Development and Acquisition Booklet

Development and Acquisition Project Management

Project management in its basic form involves planning and completing a task. Technology-related tasks include ongoing operational activities and one-time projects. A project’s impact on operations must be a key consideration when assessing development, acquisition, and maintenance activities.

Detailed project plans, clearly defined expectations, experienced project managers, realistic budgets, and effective communication significantly enhance an organization’s ability to manage projects successfully. Ineffectively managed projects often result in late deliveries, cost overruns, or poor quality applications.

Inferior applications can result in underused, insecure, or unreliable systems. Retrofitting functional, security, or automated-control features into applications is expensive, time consuming, and often results in less effective features. Therefore organizations must manage projects carefully to ensure they obtain products that meet organizational needs on time and within budget.

Financial institutions use various methods to manage technology projects. The systems development life cycle (SDLC) is the primary project management methodology described in this booklet. The SDLC is used for illustrative purposes because it provides a systematic way to describe the numerous tasks associated with software development projects. Organizations may employ an SDLC model or alternative methodology when managing any project, including software development, or hardware, software, or service acquisition projects. Regardless of the method used, it should be tailored to match a project’s characteristics and risks. Boards, or board-designated committees, should formally approve project methodologies, and management should approve and document significant deviations from approved procedures.

System Development Life Cycle

Structured project management techniques (such as an SDLC) enhance management’s control over projects by dividing complex tasks into manageable sections. Segmenting projects into logical control points (phases) allows managers to review project phases for successful completion before allocating resources to subsequent phases.

The number of phases within a project’s life cycle is based on the characteristics of a project and the employed project management methodology. A five-step process may only include broadly defined phases such as prepare, acquire, test, implement, and maintain. Typical software development projects include initiation, planning, design, development, testing, implementation, and maintenance phases. Some organizations include a final, disposal phase in their project life cycles.

The activities completed within each project phase are also based on the project type and project management methodology. All projects should follow well-structured plans that clearly define the requirements of each project phase.

Alternative Development Methodoligies

The SDLC provides a logical approach to managing a sequential series of tasks. However, a drawback to using a traditional SDLC is that project risks may not be adequately controlled if tasks are completed in a strictly sequential manner. For example, using a traditional SDLC methodology, users define functional requirements and pass them to system designers. Designers complete the designs and pass them to programmers. If programmers subsequently discover improved ways to provide the functional requirements, the designers must redo their work. However, if programmers are involved in the planning and design phases, they may be able to identify improvements earlier in the process. Therefore, to enhance the effectiveness of project activities, organizations should employ methodologies that involve all parties in each project phase.

Development techniques such as spiral, iterative, and modified SDLC methodologies address many of the shortcomings of a traditional SDLC. Full descriptions of the newer methodologies are beyond the scope of this document. However, examiners should be aware that the newer methodologies are more risk focused and involve the completion of project phases in repetitive (iterative) cycles. Iteration enhances a project manager’s ability to efficiently address the requirements of each party (end users, security administrators, designers, developers, system technicians, etc.) throughout a project’s life cycle. Iteration also allows project managers to complete, review, and revise phase activities until they produce satisfactory results (phase deliverables).

Roles and Responsibilities

The size and complexity of a project dictates the required number and qualifications of project personnel. Duties may overlap in smaller organizations or lower-risk projects; however, all projects should include appropriate segregation of duties or compensating controls.

Primary roles and responsibilities include:

• Corporate Management – Corporate managers are responsible for approving major projects and ensuring projects support, not drive, business objectives.
• Senior Management – Senior managers are responsible for approving and promoting projects within their authority and ensuring adequate resources are available to complete projects.
• Technology Steering Committee – Technology steering committees are responsible for establishing and approving major project deliverables and coordinating interdepartmental activities. The committees often include the project manager, a board member, and executives from all organizational departments. Large organizations often establish project management offices to coordinate multiple projects.
• Project Manager – Project managers are responsible for ensuring projects support business objectives, project goals and expectations are clearly defined, and project tasks are identified, scheduled, and completed. Project managers are also responsible for monitoring and reporting a project’s status to senior management.
• Project Sponsor – Project sponsors are responsible for developing support within user departments, defining deliverables, and providing end users for testing purposes. Project sponsors often provide financial resources to a project.
• Technology Department – The technology department is responsible for maintaining the technology resources used by project teams and assisting in the testing and implementation phases. Department members should assist in defining the scope of a project by identifying database and network resources and constraints
• Quality Assurance – Quality assurance personnel are responsible for validating project assumptions and ensuring the quality of phase deliverables. Quality assurance personnel should be independent of the development process and use predefined standards and procedures to assess deliverables throughout project life cycles.
• User Departments – User departments assist project managers, designers, and programmers in defining and testing functional requirements (system features). End-user involvement throughout a project is critical to ensuring accurate definitions and adequate tests. Large projects may include a subject matter expert or data analyst responsible for communicating user information and functional requirements to project teams.
• Auditors – Auditors assist user departments, project managers, and system designers in identifying system control requirements and testing the controls during development and after implementation
• Security Managers – Security managers assist user departments, project managers, and system designers in identifying security requirements and testing the features during development and after implementation.