IT 305 Management of Technology
TRANSCRIPT

8/16/2019 IT 305 Management of Technology
1/17
IT 305
Management of Technology
(T-TH 1-2:30)
Professor/Dean: Maria Teresa N. Pancho
Student: Hanson Peñano
BS-IT
Types of IT Project:
The project types for which a standardized pre-tailoring exists at present will be described next. The characteristics described in the next section are used as the basis for the type definition.
General Assumptions
When selecting activities and products, the following assumptions are made for all project types:
• No criticality classification exists in the planned project, i.e., all software parts are handled equally with respect to construction and assessment.
• No database development is planned.
If these assumptions are not true in a planned project, then additional activities and products must be selected by using the implementing conditions of the tailoring forms (section T.3.6 Tailoring Forms).
The implementing conditions must also be observed when, for the characteristics
• complexity of functions,
• complexity of data, or
• maintenance requirements,
the characteristic value defined in the corresponding project type deviates from the characteristic value of the planned concrete project.
T.3.1 Characteristics with Corresponding Quantifications
In order to define project types, characteristics with corresponding quantifications are required. The characteristics "Project Size", "Complexity", and "Maintenance Requirements" are described in categories like "low/small", "medium", and "high/large".
T.3.1.1 Project Size Classification
IT projects are of different sizes. This must be considered during the selection of activities and products. The cost/effort for a project (in man years, project years) and the number of project members are used to define the project size.
The size of a project is classified according to the following schema:

Project Size | Cost/Effort in Man Years | Number of Project Members
small        | <= 0.5                   | or <= 2
medium       | <= 5                     | or <= 5
large        | > 5                      | or > 5
Table T.4: Project Size Classification
In cases where the project size is not defined according to the above shown schema, the larger project size has to be selected. E.g., in a project with 2 project members (results in class "small") and 3 project years (results in class "medium"), class "medium" has to be selected.
T.3.1.2 Complexity Classification of Functions and Data
Functions and data are described in structured form in the products User Requirements and Technical Requirements. The functions and data described in these documents have to be classified with regard to their complexity, on the basis of the professional structuring. The evaluation of the complexity is realized by the statistical evaluation of appropriate indicators.
Since the classification of the complexity with justifiable mathematical methods can only be realized with the help of a software tool, a simplified method is suggested for the classification of complexity of functions and data. In that case, the structuring of functions and data mentioned in the above listed requirement documents will be used.
• On system, segment, and SW unit level, the complexity is classified on the basis of the expected number of sub functions and the number of the internal interfaces.
• The classification of complexity on component and module level is realized on the basis of the code length.
• The complexity of data that can be represented in a sequential or entity-relationship structure is classified by means of the number of entities and the number of internal relations (hierarchy levels).
The indicators for the three complexity classes are listed next.

Functions Complexity | Number of Sub functions | Number of Interfaces | Number of Program Lines
small                | < 10                    | and < 10             | and < 100
medium               | < 30                    | and < 30             | and < 300
large                | >= 30                   | or >= 30             | or >= 300
Table T.5: Function Complexity Classification

Data Complexity | Number of Entities | Number of Relations | Number of Data Fields
low             | < 10               | and < 10            | and < 20
medium          | < 40               | and < 40            | and < 100
large           | >= 40              | or >= 40            | or >= 100
Table T.6: Data Complexity Classification

T.3.1.3 Quantification of the Maintenance Requirements
Maintenance requirements are quantified as follows:

Degree of Requirement | Impact on the Changeability
low                   | only minimum changes are to be expected
medium                | adjustments (regularly) are expected, locally, though
high                  | essential changes are very probable
Table T.7: Maintenance Requirements Quantification
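The thresholds of Tables T.4 to T.6 and the rule that the larger class is selected when the indicators disagree, written out as Python functions. This is an added example, not part of the notes or of the V-Model tailoring documents they summarize; the function names are my own and the sample values in the docstrings are constructed.

```python
"""Project-type tailoring classification (Tables T.4, T.5 and T.6).

Added example, not from the notes: encodes the threshold tables and the
rule from the text that, when the two size indicators fall into different
classes, the larger class has to be selected.
"""

SIZE_ORDER = ["small", "medium", "large"]  # ascending, used to pick the larger class


def classify_size(man_years, members):
    """Table T.4 plus the 'larger class wins' rule.

    Worked example from the text: 2 members (small) and 3 project years
    (medium) gives 'medium'.
    """
    def by_effort(my):
        if my <= 0.5:
            return "small"
        if my <= 5:
            return "medium"
        return "large"

    def by_members(n):
        if n <= 2:
            return "small"
        if n <= 5:
            return "medium"
        return "large"

    classes = (by_effort(man_years), by_members(members))
    # When the indicators disagree, the larger project size is selected.
    return max(classes, key=SIZE_ORDER.index)


def classify_function_complexity(sub_functions, interfaces, program_lines):
    """Table T.5: 'small' needs all three indicators below 10/10/100,
    'large' is reached as soon as any indicator hits 30/30/300 (the 'or' row),
    everything in between is 'medium'."""
    if sub_functions >= 30 or interfaces >= 30 or program_lines >= 300:
        return "large"
    if sub_functions < 10 and interfaces < 10 and program_lines < 100:
        return "small"
    return "medium"


def classify_data_complexity(entities, relations, data_fields):
    """Table T.6: 'low' needs all three indicators below 10/10/20,
    'large' is reached as soon as any indicator hits 40/40/100."""
    if entities >= 40 or relations >= 40 or data_fields >= 100:
        return "large"
    if entities < 10 and relations < 10 and data_fields < 20:
        return "low"
    return "medium"


if __name__ == "__main__":
    # Constructed sample project: 3 man years, 2 members, modest function and data structures.
    print("size:", classify_size(3, 2))                           # medium
    print("functions:", classify_function_complexity(12, 5, 50))  # medium
    print("data:", classify_data_complexity(5, 5, 19))            # low
```

Note the asymmetry the tables encode: the lower class requires every indicator to stay under its threshold ("and"), while the upper class is triggered by any single indicator ("or"); a project with nine sub functions but 300 lines of code is therefore "large", not "small".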
T.3.2 Administrative IT Projects
T.3.2.1 Small Administrative IT Projects
1. Project Description: The project is mostly realized by one or two project members. Frequently, the software developer is the software user as well. The software often runs on a PC.
2. Project Size: not more than 0.5 man years with 1 to 2 project members.
3. Complexity: The complexity of functions and data is low.
4. Maintenance Requirements: [...]
3. Complexity: The complexity of functions and data is considered medium.
4. Maintenance Requirements: medium
5. Examples for large administrative IT projects:
   o Federal Office for Motor Traffic (motor vehicle data)
   o Federal Office of Administration (central register for foreigners, about 200 monitors)
   o IIS environmental project
   o Patent Information System of the German Patent Office (Deutsches Patentamt PATIS)
T.3.3 Technical/Scientific IT Projects
T.3.3.1 Small/Medium Technical/Scientific IT Projects
1. Project Description: a small to medium size project concentrating on technical-scientific data processing. These might be, e.g., model and simulation processing, graphics, image processing, statistics, calculation of stability/strength, etc. The project is realized by not more than 5 staff members.
2. Project Size: Not more than 5 man years or not more than 5 project members.
3. Complexity: The complexity of the functions is medium; the complexity of the data is low.
4. Maintenance Requirements: low
5. Examples:
   o weather forecast
   o air safety applications (radar data presentation)
T.3.4 Selection, Procurement and Adjustment of Off-the-Shelf Products
1. Project Description: Only a few V-Model activities and products are required for this project type, since a large part of the functionality already exists because of the off-the-shelf product.
2. Project Size: The effort is not more than 0.5 man years and not more than 2 staff members.
3. Complexity: The complexity of both the functions and the data of updates or modifications is low.
4. Maintenance Requirements: medium
5. Examples:
   • office communication systems
   • telecommunication systems
T.3.5 Representation of the Project Types - Overview
The following matrix offers an overview of the relationships of project types and characteristic values.

Project Type                                        | Cost/Effort in Man Years | Number of Staff | Complexity of Functions | Complexity of Data | Maintenance Requirements
Administrative IT Projects, low                     | <= 0.5                   | <= 2            | low                     | low                | low
Administrative IT Projects, medium                  | <= 5                     | <= 5            | medium                  | medium             | medium
Administrative IT Projects, large                   | > 5                      | > 5             | medium                  | medium             | medium
Techn./Scient. IT Projects, low                     | <= 5                     | <= 5            | medium                  | low                | low
Techn./Scient. IT Projects, large                   | > 5                      | > 5             | medium                  | low                | low
Eval./Procurm./Adjustment of Off-the-Shelf Products | <= 0.5                   | <= 2            | low                     | low                | medium
Table T.8: Project Types and Characteristic Values

T.3.6 Tailoring Forms
(Access next html pages)
T.3.6.1 Using the Forms
(Access next html pages)
T.3.6.2 Collection of Forms
(Access next html pages)
IT Risk Management:
IT risk management is the application of risk management to the information technology context in order to manage IT risk, i.e.
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
IT risk management can be considered a component of a wider enterprise risk management system.
The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.
Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.
According to Risk IT, it encompasses not only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit/value enabling risk associated with missing opportunities to use technology to enable or enhance business, or the IT project management for aspects like overspending or late delivery with adverse business impact.
Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.
Generally speaking, risk is the product of likelihood times impact (Risk = Likelihood × Impact). The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
There are two things in this definition that may need some clarification. First, the process of risk management is an on-going iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.
Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.
The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.
Risk management in the IT world is quite a complex, multi-faceted activity, with a lot of relations to other complex activities. The picture shows the relationships between different related terms.
The National Information Assurance Training and Education Center defines risk management in the IT field as:
1. The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.
2. An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:
   1. A risk assessment, as derived from an evaluation of threats and vulnerabilities.
   2. Management decision.
   3. Control implementation.
   4. Effectiveness review.
3. The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.
4. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.
Risk Management Methodology:
The term methodology means an organized set of principles and rules that drive action in a particular field of knowledge. A methodology does not describe specific methods; nevertheless it does specify several processes that need to be followed. These processes constitute a generic framework. They may be broken down into sub-processes, they may be combined, or their sequence may change. However, any risk management exercise must carry out these processes in one form or another; the following table compares the processes foreseen by three leading standards. ISACA's Risk IT framework is more recent. The Risk IT Practitioner Guide compares Risk IT and ISO 27005. The overall comparison is illustrated in the following table.
Risk management constituent processes (columns: ISO/IEC 27005:2008 | BS 7799-3:2006 | SP 800-30 | Risk IT; "-" marks an empty cell)

Context establishment | Organizational context | - | RG and RE domains, more precisely: RG1.2 Propose IT risk tolerance; RG2.1 Establish and maintain accountability for IT risk management; RG2.3 Adapt IT risk practices to enterprise risk practices; RG2.4 Provide adequate resources for IT risk management; RE2.1 Define IT risk analysis scope.
Risk assessment | Risk assessment | Risk assessment | RE2 process includes: RE2.1 Define IT risk analysis scope; RE2.2 Estimate IT risk; RE2.3 Identify risk response options; RE2.4 Perform a peer review of IT risk analysis. In general, the elements as described in the ISO 27005 process are all included in Risk IT; however, some are structured and named differently.
Risk treatment | Risk treatment and management decision making | Risk mitigation | RE2.3 Identify risk response options; RR2.3 Respond to discovered risk exposure and opportunity
Risk acceptance | - | - | RG3.4 Accept IT risk
Risk communication | Ongoing risk management activities | - | RG1.5 Promote IT risk-aware culture; RG1.6 Encourage effective communication of IT risk; RE3.6 Develop IT risk indicators.
Risk monitoring and review | - | Evaluation and assessment | RG2 Integrate with ERM; RE2.4 Perform a peer review of IT risk analysis; RG2.5 Provide independent assurance over IT risk management
Due to the probabilistic nature and the need for cost benefit analysis, IT risks are managed following a process that, according to NIST SP 800-30, can be divided into the following steps:
1. risk assessment,
2. risk mitigation, and
3. evaluation and assessment.
Effective risk management must be totally integrated into the Systems Development Life Cycle. [...] Another area of application can be the certification of a product.
Criteria include the risk evaluation, risk acceptance and impact evaluation criteria. These are conditioned by:
• legal and regulatory requirements
• the strategic value for the business of information processes
• stakeholder expectations
• negative consequences for the reputation of the organization
Establishing the scope and boundaries, the organization should be studied: its mission, its values, its structure; its strategy, its locations and cultural environment. The constraints (budgetary, cultural, political, and technical) of the organization are to be collected and documented as a guide for the next steps.
Organization for security management
The set-up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS. The main roles inside this organization are:
• Senior Management
• Chief Information Officer (CIO)
• System and Information Owners
• the business and functional managers
• the Information System Security Officer (ISSO) or Chief Information Security Officer (CISO)
• IT Security Practitioners
• Security Awareness Trainers
Risk Assessment:
Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measures and the enforced security policy. On the contrary, Risk Assessment is executed at discrete time points (e.g. once a year, on demand, etc.) and, until the performance of the next assessment, provides a temporary view of assessed risks while parameterizing the entire Risk Management process. This view of the relationship of Risk Management to Risk Assessment is depicted in the figure as adopted from OCTAVE.
Risk assessment is often conducted in more than one iteration, the first being a high-level assessment to identify high risks, while the other iterations detail the analysis of the major risks and other risks.
According to the National Information Assurance Training and Education Center, risk assessment in the IT field is:
1. A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications.
2. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.
3. An identification of a specific ADP facility's assets, the threats to these assets, and the ADP facility's vulnerability to those threats.
4. An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.
5. A management tool which provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks and documenting management decisions. Decisions for implementing additional protection features are normally based on the existence of a reasonable ratio between cost/benefit of the safeguard and sensitivity/value of the assets to be protected. Risk assessments may vary from an informal review of a small scale microcomputer installation to a more formal and fully documented analysis (i.e., risk analysis) of a large scale computer installation. Risk assessment methodologies may vary from qualitative or quantitative approaches to any combination of these two approaches.
ISO 27005 framework
Risk assessment receives as input the output of the previous step, Context establishment; the output is the list of assessed risks prioritized according to risk evaluation criteria. The process can be divided into the following steps:
• Risk analysis, further divided into:
   - Risk identification
   - Risk estimation
• Risk evaluation
The following table compares these ISO 27005 processes with the Risk IT framework processes.
The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
• security policy,
• organization of information security,
• asset management,
• human resources security,
• physical and environmental security,
• communications and operations management,
• access control,
• information systems acquisition, development and maintenance,
• information security incident management,
• business continuity management, and
• regulatory compliance.
Risk Identification:
Risk identification states what could cause a potential loss; the following are to be identified:
• assets, primary (i.e. business processes and related information) and supporting (i.e. hardware, software, personnel, site, organization structure)
• threats
• existing and planned security measures
• vulnerabilities
• consequences
• related business processes
The output of the sub-process is made up of:
• list of assets and related business processes to be risk managed with associated list of threats, existing and planned security measures
• list of vulnerabilities unrelated to any identified threats
[...] resources at risk (the laptop hardware in the example). Intangible asset value can be huge, but is not easy to evaluate: this can be a consideration against a pure quantitative approach.
Qualitative risk assessment (three to five steps evaluation, from Very High to [...]
[...] Allocation of limited resources is based on the priority given to each of the project activities. Their priority is calculated using the Critical Path Method and heuristic analysis. For a case with a constraint on the number of resources, the objective is to create the most efficient schedule possible - minimising project duration and maximising the use of the resources available.
IT Project Scheduling:
Schedule Inputs
You need several types of inputs to create a project schedule:
• Personal and project calendars - Understanding working days, shifts, and resource availability is critical to completing a project schedule.
• Description of project scope - From this, you can determine key start and end dates, major assumptions behind the plan, and key constraints and restrictions. You can also include stakeholder expectations, which will often determine project milestones.
• Project risks - You need to understand these to make sure there's enough extra time to deal with identified risks - and with unidentified risks (risks are identified with thorough Risk Analysis).
• Lists of activities and resource requirements - Again, it's important to determine if there are other constraints to consider when developing the schedule. Understanding the resource capabilities and experience you have available - as well as company holidays and staff vacations - will affect the schedule.
A project manager should be aware of deadlines and resource availability issues that may make the schedule less flexible.
Scheduling Tools
Here are some tools and techniques for combining these inputs to develop the schedule:
• Schedule Network Analysis - This is a graphic representation of the project's activities, the time it takes to complete them, and the sequence in which they must be done. Project management software is typically used to create these analyses - Gantt charts and PERT charts are common formats.
• Critical Path Analysis - This is the process of looking at all of the activities that must be completed, and calculating the 'best line' - or critical path - to take so that you'll complete the project in the minimum amount of time. The method calculates the earliest and latest possible start and finish times for project activities, and it estimates the dependencies among them to create a schedule of critical activities and dates.
• What-if scenario analysis - This method compares and measures the effects of different scenarios on a project. You use simulations to determine the effects of various adverse, or harmful, assumptions - such as resources not being available on time, or delays in other areas of the project. You can then measure and plan for the risks posed in these scenarios.
• Resource levelling - Here, you rearrange the sequence of activities to address the possibility of unavailable resources, and to make sure that excessive demand is not put on resources at any point in time. If resources are available only in limited quantities, then you change the timing of activities so that the most critical activities have enough resources.
• Critical chain method - This also addresses resource availability. You plan activities using their latest possible start and finish dates. This adds extra time between activities, which you can then use to manage work disruptions.
• Risk multipliers - Risk is inevitable, so you need to prepare for its impact. Adding extra time to high-risk activities is one strategy. Another is to add a time multiplier to certain tasks or certain resources to offset overly optimistic time estimation.
After the initial schedule has been reviewed, and adjustments made, it's a good idea to have other members of the team review it as well. Include people who will be doing the work - their insights and assumptions are likely to be particularly accurate and relevant.
IT Project Monitoring:
What do we mean by project monitoring?
It means to keep a careful check of project activities over a period of time.
Why should we monitor a project?
Surely if everyone is doing their best, things will go well!
To work to its full potential, any kind of project needs to set out proposals and objectives. Then a monitoring system should be worked out to keep a check on all the various activities, including finances. This will help project staff to know how things are going, as well as giving early warning of possible problems and difficulties.
How can a project be monitored?
1. Keep it simple: Remember, monitoring is meant to be a help to good project management and not a burden.
2. Objectives: Work out clearly at the beginning the objectives of the project, including a budget of the likely cost (expenditure).
3. Plan the activities:
   - what needs to be done
   - when it should be done
   - who will be involved in doing it
   - what resources are needed to do it
   - how long it will take to do
   - how much it will cost.
4. Monitoring: Work out the most appropriate way of monitoring the work - again, keep it simple:
   - meetings
   - diaries
   - reports on progress
   - accounts, reports on finances.
Monitoring methods
• Reports
These do not have to be very long. Their purpose needs to be clear - to report on activities and achievements. Above is an example of the records kept by ASHA in India. They give a clear and helpful record of exactly what has been achieved. They are short and to the point. This kind of report will help them in future planning and would clearly inform the Government or a donor agency of what has taken place. The ideal report - like this one below written by ASHA in India - is short and to the point.

Objectives | Outcome | Evaluation
Consciousness raising 1: Conduct 18 courses (average size 18) | 19 courses held: 10 for men, 9 for women. Total participants [illegible]. Average size 1[illegible]. Course length [illegible] days | These courses are very effective in motivating group members. Groups have been transformed when members have received this training.