1 / Fall 2008 / EDS INTERNAL
11 April 2007
CMM, ISO, Sarbanes Oxley
CMM vs. ISODavid S. Craft CIRM, PMP
Engineering & Manufacturing Services
2 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Agenda
Who Am I - EDS
Software Systems Development
ISO
CMM
Sarbanes Oxley
3 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Who Am I
VISTA Volunteer
Industrial Engineer
Chief Industrial Engineer
Manager Production Planning & Control
Inventory Control ManagerShift Supervisor
Materials Manager
ConsultantProject Manager
Team Leader
Managing Consultant Engineering and Manufacturing ServicesApplications Service Delivery EDS
Internal ISO Auditor
4 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
5 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Process
To Develop Software and Systems You Need A Process
• Anything goes
• Defined
• Structured
6 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
7 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
8 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Process, people and technology are the major determinants of project cost,
quality and schedule.
9 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Common Misconceptions
I don’t need defined processes I have:– Really good people
– Advanced Technology
– An experienced manager
Defined Processes:– Interfere with creativity
– Equals bureaucracy + regimentation
– Isn’t needed when building prototypes
– Is only useful on large projects
– Hinders agility in fast moving projects
– Costs too much
10 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Why We Need Standard Processes
Estimating (History)• Scope
• Cost
• Time
• Tools
Deliver the Product to Estimate (Visibility)• Time
• Cost
• Quality
Handling/Controlling Changes• Planned
• Unplanned
• Scope Creep
11 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
How to Achieve Quality Processes
ISO
CMM
12 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
ISO – CMM Differences
ISO9001:2000 CMMIInternational standard, applies to all types of organizations, supports both product and service oriented organizations
Written specifically for software development companies
A brief document – about 25 pages long, identifying the minimal requirements for a quality system
A detailed document – over 500 pages long
Emphasizes on a management of continuous improvement process, based on the PDCA (Plan-Do-Check-Act) model
Emphasizes on achieving “maturity” and improving its process continuously
One level of standard. The standard is based on recommendation
Defines 5 maturity levels of the organization, covering 25 process areas (PAs)
Netta Dotan, Quality Assurance & project management, Ronkal Office Technologies
13 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
ISO – CMM Differences – My View
ISO 9000 SW-CMMIOutwardly focused Inwardly focused
Minimum requirements with implied continuous improvements
Explicit continuous quality improvement
Registration Document No documentation
Certification audit for a 50 employee organization will be executed by -12 auditors during one day
Certification audit for a 50 employee organization will be executed by 4 auditors during 4-5 days
Netta Dotan, Quality Assurance & project management, Ronkal Office Technologies
14 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Both require the organization be explicit about what their processes and quality systems are
Say what you do; do what you say
The organization records and tracks data for objective analysis
Require strong management support to succeed
Provide a structured and measured approach to quality improvement
Require an outside audit for “certification”
Both are refined/improved over time
ISO – CMM Similarities
15 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Meet ISO
ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
ISO is a network of the national standards institutes of 157 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.
Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society.
16 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
What are standards?
Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.
For example, the format of the credit cards, phone cards, and "smart" cards that have become commonplace is derived from an ISO International Standard. Adhering to the standard, which defines such features as an optimal thickness (0,76 mm), means that the cards can be used worldwide.
International Standards thus contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use.
Last modified 2002-07-17
17 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
The ISO 9000 and ISO 14000 families are among ISO's best known standards ever. ISO 9001:2000 and ISO 14001 (1996 and 2004 versions) are implemented by over 1,000,000 organizations in 161 countries.
The ISO 9000 family addresses "quality management". This means what the organization does to fulfill:
•the customer's quality requirements and •applicable regulatory requirements, while aiming to •enhance customer satisfaction, and •achieve continual improvement of its performance in pursuit of these objectives.
The ISO 14000 family addresses "environmental management". This means what the organization does to:
•minimize harmful effects on the environment caused by its activities, and to
•achieve continual improvement of its environmental performance.
ISO 9000 and ISO 14000 (Management Systems)
18 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
ISO’s ImpactIn the global economy ISO 9001:2000 and ISO 14001:2004 have become thoroughly integrated
with the world economy. ISO 9001:2000 is now firmly established as the globally accepted
standard for providing assurance about the quality of goods and services in supplier-customer relations.
The positive roles played in globalization by ISO’s standards for quality and environmental management systems include the following:
• a unifying base for global businesses and supply chains – such as the automotive and oil and gas sectors
• a technical support for regulation – as, for example, in the medical devices sector)
• a tool for major new economic players to increase their participation in global supply chains, in export trade and in business process outsourcing;
• a tool for regional integration – as shown by their adoption by new or potential members of the European Union
In the rise of services in the global economy – nearly 33 % of ISO 9001:2000 certificates in 2005 went to organizations in the service sectors.
19 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Sector Standards Pages
Generalities, Infrastructure and Sciences 1,482 54,929
Health, Safety and Environment 684 24,062
Engineering Technologies 4,659 202,370
Electronics, Information Technology and Telecommunications
2,739 181,455
Transport and Distribution of Goods 1,835 49,435
Agriculture and Food Technology 997 22,495
Materials Technology 4,166 101,731
Construction 341 12,447
Special Technologies 138 3,416
Total 17,041 652,340
Where are the Standards (12/31/07)
20 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
The ISO family includes:• ISO 9000:2000 – Quality Management Systems –
Fundamentals and vocabulary• ISO 9001:2000 – Quality Management Systems -
Requirements• ISO 9004:2000 – Quality Management Systems –
Guidelines for performance improvement• ISO 19011 – Guidelines on quality and/or environmental
management systems auditing.• ISO 10012 Measurement control system
Which ISO Standards
21 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Quality System Documentation
QualityQualityManualManual
Level 1Level 1DefinesDefines
Approach andApproach andResponsibilityResponsibility
ProceduresProceduresLevel 2Level 2DefinesDefines
Who, What, WhenWho, What, When
Work/JobWork/JobInstructionsInstructions
Level 3Level 3Answers Answers
HowHow
Records/DocumentationRecords/Documentation
Level 4Level 4Results: shows that Results: shows that
the system is the system is operatingoperating
22 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
ISO 9001:2000 Structure
4. Quality Management System4.1 General requirements4.2 Document requirements
5. Management Responsibility
5.1 Management commitment
5.2 Customer focus5.3 Quality policy5.4 Planning5.5 Responsibility, authority,
communication5.6 Management review
6. Resource Management6.1 Provision of resources6.2 Human resources6.3 Infrastructure6.4 Work environment
7. Product realization7.1 Planning of product realization7.2 Customer-related processes7.3 Design and development7.4 Purchasing7.5 Production and service provision7.6 Control of monitoring and
measuring devices
8. Measurement, Analysis & Improvement8.1 General8.2 Monitoring and measurement8.3 Control of nonconforming product8.4 Analysis of data8.5 Improvement
23 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Meet CMM
CMM – Capability Maturity Model
The Capability Maturity models have been developed by the Software Engineering Institute (SEI)
The Carnegie Mellon SEI is a federally funded (US Department of Defense) research and development center that provides the technical leadership to advance the practice of software engineering so that software intensive systems can be acquired and sustained with predictable and improved cost, schedule and quality.
24 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
25 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
SCAMPI – Standard CMMI Appraisal Method for Process Improvement
26 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
27 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Process AreasRequirements Management Organizational Process Definition
Project Planning Organizational Training
Project Monitoring & Control Integrated Project Management
Supplier Agreement Management Risk Management
Measurement & Analysis Integrated Teaming
Process & Product Quality Assurance
Integrated Supplier Management
Configuration Management Decision Analysis & Resolution
Requirements Development Organizational Environment for Integration
Technical Solution Organizational Process Performance
Product Integration Quantitative Project Management
Verification Organizational Innovation & Deployment
Validation Causal Analysis & Resolution
Organizational Process Focus
28 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
29 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
EIA – Electronic Industries Alliance Interim Standard
30 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
31 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
32 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
33 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
34 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
35 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
36 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
37 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
38 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
39 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Staged Process Area Continuous
L2 Requirements Management Engineering
L2 Project Planning Project Mgmt
L2 Project Monitoring and Control Project Mgmt
L2 Supplier Agreement Management Project Mgmt
L2 Measurement and Analysis Support
L2 Process and Product Quality Assurance Support
L2 Configuration Management Support
L3 Requirements Development Engineering
L3 Technical Solution Engineering
L3 Product Integration Engineering
L3 Verification Engineering
L3 Validation Engineering
L3 Organizational Process Focus Process Mgmt.
L3 Organizational Process Definition Process Mgmt.
L3 Organizational Training Process Mgmt.
L3 Integrated Project Management Project Mgmt
L3 Risk Management Project Mgmt
L3 Integrated Teaming Project Mgmt
L3 Integrated Supplier Management Project Mgmt
L3 Decision Analysis and Resolution Support
L3 Organizational Environment for Integration Support
L4 Organizational Process Performance Process Mgmt.
L4 Quantitative Project Management Project Mgmt
L5 Organizational Innovation and Deployment Process Mgmt.
L5 Causal Analysis and Resolution Support
CMM Process Areas
40 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Examples of CMMI Impact: ROI
5:1 ROI for quality activities (Accenture)
13:1 ROI calculated as defects avoided per hour spent in training and defect prevention (Northrop Grumman Defense Enterprise Systems)
Avoided $3.72 M in costs due to better cost performance (Raytheon North Texas Software Engineering) as the organization improved from SW-CMM level 4 to CMMI level 5
2:1 ROI over 3 years (Siemens Information Systems Ltd, India)
2.5:1 ROI over 12st year, with benefits amortized over less than 6 months (reported under non disclosure)
(reported by the American Society for Quality)
41 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Sarbanes-Oxley ImplicationsWith its more than 300 discrete points of enforceable law, this is the most significant piece of account legislation passed since the formation of the SEC in 1933
SOX was passed with the specific intent of increasing accountability and attempting to install ethical behavior in financial reporting and business operations.
With this increase spotlight on reporting, companies must invest resources and focus into their internal control process
The Act created the Public Company Accounting Oversight Board (PCAOB) to oversee the activities of the auditing profession and mandated reforms to enhance corporate and criminal fraud accountability.
A goal of SOX legislation is to continually improve the transparency of financial and business events that can impact the accuracy and future validity of financial statements. Projects to improve processes and regular review of controls will become common-place activities as compliance evolves. Tools that simplify project completion and track status will better enable organization to cost-effectively undertake these projects.
42 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
SOX Major Section
302 – Corporate Responsibility for Financial Reports• Requires Executives to certify the accuracy of corporate
financial reports
404 – Management Assessment of Internal Controls• Requires executives and auditors to confirm the
effectiveness of internal controls for financial reporting
409 – Real Time Issuers Disclose• Requires any material changes in financial state of issuer
be communicated quickly and with supporting data to the public
43 / 10 April 2007 / EDS INTERNAL
11 April 2007
CMM vs. ISO, Sarbanes Oxley
Implications for IT
Configuration management is now a must
Change controls must be handled more carefully
Security, security, security
All system changes must be verifiable by a clear audit trail
Reduce reliance on batch processing, update data warehouse more frequently
Interfaces from any financial system must be documented and controlled
IT activities must be aligned with the company’s governance and risk policies