7/27/2019 CS IT Global SD Policies Flyer e

1/2

Version V1.0, 25-JAN-2007

CREDIT SUISSEGLOBAL IT SOLUTIONDELIVERY POLICY - FLYER

INTRODUCTION

The CS Global IT Solution Delivery Policy is based on industry standards and relevant regulations.

This document defines the policy covering Solution Delivery (IT Application and Infrastructure

Development). It extends the divisional or regional lifecycle models, like "SDLC+" and "IT Project

Procedure". Adherence to the Policy will ensure the Solution Delivery projects will follow a consistent

and managed path.

The Policy has been endorsed on and signed by all members of the IT Senior Management Team.

GUIDING PRINCIPLE AND SCOPE

This policy applies to every Solution Delivery project with a planned or actual to-date total IT effort of

more than 110 person-days.

It requires a project plan which accounts for the applicable divisional or regional lifecycle model. It

requires monitoring the project execution to identify potential problems and take appropriate corrective

actions in a timely manner. It obviously also requires completion of the work defined in the plan to

accomplish the project's requirements and to deliver high-quality technology solutions to the business.

The controls specified in this document give a high-level guidance on how to follow this policy. They

may also be applied within other projects at their discretion.

GENERAL MANAGEMENT CONTROLS

The Chief Information Officer (CIO) of Credit Suisse IT owns, maintains, communicates and

enforces this policy.

The CIO will review this policy on a regular basis, or when major changes in the organizational

strategy or changes in the regulatory environment are made.

All managers shall be responsible for the compliance of their organizational units with this policy.

They shall provide the quality management resources necessary to identify non-compliances and

track their resolution to closure and they provide the project resources necessary to resolve the

said non-compliances. Managers shall regularly report to their direct managers on the resolution

of non-compliances.

The CIO of the IT business area performing the majority of the project-related development effort

shall determine the mandatory development lifecycle of a cross-business area or -regional project.Such projects shall comply to platform-specific Change Control requirements associated with the

platforms that will be impacted by components and/or systems deployed by the project.

Project managers shall bring all work packages within a projects active phase or lifecycle that

cannot be mapped to a named resource to the attention of their immediate supervisor. The

project managers immediate supervisor shall be responsible for facilitating the reconciliation of

necessary resources to planned work.

Project team members shall be trained on process, methodology and supporting tools as

required to fulfill their assigned roles.

PROJECT MANAGEMENT CONTROLS

Project managers are responsible and accountable for planning and managing the execution of

their projects.

Project managers shall define project roles and assign said roles to adequately skilled project

team members; in particular, project managers shall assign team members to fill requirements

engineering and configuration management roles.

Project managers shall define the roles and identify dedicated resources for all reviewing and

testing activities.

The progressive elaboration of requirements shall serve as an input to project planning activities,

including development of the projects work breakdown structure (WBS).

Project managers shall develop a WBS based on input from relevant project team members and

stakeholders.

They shall decompose the WBS to a level that enables reasonable effort, cost and scheduling

estimates to be made.

Project managers shall develop a project schedule based on input from relevant project team

members and stakeholders. They shall ensure that the schedule is traceable to the WBS.

Project teams shall maintain a list of planned and/or completed external acquisitions including

products, components, and services.

If acquisition alternatives exist, relevant stakeholders shall establish and confirm selection criteria

prior to the final selection of any supplier and/or product. Project teams shall plan for the integration of acquired products with respect to: 1. transfer of

the product to the project; 2. training; and, 3. maintenance and support.

Project managers may initially map each work package in the WBS to a responsible genericrole, but they must map all work packages that are due to be completed within the projects

active or current lifecycle phase to a named human resource who shall be responsible for

delivery of said work package.

Project managers shall create and maintain a project communications plan that details project

stakeholders' responsibilities to the project, and also details project stakeholders'

communication preferences.

Project managers shall maintain a quality assurance plan, including effort estimation for all

reviewing and testing activities.

Project managers shall obtain commitment to the WBS and the project schedule from team

members and providers of resources.

Project managers shall document supplier and/or product selections.

Documentation shall include the following: 1. a list of possible suppliers, 2. selection criteria,

and, 3. evaluation results and rationale behind the decision made.

Project managers shall document formal agreements for each project-related external

acquisition.

For acquisitions that are critical for the success of the project, agreements shall include the list

of deliverables and the respective acceptance criteria, a breakdown of effort and/or cost, a

schedule, and a list of risks and respective mitigation plans.

7/27/2019 CS IT Global SD Policies Flyer e

2/2

Version V1.0, 25-JAN-2007

CREDIT SUISSEGLOBAL IT SOLUTIONDELIVERY POLICY - FLYER

Project managers shall track progress of internal and external suppliers regularly, at least

monthly. This includes milestone tracking and progress reviews.

In case of significant deviations from the agreed plan the project teams shall take appropriate

corrective actions.

Project managers shall develop and maintain a list of project risks based on input from relevant

project team members and stakeholders.

They shall document a mitigation plan for all risks that are deemed to pose a serious threat.

The projects senior stakeholders shall review and approve this plan in advance so that the plan

can be acted upon should the risk manifest into an issue requiring resolution.

Project managers shall lead a project status meeting involving all key project stakeholders no less

than once a month.

At a minimum, the following items will be discussed: 1. changes to project scope; 2. progress

against the current monthly milestone; 3. progress against the overall schedule; 4. project risks;

5. project issues; 6. resource demand versus resource availability or capacity; and, 7. updates to

the project communications plan.

Project managers shall maintain copies of the meeting agendas, attendance records and minutes

of said meetings.

Project managers shall hold one-on-one project status meetings with their immediate supervisor

no less than once a month.

Project managers shall maintain copies of the meeting agendas and minutes of said meetings.

Project teams shall conduct reviews to ensure the consistency of work products and deliverablesand the completion of significant milestones such as phase exits and major deployments.

Project managers shall document the results of the review along with action items and decisions.

APPLICATION AND INFRASTRUCTURE DEVELOPMENT CONTROLS

Designated project team members shall ensure that the requirements received or generated by

the project are gathered and documented and a unique identifier is assigned to each

requirement.

Designated project team members shall analyze and negotiate requirements with the

requirements providers and the project team in order to obtain a common understanding and

agreement. They shall document commitments and decisions.

They shall negotiate changes to existing commitments before project participants commit to the

requirements.

The project sponsor shall sign-off the requirements.

Project teams shall follow a communicated project change request procedure for all changes to

agreed requirements and log all requirements changes.

They shall analyze the impact of requirements changes on commitments, project plans and work

products.

For approved requirements changes the project manager shall update the project plans and work

products accordingly.

Project teams shall verify the project plan and all work products against the agreed requirements

on a regular basis and initiate corrective actions if appropriate.

Designated project team members shall establish and maintain a list of select configuration items

and place them under configuration management including version control.

Project teams must document changes to configuration items and baselines.

Project teams shall create, document, and release baselines of configuration items for project

internal use and for delivery to the project's customers.

Project teams shall systematically record, control and track project change requests to closure

according to the project's change request procedure.

Project teams shall record, control and track changes due to defects.

Project teams shall analyze and document the impact of project change requests on

configuration items.

Project teams shall determine which products or components will be purchased, reused or

developed. They shall conduct the make-or-buy decision using an appropriate evaluation

approach.

Project teams shall develop and maintain technical documentation throughout the entire lifecycle

of the product or component. They shall update technical documentation to reflect any changes

in the system.

Project teams shall develop and maintain appropriate documentation for installation, ongoing

operational support and maintenance tasks to be performed for the developed system, as well

as user documentation and/or online help.

Designated project team members shall perform tests and reviews to verify that functional and

non-functional requirements as well as business objectives are met. This includes user and

operational requirements.

Designated project team members shall review system designs against functional and non-

functional requirements, especially performance, security and control requirements.

Designated project team members shall ensure that production environments are at least

logically segregated from development and testing environments.

Designated project team members shall perform unit testing and system testing for each module

or application.

Acceptance testing shall be performed and the test results shall be documented and retained.

There shall be formal confirmation that testing has been performed according to the test plan.

The sponsor, or the person responsible for the project within the client's reporting line, and by

the decision body responsible for Change Control shall make "Go live" decisions for the system

based, among other criteria, on test results.