Agile Software Development for IT Risk Control Professionals
Dave Friesen, CISA, CMA, CISSP
ISACA Willamette Valley Chapter, January 2014
Dave Friesen 2
Today
Walk through Agile Scrum
Key practice and risk+control considerations
Dave Friesen 3
Agile
source: agilemanifesto.org
Deliver early and continuously
Adapt to changes
Produce working software often
Collaborate (tech teams, +business)
Simplicity is essential
Self-organizing teams excel
Dave Friesen 4
Why Agile?
Deliver systems faster
Respond to changes
Create competitive advantage
Increase transparency
Improve quality
Dave Friesen 5
Scrum
Dave Friesen 6
Scrum has been used by
Microsoft, Yahoo, Google, Electronic Arts, IBM, Lockheed Martin, Philips, Siemens, Nokia, Capital One,
BBC, Intuit, Nielsen Media, BMC Software, Ipswitch, John Deere, Lexis Nexis, Sabre, Salesforce.com
source: mountaingoatsoftware.com
Dave Friesen 7
Scrum has been used for
Commercial software
In-house development
Contract development
Fixed-price projects
Financial applications
ISO 9001-certified applications
Embedded systems
24x7 systems (3 9’s)
the Joint Strike Fighter
Video game development
FDA-approved, life-critical systems
Satellite-control software
Websites
Handheld software
Mobile phones
Network switching applications
ISV applications
source: mountaingoatsoftware.com
Dave Friesen 8
Scrum roles: the Product Owner
Drives Product vision, roadmap and business case
Defines and prioritizes Product requirements
Determines releases, sequencing
“Owns” budget
Accepts (rejects) results
Expertise?
Experience?
Dave Friesen 9
the Team
Delivers Product
Cross-functional
Self-organizing
Small (+nimble)
Collaborative
Expertise mix?
Skill+ mix?
Committed?
Dave Friesen 10
the ScrumMaster
Drives Scrum process
Removes “roadblocks”
(Not resource or project manager)
Goal: Make Team successful
Dave Friesen 11
Scrum approach: work in Sprints
Iterative design, code/configure, test
Typically 2-4 weeks
Fixed duration (never extended)
No changes!
Goal: Working software
Dave Friesen 12
Sprints vs. Releases
Dave Friesen 13
Context: Product Planning
Product vision, roadmap
Business drivers, goals
Business case
Needs, features
Financial, people
Portfolio, release views
Sizing...
Product “ownership?”
Strategic? (business, tech)
Dependencies?
Dave Friesen 14
the Product Backlog
All expected Product work
Functional requirements
Operational requirements
Known issues
Sized as possible
Prioritized by Product Owner
Dave Friesen 15
User Stories
Discrete pieces of functionality
Written from user perspective (human or technical)
Enough detail for estimating, designing, testing
Dave Friesen 16
Sprint Planning
Product Owner and Team (ScrumMaster facilitates)
Sprint Goal
Prioritized User Stories
Technical Tasks
Dave Friesen 17
the Sprint Backlog
All expected Sprint work
Technical to-do’s
Team’s commitment
Focused on Sprint Goal
Dave Friesen 18
Tasks
Coding, configuring, testing, design, R&D, +
Typically n:1 with User Stories
Estimates
Sprint Task Board
Operational coverage?
Performance, capacity, availability?
Process considerations?
Interface controls?
Security features?
Regulatory/compliance considerations?
Consistent architecture and approach?
Dave Friesen 19
Sprint: Building the Product
Design/Coding/Configuring
Integrating
Refactoring
Writing tests
Planned feature development?
Secure development practices?
Frequent builds and integration?
Security analysis (+action)?
Usual controls: Source management; environments; +
Dave Friesen 20
Sprint: Testing
Iterative throughout Sprint
Frequent build:test ➝ rapid feedback
Validates Stories and Tasks
Goal: Build quality in
Speed of Agile
Scenario coverage?
Unit testing?
More than functional
“Enough” documentation?
Defect/issue management?
User acceptance?
Usual controls: independence, environments, +
Dave Friesen 21
Daily Scrums
ScrumMaster and Team
(others observe)
Daily stand-up (15 minutes)
Did yesterday? Doing today? Roadblocks?
(risk management)
Dave Friesen 22
Tracking Sprint Burndown
How’s the work coming?
Dave Friesen 23
Sprint Reviews
Team, ScrumMaster, Product Owner;
+ “the world”
Team demos (feedback)
Informal; time-boxed
Product Owner accepts (rejects)
(Product Backlog updated)
Dave Friesen 24
Working Software and Releases
Business readiness?
Operational readiness?
Usual controls: approvals; contingency plans;
environment/access; smoke test
Dave Friesen 25
Sprint Retrospectives
Team, ScrumMaster, Product Owner
What is/isn’t working
Accurate estimates? Complete Sprints? Release quality?
Release effectiveness?
Goal: Continuous improvement
Dave Friesen 26
and iterate
Dave Friesen 27
Agile Values
source: agilemanifesto.org (mountaingoatsoftware.com)
Individuals and interactions over Processes and tools
Working software over Comprehensive documentation
Customer collaboration over Contract negotiation
Responding to change over Following a plan
Questions?
Dave Friesen 29
Resources
www.scrumalliance.org
www.mountaingoatsoftware.com