Chapter 7

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Cengage Learning 2015

Chapter 7: Software Supporting Processes and Software Reuse

Objectives
• Understand the role and functions of the supporting processes
• Understand the role and function of the reuse process
• Successfully plan and implement a management architecture of supporting processes
• Successfully implement and manage a reuse process

Overview of the Software Supporting Process Group
• The supporting processes apply to:
  • Agreement
  • Systems qualification testing
  • Software acceptance support
  • Software operation
  • Software maintenance

Software Document Management
• Software document management is the first of the supporting processes
• Focuses on managing the documents that contain the information rather than the information itself
• Activities involved in document management:
  • The planning, design, development, production, editing, distribution, and maintenance steps needed to keep proper records
• Maintains all formal authorizations of the document format and helps produce and sustain documents that have been approved for use

Software Configuration Management
• Configuration management (CM): defines and enforces control over an organization's assets
• Specifies methods for controlling changes to assets throughout their useful lifecycle
• CM objective: to control changes to items in a way that preserves their integrity
• Advantages of CM:
  • Maintains the integrity of configurations
  • Allows changes to be evaluated and made rationally
  • Gives managers and policy makers direct input into the evolution of the ICT asset base
• CM involves three major elements in the software lifecycle:
  • Development - supports the identification process
  • Maintenance - supports authorization and configuration control
  • Assurance - supports verification

Who Participates in Configuration Management?
• Three roles involved in CM:
  • The customer, the producer, and any associated subcontractors
• CM incorporates the two processes of configuration control and verification control, which are implemented through three activities:
  • Change process management
  • Baseline control
  • Configuration verification

What are the Roles?
• Configuration manager - ensures the requirements of change management are carried out
• Baseline manager - ensures that all configuration items in the project configuration management plan are identified, accounted for, and maintained
• Verification manager - ensures that product integrity is maintained during the change process
  • To confirm that all items in the change management ledger (CML) conform to the identification scheme, verify that changes have been carried out, and conduct milestone reviews

What is the Process?
• The cornerstone of configuration management is the configuration identification scheme
  • Usually established during the requirements analysis phase of the specification process
• All components are given a unique identifying label
  • Typically referred to as product identification numbers (PINs)
• If items in the evolving structure represent a new baseline:
  • The identifying labels are modified to reflect it
• The organization must explicitly define the management level authorized to approve changes to each baseline
• The configuration control board (CCB) operates at defined levels of authorization
• An ICT organization has three control boards:
  • One composed of top-level policy makers and one for each of the major system components (a software CCB and hardware CCB)

The Configuration Management Plan
• Configuration management is specifically defined and formally implemented through a configuration management plan (CMP)
• The plan should specify roles for change management, baseline management, and verification management
• The plan should also:
  • Help define the configuration identification scheme
  • Provide the basic structure of the PIN and how it will be assigned and formatted

Software Quality Assurance
• Software quality assurance (SQA): to ensure that software products and processes comply with predefined provisions and plans
• SQA provides oversight to the software manager
• SQA ensures that:
  • Appropriate development methods are in place
  • Standards are employed and independently audited
  • Necessary documentation is available
  • Change management mechanisms are in place to deal with any deviations from standards

Organization of SQA Operations
• SQA is based on a strategy and plan that:
  • Maintains software quality
  • Identifies and records any problems conforming to requirements
  • Verifies that products, processes, and activities adhere to applicable standards, procedures, and requirements
• Most operational problems encountered by SQA involve staffing, authority, and control
• SQA must have an independent reporting line

SQA: Overall Operation
• The organization's basic framework must include a set of defined quality assurance practices
  • Which are based on systematic development methods and standards for reviews
• Each SQA process must be planned to meet a project's unique needs
• SQA must have the mandate to conduct in-process evaluations of project management and the organization's governance control system

SQA Reporting
• SQA should not report to the project manager, but to local management
• No more than one position should separate SQA and the senior site manager
• SQA should have an advisory relationship with a senior quality executive

Starting the SQA Program
• Eight steps required to start an SQA program:
  1. Initiation
  2. Identification
  3. Writing the plan
  4. Integration
  5. Defining procedures
  6. Establishment
  7. Implementation
  8. Auditing
• A common SQA standard is IEEE STD-730

Verification
• Purpose of verification: to confirm that each work product or service of a process properly reflects the specified requirements
• It tests each transitional product from every phase as it is completed
• Involves:
  • Reviewing, inspecting, testing, checking, auditing, establishing and documenting
• Verification also assesses risk and feasibility concerns
• In the development phase, verification seeks to catch and correct small errors before they spread
• Verification outcomes are based on evidence obtained through assessment
• The most powerful verification processes normally involve a third party that performs the assessments
• The verification process is formalized by a plan that should be defined early and refined as a project moves downstream
• The process begins with a determination that verification is worthwhile
• The next step is to identify the organization that will execute the verification process
  • And decide which lifecycle elements will be verified
• Then, the required verification activities are performed as scheduled
• Any resulting defects are identified and recorded
• Results are made available to the customer and other involved parties

Validation
• Validation assesses the product to ensure that it complies with its purpose
• It is an ongoing process used to stay on top of meaningful changes to any element of the system, software product, or service
• Validation guarantees the software performs as it was designed or programmed to do
• The validation process begins prior to any actual planning
• It is almost always conducted by a third party

Software Review
• The purpose of the software review process:
  • To maintain a common understanding with stakeholders that the software is making progress against the contract
  • To help ensure development of a product that satisfies the stakeholders
• The review process uses a team approach to define, design, and evaluate work products
• The team can establish a common set of evaluation criteria, assess progress, and identify critical issues and recommendations

The Audit Process
• Purpose of software audits:
  • To independently determine the compliance of selected products and processes with appropriate requirements, plans, and agreements
• Audits are conducted by an appropriate independent party based on the audit plan
• Problems detected during an audit are identified and communicated to the parties responsible for corrective action and resolution
• Audits are usually performed at the end of a project

Problem Resolution
• The purpose of problem resolution is to ensure that all problems in a process are identified, analyzed, managed, and controlled to resolution
• Requires a management strategy that allows problems to be recorded, identified, and classified
• Ensures maintenance of the integrity of the system software, product, or service throughout the lifecycle
• Acts in conjunction with other supporting processes to ensure the product and process meet standards

Reuse
• Reuse: the construction of new software from existing components
• Reuse processes were not included in the original version of the standard
  • They have been added in the 2008 version
• Having a library of prewritten functions, templates, and procedures saves time and reduces cost
• Reusable code modules ensure higher levels of quality, security, and capability

• Domain engineering - used to ensure that products are built with a high level of integrity
  • Necessary to allow managers to understand how to reintegrate abstract components into other useful applications
  • Goal is to characterize the application domain, its architectures, and assets
• Process Implementation - first step is to create and execute a domain engineering plan
  • Domain engineer selects and formalizes the standard form of representation
• Domain Analysis - to define the conceptual boundaries of the domain and the relationships between it and other domains
  • To develop the domain model, the engineer carries out a domain review with all stakeholders, including software developers, asset managers, domain experts, and users
  • When the review is complete and the results are accepted, the domain engineer passes the domain model along to the architectural design stage
• Domain Design - the domain engineer develops and documents an architectural design that incorporates all assets designated for reuse
• Asset Provisioning - the domain engineer acquires or develops the necessary assets
  • Each asset is documented, classified, and evaluated in accordance with the organization's asset acceptance procedures
• Asset Maintenance - a responsibility of configuration management

• Reuse Asset Management - to manage the life of reusable assets from conception to retirement
  • Uses a documented asset classification scheme
  • Specifies the criteria for accepting and eventually retiring an asset
  • Defines an asset storage and retrieval mechanism that tracks and records asset use
• Process Implementation - first step is to create an asset management plan
  • This plan defines the resources and operational procedures for managing assets
• Asset Storage and Retrieval Definition - reusable assets are typically kept in an archive until they are used
  • The asset manager must implement and maintain a formal mechanism for asset storage and retrieval
• Asset Management and Control - ensures the correctness and integrity of the assets in the reuse archive
  • Each asset submitted for reuse must be evaluated to ensure it is acceptable for reuse

• Reuse Program Management - to plan, establish, control, and monitor an organization's overall reuse program
  • To systematically exploit opportunities for reuse
  • Reuse program is monitored and evaluated on an ongoing basis
• Initiation - a reuse strategy is necessary to begin developing a reuse program
  • Strategy includes setting goals for reuse and defining the program's purposes, objectives, and scope
• Domain Identification - a group is formed to identify the domains in which the organization can practice reuse
  • Group consists of program administrator, domain engineers, users, and software developers
  • The group evaluates each domain to ensure that it accurately fits with the reuse strategy
• Reuse Assessment - a function that constantly ensures the organization's reuse capability
  • Program administrator assesses each domain to determine its potential for reuse
• Planning - requires the creation of a plan to implement the program
  • The plan is maintained to ensure the organization understands all requirements for implementing the reuse program
  • The plan has to be reviewed and evaluated by members of the reuse steering committee for completeness, feasibility, and ability to execute
• Execution and Control - activities in the plan are executed in accordance with its requirements
  • Program is monitored by program administrator
• Review and Evaluation - the program administrator provides assessment results and lessons learned to the reuse steering committee and to appropriate managers
  • Administrator also recommends and makes changes to the program
  • Administrator expands and improves it in accordance with the plan's stipulations

Summary
• The supporting processes in the 12207-2008 standard represent the value-added elements that guarantee the quality and security of ICT products
• To develop a successful, defect-free piece of software, an organization must adopt and follow a disciplined set of supporting processes
• The outcome of the documentation management process is an explicit understanding and formal description of every lifecycle record
• Configuration management defines and enforces management control over ICT assets
• SQA monitors the actions of software operations and brings any deviations to management's attention
• The verification process confirms that products properly reflect specified requirements
• The validation process assesses products to ensure that they comply with their intended purpose
• Joint reviews of software help maintain a common understanding of progress
• Audits determine compliance with requirements, plans, and agreements
• Problem resolution ensures that integrity is maintained throughout the lifecycle
• Software reuse allows new code to use existing modules as a means of leveraging production
