Practical Risk Management: Framework and Methods


New SEI Course! Practical Risk Management: Framework and Methods
September 23-24, 2009, Arlington, VA
Register at: www.sei.cmu.edu/products/courses/p78.html

13th International Software Product Line Conference 2009 (SPLC)
http://www.sei.cmu.edu/splc2009/index.html
Organizations Need Software Product Lines Now More Than Ever! Effectively using software product lines improves time to market, cost, productivity, and quality. Product lines also enable rapid market entry and flexible response, and they simplify software maintenance and enhancement.

Research, Technology, and System Solutions Program: Working with the SEI
If you need to improve:
  the structure and behavior of your software-reliant systems (regardless of scale)
  your ability to predict that behavior
The SEI can:
  harness the appropriate technology to help you solve specific problems
  help you launch initiatives
  help you improve your capabilities
  conduct applied research that meets your needs
  partner with you to create leading edge techniques, methods, and tools
For more information contact info@sei.cmu.edu

CERT's Podcast Series: Security for Business Leaders. http://www.cert.org/podcast/

SEPG Conference Series
SEPG is the premier, global conference series on software and systems process management. http://www.sei.cmu.edu/sepg/index.html

Get Certified! SEI Certifications: Proof of your skill from a world leader in software engineering. http://www.sei.cmu.edu/certification/

Want a Closer Connection to the SEI? Become an SEI Member! http://www.sei.cmu.edu/membership/

Do you have the knowledge you need? SEI Education & Training: http://www.sei.cmu.edu/products/courses/

A Practical Approach for Managing Risk Christopher Alberts Audrey Dorofee June 18, 2009 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Biography: Christopher Alberts
Christopher Alberts is a senior member of the technical staff at the Software Engineering Institute. He is currently developing methods for managing systemic risk during the development and operation of software-intensive systems and systems of systems. Prior to his work in this area, he co-developed the OCTAVE approach for managing information security risks and the Continuous Risk Management methodology for managing software development project risks. He has also co-authored two books, Managing Information Security Risks: The OCTAVE(SM) Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).

Biography: Audrey Dorofee
Audrey Dorofee is a senior member of the technical staff at the Software Engineering Institute. She is currently focused on the development and transition of advanced methods, tools and techniques for managing risk and opportunity in complex environments. She has co-authored two books, Managing Information Security Risks: The OCTAVE(SM) Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).

Polling Question #1: Are you experienced in managing risk?
Answers:
  Yes, experienced in managing risks
  No, new to risk management

Mission Success in Complex Environments (MSCE) Project
Part of the SEI Acquisition Support Program (ASP), the MSCE Project develops methods, tools, and techniques for
  advancing the state of the practice for risk management
  assuring success in complex, uncertain environments
The project builds on more than 17 years of SEI research and development in risk management:
  Continuous Risk Management for software-development projects
  Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) for organizational security

Topics
  Mosaic Approach
  Driver Analysis
  Standard Set of Program Drivers
  Risk Management Framework
  Implementing Mosaic
  Summary

Mosaic Approach

Widespread Use of Risk Management
Most programs and organizations implement some type of risk management approach when developing and operating software-intensive systems:
  risk management plan
  processes
  tools
However, preventable failures continue to occur:
  uneven and inconsistent application of risk-management practice
  significant gaps in risk-management practice
  ineffective integration of risk-management practice
  increasingly complex management environment

Rethinking Risk Management: A New Paradigm
Traditional paradigm:
  managing potential hazards
  tactical approach
  point solutions
  single type of risk (e.g., program, security, architecture)
  single life-cycle phase
  single entity (e.g., program, process, organization, system)
New paradigm:
  achieving success
  systemic approach
  integrated, holistic solutions
  multiple types of risk
  applicable across the life cycle
  scalable to multi-enterprise, multi-system environments

Tactical and Systemic Approaches
[Figure: the tactical view follows one chain at a time (Condition -> Potential Event -> Consequence); the systemic view traces many conditions and potential events together through to their combined Impact on Objectives.]

Mosaic: What
An approach for managing risk and opportunity across the life cycle and supply chain.
Core technologies:
  assessment methods
  Risk Management Framework
Products and services:
  courses
  workshops
  course and workshop combinations
  evaluations

Mosaic: Focus on Assessment
Every organization has preferred management practices. The foundation of the Mosaic approach is a suite of methods for assessing risk continuously. Mosaic also provides guidance for leveraging existing management practices to develop, implement, and track risk mitigation plans.
[Figure: a Plan-Do-Check-Act cycle, labeled with the organization's own management practices and with Mosaic management guidance.]

Mosaic Assessments
Mosaic assessments are modular in design. Driver identification and driver analysis provide a common front end for multiple back-end analyses:
  Gap Analysis
  Basic Risk Analysis
  Intermediate Risk Analysis
  Mission Success Analysis
  Integrated Risk and Opportunity Analysis
  Mission Assurance Analysis
  Risk Simulation Models
  other types of analysis

Mosaic: A Range of Analysis Options
Mosaic analysis methods range from basic to advanced, in this order: Gap Analysis, Basic Risk Analysis, Intermediate Risk Analysis, Mission Success Analysis, Integrated Risk and Opportunity Analysis, Mission Assurance Analysis, Risk Simulation Models.

Driver Analysis

Mosaic: Driver-Based Assessment
A driver is a factor that has a strong influence on the eventual outcome or result.
[Figure: Drivers 1 through N, each pushed toward the key objectives by positive conditions and potential events and away from them by negative conditions and potential events.]

Driver Framework
The driver framework is a common structure for classifying a set of drivers. Driver categories:
  Objectives
  Preparation
  Execution
  Environment
  Resilience
  Result

Drivers: Success and Failure States
A driver can guide the outcome toward key objectives (success state) or away from them (failure state). For the Process driver:
  Success state: the process being used to develop (and deploy) the system is sufficient.
  Failure state: the process being used to develop (and deploy) the system is insufficient.

Mosaic: Integrating Multiple Types of Risk
Mosaic provides an integrated view of the overall risk to key objectives. The driver categories (Objectives, Preparation, Execution, Environment, Resilience, Result) bring together process risk, IT risk, product risk, programmatic interoperability risk, security risk, operational risk, requirements risk, architecture risk, system integration risk, and system survivability risk.

Basic Set of Drivers for Software Programs
  1. Program Objectives
  2. Plan
  3. Process
  4. Task Execution
  5. Coordination
  6. External Interfaces
  7. Information Management
  8. Technology
  9. Facilities and Equipment
  10. Organizational Conditions
  11. Compliance
  12. Event Management
  13. Requirements
  14. Design and Architecture
  15. System Capability
  16. System Integration
  17. Operational Support
  18. Adoption Barriers
  19. Operational Preparedness
  20. Certification and Accreditation

Driver Analysis
Example driver question and answer:
  3. Is the process being used to develop and deploy the system sufficient?
  Consider: process design; measurements and controls; process efficiency and effectiveness; acquisition and development life cycles; training
  Answer: No / Likely no [X] / Equally likely / Likely yes / Yes / Don't know
Driver questions are phrased from the success perspective. Probability is incorporated into the range of answers for each driver. The rationale for selecting an answer is recorded.

Driver Profile
[Figure: chart of the driver value (Yes, Likely Yes, Equally Likely, Likely No, No) for each of the 20 drivers, split into programmatic drivers (1-12) and product drivers (13-20).]
A simple analysis provides insight into current conditions.

Basic Risk Analysis: Mission Risk
  Mission risk: 3. The process being used to develop and deploy the system is insufficient.
  Probability: High (determined using the results of driver analysis)
  Impact: Severe (determined using standard risk analysis methods)
  Risk exposure: High

Risk Profile
A risk profile can be presented in relation to a framework or taxonomy. Risk exposure for each driver, arranged by driver framework category:
  Objectives: High - 1. Program Objectives
  Preparation: Medium - 2. Plan; High - 3. Process
  Execution: Medium - 4. Task Execution; Low - 5. Coordination; Minimal - 6. External Interfaces; Minimal - 7. Information Management; Minimal - 8. Technology; Minimal - 9. Facilities and Equipment
  Environment: High - 10. Organizational Conditions; Minimal - 11. Compliance
  Resilience: Medium - 12. Event Management
  Product: Low - 13. Requirements; Medium - 14. Design and Architecture; Low - 15. System Capability; High - 16. System Integration; Medium - 17. Operational Support; Medium - 18. Adoption Barriers; Medium - 19. Operational Preparedness; Medium - 20. Certification and Accreditation
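The chain of slides above (driver question, answer with probability built in, driver profile, mission risk with exposure from probability and impact, risk profile laid out by framework category) carried through in code, as an added worked example. This is not SEI code and is not part of the deck: the numeric probability behind each answer, the impact scale, and the bands that turn probability x impact into an exposure level are assumptions made for this example, because the slides state only that probability comes from the driver answer and impact from standard risk analysis. The 20 driver names and the six framework categories are the deck's own; the sample answers and rationales are constructed.

```python
"""Driver analysis carried through to a mission risk profile (added example, not SEI code).
The answer-to-probability values, impact scale and exposure bands are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The 20 program drivers from the deck, and their driver framework categories.
DRIVERS: Dict[int, str] = {
    1: "Program Objectives", 2: "Plan", 3: "Process", 4: "Task Execution",
    5: "Coordination", 6: "External Interfaces", 7: "Information Management",
    8: "Technology", 9: "Facilities and Equipment", 10: "Organizational Conditions",
    11: "Compliance", 12: "Event Management", 13: "Requirements",
    14: "Design and Architecture", 15: "System Capability", 16: "System Integration",
    17: "Operational Support", 18: "Adoption Barriers", 19: "Operational Preparedness",
    20: "Certification and Accreditation"}
CATEGORIES: Dict[str, List[int]] = {
    "Objectives": [1], "Preparation": [2, 3], "Execution": [4, 5, 6, 7, 8, 9],
    "Environment": [10, 11], "Resilience": [12], "Result": list(range(13, 21))}

# Questions are phrased from the success perspective, so each answer encodes the
# probability that the driver is in its FAILURE state (numbers assumed here).
FAILURE_PROBABILITY: Dict[str, Optional[float]] = {
    "Yes": 0.05, "Likely yes": 0.25, "Equally likely": 0.50,
    "Likely no": 0.75, "No": 0.95, "Don't know": None}
PROB_BANDS = [(0.70, "High"), (0.40, "Medium"), (0.15, "Low"), (0.0, "Minimal")]
LEVEL_RANK = {"Minimal": 0, "Low": 1, "Medium": 2, "High": 3, "Unknown": 4}
IMPACT_RANK = {"Minor": 1, "Moderate": 2, "Major": 3, "Severe": 4}  # assumed scale
EXPOSURE_BANDS = [(9, "High"), (5, "Medium"), (2, "Low"), (0, "Minimal")]


def band(value: float, bands: List[Tuple[float, str]]) -> str:
    """First label whose floor the value reaches; bands are ordered high to low."""
    return next(label for floor, label in bands if value >= floor)


@dataclass(frozen=True)
class DriverAnswer:
    number: int
    answer: str
    rationale: str  # the deck requires the rationale for each answer to be recorded
    impact: str     # from a separate impact analysis, not from the driver question


def probability_level(answer: str) -> str:
    """Probability level taken straight from the driver answer, as the deck describes."""
    if answer not in FAILURE_PROBABILITY:
        raise ValueError(f"unknown driver answer {answer!r}")
    p = FAILURE_PROBABILITY[answer]
    return "Unknown" if p is None else band(p, PROB_BANDS)


def risk_exposure(prob_level: str, impact: str) -> str:
    """Probability x impact -> exposure. A 'Don't know' answer stays Unknown rather
    than quietly becoming low risk; it is a gap the team has to close."""
    if prob_level == "Unknown":
        return "Unknown"
    return band(LEVEL_RANK[prob_level] * IMPACT_RANK[impact], EXPOSURE_BANDS)


def mission_risk(a: DriverAnswer) -> Dict[str, str]:
    """One row of the Basic Risk Analysis table: the driver's failure state as a risk."""
    level = probability_level(a.answer)
    return {"risk": f"{a.number}. {DRIVERS[a.number]} is in its failure state",
            "probability": level, "impact": a.impact,
            "exposure": risk_exposure(level, a.impact), "rationale": a.rationale}


def risk_profile(answers: List[DriverAnswer]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Risk profile against the driver framework; worst (or Unknown) exposure first."""
    if sorted(a.number for a in answers) != sorted(DRIVERS):
        raise ValueError("every one of the 20 drivers must be answered exactly once")
    rows = {a.number: mission_risk(a) for a in answers}
    return {cat: sorted(((rows[n]["exposure"], n, DRIVERS[n]) for n in nums),
                        key=lambda e: -LEVEL_RANK[e[0]])
            for cat, nums in CATEGORIES.items()}


# Constructed sample analysis. Driver 3 reproduces the deck's worked row:
# answer "Likely no" -> High probability, Severe impact -> High exposure.
SAMPLE = [DriverAnswer(*row) for row in [
    (1, "Likely no", "schedule fixed before scope was known", "Major"),
    (2, "Equally likely", "integration plan still in draft", "Major"),
    (3, "Likely no", "no process measurements or controls", "Severe"),
    (4, "Likely yes", "velocity stable for six months", "Moderate"),
    (5, "Likely yes", "weekly cross-team coordination", "Moderate"),
    (6, "Yes", "supplier deliveries on time to date", "Major"),
    (7, "Yes", "single controlled document repository", "Minor"),
    (8, "Yes", "toolchain in place and licensed", "Minor"),
    (9, "Yes", "lab capacity confirmed", "Minor"),
    (10, "Likely no", "sponsor reorganization pending", "Severe"),
    (11, "Yes", "compliance review passed", "Moderate"),
    (12, "Equally likely", "no formal watch on external events", "Major"),
    (13, "Likely yes", "requirements baselined", "Major"),
    (14, "Equally likely", "architecture evaluation not yet held", "Severe"),
    (15, "Likely yes", "prototype meets key scenarios", "Major"),
    (16, "Likely no", "partner interface spec still changing", "Severe"),
    (17, "Equally likely", "support staffing undecided", "Moderate"),
    (18, "Equally likely", "user community not yet consulted", "Moderate"),
    (19, "Don't know", "training plan not reviewed", "Major"),
    (20, "Equally likely", "accreditation schedule unclear", "Severe")]]
```

Two choices matter more than the particular numbers. A "Don't know" answer is carried through as Unknown and sorted to the top of its category instead of being scored, because the deck's answer scale includes it and a profile that silently treated it as low risk would hide exactly the gap the assessment exists to surface. And risk_profile refuses a partial or duplicated answer set, so a profile is only ever produced for all 20 drivers; the holistic view the deck describes depends on that.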

Standard Set of Program Drivers

Driver Questions: Objectives
  1. Program Objectives: Are program objectives (product, cost, schedule) realistic and achievable?

Driver Questions: Preparation
  2. Plan: Is the plan for developing (and deploying) the system sufficient?
  3. Process: Is the process being used to develop (and deploy) the system sufficient?

Driver Questions: Execution
  4. Task Execution: Are tasks and activities performed effectively and efficiently?
  5. Coordination: Are activities within each team and across teams coordinated appropriately?
  6. External Interfaces: Will work products from suppliers, partners, or collaborators meet the program's quality and timeliness requirements?
  7. Information Management: Is the program's information managed appropriately?
  8. Technology: Does the program team have the tools and technologies it needs to develop the system and transition it to operations?
  9. Facilities and Equipment: Are facilities and equipment sufficient to support the program?

Driver Questions: Environment
  10. Organizational Conditions: Are enterprise, organizational, and political conditions facilitating completion of program activities?
  11. Compliance: Does the program comply with all relevant policies, laws, and regulations?

Driver Questions: Resilience
  12. Event Management: Does the program have sufficient capacity and capability to identify and manage potential events and changing circumstances?

Driver Questions: Result
  13. Requirements: Are system requirements well understood?
  14. Design and Architecture: Are the design and architecture sufficient to meet system requirements and provide the desired operational capability?
  15. System Capability: Will the system satisfactorily meet its requirements?
  16. System Integration: Will the system sufficiently integrate and interoperate with other systems when deployed?
  17. Operational Support: Will the system effectively support operations?
  18. Adoption Barriers: Have barriers to customer/user adoption of the system been managed appropriately?
  19. Operational Preparedness: Will people be prepared to operate, use, and maintain the system?
  20. Certification and Accreditation: Will the system be appropriately certified and accredited for operational use?

Polling Question #2: Do you use a risk management method that addresses all 20 driver questions?
Answers:
  Yes
  No
  Don't know

Risk Management Framework

Mosaic: Enabling Best Practice
Mosaic also provides guidance for determining if an existing risk management practice is effective. The Risk Management Framework defines best practice for risk management, and Mosaic provides two approaches for evaluating a program's risk management practice against it:
  Consistency Evaluation establishes whether key framework requirements are satisfied by a risk management practice.
  Effectiveness Evaluation establishes the likelihood that a risk management practice will produce intended results (i.e., keep risk within an acceptable tolerance).

Risk Management Framework
  Phase 1: Prepare for Risk Management
  Phase 2: Perform Risk Management Activities (Assess, Plan, Mitigate)
  Phase 3: Sustain and Improve Risk Management Activities
The Risk Management Framework is implementation independent: it defines risk management activities but does not specify how to perform those activities. The framework provides a foundation for a comprehensive risk management methodology and a basis for improving a risk management practice.

Polling Question #3: Is your current risk management practice effective?
Answers:
  Effective: all critical risks are being identified and mitigated; no unexpected, critical problems
  Needs improvement: some critical problems are showing up that should have been caught as risks
  Not very helpful: information not used by managers making decisions
  Just a check-the-box process because we have to do it
  Don't know

Implementing Mosaic

Ways of Implementing Mosaic
  Improve an existing risk management practice using the Risk Management Framework
  Adopt one of Mosaic's assessment methods
    Select the appropriate assessment platform (basic to advanced)
    Tailor drivers and artifacts based on mission and objectives
  Use Mosaic to integrate risk information in a multi-enterprise environment

Mosaic: An Integrated Decision-Making Approach
[Figure: the tactical view records positive conditions (strengths), negative conditions (weaknesses/tactical issues), potential events with positive consequences (opportunities) and potential events with negative consequences (tactical risks); driver analysis builds the systemic view from these, and back-end analysis turns the systemic view into decision-making data.]

Extending Driver Analysis
Driver analysis provides a foundation for program decision making. Mosaic also includes a variety of back-end analyses for more in-depth evaluation of drivers:
  Gap analysis (Mission Diagnostic)
  Basic risk analysis (Risk Diagnostic)
  Intermediate risk analysis
  Mission success analysis
  Integrated risk and opportunity analysis
  Mission assurance analysis (Mission Assurance Analysis Protocol, MAAP)
  Risk simulation models
  Others

Mosaic in Multi-Enterprise Environments
Programs that cross multiple organizational boundaries require a systemic viewpoint when managing risk:
  Acquire and maintain a broad view of the risk to program objectives
  Avoid local optimization of risk
  Keep the volume of risk data at a manageable level

Integrated View of Risk in Multi-Enterprise Environments
[Figure: SEI Mosaic integrating risk information from participating organizations that each run their own practice, whether SEI Continuous Risk Management, SEI Mosaic, or a proprietary risk management approach.]

Summary

Mosaic Assessments: Key Characteristics
  Straightforward and easy to apply
  Comprehensive, holistic view of a program's risk drivers
  Fully scalable to multi-system and multi-enterprise environments
  Easily integrated with existing management practices
  Success oriented
  Systemic, top-down analysis

Mosaic Assessments: Application in Multiple Domains
  Program risk management
  Mission and software assurance
  Information technology (IT) management
  Data management
  Cyber-security management
  Business process management
  Critical infrastructure protection
  Others

Potential Areas of Future Research
  Metrics
  Risk-based improvement
  Modeling and simulation

Mosaic Resources
SEI web pages: http://www.sei.cmu.edu/risk/
  Twenty Questions for Program Managers
  Presentations
  Technical Reports:
    A Framework for Categorizing Key Drivers of Risk
    Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success
    Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments

Mosaic: Portfolio
Courses:
  Risk Management Framework: Best Practices in Risk Management
  Introduction to Practical Risk Management
  Practical Risk Management: Framework and Methods
Workshops:
  Risk Management Tailoring and Improvement Workshops
Course and Workshop Combinations
Evaluations:
  Systemic Risk Evaluation
  Mission Success Evaluation
  Risk Management Framework Evaluation
  Custom Evaluation

Focus of Mosaic Products and Services
Along the range from basic to advanced analysis:
  Courses and workshops: Gap Analysis, Basic Risk Analysis
  Evaluations: Intermediate Risk Analysis, Mission Success Analysis, Integrated Risk and Opportunity Analysis
  Research and development: Mission Assurance Analysis, Risk Simulation Models

Public Training in September 2009
Practical Risk Management: Framework and Methods, September 23-24, 2009, SEI office in Arlington, VA

For Additional Information
Christopher Alberts
  Email: cja@sei.cmu.edu
  Phone: 412-268-3045
  Fax: 412-268-5758
Audrey Dorofee
  Email: ajd@sei.cmu.edu
  Phone: 412-268-6396
  Fax: 412-268-5758
WWW: http://www.sei.cmu.edu/risk/
U.S. mail: Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890