CSQA Questions and Answers

In the prioritization process, risks from the analysis process are ranked from highest to lowest. When possible, they should be ranked quantitatively; otherwise, it is done qualitatively. Items that have similar ranks may need to be ranked separately.

If the high-medium-low method was used to calculate risk, the analyst would need to determine how to rank the two scores of 5, the three scores of 4 and the two scores of 3. In other words, determine whether the value of the frequency or the value of the impact would be more important.

Risks may also be prioritized using a question-and-answer technique to filter out unimportant risks. Four filters are typically used: impact (significant or insignificant), likelihood of occurrence (very likely or not likely), time frame (short-term or long-term), and program control (within control or not within control).

Static testing is another name for in-process reviewing. It means that the test is being performed without executing the code. Static testing occurs throughout the development life cycle; however, a large part of it takes place during the requirements and design phases in the form of walkthrough inspections, and system reviews. Other examples of static testing include code analyzers or writing analyzers.

There are two types of static tests:

Validation

Validation is testing the software in an operational state. While there are several iterations of testing, they do not occur until the latter part of the system development life cycle. Thus, validation does not take advantage of the control theory stating that the control should be placed as close as possible to where the defect occurs. The most common types of validation are unit testing, integration testing, and system testing. Unit testing tests the smallest operating module ofa system; integration testing tests the connecting logic between the modules/units; and the systemtesting validates that the system executes in the organization's operating environment.

Verification

Verification is the static testing of the system in a nonoperational status. It primarily tests the documentation produced by the project team. The documentation includes requirements, design, code, test, and operating documentation. Verification is performed through a variety of processes, including code analyzers, walkthroughs, reviews, and inspections. These verification processes also interact with the project team, end users, and other interested parties. Level 2 also incorporates acceptance testing, in which the end users define the criteria, which the system must meet in order to, be acceptable, and then test against those criteria.

The Test Manager ensures that testing is performed, that it is documented, and that testing techniques are established and developed. The manager is also responsible for:

Planning and estimating tests

Designing the test strategy

Ensuring tests are created and executed in a timely and productive manner

While there is no one best way to develop a security awareness program, the process that follows is an all-inclusive process of the best security awareness training program. This example includes these three steps:

IT management creates a security awareness policy.

Develop the strategy that will be used to implement that policy.

Assign the roles for security and awareness to the appropriate individuals.

Step 1 – Create a Security Awareness Policy

The CIO and/or the IT Director need to establish a security awareness policy. The policy needs to state management’s intension regarding security awareness. Experience has shown that unless senior management actively supports security awareness, there will be a lack of emphasis on security among the staff involved in using information technology and information.

Management support for security awareness begins with the development and distribution of a security awareness policy. Once that policy has been established, management makes security awareness happen through supporting the development of a strategy and tactics for security awareness, appropriately funding those activities, and then becoming personally involved in ensuring the staff knows of management’s support for security awareness.

Step 2 – Develop a Security Awareness Strategy

A successful IT security program consists of: 1) developing an IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in the security policy and procedures; and 3) establishing processes for monitoring and reviewing the program.

Security awareness and training should be focused on the organization’s entire user population. Management should set the example for proper IT security behavior within an organization. An awareness program should begin with an effort that can be deployed and implemented in various ways and is aimed at all levels of the organization including senior and executive managers. The effectiveness of this effort will usually determine the effectiveness of the awareness and training program. This is also true for a successful IT security program.

An effective IT security awareness and training program explains proper rules of behavior for the use of an organization’s IT systems and information. The program communicates IT security policies and procedures that need to be followed. This must precede and lay the basis for any sanctions imposed due to noncompliance. Users first should be informed of the expectations. Accountability must be derived from a fully informed, well-trained, and aware workforce.

This step describes the relationship between awareness, training, and education – the awareness training-education continuum. An effective IT security awareness and training program can succeed only if the material used in the program is firmly based on the IT security awareness policy and IT issue-specific policies. If policies are written clearly and concisely, then the awareness and training material – based on the policies – will be built on a firm foundation.

Step 3 – Assign the Roles for Security Awareness

While it is important to have a policy that requires the development and implementation of security and training, it is crucial that IT organizations understand who has responsibility for IT security awareness and training. This step identifies and describes those within an organization that have responsibility for IT security awareness and training.

Some organizations have a mature IT security program, while other organizations may be struggling to achieve basic staffing, funding, and support. The form that an awareness and training program takes can vary greatly from organization to organization. This is due, in part, to the maturity of that program. One way to help ensure that a program matures is to develop and document IT security awareness and training responsibilities for those key positions upon which the success of the program depends.

The starting point in new product development is the decision of what to build for whom. This requires determining customers, finding out what they want, and identifying whatcapabilities can be provided to them. In QFD, the fundamental deployments of customers and quality address this.

Customer Deployment involves determining which types of customers for which the organization is trying to provide a product or service. It precedes the determination of requirements in quality deployment. Customers must be identified first in order to know to which voices to listen. The customer deployment component of QFD is particularly important for software, as a single software product must often satisfy many types of customers.

Quality Deployment has tools and techniques for the exploration and specification of high-value customer requirements (or "demanded quality"). Once captured, the customer requirements are translated and deployed into technical requirements (or “quality characteristics”) in the House of Quality matrix. (The House of Quality is the first matrix that a product development team uses to initiate a Quality Function Deployment (QFD) process.) This can be done at various levels of sophistication, ranging from four matrices to a dozen.

These fundamental deployments are the foundation for downstream design-and-development decisions about “how” the product will work (the horizontal deployments) and 'how well' it will be designed and developed (the vertical deployments). Both horizontal and vertical deployments are required to appropriately handle this complexity.

The IT Quality Plan should include the following:

A reference to the organization's quality policy

An assessment of where the organization currently stands in relation to accomplishing the quality policy

Long-term quality goals - these are discussed below

Short-term quality objectives (i.e., programs) - these are discussed below

The means of implementing the quality objectives

Resources required in order to accomplish the short-term objectives and long term-goals

The checklist must contain the following items to determine necessary management security controls placed over online software systems:

Ensure that staff knows who does what relative to security—the security dos and do nots.

Ensure that staff has sufficient resources and skills to exercise its security responsibilities.

Ensure that security is considered in job performance appraisals and results in appropriate rewards and disciplinary measures.

Ensure awareness of the need to protect information; provide training to operate nformation systems securely and be responsive to security incidents.

Ensure that security is an integral part of the systems development life cycle process and explicitly addressed during each phase of the process.

Ensure that staff with sensitive roles has been vetted.

Ensure that the organization is not dependent on one individual for any key security task (i.e., appropriate segregation of duties).

Ensure that privacy and intellectual property rights, as well as other legal, regulatory, contractual and insurance requirements, have been identified with respect to security and processes in your area of responsibility.

Ensure that applicable security measures have been identified and implemented (e.g., effective backup, basic access control, virus detection and protection, firewalls, intrusion detection and adequate insurance coverage).

Ensure that a suitable technical environment is in place to support security measures

Both the business staff and the quality staff should be involved in IT planning. Involvement is in both strategic and tactical planning.

The objective of this single planning cycle is to ensure that adequate resources and time are available to perform the quality activities. The net result is that the individuals executing the business plan cannot differentiate the quality planning from the business planning. For example, if business planning calls for a quality review prior to the end of each phase of software development, the business staff will assume, that is a logical part of the software development process. If it is not integrated, the review is owned by the quality professional and may not be adequately supported by the IT business staff, such as, system designers and programmers.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-12 at 6.45.40 PM.png

The figure gives an example of business planning and an example of quality planning. While the blocks show that strategic and tactical business planning and strategic and tactical quality planning occur, the end result is a business plan that incorporates quality activities.

IT Management- IT management must plan for quality and develop an IT policy that documents the objectives for the quality function.

Management committees(also called Process Management Committees) are composed of middle managers and/or key staff personnel, and are responsible for deploying quality management practices throughout the organization. One or more committees may be needed depending on the organization’s size and functional diversity. Committees should represent all the skills and functions needed to work on the specific processes or activities.

The users of the processknow the strengths and weaknesses of the process; they know the type of process changes that can facilitate the use of the process.

Quality Assurance Managerassures the overall process to maintain quality. He/she also manages and maintain a group of quality assurance professionals who have the task of maintaining quality and assuring quality.

Quality Control Function- The method used in your IT organization to acquire tools is two-fold. First, tool vendors send you information about new tools and/or call to explain the tools to you. Second, requests from IT staff members are an important input in determining whether or not to acquire tools. Once acquired, the determination for tool usage is left to the project and/or individual.

There are three COQ categories:

Prevention- Money required preventing errors and to do the job right the first time is considered prevention cost. This category includes money spent on establishing methods and procedures, training workers and planning for quality. Prevention money is all spent before the product is actually built.

Appraisal– Appraisal costs cover money spent to review completed products against requirements. Appraisal includes the cost of inspections, testing and reviews. This money is spent after the product or subcomponents are built but before it is shipped to the user.

Failure– Failure costs are all costs associated with defective products. Some failure costs involve repairing products to make them meet requirements. Others are costs generated by failures, such as the cost of operating faulty products, damage incurred by using them and the costs incurred because the product is not available. The user or customer of the organization may also experience failure costs.

The following figure shows a few examples of the three costs of quality that illustrate the types of activities in each of the categories. Experience has shown that a small group of knowledgeable people can develop estimates for the COQ categories. The estimate does not have to be highly precise because the amounts will be so large that even errors of plus or minus 50% would not affect identifying the actions that need to be taken to reduce the COQ.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-12 at 3.16.26 PM.png

Measure

A measure is a single quantitative attribute of an entity. It is the basic building block for a measurement program. Examples of measures are lines of code (LOC), work effort, or number of defects. Since quantitative measures can be compared, measures should be expressed in numbers.

For example, the measure LOC refers to the “number” of lines and work effort refers to the “number” of hours, days, or months.

Metrics

A metric is a derived (calculated or composite) unit of measurement that cannot be directly observed, but is created by combining or relating two or more measures. A metric normalizes data so that comparison is possible. Since metrics are combinations of measures they can add more value in understanding or evaluating a process than plain measures. Examples of metrics are mean time to failure and actual effort compared to estimated effort.

There are four main testing stages in a structured software development process. They are:

Unit Testing

These tests demonstrate that a single program, module, or unit of code function as designed. For example, observing the result when pressing a function key to complete an action. Tested units are ready for testing with other system components such as other software units, hardware, documentation, or users.

Integration Testing

These tests are conducted on tasks that involve more than one application or database, or on related programs, modules, or units of code, to validate that multiple parts of the system interact according to the system design. Each integrated portion of the system is then ready for testing with other parts of the system.

System Testing

These tests simulate operation of the entire system and confirm that it runs correctly. Upon completion, the validated system requirements result in a tested system based on the specification developed or purchased.

User Acceptance Testing

This real-world test is the most important to the business, and it cannot be conducted in isolation. Internal staff, customers, vendor, or other users interact with the system to ensure that it will function as desired regardless of the system requirements. The result is a tested system based on user needs.

If the application system is interconnected with applications and/or other software from different contractors, that interrelationship should be specified. It is important to state in the contract that has primary responsibility for tracing and correcting errors. In a multi-contractor environment, when no contractor accepts primary responsibility for error tracking, the customer may need to expend large amounts of funds to trace errors because of the unwillingness of contractors to accept this responsibility.

Identify a problem (effect) with a list of potential causes. This may result from a brainstorming session.

Write the effect at the right side of the paper.

Identify major causes of the problem, which become “big branches”. Six categories of causes are often used: Measurement, Methods, Materials, Machines, People, and Environment, but the categories vary with the effect selected.

Fill in the “small branches” with sub-causes of each major cause until the lowest level sub-cause is identified.

Review the completed cause-and-effect diagram with the work process to verify that these causes (factors) do affect the problem being resolved.

Work on the most important causes first. Teams may opt to use the nominal group technique or Pareto analysis to reach consensus.

Verify the root causes by collecting appropriate data (sampling) to validate a relationship to the problem.

Continue this process to identify all validated causes, and, ultimately the root cause.

A process can be measured by either of the following:

Attributes of the process, such as overall development time, type of methodology used, or the average level of experience of the development staff.

Accumulating product measures into a metric so that meaningful information about the process can be provided. For example, function points per person-month or LOC per person-month can measure productivity (which is product per resources), the number of failures per month can indicate the effectiveness of computer operations, and the number of help desk calls per LOC can indicate the effectiveness of a system design methodology.

There is no standardized list of software process metrics currently available. However, in addition to the ones listed above, some others to consider include:

Number of deliverables completed on time

Estimated costs vs. actual costs

Budgeted costs vs. actual costs

Time spent fixing errors

Wait time

Number of contract modifications

Number of proposals submitted vs. proposals won

Percentage of time spent performing value-added tasks

Force field analysis is a visual team tool used to determine and understand the forces that drive and restrain a change. Driving forces promote the change from the existing state to the desired goal. Opposing forces prevent or fight the change. Understanding the positive and negative barriers helps teams reach consensus faster.

The steps below show how a team uses force field analysis:

Establish a desired situation or goal statement.

Brainstorm and list all possible driving forces.

Brainstorm and list all possible restraining forces.

Determine the relative importance of reaching consensus on each force.

Draw a force field diagram that consists of two columns, driving forces on one side and restraining forces on the other.

Select the most significant forces that need to be acted upon using the nominal group technique to prioritize and reduce the number, if there are too many.

Proceed to a plan of action on the forces selected in the previous step