"The world must actually be such as to generate ignorance and inquiry; doubt and hypothesis, trial and temporal conclusions... The ultimate evidence of genuine hazard, contingency, irregularity and indeterminateness in nature is thus found in the occurrence of thinking."
- John Dewey (1958)[i]
The software enterprise consists of a vast forest of applications, each serving its own genus and function, each program and system maintaining its relevant business function. This “ecosystem” has many dependent factors; however, it is usually a homogeneous environment, where most systems within an organization are similar in nature or utilize a similar base computing system to ensure that function and form are not chaotic.
To take an organization that has a “chaotic” environment and standardize it is to undergo the process of maturity: the cyclical process of auditing software and hardware against existing standards, determining which gaps, if any, exist, and what is required to remedy them.
The key aspects to consider in organizing the software enterprise are to determine which standards and guidelines may add value to the organization and to develop a plan to implement them, using or devising road maps to apply those standards through formal methodologies such as CoBIT from ISACA (ISACA, 2010)[ii].
CoBIT is a methodology used to manage methodologies; an example would be to formally apply the CMMI from the SEI to an organization to determine its maturity levels and gaps. The CMMI is available free of charge from the SEI at Carnegie Mellon and incorporates many of the standards and processes from Six Sigma. The CMMI is a collection of best practices (SEI, n.d.)[iii], so, given that it is a collection of what can be done, determining what must be done is a matter of business practice in gap assessment and impact assessment, as well as risk assessments and value assessments for the organization's core business practices. The CMMI-DEV would apply if the organization is a development house; the CMMI-SVC may apply if the organization offers services.
In addition to utilizing methodologies to adopt standards, we would also need to consider which standards we must adopt to reduce chaos. The ISO standard for software development quality assurance is 9000-3; the current iteration of this standard is entitled ISO 90003:2004 and is available from the ISO/IEC (ISO, 2004)[iv]. Other relevant standards include IEEE 12407 and ISO/IEC 15504 for quality assurance plans, and ISO 27001 and ISO 27002 to improve the organization's security stance.
Standardization is one method to ensure that a software enterprise is producing quality, secure software of great value, but it cannot do this without an enterprise project management office in place to ensure that the desired standards are being met with their current versions or methods. Thus we must also ensure that project management methods are being observed, such as the broad adoption of an SDLC.
In addition to the above formal methods, there is also the question of good “due care” as defined by (ISC)2 (Tipton, 2010)[v]. Is the corporation or organization engaged in planning for business continuity? For disaster recovery and availability requirements? Are all of these formally defined and understood by both the executive and the employees of all departments, not limited to just IT?
Thus the key considerations for any software enterprise are whether or not the office environment is standardized and mature. Is every desktop in the software enterprise managed by a formal methodology, including ITSM standards from ITIL as defined by the U.K. Office of Government Commerce (ITIL, OGC, 2010)[vi], such as release and problem management along with formal configuration and change management? The other common-sense consideration is: do the people, process and technology function as they should to achieve the business goals of the organization?
Now the reasons behind the adoption of standards, methods, and methodologies used to apply those standards to the software enterprise are very simple: they are industry-proven methods used to improve the value, availability and quality of the software enterprise. The people and process may be simple, the technology is complex, and the goal is to reduce the amount of chaos within the software enterprise to a manageable level that can be quantified, measured and reported upon. Not only will this increase the organization's competitiveness, it will also make it a far more secure and resilient entity; however, we are assuming that these standards, methodologies and processes are adopted and implemented with care and wisdom, as endorsed by the executive and understood by the employees.
The ecosystem in a rain forest is wonderfully diverse and very deadly. The ecosystem in a managed forest is less complex and far more habitable, as well as productive. The goal of the exercises in adopting methods and standards, by the nature of assessment and feedback, is to change the nature of the software enterprise from a risky and chaotic stance to a risk-averse and standardized one that is measurable and quantifiable in human terms.
If we are unaware of the dangers lurking in the trees, how can we ever hope to produce any paper?
Conversely, if we have diverse, separate groups of individuals formulating software projects with no oversight or consideration for goals in quality or management, how may we ever hope to maintain our level of quality or client base?
[i] Kellert, Steven H. (University of Chicago Press, 1993) In the Wake of Chaos, p. 1. ISBN: 0-226-42976-8
[ii] n.a. (ISACA, 2010) CoBIT 4.1 [Online] PDF Document. Available from: http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx (Accessed on October 16th 2011)
[iii] n.a. (Software Engineering Institute, Carnegie Mellon University, 2010) CMMI Solutions: Process Areas [Online] World Wide Web. Available from: http://www.sei.cmu.edu/cmmi/solutions/index.cfm (Accessed on October 16th 2011)
[iv] n.a. (ISO/IEC, 2005) Software engineering -- Guidelines for the application of ISO 9001:2000 to computer software [Online] PDF Document. Available from: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=35867 (Accessed on October 16th 2011)
[v] Tipton, Harold F. (Taylor & Francis, 2010) Official (ISC)2 Guide to the CISSP CBK, Second Edition, p. 266. ISBN: 978-1-4398-0959-4
[vi] n.a. (APM Group LTD. 2007) Official ITIL Website [Online] World Wide Web. Available from: http://www.itil-officialsite.com/ (Accessed on October 16th 2011)