Agile/Scrum for IT Risk Professionals

Posted on 20-Aug-2015


Agile Software Development for IT Risk Control Professionals

Dave Friesen, CISA, CMA, CISSP

ISACA Willamette Valley Chapter, January 2014

Dave Friesen 2

Today

Walk through Agile Scrum

Key practice and risk + control considerations


Agile

source: agilemanifesto.org

Deliver early and continuously

Adapt to changes

Produce working software often

Collaborate (tech teams + business)

Simplicity is essential

Self-organizing teams excel


Why Agile?

Deliver systems faster

Respond to changes

Create competitive advantage

Increase transparency

Improve quality

Scrum

Scrum has been used by

Microsoft, Yahoo, Google, Electronic Arts, IBM, Lockheed Martin, Philips, Siemens, Nokia, Capital One

BBC, Intuit, Nielsen Media, BMC Software, Ipswitch, John Deere, Lexis Nexis, Sabre, Salesforce.com

source: mountaingoatsoftware.com


Scrum has been used for

Commercial software

In-house development

Contract development

Fixed-price projects

Financial applications

ISO 9001-certified applications

Embedded systems

24x7 systems (99.9% availability, "three nines")

the Joint Strike Fighter

Video game development

FDA-approved, life-critical systems

Satellite-control software

Websites

Handheld software

Mobile phones

Network switching applications

ISV applications

source: mountaingoatsoftware.com


Scrum roles: the Product Owner

Drives Product vision, roadmap and business case

Defines and prioritizes Product requirements

Determines releases, sequencing

“Owns” budget

Accepts (rejects) results

Expertise?

Experience?


the Team

Delivers Product

Cross-functional

Self-organizing

Small (+nimble)

Collaborative

Expertise mix?

Skill+ mix?

Committed?


the ScrumMaster

Drives Scrum process

Removes “roadblocks”

(Not a resource or project manager)

Goal: Make Team successful


Scrum approach: work in Sprints

Iterative design, code/configure, test

Typically 2-4 weeks

Fixed duration (never extended)

No changes once the Sprint starts!

Goal: Working software


Sprints vs. Releases


Context: Product Planning

Product vision, roadmap

Business drivers, goals

Business case

Needs, features

Financial, people

Portfolio, release views

Sizing . . .

Product "ownership?"

Strategic? (business, tech)

Dependencies?


the Product Backlog

All expected Product work

Functional requirements

Operational requirements

Known issues

Sized where possible

Prioritized by Product Owner


User Stories

Discrete pieces of functionality

Written from the user perspective (human or technical)

Enough detail for estimating, designing, testing


Sprint Planning

Product Owner and Team (ScrumMaster facilitates)

Sprint Goal

Prioritized User Stories

Technical Tasks


the Sprint Backlog

All expected Sprint work

Technical to-do’s

Team’s commitment

Focused on Sprint Goal

Tasks

Coding, configuring, testing, design, R&D, +

Typically n:1 with User Stories

Estimates

Sprint Task Board

Operational coverage?

Performance, capacity, availability?

Process considerations?

Interface controls?

Security features?

Regulatory/compliance considerations?

Consistent architecture and approach?

Sprint: Building the Product

Design/Coding/Configuring

Integrating

Refactoring

Writing tests

Planned feature development?

Secure development practices?

Frequent builds and integration?

Security analysis (+action)?

Usual controls: source management; environments; +

Sprint: Testing

Iterative throughout Sprint

Frequent build: test ➝ rapid feedback

Validates Stories and Tasks

Goal: Build quality in

Speed of Agile

Scenario coverage?

Unit testing?

More than functional testing?

“Enough” documentation?

Defect/issue management?

User acceptance?

Usual controls: independence, environments, +
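The "Security analysis (+action)?" and "Frequent builds and integration?" questions on the Building slide, and the "Defect/issue management?" question on the Testing slide, come down to one control: does every build run a security analysis, and does each finding either stop the build or land in the Product Backlog as a known issue? The following is an added example, not from the original slides or the presenter; it assumes a scanner that reports findings as JSON records with "id", "severity" and "location" fields, and a baseline of findings the Product Owner has already accepted into the backlog. Both the scan output and the baseline are constructed inline so the script runs offline.

```python
"""Security analysis as a per-build gate inside the Sprint.

Added example (not part of the original slides). Assumptions: the scanner
writes findings as JSON records with "id", "severity" and "location";
the baseline maps finding ids already accepted into the Product Backlog
to the backlog item that tracks them. Both are constructed samples here.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what a SAST/dependency scan might report on this build.
SCAN_OUTPUT = json.dumps([
    {"id": "SQLI-001", "severity": "high", "location": "orders/repo.py:42"},
    {"id": "HARDCODED-SECRET-007", "severity": "critical",
     "location": "config/settings.py:10"},
    {"id": "WEAK-HASH-003", "severity": "medium", "location": "auth/password.py:18"},
    {"id": "INFO-DISCLOSURE-012", "severity": "low", "location": "api/errors.py:5"},
])

# Constructed baseline: findings the Product Owner has already accepted as
# known issues, keyed by finding id, valued by the backlog item tracking them.
BASELINE = {
    "WEAK-HASH-003": "PB-118",
}


def parse_findings(raw_json):
    """Parse scanner output into (id, severity, location) tuples.

    Rejects unknown severities rather than silently ranking them low, so a
    scanner format change cannot quietly weaken the gate.
    """
    findings = []
    for rec in json.loads(raw_json):
        sev = rec["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {rec['severity']!r} for {rec['id']}")
        findings.append((rec["id"], sev, rec["location"]))
    return findings


def gate_build(findings, baseline, fail_at="high"):
    """Apply the control to one build's findings.

    - A finding already in the baseline is "tracked": it is a known issue
      with a backlog item and does not block the build.
    - A new finding at or above `fail_at` is "blocking": the build fails
      and the Team acts on it in the Sprint.
    - Any other new finding is a "backlog_candidate": it must be added to
      the Product Backlog (and, if accepted, to the baseline) before the
      next build passes silently.
    """
    threshold = SEVERITY_RANK[fail_at]
    result = {"blocking": [], "backlog_candidates": [], "tracked": []}
    for fid, sev, loc in findings:
        if fid in baseline:
            result["tracked"].append((fid, baseline[fid]))
        elif SEVERITY_RANK[sev] >= threshold:
            result["blocking"].append((fid, sev, loc))
        else:
            result["backlog_candidates"].append((fid, sev, loc))
    result["passed"] = not result["blocking"]
    return result


def run_gate(raw_json=SCAN_OUTPUT, baseline=BASELINE, fail_at="high"):
    """Parse and gate in one call; returns the verdict dict."""
    return gate_build(parse_findings(raw_json), baseline, fail_at)


if __name__ == "__main__":
    verdict = run_gate()
    status = "PASS" if verdict["passed"] else "FAIL"
    print(f"build gate: {status}")
    for fid, sev, loc in verdict["blocking"]:
        print(f"  BLOCKING  {fid} ({sev}) at {loc}")
    for fid, sev, loc in verdict["backlog_candidates"]:
        print(f"  BACKLOG   {fid} ({sev}) at {loc} -> add to Product Backlog")
    for fid, item in verdict["tracked"]:
        print(f"  TRACKED   {fid} -> {item}")
```

The baseline is the piece an auditor should look at: adding an id to it is exactly the Product Owner's "accept" decision for a security finding, so it belongs in source management with the rest of the code and its changes should show up in the Sprint Review, not be edited ad hoc to make a build go green.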


Daily Scrums

ScrumMaster and Team

(others observe)

Daily stand-up (15 minutes)

What did you do yesterday? What are you doing today? Any roadblocks?

(risk management)


Tracking Sprint Burndown

How’s the work coming?


Sprint Reviews

Team, ScrumMaster, Product Owner, + "the world"

Team demos (feedback)

Informal; time-boxed

Product Owner accepts (rejects)

(Product Backlog updated)


Working Software and Releases

Business readiness?

Operational readiness?

Usual controls: approvals; contingency plans;

environment/access; smoke test


Sprint Retrospectives

Team, ScrumMaster, Product Owner

What is/isn't working

Accurate estimates?

Complete Sprints?

Release quality?

Release effectiveness?

Goal: Continuous improvement


and iterate


Agile Values

source: agilemanifesto.org (mountaingoatsoftware.com)

Individuals and interactions over Processes and tools

Working software over Comprehensive documentation

Customer collaboration over Contract negotiation

Responding to change over Following a plan

Questions?


Resources

www.scrumalliance.org

www.mountaingoatsoftware.com