CMMI Capability Maturity Model Integration

Group 4
Knowledge in IS/IT
processes and standards
Group 4 Members
• 951765 吳劉軒
• 961633 謝彥敏
• 961742 謝泓廷
• 961716 陳冠嘉
• 961748 許逸民
• 961717 蕭宇婷
• 961741 江柏緯
• 961720 顏伯旭
• 961747 游原丞
• 971715 范雋彥
• 971704 黃馨儀
• COBIT
• ITIL
• PCI DSS
• CISSP
• ISMS
• BS 25999
• ISO/IEC 12207
• ISO 20000
• ISO/IEC 38500
• ISO 15288
• CMMI
COBIT
951765 吳劉軒
What is COBIT? (Control Objectives for Information and related Technology)
COBIT is the set of best practices (framework) for
information technology (IT) management created by the
Information Systems Audit and Control Association
(ISACA), and the IT Governance Institute (ITGI). COBIT
provides managers, auditors, and IT users with a set of
generally accepted measures, indicators, processes and
best practices to assist them in maximizing the benefits
derived through the use of information technology and
developing appropriate IT governance and control in a
company.
IT Governance Focus Areas
COBIT Principle
COBIT Cube
COBIT Package Content
• Executive Summary
• Governance and Control Framework
• Control Objectives
• Management Guidelines
• Implementation Toolset Guide
• IT Assurance Guide
The Difference Between COBIT and Other
IT/IS Standards
• ISO/IEC 27002 (formerly ISO 17799) is an international standard which provides best practice advice and guidance on information security.
• ITIL is a source of best practice information and processes relating to the delivery of IT as a service.
• COBIT and the above standards/frameworks can be used together to achieve process improvement. COBIT does not supply a how-to route map for implementing IT or information security best practices. This is where ISO/IEC 17799 and ITIL come in: they supply best practice information and processes. COBIT provides us the controls by which we can measure the processes contained in ISO 17799 and ITIL, and which can be leveraged for process improvement.
COBIT Structure
COBIT includes 34 IT processes that
are grouped into four domains. The
four domains are:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes Using COBIT_1
IT Processes Using COBIT_2
What are the benefits of implementing COBIT?
• A common language for executives, management and IT professionals
• A better understanding of how the business and IT can work together for successful delivery of IT initiatives
• Improved efficiency and optimization of cost
• Reduced operational risk
• Clear policy development
• More efficient and successful audits
• Clear ownership and responsibilities, based on process orientation
• A tool for Sarbanes-Oxley Act compliance
Certification Institution
• http://www.iiiedu.org.tw/ites/COBIT.htm
• http://edu.uuu.com.tw/
• http://www.isaca.org/
The Picture Of COBIT License
ITIL
Information Technology
Infrastructure Library
961633 謝彥敏
What is ITIL
• ITIL is a set of concepts and practices for
Information Technology Services Management
(ITSM), Information Technology (IT)
development and IT operations.
• Developed by the Office for Government
Commerce (OGC) in England
• ITIL gives detailed descriptions of a number of
important IT practices and provides
comprehensive checklists, tasks and procedures
that any IT organization can tailor to its needs.
ITIL
• Information flow modularization
For managing the IT infrastructure, including hardware, software, organization, communication, processes, documents and employees.
– Help Desk
– 10 management process modules
• IT Service Support
• IT Service Delivery
ITIL v3 library
• Five volumes comprise the ITIL v3,
published in May 2007:
– ITIL Service Strategy
– ITIL Service Design
– ITIL Service Transition
– ITIL Service Operation
– ITIL Continual Service Improvement
ITIL v3 process model
ITIL v3 library
Service Strategy
• Providing guidance on clarification and
prioritization of service-provider
investments in services.
• Key topics covered include service value
definition, business-case development,
service assets, market analysis, and
service provider types.
ITIL v3 library
Service Design
• Providing good-practice guidance on the
design of IT services, processes, and
other aspects of the service management
effort.
ITIL v3 library
Service Transition
• Related to the delivery of services required
by a business into live/operational use,
and often encompasses the "project" side
of IT rather than "BAU" (Business as
usual).
ITIL v3 library
Service Operation
• The part of the lifecycle where the services and value are actually delivered.
• The monitoring of problems and the balance between service reliability and cost, etc., are considered.
ITIL v3 library
Service Improvement
• Service Improvement aims to align and
realign IT Services to changing business
needs by identifying and implementing
improvements to the IT services that
support the Business Processes.
ITIL v3 Life Cycle
Certification Institutions
• ITIL Certification Management
Board (ICMB)
- EXIN
- ISEB
Payment Card Industry Data Security Standard
(PCI DSS)
961742 謝泓廷
What is PCI DSS?
1. The standard was created to help
organizations that process card payments
prevent credit card fraud through increased
controls around data and its exposure to
compromise.
2. PCI DSS is a standard that all organizations,
including online retailers, must follow when
storing, processing and transmitting their
customer's credit card data.
It includes six principles and twelve requirements:
1. Build and Maintain a Secure Network
a. Install and maintain a firewall configuration to protect cardholder data
b. Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
c. Protect stored cardholder data
d. Encrypt transmission of cardholder data across open, public networks
3. Regularly Monitor and Test Networks
e. Track and monitor all access to network resources and cardholder data
f. Regularly test security systems and processes
4. Maintain an Information Security Policy
g. Define information security responsibilities
h. Maintain a policy that addresses information security
5. Maintain a Vulnerability Management Program
i. Use and regularly update anti-virus software
j. Develop and maintain secure systems and applications
6. Implement Strong Access Control Measures
k. Restrict access to cardholder data by business need-to-know
l. Assign a unique ID to each person with computer access
Steps to reach the standard
1. QSA: Qualified Security Assessor (third-party validator)
2. ASV: Approved Scanning Vendor (third-party scanning service provider)
3. SAQ: Self-Assessment Questionnaire
Self-Assessment Questionnaire
• A validation tool intended to assist merchants and service providers in self-evaluating their compliance.
TÜV Rheinland Group is a QSA
Qualys is an Approved Scanning Vendor (ASV)
Certification Level
1. PCI DSS includes four levels. Organizations reach the standard at the level that corresponds to their transaction volume.
Certification Institutions
1. Payment Card Industry Security Standards Council (PCI SSC).
2. The PCI SSC is also responsible for the training of the QSAs and ASVs that validate merchants and service providers.
Certified Information
Systems Security
Professional(CISSP)
961716 陳冠嘉
What is CISSP?
1. CISSP is a certification for information security professionals. The Certified Information Systems Security Professional certification is offered by the International Information Systems Security Certification Consortium.
What is CISSP?
2. A certification reflecting the qualifications of information systems security practitioners. The CISSP covers topics such as Access Control Systems, Cryptography, and Security Management Practices.
What is CISSP?
3. Employers feel the need to protect their assets and their networks. Hackers have evolved into groups of specialized malicious code writers who spread their code over the internet.
CISSP ten domains
CISSP includes ten domains
1. Access Control
2. Application Development Security
– Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development or maintenance of the application.
3. Business Continuity and Disaster Recovery Planning
– After a disaster, the enterprise can continue to operate, and the business interruption time after the disaster is expected to be shortened.
CISSP includes ten domains (cont.)
4. Cryptography
– Modern cryptography intersects the disciplines of
mathematics, computer science, and engineering.
Applications of cryptography include ATM cards, computer
passwords, and electronic commerce.
5. Information Security Governance & Risk
Management
– Comprehensive management of the information used by an organization, in order to protect that information properly.
– Risks can come from uncertainty in financial markets, project failures, credit risk, accidents, natural causes and disasters, as well as deliberate attacks from an adversary.
CISSP includes ten domains (cont.)
6. Legal, Regulations, Investigations and Compliance
– Laws, regulations and other legal obligations; company advisory and staff training.
Includes (1) Major Legal Systems (2) Common and Civil Law (3) Regulations, Laws and Information Security
7. Operations Security
– Operations security is a process that identifies critical information to eliminate or reduce adversary exploitation of friendly critical information.
CISSP includes ten domains (cont.)
8. Physical (Environmental) Security
– Physical security can be as simple as a locked door or as elaborate as multiple layers of armed security guards and guardhouse placement.
9. Security Architecture and Design
– A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical grounding at all.
10. Telecommunications and Network Security
– Include (1)The concept of network security and risk
(2)Business goals and network security
CISSP information security development cycle
Five processes to become a certified CISSP
1. Examination
2. Certification
3. Endorsement
4. Audit
5. Maintenance Requirements
Certified Organization
(ISC)² is the top information security certification organization. It was founded in 1989, and has now awarded the relevant certificates to more than 50,000 security experts in more than 120 countries.
(ISC)² now offers the following six kinds of certification:
Certified Organization
1. SSCP (Systems Security Certified Practitioner)
2. CAP (certification and evaluation experts)
3. CISSP (Certified Information Systems Security Professional)
4. CISSP-ISSAP (Information Systems Security Architecture Expert), an upgraded version of the CISSP
5. CISSP-ISSMP (Information Systems Security Management Specialist)
6. CISSP-ISSEP (Information Systems Security Engineering Expert)
ISO 27000-series
--Information security
management systems (ISMS)
961748 許逸民
What is ISO 27000-series
• The ISO/IEC 27000-series comprises
information security standards published jointly
by the International Organization for
Standardization(ISO) and the International
Electrotechnical Commission (IEC).
• The series provides best practice
recommendations on information security
management, risks and controls within the
context of an overall Information Security
Management System (ISMS).
ISMS implementation and
certification process flowchart
ISO/IEC 27003
• Full name: ISO/IEC 27003 — Information security management system implementation guidance
• The purpose of ISO/IEC 27003 is to
provide help and guidance in
implementing an ISMS (Information
Security Management System).
How to Implement an ISMS
1. Obtaining management approval for initiating
an ISMS project. (Chapter 5 in ISO/IEC 27003)
2. Defining ISMS scope, boundaries and ISMS
policy. (Chapter 6)
3. Conducting information security requirements
analysis. (Chapter 7)
4. Conducting risk assessment and planning risk
treatment. (Chapter 8)
5. Design the ISMS. (Chapter 9)
1.Obtaining management approval
for initiating an ISMS project
• Clarify the organization’s priorities to
develop an ISMS.
• Define the preliminary ISMS scope.
• Create the business case and the project
plan for management approval.
2.Defining ISMS scope,
boundaries and ISMS policy
• Define organizational scope and
boundaries.
• Define information communication
technology (ICT) scope and boundaries.
• Define physical scope and boundaries.
• Integrate each scope and boundaries to obtain the ISMS scope and boundaries.
• Develop the ISMS policy and obtain approval from management.
3.Conducting information security
requirements analysis
• Define information security requirements
for the ISMS process.
• Identify assets within the ISMS scope.
• Conduct an information security
assessment.
4.Conducting risk assessment and
planning risk treatment
• Conduct risk assessment.
• Select the control objectives and controls.
• Obtain management authorization for
implementing and operating an ISMS.
5.Design the ISMS
• Design organizational information security.
• Design ICT and physical information
security.
• Design ISMS specific information security.
• Produce the final ISMS project plan.
ISO/IEC 27001
• Full name: ISO/IEC 27001 — Information
security management systems —
Requirements
ISO 27001 Audit Process
Stage 1: Informal Review of ISMS
Stage 2: Formal Compliance Audit
Stage 3: Follow-up Reviews
Audit Process: Stage1
• Stage 1 is a preliminary review of the
ISMS.
• This stage serves to familiarize the
auditors with the organization.
Audit Process: Stage2
• Stage 2 is a more detailed and formal
compliance audit, independently testing
the ISMS against the requirements
specified in ISO/IEC 27001.
• Passing this stage results in the ISMS
being certified compliant with ISO/IEC
27001.
Audit Process: Stage3
• Stage 3 involves follow-up reviews or
audits to confirm that the organization
remains in compliance with the standard.
• Certification maintenance requires periodic
re-assessment audits to confirm that the
ISMS continues to operate as specified
and intended. These should happen at
least annually.
ISMS Certification/Consulting
• Certification:
Bureau of Standard, Metrology &
Inspection, M.O.E.A., R.O.C.
• Consulting:
– CHYUN-HUNG INTERNATIONAL BUSINESS
CO., LTD.
– ETBEST INTERNATIONAL Co. Ltd.
BS 25999
Business Continuity
Management
Reference number
BS 25999-2:2007
©BSI 2007
961717 蕭宇婷
What is BS 25999?
Definition:
BS 25999 is British Standards Institution's
standard in the field of Business Continuity
Management. The standard establishes
the process, principles and terminology of
BCM.
BS 25999(I)
1. BS 25999 aims to achieve:
• Provides a basis for understanding business continuity management.
• Provides a means of measurement that is consistent and recognized.
• Provides a system based on established good practice.
BS 25999(II)
2. BS 25999 comprises two parts.
• The first part of BS 25999 (BS 25999-1:2006) was published by the British Standards Institution in December 2006.
• The second part of BS 25999 (BS 25999-2:2007) was published in November 2007.
BS 25999-1:2006
a. The first, "BS 25999-1:2006
Business Continuity
Management. Code of Practice",
takes the form of general
guidance and seeks to establish
processes, principles and
terminology for Business
Continuity Management.
BS 25999-2:2007
b. The second, "BS 25999-2:2007
Specification for Business Continuity
Management", specifies requirements for
implementing, operating and improving a
documented Business Continuity
Management System (BCMS), describing
only requirements that can be objectively
and independently audited.
PLAN-DO-CHECK-ACT model
The Process of BS 25999-2:2007(I)
1. Planning the Business Continuity Management System. (PLAN)
• The first step requires that the organization defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined.
• Also establish business targets, controls, processes and procedures.
The Process of BS 25999-2:2007(II)
2. Implementing and Operating the BCMS.
(DO)
a. Internal Audit
• If the organization already has an internal
audit function it may make sense to utilize
the processes and procedures already being
used.
• Even personnel not specifically trained in business continuity may be used, as internal audit should be an objective process.
The Process of BS 25999-2:2007(III)
b. Management Review
• Management review would ordinarily be
an annual exercise involving review of
internal and external audit activity,
resources and other inputs and outputs.
• The overall objective of the management
review is to determine if the BCMS
continues to meet the organizations needs.
• A management review may also take
place in light of significant organizational
change.
The Process of BS 25999-2:2007(IV)
3. Monitoring and Reviewing the BCMS. (CHECK)
• To ensure that the BCMS is continually monitored, the Check stage covers internal audit and management review of the BCMS.
• Developing and implementing a BCM response, including incident management structures, incident management and business continuity plans.
The Process of BS 25999-2:2007(V)
4. Maintaining and Improving the
BCMS.(ACT)
• To ensure that the BCMS is both maintained
and improved on an ongoing basis this step
looks at preventative and corrective action.
• The standard requires that organizations
continually improve the general effectiveness
of the BCMS with a mixture of both
preventative and corrective actions.
The Process of BS 25999-2:2007(VI)
• Preventative and corrective actions are
identified by a range of activities such as
audits, event analysis or management
reviews.
• They have to be formally recorded and
acted upon and these records held for
inspection.
The Process of BS 25999-2:2007(VII)
• Exercising, maintenance, audit and self-assessment of the BCM culture.
• Without testing the BCM response an
organization cannot be certain that they
will meet their requirements.
• Exercise, maintenance and review
processes will enable the business
continuity capability to continue to meet
the organizations goals.
The Process of BS 25999-2:2007(VIII)
Conclusion:
The general requirement of the standard is that the organization, fairly obviously, develops, implements, maintains and improves a business continuity management system in line with the familiar PLAN-DO-CHECK-ACT model.
ISO/IEC 12207
software lifecycle processes
Reference Number :
ISO/IEC 12207:2008
©ISO 2008
961741 江柏緯
What is ISO/IEC 12207?
Definition
ISO 12207 is an ISO standard for
software lifecycle processes. It aims to
be the standard that defines all the tasks
required for developing and maintaining
software.
Five Processes of ISO/IEC 12207
1. Acquisition Process
2. Supply Process
3. Development Process
4. Operation Process
5. Maintenance Process
Acquisition Process (I)
• Start acquisition:
The need is described: why to acquire, develop, or enhance a product;
System requirements are defined and approved if applicable;
Evaluation of other options, like a purchase of an off-the-shelf product or enhancement of an existing product;
……
Acquisition Process (II)
• Request for proposal preparation:
• Prepare Contract:
The selection procedure for suppliers is developed;
Suppliers are selected based on the developed selection procedure;
The tailor-made ISO/IEC 12207 standard must be included in the contract;
Acquisition Process (III)
• Negotiate changes
Negotiations are held with the selected suppliers.
• Update contract
The contract is updated with the result from the negotiations in the previous activity.
• Supplier monitoring
The activities of the suppliers are monitored according to the agreements made.
• Acceptance and completion
Supply Process
• In the supply phase, a project management plan is developed.
• This plan contains information about the project, such as the different milestones that need to be reached.
• This project management plan is needed during the next phase, which is the development phase.
Development Process (I)
• Define software requirements:
Gather the software requirements, or demands, for the product that is to be created.
• Create High level design:
A basic layout of the product is created.
• Create Module design:
Development Process (II)
• Coding
The code is created according to the high level design and the module design.
• Execute Module test
The different modules are tested for correct functioning.
• Execute Integration test
The communication between modules is tested for correct functioning.
• Execute System test
This test checks whether all software requirements are present in the product.
Operation & Maintenance Process
• The operation phase consists of activities like assisting users in working with the created software product.
• The maintenance phase consists of maintenance tasks to keep the product up and running.
ISO 20000 Information Technology Service Management
961720 顏伯旭
What is ISO/IEC 20000?
ISO / IEC 20000 is the first worldwide standard specifically aimed at
IT Service Management. It describes an integrated set of
management processes for the effective delivery of services to the
business and its customers.
ISO / IEC 20000 is aligned with and complementary to the process
approach defined within ITIL from the Office of Government
Commerce (OGC).
ISO/IEC 20000 consists of two parts:
1. ISO/IEC 20000-1:2005
2. ISO/IEC 20000-2:2005
ISO / IEC 20000-1:2005
ISO / IEC 20000-1:2005 is the formal Specification and defines the
requirements for an organisation to deliver managed services of an
acceptable quality for its customers. The scope includes:
• Requirements for a management system;
• Planning and implementing service management;
• Planning and implementing new or changed services;
• Service delivery process;
• Relationship processes;
• Resolution processes;
• Control processes; and
• Release processes
ISO / IEC 20000-2:2005
ISO / IEC 20000-2:2005 is the Code of Practice and
describes the best practices for Service Management
processes within the scope of ISO / IEC 20000-1. The
code of Practice will be of particular use to organisations
preparing to be audited against ISO / IEC 20000 or
planning service improvements.
ISO 20000 Service Management Processes
ISO 20000 Service Management
Processes(2)
ISO 20000 includes 13 processes, with an emphasis on a continuous improvement process.
Service delivery
- Service level management - To negotiate Service Level
Agreements with the customers and to design services in accordance with
the agreed service level targets. Service Level Management is also
responsible for ensuring that all Operational Level Agreements and
Underpinning Contracts are appropriate, and to monitor and report on
service levels.
- Capacity management - To ensure that the capacity of IT services
and the IT infrastructure is able to deliver the agreed service level targets in
a cost effective and timely manner. Capacity Management considers all
resources required to deliver the IT service, and plans for short, medium
and long term business requirements.
ISO 20000 Service Management
Processes(3)
- Continuous Service Improvement - Planning, implementing and improving the service management system should follow the "planning, implementation, inspection and improvement" loop, a continuous spiral process that keeps improving the effectiveness of the monitoring and management system. This PDCA process of continuous improvement is consistent with the principles of quality control.
- Security Management - Includes the security controls that are implemented and maintained to address the impact and likelihood of incidents at various stages. Services are planned to identify, control, and protect assets used in connection with the storage, transmission, and processing of information.
- Budgeting & Accounting - To manage the service provider's budgeting, accounting and charging requirements.
ISO 20000 Service Management
Processes(4)
- Service reporting -
Control
- Change Management - One of the ITIL processes. Change management controls and manages IT-related change so that its impact on the production environment and the associated risk are minimized, thereby enhancing the overall stability of the IT environment.
- Configuration Management
One of the ITIL processes, configuration management is responsible for the description, tracking and reporting of all IT infrastructure, for each device or system in the management processes. These devices and systems are called configuration items (CI). Each CI is effectively managed, tracked and controlled to support the company's IT infrastructure services and keep them running successfully.
ISO 20000 Service Management
Processes(5)
Release
- Release Management
One of the ITIL processes, release management uses standardized methods and procedures to plan and monitor the deployment and release of new services (including software and hardware), improving the go-live success rate and reducing possible problems and risks.
Resolution
- Incident Management
One of the ITIL processes, Incident Management is responsible for handling IT incidents and user requests. It is designed to quickly restore interrupted or affected IT services; its purpose is to deal with the observed symptoms, rather than to find the root cause.
ISO 20000 Service Management
Processes(6)
- Problem Management
One of the ITIL processes, problem management is responsible for resolving major incidents, or groups of incidents with the same symptoms. Its purpose is to identify the root causes of the incidents and, by removing the root causes, to prevent similar incidents from happening again. At the same time, the problem management process is also responsible for preventing incidents.
Relationship
- Supplier management
To ensure that all contracts with suppliers support the needs of the business, and that all suppliers meet their contractual commitments.
- Business Relationship Management
To decide on a strategy to serve customers, and to develop the service provider's offerings and capabilities.
ISO 20000 Verification process
ISO 20000 Verification process
(step1)
Step 1: Prepare
• Know the meaning of the certification
• Determine the scope of IT Service Management certification
• Establish the vision; decide the aspects and the order of the service management improvement
• Determine the expected benefits from each part
• Understand the comprehensive content of the certification and its effect on individuals and the organization
• Access to information: exchange experiences with similar organizations, and consult with consultants, training providers and forums
• Get the support of senior managers
• Get knowledge of ITIL and ISO 20000
• Choose a certification agency and confirm the scope of the audit
ISO 20000 Verification process
(step2)
Step 2: Initial assessment and plan development
• Carry out a preliminary assessment and a gap analysis; determine the areas of improvement; manage the risk in the process of certification.
• Formulate an overall plan; get the support and commitment of the related parties.
ISO 20000 Verification process
(step3)
Step 3: Narrow the gap
• Establish a service management improvement plan (use PDCA)
• Assess based on ISO 20000 (《服務管理規範》, the Service Management Specification)
• Use ISO 20000 and ITIL to develop the service management policies, processes and procedures
• Implement the service management processes
• Periodic inspection and review
WHAT is PDCA?
P(Plan)
D(Do)
C(Check)
A(Action)
ISO 20000 Verification process
(step4)
Step 4: Prepare for the certification audit
• If necessary, contact the certification agency to do an internal audit, and schedule the formal review
• Exchange opinions fully with the certification agency to establish a common understanding of the scope and the content of the audit
• Prepare the "evidence" for the audit, for example documentation and records
ISO 20000 Verification process
(step5)
Step 5: Certification audit
A typical certification audit includes:
• The provision of the reference and the scope of the audit
• The assessment of the documentation and processes (off-site)
• The audit of staff and processes (on-site)
• The statement of the audit results
If the system achieves the ISO 20000 system requirements, the certification statement is issued and the ISO 20000 certificate is awarded.
ISO 20000 Verification process
(step6)
Step 6: Maintain
The certification is valid for three years, so a comprehensive certification audit is needed every three years. The certification agency performs a "surveillance audit" every year to ensure the quality of the certification and the continuous improvement of service management.
ISO 20000 Certification Award
Certification Institutions
BSI
BSI is a leading global provider of
standards, management systems, business
improvement and regulatory approval
information.
ISO/IEC 38500
Corporate Governance of
Information Technology standard
Reference number
ISO/IEC 38500:2008(E)
© ISO/IEC 2008
961747 游原丞
What is ISO/IEC 38500
Corporate governance of information
technology standard
Provides a framework for effective
governance of IT to assist organizations
to understand and fulfill their legal,
regulatory, and ethical obligations in
respect of their organizations’ use of IT.
Objectives
• Provide a framework of principles for Directors to use when evaluating, directing and monitoring the use of IT in their organizations.
• Assuring stakeholders that they can have confidence in the organization's corporate governance of IT.
• Informing/guiding Directors in governing the use of IT in their organization.
• Providing a basis for objective evaluation of the corporate governance of IT.
• Also intended to guide those involved in designing and implementing the management system of those policies and processes that support governance.
Framework for Good Corporate
Governance of IT
Principles: guide decision making (what should happen)
6 principles for good corporate governance of IT
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human Behavior
The six principles (1)
• Principle 1: Responsibility
Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT.
• Principle 2: Strategy
The organization’s business strategy takes into account the current and future capabilities of IT.
• Principle 3: Acquisition
IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making.
The six principles (2)
• Principle 4: Performance
IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
• Principle 5: Conformance
IT complies with all mandatory legislation and regulations.
• Principle 6: Human Behavior
IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the ‘people in the process’.
Model
Directors should govern IT through
three main tasks:
a) Evaluate the current and future use
of IT.
b) Direct preparation and
implementation of plans and policies
to ensure that use of IT meets
business objectives.
c) Monitor conformance to policies,
and performance against the plans.
Model for Corporate Governance of IT
Evaluate
• Directors should examine and make judgment on the current and future use of IT.
• Directors should consider the external or internal pressures acting upon the business, such as technological change, economic and social trends, and political influences.
• Directors should undertake evaluation continually, as pressures change.
• Directors should take account of both current and future business needs.
Direct
• Directors should assign responsibility for, and direct preparation and implementation of, plans and policies.
• Directors should ensure that the transition of projects to operational status is properly planned and managed.
• Directors should encourage a culture of good governance of IT in their organization by requiring managers to provide timely information, to comply with direction and to conform with the six principles of good governance.
• If necessary, directors should direct the submission of proposals for approval to address identified needs.
Monitor
• Directors should monitor, through appropriate
measurement systems, the performance of IT.
They should reassure themselves that
performance is in accordance with plans,
particularly with regard to business objectives.
• Directors should also make sure that IT
conforms with external obligations (regulatory,
legislation, common law, contractual) and
internal work practices.
Guidance for the corporate governance of IT
• Principle 1: Responsibility
a. Evaluate
Directors should evaluate the options for assigning
responsibilities in respect of the organization’s current and
future use of IT.
b. Direct
Directors should direct that plans be carried out according to
the assigned IT responsibilities.
c. Monitor
Directors should monitor that appropriate IT governance
mechanisms are established.
Guidance for the corporate governance of IT (cont.)
• Principle 2: Strategy
a. Evaluate
Directors should evaluate developments in IT and business
processes to ensure that IT will provide support for future
business needs.
b. Direct
Directors should direct the preparation and use of plans and
policies that ensure the organization does benefit from
developments in IT.
c. Monitor
Directors should monitor the progress of approved IT
proposals to ensure that they are achieving objectives in
required timeframes using allocated resources.
Guidance for the corporate governance of IT (cont.)
• Principle 3: Acquisition
a. Evaluate
Directors should evaluate options for providing IT to realize
approved proposals, balancing risks and value for money of
proposed investments.
b. Direct
Directors should direct that IT assets (systems and
infrastructure) be acquired in an appropriate manner.
c. Monitor
Directors should monitor IT investments to ensure that they
provide the required capabilities.
Guidance for the corporate governance of IT (cont.)
• Principle 4: Performance
a. Evaluate
Directors should evaluate the risks to continued operation of
the business arising from IT activities.
b. Direct
Directors should ensure allocation of sufficient resources so
that IT meets the needs of the organization, according to the
agreed priorities and budgetary constraints.
c. Monitor
Directors should monitor the extent to which IT does support
the business.
Guidance for the corporate governance of IT (cont.)
• Principle 5: Conformance
a. Evaluate
Directors should regularly evaluate the organization’s internal
conformance to its system for Governance of IT.
b. Direct
Directors should direct that all actions relating to IT be ethical.
c. Monitor
Directors should monitor IT compliance and conformance
through appropriate reporting and audit practices, ensuring
that reviews are timely, comprehensive, and suitable for the
evaluation of the extent of satisfaction of the business.
Guidance for the corporate governance of IT (cont.)
• Principle 6: Human Behavior
a. Evaluate
Directors should evaluate IT activities to ensure that human
behaviors are identified and appropriately considered.
b. Direct
Directors should direct that IT activities are consistent with
identified human behavior.
c. Monitor
Directors should monitor IT activities to ensure that identified
human behaviors remain relevant and that proper attention is
given to them.
ISO 15288
The System Life Cycle Process standard for the 21st century
S971715 范雋彥
Key business domains
• Aerospace
• Telecommunications
• Transportation systems
• Military systems
• Ship building
• Finance and Administrative systems
• Information Technology systems
ISO 15288 Scope
• ISO/IEC 15288 establishes a common
framework for describing the life cycle of
systems created by humans. It defines a
set of processes and associated
terminology. These processes can be
applied at any level in the hierarchy of a
system’s development.
Use of ISO 15288
• Acquisition model
• Supplier management
• Supply model
• Development
• Risk reduction
• Organizational development
• Professional development
• Process improvement program
Example of life cycle stages, objectives and decisions
Concept
Decisions: identify stakeholders’ need; explore concept; propose viable solutions
• The outcomes of the concept stage should provide:
1. identification of new system concepts;
2. assessment of system concepts and solutions
(including enabling systems);
3. stakeholder requirements preparation and baselining
(technical and usability specifications for the selected
system concept);
4. identification of the enabling systems infrastructure.
Development
Decisions: refine system requirements; determine system components; build system
• The Development stage is based on the
refined objectives and requirements from
the previous stage. During this stage the
system software and hardware, computers,
personnel, production capability, training,
support and facilities are determined,
analysed, designed, fabricated, integrated,
tested and evaluated.
Production
Decisions: verify and validate system; mass produce system; inspect and test
• During this stage the system product will be (individually or
mass) produced. The product may go through redesigns and
enhancements.
• The Production stage starts with the approval to produce the
system product for the acquirer or the market. It may continue
through the remainder of the life cycle. The purpose is to
produce the system product(s) and the enabling system
products. In addition, it aims to store, deliver, and install the
product(s) as needed by the acquirer/market.
Utilization
Decision: operate system to satisfy users’ need
• This stage includes the processes involved in the use
of the system's products in order to provide services,
monitor performance and identify and report
anomalies. The response to the problems may range
from no action through to minor changes, major
(permanent) modifications, and end-of-life retirement.
• The purpose of this stage is to operate and use the
system products and services within specified
environments and to ensure constant operational
effectiveness.
Support
Decisions: operating the support system; providing support services; monitoring performance
• This stage includes operating the support system
and providing support services to users of the
operational system, monitoring performance of the
support system and services and reporting of
anomalies, failures and deficiencies.
• The purpose of this stage is to provide logistics,
maintenance and support services to ensure
sustained system operation and suitable service.
Retirement
Decisions: operating the retirement system; monitoring the retirement system; reporting failure
• The purpose is to remove the system and
related operational and support services
and to operate and support the retirement
system.
CMMI
Capability Maturity Model
Integration
971704 黃馨儀
Date: 2010/05/30
What is Capability Maturity Model
Integration? (CMMI)
Definition
• A process improvement approach
• Helping organizations improve their
performance.
• Guiding process improvement across a
project, a division, or an entire organization.
CMMI Staged Maturity Levels
• Level 1 – Initial.
– The software process is characterized as ad
hoc, and occasionally even chaotic.
• Level 2 – Repeatable.
– Basic project management processes are
established to track cost, schedule, and
functionality.
CMMI Staged Maturity Levels
• Level 3 – Defined.
– Use an approved, tailored version of the
organization's standard software process for
developing and maintaining software.
• Level 4 – Managed.
– Detailed measures of the software process
and product quality are collected.
CMMI Staged Maturity Levels
• Level 5 – Optimizing.
– Continuous process improvement is enabled
by quantitative feedback from the process and
from innovative ideas and technologies.
The CMMI Staged Model
• The model has several nested components.
• It is described below with the help of an
example from the Requirements Management
process area.
CMMI Staged Model
CMMI Implementation Steps
• 1. Secure Sponsorship and Funding.
– Ensure that your process improvement
program has a senior management sponsor
and funding.
• 2. Take Core Training.
– To understand basic concepts of the CMMI
Product Suite, attend the appropriate CMMI,
Version 1.2 course.
CMMI Implementation Steps
• 3. Prepare Your Organization for Change.
– Treat process improvement as a project.
Establish the business reasons and the
business goals for the effort.
• 4. Form a Process Group.
– This group coordinates process improvement
activities across the enterprise and exists for
the duration of the process improvement
activity.
CMMI Implementation Steps
• 5. Know Where You Are.
– Determine how your processes compare to
CMMI model practices using an ARC Class C
compliant appraisal method.
• 6. Know Where You Are Going.
– Using the same format as the picture of where
you are, create a picture of where you want to
be.
CMMI Implementation Steps
• 7. Communicate and Coordinate.
– Share the plan with everyone who will be
affected and listen to their comments.
• 8. Track Your Progress.
– Compare the picture of where you are to the
one of where you want to be. The difference is
the focus of your process improvement
program.