Part 1: IS Lifecycle Management
IS lifecycle Management in Context
IS development is a risky activity
IS not operating as expected: limited functionality, bugs, etc.
Objective of this CISA Job Practice Area: “CISA candidates understand and can provide assurance that the management practices for development / acquisition, testing, implementation, maintenance and disposal of IS and infrastructure will meet the organization’s objectives”
IS auditor’s role:
To reduce the risk of failure for IS development projects (risky activity):
Good project management practices
Good IS development, IS acquisition and IS maintenance practices
To ensure that controls designed during SDLC are sufficient and work as expected
To evaluate change control process during the maintenance of IS
To review the post‐implementation phase of IS to determine whether project deliverables and organization's requirements are met
Why does the IT auditor need to know this? Because the auditor will have to audit these activities: compare what should be practiced against what is actually practiced, and report any discrepancies.
Project Management basics
Every project is constrained in different ways by its
Scope goals: What is the project trying to accomplish?
Time goals: How long should it take to complete?
Cost goals: What should it cost?
Project manager’s duty: Balance these three often competing goals
Good, fast, and cheap: if it is fast and cheap, it is not going to be good; if it is good and cheap, it is not going to be fast; if it is fast and good, it is not going to be cheap.
Standards and guidelines that help meet this triple constraint include:
Project Management Body of Knowledge (PMBOK)
Projects in Controlled Environments (PRINCE2)
Project management: Application of knowledge, skills, tools and techniques applied to a broad range of activities to achieve a stated objective such as developing a new IS
PM: Roles, responsibilities & structure
Typical stakeholders include:
Senior management: Provides necessary resources (they give money)
Project steering committee: Project oversight board ultimately responsible
Project sponsor: Responsible for the project’s business case, works with project manager to ensure success and allocate funding
Project manager: Responsible for day‐to‐day management of the project team
Auditor: Reviews activities & ensures output meets quality standards (QA team)
Other: IS development project team, user project team, IT security officer, etc.
Project organizational forms: Define relationship between people involved in the project
Pure project: Project manager is given formal authority over project team members, even though those team members do not otherwise report to the project manager
Influencer: Functional manager has formal authority over project team members; the project manager can only influence the functional manager
Weak matrix: Project manager has no authority and is part of the sponsoring function
Balanced matrix: Project manager and functional manager share authority over team
Strong matrix: Project manager is given authority over project team members and project team members report to project manager
PM: Team & Objectives
Management needs to establish priorities for members who have other responsibilities
Kick‐off meeting that allows members to:
Get to know each other
Discuss goals of the project and required tasks and focus on the deliverables
Perform team‐building activities
Four-stage team development: Forming, Storming, Norming and Performing
Forming: Individuals are getting to know one another and identifying the skills that are needed.
Storming: Discussing what needs to be done. Storming often starts where there is a conflict between team members' natural working styles.
Norming: Bringing people in line with what needs to be done.
Performing: Achieving the team's goal.
First, specific, measurable and relevant (i.e., related to business objectives) project objectives must be established. Example: reduce annual storage cost.