Development and Acquisition Booklet

From HORSE - Holistic Operational Readiness Security Evaluation.

Development and Acquisition

Development and acquisition is defined as “an organization’s ability to identify, acquire, install, and maintain appropriate information technology systems.” The process includes the internal development of software applications or systems and the purchase of hardware, software, or services from third parties.

The development, acquisition, and maintenance process includes numerous risks. Effective project management influences operational risks (also referred to as transactional risks). These risks include the possibility of loss resulting from inadequate processes, personnel, or systems. Losses can result from errors; fraud; or an inability to deliver products or services, maintain a competitive position, or manage information.

The Development and Acquisition guidance section describes common project management activities and emphasizes the benefits of using well-structured project management techniques. The section details general project management standards, procedures, and controls and discusses various development, acquisition, and maintenance project risks. Action summaries highlight the primary considerations within each section. Examiners should use the summaries to identify primary issues within each section, but should be aware the summaries are not substitutes for reading the entire document.

Examination Objectives

The objectives of reviewing development, acquisition, and maintenance activities are to identify weaknesses or risks that could negatively impact an organization, to identify entities whose condition or performance requires special supervisory attention, and to subsequently effect corrective action.

Examiners should conduct risk-focused reviews that assess the overall effectiveness of an organization’s project management standards, procedures, and controls. Examiners should not expect organizations to employ elaborate project management techniques in all situations. However, organizations should employ project management standards, procedures, and controls commensurate with the characteristics and risks of their development, acquisition, and maintenance projects.

Standards

The critical importance technology plays in financial institutions dictates the use of appropriate development, acquisition, and maintenance standards. Standards do not guarantee that organizations will appropriately develop, acquire, and maintain technology systems. However, standards do enhance management’s control over projects, thereby decreasing project risks. Well-defined standards help ensure systems are obtained in an efficient manner, operate in a secure and reliable environment, and meet organizational and end-user needs. Therefore organizations that routinely complete projects should establish comprehensive standards, policies, and procedures that meet project and organizational needs and reduce project risks.

Accounting for Software Costs

Organizations must correctly account for the costs associated with the acquisition and development of software for internal use. The American Institute of Certified Public Accountants’ Statement of Position (SOP) 98-1 requires organizations to capitalize or expense various costs associated with obtaining and developing internally used software. Management should become familiar with SOP 98-1 and other applicable accounting standards and discuss specific capitalization and expense issues with its accountants.

Information Security

Information security is a critical part of internally and externally developed software. Institutions should consider information security requirements and incorporate automated controls into internally developed programs, or ensure the controls are incorporated into acquired software, before the software is implemented.

Development and Acquisition Project Management

Project management in its basic form involves planning and completing a task. Technology-related tasks include ongoing operational activities and one-time projects. A project’s impact on operations must be a key consideration when assessing development, acquisition, and maintenance activities.

Detailed project plans, clearly defined expectations, experienced project managers, realistic budgets, and effective communication significantly enhance an organization’s ability to manage projects successfully. Ineffectively managed projects often result in late deliveries, cost overruns, or poor quality applications.

Inferior applications can result in underused, insecure, or unreliable systems. Retrofitting functional, security, or automated-control features into applications is expensive, time consuming, and often results in less effective features. Therefore organizations must manage projects carefully to ensure they obtain products that meet organizational needs on time and within budget.

Organizations use various methods to manage technology projects. The systems development life cycle (SDLC) is the primary project management methodology described in this booklet. The SDLC is used for illustrative purposes because it provides a systematic way to describe the numerous tasks associated with software development projects. Organizations may employ an SDLC model or alternative methodology when managing any project, including software development, or hardware, software, or service acquisition projects. Regardless of the method used, it should be tailored to match a project’s characteristics and risks. Boards, or board-designated committees, should formally approve project methodologies, and management should approve and document significant deviations from approved procedures.

System Development Life Cycle

Structured project management techniques (such as an SDLC) enhance management’s control over projects by dividing complex tasks into manageable sections. Segmenting projects into logical control points (phases) allows managers to review project phases for successful completion before allocating resources to subsequent phases.

The number of phases within a project’s life cycle is based on the characteristics of a project and the employed project management methodology. A five-step process may only include broadly defined phases such as prepare, acquire, test, implement, and maintain. Typical software development projects include initiation, planning, design, development, testing, implementation, and maintenance phases. Some organizations include a final, disposal phase in their project life cycles.

The activities completed within each project phase are also based on the project type and project management methodology. All projects should follow well-structured plans that clearly define the requirements of each project phase.

Alternative Development Methodologies

The SDLC provides a logical approach to managing a sequential series of tasks. However, a drawback to using a traditional SDLC is that project risks may not be adequately controlled if tasks are completed in a strictly sequential manner. For example, using a traditional SDLC methodology, users define functional requirements and pass them to system designers. Designers complete the designs and pass them to programmers. If programmers subsequently discover improved ways to provide the functional requirements, the designers must redo their work. However, if programmers are involved in the planning and design phases, they may be able to identify improvements earlier in the process. Therefore, to enhance the effectiveness of project activities, organizations should employ methodologies that involve all parties in each project phase.

Development techniques such as spiral, iterative, and modified SDLC methodologies address many of the shortcomings of a traditional SDLC. Full descriptions of the newer methodologies are beyond the scope of this document. However, examiners should be aware that the newer methodologies are more risk focused and involve the completion of project phases in repetitive (iterative) cycles. Iteration enhances a project manager’s ability to efficiently address the requirements of each party (end users, security administrators, designers, developers, system technicians, etc.) throughout a project’s life cycle. Iteration also allows project managers to complete, review, and revise phase activities until they produce satisfactory results (phase deliverables).

Roles and Responsibilities

The size and complexity of a project dictate the required number and qualifications of project personnel. Duties may overlap in smaller organizations or lower-risk projects; however, all projects should include appropriate segregation of duties or compensating controls.

Primary roles and responsibilities include:

  • Corporate Management – Corporate managers are responsible for approving major projects and ensuring projects support, not drive, business objectives.
  • Senior Management – Senior managers are responsible for approving and promoting projects within their authority and ensuring adequate resources are available to complete projects.
  • Technology Steering Committee – Technology steering committees are responsible for establishing and approving major project deliverables and coordinating interdepartmental activities. The committees often include the project manager, a board member, and executives from all organizational departments. Large organizations often establish project management offices to coordinate multiple projects.
  • Project Manager – Project managers are responsible for ensuring projects support business objectives, project goals and expectations are clearly defined, and project tasks are identified, scheduled, and completed. Project managers are also responsible for monitoring and reporting a project’s status to senior management.
  • Project Sponsor – Project sponsors are responsible for developing support within user departments, defining deliverables, and providing end users for testing purposes. Project sponsors often provide financial resources to a project.
  • Technology Department – The technology department is responsible for maintaining the technology resources used by project teams and assisting in the testing and implementation phases. Department members should assist in defining the scope of a project by identifying database and network resources and constraints.
  • Quality Assurance – Quality assurance personnel are responsible for validating project assumptions and ensuring the quality of phase deliverables. Quality assurance personnel should be independent of the development process and use predefined standards and procedures to assess deliverables throughout project life cycles.
  • User Departments – User departments assist project managers, designers, and programmers in defining and testing functional requirements (system features). End-user involvement throughout a project is critical to ensuring accurate definitions and adequate tests. Large projects may include a subject matter expert or data analyst responsible for communicating user information and functional requirements to project teams.
  • Auditors – Auditors assist user departments, project managers, and system designers in identifying system control requirements and testing the controls during development and after implementation.
  • Security Managers – Security managers assist user departments, project managers, and system designers in identifying security requirements and testing the features during development and after implementation.