information system

kuroCat123

ISDS351Review2.pptx

Home >Information Systems homework help >information system

What is an Information System?

‹#›

HARDWARE

SOFTWARE

DATA

PROCESS

PEOPLE

Business

Technology

An information system is hardware and software that allow people to follow a process. (Kroenke, 2011)

Information systems move work away from people and into technology

Increasing difficulty of introducing change

Five Component Model

Understanding the Relationship Between Strategic Planning and IT

Improves alignment between business and IT

Alignment: IT organization and resources are focused on actions to support the strategic plan

Implies that the IT and business have a shared vision

Shared vision helps an IT organization in:

Hiring for the right skills and capabilities

Choosing the correct technologies and vendors

Installing the right systems

Focusing on projects that facilitate moving toward the vision and mission

Information Technology for Managers

‹#›

Analyze Situation (2)

Collecting and analyzing facts about its key customers, competitors, and suppliers

Aiming to:

Identify strategically important issues that the organization must address

Reveal the firm’s competitive position against its rivals

Michael Porter’s Five Forces Model: Used for assessing the nature of industry competition

Information Technology for Managers

‹#›

Setting the IT Organizational Strategy

ology for Managers

‹#›

Strategic Plan of an IT Organization

Needed to aid in investments that support the corporate objectives, goals, and strategies

Required to identify correct technologies, vendors, competencies, people, systems, and projects

Depends on the way the rest of the organization perceives it

cost center/service provider

a business partner/business peer

game changer

Information Technology for Managers

‹#›

Role of Information Systems/Technology

‹#›

Game Changer

Business Partner

Service Provider

Core Infrastructure & Services

Business Enablement

Business Innovation

Figure 2.4 - Drivers that Set IT Organizational Strategy and Determine IT Investments

Information Technology for Managers

‹#›

Identifying IT Projects and Initiatives

Require interacting with various business managers and observing other IT organizations and competitors

Must support corporate objectives and goals

Classify various potential projects by type

‹#›

Breakthrough	Enhancement
Growth	Maintenance
Innovation	Mandatory

Prioritizing IT Projects and Initiatives (1)

Process of setting priorities and determining the resulting budget, staffing, and timing needs

Defines which projects will be initiated and when they will be executed

Involves reviewing and evaluating from different perspectives

Information Technology for Managers

‹#›

Prioritizing IT Projects and Initiatives (2)

Projects must relate to a specific organizational goal

Establish tangible and intangible benefits

Benefits must to be measurable

Key Performance Indicators (KPI)

Tangible tied to a value statement

Intangible cannot be tied to a value statement

‹#›

Prioritizing IT Projects and Initiatives (3)

Understand TCO (Total Cost of Ownership)

includes purchase price, operating costs, and support/maintenance fees.

Hardware / Software

License Costs

Annual Maintenance / Support

Extends over years

Switching costs

At deployment & At decommission

Staffing / Training

Environmental (Power/Thermal)

‹#›

Prioritizing IT Projects and Initiatives (4)

Rate of Return

Risk Factors

Project Enablement

Skills?

Backroom/Frontroom

Build vs. Buy

‹#›

Corporate Governance

Processes, customs, rules, procedures, policies, and traditions

Determine how to direct and control management activities

Key players

Board of directors, CEO, senior executives, and shareholders

Information Technology for Managers

‹#›

Issues Addressed by Corporate Governance

Preparing of the firm’s financial statements

Monitoring the choice of accounting principles and policies

Establishing internal controls

Hiring of external auditors

Nominating and selecting of people to the board of directors

Managing risk

Dividend policy

Information Technology for Managers

‹#›

Figure 5.1 - Board of Directors and Various Subcommittees Involved in Governance

Information Technology for Managers

‹#›

IT Governance

Framework that ensures IT decisions are based on goals and objectives

Includes defining:

Decision-making process

Who makes the decisions

Who is held accountable for results

How the results of decisions are communicated, measured, and monitored

Information Technology for Managers

‹#›

Primary Goals of Effective IT Governance

Ensuring that an organization achieves good value from its investments in IT

Mitigating IT-related risks

(Privacy/Security list in textbook is out of date. This will be covered later under Privacy.)

Information Technology for Managers

‹#›

“Good Value”

What is good value?

Good value for whom?

Information Technology for Managers

‹#›

Figure 5.2 - Two Primary Goals of IT Governance

Information Technology for Managers

‹#›

Reward

Ensuring that an Organization Benefits from IT Investments

Efficient governance is needed in the management of IT by business managers

Effective IT strategic planning process ensures close alignment between business and IT project goals and objectives

Involves applying good project management principles

Guide to Microsoft Virtual PC 2005 and Virtual Server 2007

‹#›

Mitigating IT-Related Risks

Requires use of good internal controls and management accountability

Sarbanes-Oxley Act

Holds senior management (CEO and CFO) accountable for the integrity of organization’s financial data and internal controls

Information Technology for Managers

‹#›

Mitigating IT-Related Risks

Internal control

Fundamental concept involves separation of duties

Affected by improper conduct of senior managers and failure to hold the managers accountable

Offers reasonable assurance for:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations

Information Technology for Managers

‹#›

Figure 5.3 - Key Activities Needed for Effective IT Governance

Information Technology for Managers

‹#›

Why Managers Must Understand IT Governance

Guide to Microsoft Virtual PC 2005 and Virtual Server 2007

‹#›

Importance of IT Governance for Managers

Universal goal for businesses

Leveraging IT to transform an enterprise and create value-added services, increased revenue, and decreased expenses

Effective IT governance:

Aligns and integrates the IT organization with the business

Reduces risks and costs

Helps the company gain a business advantage

Information Technology for Managers

‹#›

IT Governance Frameworks

Guide to Microsoft Virtual PC 2005 and Virtual Server 2007

‹#›

IT Infrastructure Library (ITIL)

Set of guidelines initially formulated by the UK government

Used to standardize, integrate, and manage IT service delivery

Provides a proven and practical framework to plan and deliver IT operational services

Organized around a five-phase service life cycle

Levels of training and certification

Foundation, practitioners, and managers

Information Technology for Managers

‹#›

Control Objectives for Information and Related Technology (COBIT)

Set of guidelines

Goal

Aligning IT resources and processes with business objectives, quality standards, monetary controls, and security needs

Issued by the IT Governance Institute

www.isaca.org/COBIT/Pages/default.aspx

Provides guidance for 37 IT-related processes grouped into five major categories and two domains of governance and management

Information Technology for Managers

‹#›

Control Objectives for Information and Related Technology (COBIT)

Maturity level of management processes evaluated on a scale of 0 to 5

Used for each process to evaluate a number of items

Use the information to choose:

Which processes have priority for improvement

Which can be addressed later

Information Technology for Managers

‹#›

Using PDCA and an IT Governance Framework

Plan-Do-Check-Act (PDCA) model

Proven method

Applied to a specific targeted process

Each step in the model has specific objectives

Plan step

Do step

Check step

Act step

Information Technology for Managers

‹#›

Figure 5.5 - Process Improvement Using PDCA and COBIT or ITIL

Information Technology for Managers

‹#›

Business Continuity Planning

Guide to Microsoft Virtual PC 2005 and Virtual Server 2007

‹#›

Business Continuity Planning

Defines the people and procedures required to ensure timely and orderly resumption of an organization’s processes with minimal interruption

International Standards Organizational standard ISO 22301:2012

Specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system

Information Technology for Managers

‹#›

Business Continuity Planning

First rule of BCP and DR:

KEEP THE PEOPLE SAFE

Information Technology for Managers

‹#›

What is an Information System?

‹#›

HARDWARE

SOFTWARE

DATA

PROCESS

PEOPLE

Business

Technology

An information system is hardware and software that allow people to follow a process. (Kroenke, 2011)

Information systems move work away from people and into technology

Increasing difficulty of introducing change

Five Component Model

Business Continuity Planning

People are the most important part of any business

Due diligence: Effort made by an ordinarily prudent or reasonable party to avoid harm to another party

Failure to make the effort is considered negligence

Information Technology for Managers

‹#›

Business Continuity Planning

‹#›

Disaster Recovery Plan

Component of the business continuity plan

Defines the process to recover business information system assets, in the event of a disaster

Focuses on technology recovery

Identifies the people or teams responsible for taking action in the event of a disaster

Information Technology for Managers

‹#›

Disaster Recovery Plan

Identify vital records and data

Conduct business impact analysis

Define resources and actions to recover

Define emergency procedures

Identify and train business continuity teams

Train employees

Practice and update plans

Information Technology for Managers

‹#›

Process for Developing a Disaster Recovery Plan

Identify vital records and data

Determine where and how they are being stored and backed up

Assess the adequacy of the current data storage plan

Offsite backup recommended

Information Technology for Managers

‹#›

RPO vs RTO

Recovery time objective (RTO): Time within which a business function must be recovered

Recovery point objective (RPO): The time in the past to which the business must be recovered.

Maximum Tolerable Downtime (MTD): Greatest amount of business loss that is allowed

MTD = RPO + RTO

‹#›

Recovery Point Objective (past)

Recovery Time Objective (future)

Event

Business Function Classification

ormation Technology for Managers

‹#›

Mission Critical

Systems necessary to keep the mission of the company viable. Examples: sales, production, payment processing, shipping

Business Critical

Systems necessary to support the management of the company. Examples: Reporting, accounts payable, payroll

Essential

Not needed urgently to keep the company running. Examples: Hiring, training, purchasing

Why Managers Must Understand E-Commerce

‹#›

Need for Managers to Understand E-Commerce (1)

E-commerce: Exchange of money for goods and services over electronic networks

Enables organizations and individuals to:

Build new revenue streams

Create and enhance relationships with customers and business partners

Improve operating efficiencies

‹#›

Need for Managers to Understand E-Commerce (2)

To succeed, managers must:

Understand the customers and fundamentals of the markets in which they operate

Understand how the Internet differs from the traditional venues for business activity

Employ business models appropriate to the Internet

‹#›

Figure 7.1 - The Scope of E-Commerce

‹#›

Forms of E-Commerce

‹#›

Forms of e-Commerce

‹#›

Source: https://www.longato.co.uk/social-media-public-sector/

Business-to-Business (B2B) E-Commerce (1)

Revenue generated via B2B transactions greatly exceeds B2C revenue

Exchange of goods and services between businesses via computer networks

Private stores: Buyer has to enter a company identification code and password to make a purchase

‹#›

Business-to-Business (B2B) E-Commerce (2)

Customer portals

Private stores that offer additional services beyond placing an order

Web sites can be accessed online from anywhere in the world

Private company marketplace

Transactions take place between original equipment manufacturers and the companies that sell the final product

Helps to manage the purchasing functions through a Web site

‹#›

Business-to-Business (B2B) E-Commerce (3)

E-procurement software: Allows a company to create an electronic catalog with search capability

Automates key functions of the purchasing process

Creating, reviewing, and approving purchase orders

Transmitting purchase orders electronically to the supplier

‹#›

Business-to-Business (B2B) E-Commerce (4)

Industry consortia-sponsored marketplace

Created by several companies of a specific industry

Allows to gain advantages of the private company marketplace for all members of the consortia

‹#›

Business-to-Consumer (B2C) E-Commerce (1)

Exchange of goods and services between business organizations and individual consumers

Web sites focus on:

Attracting prospects

Converting prospects into customers

Retaining prospects to capture additional future sales

‹#›

Business-to-Consumer (B2C) E-Commerce (2)

Many big retailers have built effective and efficient online Web sites

Modify in-store operations and procedures to meet shoppers’ new expectations

Lure online shoppers into their store by allowing customers to pick up their purchases at a local store

Information Technology for Managers

‹#›

Business-to-Consumer (B2C) E-Commerce (3)

Long tail

Products with low sales volume can collectively make up a market share that exceeds the relatively few current bestsellers

Provided the distribution channel is large enough

Omnichannel retailing: Application of the same business strategy across all marketing channels

Each channel uses the same database of customer information, products, prices, and promotions

‹#›

Consumer-to-Consumer (C2C) E-Commerce

Exchange of goods and services among individuals, facilitated by a third party

Craigslist

Enables individuals or organizations to place ads under the category that will best attract the target audience for their goods or services

eBay

Supports auction style listings in which a seller offers one or more items for sale by a specific date and time

Facebook Marketplace (and more)

‹#›

E-Government Commerce (1)

Use of information technology by government agencies to transform relations between:

Government and citizens (G2C)

Government and businesses (G2B)

Various branches of the government (G2G)

Saves time and money spent on regulatory compliance by providing quick and easy access to:

Business laws, government regulations, forms, and agency contacts

‹#›

E-Government Commerce (2)

County and local governments have made attempts at implementing e-gov Web sites

U.S. General Services Administration (GSA)

Managing partner for several e-gov G2B initiatives

Directed at improving the efficiency and effectiveness of government operations

‹#›

Mobile Commerce (1)

Buying and selling of goods and/or services using a mobile device

Tablet, smartphone, or other portable device

Supports all forms of e-commerce

.Mobi and m.* sites

.mobi never caught on

m.* : mobile specific versions of websites

‹#›

Mobile Commerce (2)

Location-based service: Uses location data to control its features and the information it provides

Query-based or push-based

Geo-fencing

‹#›

Mobile Commerce (3)

Web 2.0

End User generated content

Changes in technology and Web site design

Enhances information sharing, collaboration, and functionality on the Web

‹#›

E-Commerce Critical Success Factors

‹#›

E-Commerce Critical Success Factors (1)

Identifying appropriate e-commerce opportunities

Organization must consider how each potential e-commerce initiative fits into its overall business strategy

Set achievable objectives and time-based measures

‹#›

E-Commerce Critical Success Factors (2)

Acquiring necessary organizational capabilities

Make an objective assessment as to whether or not the organization has adequate skills, sufficient experience, and the culture necessary to succeed

Build vs. Buy

Who will build the site

Who will operate the site

Web site hosting: Involves the storing, serving, and backup of files for one or more Web sites

Offers dedicated hardware or virtual private servers

‹#›

E-Commerce Critical Success Factors (3)

Directing potential customers to the organization’s site

Search engine optimization (SEO)

Ensures that the Web site appears at or near the top of the search engine results

Organic list

Provides a list of potential Web sites to users based on their content and keyword relevancy

Paid listings

Search engine results that appear because of the payment of fees

‹#›

E-Commerce Critical Success Factors (4)

Web page banner ads

Display a graphic and include a hyperlink to the advertisers’ Web site

Banner advertising network

Acts as a broker between Web sites and advertisers

‹#›

E-Commerce Critical Success Factors (7)

Secure Sockets Layer (SSL) / Transaction Layer Security (TLS): Verifies the authenticity of the the Web site to which a user is connected

Payment Card Industry (PCI) Data Security Standard: Requires retailers to implement a set of security management policies

‹#›

E-Commerce Critical Success Factors (8)

Smart card: Contains an embedded microchip that can process instructions and store data

Europay, MasterCard, and Visa jointly developed the EMV standard specifications for authenticating transactions using smart cards

Chip vs. Chip + PIN

‹#›

Advantages of E-Commerce

‹#›

E-Commerce Advantages for the Seller

‹#›

Global marketplace

Build to order

Lower advertising cost

Targeted advertising

7 x 24 ordering

Data gathering

Instant delivery of media

E-Commerce Advantages for Society

‹#›

Less consumer travel = less pollution

Can reach developing countries

More sources creates more competition

But ….

More deliveries = more pollution

Increased online sale = Impact to local businesses

Distant sellers = Harder to validate supply chain

Issues Associated with E-commerce

‹#›

Issues Associated with E-Commerce (1)

Customers fear that their personal data may be stolen or used inappropriately

Concerns about whether online data is secured from access by unauthorized users or hackers

Cultural and linguistic obstacles

Make a Web site less attractive or effective for any subgroup of potential users

People feel more comfortable buying products and services in their own language

Information Technology for Managers

‹#›

Issues Associated with E-Commerce (2)

Difficulty integrating Web and non-Web sales and inventory data

Organizations use separate, non-integrated systems to capture order and inventory information

Significant cost and effort is required to connect inventory and order status data from the Web and non-Web channels

Information Technology for Managers

‹#›

Enterprise System

Ensures that business transactions are processed efficiently and accurately

Employs a database of key operational and planning data that can be shared with authorized users across the organization

Examples

Enterprise resource planning system

Customer relationship management system

Product life cycle management system

‹#›

Enterprise Resource Planning

‹#›

Enterprise Resource Planning (ERP) System

Set of integrated programs that manage a company’s vital business operations

Goals

Enable easy access to business data

Create efficient, streamlined work processes

Enables people in various organizational units to access and update the same information

Based on permission levels assigned within the system

‹#›

Figure 8.1 - Enterprise Resource Planning System

‹#›

Enterprise Resource Planning (ERP) System (continued)

Each industry has different business practices

ERP vendors offer tailored software modules that meet the needs of specific industries

Companies can pick and choose which modules to install

‹#›

Benefits of Using an ERP System (1)

Improved access to quality data for operational decision making

Provides better customer service and support

Strengthens customer and supplier relationships

Generates new business opportunities

Simplified consolidation of financial data

Accurate, consistent, detailed, and up-to-date information is important for business

ERP enables rapid consolidation of data across multiple organizational units and countries

Information Technology for Managers

‹#›

Benefits of Using an ERP System (2)

Improvement of work processes

ERP vendors combine the requirements of leading companies within the same industry to develop a set of best practices

Downside: Possible loss of competitive advantage

Business rules exist for a reason (good or bad)

Elimination of costly, inflexible legacy systems

Separate systems can be replaced with a single integrated set of applications

Downside: Single Point of Failure (SPOF)

Information Technology for Managers

‹#›

Benefits of Using an ERP System (3)

Opportunity to upgrade and standardize technology infrastructure

Standardizing on fewer technologies and vendors reduces ongoing maintenance and support costs

Downside: Standardizes vulnerabilities

Information Technology for Managers

‹#›

Classification of ERP Vendors (1)

Tier I

Target multinational firms with annual revenue exceeding $1 billion

Solutions are complex and expensive to implement and support

Tier II

Target medium-sized firms with annual revenue between $50 million to $1 billion

Solutions are less complex and less expensive to implement and support

Tier III

Target smaller firms with annual revenue between $10 million to $50 million

Solutions are easy and inexpensive to implement and support

‹#›

ERP Customization

Organizations customize an ERP software to:

Integrate other business systems

Add data fields or change field sizes

Meet regulatory requirements

Open-source ERP systems allow organizations to modify the source code to meet their needs

Information Technology for Managers

‹#›

Supply Chain Management (SCM)

‹#›

Supply Chain Management (1)

Planning, execution, and control of all activities involved in:

Raw material sourcing and procurement

Conversion of raw materials to finished products

Warehousing and delivery of products to customers

Goal

Decrease costs and improve customer service

Information Technology for Managers

‹#›

Supply Chain Management (2)

Supply chain includes the following processes

Demand planning: Determining the demand for a company’s products by considering the factors that can affect demand

Sourcing

Manufacturing

Logistics

Customer service

Information Technology for Managers

‹#›

Supply Chain Management (3)

ERP systems do not work directly with manufacturing machines on the production floor

Production data must be passed to the ERP accounting modules to maintain accuracy of data

Production quality data can be added based on the results of quality tests run on a sample

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.

Information Technology for Managers

‹#›

Customer Relationship Management

‹#›

Customer Relationship Management (CRM) System

Supports all aspects of customer encounters

Marketing, sales, distribution, accounting, and customer service

Goal

To understand and anticipate the needs of current and potential customers to increase customer retention and loyalty

Information Technology for Managers

‹#›

Figure 8.4 - Customer Relationship Management (CRM) System

‹#›

Features of CRM

Contact management

Sales management

Customer support

Marketing automation

Analysis

Social networking

Access by smartphones

Import contact data

‹#›

Table 8.3 - Primary Benefits of a CRM System

‹#›

Product Life Cycle Management

‹#›

Product Life Cycle Management (PLM)

Enterprise business strategy that creates a common repository of product information and processes to:

Support the collaborative creation, management, dissemination, and use of product and packaging definition information

‹#›

Product Life Cycle Management Software

Manages the data and processes associated with the phases of the product life cycle

Provides support for the following functions

Configuration management

Document management

Engineering change management

Release management

Collaboration with suppliers and original equipment manufacturers (OEMs)

‹#›

Scope of PLM

Use of software to assist in the creation, analysis, and modification of the design of a component

Computer-aided design (CAD)

Use of software to test the robustness and performance of components and assemblies

Computer-aided engineering (CAE)

Use of software to control machine tools and related machinery in the manufacture of products

Computer-aided manufacturing (CAM)

‹#›

Figure 8.7 - PLM Business Strategy

‹#›

PLM Software

Categories of manufacturing

Discrete manufacturing: Production of distinct items that can be decomposed back into their basic components

Autos, airplanes, furniture, or toys

Process manufacturing: Production of products that are the result of a chemical process

Soda, laundry detergent, gasoline, and pharmaceutical drugs

Information Technology for Managers

‹#›

IT/IS Asset Management

Tracking procurement, configuration, deployment, patching, break/fix, and decommission of hardware and software assets

What do you have?

Where is it?

Who is responsible for it?

When does it need to be replaced?

Connects to vendor relationship, procurement, and accounting (at a minimum)

Information Technology for Managers

‹#›

Avoiding Enterprise Systems Failures

‹#›

Ways to Avoid Enterprise Systems Failures (1)

Organizations should:

Assign a full-time executive to manage the project

Appoint an experienced, independent resource to provide project oversight

Allow sufficient time for transition from the old processes to the new processes

Involve users throughout the project and act on their feedback

Deliver project value early and often

‹#›

Ways to Avoid Enterprise Systems Failures (2)

Plan to spend considerable time and money training people

Define metrics to assess project progress and identify project-related risks

Keep the scope of the project well defined and contained to essential business processes

Be wary of modifying the enterprise system software to conform to their business practices

Information Technology for Managers

‹#›

Hosted Software Model for Enterprise Software

Information Technology for Managers

‹#›

Hosted Software Model

Aims to help customers acquire, use, and benefit from the new technology

Associated complexity and high start-up costs are avoided

Advantageous for SMEs as they can experiment with powerful software capabilities without a high investment

Information Technology for Managers

‹#›

Table 8.7 - Advantages and Disadvantages of Hosted Software Model

Information Technology for Managers

‹#›

CIA Triad

‹#›

Confidentiality

Integrity

Availability

Confidentiality: Ensuring that data is only accessible by those who have appropriately approved access.

Integrity:

Ensuring that data is not changed without appropriate permission.

Availability: Ensuring that data is accessible without interruption or delay

Information

Security

Vulnerability, Exploit, Threat

Vulnerability: A weakness in any software, hardware, or configuration that allows confidentiality, integrity, or availability to be violated

Exploit: A specific method for taking advantage of a vulnerability

Threat: A person or group with the skills and knowledge to use an exploit

Risk: Financial loss due to damage, disruption, or loss of information systems (Five Component Model)

‹#›

What is an Information System?

‹#›

HARDWARE

SOFTWARE

DATA

PROCESS

PEOPLE

Business

Technology

An information system is hardware and software that allow people to follow a process. (Kroenke, 2011)

Information systems move work away from people and into technology

Increasing difficulty of introducing change

Five Component Model

Growing Problem

‹#›

Authentication & Authorization

Authentication: Are you who you claim to be?

How do you prove your identity?

User Identifies (provides evidence)

System confirms = Authentication

‹#›

Authorization

Granting access

What do you have permission to do?

Auditing

Tracking actions

Accountability

Monitoring

Authentication & Authorization

Vulnerabilities to A&A

Bypass Authentication

Spoof (fake) Authentication

Bypass Authorization

Bypass Auditing

‹#›

Reasons for Prevalence of Computer Security Incidents

Misuse of user or system accounts with elevated privileges

Default software and configurations are unsecure and not updated

New vulnerabilities introduced by expanding and changing systems

Increasing sophistication of perpetrators of computer crime. Hackers get better over time

Higher computer user expectations

Bring your own device (BYOD)

Policy that permits or encourages employees to use personal mobile devices to access company systems

‹#›

Perpetrators

Black hat hacker : Has malicious intent

White hat hacker : “ethical hackers” – Employees or researchers investigating security

Grey hat hacker : Unauthorized investigation without malicious intent

Cracker : Unethical computer access

Malicious Insider : Employee who steals data or commits sabotage

Industrial Spy : Outsider disguised as insider who steals data or commits sabotage

‹#›

Perpetrators

Cybercriminal : Generic term for “bad guy” who attacks systems for personal gain or to cause damage.

Hacktivist : Uses cybercriminal techniques for a political agenda

Cyberterrorist : Uses cybercriminal methods to inflect harm and fear

Script kiddie : Unskilled cybercriminal using tools available on the internet

Advanced Persistent Threat (APT) : Skilled attackers with extensive resources

‹#›

Types of Exploits

‹#›

Virus : Programming code that modifies other programs in order to operate and propagate

Worm : Capable of spreading without human intervention

Trojan : Malicious code hidden inside a seemingly harmless (and useful) program

Zero-Day : New vulnerability that does not yet have a fix

Spam : Exploits email systems to send unsolicited email to large numbers of people

Distributed Denial of Service (DDOS) : Malicious hacker takes over computers via the Internet

Types of Exploits

‹#›

Phishing: Fraudulently using email to get a recipient to reveal personal data or download malware

Spear-phishing: Phisher sends fraudulent emails to a certain organization’s employees

Whale-phishing: Targeting high level executives or other influential business leaders

Smishing: Uses Short Message Service (SMS) – Text msg

Vishing: Uses voice mail message

Types of Exploits – Social Engineering

‹#›

Trick people into revealing confidential information, such as passwords, account numbers, procedures, or key names

Pretexting: Gaining information through deceit, flattery, false credentials, intimidation, or lax security

Shoulder surfing: Watching while someone enters confidential information or access restricted sites and/or data

Can use in-person influence, email (spam), phone calls, etc.

Information from multiple social engineering attacks can be correlated to create a stronger attack later

Types of Exploits - Identity Theft

‹#›

Occurs when someone steals an individual’s personal information and uses it without their permission

Used to commit fraud or crimes or is sold on the Dark Web

Data breach: Unintended release of sensitive data or the access of sensitive data by unauthorized individuals

Types of Exploits – Card Theft

‹#›

Card Skimmers

Physical card reader mounted on top of a legitimate card reader

Reads and stores card information

Forwards card into real card reader

Cameras

Takes pictures of card

Takes pictures of PIN sequence

Types of Exploits – Insider Threat

‹#›

Usually a Disgruntled Employee

Sabotage

Logic bombs

Violation of policy

Password changes

Data Exfiltration

Send sensitive data outside company via email, file transfer, steganography, or other means

Types of Exploits - Cyberespionage

‹#›

Deployment of malware that secretly steals high-value data in the computer systems of organizations

High-value data includes:

Sales, marketing, and new product development plans, schedules, and budgets

Details about product designs and innovative processes

Employee personal information and customer and client data

Sensitive information about partners and partner agreements

Types of Exploits - Cyberterrorism

‹#›

Intimidation of a government or a civilian population by using information technology to disable critical national infrastructure

Done to achieve political, religious, or ideological goals

Department of Homeland Security (DHS)

Federal agency which aims to protect the U.S. from terrorism and other potential threats

United States Computer Emergency Readiness Team (US-CERT)

Handles security incidents and provides information regarding computer security topics

Types of Exploits – Advanced Persistent Threat (APT)

‹#›

Highly skilled with access to technology resources and money

TTP – Tactics, Techniques, and Procedures

Intruder gains access to a network

Stays there with the intention of stealing data over a long period of time

Compromises targeted systems

Types of Exploits – Advanced Persistent Threat (APT)

‹#›

Phases

Reconnaissance

Incursion

Discovery

Capture

Export

Types of Exploits – Advanced Persistent Threat (APT)

‹#›

Usually Nation-State Endorsed or Supported

A few APT Groups and where they are probably from:

Lazarus Group (APT 38) – North Korea

Fancy Bear (APT 28) – Russia

Double Dragon (APT 41)– China

Helix Kitten (APT 34) – Iran

Equation Group – US National Security Agency

The Shadow Brokers – Russia?

MANY more from other countries

Types of Exploits - Ransomware

‹#›

Encrypts data on the target system (any computer)

Demands money in exchange for decryption key

Malware usually delivered through a phishing attack

Payment is made through untraceable cryptocurrencies (e.g. Bitcoin)

Ransom amounts are low in order to entice payment

Types of Exploits - Ransomware

‹#›

Ransomware causes hospital service interruptions that kill people

PBS News Hour report: https://www.pbs.org/newshour/science/ransomware-and-other-data-breaches-linked-to-uptick-in-fatal-heart-attacks

Ransomware caused delays in treatment

Delayed treatment led to heart attack patients dying

As many as 2,500 deaths per year in the US

Cyber Crime Laws

Computer Fraud and Abuse Act (1984, 1994)

Computer Security Act (1987)

National Infrastructure Protection Act (1996)

Government Information System Reform Act (2000)

Patriot Act (2001)

Federal Information Security Act (2002)

Intellectual Property laws

‹#›

Dilemmas Faced by Business Managers Regarding IT Security

IT Security is no longer optional

Due diligence – Actions taken by prudent people to prevent harm to others.

What resources (people, time, and money) must be spent to safeguard against computer crime

Handling lost sales and increased costs due to necessary security safeguards

Dealing with reputational impact

Actions to be taken if a firm is a victim of a computer crime

Information Technology for Managers

‹#›

The Big Dilemma

Most companies are not in business to be secure, but they must be secure to be in business

Information Technology for Managers

‹#›

Establishing a Security Policy

Executive Governance Issue.

IT Security policy must come from the top

A good security policy describes responsibilities and the behavior expected of all members of the organization

People are the weakest link – and most important link – in the security chain

Automated system rules should mirror an organization’s written policies

Include all devices, software, data, networks, etc.

Companies are including special security requirements for mobile devices

‹#›

Cyber Defense

Identify

Know what threats exist and what assets they attack

Protect

Make it hard for bad guys to penetrate your systems

Detect

Know if a breach occurs

Respond

Stop the attack, assess the damage, gather evidence

Recover

Get back to normal.

Fix the vulnerability

‹#›

Response Plan

In case of an intrusion, there must be a clear reaction plan that addresses:

Notification

Follow the law

Evidence protection

Forensics is a specialized skill set

Containment and eradication

Recovery

Root Cause Analysis (RCA)

Technical cause

Policy, process, and procedure cause

Never hack back

Serious legal implications

‹#›

Risk Assessment

Goal - To identify the best investments of time and resources that will protect the organization from its threats

Asset - Any hardware, software, information system, network, data, or database used by the organization to achieve its objectives

If you don’t know about it, you can’t protect it

Loss event - Any occurrence that has a negative impact on an asset

‹#›

Steps in a Risk Assessment Process

‹#›

Identify all IT assets

Identify loss events or possible risks or threats

Assess the frequency of events and the probability of each potential threat

Determine the impact of each occurring threat

Research mitigations for each threat

Perform cost-benefit analysis on each mitigation

Cost-Benefit Analysis

‹#›

Cost of the mitigation should not be more than the value of the asset

Cost of the mitigation should not be more than the benefit derived

Risk Management

‹#›

Risk Mitigation

Reducing risk by implementing safeguards

Risk Assignment

Transferring risk to another party (e.g. insurance or outsourcing)

Risk Acceptance

Deciding that the mitigation costs exceed the value of the asset

Risk Rejection

Denying or ignoring the risk

Educating Employees and Contractors

Users must lead in protecting an organization’s information systems and data:

Follow company security policies. Don’t bypass them to get work done.

Use strong passwords to protect IT/IS accounts

Do NOT share passwords – For any reason

Question requests from people you do not know

Apply strict access controls to protect data from disclosure or destruction

Report unusual activity – Raise Your Hand

Protect mobile devices – Encrypt and PIN

‹#›

Defense in Depth: Use every technique feasible

Protect all assets in multiple ways

The attackers are using every tool they have

Software Patching: Keep all software current to ensure latest fixes are installed

Validate Configurations: Are your systems configured to be secure?

Only run what is required

Are the configurations tested?

‹#›

Preventive Measures (1)

Firewall: Limits network access based on the organization’s access policy

Stands guard between an organization’s internal network and the Internet

Established through the use of software, hardware, or both

Deep packet inspection: Checking for unauthorized data exiting the corporate network

Email scanning: Check for unauthorized content going out or coming in

‹#›

Preventive Measures (2)

Intrusion detection system (IDS): Monitors system and network resources and activities

Notifies network security personnel when it detects network traffic that attempts to avoid the security measures

Approaches of intrusion detection systems

Knowledge-based

Behavior-based

‹#›

Preventive Measures (3)

Antivirus software: Regularly scans memory and disk drives of computers for viruses

Looks for virus signatures

Virus signatures: Sequences of bytes that indicate the presence of a specific virus

MUST be regularly updated

‹#›

Preventive Measures (4)

Implement safeguards against attacks by malicious insiders

Define Roles and Responsibilities

Segregation of Duties – Don’t give too much authority to one person

Least Privilege – Only let users have access they require for their job

Monitor user access and actions

‹#›

Preventive Measures (5)

Encryption

Encode data so that only those with the key can read the data

Two Factor Authentication (2FA) and Multifactor Authentication (MFA)

Use more than just a password

Something you know (password)

Something you have (authentication token)

Something you are (biometrics)

Someplace you are (location based)

‹#›

Preventive Measures (6)

Preventive Measures (7)

Conduct regular IT security audits

Security audits: Evaluate whether organizations have well-considered security policies in place and if they are being followed

Can evidence be provided that the policies exist and are being followed?

Asset Inventory

You can’t protect what you don’t know about

Third Party Providers

Are contractors and providers using appropriate security?

‹#›

Response Plan

Goal - To regain control and limit damage

Define the people to be notified in the event of a computer security incident

Follow the law on notification

Document all details of the incident

Establish document handling procedures

Define the process for containing the incident

Conduct eradication efforts

Follow-up

Prepare a formal incident report and estimate the monetary damage

‹#›

Computer Forensics

Identifies, collects, examines, and preserves data from computer systems, networks, and storage devices

Preserves the integrity of the data gathered so that it is admissible as evidence in a court of law

Combines elements of law and computer science

Can be highly technical if evidence is to be used for legal purposes

Investigation may be opened in response to a criminal investigation or civil litigation

‹#›

Ethics of Information Systems

Information Systems is the study of how technology is used

Is the tool of technology used for good or not-so good purposes?

How do you know?

What standard do you use?

‹#›

What is Ethics?

‹#›

Morals, Ethics, and Laws

‹#›

Ethics

Set of beliefs about right and wrong behavior

Ethical behavior conforms to generally accepted social norms

Morals

Personal beliefs about right and wrong

Law

System of rules that states what can be done and what cannot be

Doing what is right can be difficult in certain situations

Trolley problem

Trolley Problem

‹#›

Source: wikimedia

Code of Ethics

States the principles and core values that are essential to a professional’s work

Guidelines devised by the Association for Computing Machinery (ACM)

Contribute to society and human well-being

Avoid harm to others (Primum non nocere)

Be honest and trustworthy

Be fair and take action not to discriminate

Honor property rights including copyrights and patents

Give proper credit for intellectual property

Respect the privacy of others

Honor confidentiality

Information Technology for Managers

‹#›

Steps Involved in the Decision-Making Process

‹#›

Gather information

Develop problem statement

Consult others

Identify options

Evaluate options

Choose option

Implement solution

Review results

Personal and External factors

Figure 12.3 - Factors to Weigh in Decision Making

‹#›

Privacy

‹#›

First and Fourth Amendments

First Amendment

Adopted to guarantee Americans’ rights to freedom of religion, freedom of expression, and freedom to assemble

Plays an important role if data is being gathered to track the movement of groups of people

Fourth Amendment

Adopted to protect the people from unreasonable searches and seizures of properties

Violation occurs if data is gathered without obtaining a warrant

‹#›

Figure 12.4 - Sources of Gathering Information

‹#›

Data Brokers

Companies that create profiles on people

Based on aggregated data from arrest records, business directories, social media networks, and other public records

Acxiom/LiveRamp, Epsilon, InfoGroup, Merkle, and more…

Doxing: Gathering information about an individual using information from data brokers

Bad characters threaten to expose their victims’ personal details unless a form of ransom is paid

‹#›

Privacy of Stakeholders

Approaches to balance the needs of stakeholders

New laws, technical solutions, and privacy policies

Reasonable limits on government and business access to personal information

New information and communication technologies must be designed to protect privacy

‹#›

Treating Customer Data Responsibly

Code of Fair Information Practices

Defines five widely accepted core principles concerning fair information practices of privacy protection

Notice/Awareness

Choice/Consent

Access/Participation

Integrity/Security

Enforcement/Redress

‹#›

OECD Privacy Guidelines

1980 Organization for Economic Cooperation and Development (OECD) privacy guidelines

Represent the international consensus regarding the collection and management of personal information

Collect only personal information that is necessary

Protect the information

Control access

Make it available for review

Allow consumers to make corrections

Notification of planned use

Opt out provision

‹#›

EU GDPR

European Union General Data Protection Regulation (GDPR)

Replaces older Data Protection Directive

User (Data Subject) Rights

Consent

Breach Notification

Data Access

Right to be Forgotten

Fine of up to 4% of annual global revenue

‹#›

CCPA

California Consumer Protection Act (went into effect Jan 1, 2020)

Consumer Rights

Know what data is collected

Know when data is sold or shared and to whom

Block the sale of personal data

Access personal data

Request deletion of personal data

No penalty for invoking privacy rights

‹#›

Privacy Governance

Chief Privacy Officer (CPO): Defines, implements, and oversees a set of data privacy policies

Ensures that the organization does not violate state and federal government regulations

Responsibility for privacy still rests with the board and CEO.

‹#›

Establishing an Effective Data Privacy Program

Organization should:

Conduct a thorough assessment to document the sensitive information collected and the details surrounding it

Define a comprehensive data privacy program that meets all data privacy policies and government requirements

Develop a data breach response plan to be implemented in the event of such an incident

Update the data privacy program based on the ongoing changes in regulatory requirements

‹#›

United States v. Jones 565 U.S. 400 (2012)

Police used a GPS tracking device to monitor a suspect’s movements

Police had a search warrant, but violated the terms of the warrant

US Supreme Court unanimously held that this was unconstitutional

One issue was “reasonable expectation of privacy”.

‹#›

Workplace Monitoring

IT usage policy

Establishes boundaries of acceptable behavior

Enables management to take action against violators

Organizations monitor workers to ensure compliance

‹#›

Workplace Monitoring (continued)

Fourth Amendment of the Constitution

Protects citizens from unreasonable searches by the government

Used to protect the privacy of government employees

Cannot be used to control how a private employer treats its employees

Public sector employees have far greater privacy rights than those in private industry

State privacy statutes tend to favor employers over employees

‹#›

Social Networking and Privacy

Social networks encourage members to create a user profile

Involves name, photo, and other personal data

Includes clauses permitting the network operator to collect and store data on users or even share it with third parties

‹#›

Privacy Issues in Social Networking

Information is shared by the operator with other members of a social network

Law enforcement, the press, and the public

Data breaches

Email addresses of the users are obtained

‹#›

Internet Censorship

‹#›

Internet Censorship

Control or suppression of the publishing or accessing of information on the Internet

Forms

Limiting access to certain Web sites or allowing access to only modified content

Rejecting the use of certain key words in search engine searches

Tracking and monitoring the Internet activities of individuals and harassing or jailing them for their Internet use

‹#›

Figure 12.6 - Support for Internet Freedom Linked to Internet Usage

‹#›

Source: “Support for Internet Freedom Linked to Internet Usage,” Pew Research Center, March 18, 2014, www.pewglobal

.org/2014/03/19/emerging-and-developing-nations-want-freedom-on-the-internet/internet-censorship-opinions2.

Internet Access

‹#›

Internet Access: Barriers and Solutions (1)

Digital divide

Describes the distance between those who do and those who don’t have access to modern information and technology

Exists everywhere

Country to country, within countries, and among all age groups and economic classes

Education Rate (E-Rate) program

Advances educational resources by making broadband Internet available to schools

‹#›

Internet Access: Barriers and Solutions (2)

Net neutrality

ISPs should treat all Internet traffic running on their wired or wireless broadband networks the same

FCC sets the rules to govern net neutrality

‹#›

Figure 12.7 - Estimated Growth of the Internet of Everything

‹#›

Source: Greenough, John, “The Internet of Everything: 2015 [Slide Deck],” Business Insider, March 25, 2015, www.businessinsider.com/internet-of-everything-2015-bi-2014-12?op=1.

Project Management Process Groups

A process is a series of actions directed toward a particular result

Project management can be viewed as a number of interlinked processes

The project management process groups include

initiating processes

planning processes

executing processes

monitoring and controlling processes

closing processes

Information Technology Project Management, Eighth Edition

‹#›

Figure 3-1. Percentage of Time Spent on Each Process Group

Information Technology Project Management, Eighth Edition

‹#›

WRONG METRIC

Information Technology Project Management, Eighth Edition

‹#›

Right question:

How did you perform versus the plan?

Good: +/- 2%

Bad: Miss > 5%

The purpose of planning is to manage the triple constraint.

Managing the Triple Contraint

Scope directly correlates to Time/Schedule

Larger scope ~ Longer Time

Time directly correlates to Cost

Longer time ~ Higher Cost

Planning the correct scope leads to better time estimates

Developing the correct time estimate leads to better cost estimates

Information Technology Project Management, Eighth Edition

‹#›

Figure 3-5. Scrum Framework and the Process Groups

Information Technology Project Management, Eighth Edition

‹#›

Two Commandments

‹#›

Plan Your Work

Work Your Plan

Two Commandments - Scrum

‹#›

Plan Your Work

Work Your Plan

Two Commandments - Waterfall

Plan Your Work

Work Your Plan

Analysis

Paralysis

Building the Wrong Things

Traditional vs. Agile

Traditional / Waterfall: Projects with heavy constraints, inexperienced and dispersed teams, large risks, generally clear upfront requirements, and a fairly rigid completion date are best done using a predictive approach

Agile / Scrum: Projects with less rigid constraints, experienced and preferably co-located teams, smaller risks, unclear requirements, and more flexible scheduling would be more compatible with an agile approach

Information Technology Project Management, Eighth Edition

‹#›

Information Technology Project Management, Eighth Edition

‹#›

The Key to Overall Project Success: Good Project Integration Management

Project managers must coordinate all of the other knowledge areas throughout a project’s life cycle

Many new project managers have trouble looking at the “big picture” and want to focus on too many details (See opening case for a real example)

Project integration management is not the same thing as software integration

Information Technology Project Management, Eighth Edition

‹#›

Project Integration Management Processes, Part 1

1. Developing the project charter involves working with stakeholders to create the document that formally authorizes a project—the charter.

2. Developing the project management plan involves coordinating all planning efforts to create a consistent, coherent document—the project management plan.

3. Directing and managing project work involves carrying out the project management plan by performing the activities included in it.

Information Technology Project Management, Eighth Edition

‹#›

Project Integration Management Processes, Part 2

Monitoring and controlling project work involves overseeing activities to meet the performance objectives of the project

Performing integrated change control involves identifying, evaluating, and managing changes throughout the project life cycle.

Closing the project or phase involves finalizing all activities to formally close the project or phase.

Information Technology Project Management, Eighth Edition

‹#›

Figure 4-1. Project Integration Management Summary

Scope

Time

Cost

Quality

Human Resources

Communication

Risk

Procurement

Stakeholders

Information Technology Project Management, Eighth Edition

‹#›

Financial Analysis of Projects

Financial considerations are often an important consideration in selecting projects

Three primary methods for determining the projected financial value of projects:

Net present value (NPV) analysis

Return on investment (ROI)

Payback analysis

Information Technology Project Management, Eighth Edition

‹#›

Net Present Value Analysis

Net present value (NPV) analysis is a method of calculating the expected net monetary gain or loss from a project by discounting all expected future cash inflows and outflows to the present point in time

Projects with a positive NPV should be considered if financial value is a key criterion

The higher the NPV, the better

Information Technology Project Management, Eighth Edition

‹#›

Figure 4-4. Net Present Value Example

Empty cell	A	B	C	D	E	F	G
1	Discount rate	10%	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
2	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
3	Project 1	Year 1	Year 2	Year 3	Year 4	Year 5	Total
4	Benefits	$0	$2,000	$3,000	$4,000	$5,000	14,000
5	Costs	$5,000	$1,000	$1,000	$1,000	$1,000	$9,000
6	Cash flow	($5,000)	$1,000	$2,000	$3,000	$4,000	$5,000 (with arrow. Note that totals are equal, but Net Present Values are not because of the time value of money)
7	Net Present Value (arrow)	$2,316	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
8	Empty cell	Formula=npv(b1,b6:f6)	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
9	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
10	Project 2	Year 1	Year 2	Year 3	Year 4	Year 5	Total
11	Benefits	$1,000	$2,000	$4,000	$4,000	$4,000	$15,000
12	Costs	$2,000	$2,000	$2,000	$2.000	$2,000	$10,000
13	Cash flow	($1,000)	$0	$2,000	$2,000	$2,000	$5,000 (with arrow. Note that totals are equal, but Net Present Values are not because of the time value of money)
14	Net present value (arrow)	$3,201	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
15	Empty cell	Formula=npv(b1,b13:f13)	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
16	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
17	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell

Information Technology Project Management, Eighth Edition

‹#›

Figure 4-5. JWD Consulting NPV Example

Note: See the template called business_case_financials.xls

Discount Rate	8 percent	Empty cell	Empty cell	Empty cell	Empty cell	Empty cell
Assume the project is completed in Year 0	Empty cell	Empty cell	Year	Empty cell	Empty cell	Empty cell
Empty cell	0	1	2	3	Total	Empty cell
Costs	140,000	40,000	40,000	40,000	Empty cell	Empty cell
Discount factor	1	.93	.86	.79	Empty cell	Empty cell
Discounted benefits	0	186,000	172,000	158,000	516,000	Empty cell
Discounted benefits - costs	(140,000)	148,800	137,600	126,400	(Net present value) 272,800 (arrow pointing)	NPV (has arrow)
Cumulative benefits – costs	(140,000)	8,800 (Payback In Year 1)	146,400	272,800	Empty cell	Empty cell
ROI (with arrow)	112% (return on investment)	Payback in Year 1 (with arrow pointing up)	Empty cell	Empty cell	Empty cell	Empty cell

Information Technology Project Management, Eighth Edition

‹#›

NPV Calculations

Determine estimated costs and benefits for the life of the project and the products it produces

Determine the discount rate (check with your organization on what to use)

Calculate the NPV (see text for details)

Use Excel NPV() function

Notes: Some organizations consider the investment year as year 0, while others start in year 1. Some people entered costs as negative numbers, while others do not. Check with your organization for their preferences

Information Technology Project Management, Eighth Edition

‹#›

Return on Investment

Return on investment (ROI) is calculated by subtracting the project costs from the benefits and then dividing by the costs

ROI = (total discounted benefits - total discounted costs) / discounted costs

The higher the ROI, the better

Many organizations have a required rate of return or minimum acceptable rate of return on investment for projects

Internal rate of return (IRR) can by calculated by finding the discount rate that makes the NPV equal to zero

Information Technology Project Management, Eighth Edition

‹#›

Payback Analysis

Another important financial consideration is payback analysis

The payback period is the amount of time it will take to recoup, in the form of net cash inflows, the total dollars invested in a project

Payback occurs when the net cumulative discounted benefits equals the costs

Many organizations want IT projects to have a fairly short payback period

Information Technology Project Management, Eighth Edition

‹#›

Figure 4-6. Charting the Payback Period

Information Technology Project Management, Eighth Edition

‹#›

Developing a Project Charter

After deciding what project to work on, it is important to let the rest of the organization know

A project charter is a document that formally recognizes the existence of a project and provides direction on the project’s objectives and management

Key project stakeholders should sign a project charter to acknowledge agreement on the need and intent of the project; a signed charter is a key output of project integration management

Information Technology Project Management, Eighth Edition

‹#›

Inputs for Developing a Project Charter

A project statement of work

A business case

Agreements

Enterprise environmental factors

Organizational process assets, which include formal and informal plans, policies, procedures, guidelines, information systems, financial systems, management systems, lessons learned, and historical information

Information Technology Project Management, Eighth Edition

‹#›

Developing a Project Management Plan

A project management plan is a document used to coordinate all project planning documents and help guide a project’s execution and control

Plans created in the other knowledge areas are subsidiary parts of the overall project management plan

Information Technology Project Management, Eighth Edition

‹#›

Common Elements of a Project Management Plan

Introduction or overview of the project

Description of how the project is organized

Management and technical processes used on the project

Work to be done, schedule, and budget information

Information Technology Project Management, Eighth Edition

‹#›

Table 4-2. Sample Contents for a Software Project Management Plan (SPMP)

MAJOR SECTION HEADINGS	SECTION TOPICS
Overview	Purpose, scope, and objectives; assumptions and constraints; project deliverables; schedule and budget summary; evolution of the plan
Project Organization	External interfaces; internal structure; roles and Responsibilities
Managerial Process Plan	Start-up plans (estimation, staffing, resource acquisition; and project staff training plans); work plan (work activities, schedule, resource, and budget allocation); control plan; risk management plan; closeout plan
Technical Process Plans	Process model; methods, tools, and techniques; infrastructure Plan; product acceptance plan
Supporting Process Plans	Configuration management plan; verification and validation plan; documentation plan; quality assurance plan; reviews And audits; problem resolution plan; subcontractor manage- ment plan; process improvement plan
IEEE Standard 1058-1998.	Empty cell

Information Technology Project Management, Eighth Edition

‹#›

Directing and Managing Project Work

Involves managing and performing the work described in the project management plan

The majority of time and money is usually spent on execution

The application area of the project directly affects project execution because the products of the project are produced during execution

Information Technology Project Management, Eighth Edition

‹#›

Coordinating Planning and Execution

Project planning and execution are intertwined and inseparable activities

Those who will do the work should help to plan the work

Project managers must solicit input from the team to develop realistic plans

Information Technology Project Management, Eighth Edition

‹#›

Providing Leadership and a Supportive Culture

Project managers must lead by example to demonstrate the importance of creating and then following good project plans

Organizational culture can help project execution by

providing guidelines and templates

tracking performance based on plans

Project managers may still need to break the rules to meet project goals, and senior managers must support those actions

Information Technology Project Management, Eighth Edition

‹#›

Capitalizing on Product, Business, and Application Area Knowledge

It is often helpful for IT project managers to have prior technical experience

On small projects, the project manager may be required to perform some of the technical work or mentor team members to complete the projects

On large projects, the project manager must understand the business and application area of the project

Information Technology Project Management, Eighth Edition

‹#›

Project Execution Tools and Techniques

Expert judgment: Experts can help project managers and their teams make many decisions related to project execution

Meetings: Meetings allow people to develop relationships, pick up on important body language or tone of voice, and have a dialogue to help resolve problems.

Project management information systems: There are hundreds of project management software products available on the market today, and many organizations are moving toward powerful enterprise project management systems that are accessible via the Internet

See the What Went Right? example of Kuala Lumpur’s Integrated Transport Information System on p. 169

Information Technology Project Management, Eighth Edition

‹#›

Monitoring and Controlling Project Work

Changes are inevitable on most projects, so it’s important to develop and follow a process to monitor and control changes

Monitoring project work includes collecting, measuring, and disseminating performance information

A baseline is the approved project management plan plus approved changes

Information Technology Project Management, Eighth Edition

‹#›

Performing Integrated Change Control

Three main objectives are:

Influencing the factors that create changes to ensure that changes are beneficial

Determining that a change has occurred

Managing actual changes as they occur

Information Technology Project Management, Eighth Edition

‹#›

Change Control on Information Technology Projects

Former view: The project team should strive to do exactly what was planned on time and within budget

Problem: Stakeholders rarely agreed up-front on the project scope, and time and cost estimates were inaccurate

Modern view: Project management is a process of constant communication and negotiation

Solution: Changes are often beneficial, and the project team should plan for them

Information Technology Project Management, Eighth Edition

‹#›

Change Control System

A change control system is a formal, documented process that describes when and how official project documents and work may be changed

Describes who is authorized to make changes and how to make them

Information Technology Project Management, Eighth Edition

‹#›

Change Control Board (CCB)

A change control board is a formal group of people responsible for approving or rejecting changes on a project

CCBs provide guidelines for preparing change requests, evaluate change requests, and manage the implementation of approved changes

Includes stakeholders from the entire organization

Some CCBs only meet occasionally, so it may take too long for changes to occur

Information Technology Project Management, Eighth Edition

‹#›

Configuration Management

Configuration management ensures that the descriptions of the project’s products are correct and complete

Involves identifying and controlling the functional and physical design characteristics of products and their support documentation

Configuration management specialists identify and document configuration requirements, control changes, record and report changes, and audit the products to verify conformance to requirements

Information Technology Project Management, Eighth Edition

‹#›

Table 4-3. Suggestions for Performing Integrated Change Control

View project management as a process of constant communication and negotiation.

Plan for change.

Establish a formal change control system, including a change control board (CCB).

Use effective configuration management.

Define procedures for making timely decisions on smaller changes.

Use written and oral performance reports to help identify and manage change.

Use project management and other software to help manage and communicate changes.

Focus on leading the project team and meeting overall project goals and expectations.

Information Technology Project Management, Eighth Edition

‹#›

Closing Projects or Phases

To close a project or phase, you must finalize all activities and transfer the completed or cancelled work to the appropriate people

Main outputs include

Final product, service, or result transition

Organizational process asset updates

What is Project Scope Management?

Scope refers to all the work involved in creating the products of the project and the processes used to create them

A deliverable is a product produced as part of a project, such as hardware or software, planning documents, or meeting minutes

Project scope management includes the processes involved in defining and controlling what is or is not included in a project

Information Technology Project Management, Eighth Edition

‹#›

Project Documentation and Artifacts

There are many ways to document a project

All of them have good points and all of them have not-so-good points.

Pick a method and get good at it

What’s very important is making sure you have the right requirements

Information Technology Project Management, Eighth Edition

‹#›

Project Scope Management Processes

Planning scope: determining how the project’s scope

and requirements will be managed

Collecting requirements: defining and documenting the features and functions of the products produced during the project as well as the processes used for creating them

Defining scope: reviewing the project charter, requirements documents, and organizational process assets to create a scope statement

Creating the Work Breakdown Structure (WBS): subdividing the major project deliverables into smaller, more manageable components

Validating scope: formalizing acceptance of the project deliverables

Controlling scope: controlling changes to project scope throughout the life of the project

Information Technology Project Management, Eighth Edition

‹#›

Planning Scope Management

The project team uses expert judgment and meetings to develop two important outputs: the scope management plan and the requirements management plan

The scope management plan is a subsidiary part of the project management plan (project integration)

Information Technology Project Management, Eighth Edition

‹#›

Defining Scope

Project scope statements should include at least a product scope description, product user acceptance criteria, and detailed information on all project deliverables. It is also helpful to document other scope-related information, such as the project boundaries, constraints, and assumptions. The project scope statement should also reference supporting documents, such as product specifications

As time progresses, the scope of a project should become more clear and specific

Information Technology Project Management, Eighth Edition

‹#›

Scope Management Plan Contents

How to prepare a detailed project scope statement

How to create a Work Breakdown Structure (WBS)

How to maintain and approve the WBS

How to obtain formal acceptance of the completed project deliverables

How to control requests for changes to the project scope

Information Technology Project Management, Eighth Edition

‹#›

Requirements Management Plan

The PMBOK® Guide, Fifth Edition, describes requirements as “conditions or capabilities that must be met by the project or present in the product, service, or result to satisfy an agreement or other formally imposed specification”

The requirements management plan documents how project requirements will be analyzed, documented, and managed

Information Technology Project Management, Eighth Edition

‹#›

Collecting Requirements

For some IT projects, it is helpful to divide requirements development into categories called elicitation, analysis, specification, and validation

It is important to use an iterative approach to defining requirements since they are often unclear early in a project

Information Technology Project Management, Eighth Edition

‹#›

Figure 5-2. Relative Cost to Correct a Software Requirement Defect

Information Technology Project Management, Eighth Edition

‹#›

Methods for Collecting Requirements

Interviewing

Focus groups and facilitated workshops

Using group creativity and decision-making techniques

Questionnaires and surveys

Observation

Prototyping

Information Technology Project Management, Eighth Edition

‹#›

Methods for Collecting Requirements

Benchmarking, or generating ideas by comparing specific project practices or product characteristics to those of other projects or products inside or outside the performing organization, can also be used to collect requirements

Information Technology Project Management, Eighth Edition

‹#›

Requirements Traceability Matrix

A requirements traceability matrix (RTM) is a table that lists requirements, various attributes of each requirement, and the status of the requirements to ensure that all requirements are addressed

Table 5-1. Sample entry in an RTM

Information Technology Project Management, Eighth Edition

‹#›

Requirement No.	Name	Category	Source	Status
R32	Laptop memory	Hardware	Project charter and corporate laptop specifications	Complete. Laptops ordered meet requirement by having 4GB of memory.

Creating the Work Breakdown Structure (WBS)

A WBS is a deliverable-oriented grouping of the work involved in a project that defines the total scope of the project

WBS is a foundation document that provides the basis for planning and managing project schedules, costs, resources, and changes

Decomposition is subdividing project deliverables into smaller pieces

A work package is a task at the lowest level of the WBS

The scope baseline includes the approved project scope statement and its associated WBS and WBS dictionary

Information Technology Project Management, Eighth Edition

‹#›

Approaches to Developing WBSs

The analogy approach: Review WBSs of similar projects and tailor to your project

The top-down approach: Start with the largest items of the project and break them down

The bottom-up approach: Start with the specific tasks and roll them up

Information Technology Project Management, Eighth Edition

‹#›

The WBS Dictionary and Scope Baseline

Many WBS tasks are vague and must be explained more so people know what to do and can estimate how long it will take and what it will cost to do the work

A WBS dictionary is a document that describes detailed information about each WBS item

Information Technology Project Management, Eighth Edition

‹#›

Advice for Creating a WBS and WBS Dictionary, Part 1

A unit of work should appear at only one place in the WBS.

A WBS item is the responsibility of only one individual, even though many people may be working on it

The WBS must be consistent with the way in which work is actually going to be performed; it should serve the project team first, and other purposes only if practical

Project team members should be involved in developing the WBS to ensure consistency and buy-in

Information Technology Project Management, Eighth Edition

‹#›

Advice for Creating a WBS and WBS Dictionary, Part 2

Each WBS item must be documented in a WBS dictionary to ensure accurate understanding of the scope of work included and not included in that item

The WBS must be a flexible tool to accommodate inevitable changes while properly maintaining control of the work content in the project according to the scope statement

Information Technology Project Management, Eighth Edition

‹#›

Information Technology Project Management, Eighth Edition

‹#›

Validating Scope

It is very difficult to create a good scope statement and WBS for a project

It is even more difficult to verify project scope and minimize scope changes

Scope validation involves formal acceptance of the completed project deliverables

Acceptance is often achieved by a customer inspection and then sign-off on key deliverables

Information Technology Project Management, Eighth Edition

‹#›

Controlling Scope

Scope control involves controlling changes to the project scope (change control portion of project integration management)

Goals of scope control are to

influence the factors that cause scope changes

assure changes are processed according to procedures developed as part of integrated change control, and

manage changes when they occur

Variance is the difference between planned and actual performance

Information Technology Project Management, Eighth Edition

‹#›

Suggestions for Improving User Input

Develop a good project selection process and insist that sponsors are from the user organization

Have users on the project team in important roles

Have regular meetings with defined agendas, and have users sign off on key deliverables presented at meetings

Deliver something to users and sponsors on a regular basis

Don’t promise to deliver when you know you can’t

Co-locate users with developers

Information Technology Project Management, Eighth Edition

‹#›

Suggestions for Reducing Incomplete and Changing Requirements, Part 1

Develop and follow a requirements management process

Use techniques such as prototyping, use case modeling, and JAD to get more user involvement

Put requirements in writing and keep them current

Create a requirements management database for documenting and controlling requirements

Information Technology Project Management, Eighth Edition

‹#›

Provide adequate testing and conduct testing throughout the project life cycle

Review changes from a systems perspective

Emphasize completion dates to help focus on what’s most important

Allocate resources specifically for handling change requests/enhancements like NWA did with ResNet

Information Technology Project Management, Eighth Edition

‹#›

Suggestions for Reducing Incomplete and Changing Requirements, Part 2

High level to Low Level

Sequencing

Dependencies

Predecessors

Successors

Duration

Effort

Cost

Progressive Elaboration

‹#›

Time is a scarce resource

Time has the least amount of flexibility; it passes no matter what happens on a project

Managers often cite delivering projects on time as one of their biggest challenges

Schedule issues are the main reason for conflicts on projects, especially during the second half of projects

Importance of Project Schedules

‹#›

Some people prefer to follow schedules and meet deadlines while others do not

Different cultures and even entire countries have different attitudes about schedules

Individual Work Styles and Cultural Differences Lead to Schedule Conflicts

‹#›

Strong leadership helps projects succeed more than good charts

Project managers should use

empowerment

incentives

discipline (rigorous methods, not punishment)

negotiation

Working with People Issues

‹#›

Many people misuse project management software because they don’t understand important concepts and have not had training

You must enter dependencies to have dates adjust automatically and to determine the critical path

You must enter actual schedule information to compare planned and actual progress

For people who know the software:

Managing the software is not the same as managing the project.

Words of Caution on Using Project Management Software

‹#›

Perform reality checks on schedules

Allow for contingencies

Don’t plan for everyone to work at 100% capacity all the time

Hold progress meetings with stakeholders and be clear and honest in communicating schedule issues

Schedule Control Suggestions

‹#›

The goals is

to know the status of the schedule

determine that the schedule has changed

understand why the schedule has changed

control factors that cause schedule changes

manage changes when they occur

Controlling the Schedule

‹#›

Tools and techniques include

Progress reports

A schedule change control system

Project management software, including schedule comparison charts like the tracking Gantt chart

Variance analysis, such as analyzing float or slack

Performance management, such as earned value (chapter 7)

Controlling the Schedule

‹#›

Book by Frederick Brooks, written in 1975

Some tasks can’t be made to go faster by adding more people

The Mythical Man-Month

‹#›

First review the draft schedule or estimated completion date in the project charter

Prepare a more detailed schedule with the project team

Make sure the schedule is realistic and followed

Alert top management well in advance if there are schedule problems

Reality Checks on Scheduling

‹#›

Planning schedule management: determining the policies, procedures, and documentation that will be used for planning, executing, and controlling the project schedule

Defining activities: identifying the specific activities that the project team members and stakeholders must perform to produce the project deliverables

Sequencing activities: identifying and documenting the relationships between project activities

Estimating activity resources: estimating how many resources a project team should use to perform project activities

Estimating activity durations: estimating the number of work periods that are needed to complete individual activities

Developing the schedule: analyzing activity sequences, activity resource estimates, and activity duration estimates to create the project schedule

Controlling the schedule: controlling and managing changes to the project schedule

Project Time Management Processes

‹#›

The project team uses expert judgment, analytical techniques, and meetings to develop the schedule management plan

A schedule management plan includes:

Project schedule model development

The scheduling methodology

Level of accuracy and units of measure

Control thresholds

Rules of performance measurement

Reporting formats

Process descriptions

Planning Schedule Management

‹#›

An activity or task is an element of work normally found on the work breakdown structure (WBS) that has an expected duration, a cost, and resource requirements

Activity definition involves developing a more detailed WBS and supporting explanations to understand all the work to be done so you can develop realistic cost and duration estimates

Defining Activities

‹#›

An activity list is a tabulation of activities to be included on a project schedule that includes

the activity name

an activity identifier or number

a brief description of the activity

Activity attributes provide more information such as predecessors, successors, logical relationships, leads and lags, resource requirements, constraints, imposed dates, and assumptions related to the activity

Activity Lists and Attributes

‹#›

Involves reviewing activities and determining dependencies

A dependency or relationship is the sequencing of project activities or tasks

You must determine dependencies in order to use critical path analysis

Sequencing Activities

‹#›

Mandatory dependencies: inherent in the nature of the work being performed on a project, sometimes referred to as hard logic

Discretionary dependencies: defined by the project team., sometimes referred to as soft logic and should be used with care since they may limit later scheduling options

External dependencies: involve relationships between project and non-project activities

Three types of Dependencies

‹#›

Activities are represented by boxes

Arrows show relationships between activities

More popular than ADM method and used by project management software

Better at showing different types of dependencies

Precedence Diagramming Method (PDM)

‹#›

Figure 6-3. Task Dependency Types

Task dependency	Example	Description
Finish-to-start (FS)	A diagram of a box labeled A in the top left corner and a box labeled B in the bottom right corner. An arrow points from the right side of box A to the top side of box B.	Task (B) cannot start until task (A) finishes.
Start-to-start (SS)	A diagram of a box labeled A above a box labeled B. Box B is more aligned to the right. An arrow points from the left side of box A down towards the left side of box B.	Task (B) cannot start until task (A) starts.
Finish-to-finish (FF)	A diagram of a box labeled A above a box labeled B. Box B is more aligned to the left. An arrow points from the right side of box A and down to the right side of box B.	Task (B) cannot finish until task (A) finishes.
Start-to-finish (SF)	A diagram of a box labeled A in the top right corner and a box labeled B in the bottom left corner. An arrow points from the left side of box A to the right side of box B.	Task (B) cannot finish until task (A) starts.

‹#›

Figure 6-4. Sample PDM Network Diagram

‹#›

Before estimating activity durations, you must have a good idea of the quantity and type of resources that will be assigned to each activity; resources are people, equipment, and materials

Consider important issues in estimating resources

How difficult will it be to do specific activities on this project?

What is the organization’s history in doing similar activities?

Are the required resources available?

A resource breakdown structure is a hierarchical structure that identifies the project’s resources by category and type

Estimating Activity Resources

‹#›

Duration includes the actual amount of time worked on an activity plus elapsed time

Effort is the number of workdays or work hours required to complete a task

Effort does not normally equal duration

People doing the work should help create estimates, and an expert should review them

Activity Duration Estimating

‹#›

A milestone is a significant event that normally has no duration

They’re useful tools for setting schedule goals and monitoring progress

Examples include obtaining customer sign-off on key documents or completion of specific products

Milestones

‹#›

Milestones should be

Specific

Measurable

Assignable

Realistic

Time-framed

SMART Criteria

‹#›

Instead of providing activity estimates as a discrete number, such as four weeks, it’s often helpful to create a three-point estimate

an estimate that includes an optimistic, most likely, and pessimistic estimate, such as three weeks for the optimistic, four weeks for the most likely, and five weeks for the pessimistic estimate

Three-point estimates are needed for PERT and Monte Carlo simulations

Three-Point Estimates

‹#›

Uses results of the other time management processes to determine the start and end date of the project

Ultimate goal is to create a realistic project schedule that provides a basis for monitoring project progress for the time dimension of the project

Important tools and techniques include Gantt charts, critical path analysis, and critical chain scheduling, and PERT analysis

Developing the Schedule

‹#›

Gantt charts provide a standard format for displaying project schedule information by listing project activities and their corresponding start and finish dates in a calendar format

Symbols include:

A black diamond: a milestones

Thick black bars: summary tasks

Lighter horizontal bars: durations of tasks

Arrows: dependencies between tasks

Gantt Charts

‹#›

A buffer is additional time to complete a task

Murphy’s Law states that if something can go wrong, it will

Parkinson’s Law states that work expands to fill the time allowed

In traditional estimates, people often add a buffer to each task and use it if it’s needed or not

Buffers and Critical Chain

‹#›

PERT is a network analysis technique used to estimate project duration when there is a high degree of uncertainty about the individual activity duration estimates

PERT uses probabilistic time estimates

duration estimates based on using optimistic, most likely, and pessimistic estimates of activity durations, or a three-point estimate

Program Evaluation and Review Technique (PERT)

The Importance of Project Cost Management

IT projects have a poor track record for meeting budget goals

A cost overrun is the additional percentage or dollar amount by which actual costs exceed estimates

A 2011 Harvard Business Review study reported an average cost overrun of 27 percent. The most important finding was the discovery of a large number of gigantic overages or “black swans”

Information Technology Project Management, Eighth Edition

‹#›

What is Cost and Project Cost Management?

IT projects have a poor track record for meeting budget goals

A cost overrun is the additional percentage or dollar amount by which actual costs exceed estimates

Cost is a resource sacrificed or foregone to achieve a specific objective or something given up in exchange

Project cost management includes the processes required to ensure that the project is completed within an approved budget

Information Technology Project Management, Eighth Edition

‹#›

Project Cost Management Processes

Planning cost management :determining the policies, procedures, and documentation that will be used for planning, executing, and controlling project cost.

Estimating costs: developing an approximation or estimate of the costs of the resources needed to complete a project

Determining the budget: allocating the overall cost estimate to individual work items to establish a baseline for measuring performance

Controlling costs: controlling changes to the project budget

Information Technology Project Management, Eighth Edition

‹#›

Basic Principles of Cost Management

Most members of an executive board better understand and are more interested in financial terms than IT terms , so IT project managers must speak their language

Profits are revenues minus expenditures

Profit margin is the ratio of revenues to profits

Life cycle costing considers the total cost of ownership, or development plus support costs, for a project

Cash flow analysis determines the estimated annual costs and benefits for a project and the resulting annual cash flow

You cannot measure Return on Investment (ROI) unless you have a benefits measurement process in place

Information Technology Project Management, Eighth Edition

‹#›

Types of Costs and Benefits

Tangible costs or benefits are those costs or benefits that an organization can easily measure in dollars

Intangible costs or benefits are costs or benefits that are difficult to measure in monetary terms

Direct costs are costs that can be directly related to producing the products and services of the project

Indirect costs are costs that are not directly related to the products or services of the project, but are indirectly related to performing the project

Sunk cost is money that has been spent in the past; when deciding what projects to invest in or continue, you should not include sunk costs

Information Technology Project Management, Eighth Edition

‹#›

More Basic Principles of Cost Management

Learning curve theory states that when many items are produced repetitively, the unit cost of those items decreases in a regular pattern as more units are produced

Reserves are dollars included in a cost estimate to mitigate cost risk by allowing for future situations that are difficult to predict

Contingency reserves allow for future situations that may be partially planned for (sometimes called known unknowns) and are included in the project cost baseline

Management reserves allow for future situations that are unpredictable (sometimes called unknown unknowns

Information Technology Project Management, Eighth Edition

‹#›

Planning Cost Management

The project team uses expert judgment, analytical techniques, and meetings to develop the cost management plan

A cost management plan includes:

Level of accuracy and units of measure

Organizational procedure links

Control thresholds

Rules of performance measurement

Reporting formats

Process descriptions

Information Technology Project Management, Eighth Edition

‹#›

Estimating Costs

Project managers must take cost estimates seriously if they want to complete projects within budget constraints

It’s important to know the types of cost estimates, how to prepare cost estimates, and typical problems associated with IT cost estimates

Information Technology Project Management, Eighth Edition

‹#›

Table 7-1. Types of Cost Estimates

Information Technology Project Management, Eighth Edition

‹#›

Rough order of Magnitude (ROM)

Very early estimate, can be off by up to 100%

Budgetary

Early projection, can be off by up to 25%

Definitive

Refined as project matures, needs to be within 5%

More on Cost Estimates

Estimates are usually done at various stages of a project and should become more accurate as time progresses

A large percentage of total project costs are often labor costs

Information Technology Project Management, Eighth Edition

‹#›

Table 7-2. Maximum FTE by Department by Year

Department	Year 1	Year 2	Year 3	Year 4	Year 5	Totals
Information system	24	31	35	13	13	116
Marketing systems	3	3	3	3	3	15
Reservations	12	29	33	9	7	90
Contractors	2	3	1	0	0	6
Totals	41	66	72	25	23	227

Information Technology Project Management, Eighth Edition

‹#›

Cost Estimation Tools and Techniques

Basic tools and techniques for cost estimates:

Analogous or top-down estimates: use the actual cost of a previous, similar project as the basis for estimating the cost of the current project

Bottom-up estimates: involve estimating individual work items or activities and summing them to get a project total

Parametric modeling uses project characteristics (parameters) in a mathematical model to estimate project costs

Information Technology Project Management, Eighth Edition

‹#›

Typical Problems with IT Cost Estimates

Estimates are done too quickly

People lack estimating experience

Human beings are biased toward underestimation

Management desires accuracy

Information Technology Project Management, Eighth Edition

‹#›

Sample Cost Estimate

See the text for a detailed example of creating a cost estimate for the Surveyor Pro project described in the opening case

Before creating an estimate, know what it will be used for, gather as much information as possible, and clarify the ground rules and assumptions for the estimate

If possible, estimate costs by major WBS categories

Create a cost model to make it easy to make changes to and document the estimate

Information Technology Project Management, Eighth Edition

‹#›

Best Practice

Function points are a means of measuring software size in terms that are meaningful to end users

Function points are comprised of inputs, outputs, inquiries, internal data, and external interface data. Basically, what operations is the program performing.

User stories are a common way to describe requirements in a simple, concise way

Developers can analyze user stories to estimate function points and person-hours

Information Technology Project Management, Eighth Edition

‹#›

Determining the Budget

Cost budgeting involves allocating the project cost estimate to individual work items over time

The WBS is a required input to the cost budgeting process since it defines the work items

Important goal is to produce a cost baseline

a time-phased budget that project managers use to measure and monitor cost performance

Information Technology Project Management, Eighth Edition

‹#›

Controlling Costs

Project cost control includes

Monitoring cost performance

Ensuring that only appropriate project changes are included in a revised cost baseline

Informing project stakeholders of authorized changes to the project that will affect costs

Many organizations around the globe have problems with cost control

Information Technology Project Management, Eighth Edition

‹#›

Earned Value Management (EVM)

EVM is a project performance measurement technique that integrates scope, time, and cost data

Given a baseline (original plan plus approved changes), you can determine how well the project is meeting its goals

You must enter actual information periodically to use EVM

More and more organizations around the world are using EVM to help control project costs

Information Technology Project Management, Eighth Edition

‹#›

Earned Value Management Terms

The planned value (PV), formerly called the budgeted cost of work scheduled (BCWS), also called the budget, is that portion of the approved total cost estimate planned to be spent on an activity during a given period

Actual cost (AC), formerly called actual cost of work performed (ACWP), is the total of direct and indirect costs incurred in accomplishing work on an activity during a given period

The earned value (EV), formerly called the budgeted cost of work performed (BCWP), is an estimate of the value of the physical work actually completed

EV is based on the original planned costs for the project or activity and the rate at which the team is completing work on the project or activity to date

Information Technology Project Management, Eighth Edition

‹#›

Rate of Performance

Rate of performance (RP) is the ratio of actual work completed to the percentage of work planned to have been completed at any given time during the life of the project or activity

For example, suppose the server installation was halfway completed by the end of week 1. The rate of performance would be 50% because by the end of week 1, the planned schedule reflects that the task should be 100 percent complete and only 50 percent of that work has been completed

Information Technology Project Management, Eighth Edition

‹#›

Rules of Thumb for Earned Value Numbers

Negative numbers for cost and schedule variance indicate problems in those areas

CPI and SPI less than 100% indicate problems

Problems mean the project is costing more than planned (over budget) or taking longer than planned (behind schedule)

The CPI can be used to calculate the estimate at completion (EAC)—an estimate of what it will cost to complete the project based on performance to date. The budget at completion (BAC) is the original total budget for the project

Information Technology Project Management, Eighth Edition

‹#›

The Importance of Project Quality Management

Many people joke about the poor quality of IT products (see cars and computers joke)

People seem to accept systems being down occasionally or needing to reboot their PCs

But quality is very important in many IT projects

Information Technology Project Management, Eighth Edition

‹#›

Considerations for Project Quality Management

What is your tolerance for being wrong?

Downtime

Errors

Customer dissatisfaction

What is the cost of being wrong?

Lost revenue

Lost customers

Reputational impact

Information Technology Project Management, Eighth Edition

‹#›

Considerations for Project Quality Management

If the product does not have good quality, was the scope constraint actually met?

Does anyone intentionally design in poor quality?

Also… How good does it need to be?

Information Technology Project Management, Eighth Edition

‹#›

What Is Project Quality?

The International Organization for Standardization (ISO) defines quality as “the degree to which a set of inherent characteristics fulfills requirements” (ISO9000:2000)

Other experts define quality based on:

Conformance to requirements: The project’s processes and products meet written specifications Does it do what you said it would?

Fitness for use: A product can be used as it was intended

Why would there be a difference?

Information Technology Project Management, Eighth Edition

‹#›

What Is Project Quality Management?

Project quality management ensures that the project will satisfy the needs for which it was undertaken

Processes include:

Planning quality management: Identifying which quality standards are relevant to the project and how to satisfy them; a metric is a standard of measurement

Performing quality assurance: Periodically evaluating overall project performance to ensure the project will satisfy the relevant quality standards

Performing quality control: Monitoring specific project results to ensure that they comply with the relevant quality standards

Information Technology Project Management, Eighth Edition

‹#›

Planning Quality

Implies the ability to anticipate situations and prepare actions to bring about the desired outcome

Important to prevent defects by:

Selecting proper materials

Training and indoctrinating people in quality

Planning a process that ensures the appropriate outcome

Information Technology Project Management, Eighth Edition

‹#›

Scope Aspects of IT Projects

Functionality is the degree to which a system performs its intended function

Features are the system’s special characteristics that appeal to users

System outputs are the screens and reports the system generates

Performance addresses how well a product or service performs the customer’s intended use

Reliability is the ability of a product or service to perform as expected under normal conditions

Maintainability addresses the ease of performing maintenance on a product

Information Technology Project Management, Eighth Edition

‹#›

Who’s Responsible for the Quality of Projects?

Project managers are ultimately responsible for quality management on their projects

Several organizations and references can help project managers and their teams understand quality

International Organization for Standardization (www.iso.org)

IEEE (www.ieee.org)

Information Technology Project Management, Eighth Edition

‹#›

Performing Quality Assurance

Quality assurance includes all the activities related to satisfying the relevant quality standards for a project

Another goal of quality assurance is continuous quality improvement. Kaizen is the Japanese word for improvement or change for the better

Lean involves evaluating processes to maximize customer value while minimizing waste

Benchmarking generates ideas for quality improvements by comparing specific project practices or product characteristics to those of other projects or products within or outside the performing organization

A quality audit is a structured review of specific quality management activities that help identify lessons learned that could improve performance on current or future projects

Information Technology Project Management, Eighth Edition

‹#›

Controlling Quality

The main outputs of quality control are:

Acceptance decisions

Rework

Process adjustments

There are Seven Basic Tools of Quality that help in performing quality control

Information Technology Project Management, Eighth Edition

‹#›

Cause-and-Effect Diagrams

Cause-and-effect diagrams trace complaints about quality problems back to the responsible production operations

They help you find the root cause of a problem

Also known as fishbone or Ishikawa diagrams

Can also use the 5 whys technique where you repeated ask the question “Why” (five is a good rule of thumb) to peel away the layers of symptoms that can lead to the root cause

Information Technology Project Management, Eighth Edition

‹#›

Quality Control Charts

A control chart is a graphic display of data that illustrates the results of a process over time

The main use of control charts is to prevent defects, rather than to detect or reject them

Quality control charts allow you to determine whether a process is in control or out of control

When a process is in control, any variations in the results of the process are created by random events; processes that are in control do not need to be adjusted

When a process is out of control, variations in the results of the process are caused by non-random events; you need to identify the causes of those non-random events and adjust the process to correct or eliminate them

Information Technology Project Management, Eighth Edition

‹#›

Pareto Charts

A Pareto chart is a histogram that can help you identify and prioritize problem areas

Pareto analysis is also called the 80-20 rule, meaning that 80 percent of problems are often due to 20 percent of the causes

Information Technology Project Management, Eighth Edition

‹#›

Flowcharts

Flowcharts are graphic displays of the logic and flow of processes that help you analyze how problems occur and how processes can be improved

They show activities, decision points, and the order of how information is processed

Information Technology Project Management, Eighth Edition

‹#›

Six Sigma

Six Sigma is “a comprehensive and flexible system for achieving, sustaining, and maximizing business success. Six Sigma is uniquely driven by close understanding of customer needs, disciplined use of facts, data, and statistical analysis, and diligent attention to managing, improving, and reinventing business processes”*

*Pande, Peter S., Robert P. Neuman, and Roland R. Cavanagh, The Six Sigma Way, New York: McGraw-Hill, 2000, p. xi.

Information Technology Project Management, Eighth Edition

‹#›

Basic Information on Six Sigma

The target for perfection is the achievement of no more than 3.4 defects per million opportunities

The principles can apply to a wide variety of processes

Six Sigma projects normally follow a five-phase improvement process called DMAIC

Information Technology Project Management, Eighth Edition

‹#›

DMAIC

DMAIC is a systematic, closed-loop process for continued improvement that is scientific and fact based

DMAIC stands for:

Define: Define the problem/opportunity, process, and customer requirements

Measure: Define measures, then collect, compile, and display data

Analyze: Scrutinize process details to find improvement opportunities

Improve: Generate solutions and ideas for improving the problem

Control: Track and verify the stability of the improvements and the predictability of the solution

Information Technology Project Management, Eighth Edition

‹#›

How is Six Sigma Quality Control Unique?

It requires an organization-wide commitment.

Training follows the “Belt” system

Six Sigma organizations have the ability and willingness to adopt contrary objectives, such as reducing errors and getting things done faster

It is an operating philosophy that is customer focused and strives to drive out waste, raise levels of quality, and improve financial performance at breakthrough levels

Information Technology Project Management, Eighth Edition

‹#›

Types of Tests

Unit testing tests each individual component (often a program) to ensure it is as defect-free as possible

Integration testing occurs between unit and system testing to test functionally grouped components

System testing tests the entire system as one entity

User acceptance testing is an independent test performed by end users prior to accepting the delivered system

Information Technology Project Management, Eighth Edition

‹#›

Testing Alone Is Not Enough

Watts S. Humphrey, a renowned expert on software quality, defines a software defect as anything that must be changed before delivery of the program

Testing does not sufficiently prevent software defects because:

The number of ways to test a complex system is huge

Users will continue to invent new ways to use a system that its developers never considered

Humphrey suggests that people rethink the software development process to provide no potential defects when you enter system testing; developers must be responsible for providing error-free code at each stage of testing

Information Technology Project Management, Eighth Edition

‹#›

Modern Quality Management

Modern quality management:

Requires customer satisfaction requirements? Fitness?

Prefers prevention to inspection

Recognizes management responsibility for quality

Noteworthy quality experts include Deming, Juran, Crosby, Ishikawa, Taguchi, and Feigenbaum

Information Technology Project Management, Eighth Edition

‹#›

ISO Standards

ISO 9000 is a quality system standard that:

Is a three-part, continuous cycle of planning, controlling, and documenting quality in an organization

Provides minimum requirements needed for an organization to meet its quality certification standards

Helps organizations around the world reduce costs and improve customer satisfaction

See www.iso.org for more information

Information Technology Project Management, Eighth Edition

‹#›

Improving Information Technology Project Quality

Several suggestions for improving quality for IT projects include:

Establish leadership that promotes quality

Understand the cost of quality

Focus on organizational influences and workplace factors that affect quality

Follow maturity models

Information Technology Project Management, Eighth Edition

‹#›

The Cost of Quality

The cost of quality is the cost of conformance plus the cost of nonconformance

Conformance means delivering products that meet requirements and fitness for use

Cost of nonconformance means taking responsibility for failures or not meeting quality expectations

A study reported that software bugs cost the U.S. economy $59.6 billion each year and that one third of the bugs could be eliminated by an improved testing infrastructure

Information Technology Project Management, Eighth Edition

‹#›

Five Cost Categories Related to Quality

Prevention cost: Cost of planning and executing a project so it is error-free or within an acceptable error range

Appraisal cost: Cost of evaluating processes and their outputs to ensure quality

Internal failure cost: Cost incurred to correct an identified defect before the customer receives the product

External failure cost: Cost that relates to all errors not detected and corrected before delivery to the customer

Measurement and test equipment costs: Capital cost of equipment used to perform prevention and appraisal activities

Information Technology Project Management, Eighth Edition

‹#›

Maturity Models

Maturity models are frameworks for helping organizations improve their processes and systems

The Software Quality Function Deployment Model focuses on defining user requirements and planning software projects

The Software Engineering Institute’s Capability Maturity Model Integration is a process improvement approach that provides organizations with the essential elements of effective processes

Information Technology Project Management, Eighth Edition

‹#›

CMMI Levels

CMMI levels, from lowest to highest, are:

Incomplete

Performed

Managed

Defined

Quantitatively Managed

Optimizing

Companies may not get to bid on government projects unless they have a CMMI Level 3

Information Technology Project Management, Eighth Edition

‹#›

Importance of Good Communications

Information Technology Project Management, Eighth Edition

‹#›

“The single biggest problem in communication is the illusion that it has taken place.”

-- George Bernard Shaw

Importance of Good Communications

The greatest threat to projects is a failure to communicate

Our culture portrays IT professionals as not being good communicators

Research shows that IT professionals must be able to communicate effectively to succeed in their positions

Strong verbal and non-technical skills (“soft skills”) are a key factor in career advancement for IT professionals

Information Technology Project Management, Eighth Edition

‹#›

Keys to Good Communications

Project managers say they spend as much as 90 percent of their time communicating

The other 10% is spent preparing to communicate

Need to focus on group and individual communication needs

Use formal and informal methods for communicating

Distribute important information in an effective and timely manner

Set the stage for communicating bad news

Information Technology Project Management, Eighth Edition

‹#›

Project Communications Management Processes

Planning communications management: Determining the information and communications needs of the stakeholders

Managing communications: Creating, distributing, storing, retrieving, and disposing of project communications based on the communications management plan

Controlling communications: Monitoring and controlling project communications to ensure that stakeholder communication needs are met

Information Technology Project Management, Eighth Edition

‹#›

Personal Preferences Affect Communication Needs (Gross Generalizations and Labels)

Introverts like more private communications, while extroverts like to discuss things in public

Intuitive people like to understand the big picture, while sensing people need step-by-step details

Thinkers want to know the logic behind decisions, while feeling people want to know how something affects them personally

Judging people are driven to meet deadlines while perceiving people need more help in developing and following plans

Information Technology Project Management, Eighth Edition

‹#›

Importance of Face-to-Face Communication

Research says that in a face-to-face interaction:

58 percent of communication is through body language.

35 percent of communication is through how the words are said

7 percent of communication is through the content or words that are spoken

Pay attention to more than just the actual words someone is saying

A person’s tone of voice and body language say a lot about how he or she really feels

Information Technology Project Management, Eighth Edition

‹#›

Distributing Information in an Effective and Timely Manner

Don’t bury crucial information

Don’t be afraid to report bad information

Oral communication via meetings and informal talks helps bring important information—good and bad—out into the open

Information Technology Project Management, Eighth Edition

‹#›

Other Communication Considerations

Rarely does the receiver interpret a message exactly as the sender intended

Geographic location and cultural background affect the complexity of project communications

Different working hours

Language barriers

Different cultural norms

Information Technology Project Management, Eighth Edition

‹#›

Figure 10-2. The Impact of the Number of People on Communications Channels

Information Technology Project Management, Eighth Edition

‹#›

Communications Management Plan Contents

Stakeholder communications requirements

Information to be communicated, including format, content, and level of detail

Who will receive the information and who will produce it

Suggested methods or technologies for conveying the information

Frequency of communication

Escalation procedures for resolving issues

Revision procedures for updating the communications management plan

A glossary of common terminology

Why – How - Who – When – What

‹#›

Managing Communications

Managing communications is a large part of a project manager’s job

Getting project information to the right people at the right time and in a useful format is just as important as developing the information in the first place

Important considerations include the use of technology, the appropriate methods and media to use, and performance reporting

Information Technology Project Management, Eighth Edition

‹#›

Using Technology to Enhance Creation and Distribution

Technology can facilitate the process of creating and distributing information, when used properly

It is important to select the appropriate communication method and media

Information Technology Project Management, Eighth Edition

‹#›

Classifications for Communication Methods

Interactive communication: Two or more people interact to exchange information via meetings, phone calls, or video conferencing. Most effective way to ensure common understanding

Push communication: Information is sent or pushed to recipients without their request via reports, e-mails, faxes, voice mails, and other means. Ensures that the information is distributed, but does not ensure that it was received or understood

Pull communication: Information is sent to recipients at their request via Web sites, bulletin boards, e-learning, knowledge repositories like blogs, and other means

Information Technology Project Management, Eighth Edition

‹#›

Table 10-2. Media Choice Table (slide 1 of 2)

KEY: 1 = EXCELLENT 2 = ADEQUATE 3 = INAPPROPRIATE

HOW WELL MEDIUM IS SUITED TO:	Hard Copy	Telephone Call	Voicemail	E-mail	Meeting	Website
Assessing commitment	3	2	3	3	1	3
Building consensus	3	2	3	3	1	3
Mediating a conflict	3	2	3	3	1	3
Resolving a misunderstanding	3	1	3	3	2	3
Addressing negative behavior	3	2	3	2	1	3
Expressing support/appreciation	1	2	2	1	2	3
Encouraging creative thinking	2	3	3	1	3	3
Making an ironic statement	3	2	2	3	1	3
Conveying a reference document	1	3	3	3	3	3
Reinforcing one's authority	1	2	3	3	1	1
Providing a permanent record	1	3	3	1	3	2
Maintaining confidentiality	2	1	2	3	1	1
Conveying simple information	2	2	1	1	2	3
Asking an informational question	3	2	1	1	3	3
Making a simple request	3	3	1	1	3	3
Giving complex instructions	3	3	3	2	1	2
Addressing many people	2	3	3 or 1*	2	3	1

Galati, Tess. Email Composition and Communication (EmC2) Practical Communications, Inc. (www.pracom.com) (2001).

*Depends on system availability

Information Technology Project Management, Eighth Edition

‹#›

Reporting Performance

Performance reporting keeps stakeholders informed about how resources are being used to achieve project objectives

Status reports describe where the project stands at a specific point in time

Progress reports describe what the project team has accomplished during a certain period of time

Forecasts predict future project status and progress based on past information and trends

Information Technology Project Management, Eighth Edition

‹#›

Controlling Communications

The main goal of controlling communications is to ensure the optimal flow of information throughout the entire project life cycle

Are the messages effective?

Are the messages reaching the right audience?

Are the messages timely?

Information Technology Project Management, Eighth Edition

‹#›

Developing Better Communication Skills

Most companies spend a lot of money on technical training for their employees, even when employees might benefit more from communications training

Individual employees are also more likely to enroll voluntarily in classes to learn the latest technology than in classes that develop soft skills

As organizations become more global, they realize they must invest in ways to improve communication with people from different countries and cultures

It takes leadership to improve communication

Toastmasters International

Information Technology Project Management, Eighth Edition

‹#›

Running Effective Meetings

Determine if a meeting can be avoided

Define the purpose and intended outcome of the meeting

Determine who should attend the meeting

Provide an agenda to participants before the meeting

Prepare handouts and visual aids, and make logistical arrangements ahead of time

Run the meeting professionally

Set the ground rules for the meeting

Build relationships

Information Technology Project Management, Eighth Edition

‹#›

Sample Collaborative Tools

A SharePoint portal allows users to create custom Web sites to access documents and applications stored on shared devices

Google Docs allow users to create, share, and edit documents, spreadsheets, and presentations online

A wiki is a Web site designed to enable anyone who accesses it to contribute or modify Web page content

Kanban boards visually show tasks that need to be done, are in progress, or are completed

Information Technology Project Management, Eighth Edition

‹#›

Using E-Mail, Instant Messaging, Texting, and Collaborative Tools Effectively

Make sure that e-mail, instant messaging, texting, or collaborative tools are an appropriate medium for what you want to communicate

Be sure to send information to the right people

Use meaningful subject lines and limit the content of emails to one main subject, and be as clear and concise as possible

Be sure to authorize the right people to share and edit your collaborative documents

Information Technology Project Management, Eighth Edition

‹#›

Using Templates for Project Communications

Many technical people are afraid to ask for help

Good writers are also readers

Providing examples and templates for project communications saves time and money

Research shows that companies that excel in project management make effective use of templates

Information Technology Project Management, Eighth Edition

‹#›

Lessons Learned Reports

The project manager and project team members should each prepare a lessons-learned report

A reflective statement that documents important things an individual learned from working on the project

The project manager often combines information from all of the lessons-learned reports into a project summary report

See template and sample in Chapter 3

Information Technology Project Management, Eighth Edition

‹#›

Project Archives

It is also important to organize and prepare project archives

Project archives are a complete set of organized project records that provide an accurate history of the project

These archives can provide valuable information for future projects as well

Information Technology Project Management, Eighth Edition

‹#›

The Importance of Project Risk Management

Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests of meeting project objectives

Risk management is often overlooked in projects, but it can help improve project success by helping select good projects, determining project scope, and developing realistic estimates

Information Technology Project Management, Eighth Edition

‹#›

Research Shows Need to Improve Project Risk Management

Study by Ibbs and Kwak shows risk has the lowest maturity rating of all knowledge areas

A similar survey was completed with software development companies in Mauritius, South Africa in 2003, and risk management also had the lowest maturity

KLCI study shows the benefits of following good software risk management practices

Information Technology Project Management, Eighth Edition

‹#›

Table 11-1. Project Management Maturity by Industry Group and Knowledge Area*

KEY: 1 = LOWEST MATURITY RATING 5 = HIGHEST MATURITY RATING

Knowledge Area	Engineering/ Construction	Telecommunications	Information Systems	Hi-Tech Manufacturing
Scope	3.52	3.45	3.25	3.37
Time	3.55	3.41	3.03	3.50
Cost	3.74	3.22	3.20	3.97
Quality	2.91	3.22	2.88	3.26
Human Resources	3.18	3.20	2.93	3.18
Communications	3.53	3.53	3.21	3.48
Risk	2.93	2.87	2.75	2.76
Procurement	3.33	3.01	2.91	3.33

*Ibbs, C. William and Young Hoon Kwak. “Assessing Project Management Maturity,” Project Management Journal (March 2000).

Information Technology Project Management, Eighth Edition

‹#›

Figure 11-1. Benefits from Software Risk Management Practices*

*Source: Kulik and Weber, KLCI Research Group

Information Technology Project Management, Eighth Edition

‹#›

Negative Risk

A dictionary definition of risk is “the possibility of loss or injury”

Negative risk involves understanding potential problems that might occur in the project and how they might impede project success

Negative risk management is like a form of insurance; it is an investment

Information Technology Project Management, Eighth Edition

‹#›

Risk Can Be Positive

Positive risks are risks that result in good things happening; sometimes called opportunities

A general definition of project risk is an uncertainty that can have a negative or positive effect on meeting project objectives

The goal of project risk management is to minimize potential negative risks while maximizing potential positive risks

Information Technology Project Management, Eighth Edition

‹#›

Risk Utility

Risk utility or risk tolerance is the amount of satisfaction or pleasure received from a potential payoff

Utility rises at a decreasing rate for people who are risk-averse

Those who are risk-seeking have a higher tolerance for risk and their satisfaction increases when more payoff is at stake

The risk-neutral approach achieves a balance between risk and payoff

Information Technology Project Management, Eighth Edition

‹#›

Figure 11-2. Risk Utility Function and Risk Preference

Information Technology Project Management, Eighth Edition

‹#›

Project Risk Management Processes, Part 1

Planning risk management : Deciding how to approach and plan the risk management activities for the project

Identifying risks: Determining which risks are likely to affect a project and documenting the characteristics of each

Performing qualitative risk analysis: Prioritizing risks based on their probability and impact of occurrence

Information Technology Project Management, Eighth Edition

‹#›

Project Risk Management Processes, Part 2

Performing quantitative risk analysis: Numerically estimating the effects of risks on project objectives

Planning risk responses: Taking steps to enhance opportunities and reduce threats to meeting project objectives

Controlling risk: Monitoring identified and residual risks, identifying new risks, carrying out risk response plans, and evaluating the effectiveness of risk strategies throughout the life of the project

Information Technology Project Management, Eighth Edition

‹#›

Knowledge Area	Risk Conditions
Integration	Inadequate planning; poor resource allocation; poor integration management; lack of post-project review
Scope	Poor definition of scope or work packages; incomplete definitions
Time	Errors in estimating time or resource availability; errors in determining the critical path; poor allocations and management of float; early release of competitive products
Cost	Estimating errors; inadequate productivity, cost, change, or contingency
Quality	Poor attitude towards quality; substandard design, materials, and workmanship; inadequate quality assurance program
Human resource	Poor conflict management; poor project organization and definition of responsibilities; absence of leadership
Communications	Carelessness in planning or communicating
Risk	Ignoring risk; unclear analysis of risk; poor insurance management
Procurement	Unenforceable conditions or contract clauses; adversarial relations
Stakeholders	Lack of consultation with key stakeholder