Project management

IsecT's services relating to the management/governance of IT development projects cover two main aspects: governance of the projects themselves (including project management controls) and information security controls within the IT systems being developed.  Our ‘independent quality assurance’ (audit) and consultancy services span the whole system lifecycle from cradle to grave:

  • Project management - all aspects of project management and governance including organization structure, planning, progress tracking, risk management (determining the key risks and thus key control requirements from business and IT perspectives), financial management and change management. We consider not just the management of project and program changes but also the broader aspects of organizational changes relating to the introduction of new IT systems
  • Conceptual design and architecture - preparing information security elements of the system design, aligned with project, IT and business strategies, and incorporating baseline and/or special information security controls to address the key control requirements (e.g. controls against fraud)
  • Development - developing appropriate technical, physical and procedural controls, configuring software etc., in parallel with the conventional development activities - security controls are best developed as an integral part of software development
  • Testing - confirming, in particular, that information security controls work as designed and that key control requirements are satisfied
  • Implementation - secure configuration, change management, user training and data transfer from legacy systems
  • Operation - working the controls, including management reporting, systematic reviews and audits
  • Maintenance and support - updating the controls to keep pace with ever-changing risks
  • Decommissioning - secure archival and erasure of old data, and usually specification of the phoenix that will arise to replace a retired system.

A few organizations face serious problems managing any development projects but more often we find that large, cutting-edge and/or time-critical projects cause the most grief - in other words, inherently risky projects are harder to manage (a truism!).  The computer press reports runaway projects, projects that have been cancelled or have run millions over budget, and sometimes systems which are completely rejected by users.

A study of 1,500 IT project managers by a team from Oxford University made fascinating reading, e.g. “Business case development only falls within the scope of just under 50% of projects [in other words more than half have no explicit business case]. And only 45% of projects include business process change [we believe all projects should proactively manage changes and very few IT implementations result in no discernible difference to the users].  We find that despite warnings aplenty of the difficulty of managing large IT, programmes and projects, a third of all projects have budgets greater than 1m and a third have schedules exceeding 12 months.  4% are mega-projects with budgets in excess of 50m.  Moreover, there are indications that, if anything, organizations are tending to take on larger rather than smaller projects.  [Why is it so difficult to see that huge monolithic projects create huge risks, whereas those which deliver in smaller bite-sized chunks are far more flexible and easier to control?].  Change of budget, schedule or scope appears to be commonplace.” [Surprise surprise!].

We have been in situations where just about everybody associated with a failing project recognises that it is doomed yet the organization is unable to pull the plug for months, sometimes years, finding itself locked to a path of despair.  The problem is much more profound than poor development methods or a lack of quality assurance: governance failure is the real issue.

We certainly cannot claim to be able to rescue every runaway project but IsecT consultants can quickly recognise the symptoms of impending doom and diagnose governance issues, based on our wide experience of reviewing IT projects in trouble and, of course, a rational and objective assessment of the present situation.  We apply well-tried best-practice techniques for identifying and correcting systematic failures in project management and, in most cases, can facilitate the rebuilding of productive working relationships between IT and The Business through bridging.

For more information on how best-practice project governance controls will help you manage and control your development projects in a more professional manner, contact IsecT.

Copyright © 2012 IsecT Ltd.