Booklet: Development and Acquisition
Section: Project Management
Action Summary

Project management in its basic form involves planning and completing a task.
Technology-related tasks include ongoing operational activities and one-time
projects. A project’s impact on operations must be a key consideration
when assessing development, acquisition, and maintenance activities.
Detailed project plans, clearly defined expectations, experienced project
managers, realistic budgets, and effective communication significantly
enhance an organization’s ability to manage projects successfully.
Ineffectively managed projects often result in late deliveries, cost overruns,
or poor quality applications.
Inferior applications can result in underused, insecure, or unreliable
systems. Retrofitting functional, security, or automated-control features
into applications is expensive, time consuming, and often results in less
effective features. Therefore, organizations must manage projects carefully
to ensure they obtain products that meet organizational needs on time
and within budget.
Financial institutions use various methods to manage technology projects.
The systems development life cycle (SDLC) is the primary project management
methodology described in this booklet. The SDLC is used for illustrative
purposes because it provides a systematic way to describe the numerous
tasks associated with software development projects. Organizations may
employ an SDLC model or alternative methodology when managing any project,
including software development, or hardware, software, or service acquisition
projects. Regardless of the method used, it should be tailored to match
a project’s characteristics and risks. Boards, or board-designated
committees, should formally approve project methodologies, and management
should approve and document significant deviations from approved procedures.
SYSTEM DEVELOPMENT LIFE CYCLE
Structured project management techniques (such as an SDLC) enhance management’s
control over projects by dividing complex tasks into manageable sections.
Segmenting projects into logical control points (phases) allows managers
to review project phases for successful completion before allocating resources
to subsequent phases.
The number of phases within a project’s life cycle is based on the
characteristics of a project and the employed project management methodology.
A five-step process may only include broadly defined phases such as prepare,
acquire, test, implement, and maintain. Typical software development projects
include initiation, planning, design, development, testing, implementation,
and maintenance phases. Some organizations include a final, disposal phase
in their project life cycles.
The activities completed within each project phase are also based on the
project type and project management methodology. All projects should follow
well-structured plans that clearly define the requirements of each project
phase.
ALTERNATIVE DEVELOPMENT METHODOLOGIES
The SDLC provides a logical approach to managing a sequential series of
tasks. However, a drawback to using a traditional SDLC is that project
risks may not be adequately controlled if tasks are completed in a strictly
sequential manner. For example, using a traditional SDLC methodology,
users define functional requirements and pass them to system designers.
Designers complete the designs and pass them to programmers. If programmers
subsequently discover improved ways to provide the functional requirements,
the designers must redo their work. However, if programmers are involved
in the planning and design phases, they may be able to identify improvements
earlier in the process. Therefore, to enhance the effectiveness of project
activities, organizations should employ methodologies that involve all
parties in each project phase.
Development techniques such as spiral, iterative, and modified SDLC methodologies
address many of the shortcomings of a traditional SDLC. Full descriptions
of the newer methodologies are beyond the scope of this document. However,
examiners should be aware that the newer methodologies are more risk focused
and involve the completion of project phases in repetitive (iterative)
cycles. Iteration enhances a project manager’s ability to efficiently
address the requirements of each party (end users, security administrators,
designers, developers, system technicians, etc.) throughout a project’s
life cycle. Iteration also allows project managers to complete, review,
and revise phase activities until they produce satisfactory results (phase
deliverables).
ROLES AND RESPONSIBILITIES
The size and complexity of a project dictate the required number and
qualifications of project personnel. Duties may overlap in smaller organizations
or lower-risk projects; however, all projects should include appropriate
segregation of duties or compensating controls.
Primary roles and responsibilities include:
Corporate Management – Corporate managers are responsible for approving
major projects and ensuring projects support, not drive, business
objectives.

Senior Management – Senior managers are responsible for approving and
promoting projects within their authority and ensuring adequate resources
are available to complete projects.

Technology Steering Committee – Technology steering committees are responsible
for establishing and approving major project deliverables and coordinating
interdepartmental activities. The committees often include the project
manager, a board member, and executives from all organizational departments.
Large organizations often establish project management offices to
coordinate multiple projects.

Project Manager – Project managers are responsible for ensuring projects
support business objectives, project goals and expectations are clearly
defined, and project tasks are identified, scheduled, and completed.
Project managers are also responsible for monitoring and reporting
a project’s status to senior management.

Project Sponsor – Project sponsors are responsible for developing support
within user departments, defining deliverables, and providing end
users for testing purposes. Project sponsors often provide financial
resources to a project.

Technology Department – The technology department is responsible for maintaining
the technology resources used by project teams and assisting in the
testing and implementation phases. Department members should assist
in defining the scope of a project by identifying database and network
resources and constraints.

Quality Assurance – Quality assurance personnel are responsible for
validating project assumptions and ensuring the quality of phase deliverables.
Quality assurance personnel should be independent of the development
process and use predefined standards and procedures to assess deliverables
throughout project life cycles.

User Departments – User departments assist project managers, designers,
and programmers in defining and testing functional requirements (system
features). End-user involvement throughout a project is critical to
ensuring accurate definitions and adequate tests. Large projects may
include a subject matter expert or data analyst responsible for communicating
user information and functional requirements to project teams.

Auditors – Auditors assist user departments, project managers, and system
designers in identifying system control requirements and testing the
controls during development and after implementation.

Security Managers – Security managers assist user departments, project
managers, and system designers in identifying security requirements
and testing the features during development and after implementation.