most common cause of failure:
A lack of project management (execution) and the
project manager's lack of skill or inability to monitor
project activity


Business Realities versus Due Care


Basic problem with producing an ICT system:
Human actions must be captured and mirrored in
program code and then embodied in hardware in a
way that is appropriate and correct for the user
Unpredictability of human behavior makes absolute
correctness impossible to achieve

Creativity is required to make the product
responsive to a reasonable set of conditions and
requirements


Business Realities versus Due Care


Systematic assurance of best practice throughout
the lifecycle yields two benefits:
Production is more cost efficient
Overall product quality is better

Increasing the general capability of the
organization's development, sustainment, and
acquisition processes:
Leads to fewer original mistakes and less costly
rework
Rework represents the predominant cost of an ICT
product

Business Realities versus Due Care


A company that ensures all workers function at a
basic level of competence is likely to develop
trustworthy products
Floor capability: a minimum level of acceptable
performance
Process entropy: a tendency toward
disorganization that causes breakdowns in correct
practice
Generally the consequence of overly rapid advances
in hardware and ICT functionality and intensely
competitive business pressure

Business Realities versus Due Care


Standards: comprehensive and coherent
documentation of accepted best practices
The organization that follows a disciplined set of
best practices can duplicate its successes as well
as learn from its failures
Enterprise architecture: a specific array of
tailored practices designed to accomplish a
particular task or fulfill a requirement for the entire
organization


The ICT Lifecycle: a Definition


The continuing presence of a large number of
defects in ICT products reinforces the idea that the
industry needs a better-organized approach to ICT
process management
The definition and documentation processes are
labor intensive and difficult to carry out
Standardizing an undefined and ad hoc process
leads to decreased costs of production


Cybersecurity: Engineering a Secure Information


Technology Organization, 1st Edition

Cengage Learning 2014


Implementing Best Practice using a Single Framework
Given the range of activities embodied in ICT work:
An accepted model has to be broad and
comprehensive

Umbrella framework: a large-scale standard set of
recommendations for a comprehensive area of
interest
Named after their intent, which is to cover the field

Waterfall: the conventional development lifecycle
model that incorporates five stages into a process
to produce ICT

Implementing Best Practice using a Single Framework
In the umbrella model of lifecycle activity:
A single framework defines all aspects of the
functional and supporting processes for every ICT
project

The process defined by umbrella models
incorporates a set of fundamental steps or phases
that advance the development project to its
eventual completion
Umbrella models are oriented toward describing a
total process rather than just the development
aspects

The Benefit of Standards


Standards formalize how a product is made and
evaluated
They provide a tangible and practical basis for
continuously developing and improving the way a
large organization carries out its ICT work

A standardized framework clarifies the requisite
policies and procedures for defining and relating all
of the components
Provides the stable point of reference that lets a
manager develop necessary information to oversee
a project

The People Factor: The Role of Disciplined and Properly Motivated Performance

A business must take steps to ensure a
consistent understanding of what a best practice
means to workers

Best practices are developed and documented by an
organization to ensure common understanding for
how a task should be carried out

Importance of motivation:
Initiates, directs, and sustains all forms of behavior
Ensures a person's willingness to consistently
execute a given task or achieve a specific goal

Maintaining a Floor Capability


Critical ICT requirement:
Defining and enforcing best practices that maintain a
basic level of lifecycle capability

These procedures should become the blueprint for
maintaining a fundamental level of consistency in
employees' work
A single set of lifecycle activities that attempt to
ensure a floor level of capability is the best way to
counteract varying individual skills and abilities


Strategic Management of the Lifecycle


The role of strategic management:
To establish and sustain the proper long-term
functioning of a business process

Effective lifecycle management starts by:
Creating an enterprise-wide operation whose
purpose is to integrate all lifecycle components into a
single unified management function

ICT lifecycle: a formal series of steps designed to
produce a properly functioning product that meets
user requirements

Strategic Management of the Lifecycle


Strategic management's objective is to keep proper
alignment between overall goals of the organization
and the key activities that are carried out to achieve
those goals
A detailed level of planning is required to
implement and integrate the components of a
lifecycle management process
Conventional functions of everyday lifecycle
development and sustainment should operate
within the larger control framework

Aligning the ICT Lifecycle with the Business Purpose
Tailoring: the process of adapting the generic
recommendations of a model or standard to the
specific situation it was meant to address
Is done by identifying the unique issues, problems,
and criteria associated with each activity for which
the manager is responsible

The outcome of the tailoring process is an explicit
set of practices that represent standard operating
procedure for the organization


Creating a Systematic Lifecycle Management Process
Starting point for establishing a systematic lifecycle
management process:
To develop an overall approach to everyday work
across the organization

The approach should:
Comprise major components of the ICT assurance
function as well as resource requirements
Define each major component in the process and
identify resources needed to support function
Specify the actions that will be taken to ensure
management review and control

Creating a Systematic Lifecycle Management Process
A strategic implementation plan must be created
Defines the entire set of activities in the lifecycle
Definition is general in scope but substantive in the
actions it recommends
Developed using a top-down process that runs from
general assurance requirements to explicit standard
tasks for each requirement

The aim of this overall process is to provide a
detailed description of the work to be done
Including a description of the relevant relationships
between components

Creating a Systematic Lifecycle Management Process
Controls: activities built into an organization's
process that are designed to ensure a reliable and
repeatable state
The structure of the controls should flow naturally
from the overall goals of the business's strategic
governance process
The controls are tangible mechanisms for enforcing
required behavior
All activities within the structure must achieve a
documented purpose within the organization

Making Concrete Arrangements for Lifecycle Management
The lifecycle is composed of:
A concrete set of rationally derived and logically
interacting management and technical controls put
into place to achieve a defined outcome

The controls are typically expressed as a set of
policies, procedures, and work instructions that
work together to achieve the organization's goals
If work instructions are properly defined:
They provide specific direction to guide managers in
their day-to-day decision making

Implementing a Company-Wide Process
Alignment: a provable relationship between an
organization's business goals and the underlying
process to achieve those goals
Efficient use of resources is the primary reason that
alignment is important
If lifecycle management activities are aligned with
its business goals:
None of the resources allotted to carry out these
processes are wasted
Represents a distinct competitive advantage

Factoring People into the Plan


A critical element to strategic lifecycle management
is the ability to ensure effective cooperation among
the people who execute it
The special talents and insights of people who
manage ICT development and sustainment should
not be excluded from the overall corporate strategy
ICT managers have had a long history of isolation
from corporate policy making


Oversight and Day-to-Day Lifecycle Management
The comparison of performance against a stable
set of benchmarks gives managers the insight they
need to exercise control over their operation
Benchmarks provide the consistent point of
reference needed to assess the performance of
technical work
Allow managers to gauge its progress
Gives managers the insight they need to assure that
their operation is functioning properly


Lifecycle Management versus Assurance: A Distinction
Generic ICT assurance models do not define the
structure of the ICT process as a whole
ICT assurance practices ensure that all instances
of an ICT product are developed, configured, and
maintained in a dependable manner
The goal of lifecycle management is to ensure that
an organization's lifecycle activities are fully
defined, understood, and reliably executed over
time
To maintain a consistent management process

Summing Up Lifecycle Management


The presence of well-defined processes that
embody a standard set of practices ensures that
the overall lifecycle management function is
operating properly
And is fully aligned with the overall strategic
purposes of the organization

A commonly accepted and implemented framework
enables all stakeholders to know what is expected
Risk mitigation: steps taken to reduce the impact
of a given event
A framework underwrites accountability

Adopting a Single Standard to Minimize ICT Defects
The 12207-2008 standard from the International
Standards Organization (ISO) provides the generic
model that defines the ideal structure of the ICT
process
Serves as a stable basis for defining a lifecycle
management framework applicable to any form of
ICT operation
Provides a commonly recognized, worldwide basis
for standardizing terminology and processes to
manage any software or ICT development,
sustainment, or acquisition process

Adopting a Single Standard to Minimize ICT Defects
Many ICT organizations favor technology solutions
over process
Generally described as the silver bullet mindset

Alternative to the silver-bullet approach is a fully
defined and standardized process
Standards serve as benchmarks for best practice
Used as a measuring stick to leverage management
control
Used to create and maintain the consistent policy
and procedure framework

Adopting a Single Standard to Minimize ICT Defects
ISO 12207 documents the common elements in
the ICT lifecycle
From initial concept through retirement

ISO 12207 consists of processes for acquiring and
supplying ICT products and services
The U.S. version of the IEEE/EIA 12207 standard
provides detailed information about the form and
content of the documentation that makes up each
process


Adopting a Single Standard to Minimize ICT Defects
Activities that may be performed during the
lifecycle are grouped into categories:

Agreement processes
Organizational project-enabling processes
Project processes
Technical processes
ICT-specific processes
ICT support processes
ICT reuse processes


Adopting a Single Standard to Minimize ICT Defects
Organizations need to detail the work required to
achieve real-world goals:
Must adopt a unified process model as a foundation
for tailoring a specific application to the business (the
12207 standard)
Must establish specifications for each process
element
Specific policies and procedures are defined within a
detailed structure that fits the culture and goals of
the business

Tailoring a Solution
The ISO 12207 model alone does not provide
sufficiently detailed guidance to make an
organization manageable
Processes within the framework still have to be
tailored to fit each given situation

The outcome of the tailoring process:
A set of activities that concretely represent the
standard's ideal process recommendations

The task level
Should consist of a set of actions for each participant
in the process

Tailoring a Solution
Tasks are an explicitly defined set of work
instructions for a particular role in the process
Work instructions are project specific and generally
cannot be applied to another project
They represent an organization's current best
approach to executing the tasks required for a given
project

To ensure the production, sustainment, and
acquisition of defect-free ICT, an organization must
implement a framework of ideal processes
This framework is called an architecture

Tailoring a Solution
Goals of tailoring are achieved in three standard
steps:
A commonly accepted model for secure practice has
to be adopted as a best-practice foundation
Particular activities are specified for each process
Tasks are assigned in the form of explicit work
instructions

A formal process plan is an official document an
organization uses to ensure that the project follows
best practice
Documents details for executing each process

Summing up the ISO 12207 Standard


ISO 12207 provides the basis for defining the
systematic activities, roles, and tasks of the ICT
lifecycle
Is applicable to every ICT organization
Is useful in complex systems when the requirement
for integration places exceptional demands on
coordinating the process

Compliance to 12207 is defined as the
performance of all processes, activities, and tasks
identified as appropriate in the tailoring process

Summing up the ISO 12207 Standard


Two potential types of 12207 compliance:
Absolute compliance: processes, activities, and
tasks are specified as mandatory
Tailored compliance: alternative methods for some
processes are specified

The 12207 standard is best employed as a
classification hierarchy to guide use of the right set
of processes, activities, and tasks to a practical
definition of the lifecycle for everyday work


Summary
The ICT lifecycle is composed of a coherent set of
best practices, and is defined by policies
To develop a successful, defect-free ICT product, a
disciplined set of practices has to be adopted and
followed
Lifecycle management planning is strategic in focus; it
entails the design of the approach used to build,
acquire, or sustain ICT
Lifecycle management ensures alignment between
the organization's ICT process and its business goals

Summary
Disciplined and repeatable processes involve less
rework and are therefore less costly and more
efficient than processes that are not properly
disciplined
Lifecycle management monitors the status of each
project
Status is determined by adherence to benchmarks
