3.05 Global IT Solution Delivery Policy - Rev 1.0

7/27/2019 3.05 Global IT Solution Delivery Policy - Rev 1.0

1/8

Credit SuisseFor internal use only

1/8

P-00309Policy

CS Global IT Solution Delivery Policy

Valid from 01-OCT-2007 Version 1.0Issuing Unit KO (IT COO) Author Philippe LanducciContact KOAM, IT Methodology and Quality ManagementReferencesReplaces noneOriginal Language EnglishScope/Recipients Credit Suisse IT

SummaryThis Global IT Solution Delivery Policy defines minimum global requirements for Solution

Delivery (IT Application and Infrastructure Development). The purpose of the Policy is to ensurethat the Solution Delivery projects will follow a consistent and managed path.The Policy regulates roles and responsibilities in the area of project management, softwareengineering, and related functional management.

ChangesNone. This is a new policy.

Minimum Global StandardsThe following MGS apply to the present policy: All regulations stated in this policy:

- G_GOV-01 to G_GOV-06- G_PM-01 to G_PM-20- G_DEV-01 to G_DEV-19

shall serve as global minimum standards.


2/8

Credit SuissePolicy

CS Global IT Solution Delivery PolicyVersion 1.0

P-00309

2/8

Table of contents

1. Introduction

2. Scope

3. General Management

4. Project Management

5. Application and Infrastructure Development

6. Abbreviations and Terms

7. Change History

1. IntroductionThe CS P-00309 is based on industry standards and relevant regulations1. This documentdefines the policy covering Solution Delivery (IT Application and Infrastructure Development). Itextends the divisional or regional lifecycle models, like "SDLC+" and "IT Project Procedure". Adherence to the Policy will ensure the Solution Delivery projects will follow a consistent andmanaged path.

2. Scope

This policy applies to every Solution Delivery project with a planned or actual to-date total ITeffort of more than 110 person-days. It requires a project plan which accounts for theapplicable divisional or regional lifecycle model. It requires monitoring the project execution toidentify potential problems and take appropriate corrective actions in a timely manner. Itobviously also requires completion of the work defined in the plan to accomplish the project'srequirements and to deliver high-quality technology solutions to the business.

The controls specified in this document give a high-level guidance on how to follow this policy.They may also be applied within other projects at their discretion.

This policy is a mandatory standard for Credit Suisse IT, and does not replace any regulations or standards already in place within Credit Suisse. Business area- or region-specific policies maysupersede this standard providing they contain the full scope of the global Policy. They mayhowever be more comprehensive or specific.

1 "Capability Maturity Model Integration (CMMI"), "IT Infrastructure Library (ITIL)", "Project Management Body of Knowledge (PMBOK, Guide to)","Software Engineering Body of Knowledge (SWEBOK, Guite to)", SOX/CSG General Computer Controls (CSG GCCs).


3/8

Credit SuissePolicy


P-00309

3/8

3. General Management

Generic Practices / Institutionalization

1G_GOV-01

The Chief Information Officer (CIO) of Credit Suisse IT owns, maintains, communicatesand enforces this policy.

2G_GOV-02

The CIO will review this policy on a regular basis, or when major changes in theorganizational strategy or changes in the regulatory environment are made.

3

G_GOV-03

All managers shall be responsible for the compliance of their organizational units with thispolicy. They shall provide the quality management resources necessary to identify non-compliances and track their resolution to closure and they provide the project resourcesnecessary to resolve the said non-compliances. Managers shall regularly report to their direct managers on the resolution of non-compliances.

4G_GOV-04

The CIO of the IT business area performing the majority of the project-relateddevelopment effort shall determine the mandatory development lifecycle of a cross-business area or -regional project. Such projects shall comply to platform-specificChange Control requirements associated with the platforms that will be impacted bycomponents and/or systems deployed by the project.

5G_GOV-05

Project managers shall bring all work packages within a project s active phase or lifecyclethat cannot be mapped to a named resource to the attention of their immediatesupervisor. The project manager s immediate supervisor shall be responsible for facilitatingthe reconciliation of necessary resources to planned work.

6G_GOV-06

Project team members shall be trained on process, methodology and supporting tools asrequired to fulfill their assigned roles.

4. Project Management

Project Planning

1G_PM-01

Project managers are responsible and accountable for planning and managing theexecution of their projects.

2G_PM-02

Project managers shall define project roles and assign said roles to adequately skilledproject team members; in particular, project managers shall assign team members to fillrequirements engineering and configuration management roles.

3G_PM-03

Project managers shall define the roles and identify dedicated resources for all reviewingand testing activities.

4G_PM-04

The progressive elaboration of requirements shall serve as an input to project planningactivities, including development of the project s work breakdown structure (WBS).

5G_PM-05

Project managers shall develop a WBS based on input from relevant project teammembers and stakeholders. They shall decompose the WBS to a level that enablesreasonable effort, cost and scheduling estimates to be made.

6G_PM-06

Project managers shall develop a project schedule based on input from relevant projectteam members and stakeholders. They shall ensure that the schedule is traceable to theWBS.

7G_PM-07

Project teams shall maintain a list of planned and/or completed external acquisitionsincluding products, components, and services.

8G_PM-08

If acquisition alternatives exist, relevant stakeholders shall establish and confirm selectioncriteria prior to the final selection of any supplier and/or product.


4/8

Credit SuissePolicy


P-00309

4/8

9G_PM-9

Project teams shall plan for the integration of acquired products with respect to:1. transfer of the product to the project; 2. training; and, 3. maintenance and support.

10G_PM-10

Project managers may initially map each work package in the WBS to a responsible generic role, but they must map all work packages that are due to be completed withinthe project s active or current lifecycle phase to a named human resource who shall beresponsible for delivery of said work package.

11G_PM-11

Project managers shall create and maintain a project communications plan that detailsproject stakeholders' responsibilities to the project, and also details project stakeholders'communication preferences.

12G_PM-12

Project managers shall maintain a quality assurance plan, including effort estimation for allreviewing and testing activities.

13G_PM-13

Project managers shall obtain commitment to the WBS and the project schedule fromteam members and providers of resources.

Project Execution & Project Monitoring and Control

14G_PM-14

Project managers shall document supplier and/or product selections. Documentationshall include the following: 1. a list of possible suppliers, 2. selection criteria, and,3. evaluation results and rationale behind the decision made.

15G_PM-15

Project managers shall document formal agreements for each project-related externalacquisition. For acquisitions that are critical for the success of the project, agreementsshall include the list of deliverables and the respective acceptance criteria, a breakdown ofeffort and/or cost, a schedule, and a list of risks and respective mitigation plans.

16G_PM-16

Project managers shall track progress of internal and external suppliers regularly, at leastmonthly. This includes milestone tracking and progress reviews. In case of significantdeviations from the agreed plan the project teams shall take appropriate correctiveactions.

17G_PM-17

Project managers shall develop and maintain a list of project risks based on input fromrelevant project team members and stakeholders. They shall document a mitigation planfor all risks that are deemed to pose a serious threat. The project s senior stakeholdersshall review and approve this plan in advance so that the plan can be acted upon shouldthe risk manifest into an issue requiring resolution.

18

G_PM-18

Project managers shall lead a project status meeting involving all key project stakeholders

no less than once a month. At a minimum, the following items will be discussed:1. changes to project scope; 2. progress against the current monthly milestone;3. progress against the overall schedule; 4. project risks; 5. project issues; 6. resourcedemand versus resource availability or capacity; and, 7. updates to the projectcommunications plan. Project managers shall maintain copies of the meeting agendas,attendance records and minutes of said meetings.

19G_PM-19

Project managers shall hold one-on-one project status meetings with their immediatesupervisor no less than once a month. Project managers shall maintain copies of themeeting agendas and minutes of said meetings.

20G_PM-20

Project teams shall conduct reviews to ensure the consistency of work products anddeliverables and the completion of significant milestones such as phase exits and major deployments. Project managers shall document the results of the review along with actionitems and decisions.


5/8

Credit SuissePolicy


P-00309

5/8

5. Application and Infrastructure Development

Requirements Engineering

1G_DEV-01

Designated project team members shall ensure that the requirements received or generated by the project are gathered and documented and a unique identifier is assignedto each requirement.

2G_DEV-02

Designated project team members shall analyze and negotiate requirements with therequirements providers and the project team in order to obtain a common understandingand agreement. They shall document commitments and decisions. They shall negotiatechanges to existing commitments before project participants commit to the requirements.

3G_DEV-03

The project sponsor shall sign-off the requirements.

4G_DEV-04

Project teams shall follow a communicated project change request procedure for allchanges to agreed requirements and log all requirements changes. They shall analyze theimpact of requirements changes on commitments, project plans and work products.For approved requirements changes the project manager shall update the project plansand work products accordingly.

5G_DEV-05

Project teams shall verify the project plan and all work products against the agreedrequirements on a regular basis and initiate corrective actions if appropriate.

Configuration & Change Management6

G_DEV-06

Designated project team members shall establish and maintain a list of selectconfiguration items and place them under configuration management including versioncontrol. Project teams must document changes to configuration items and baselines.

7G_DEV-07

Project teams shall create, document, and release baselines of configuration items for project internal use and for delivery to the project's customers.

8G_DEV-08

Project teams shall systematically record, control and track project change requests toclosure according to the project's change request procedure. Project teams shall record,control and track changes due to defects.

9G_DEV-09

Project teams shall analyze and document the impact of project change requests onconfiguration items.

System Development and Implementation

10G_DEV-10

Project teams shall determine which products or components will be purchased, reused or developed. They shall conduct the make-or-buy decision using an appropriate evaluationapproach.

11G_DEV-11

Project teams shall develop and maintain technical documentation throughout the entirelifecycle of the product or component. They shall update technical documentation toreflect any changes in the system.

12G_DEV-12

Project teams shall develop and maintain appropriate documentation for installation,ongoing operational support and maintenance tasks to be performed for the developedsystem, as well as user documentation and/or online help.


6/8

Credit SuissePolicy


P-00309

6/8

Quality Assurance

13G_DEV-13

Designated project team members shall perform tests and reviews to verify that functionaland non-functional requirements as well as business objectives are met. This includesuser and operational requirements.

14G_DEV-14

Designated project team members shall review system designs against functional andnon-functional requirements, especially performance, security and control requirements.

15G_DEV-15

Designated project team members shall ensure that production environments are at leastlogically segregated from development and testing environments.

16G_DEV-16

Designated project team members shall perform unit testing and system testing for eachmodule or application.

17G_DEV-17

Acceptance testing shall be performed and the test results shall be documented andretained.

18G_DEV-18

There shall be formal confirmation that testing has been performed according to the testplan.

19G_DEV-19

The sponsor, or the person responsible for the project within the client's reporting line,and by the decision body responsible for Change Control shall make "Go live" decisions for the system based, among other criteria, on test results.


7/8

Credit SuissePolicy


P-00309

7/8

6. Abbreviations and Terms

IT-PV "IT-Projektvorgehen" (IT Project Procedure) Standard Project Lifecycle modelmandatory for medium to large development projects on CS' Swiss Banking ITPlatform.

SDLC+ Standard project lifecycle model mandatory within CS Investment Banking IT, and within Corporate Systems outside Switzerland.

WBS Work Breakdown Structure - A deliverable-oriented hierarchical decomposition ofthe work to be executed by the project team to accomplish the project objectivesand create the required deliverables. The deliverable orientation of the hierarchyincludes both internal and external deliverables.

ChangeRequest

Requests to expand or reduce the project scope, modify policies, processes, plans,or procedures, modify costs or budgets, or revise schedules. Requests for a changecan be direct or indirect, externally or internally initiated, and legally or contractuallymandated or optional. Only formally documented requested changes are processedand only approved change requests are implemented.

Configurationitem

A single product- and project-related work product or an aggregation of these, thatare designated for configuration management and seen as single entity in theconfiguration management process. Examples of configuration items aredocuments (project plan, design document, requirement specification, test concept,risk list etc.) as well as code elements.

Formalagreement

May be a contract, a license, or a memorandum of agreement between the projectand a supplier.

Projectchangerequest

A project change request is a need or request that impacts the existing baselinedproducts or components in the IT assets of the organization. It can be for examplea change in an existing baselined requirement.

Projectmanager

The person or persons responsible for carrying out the project management tasks ofa project or a program.

Significantdeviation

A deviation which, when left unresolved, may preclude the project from meeting itsobjectives.

Sponsor The customer of the project, the person who provides the budget for the project tobe executed.

For further terms and explanations, refer to the central CS IT Glossary under http://itglossary.csintra.net/glossary/


8/8

Credit SuissePolicy


P-00309

8/8

7. Change HistoryVersion Date Author, Org. Unit Status Comment / Description of changeV1.0 25-Jan-07 Ph. Landucci,

KOAMFinal Approved by the IT Senior Management

Team on January 25th, 2007.

Tom SanzoneCredit Suisse CIOsig.

Documents

3.05 Global IT Solution Delivery Policy - Rev 1.0