Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  1. Chapter 7: Software Supporting Processes and Software Reuse

  2. Objectives
  • Understand the role and functions of the supporting processes
  • Understand the role and function of the reuse process
  • Successfully plan and implement a management architecture of supporting processes
  • Successfully implement and manage a reuse process

  3. Overview of the Software Supporting Process Group
  • The supporting processes apply to:
    • Agreement
    • Systems qualification testing
    • Software acceptance support
    • Software operation
    • Software maintenance

  4. Software Document Management
  • Software document management is the first of the supporting processes
  • Focuses on managing the documents that contain the information rather than the information itself
  • Activities involved in document management:
    • The planning, design, development, production, editing, distribution, and maintenance steps needed to keep proper records
    • Maintains all formal authorizations of the document format and helps produce and sustain documents that have been approved for use


  7. Software Configuration Management
  • Configuration management (CM): defines and enforces control over an organization’s assets
  • Specifies methods for controlling changes to assets throughout their useful lifecycle
  • CM objective: to control changes to items in a way that preserves their integrity
  • Advantages of CM:
    • Maintains the integrity of configurations
    • Allows changes to be evaluated and made rationally
    • Gives managers and policy makers direct input into the evolution of the ICT asset base

  8. Software Configuration Management
  • CM involves three major elements in the software lifecycle:
    • Development - supports the identification process
    • Maintenance - supports authorization and configuration control
    • Assurance - supports verification

  9. Who Participates in Configuration Management?
  • Three roles involved in CM:
    • The customer, the producer, and any associated subcontractors
  • CM incorporates the two processes of configuration control and verification control, which are implemented through three activities:
    • Change process management
    • Baseline control
    • Configuration verification

  10. What are the Roles?
  • Configuration manager - ensures the requirements of change management are carried out
  • Baseline manager - ensures that all configuration items in the project configuration management plan are identified, accounted for, and maintained
  • Verification manager - ensures that product integrity is maintained during the change process
    • To confirm that all items in the change management ledger (CML) conform to the identification scheme, verify that changes have been carried out, and conduct milestone reviews

  11. What is the Process?
  • The cornerstone of configuration management is the configuration identification scheme
    • Usually established during the requirements analysis phase of the specification process
  • All components are given a unique identifying label
    • Typically referred to as product identification numbers (PINs)
  • If items in the evolving structure represent a new baseline:
    • The identifying labels are modified to reflect it

  12. What is the Process?
  • The organization must explicitly define the management level authorized to approve changes to each baseline
  • The configuration control board (CCB) operates at defined levels of authorization
  • An ICT organization has three control boards:
    • One composed of top-level policy makers and one for each of the major system components (a software CCB and a hardware CCB)

  13. The Configuration Management Plan
  • Configuration management is specifically defined and formally implemented through a configuration management plan (CMP)
  • The plan should specify roles for change management, baseline management, and verification management
  • The plan should also:
    • Help define the configuration identification scheme
    • Provide the basic structure of the PIN and how it will be assigned and formatted
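The identification scheme, baselines, CCB authorization levels, and the verification manager's duties described on slides 9 through 13 can be exercised as a small verification pass over a change management ledger. The following is an added example, not code from the textbook or from ISO/IEC 12207; the PIN format, the control board names, the `ChangeRecord` and `ConfigItem` types, and the sample items are assumptions made for illustration:

```python
"""Configuration verification over a change management ledger (CML).

Added example, not from the textbook or the 12207 standard: it models a
configuration identification scheme (PINs), a baseline in which every
configuration item carries a content hash, a CCB authorization level per
subsystem, and a verification pass in the spirit of the verification
manager's duties. PIN format, board names and sample data are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# Assumed PIN scheme: <subsystem>-<type>-<serial>.B<baseline>, e.g. SW-SRC-0042.B2
PIN_RE = re.compile(r"^(SW|HW|DOC)-(SRC|BIN|SPEC)-\d{4}\.B\d+$")

# Assumed authorization levels: which control board may approve changes to which subsystem
CCB_AUTHORITY = {"SW": "software-ccb", "HW": "hardware-ccb", "DOC": "policy-ccb"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ConfigItem:
    pin: str
    content: bytes


@dataclass
class ChangeRecord:
    pin: str          # configuration item the change applies to
    new_hash: str     # content hash the item must have once the change is carried out
    approved_by: str  # control board that approved the change


def pin_conforms(pin: str) -> bool:
    """Identification-scheme check for a single label."""
    return PIN_RE.fullmatch(pin) is not None


def change_authorized(rec: ChangeRecord) -> bool:
    """A change is valid only if the board responsible for that subsystem approved it."""
    subsystem = rec.pin.split("-", 1)[0]
    return CCB_AUTHORITY.get(subsystem) == rec.approved_by


def verify_configuration(baseline: dict, current: list, ledger: list) -> list:
    """Return findings; an empty list means the current configuration verifies.

    baseline: pin -> content hash recorded when the baseline was established
    current:  ConfigItems as they exist now
    ledger:   ChangeRecords approved since the baseline
    """
    findings = []
    # 1. Every ledger entry must conform to the scheme and carry a valid approval.
    for rec in ledger:
        if not pin_conforms(rec.pin):
            findings.append(f"ledger entry {rec.pin!r} violates the PIN scheme")
        elif not change_authorized(rec):
            findings.append(f"change to {rec.pin} approved by unauthorized board {rec.approved_by}")
    approved = {r.pin: r.new_hash for r in ledger if pin_conforms(r.pin) and change_authorized(r)}
    # 2. Every baselined item must match its baseline hash or an approved new hash.
    current_by_pin = {item.pin: item for item in current}
    for pin, base_hash in baseline.items():
        item = current_by_pin.get(pin)
        if item is None:
            findings.append(f"{pin} missing from current configuration")
            continue
        actual = sha256(item.content)
        if pin in approved:
            if actual == base_hash:
                findings.append(f"{pin}: approved change not carried out")
            elif actual != approved[pin]:
                findings.append(f"{pin}: content matches neither baseline nor approved change")
        elif actual != base_hash:
            findings.append(f"{pin}: unapproved modification (hash drift)")
    # 3. Nothing may exist outside configuration control.
    for pin in current_by_pin:
        if pin not in baseline:
            findings.append(f"{pin} present but not under configuration control")
    return findings


# Constructed sample baseline.
BASELINE_ITEMS = [
    ConfigItem("SW-SRC-0001.B1", b"def login(): ..."),
    ConfigItem("SW-BIN-0002.B1", b"\x7fELF-build-1"),
    ConfigItem("DOC-SPEC-0003.B1", b"Requirements v1"),
]
BASELINE = {item.pin: sha256(item.content) for item in BASELINE_ITEMS}


def demo() -> list:
    """Constructed scenario: one clean change, one wrong board, one bad label, one drift."""
    ledger = [
        ChangeRecord("SW-SRC-0001.B1", sha256(b"def login(): patched"), "software-ccb"),
        ChangeRecord("DOC-SPEC-0003.B1", sha256(b"Requirements v2"), "software-ccb"),  # wrong board
        ChangeRecord("sw_src_0004", sha256(b"x"), "software-ccb"),                      # bad PIN
    ]
    current = [
        ConfigItem("SW-SRC-0001.B1", b"def login(): patched"),     # approved change carried out
        ConfigItem("SW-BIN-0002.B1", b"\x7fELF-build-1-altered"),  # changed with no ledger entry
        ConfigItem("DOC-SPEC-0003.B1", b"Requirements v1"),        # unchanged
    ]
    return verify_configuration(BASELINE, current, ledger)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run on the constructed data, the pass reports the ledger entry approved by the wrong board, the label that violates the scheme, and the binary that changed without any ledger entry, while the approved source change verifies cleanly. The three checks map onto the verification manager's three duties on slide 10; milestone reviews are where a report like this would be tabled.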


  16. Software Quality Assurance
  • Software quality assurance (SQA): to ensure that software products and processes comply with predefined provisions and plans
  • SQA provides oversight to the software manager
  • SQA ensures that:
    • Appropriate development methods are in place
    • Standards are employed and independently audited
    • Necessary documentation is available
    • Change management mechanisms are in place to deal with any deviations from standards

  17. Organization of SQA Operations
  • SQA is based on a strategy and plan that:
    • Maintains software quality
    • Identifies and records any problems in conforming to requirements
    • Verifies that products, processes, and activities adhere to applicable standards, procedures, and requirements
  • Most operational problems encountered by SQA involve staffing, authority, and control
  • SQA must have an independent reporting line

  18. SQA: Overall Operation
  • The organization’s basic framework must include a set of defined quality assurance practices
    • Which are based on systematic development methods and standards for reviews
  • Each SQA process must be planned to meet a project’s unique needs
  • SQA must have the mandate to conduct in-process evaluations of project management and the organization’s governance control system

  19. SQA Reporting
  • SQA should not report to the project manager
    • But to local management
  • No more than one position should separate SQA and the senior site manager
  • SQA should have an advisory relationship with a senior quality executive

  20. Starting the SQA Program
  • Eight steps required to start an SQA program:
    1. Initiation
    2. Identification
    3. Writing the plan
    4. Integration
    5. Defining procedures
    6. Establishment
    7. Implementation
    8. Auditing
  • Common SQA standard is IEEE STD-730


  23. Verification
  • Purpose of verification: to confirm that each work product or service of a process properly reflects the specified requirements
  • It tests each transitional product from every phase as it is completed
  • Involves:
    • Reviewing, inspecting, testing, checking, auditing, establishing and documenting
  • Verification also assesses risk and feasibility concerns

  24. Verification
  • In the development phase, verification seeks to catch and correct small errors before they spread
  • Verification outcomes are based on evidence obtained through assessment
  • The most powerful verification processes normally involve a third party that performs the assessments
  • The verification process is formalized by a plan that should be defined early and refined as a project moves downstream


  27. Verification
  • The process begins with a determination that verification is worthwhile
  • The next step is to identify the organization that will execute the verification process
    • And decide which lifecycle elements will be verified
  • Then, the required verification activities are performed as scheduled
  • Any resulting defects are identified and recorded
  • Results are made available to the customer and other involved parties

  28. Validation
  • Validation assesses the product to ensure that it complies with its purpose
  • It is an ongoing process used to stay on top of meaningful changes to any element of the system, software product, or service
  • Validation guarantees the software performs as it was designed or programmed to do
  • The validation process begins prior to any actual planning
  • It is almost always conducted by a third party


  31. Software Review
  • The purpose of the software review process:
    • To maintain a common understanding with stakeholders that the software is making progress against the contract
    • To help ensure development of a product that satisfies the stakeholders
  • The review process uses a team approach to define, design, and evaluate work products
  • The team can establish a common set of evaluation criteria, assess progress, and identify critical issues and recommendations


  34. The Audit Process
  • Purpose of software audits:
    • To independently determine the compliance of selected products and processes with appropriate requirements, plans, and agreements
  • Audits are conducted by an appropriate independent party based on the audit plan
  • Problems detected during an audit are identified and communicated to the parties responsible for corrective action and resolution
  • Audits are usually performed at the end of a project


  37. Problem Resolution
  • The purpose of problem resolution is to ensure that all problems in a process are identified, analyzed, managed, and controlled to resolution
  • Requires a management strategy that allows problems to be recorded, identified, and classified
  • Ensures maintenance of the integrity of the system software, product, or service throughout the lifecycle
  • Acts in conjunction with other supporting processes to ensure the product and process meet standards


  40. Reuse
  • Reuse: the construction of new software from existing components
  • Reuse processes were not included in the original version of the standard
    • They have been added in the 2008 version
  • Having a library of prewritten functions, templates, and procedures saves time and reduces cost
  • Reusable code modules ensure higher levels of quality, security, and capability

  41. Reuse
  • Domain engineering - used to ensure that products are built with a high level of integrity
    • Necessary to allow managers to understand how to reintegrate abstract components into other useful applications
    • Goal is to characterize the application domain, its architectures, and assets
  • Process Implementation - first step is to create and execute a domain engineering plan
    • Domain engineer selects and formalizes the standard form of representation

  42. Reuse
  • Domain Analysis - to define the conceptual boundaries of the domain and the relationships between it and other domains
    • To develop the domain model, the engineer carries out a domain review with all stakeholders, including software developers, asset managers, domain experts, and users
    • When the review is complete and the results are accepted, the domain engineer passes the domain model along to the architectural design stage

  43. Reuse
  • Domain Design - the domain engineer develops and documents an architectural design that incorporates all assets designated for reuse
  • Asset Provisioning - the domain engineer acquires or develops the necessary assets
    • Each asset is documented, classified and evaluated in accordance with the organization’s asset acceptance procedures
  • Asset Maintenance - a responsibility of configuration management

  44. Reuse
  • Reuse Asset Management - to manage the life of reusable assets from conception to retirement
    • Uses a documented asset classification scheme
    • Specifies the criteria for accepting and eventually retiring an asset
    • Defines an asset storage and retrieval mechanism that tracks and records asset use
  • Process Implementation - first step is to create an asset management plan
    • This plan defines the resources and operational procedures for managing assets

  45. Reuse
  • Asset Storage and Retrieval Definition - reusable assets are typically kept in an archive until they are used
    • The asset manager must implement and maintain a formal mechanism for asset storage and retrieval
  • Asset Management and Control - ensures the correctness and integrity of the assets in the reuse archive
    • All assets submitted for reuse must be evaluated to ensure they are acceptable for reuse
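Slides 44 and 45 describe an asset archive with a classification scheme, acceptance and retirement criteria, a storage and retrieval mechanism that records use, and controls for the correctness and integrity of what the archive holds. The following is an added example, not code from the textbook or from ISO/IEC 12207; the `AssetArchive` class, its acceptance rule (a recognized classification, an accountable owner and a passing evaluation), the use of a SHA-256 digest re-checked on retrieval, and all asset ids and contents are assumptions made for illustration:

```python
"""Reuse asset archive: acceptance gate, classification, integrity-checked
retrieval and a usage record.

Added example, not from the textbook or the 12207 standard. It assumes a
simple acceptance rule (an asset needs a recognized classification, an owner
and a passing evaluation before it enters the archive) and a SHA-256 digest
recorded at acceptance and re-checked on every retrieval and audit. Asset
ids, classes and contents are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class ReuseAsset:
    asset_id: str
    classification: str      # assumed classes, see AssetArchive.VALID_CLASSES
    owner: str               # accountable maintainer
    content: bytes
    evaluation_passed: bool  # outcome of the organization's acceptance evaluation


class AssetArchive:
    VALID_CLASSES = {"crypto", "input-validation", "logging", "ui"}

    def __init__(self) -> None:
        self._store = {}      # asset_id -> dict(classification, owner, content, digest)
        self._retired = set()
        self.usage_log = []   # (asset_id, project, outcome) for every retrieval attempt

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def submit(self, asset: ReuseAsset) -> str:
        """Acceptance gate; returns the digest recorded for the accepted asset."""
        if asset.classification not in self.VALID_CLASSES:
            raise ValueError(f"{asset.asset_id}: unknown classification {asset.classification!r}")
        if not asset.owner:
            raise ValueError(f"{asset.asset_id}: no accountable owner")
        if not asset.evaluation_passed:
            raise ValueError(f"{asset.asset_id}: acceptance evaluation not passed")
        if asset.asset_id in self._store:
            raise ValueError(f"{asset.asset_id}: already archived")
        d = self.digest(asset.content)
        self._store[asset.asset_id] = {"classification": asset.classification,
                                       "owner": asset.owner,
                                       "content": asset.content,
                                       "digest": d}
        return d

    def retrieve(self, asset_id: str, project: str) -> bytes:
        """Hand out an asset only if it is live and still matches its recorded digest."""
        if asset_id not in self._store:
            raise LookupError(f"{asset_id}: not in archive")
        if asset_id in self._retired:
            self.usage_log.append((asset_id, project, "retired"))
            raise LookupError(f"{asset_id}: retired")
        entry = self._store[asset_id]
        if self.digest(entry["content"]) != entry["digest"]:
            self.usage_log.append((asset_id, project, "integrity-failure"))
            raise RuntimeError(f"{asset_id}: stored content does not match recorded digest")
        self.usage_log.append((asset_id, project, "ok"))
        return entry["content"]

    def retire(self, asset_id: str) -> None:
        if asset_id not in self._store:
            raise LookupError(f"{asset_id}: not in archive")
        self._retired.add(asset_id)

    def audit(self) -> list:
        """Ids of archived assets whose stored content no longer matches the recorded digest."""
        return [aid for aid, e in self._store.items() if self.digest(e["content"]) != e["digest"]]

    def projects_using(self, asset_id: str) -> set:
        """Projects that successfully retrieved an asset (who to notify on retirement or defect)."""
        return {p for aid, p, outcome in self.usage_log if aid == asset_id and outcome == "ok"}


def demo() -> dict:
    """Constructed walk-through: accept one asset, reject one, detect altered storage."""
    archive = AssetArchive()
    good = ReuseAsset("RA-0001", "input-validation", "team-appsec", b"def is_safe_path(p): ...", True)
    unreviewed = ReuseAsset("RA-0002", "crypto", "team-platform", b"def encrypt(): ...", False)
    results = {"accepted": archive.submit(good) == AssetArchive.digest(good.content)}
    try:
        archive.submit(unreviewed)
        results["rejected_unreviewed"] = False
    except ValueError:
        results["rejected_unreviewed"] = True
    results["first_retrieval_ok"] = archive.retrieve("RA-0001", "project-A") == good.content
    # Simulate the archive's storage being altered outside the asset manager's control.
    archive._store["RA-0001"]["content"] = b"def is_safe_path(p): return True"
    try:
        archive.retrieve("RA-0001", "project-B")
        results["tamper_detected"] = False
    except RuntimeError:
        results["tamper_detected"] = True
    results["integrity_audit"] = archive.audit()
    results["affected_projects"] = archive.projects_using("RA-0001")
    results["usage_log"] = list(archive.usage_log)
    return results
```

The usage record is what turns "tracks and records asset use" into something actionable: when an asset is retired or found defective, `projects_using` tells the asset manager which consumers need to be notified, and the `audit` method gives the periodic integrity check that the management and control activity on slide 45 calls for.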

  46. Reuse
  • Reuse Program Management - to plan, establish, control, and monitor an organization’s overall reuse program
    • To systematically exploit opportunities for reuse
    • Reuse program is monitored and evaluated on an ongoing basis
  • Initiation - a reuse strategy is necessary to begin developing a reuse program
    • Strategy includes setting goals for reuse and defining the program’s purposes, objectives, and scope

  47. Reuse
  • Domain Identification - a group is formed to identify the domains in which the organization can practice reuse
    • Group consists of program administrator, domain engineers, users, and software developers
    • The group evaluates each domain to ensure that it accurately fits with the reuse strategy
  • Reuse Assessment - a function that continually ensures the organization’s reuse capability
    • Program administrator assesses each domain to determine its potential for reuse

  48. Reuse
  • Planning - requires the creation of a plan to implement the program
    • The plan is maintained to ensure the organization understands all requirements for implementing the reuse program
    • The plan has to be reviewed and evaluated by members of the reuse steering committee for completeness, feasibility, and ability to execute
  • Execution and Control - activities in the plan are executed in accordance with its requirements
    • Program is monitored by the program administrator

  49. Reuse
  • Review and Evaluation - the program administrator provides assessment results and lessons learned to the reuse steering committee and to appropriate managers
    • Administrator also recommends and makes changes to the program
    • Administrator expands and improves it in accordance with the plan’s stipulations

  50. Summary
  • The supporting processes in the 12207-2008 standard represent the value-added elements that guarantee the quality and security of ICT products
  • To develop a successful, defect-free piece of software, an organization must adopt and follow a disciplined set of supporting processes
  • The outcome of the documentation management process is an explicit understanding and formal description of every lifecycle record
  • Configuration management defines and enforces management control over ICT assets
