TickITplus – what it can do for you Talk to BCS Hants March 2012 Graham Gee Quality & InfoSec Manager

Post on 14-Dec-2015


Page 1: TickITplus – what it can do for you Talk to BCS Hants March 2012 Graham Gee Quality & InfoSec Manager

TickITplus – what it can do for you

Talk to BCS Hants, March 2012

Graham Gee, Quality & InfoSec Manager

Page 2: Graham Gee

• BSc in Astrophysics and PhD in Submillimetre Astronomy at Queen Mary College, University of London
• 26+ years in IT industry
• Wide range of employers, clients, market sectors
• Previously 10 years in mainland Europe (NL, CH, B, D)
• 20+ years in quality assurance, consultancy and management
• Last 4.5 years Quality & InfoSec Manager at IPL in Bath
• 20 years as MBCS, <1 as FBCS
• BCS Council member/trustee in early 00’s – change programme

Page 3: IPL background

Trusted, independent consulting & solutions house
• 30 year track record
• 260 staff, £28m+ turnover
• Business/mission critical contexts
• Consistently exceed expectations
• Multiple market sectors

Re-defined strategy (MBO April ‘08)
• Intelligent Business
• Four service offerings
• Business and technical consulting
• Solution delivery, managed services
• Raising our profile

Official Business Partner

Page 4: IPL Differentiators

• Quality & adaptability of staff
• Depth of business & technical knowledge
• Execution & delivery
• Quality of output
• Value for money
• Long term business relationships
• Commercial flexibility
• Transparency & trust
• Size & scale

Page 5: Aerospace & Defence

Customers: Ministry of Defence, Flight Refuelling, EADS, Thales, Logica, GE Aviation

Work:
• Avionics systems
• Mission planning
• Crypto key management
• Secure communications
• Network management
• In-flight refuelling

Page 6: Banking & Finance

Customers: Nationwide, Clydesdale Bank, Bank of England, Barclays, Bristol & West Investments

Work:
• Online financial product applications
• Core banking systems
• Asset & unit pricing control
• Liquidity reporting
• Data migration & integration
• Pensions policy administration

Page 7: Emergency Services

Customers: EADS FiReControl, Hertfordshire Constabulary, Kent Police, Northamptonshire Police, NPIA, Wiltshire Police

Work:
• Core policing systems
• ISS4PS compliance
• Collision recording
• ANPR data analysis
• GIS & crime mapping
• Mobile data solutions

Page 8: Government

Customers: Local Authorities, Audit Commission, Met Office, Government Ombudsmen, Technology Strategy Board

Work:
• Web portals
• Web-enabled information
• Complaints handling
• “Digital Britain” testing
• GIS & mapping applications

Page 9: Industry

Customers: A Global Energy Company, Imperial Tobacco Group, IBM, GlaxoSmithKline, Fertility Focus

Work:
• Data warehouse & applications
• Management information systems
• Information management & SOA
• Clinical drug trials data archive
• Medical devices

Page 10: Telecoms, Broadcast & Media

Customers: Nokia Music, Ericsson, NSN, Aepona, O2, Orange, Ubiquisys

Work:
• GSM core network systems
• Transmission and QoS management
• Intelligent Networks
• Multimedia services
• Network/Service Management Systems
• Technical Launch Services

Page 11: Transport

Customers: Amey, Atkins, Highways Agency, Mouchel, TfL, Wincanton

Work:
• Traffic control centre systems
• Managed motorways
• Intelligent transport systems
• Transport logistics
• Asset management

Page 12: IPL’s Focus on Quality

• IPL’s origins more than 30 years ago in UK Aerospace and Defence
• Range of market sectors/customers, business/mission critical contexts
• Objective since 1979 “to provide customers with high quality, high reliability software within timescale, budget and specification”
• “Quality is the responsibility of all individuals within the Company”
• More than 20 years ago (before SEI’s CMM existed)
• By 1988 IPL’s QMS and processes were aligned to the international standard ISO 9001 and a few years later the TickIT software sector-specific scheme
• TickIT was largely adopted by the UK software development industry
• Especially in IPL’s core market sector with high quality requirements

Page 13: TickIT

• Built into certification to ISO 9001 with regular external assessment by specially qualified auditors (in IPL’s case this is six-monthly by BSI and now LRQA)
• Was mandatory for many years for software companies working directly or indirectly for MoD
• Is a best practice guide aligned with international standards ISO 9001, ISO 9000-3 and ISO 12207

Page 14: QMS Pressures 2010-2012

• Wide range of market sectors, systems, applications and technologies
• Increasing emphasis on business processes rather than detailed technical procedures
• QMS not kept pace with changing world – needs modern approach, flexible, responsive, look-and-feel
• Process-based approach and measurement: Services Business Manual, TickITplus
• Managed services: application take-on, support, ITIL, ISO 20000?
• IP generation: product development

Page 15: Accreditations & Affiliations

• ISO 9001:2008/TickIT
• ISO 27001:2005
• ISO 14001:2004

Page 16: TickITplus

• Was due to launch in January 2011
• 3-year “clock” to migrate from TickIT started ticking in Dec 2011
• Adds process capability assessment, with levels mapped to international standard ISO/IEC 15504, similar to CMMI
• So moves TickIT to same basis as CMMI, but also:
• Backed by UK plc (including BSI, BCS, Intellect, MoD)
• Integral part of certification to international standard ISO 9001 by certification bodies such as BSI, LRQA and DNV
• Requires mapping of project, technical, organisational, IT-specific, agreement and maturity processes to the Base Processes Library

Page 17: IPL’s 1st plan v. TickITplus levels

ISO 15504 process level   TickITplus level   Target
1. Performed              Foundation         2011
2. Managed                Bronze             2011
3. Established            Silver             2011
4. Predictable            Gold               2012
5. Optimizing             Platinum           2013

Page 18: Steps to TickITplus: 2006-2010

• TickIT lead auditor course in 2006: declining interest in the scheme; only one accredited trainer in the UK; auditor and company registrations dropping; only ever good practice guidance; CMMI stolen march in India and elsewhere from its US origins
• Joined IPL in Oct 2007 aiming to bring QMS into 21st century
• Long experience in Quality/TickIT and with BCS
• TickITplus coming “soon” as UK alternative to CMMI…
• Occasionally we get pressure around our plans w.r.t. CMMI in questionnaires and responses
• Happened again at end of 2010 around Thales preferred supplier selection
• TickITplus was a long time coming – chronic lack of communication

Page 19: Steps to TickITplus: during 2011

• Transition of Certification Body to LRQA – December 2010
• Kept the faith –> information sessions hosted at Intellect, early 2011
• Speculative gap analysis cf. list of process titles – March/April 2011
• Assessor/practitioner training by Dave Wynn for IT Governance – June
• Base Process Library (BPL) finally published – also June 2011
• Confirmed gap analysis (cf. BPL) –> 1st draft PRM – July 2011
• 3-year “clock” to migrate from TickIT started ticking in Dec 2011
• LRQA Stage 1 assessment – end Sept 2011 -> 3 Minor N/Cs
• LRQA Stage 2 assessment – Dec 2011 -> certification but 7 new Minor N/Cs (just before Christmas!) and Corrective Action Plan

Page 20: What does TickITplus involve?

• Eight scope profiles (currently two)
• 40 processes (currently 22): organizational, project and technical
• Mapped to four international standards (currently one and a half):
  • ISO 9001
  • ISO 20000 and ISO 27001 – resp. Q2/Q3 2012
  • ISO 15504 – basis laid but rest later, possibly 2013
• Combined assessor/practitioner training – overseen by gasq
• Currently three UK Certification Bodies (BSI, DNV, LRQA)
• Run by Joint TickIT Industry Steering Committee (JTISC)

Page 21: What does TickITplus look like?

Page 22: Scope profiles

Currently:
• Systems and Software Development and Support
• Product Validation, Quality and Measurement

To come:
• Information Management and Security
• Service Management
• Project and Programme Management
• Corporate Strategy Planning and Management
• Legal and Compliance
• IT Systems Engineering and Infrastructure

Page 23: Organizational processes

• Human Resource Management
• Management Framework
• Corporate Management and Legal
• Infrastructure and Work Environment Management
• Improvement
• Measurement and Analysis
• Customer Focus
• Risk Management
• Lifecycle Model Management

Page 24: Measurement and Analysis

Process ID: ORG.6
Process Name: Measurement and Analysis
Category: Organizational Processes
Type: A
Version: v1r0
Process Purpose: To provide information to enable better decision making.

Process Outcome
OU.1: Measurements are used to demonstrate achievement of business objectives, to support decisions and identify improvement.

BP.1 Define Measurement and Analysis Policy and Procedures
• Policies are established, approved and communicated to ensure that measures are identified, collected, analysed, reported and used, to support the achievement of the business plan.
• Procedures are established for developing measures against key business objectives, to understand performance. The procedures define the method for identifying, collecting, storing, analysing and using measures.
• Policies and procedures are periodically reviewed and updated in line with the business plan.
• The policies and procedures are maintained under the management framework.
Input Work Products: Business Plan
Output Work Products: Measurement Policy; Measurement Procedures
ISO 9001: 4.2.1d), 4.2.3
IPL implementation: Measurement is embedded in the top-level documents for each management system. There is a specific Integrated Management Procedure (IMP02) focussed on audit and improvement.
IPL work products: [Business Needs]; Strategy, Objectives, Targets, Key Performance Measures; Quality Policy; IS and ISMS Policies; IMP02, Audit and Improvement

BP.2 Identify Measurement Objectives and Data
• The organization establishes where measures are necessary and identifies the objectives and data sources necessary to achieve them.
• The objectives and data sources are reviewed and agreed by stakeholders.
Input Work Products: Business Plan; Stakeholder Requirements
Output Work Products: Measurement Objectives; Measurement Data Sources
ISO 9001: 5.4.1
IPL implementation: Company-level measurement objectives are defined for each management system. The top-level objectives for the services business are in the SBM. There are more detailed measurement objectives in a document for Operations which informs the specific objectives for each software project. These are reviewed and agreed by the Quality Review Board (QRB, comprising COO, CTO and Quality Manager) for Quality, and the IS Forum for InfoSec.
IPL work products: Strategy, Objectives, Targets, Key Performance Measures; Quality Policy; IS and ISMS Policies; Quality Objectives; Services Business Manual; Operations Quality Objectives; Quality Plan: Quality Objectives; ISMS Overview

BP.3 Collect and Analyse Measurement Data
• Measurement data is collected and stored in line with the collection method.
• The measurement data is validated and any need for additional measurement is identified.
• The measurement data is analysed to provide indicators and recommendations to stakeholders.
Input Work Products: Measurement Objectives; Measurement Data Sources
Output Work Products: Measurement and Analysis Data; Measurement and Analysis Report
ISO 9001: 8.2.3, 8.2.4, 8.4

Page 25: Project processes

Currently:
• Project Management
• Configuration and Change Management
• Problem and Incident Management

To come:
• Decision Management
• Information Management
• IT Finance Management
• Management Reporting

Page 26: Project Management

Process ID: PRJ.1
Process Name: Project Management
Category: Project Procedures
Type: B/C
Version: v1r0
Process Purpose: To ensure that the projects meet their objectives.

Process Outcome
OU.1: The organization achieves project objectives in a controlled manner, and delivery is on time, in budget and to quality.

BP.1 Establish Project Management Policies and Procedures
• Policies are established, approved and communicated that govern the project management methodology and the delivery of projects.
• Procedures are defined, approved and made available for use, to implement the project management policies. The procedures cover project planning, tailoring, estimating, monitoring and control, resourcing, reporting, escalation, together with supplier, stakeholder, risk and issue management.
• The policies and procedures are maintained under the management framework.
Input Work Products: Business Plan
Output Work Products: Project Management Policies; Project Management Procedures
ISO 9001: 4.2.1d), 4.2.3
IPL implementation: The Delivery Manual contains the processes related to project management. It was reviewed and approved by a subset of the Board and Exec Committee. Supporting documents provide additional procedures. They are made available via the intranet.
IPL work products: Strategy; Annual Business Plan; Services Business Manual; Delivery Manual; SCOP-R: Project Control; Quality Objectives; Management Procedure 2: Progress Reporting; SCOP-P 9001, Risk Management

BP.2 Scope the Project
• A scope statement is defined for the project with deliverables agreed by stakeholders. The quality objectives and the requirements for the project are established and documented.
• Objectives, constraints and assumptions are recorded and agreed before project initiation.
• Projects select and tailor the appropriate lifecycle model, and the rationale is documented.
• Estimates are produced against the agreed scope, including any necessary contingency. A budget for the work to be undertaken is prepared.
• The scope, objectives, constraints, selected approach, estimates and budget are reviewed by stakeholders and approved by management.
Input Work Products: Stakeholder Requirements
Output Work Products: Scope Statement
ISO 9001: 7.2.1, 7.2.2
IPL implementation: Project scope and estimates will have been defined as part of the proposal process. The Delivery Manual and SCOP-R describe how to initiate a project. The Project Plan and Quality Plan set out the key aspects for the project to be delivered.
IPL work products: Invitation to Tender/Request for Proposal; Proposal; Delivery Manual: Initiate Project; SCOP-R: Project Control; Operations Quality Objectives; Project Plan; Quality Plan: Project Lifecycle

Page 27: Technical processes

• Data and Record Management
• Integration Management
• Verification
• Validation
• Transition and Release Management
• Maintenance Management
• Stakeholder Requirement Definition
• Requirements Analysis
• Architectural Design
• Development Implementation

Page 28: Architectural Design

Process ID: TEC.13
Process Name: Architectural Design
Category: Technical Processes
Type: B/C
Version: v1r0
Process Purpose: To produce a top-level design that identifies the major components and interfaces of the product.

Process Outcome
OU.1: The top-level design addresses all the system requirements, with no defects found in development.

BP.1 Establish Development Approach
• Different development approaches are considered in formulating the architecture design, and an approach is selected that best meets the system requirements.
• The selection decision and supporting rationale is documented, reviewed and approved.
Input Work Products: Lifecycle Model Description and Assets
Output Work Products: Selected Lifecycle
ISO 9001: 7.1, 7.3.1
IPL implementation: Initial development approach is captured in the quality plan. Refined during requirements and design stages.
IPL work products: SCOP-P 800x, Software Development Methods; ETC Agile Framework; Quality Plan

BP.2 Create Architectural Design
• The top-level design is created taking into account the architectural standards of the organization.
• The major components and interfaces necessary to meet the system requirements are identified. System requirements are traceable to the major components.
• Interfaces include interactions between system components, and between the system and the external environment.
• Design constraints, assumptions and dependencies are documented.
Input Work Products: System Requirements
Output Work Products: Top Level Design; Traceability Report
ISO 9001: 4.2.1d), 4.2.3, 7.3.3, 7.5.3
IPL implementation: The system is designed to ensure that it meets the system requirements, external interfaces and selected design standards. Design specifications are produced in line with the design methodology selected. SCOP-P 2001 provides the default format and content for design specs. The approach to traceability depends upon customer requirements, the nature of the system under development and any applicable standards (e.g. higher levels of DO-178B) plus the design methodology and modelling tools being used.
IPL work products: System Requirements Spec; Quality Plan: Design Process; SCOP-P 200x, design standards; High Level Design; Traceability Matrix

BP.3 Review Architectural Design
• The top-level design is reviewed by stakeholders to ensure all system requirements have been adequately addressed.
• The customer is advised of any adverse impact on cost, schedule and customer needs arising from the proposed top-level design, along with possible alternatives.
Input Work Products: Top Level Design
Output Work Products: Review Records; Top Level Design; Customer Notifications
ISO 9001: 7.2.3, 7.3.4, 7.3.5, 7.3.6
IPL implementation: The review approach is defined in the Quality Plan. Detailed reviews can include Preliminary and Critical Design Reviews with customer involvement.
IPL work products: High Level Design; Quality Plan: Review Process; SCOP-P 4001, Review Standards; High Level Design; Review Records

BP.4 Manage Architecture Changes
• Changes to the top-level design are formally controlled through the change control process.
• Changes to the top-level design are reviewed by stakeholders for their impact on cost, schedule and customer needs.
• The results of the review are communicated to stakeholders, and records maintained.
Input Work Products: Change Request
Output Work Products: Change Record
ISO 9001: 4.2.4, 7.2.3b), 7.3.7

Page 29: What has TickITplus done for us?

Page 30: TickITplus lessons/benefits

• Modern, pragmatic, detailed process/practice requirements, NOT good practice guidance (cf. TickIT)
• Based on international standards – ISO 9001 and ISO 15504 (aka SPICE)
• Scheme to be extended to allow combined assessment with ISO 20000 and ISO 27001
• Regular, professional and independently assured assessments by certification bodies – currently BSI, DNV and LRQA in the UK (cf. CMMI)
• Much less bureaucratic than CMMI
• BUT TickITplus Foundation level (currently 22 processes) is only equivalent to CMMI Levels 2/3 (resp. 7/11 processes), with capability maturity dimension based on ISO 15504 to be added

Page 31: IPL – where next with TickITplus?

• LRQA surveillance visit – end March 2012
• Some processes clearly need improving/redefining:
  • Configuration/change management
  • Integration management
  • Lifecycle model management
  • Improvement
• LRQA’s recertification visit at end of August 2012
• Extension to cover ISO 27001 later in 2012?
• Could consider adding additional scope profiles?
• Move up to Bronze (OK) and Silver (difficult) when available
• Share the good news with the UK IT community via BCS, LRQA, Intellect, with Omniprove and Nexor

Page 32: Questions?

Dr Graham Gee FBCS CITP TSSF
Quality & InfoSec [email protected] 475287

Eveleigh House, Grove Street, Bath BA1 5LR
01225 475000

Page 33: Additional slides

To be used as required

Page 34: Customers

• Government
• Aerospace & Defence
• Banking & Finance
• Emergency Services

Page 35: Customers

• Transport
• Telecoms, Broadcast & Media
• Industry
• A Global Energy Company

Page 36: Engagement Models

Long term relationship via a range of engagement models

Managing risk
• Time-boxed
• Risk/reward
• Fixed price

Flexibility
• Time & materials
• Gain share
• IPR ownership

Partnership
• Bid-stage engagement
• Teaming agreement

Staffing
• Single consultant
• Managed team of >50

Location
• Your premises
• IPL’s offices

Availability
• Quick commercial response
• Start within days

Page 37: Business Consulting – Identifying the business need

• Information management
• Business analysis
• Business process management
• Business case preparation
• IS strategy
• Programme management

Page 38: Technical Consulting – Analysing the technical options

• Client-side – procurement support, technical project management, design authority
• Project specific – rapid prototyping, requirements capture, architecture design
• Subject matter expertise – e.g. telecoms technologies, secure communications, geospatial technologies
• Bid support – expert advice and technology recommendations

Page 39: Solution Delivery – Delivering the solution

• Full life-cycle implementation
• Software development
• Systems integration
• Mitigating risk and sharing development burden
• Reducing development timescales
• 3rd party product expertise
• Accredited quality methodology
• Predictable, reliable, transparent delivery

Page 40: Managed Services – Supporting commercial solutions

• On-going support and maintenance services
• 3rd party application support
• System hosting
• Reducing overall cost of ownership
• Freeing organisation to focus on core skills and strategic projects
• Secure, modern premises
• UK facilities & staff

Page 41: Working with IPL

“IPL is our strategic software partner... track record of delivering high quality, leading edge software...” – Commercial Director

“IPL brought a fresh and independent look at the way we develop systems... helped us to take a valuable step back from the day-to-day detail... together, we will develop more successful solutions...” – CIO

“...a first class and dependable software development service... contributed value at many levels in the design and development cycle” – CTO

Page 42: Working with IPL

“Actually appear to live the culture of customer support and commitment. Deliver what they say they are going to deliver when they say they are going to deliver” – Programme Manager

“They are a reliable, professional outfit... work hard to understand the client’s requirements and deliver against them” – Application Support Manager

“Very competent, very proactive, willing to assist, reliable and effective.” – Programme Manager