it 305 management of technology

Upload: aiicah-zack-harris

Post on 06-Jul-2018


  • 8/16/2019 IT 305 Management of Technology

    1/17

    IT 305

    Management of Technology

    (T-TH 1-2:30)

    Professor Dean:

    Maria Teresa ! Pancho

    Student:

    Hanson %! Pe&ano

    '"-IT

    0-00*0

  • 8/16/2019 IT 305 Management of Technology

    2/17

    Types of IT Project:

    The project types for which a standardized pre-tailoring exists at present will be described next. Characteristics described in the next section are used as the basis for the type definition.

    General Assumptions

    When selecting activities and products, the following assumptions are made for all project types:

    • No criticality classification exists in the planned project, i. e., all software parts are handled equally with respect to construction and assessment.

    • No database development is planned.

    If these assumptions are not true in a planned project, then additional activities and products must be selected by using the implementing conditions of the tailoring forms (section T.3.6 Tailoring Forms).

    The implementing conditions must also be observed when, for the characteristics

    • complexity of functions,

    • complexity of data, or

    • maintenance requirements,

    the characteristic value defined in the corresponding project type deviates from the characteristic value of a planned concrete project.

     T.3.1 Characteristics with Corresponding Quantifications

    In order to define project types, characteristics with corresponding quantifications are required. The characteristics "Project Size", "Complexity", and "Maintenance Requirements" are described in categories like "low/small", "medium", and "high/large".

     T.3.1.1 Project Size Classification

    IT projects are of different sizes. This must be considered during the selection of activities and products. The cost/effort for a project (in man years, project years) and the number of project members are used to define the project size.

    The size of a project is classified according to the following schema:

    Project Size | Cost/Effort in Man Years | Number of Project Members
    small        | <= 0,5                   | or <= 2
    medium       | <= 5                     | or <= 5
    large        | > 5                      | or > 5

    Table T.4: Project Size Classification


    In cases where the project size is not defined according to the above shown schema, the larger project size has to be selected. E. g., in a project with 2 project members (results in class "small") and 3 project years (results in class "medium"), class "medium" has to be selected.

     T.3.1.2 Complexity Classification of Functions and Data

    Functions and data are described structured in the products User Requirements and Technical Requirements. The functions and data described in these documentations have to be classified with regard to their complexity, on the basis of the professional structuring. The evaluation of the complexity is realized by the statistical evaluation of appropriate indicators.

    Since the classification of the complexity with justifiable mathematical methods can only be realized with the help of a software tool, a simplified method is suggested for the classification of complexity of functions and data. In that case, the structuring of functions and data mentioned in the above listed requirement documents will be used.

    • On system, segment, and SW unit level, the complexity is classified on the basis of the expected number of sub functions and the number of the internal interfaces.

    • The classification of complexity on components and module level is realized on the basis of the code length.

    • The complexity of data that can be represented in a sequential or entity-relationship structure is classified by means of the number of entities and the number of internal relations (hierarchy levels).

    The indicators for the three complexity classes are listed next.

    Functions Complexity | Number of Sub functions | Number of Interfaces | Number of Program Lines
    small                | < 10                    | and < 10             | and < 100
    medium               | < 30                    | and < 30             | and < 300
    large                | >= 30                   | or >= 30             | or >= 300

    Table T.5: Function Complexity Classification

    Data Complexity | Number of Entities | Number of Relations | Number of Data Fields
    low             | < 10               | and < 10            | and < 20
    medium          | < 40               | and < 40            | and < 100
    large           | >= 40              | or >= 40            | or >= 100

    Table T.6: Data Complexity Classification
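As an added example (not part of the handout or of the V-Model documentation it quotes), the following Python encodes the classification rules of Tables T.4 to T.6, including the "and"/"or" semantics of the rows and the rule from T.3.1.1 that the larger size class is selected when the two size indicators disagree; the function names are my own.

```python
"""Classifiers for the pre-tailoring characteristics of Tables T.4 to T.6.

Added example, not part of the handout; function names are the author's own.
"""

SIZE_ORDER = ("small", "medium", "large")


def size_class_for_effort(man_years: float) -> str:
    """Table T.4, effort column: <= 0.5 small, <= 5 medium, > 5 large."""
    if man_years <= 0.5:
        return "small"
    if man_years <= 5:
        return "medium"
    return "large"


def size_class_for_members(members: int) -> str:
    """Table T.4, members column: <= 2 small, <= 5 medium, > 5 large."""
    if members <= 2:
        return "small"
    if members <= 5:
        return "medium"
    return "large"


def project_size(man_years: float, members: int) -> str:
    """Combine both T.4 columns; on disagreement the larger class is selected (T.3.1.1)."""
    classes = (size_class_for_effort(man_years), size_class_for_members(members))
    return max(classes, key=SIZE_ORDER.index)


def _three_way(indicators, names):
    """Shared row logic of Tables T.5 and T.6.

    indicators: iterable of (value, first_limit, second_limit).
    First class when every value is below its first limit ("and"),
    second class when every value is below its second limit ("and"),
    third class as soon as any value reaches its second limit ("or").
    """
    if all(value < first for value, first, _ in indicators):
        return names[0]
    if all(value < second for value, _, second in indicators):
        return names[1]
    return names[2]


def function_complexity(sub_functions: int, interfaces: int, program_lines: int) -> str:
    """Table T.5: sub functions and interfaces use limits 10/30, program lines 100/300."""
    indicators = [
        (sub_functions, 10, 30),
        (interfaces, 10, 30),
        (program_lines, 100, 300),
    ]
    return _three_way(indicators, ("small", "medium", "large"))


def data_complexity(entities: int, relations: int, data_fields: int) -> str:
    """Table T.6: entities and relations use limits 10/40, data fields 20/100."""
    indicators = [
        (entities, 10, 40),
        (relations, 10, 40),
        (data_fields, 20, 100),
    ]
    return _three_way(indicators, ("low", "medium", "large"))


def classify_project(man_years, members, sub_functions, interfaces,
                     program_lines, entities, relations, data_fields):
    """All three characteristics of one planned project, as a dict."""
    return {
        "project_size": project_size(man_years, members),
        "function_complexity": function_complexity(sub_functions, interfaces, program_lines),
        "data_complexity": data_complexity(entities, relations, data_fields),
    }


if __name__ == "__main__":
    # The worked case from T.3.1.1: 2 members (small) but 3 project years (medium).
    print(project_size(3, 2))
    # Constructed project: every indicator low except 150 program lines.
    print(classify_project(0.4, 2, 5, 5, 150, 8, 8, 15))
```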

     T.3.1.3 Quantification of the Maintenance Requirements

    Maintenance requirements are quantified as follows:

    Degree of Requirement | Impact on the Changeability
    low                   | only minimum changes are to be expected
    medium                | adjustments (regularly) are expected, locally, though
    high                  | essential changes are very probable

    Table T.7: Maintenance Requirements Quantification

     T.3.2 Administrative IT Projects

     T.3.2.1 Small Administrative IT Projects

    1. Project Description: The project is mostly realized by one or two project members. Frequently, the software developer is the software user as well. The software often runs on a PC.

    2. Project Size: not more than 0.5 man years with 1 to 2 project members.

    3. Complexity: The complexity of functions and data is low.

    4. Maintenance Requirements:


    3. Complexity: The complexity of functions and data is considered medium.

    4. Maintenance Requirements: medium

    5. Examples for large administrative IT projects:

    o Federal Office for Motor Traffic (motor vehicle data)

    o Federal Office of Administration (central register for foreigners, about 200 monitors)

    o IIS environmental project

    o Patent Information System of the German Patent Office (Deutsches Patentamt PATIS)

     T.3.3 Technical/Scientific IT Projects

     T.3.3.1 Small/Medium Technical/Scientific IT Projects

    1. Project Description: a small to medium size project concentrating on technical-scientific data processing. These might be, e. g., model and simulation processing, graphics, image processing, statistics, calculation of stability/strength, etc. The project is realized by not more than 5 staff members.

    2. Project Size: Not more than 5 man years or not more than 5 project members.

    3. Complexity: The complexity of the functions is medium; the complexity of the data is low.


    4. Maintenance Requirements: low

    5. Examples:

    o weather forecast

    o air safety applications (radar data presentation)

     T.3.4 Selection, Procurement and Adjustment of Off-the-Shelf Products

    1. Project Description: Only a few V-Model activities and products are required for this project type, since a large part of the functionality already exists because of the off-the-shelf product.

    2. Project Size: The effort is not more than 0.5 man years and not more than 2 staff members.

    3. Complexity: The complexity of both functions and of the data of updates or modifications is low.

    4. Maintenance Requirements: medium

    5. Examples:

    • office communication systems

    • telecommunication systems

     T.3.5 Representation of the Project Types - Overview

    The following matrix offers an overview of the relationships of project types and characteristic values.

    Project Type | Cost/Effort in Man Years | Number of Staff | Complexity of Functions | Complexity of Data | Maintenance Requirements
    Administrative IT Projects, low | <= 0,5 | <= 2 | low | low | low
    Administrative IT Projects, medium | <= 5 | <= 5 | medium | medium | medium
    Administrative IT Projects, large | > 5 | > 5 | medium | medium | medium
    Techn./Scient. IT Projects, low | <= 5 | <= 5 | medium | low | low
    Techn./Scient. IT Projects, large | > 5 | > 5 | medium | low | low
    Eval./Procurm./Adjustment of Off-the-Shelf Products | <= 0,5 | <= 2 | low | low | medium

    Table T.3: Project Types and Characteristic Values

     T.3.6 Tailoring Forms

    (Access next html pages)

     T.3.6.1 Using the Forms

    (Access next html pages)

     T.3.6.2 Collection of Forms

    (Access next html pages)

    IT Risk Management:

    IT risk management is the application of risk management to the Information technology context in order to manage IT risk, i.e.:

    The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

    IT risk management can be considered a component of a wider Enterprise risk management system.

    The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.

    Different methodologies have been proposed to manage IT risks, each of them divided in processes and steps.

    According to Risk IT, it encompasses not only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit/value enabling risk associated to missing opportunities to use technology to enable or enhance business, or the IT project management for aspects like overspending or late delivery with adverse business impact.

    Because risk is strictly tied to uncertainty, Decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.

    Generally speaking, risk is the product of likelihood times impact (Risk = ... Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."

    There are two things in this definition that may need some clarification. First, the process of risk management is an on-going iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerabilities emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected.

    Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. This process is not unique to the IT environment; indeed it pervades decision-making in all areas of our daily lives.

    The head of an organizational unit must ensure that the organization has the capabilities needed to accomplish its mission. These mission owners must determine the security capabilities that their IT systems must have to provide the desired level of mission support in the face of real world threats. Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

    Risk management in the IT world is quite a complex, multi-faceted activity, with a lot of relations with other complex activities. The picture shows the relationships between different related terms.

    National Information Assurance Training and Education Center defines risk in the IT field as:

    1. The total processes to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA approval. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification, and approval.

    2. An element of managerial science concerned with the identification, measurement, control, and minimization of uncertain events. An effective risk management program encompasses the following four phases:

        1. A Risk assessment, as derived from an evaluation of threats and vulnerabilities.

        2. Management decision.

        3. Control implementation.

        4. Effectiveness review.

    3. The total process of identifying, measuring, and minimizing uncertain events affecting AIS resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation, and systems review.

    4. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

    Risk Management Methodology:

    The term methodology means an organized set of principles and rules that drive action in a particular field of knowledge. A methodology does not describe specific methods; nevertheless it does specify several processes that need to be followed. These processes constitute a generic framework. They may be broken down in sub-processes, they may be combined, or their sequence may change. However, any risk management exercise must carry out these processes in one form or another; the following table compares the processes foreseen by three leading standards. ISACA's Risk IT framework is more recent. The Risk IT Practitioner-Guide compares Risk IT and ISO 27005. The overall comparison is illustrated in the following table.

    Risk management constituent processes

    ISO/IEC 27005:2008 | BS 7799-3:2006 | SP 800-30 | Risk IT
    Context establishment | Organizational context | - | RG and RE Domains more precisely: RG1.2 Propose IT risk tolerance; RG2.1 Establish and maintain accountability for IT risk management; RG2.3 Adapt IT risk practices to enterprise risk practices; RG2.4 Provide adequate resources for IT risk management; RE2.1 Define IT risk analysis scope.
    Risk assessment | Risk assessment | Risk assessment | RE2 process includes: RE2.1 Define IT risk analysis scope; RE2.2 Estimate IT risk; RE2.3 Identify risk response options; RE2.4 Perform a peer review of IT risk analysis. In general, the elements as described in the ISO 27005 process are all included in Risk IT; however, some are structured and named differently.
    Risk treatment | Risk treatment and management decision making | Risk mitigation | RE2.3 Identify risk response options; RR2.3 Respond to discovered risk exposure and opportunity
    Risk acceptance | - | - | RG3.4 Accept IT risk
    Risk communication | Ongoing risk management activities | - | RG1.5 Promote IT risk-aware culture; RG1.6 Encourage effective communication of IT risk; RE3.6 Develop IT risk indicators.
    Risk monitoring and review | - | Evaluation and assessment | RG2 Integrate with ERM; RE2.4 Perform a peer review of IT risk analysis; RG2.5 Provide independent assurance over IT risk management

    Due to the probabilistic nature and the need of cost benefit analysis, the IT risks are managed following a process that according to NIST SP 800-30 can be divided in the following steps:

    1. risk assessment,

    2. risk mitigation, and

    3. evaluation and assessment.

    Effective risk management must be totally integrated into the Systems Development ... Another area of application can be the certification of a product.

    Criteria include the risk evaluation, risk acceptance and impact evaluation criteria. These are conditioned by:

    legal and regulatory requirements

    the strategic value for the business of information processes

    stakeholder expectations

    negative consequences for the reputation of the organization

    Establishing the scope and boundaries, the organization should be studied: its mission, its values, its structure; its strategy, its locations and cultural environment. The constraints (budgetary, cultural, political, and technical) of the organization are to be collected and documented as guide for next steps.

    Organization for security management

    The set-up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS. The main roles inside this organization are:

    Senior Management

    Chief information officer (CIO)

    System and Information owners

    the business and functional managers

    the Information System Security Officer (ISSO) or Chief information security officer (CISO)

    IT Security Practitioners

    Security Awareness Trainers

    Risk Assessment:

    Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measurements and the enforced security policy. On the contrary, Risk Assessment is executed at discrete time points (e.g. once a year, on demand, etc.) and - until the performance of the next assessment - provides a temporary view of assessed risks while parameterizing the entire Risk Management process. This view of the relationship of Risk Management to Risk Assessment is depicted in figure as adopted from OCTAVE.

    Risk assessment is often conducted in more than one iteration, the first being a high-level assessment to identify high risks, while the other iterations detail the analysis of the major risks and other risks.

    According to National Information Assurance Training and Education Center, risk assessment in the IT field is:

    1. A study of the vulnerabilities, threats, likelihood, loss or impact, and theoretical effectiveness of security measures. Managers use the results of a risk assessment to develop security requirements and specifications.

    2. The process of evaluating threats and vulnerabilities, known and postulated, to determine expected loss and establish the degree of acceptability to system operations.

    3. An identification of a specific ADP facility's assets, the threats to these assets, and the ADP facility's vulnerability to those threats.

    4. An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.

    5. A management tool which provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risks and documenting management decisions. Decisions for implementing additional protection features are normally based on the existence of a reasonable ratio between cost/benefit of the safeguard and sensitivity/value of the assets to be protected. Risk assessments may vary from an informal review of a small scale microcomputer installation to a more formal and fully documented analysis (i. e., risk analysis) of a large scale computer installation. Risk assessment methodologies may vary from qualitative or quantitative approaches to any combination of these two approaches.

    ISO 27005 framework

    Risk assessment receives as input the output of the previous step Context establishment; the output is the list of assessed risks prioritized according to risk evaluation criteria. The process can be divided in the following steps:

    Risk analysis, further divided in:

    Risk identification

    Risk estimation

    Risk evaluation

    The following table compares these ISO 27005 processes with Risk IT framework processes:

    The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:

    security policy,

    organization of information security,

    asset management,

    human resources security,

    physical and environmental security,

    communications and operations management,

    access control,

    information systems acquisition, development and maintenance,

    information security incident management,

    business continuity management, and

    regulatory compliance.

    Risk Identification:

    Risk identification states what could cause a potential loss; the following are to be identified:

    assets, primary (i.e. Business processes and related information) and supporting (i.e. hardware, software, personnel, site, organization structure)

    threats

    existing and planned security measures

    vulnerabilities

    consequences

    related business processes

    The output of this sub process is made up of:

    list of assets and related business processes to be risk managed with associated list of threats, existing and planned security measures

    list of vulnerabilities unrelated to any identified threats


    resources at risk (the laptop hardware in the example). Intangible asset value can be huge, but is not easy to evaluate: this can be a consideration against a pure quantitative approach.

    Qualitative risk assessment (three to five steps evaluation, from Very High to ... Allocation of limited resources is based on the priority given to each of the project activities. Their priority is calculated using the Critical path method and heuristic analysis. For a case with a constraint on the number of resources, the objective is to create the most efficient schedule possible - minimising project duration and maximising the use of the resources available.

    IT Project Scheduling:

    Schedule Inputs

    You need several types of inputs to create a project schedule:


    • Personal and project calendars - Understanding working days, shifts, and resource
    availability is critical to completing a project schedule.

    • Description of project scope - From this, you can determine key start and end dates, major
    assumptions behind the plan, and key constraints and restrictions. You can also include
    stakeholder expectations, which will often determine project milestones.

    • Project risks - You need to understand these to make sure there is enough extra time to deal
    with identified risks, and with unidentified risks (risks are identified through thorough Risk Analysis).

    • Lists of activities and resource requirements - Again, it is important to determine if there
    are other constraints to consider when developing the schedule. Understanding the resource
    capabilities and experience you have available, as well as company holidays and staff
    vacations, will affect the schedule.

    A project manager should be aware of deadlines and resource availability issues that may make the
    schedule less flexible.

    +cheduling Tools

    Eere are some tools and techni"ues for combining these inputs to develop the schedule

    • Schedule $etwor6 Anal(sis H This is a graphic representation of the projectJs activities, the

    time it taes to complete them, and the se"uence in which they must be done. *rojectmanagement software is typically used to create these analyses H Gantt charts and P!-TCharts are common formats.

    • Critical Path Anal(sis H This is the process of looing at all of the activities that must be

    completed, and calculating the Jbest lineJ H or critical path H to tae so that youJll complete theproject in the minimum amount of time. The method calculates the earliest and latest possiblestart and finish times for project activities, and it estimates the dependencies among them tocreate a schedule of critical activities and dates. hat if= scenario anal(sis H This method compares and measures the effects of differentscenarios on a project. Kou use simulations to determine the effects of various adverse, orharmful, assumptions H such as resources not being available on time, or delays in otherareas of the project. Kou can then measure and plan for the riss posed in these scenarios.

    • -esource le/elling H Eere, you rearrange the se"uence of activities to address the possibility

    of unavailable resources, and to mae sure that excessive demand is not put on resources atany point in time. #f resources are available only in limited "uantities, then you change thetiming of activities so that the most critical activities have enough resources.

    • Critical chain method H This also addresses resource availability. Kou plan activities using

    their latest possible start and finish dates. This adds extra time between activities, which youcan then use to manage wor disruptions.


    • Risk multipliers - Risk is inevitable, so you need to prepare for its impact. Adding extra time
    to high-risk activities is one strategy. Another is to add a time multiplier to certain tasks or
    certain resources to offset overly optimistic time estimation.

    After the initial schedule has been reviewed, and adjustments made, it is a good idea to have other
    members of the team review it as well. Include people who will be doing the work; their insights and
    assumptions are likely to be particularly accurate and relevant.
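The Critical Path Analysis and Risk multipliers bullets above describe one calculation: a forward pass that gives each activity its earliest start and finish, a backward pass that gives the latest start and finish, and slack as the difference. The following Python is an added example written for this page, not code from the original document or from Mindtools. The six-activity network, the flag marking an activity as high risk, and the risk_multiplier parameter are constructed assumptions. It goes one step beyond the text by running the same network twice: with the optimistic estimates the critical path is A-B-D-E-F, and doubling the two high-risk estimates moves it to A-C-E-F, which is why a multiplier on high-risk tasks can change which activities the schedule has to protect.

```python
"""Critical path analysis with a risk multiplier on high-risk activities.

Added example for this page; it is not code from the original document or
from any project it cites. The activity network, the flag marking an
activity as high risk, and the risk_multiplier parameter are constructed
assumptions for illustration.
"""

# Constructed network: name -> (duration in days, predecessors, high_risk)
ACTIVITIES = {
    "A": (3, [], False),          # requirements
    "B": (4, ["A"], False),       # design
    "C": (6, ["A"], True),        # security review; high risk: depends on an external team
    "D": (5, ["B"], False),       # build
    "E": (2, ["C", "D"], False),  # integration
    "F": (3, ["E"], True),        # penetration test; high risk: findings may need rework
}


def topological_order(activities):
    """Kahn's algorithm. Returns (order, successors); raises on a dependency cycle."""
    indegree = {name: len(preds) for name, (_, preds, _) in activities.items()}
    successors = {name: [] for name in activities}
    for name, (_, preds, _) in activities.items():
        for pred in preds:
            successors[pred].append(name)
    ready = [name for name, deg in indegree.items() if deg == 0]
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in successors[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(activities):
        raise ValueError("dependency cycle in activity network")
    return order, successors


def critical_path(activities, risk_multiplier=1.0):
    """Forward pass (ES/EF), backward pass (LS/LF), slack = LS - ES.

    Durations of high-risk activities are scaled by risk_multiplier first,
    so the same function shows both the optimistic and the adjusted schedule.
    Returns (project_duration, per-activity figures, critical activities).
    """
    order, successors = topological_order(activities)
    duration = {
        name: dur * (risk_multiplier if high_risk else 1)
        for name, (dur, _, high_risk) in activities.items()
    }
    es, ef = {}, {}
    for name in order:                              # forward pass
        es[name] = max((ef[p] for p in activities[name][1]), default=0)
        ef[name] = es[name] + duration[name]
    project_duration = max(ef.values())
    ls, lf = {}, {}
    for name in reversed(order):                    # backward pass
        lf[name] = min((ls[s] for s in successors[name]), default=project_duration)
        ls[name] = lf[name] - duration[name]
    figures = {
        name: {"es": es[name], "ef": ef[name], "ls": ls[name], "lf": lf[name],
               "slack": ls[name] - es[name]}
        for name in activities
    }
    critical = sorted((n for n in activities if figures[n]["slack"] == 0),
                      key=lambda n: (figures[n]["es"], n))
    return project_duration, figures, critical


if __name__ == "__main__":
    for mult in (1.0, 2.0):
        total, figures, critical = critical_path(ACTIVITIES, risk_multiplier=mult)
        print(f"multiplier {mult}: duration {total}, critical path {'-'.join(critical)}")
        for name, f in figures.items():
            print(f"  {name}: ES={f['es']} EF={f['ef']} LS={f['ls']} LF={f['lf']} slack={f['slack']}")
```

The cycle check in topological_order matters in practice: a dependency loop in the activity list makes a forward pass impossible, and scheduling tools that silently drop an edge give a plausible-looking but wrong critical path.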

    IT Project Monitoring:

    What do we mean by project monitoring?

    It means keeping a careful check on project activities over a period of time.

    Why should we monitor a project?

    Surely if everyone is doing their best, things will go well!

    To work to its full potential, any kind of project needs to set out proposals and objectives. Then a
    monitoring system should be worked out to keep a check on all the various activities, including finances.
    This will help project staff to know how things are going, as well as giving early warning of possible
    problems and difficulties.

    How can a project be monitored?

    1. Keep it simple
       Remember: monitoring is meant to be a help to good project management and not a burden.

    2. Objectives
       Work out clearly at the beginning the objectives of the project, including a budget of the likely cost
       (expenditure).

    3. Plan the activities
       - what needs to be done
       - when it should be done
       - who will be involved in doing it
       - what resources are needed to do it
       - how long it will take to do
       - how much it will cost.

    4. Monitoring
       Work out the most appropriate way of monitoring the work - again, keep it simple:
       - meetings
       - diaries
       - reports on progress
       - accounts and reports on finances.

    Monitoring methods

    • Reports

    These do not have to be very long. Their purpose needs to be clear: to report on activities and
    achievements. The table below, written by ASHA in India, is an example of the records they keep. It gives
    a clear and helpful record of exactly what has been achieved, and it is short and to the point. This kind
    of report will help them in future planning and would clearly inform the Government or a donor agency
    of what has taken place.

    Objectives                     Outcome                                        Evaluation
    -----------------------------  ---------------------------------------------  -----------------------------------------
    Consciousness raising          19 courses held: 10 for men, 9 for women.      These courses are very effective in
    1. Conduct 18 courses          Total participants: [unreadable].              motivating group members. Groups have
       (average size 18).          Average size: [unreadable].                    been transformed when members have
                                   Course length: [unreadable] days.              received this training.
