Software & Systems Development Governance: An approach to improving Software Assurance
Sridhar Iyengar
IBM Distinguished Engineer
Topics Covered
• Introduction to Governance – Why do we care
• What does Software Assurance have to do with Governance
• Model driven tools integration across the life cycle – Enabling traceability and management of artifacts
[Diagram: "Actual Application Architecture", prepared by Michelle Mills – an enterprise application map showing EDI, a Data Warehouse, General Ledger, AP, Sales, PO Receiving, Return to Vendor, Warehouse Management, Credit, HR, Inventory Control and Accounting/Finance applications spread across mainframe, PC/NT apps, Unix apps and 3rd-party interfaces; interfaces to and from the Data Warehouse are not displayed.]
Complexity is Forcing Change
Initiatives Underway at IBM
• Outside In Design (OID) – Scenario Driven
• Componentization – exploit open source or binary components as needed; drive componentization and SOA standards
• End-to-end life cycle integration
• Move to SOA across and within products
• Model Driven Development, Deployment, Security, Management…
• Standards (UML, SysML, UML Testing Profile, MOF, XMI, RAS, SAML, XACML, WS-Security…)
• Patterns, Transformations and Recipes
Modeling Tools: Abstract modeling level
The world of many of our customers
[Diagram: roles spread across locations – Project Manager (Bangalore), Provisioning (Boulder), Testing (Toronto), Developer (Warsaw), Executive (Somers), Customer (Topeka)]
Governing a geographically distributed, service-oriented, open computing environment while ensuring regulatory compliance
TRADITIONAL: Co-located teams; Technology first; Vendor lock-in; Application silos; Project driven
CURRENT REALITY: Geographically distributed; Compliance; Open computing; Modular systems (SOA); Value driven; Right-sourcing; Standards; Solution delivery
Transforming software and systems development
Business Driven Development
Enabling organizations to govern the business process of software and systems development
Governance defined
Governance is the exercise of authority, responsibility and the communication of information
• Establishing chain of authority, accountability and responsibility
• Measurements and controls to enable people
Governance consists of
• Establishing chains of responsibility, authority and communication to empower people
• Executing measurement and control mechanisms to enable people to carry out their roles and responsibilities
Manage value
• Align business and software
• At organizational and project levels
  - Balance risk and return
  - Provide clarity and accountability
Develop flexibly
• Leverage resources anywhere
• Enable agile sourcing choices
• Use iterative processes to reduce risk
Control risk and change
• Continuously measure to reduce risk
• Enable lifecycle change management
• Meet internal and external compliance needs
Governance
Governing Development,
[Diagram: Innovation Insurance Team – roles and responsibilities]
Business Analyst: models business processes
Deployment Manager: deploys the solutions
IT Operations: maintains the data center
CSR: handles customer incident reports
Insurance Adjuster: handles claims that can be settled by phone or email
Field Adjuster: handles requests that require on-site inspection
VP of Claims: reduces cost for claims processing
VP of Development: reviews forecast vs actual and competitive products; formulates actions to address
CEO: establishes strategic goals and ensures company profitability
Integration Developer: assembles and implements solutions
CIO: responsible for technology infrastructure
Risk Analyst: analyzes, defines, and manages policies
CFO: responsible for accounting and financial
Project Manager: manages new development projects
Portfolio Manager: ensures development projects are aligned with business strategy
[Diagram: governance flows]
IMPLEMENTATION FLOW (START to END) – steps shown: Analyze policy; Policy Change; Identify requirements; Identify remediation plan (w/LOB); Prioritize projects; Estimate project costs; Initiate Project Request; Decompose projects into tasks; Generate Audit Package
PROJECT APPROVAL FLOW – steps shown: Validate plan & requirements; Approve Project; sign-off; Develop, Test Service; sign-off; Deploy, Manage Service; Manage Services
Governance layers: Operations; Development Governance; Data, Security, Strategic, Business Governance; SOA (Service) Governance; Feedback
Governance and processes are the keys to a successful transition to SOA
• Financial transparency
• Business/IT alignment
• Process control
SOA Governance Processes
• Gather requirements
• Model & simulate
• Design
• Discover
• Construct & test
• Compose
• Integrate people
• Integrate processes
• Manage and integrate information
• Protect information
• Manage applications & services
• Manage identity & compliance
• Monitor business metrics
• Integrate Custom & COTS software
Service lifecycle phases: Service Justification; Service Ownership & Funding; Service Modeling; Service Lifecycle Management; Service Operations Management
1.0 Identify Services
2.0 Identify Service Owners
3.0 Fund Services
4.0 Specify Services
5.0 Realize Services
6.0 Develop & Test Services
7.0 Deploy Services
8.0 Manage Services
9.0 Maintain Services
10.0 Manage Services Performance
11.0 Manage Service Level
Continuous Process Measurement and Management
• Decompose business process and identify services required
• Establish funding, project plans and resources
• Codify business process and enforce standards
• Develop iteratively, test to improve predictability, manage change to ensure traceability and auditability
• Monitor composite application performance and adjust
Model Driven Development & Deployment
[Diagram: Design/Build – Business Modeling (BPD, UML); IT Modeling (UML, SQL, XSD); J2EE/Web Services Development; Wrapping; Orchestration (J2EE). Run/Manage – Deployment (J2EE App Svr, Web Services); Management (Component Mgmt, App Mgmt). Standards and technologies across the stages: WSDL, SCA, XML, SPEM, BPEL, SQL, J2EE, EMF, UML2, Java, CIM, BPM, Biz Rules, C++, DCM, SAM. Traceability Links and Transformations (profiles, metamodels, Code Gen Templates) connect models, specific metadata, components and processes; models are served up on demand.]
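The lifecycle description (decompose, fund, codify, develop with traceability and auditability, monitor) and the traceability links in the model-driven diagram both rest on one mechanism: every artifact is linked back to the artifact it was derived from, so an audit package can be generated from the links instead of assembled by hand, and gaps (untested requirements, components nobody asked for, deployments built on unapproved changes) show up as findings. The following Python is an added illustration, not code from this deck or from IBM; the artifact kinds, the allowed link directions and the sample identifiers (P1, R1, M2, C3, D2 and so on) are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed lifecycle artifact kinds and the link directions allowed between them
# (business process -> requirement -> model -> component -> test / deployment).
KINDS = ("process", "requirement", "model", "component", "test", "deployment")
ALLOWED = {
    "process": {"requirement"},
    "requirement": {"model"},
    "model": {"component"},
    "component": {"test", "deployment"},
    "test": set(),
    "deployment": set(),
}


@dataclass
class Artifact:
    id: str
    kind: str
    approved: bool = True  # governance sign-off recorded for this artifact


class TraceGraph:
    """Directed graph of lifecycle artifacts with forward and reverse links."""

    def __init__(self):
        self.artifacts = {}
        self.out = defaultdict(set)  # src id -> downstream ids
        self.inc = defaultdict(set)  # dst id -> upstream ids

    def add(self, artifact):
        if artifact.kind not in KINDS:
            raise ValueError(f"unknown artifact kind {artifact.kind!r}")
        self.artifacts[artifact.id] = artifact

    def link(self, src, dst):
        s, d = self.artifacts[src], self.artifacts[dst]
        if d.kind not in ALLOWED[s.kind]:
            raise ValueError(f"{s.kind} -> {d.kind} is not a valid trace link")
        self.out[src].add(dst)
        self.inc[dst].add(src)

    def reachable(self, start, edges):
        # Breadth-first walk over one direction of links, excluding the start node.
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in edges[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def downstream(self, aid, kind):
        return sorted(x for x in self.reachable(aid, self.out) if self.artifacts[x].kind == kind)

    def upstream(self, aid, kind):
        return sorted(x for x in self.reachable(aid, self.inc) if self.artifacts[x].kind == kind)

    def of_kind(self, kind):
        return sorted(a.id for a in self.artifacts.values() if a.kind == kind)


def audit(graph):
    """Governance findings derived purely from the trace links."""
    findings = {
        "untested_requirements": [r for r in graph.of_kind("requirement") if not graph.downstream(r, "test")],
        "orphan_components": [c for c in graph.of_kind("component") if not graph.upstream(c, "requirement")],
        "unapproved_deployments": [],
    }
    for d in graph.of_kind("deployment"):
        chain = graph.reachable(d, graph.inc)  # everything this deployment was derived from
        if not graph.artifacts[d].approved or any(not graph.artifacts[x].approved for x in chain):
            findings["unapproved_deployments"].append(d)
    return findings


def audit_package(graph):
    """Per requirement, the tests and deployments it traces to (the audit package content)."""
    return {r: {"tests": graph.downstream(r, "test"), "deployments": graph.downstream(r, "deployment")}
            for r in graph.of_kind("requirement")}


def sample_graph():
    """Constructed sample data: one claims-handling process with two requirements."""
    g = TraceGraph()
    for aid, kind, ok in [
        ("P1", "process", True),        # settle a claim by phone
        ("R1", "requirement", True), ("R2", "requirement", True),
        ("M1", "model", True), ("M2", "model", False),  # M2 was changed without sign-off
        ("C1", "component", True), ("C2", "component", True),
        ("C3", "component", True),      # built, but traces to no requirement
        ("T1", "test", True),
        ("D1", "deployment", True), ("D2", "deployment", True),
    ]:
        g.add(Artifact(aid, kind, ok))
    for s, d in [("P1", "R1"), ("P1", "R2"), ("R1", "M1"), ("R2", "M2"), ("M1", "C1"),
                 ("M2", "C2"), ("C1", "T1"), ("C1", "D1"), ("C2", "D2")]:
        g.link(s, d)
    return g


if __name__ == "__main__":
    g = sample_graph()
    print(audit(g))          # R2 untested, C3 orphan, D2 rests on unapproved M2
    print(audit_package(g))
```

Each finding maps to a governance control from the slides: untested requirements break the "test to improve predictability" step, orphan components have no justification or owner, and a deployment whose upstream model lacks sign-off fails the project approval flow's sign-off gates. Because the checks read only the links, the same code runs unchanged whether the artifacts come from a modeling tool, a repository or a deployment manifest.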
A call to action to the Eclipse Community
End to End Application Lifecycle Tooling (Eclipse.org member value add tools):
• Language Tooling (J2EE, Web Services, Deployment)
• Data Tools (RDBMS, XML …)
• Domain Specific Tools/Apps …
• MDD Tools (Object, Data Modeling, Code generators …)
Eclipse Tools Integration platform (Models, APIs, XML formats…):
• Eclipse Core, GEF, JDT/CDT, Testing (TPTP), EMF, RCP, etc.
• MDD/MDA (UML2, U2TP …)
• J2EE (EJB, JSP …)
• Web Tools (WTP …)
• SAM*
Security Roles in an Organization
• Operations and Administration: Security Administrator, System/Application Administrator, Operator
• Development: Business analyst, Application programmer, Identity/Security developer
• Business Strategy and decision making: Chief Security Officer, Security Policy Officer, Security Architect, Security Auditor
Software Assurance: Some Relevant OMG Standards
• UML 2.0: Architecture, Design & Requirements Capture
• UML Testing Profile: Test automation
• KDM: Metadata about existing systems
• MOF & XMI: Metadata Infrastructure
• SysML: System design, Requirements