SEPG Using the Mission Diagnostic: Lessons Learned. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Transcription:

Slide 1: SEPG 2008, Using the Mission Diagnostic: Lessons Learned
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213

Slide 2: Mission Success in Complex Environments (MSCE)
Part of the Dynamic Systems Program, the MSCE Project develops methods, tools, and techniques for:
- Advancing the state of the practice for risk management
- Managing assurance in:
  - Multi-enterprise, distributed projects and processes
  - Software-intensive systems and systems of systems
The project team builds on more than 15 years of SEI research and development in risk management:
- Continuous Risk Management for software-development projects
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) for organizational security

Slide 3: Topics
- Background
- Overview of Mission Diagnostic
- Applying Mission Diagnostic
- Lessons Learned
- Questions

Slide 4: Background

Slide 5: Traditional Approaches: Projects and Support Functions
- Traditional management approaches focus on issues directly under the control of projects or operational processes
- Various functions within an organization that support projects and processes can increase or mitigate risk
- Some of these functions are outsourced to third parties
- Decision making is usually not well coordinated
(Diagram: Project/Process Management surrounded by supporting functions: Portfolio Management, Strategic Planning, Information Technology, Finance, Human Resources, Work Space/Facilities, Contracting, Legal and Compliance, Enterprise Business Continuity Planning, Other)

Slide 6: Distributed Programs and Operational Processes
- Frequently collaborative ventures with multiple organizations
- Partner actions can increase or mitigate risk
- Distributed programs and processes are especially vulnerable to:
  - Conflicting priorities
  - Uneven resource allocation
  - Complex interrelationships
  - Dynamic conditions
- Typical consequences can include hidden risks, unmitigated risks, and locally optimized risk mitigation
(Diagram: Organization A, Organization B, Organization C, and Organization D collaborating)

Slide 7: Need to Establish and Sustain Momentum Towards Success
(Diagram: momentum toward objectives, disturbed along the way by events and changes)
Achieving success requires:
1. Establishing sufficient momentum toward objectives
2. Sustaining momentum when stressed by events
3. Sustaining momentum when circumstances change

Slide 8: MOSAIC
SEI Mission-Oriented Success Analysis and Improvement Criteria (MOSAIC):
- Is a management approach for establishing and maintaining a reasonable degree of confidence that objectives will be achieved
- Comprises a suite of assessment and management methods
- Can be applied across the life cycle and supply chain
(Diagram: life-cycle and supply-chain phases spanning Project or Program Execution and Operational or Business Process Execution: Concept Exploration, Requirements Analysis, Strategy Evaluation, Design, Planning, Development Activities, Testing/Integration, Release/Production, Operations/Maintenance)

Slide 9: Focus on Outcomes
(Diagram: Context, Current Conditions, Potential Events, and Execution lead to a range of potential outcomes, numbered 1 to 5, from Success to Failure; Traditional Risk Management and MOSAIC are shown focusing on different parts of this picture)
- Traditional risk management is focused on managing potential problems or obstacles that can lead to adverse consequences
- MOSAIC is focused on managing the outcome, or result, of each project or business-process objective

Slide 10: Overview of Mission Diagnostic

Slide 11: MOSAIC Assessments
Two protocols are currently defined (shown on a scale of increasing analysis complexity):
- Mission Diagnostic Protocol (MDP) is a simple, time-efficient analysis that estimates the potential for success for a project or process based on a small set of key drivers
- Mission Assurance Analysis Protocol (MAAP) is an in-depth, complex analysis that determines the potential for success for key objectives in distributed environments based on both key drivers and an operational model

Slide 12: Potential for Success
The likelihood that an objective will be achieved:
- Excellent: The objective will almost certainly be achieved.
- High: The objective will most likely be achieved.
- Medium: The objective is just as likely to be achieved as not.
- Low: The objective will most likely not be achieved.
- Minimal: The objective will almost certainly not be achieved.

Slide 13: Applying MDP
(Diagram: positive and negative conditions and potential events feed Driver 1, Driver 2, Driver 3, ... Driver n, which together yield a potential for success of Excellent, High, Medium, Low, or Minimal; the drivers are the focus of MDP)
The potential for success is determined by:
- Evaluating a small set of key drivers of success or failure
- Applying a simple algorithm to determine the potential for success

Slide 14: What Are Drivers?
- A driver is a condition or circumstance that influences the outcome of a project or business process
- A success driver guides a project or business process toward a successful outcome
- A failure driver guides a project or business process toward an unsuccessful outcome
- Each project or process has a mixture of success and failure drivers influencing the eventual outcome
- Drivers are used to estimate the degree of momentum toward project or business-process objectives

Slide 15: Consider a Wide Range of Drivers
(Diagram: drivers arising from Objectives, Design, Environment, Execution, and Events shape the Outcome)
You need to analyze a wide range of success and failure drivers.

Slide 16: Generic Set of Drivers
1. Are project goals realistic and well-articulated?
2. Are communication and information sharing about mission activities effective?
3. Are customer requirements and needs well understood?
4. Are organizational and political conditions facilitating completion of project activities?
5. Is the project plan sufficient?
6. Does project management facilitate execution of tasks and activities?
7. Is task execution efficient and effective?
8. Is staffing sufficient to execute all project activities?
9. Are the technological and physical infrastructures adequate to support all project activities?
10. Are changing circumstances and unpredictable events effectively managed?

Slide 17: Evaluating Drivers
(Table: the question "1. Are project goals realistic and well-articulated?" with the answer options No, Likely no, Equally likely, Likely yes, and Yes; in the example one answer is marked with an X)
- Each driver is evaluated based on the data collected
- Probability is incorporated into the range of answers for each driver

Slide 18: Analyzing Project Drivers
(Chart: each driver plotted on the scale Yes, Likely yes, Equally likely, Likely no, No, with an Uncertainty Line drawn across the chart; drivers shown: Project Goals, Communication, Customer Requirements, Org/Political Conditions, Project Plan, Project Management, Task Execution, Staffing, Infrastructure, Event Management)
A simple analysis provides insight into the potential for success.

Slide 19: Managing the Potential for Success
(Chart: the Potential for Success scale, Excellent, High, Medium, Low, Minimal, with a Success Threshold, the Current State, and the Desired State marked on it)
- The potential for success is the likelihood that the desired outcome will occur
- The goal is to ensure that the potential for success is within tolerance
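As an added illustration of the procedure on slides 13 to 19 (this is not SEI's code and not the published Mission Diagnostic Protocol algorithm), the following Python scores a driver profile on the slide-17 answer scale, aggregates it into a slide-12 rating, and lists the drivers that fall below the uncertainty line. The numeric scores, the five-bin aggregation rule, the default success threshold, and the sample profile are assumptions made for this example.

```python
"""Toy evaluator for a Mission Diagnostic driver profile (slides 13-19).
Added example: the scoring and aggregation rules are assumptions for
illustration, not the published Mission Diagnostic Protocol algorithm."""

# Answer scale from slide 17. The numeric scores are an assumption; the
# "Equally likely" answer sits on the uncertainty line (slide 18) at 0.
ANSWER_SCORE = {"No": -2, "Likely no": -1, "Equally likely": 0,
                "Likely yes": 1, "Yes": 2}

# Generic set of 10 drivers from slide 16, using the chart labels of slide 18.
GENERIC_DRIVERS = ["Project Goals", "Communication", "Customer Requirements",
                   "Org/Political Conditions", "Project Plan",
                   "Project Management", "Task Execution", "Staffing",
                   "Infrastructure", "Event Management"]

# Potential-for-success scale from slide 12, lowest to highest.
LEVELS = ["Minimal", "Low", "Medium", "High", "Excellent"]


def potential_for_success(answers: dict) -> str:
    """Aggregate one answer per driver into a single rating.
    Assumed rule: the mean score over [-2, 2] is cut into five equal bins,
    so an all-"Equally likely" profile lands on "Medium" (slide 12)."""
    if not answers:
        raise ValueError("no drivers were evaluated")
    unknown = sorted(set(answers.values()) - set(ANSWER_SCORE))
    if unknown:
        raise ValueError(f"answers outside the slide-17 scale: {unknown}")
    n = len(answers)
    total = sum(ANSWER_SCORE[a] for a in answers.values())
    # Integer arithmetic: shift the mean into [0, 4] and scale to 5 bins.
    bin_index = (total + 2 * n) * len(LEVELS) // (4 * n)
    return LEVELS[min(bin_index, len(LEVELS) - 1)]


def failure_drivers(answers: dict) -> list:
    """Drivers below the uncertainty line (slide 18): those answered
    "Likely no" or "No", the failure drivers pulling the outcome down."""
    return sorted(d for d, a in answers.items() if ANSWER_SCORE[a] < 0)


def within_tolerance(rating: str, success_threshold: str = "High") -> bool:
    """Slide 19: the current state must reach the success threshold."""
    return LEVELS.index(rating) >= LEVELS.index(success_threshold)


# Constructed sample profile for a fictional assessment (not real data).
SAMPLE_PROFILE = dict(zip(GENERIC_DRIVERS, [
    "Yes", "Likely no", "Likely yes", "No", "Likely yes",
    "Equally likely", "Yes", "Likely no", "Likely yes", "Likely no"]))

if __name__ == "__main__":
    rating = potential_for_success(SAMPLE_PROFILE)
    print("Potential for success:", rating)                 # Medium
    print("Within tolerance:", within_tolerance(rating))     # False
    print("Failure drivers to address:", failure_drivers(SAMPLE_PROFILE))
```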

Slide 20: Applying Mission Diagnostic

Slide 21: Applications of Mission Diagnostic
We have applied Mission Diagnostic (MD) in the following domains:
- Cyber-security incident management
- Software development portfolio management
- Software development and deployment
MD proved to be effective in all cases. For each domain, we tailored the MD drivers and some of our techniques.

Slide 22: Cyber-Security Incident Management
- We used MD as an adjunct to a detailed functional assessment to provide a broad, risk-based view of the response team's potential for successful operations
- Identified 10 drivers
- Additional 5-10 minutes per interview using broad questions
- Assessed operational processes and practices used:
  - To prevent, detect, and respond to incidents
  - For various types of events and incidents
- Method was transitioned to incident response team experts for further use

Slide 23: Software Development Portfolio Management
- Customer wanted a quick, risk-based means of sorting through various software development projects based on their potential return on investment and risk at different points in their life cycles
- Identified 14 drivers based on previous successes and failures
- Conducted face-to-face interviews
- Transitioned method to client at the end of the first pilot

Slide 24: Software Development and Deployment
- Used MD for a rapid, high-level assessment of the potential for a successful deployment of a software-intensive system
- Identified 18 drivers, with a particular focus on deployment concerns
- Conducted interviews using teleconferencing to keep costs down

Slide 25: Lessons Learned

Slide 26: Self-Application
- MD assessments can be self-applied
  - Simple, algorithmic aspect
  - Generic set of 10 drivers is useful in most applications*
  - You do not have to be an expert in MD to get actionable results
- We have successfully transitioned tailored MD assessments to customers
* Tailoring drivers does require some expertise and experience

Slide 27: Number of Drivers
- Time-efficiency is a key aspect of an MD assessment; keeping the number of drivers small is essential
- Between 10 and 15 drivers will generally provide good results
- We have successfully used 18 drivers

Slide 28: New Sets of Drivers
We began with a generic set of 10 drivers, then:
- Tailored the generic drivers to create a 10-driver set for cyber-security incident management projects
- Developed a new set of 14 drivers with a focus on ROI and other business concerns for software development portfolio management
- Developed a new set of 18 drivers focusing on technical and programmatic concerns for system development and deployment projects

Slide 29: On-Site Interviews and Teleconferencing
- Usually used on-site interviews, requiring from 10 to 45 minutes, depending on the number of drivers
- On-site interviews can be more effective, but are harder to schedule and can require additional expenses
- Teleconferences were just as effective, but did raise the issue of being unsure who was really on the other end of the phone
- In cyber-security, we used only 4-5 questions to collect information for the 10 drivers; other information came from the parallel, in-depth assessment
- All techniques were effective at raising concerns, strengths, and issues

Slide 30: Algorithmic Analysis
- MD assessments use simple algorithms to calculate the potential for success
  - Does not require extensive risk or assessment experience to use
  - Basic means of identifying potential for success
  - Results are sufficient for managers to determine where to make improvements
- Provides only a broad view of the potential for success
  - More complex/advanced analyses would be needed to provide a more refined view or to consider alternative outcomes

Slide 31: Outcome-Based Scenario Analysis
- For software development and deployment projects, we borrowed outcome-based scenario analysis from the more complex MAAP assessment
  - Determined minimal, moderate, and good pictures of success and the potential for each to occur
  - Able to show that at least some type of success was possible
- Requires additional expertise to identify and assess alternative scenarios

Slide 32: Useful Complement to In-depth Assessments
- When used with the in-depth functional assessment for cyber-security incident management teams, MD provided a useful, alternative view into the current state of the team and its operational processes
  - Easier to understand the key issues and risks (10 or less)
  - Senior management quickly understood the situation and what was needed for improvements
- MD results were used by senior managers to deal with risks that were beyond the control of the technical/project leads
  - Drivers provided a more effective means of quickly communicating risk between senior managers and technical/project leads
- In-depth assessment results were used by technical/project leads to conduct localized improvements

Slide 33: New Areas of Research and Development
- From the software development and deployment project, we will create a new assessment protocol that blends MD and MAAP
(Diagram: a New Protocol placed between the Mission Diagnostic Protocol (MDP) and the Mission Assurance Analysis Protocol (MAAP) on the analysis-complexity scale)
- Working with different layers of information, responsibility, communication, and risk mitigation across and within organizations has started research into a new taxonomy for success management based on conditions and events
- We will be conducting research into using the MD as a basis for continuous management of project and process risk

Slide 34: You Don't Need Detailed Assessments to See You Are Going in the Wrong Direction!
- A quick, efficient assessment like the MD can reveal if you are generally heading for success or failure
  - Point out areas that need to be improved
  - Identify general areas that could benefit from detailed analyses or assessments (e.g., a security assessment)
- A quick assessment of your current state can make you stop and think, and sometimes that's what you need the most

Slide 35: Questions

Slide 36: For Additional Information
Christopher Alberts
cja@sei.cmu.edu
412-268-3045 (Office)
412-268-5758 (Fax)

Audrey Dorofee
ajd@sei.cmu.edu
412-268-6396 (Office)
412-268-5758 (Fax)

For updated slides or more information:
http://www.sei.cmu.edu/msce/
sei-mosaic@sei.cmu.edu

Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
