
Software Process Improvement Through CMMI & ISO

Imran Hashim

Agenda:

- Introduction to CMMI
- CMMI Representations
- Key Stats
- CMMI Adoptions
- CMMI Appraisals
- SCAMPI Phases
- ISO 9001:2008 Quality Management System
- ISO 27001:2005 Information Security Management System

CMMI: Capability Maturity Model Integration

A process improvement technique for evaluating how efficiently a company is able to deliver technology products to its customers.

CMMI is a merger of process improvement models for:

- Systems engineering
- Software engineering
- Integrated product development
- Software acquisition

CMMI is:

- Used in process improvement activities as a collection of best practices
- A community-developed guide
- A model for organizational improvement

CMMI integrates the systems and software disciplines into one process improvement framework, and provides a framework for introducing new disciplines as needs arise.

Sponsored by the US Department of Defense; operated by the SEI (Software Engineering Institute).

Four CMMI constellations:

- CMMI for Development (CMMI-DEV): addresses the development of product and service systems.
- CMMI for Acquisition (CMMI-ACQ): designed to aid organizations that are acquiring products and services, or outsourcing the development or delivery of products and services.
- CMMI for Services (CMMI-SVC): to establish, manage, and deliver services that meet or exceed customer needs.
- People CMM: provides guidance to organizations for managing and developing their workforce.

CMMI history:

- 2010: Version 1.3 of CMMI for Acquisition, CMMI for Development, and CMMI for Services is released.
- 2006: CMMI for Development, V1.2 is released.
- 2002: CMMI V1.1 is released.
- 1995: Systems Engineering CMM, V1.1 is released.
- 1993: CMM for Software, V1.1 is released.

Staged Representation
A systematic, structured way to approach process improvement one step at a time. Achieving each step is a foundation for the next step. There are five levels of maturity.

Continuous Representation
A flexible approach to improving process performance. The organization may choose to improve a single process area (PA) or a group of PAs, and may improve each PA at a different rate. There are six levels of process capability.

Example: Process Area PP (Project Planning)

- SG1: Estimates of project planning parameters are established and maintained.
- SP1: Establish a top-level work breakdown structure (WBS) to estimate the scope of the project.

Maturity levels (staged representation):

- Level 5, Optimizing: focus on process improvement.
- Level 4, Quantitatively Managed: process measured and controlled.
- Level 3, Defined: process characterized for the organization and is proactive.
- Level 2, Managed: process characterized for projects and is often reactive.
- Level 1, Initial: process unpredictable, poorly controlled and reactive.

Process areas by category:

Project Management
- Project Planning
- Project Monitoring and Control
- Supplier Agreement Management
- Integrated Project Management
- Risk Management
- Quantitative Project Management

Support
- Configuration Management
- Process and Product Quality Assurance
- Measurement and Analysis
- Causal Analysis and Resolution
- Decision Analysis and Resolution

Engineering
- Requirements Management
- Requirements Development
- Technical Solution
- Product Integration
- Verification
- Validation

Process Management
- Organizational Process Focus
- Organizational Process Definition
- Organizational Training
- Organizational Process Performance
- Organizational Innovation and Deployment

In software and systems engineering, it is a benchmarking tool widely used by industry and government, both in the US and abroad. CMMI acts as a roadmap for process improvement activities. It provides criteria for reviews and appraisals. It provides a reference point to establish present state of processes. CMMI addresses practices that are the framework for process improvement.

The performance results in the following table are from different organizations that achieved a percentage change in one or more of the six categories of performance measures below:

Performance Category      Median Improvement
Cost                      34 %
Schedule                  50 %
Productivity              61 %
Quality                   48 %
Customer satisfaction     14 %
Return on investment      4:1

[Bar chart: Percentage Improvement (annual medians) for Productivity (increase), Time to market (reduction), and Post-release defect reports (reduction); the three bars read 39%, 35% and 19%.]

Since 2006, 4846 SCAMPI v1.2/1.3 appraisals have been reported to the SEI. Appraisal reports from China, Spain, Brazil, Argentina, and India are increasing at a rapid rate. The number of appraisals in the USA and China represents more than 55% of the total number of appraisals.

China is now reporting more appraisals than the USA.

A few of the market leaders who have been obtaining various benefits from CMMI:

DAEWOO, DELOITTE, HONEYWELL, HSBC, MITSUBISHI, NCR, US Army, ACER, IBM, HEWLETT PACKARD, SAMSUNG, JOHNS HOPKINS UNIVERSITY, NATIONAL NUCLEAR SOCIETY, INFOSYS, LOCKHEED MARTIN, ARAMCO, US Navy, HYUNDAI

The list below shows the overall adoption of CMMI at various levels.

CMMI LEVEL 5

CMMI LEVEL 3
- Netsol Technologies Pvt. Ltd.
- NCR Pakistan

CMMI LEVEL 2
- KalSoft (Pvt.) Ltd.
- Systems (Pvt.) Ltd.
- Digital Processing Units
- Interactive Convergence (Pvt.) Ltd.
- NADRA Pakistan
- ZTE Pakistan
- E-worx International Pvt. Ltd.
- Techlogix Pakistan (Pvt.) Ltd.
- Si3 System Innovations (Pvt.) Ltd.
- Abacus Consulting (Pvt.) Ltd.
- LMKR Pakistan (Pvt.) Ltd.
- E-Dev Technologies
- CARE Pvt. Ltd.
- Prosol (Pvt.) Ltd.
- PrisLogix (Pvt.) Ltd.
- Shaukat Khanum Memorial Cancer Hospital
- Innovative Pvt. Ltd.
- GeoPaq Technologies (Pvt.) Ltd.
- Avanza Solutions (Pvt.) Ltd.
- ACES Technosoft (Pvt.) Ltd.
- Matrix Systems (Pvt.) Ltd.
- ESOL PK (Pvt.) Ltd.
- i-engineering Pakistan Pvt. Ltd.
- infoTech Pakistan (Pvt.) Ltd.
- Information Architects Pvt. Ltd.

A CMMI appraisal is an examination of one or more processes by a trained team of professionals, using an appraisal reference model as the basis for determining the strengths and weaknesses of an organization.

Appraisals consider three categories of model components as defined in the CMMI:

- Required: specific and generic goals only.
- Expected: specific and generic practices only.
- Informative: includes subpractices and typical work products.

Three types of SCAMPI appraisals:

Class C Appraisal
- Initial assessment
- Provides a quick gap analysis of an organization's process relative to the CMMI
- Assesses the adequacy of a new process before it is implemented
- Monitors the implementation of a process
- Determines an organization's readiness for a Class B appraisal

Class B Appraisal
- Assesses progress towards a targeted CMMI maturity level
- Lower cost than a SCAMPI A
- Provides more detailed findings than Class C
- Determines an organization's readiness for a Class A appraisal

Class A Appraisal
- Most rigorous method
- The only method resulting in ratings
- Findings that describe the strengths and weaknesses of your organization's process relative to the CMMI
- Consensus regarding the organization's key process issues

SCAMPI phases:

- Phase I: Plan and Prepare for Appraisal
- Phase II: Conduct Appraisal
- Phase III: Report Appraisal Results

Practice implementation indicators (PIIs) are footprints: evidence of the implementation of a practice. SCAMPI appraisals use practice implementation indicators as the focus for verifying practice implementation. Verifying practice implementation is the review of objective evidence to determine whether a practice is implemented within a project and/or the organization.

Artifacts:
Tangible outputs resulting directly from the implementation of a specific or generic practice.

Affirmations:
Oral (interviews) or written statements confirming or supporting the implementation of a specific or generic practice.

Example: Process Area PP (Project Planning)

- SG1: Estimates of project planning parameters are established and maintained.
- SP1: Establish a top-level work breakdown structure (WBS) to estimate the scope of the project.
- Artifact: Work Breakdown Structure

CMMI Appraisal A: Interview Schedule

Date       Activity                          Timings             Participants
DD-MM-YY   Quality Assurance                 2:00 - 3:00 pm      QA Team
           Testing                           3:30 - 4:30 pm      Testing Team
           Process Engineering Group         5:00 - 6:00 pm      QA Team
DD-MM-YY   Project Manager - 1               09:30 - 10:30 am    PM-1
           Project Coordinator - 1           10:45 - 11:45 am    PC-1
           Project Manager - 2               12:00 - 1:00 pm     PM-2
           Project Coordinator - 2           2:00 - 3:00 pm      PC-2
           Configuration Management          3:00 - 4:00 pm      CM
           Procurement                       4:00 - 5:00 pm      Admin Manager
           Organizational Trainings          5:00 - 6:00 pm      HR Manager
DD-MM-YY   Project Manager - 3               09:30 - 10:30 am    PM-3
           Project Coordinator - 3           10:45 - 11:45 am    PC-3
           Project Manager - 4               12:00 - 1:00 pm     PM-4
           Project Coordinator - 4           2:00 - 3:00 pm      PC-4
           Technical Managers & Developers   3:00 - 4:00 pm      Development Team
           Sponsor                           4:45 - 5:00 pm      Mr. ABC

ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. ISO is a network of the national standards institutes of 163 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO has published more than 19,000 International Standards.

Quality Management System (QMS): the complete set of quality standards, procedures and responsibilities for an organization. It is the formalized system that documents the structure, responsibilities and procedures required to achieve effective quality management. A quality management system is a web of interconnected processes.

A QMS consists of:

- Policies
- Manuals
- Responsibilities
- Procedures
- Work Instructions
- Forms/Templates

Its aims are:

- Quality
- Consistency
- Traceability
- Resource Independence
- Continual Improvement

ISO is the official short title of the International Organization for Standardization. ISO 9001:2008 is an international standard for implementing a quality management system.

The ISO 9000 family:

- ISO 9000: Quality management systems - Fundamentals and vocabulary
- ISO 9001: Quality management systems - Requirements
- ISO 9004: Quality management systems - Guidance for improvements
- ISO 10011: Guidelines for auditing quality

In "ISO 9001:2008", 9001 is the series and 2008 is the version.

ISO 9000 provides a framework and systematic approach to managing business processes to produce a product/service that conforms to customer expectations.

Quality management principles:

- Customer focused organization
- Leadership
- Involvement of people
- Process approach
- Systematic approach to management
- Continual improvement
- Realistic approach to decision making
- Mutually beneficial supplier relationship

Major Clauses of ISO 9001:2008:

1. Scope
2. Normative reference
3. Terms and definitions
4. Quality Management System
5. Management Responsibility
6. Resource Management
7. Product Realization
8. Measurement, Analysis and Improvement

ISO 9001:2008 Model

[Figure: the ISO 9001:2008 process model, under the heading "Continual improvement of the quality management system". Customer requirements enter as input to Service/Product realization (Clause 7), whose output is the service/product and customer satisfaction. Around it sit Management responsibility (Clause 5), Resource Management (Clause 6) and Measurement, analysis and improvement (Clause 8). Legend: value adding activities; information flow.]

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and systems. An ISMS is a set of policies, procedures and processes concerned with information security.

Information security describes efforts to protect computer and non-computer equipment, data, and information from misuse by unauthorized parties.

Information security means protecting information and information systems from the following common threats:

- Unauthorized access
- Misuse of authorized access
- Improper handling of information
- Physical theft of information or information systems
- Environmental hazards (flood, fire, etc.)
- Malicious software programs (viruses/worms/trojans)
- Utility failure (power, water, heat, etc.)

Information security is intended to achieve three main objectives:

- Confidentiality: protecting data and information from disclosure to unauthorized persons
- Availability: making sure that the data and information is only available to those who are authorized to use it
- Integrity: information systems should provide an accurate representation of the physical systems that they represent

Today, organizations' core business processes are supported by information and communication systems. Any interruption in the quality, quantity, distribution or relevance of information puts the business at risk.

So organizations need to actively manage the security of their information and communication systems.

An ISMS consists of the following steps:

1. Identifying the threats that can attack the organizational information resources
2. Defining the risks that the threats can impose
3. Establishing an information security policy
4. Implementing controls that address the risks
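The four ISMS steps above can be walked through as a small risk register: the threats are identified, each threat against an asset is rated into a risk, the policy sets a risk appetite that decides which risks must be treated, and a control is implemented to reduce the residual risk. The Python below is an added illustration written for this page, not material from the slides or from ISO 27001. The threat names and control categories are the ones the slides list; the 5x5 likelihood-by-impact scale, the level thresholds, the threat-to-control mapping and the sample assets are all assumptions made for the example.

```python
"""Toy ISMS risk register: identify threats -> define risks -> policy (appetite)
-> implement controls.  Added example; scale, thresholds, threat-to-control
mapping and sample assets are assumptions, not text from the slides."""
from dataclasses import dataclass, replace

# Assumed rating bands: score = likelihood * impact, each on a 1..5 scale.
RISK_LEVELS = (("Low", 5), ("Medium", 11), ("High", 17), ("Critical", 25))

# Threats listed on the slides -> ISO 27001:2005 control category named on the
# slides.  The pairing is this example's assumption, not part of the standard.
THREAT_CONTROLS = {
    "Unauthorized access": "Access Control",
    "Misuse of authorized access": "Access Control",
    "Improper handling of information": "Asset Management",
    "Physical theft": "Physical and environmental security",
    "Environmental hazards": "Business continuity management",
    "Malicious software": "Communications & Operations Management",
    "Utility failure": "Business continuity management",
}


def rate(score: int) -> str:
    """Map a 1..25 score onto the assumed qualitative bands."""
    for name, ceiling in RISK_LEVELS:
        if score <= ceiling:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1..5
    impact: int      # 1..5

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        if self.threat not in THREAT_CONTROLS:
            raise KeyError(f"unknown threat: {self.threat}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return rate(self.score)

    @property
    def control(self) -> str:
        return THREAT_CONTROLS[self.threat]


def build_register() -> list:
    """Steps 1-2: constructed sample register (assets and ratings are made up)."""
    return [
        Risk("Customer database", "Unauthorized access", 4, 5),
        Risk("Customer database", "Malicious software", 3, 4),
        Risk("Office laptops", "Physical theft", 3, 3),
        Risk("Data centre", "Utility failure", 2, 5),
        Risk("Data centre", "Environmental hazards", 1, 5),
        Risk("Payroll files", "Improper handling of information", 2, 3),
        Risk("HR system", "Misuse of authorized access", 3, 4),
    ]


def treatment_plan(register: list, appetite: str = "Medium") -> list:
    """Step 3: the policy's risk appetite; anything rated above it is treated,
    worst first (ties keep register order)."""
    order = [name for name, _ in RISK_LEVELS]
    limit = order.index(appetite)
    above = [r for r in register if order.index(r.level) > limit]
    return sorted(above, key=lambda r: r.score, reverse=True)


def treat(risk: Risk, effectiveness: float) -> Risk:
    """Step 4: a control that cuts likelihood by `effectiveness` (0..1).
    Returns the residual risk; likelihood never drops below 1."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be in 0..1")
    residual = max(1, round(risk.likelihood * (1 - effectiveness)))
    return replace(risk, likelihood=residual)


def controls_by_demand(register: list) -> dict:
    """How many register entries each control category would address."""
    counts = {}
    for r in register:
        counts[r.control] = counts.get(r.control, 0) + 1
    return counts


if __name__ == "__main__":
    reg = build_register()
    for r in treatment_plan(reg):
        residual = treat(r, 0.5)
        print(f"{r.asset:18} {r.threat:32} {r.level:8} -> {r.control}; "
              f"residual: {residual.level}")
```

With a "Medium" appetite only the Critical and High entries reach the treatment plan, and the same control category (Access Control) turns up for two of them, which is the kind of grouping an ISMS uses to prioritise which of the 11 categories to implement first.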

ISO 27001 is a specification for an Information Security Management System (ISMS). ISO 27001 defines 133 security controls under 11 main security categories. It covers all forms of information, including voice and graphics, and media such as mobile phones.

ISO 27001 control categories (with example control objectives):

- Security Policy: information security policy document; review of the information security policy
- Organization of information security: internal organization; external parties
- Asset Management: responsibility for assets
- Human Resource Security: prior to employment; during employment; after employment
- Physical and environmental security: secure areas; equipment security
- Communications & Operations Management: operational procedures and responsibilities; media handling
- Access Control: access control policy; user access management; network access control
- Information system development and maintenance: security of system files; cryptographic controls
- Information security incident management: reporting information security events and weaknesses; management of information security incidents and improvements
- Business continuity management: business continuity planning framework; business continuity and risk assessment
- Compliance: compliance with legal requirements; compliance with security policies and standards, and technical compliance

ISO 27001 offers a structured process approach to identifying your own information security issues, and to finding the appropriate ways and methods to reduce or eliminate the identified information security risks. ISMS certification brings confidence that a systematic approach is in place, assuring the confidentiality, integrity and availability of information.

Thank You
