MANAGEMENT GUIDELINES
Acquire and Implement
AI2 Acquire and Maintain Application Software

Inputs
From    Inputs
PO2     Data dictionary; data classification scheme; optimised business system plan
PO3     Regular 'state of technology' updates
PO5     Cost/benefits reports
PO8     Acquisition and development standards
PO10    Project management guidelines; detailed project plans
AI1     Business requirements feasibility study
AI6     Change process description

Outputs
Outputs                                                 To
Application security controls specification             DS5
Application and package software knowledge              AI4
Procurement decisions                                   AI5
Initial planned SLAs                                    DS1
Availability, continuity and recovery specification     DS3, DS4

RACI Chart
Functions (columns, left to right): CEO; CFO; Business Executive; CIO; Business Process Owner; Head Operations; Chief Architect; Head Development; Head IT Administration; PMO; Compliance, Audit, Risk and Security

Activities, with the RACI codes of each row listed left to right across the functions that have an entry (blank cells omitted):
• Translate business requirements into high-level design specification: C, C, A/R, R, C
• Prepare detailed design and technical software application requirements: I, C, C, C, A/R, R, C
• Specify application controls within the design: R, C, A/R, R, R
• Customise and implement acquired automated functionality: C, C, A/R, R, C
• Develop formalised methodologies and processes to manage the application development process: C, C, C, A, C, R, C
• Create a software quality assurance plan for the project: I, C, R, A/R, C
• Track and manage application requirements: R, A/R
• Develop a plan for the maintenance of software applications: C, C, A/R, C
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.

Goals and Metrics
IT Goals
• Define how business functional and control requirements are translated into effective and efficient automated solutions.
• Acquire and maintain integrated and standardised application systems.
Process Goals
• Acquire and maintain applications that cost-effectively meet the defined business requirements.
• Acquire and maintain applications in line with IT strategy and IT architecture.
• Ensure the development process is timely and cost-effective.
Activity Goals
• Translating business requirements into design specifications
• Adhering to development standards for all modifications
• Prioritising requirements based on business relevance
• Separating development, testing and operational activities
MATURITY MODEL
Management of the process of acquiring and maintaining application software that satisfies the business requirement for IT of making applications available in line with business requirements, in time and at a reasonable cost, is:

0 Non-existent when
There is no process for designing and specifying applications. Typically, applications are obtained based on vendor-driven offerings, brand recognition or IT staff familiarity with specific products, with little or no consideration of actual requirements.

1 Initial/Ad Hoc when
There is an awareness that a process for acquiring and maintaining applications is required. Approaches to acquiring and maintaining application software vary from project to project. A variety of individual solutions to particular business requirements are likely to have been acquired independently, resulting in inefficiencies with maintenance and support. There is little consideration of application security and availability in the design or acquisition of application software.

2 Repeatable but Intuitive when
There are different, but similar, processes for acquiring and maintaining applications based on the expertise within the IT function. The success rate with applications depends greatly on the in-house skills and experience levels within IT. Maintenance is usually problematic and suffers when internal knowledge has been lost from the organisation. There is little consideration of application security and availability in the design or acquisition of application software.

3 Defined Process when
A clear, defined and generally understood process exists for the acquisition and maintenance of application software. This process is aligned with IT and business strategy. An attempt is made to apply the documented processes consistently across different applications and projects. The methodologies are generally inflexible and difficult to apply in all cases, so steps are likely to be bypassed. Maintenance activities are planned, scheduled and co-ordinated.

4 Managed and Measurable when
There is a formal and well-understood methodology that includes a design and specification process, criteria for acquisition, a process for testing and requirements for documentation. Documented and agreed approval mechanisms exist to ensure that all steps are followed and exceptions are authorised. Practices and procedures have evolved to be well suited to the organisation, used by all staff and applicable to most application requirements.

5 Optimised when
Application software acquisition and maintenance practices are aligned with the defined process. The approach is component-based, with predefined, standardised applications matched to business needs. The approach is enterprisewide. The acquisition and maintenance methodology is well advanced and enables rapid deployment, allowing for high responsiveness and flexibility in responding to changing business requirements. The application software acquisition and implementation methodology has been subjected to continuous improvement and is supported by internal and external knowledge databases containing reference materials and best practices. The methodology creates documentation in a predefined structure that makes production and maintenance efficient.
Acquire and Implement
AI3 Acquire and Maintain Technology Infrastructure

HIGH-LEVEL CONTROL OBJECTIVE
Organisations should have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to the acquisition, maintenance and protection of infrastructure in line with agreed technology strategies, and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.

Control over the IT process of
Acquire and maintain technology infrastructure
that satisfies the business requirement for IT of
acquiring and maintaining an integrated and standardised IT infrastructure
by focusing on
providing appropriate platforms for the business applications in line with the defined IT architecture and technology standards
is achieved by
• Producing a technology acquisition plan that aligns to the technology infrastructure plan
• Planning infrastructure maintenance
• Implementing internal control, security and auditability measures
and is measured by
• Percent of platforms that are not in line with the defined IT

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability