Software & Systems Development Governance : An approach to improving Software Assurance


(1)

Software & Systems Development Governance :

An approach to improving Software Assurance

Sridhar Iyengar

IBM Distinguished Engineer

siyengar@us.ibm.com

(2)

Topics Covered

Introduction to Governance – Why do we care

What does Software Assurance have to do with Governance

Model driven tools integration across the life cycle

Enabling traceability and management of artifacts

(3)
(4)

[Figure: "Actual Application Architecture" (prepared by Michelle Mills). A dense interface map of a retailer's application landscape: mainframe, PC/NT and Unix applications and 3rd-party interfaces (EDI, general ledger, accounts payable, sales, purchase order receiving, warehouse management, inventory control, accounts receivable, HR, credit, POS and many others) wired around a central Data Warehouse. Interfaces to and from the Data Warehouse are not displayed on the diagram.]

Actual Application Architecture

Complexity is Forcing Change

(5)

Initiatives Underway at IBM

Outside In Design (OID) – Scenario Driven

Componentization – exploit open source or binary components as needed

Drive componentization and SOA standards

End-end life cycle integration

Move to SOA across and within products

Model Driven Development, Deployment, Security, Management…

Standards (UML, SysML, UML Testing Profile, MOF, XMI, RAS, SAML, XACML, WS_Security…)

Patterns, Transformations and Recipes

Modeling Tools : Abstract modeling level

(6)

The world of many of our customers

Project Manager (Bangalore)
Provisioning (Boulder)
Testing (Toronto)
Developer (Warsaw)
Executive (Somers)
Customer (Topeka)

Governing a geographically distributed, service-oriented, open computing environment while ensuring regulatory compliance

(7)

TRADITIONAL
Co-located teams
Technology first
Vendor lock-in
Application silos
Project driven

CURRENT REALITY
Geographically distributed
Compliance
Open computing
Modular systems (SOA)
Value driven
Right-sourcing
Standards
Solution delivery

Transforming software and systems development

Business Driven Development

Enabling organizations to govern the business process of software and systems development

(8)

Governance defined

Governance is the exercise of authority, responsibility and the communication of information

Establishing chain of authority, accountability and responsibility

Measurements and controls to enable people

(9)

Governance consists of

Establishing chains of responsibility, authority and communication to empower people

Executing measurement and control mechanisms to enable people to carry out their roles and responsibilities

Manage value
• Align business and software
• At organizational and project levels
  - Balance risk and return
  - Provide clarity and accountability

Develop flexibly
• Leverage resources anywhere
• Enable agile sourcing choices
• Use iterative processes to reduce risk

Control risk and change
• Continuously measure to reduce risk
• Enable lifecycle change management
• Meet internal and external compliance needs

Governance

Governing Development,

(10)

[Figure: roles in an "Innovation Insurance Team" and what each governs]

Business Analyst: Models business processes
Deployment Manager: Deploys the solutions
IT Operations: Maintains the Data Center
CSR: Handles customer incident reports
Insurance Adjuster: Handles claims that can be settled by phone or email
Field Adjuster: Handles requests that require on-site inspection
VP of Claims: Reduces cost for claims processing
VP of Development: Reviews forecast vs actual and competitive products. Formulates actions to address
CEO: Establishes strategic goals and ensures company profitability
Integration Developer: Assembles and implements solutions
CIO: Responsible for Technology Infrastructure
Risk Analyst: Analyze, define, and manage policies
CFO: Responsible for accounting and financial
Project Manager: Manages new development projects
Portfolio Manager: Ensures development projects are aligned with business strategy

(11)

[Figure: governance flows laid out in swim lanes, with a Feedback loop]

IMPLEMENTATION FLOW (START to END)
Analyze policy / Policy Change
Identify requirements
Identify remediation plan (w/LOB)
Prioritize projects
Estimate project costs
Initiate Project Request
Generate Audit Package

PROJECT APPROVAL FLOW
Decompose projects into tasks
Validate plan & requirements
Approve Project sign-off
Develop, Test Service
Deploy, Manage Service
sign-off
Manage Services

Swim lanes
Operations
Development Governance
Data, Security, Strategic, Business Governance
SOA (Service) Governance

Feedback

(12)

Governance and processes are the keys to a successful transition to SOA

SOA Governance
Financial transparency
Business/IT alignment
Process control

Processes
Gather requirements
Model & simulate
Design
Discover
Construct & test
Compose
Integrate people
Integrate processes
Manage and integrate information
Protect information
Manage applications & services
Manage identity & compliance
Monitor business metrics

(13)

Integrate Custom & COTS software

[Figure: SOA service lifecycle, with Continuous Process Measurement and Management across all phases]

Service Justification: Decompose business process and identify services required
Service Ownership & Funding: Establish funding, project plans and resources
Service Modeling: Codify business process and enforce standards
Service Lifecycle Management: Develop iteratively, test to improve predictability, manage change to ensure traceability and auditability
Service Operations Management: Monitor composite application performance and adjust

1.0 Identify Services
2.0 Identify Service Owners
3.0 Fund Services
4.0 Specify Services
5.0 Realize Services
6.0 Develop & Test Services
7.0 Deploy Services
8.0 Manage Services
9.0 Maintain Services
10.0 Manage Services Performance
11.0 Manage Service Level

Continuous Process Measurement and Management

(14)

Model Driven Development & Deployment

[Figure: model-driven lifecycle from Design/Build to Run/Manage, with the standards used at each stage]

Design/Build
Business Modeling (BPD, UML)
IT Modeling (UML, SQL, XSD)
J2EE/Web Services Development
Wrapping
Orchestration (J2EE)

Run/Manage
Deployment (J2EE App Svr, Web Services)
Management (Component Mgmt, App Mgmt)

Standards and formats shown: WSDL, SCA, XML, SPEM, BPEL, SQL, J2EE, EMF, UML2, Java, CIM, BPM, Biz Rules, C++, DCM, SAM

Traceability Links and Transformations (profiles, metamodels, Code Gen Templates)

Specific metadata Models

Components, processes

Serve up models, On Demand

(15)

A call to action to the Eclipse Community

End to End Application Lifecycle Tooling (Eclipse.org member value add tools)
Language Tooling (J2EE, Web Services, Deployment)
Data Tools (RDBMS, XML)
Domain Specific Tools/Apps
MDD Tools (Object, Data Modeling, Code generators)

Eclipse Tools Integration platform (Models, APIs, XML formats…)
Eclipse Core
GEF
JDT/CDT
Testing (TPTP)
EMF
RCP
ETC.
MDD/MDA (UML2, U2TP)
J2EE (EJB, JSP)
Web Tools (WTP)
SAM*.

(16)
(17)

Security Roles in an Organization

Operations and Administration: Security Administrator, System/Application Administrator, Operator

Development: Business analyst, Application programmer, Identity/Security developer

Business Strategy and decision making: Chief Security Officer, Security Policy Officer, Security Architect, Security Auditor

Roles / Organization

(18)
(19)
(20)
(21)

Software Assurance: Some Relevant OMG Standards

UML 2.0: Architecture, Design & Requirements Capture
UML Testing Profile: Test automation
KDM: Metadata about existing systems
MOF & XMI: Metadata Infrastructure
SysML: System design, Requirements

(22)

