SAD Assignment 5
About my school
The University of Southeastern Philippines is a state university and a large government institution that provides a wide range of services to students, staff, employees, and others. It therefore requires a large real-time system that can adapt to changes that occur or are imposed from time to time. For a university, the crucial parts of the system are the data, the records or accounts, the system governance flow, and the management, all of which must be handled seriously. Because it serves education-related professions, the university is expected to last for a long time, whether a number of decades or a century. A system built exclusively for the university must support the university’s needs and last as long as the university itself exists.
Systems Development Life Cycle
The systems development life cycle is a project management technique that divides complex projects into smaller, more easily managed segments or phases. Segmenting projects allows managers to verify the successful completion of project phases before allocating resources to subsequent phases.
Software development projects typically include initiation, planning, design, development, testing, implementation, and maintenance phases. However, the phases may be divided differently depending on the organization involved.
We will know that the life cycle was developed specifically for the university if it follows the Systems Development Life Cycle phases below in a way that relates to the system itself and provides, in every phase, solutions that meet the needs of the university.
Systems Development Life Cycle Phases
Initiation Phase
• A need to add, improve, or correct a system is identified and formally requested through the presentation of a business case.
• The business case should, at a minimum, describe a proposal’s purpose, identify expected benefits, and explain how the proposed system supports one of the organization’s business strategies.
• The business case should also identify alternative solutions and detail as many informational, functional, and network requirements as possible.
• Conducting a more thorough feasibility study requires management to verify the accuracy of the preliminary assumptions and identify resource requirements in greater detail.
Primary issues organizations should consider when compiling feasibility study support documentation include:
- Business Considerations:
1. Strategic business and technology goals and objectives;
2. Expected benefits measured against the value of current technology;
3. Potential organizational changes regarding facilities or the addition/reduction of end users, technicians, or managers;
4. Budget, scheduling, or personnel constraints; and
5. Potential business, regulatory, or legal issues that could impact the feasibility of the project.
- Functional Requirements:
1. End-user functional requirements;
2. Internal control and information security requirements;
3. Operating, database, and backup system requirements;
4. Connectivity requirements;
5. Network support requirements; and
6. Interface requirements.
- Project Factors:
1. Project management methodology;
2. Risk management methodology;
3. Estimated completion dates of projects and major project phases; and
4. Estimated costs of projects and major project phases.
- Cost/Benefit Analysis:
1. Expected useful life of the proposed product;
2. Alternative solutions;
3. Nonrecurring project costs;
4. Recurring operational costs;
5. Tangible benefits; and
6. Intangible benefits.
- The feasibility support documentation should be compiled and submitted for senior management or board study.
- The document should provide an overview of the proposed project and identify expected costs and benefits in terms of economic, technical, and operational feasibility.
- The document should also describe alternative solutions and include a recommendation for approval or rejection.
- The document should be reviewed and signed off on by all affected parties.
Planning Phase
The planning phase is the most critical step in completing development, acquisition, and maintenance projects. Careful planning, particularly in the early stages of a project, is necessary to coordinate activities and manage project risks effectively.
• Coordinate discussions between user, audit, security, design, development, and network personnel to identify and document as many functional, security, and network requirements as possible.
Primary items organizations should address in formal project plans include:
1. Project Overview – should identify the project, project sponsors, and project managers; and should describe project goals, background information, and development strategies.
2. Roles and Responsibilities – should define the primary responsibilities of key personnel, including project sponsors, managers, and team members.
3. Communication – should establish procedures for gathering and disseminating information. Standard report forms, defined reporting requirements, and established meeting schedules facilitate project communications.
4. Defined Deliverables – Clearly defined expectations are a prerequisite for successfully completing projects.
5. Control Requirements – involves designing and building automated control and security features into applications. Identifying all required features and exactly where they should be placed is not always possible during initial project phases.
6. Risk Management – should establish procedures to ensure managers appropriately assess, monitor, and manage internal and external risks throughout a project’s life cycle.
7. Change Management – standards should be in place to control changes in order to minimize disruptions to the development process.
8. Standards – should reference applicable standards relating to project oversight activities, system controls, and quality assurance.
9. Documentation – should identify the type and level of documentation personnel must produce during each project phase.
10. Scheduling – should identify and schedule major project phases and the tasks to be completed within each phase.
11. Testing – should develop testing plans that identify testing requirements and schedule testing procedures throughout the initial phases of a project.
12. Staff Development – should develop training plans that identify training requirements and schedule training procedures to ensure employees are able to use and maintain an application after implementation.
Design Phase
• The design phase involves converting the informational, functional, and network requirements identified during the initiation and planning phases into unified design specifications that developers use to script programs during the development phase.
• Designs are constructed in various ways.
• End users, designers, developers, database managers, and network administrators should review and refine the prototyped designs in an iterative process until they agree on an acceptable design.
• Management should be particularly diligent when using prototyping tools to develop automated controls. Prototyping can enhance an organization’s ability to design, test, and establish controls.
• Designers should carefully document completed designs.
• Organizations should create initial testing, conversion, implementation, and training plans during the design phase.
Application Control Standards
• Application controls include policies and procedures associated with user activities and the automated controls designed into applications.
• Designing appropriate security, audit, and automated controls into applications is a challenging task. Adding controls late in the development process or when applications are in production is more expensive, time consuming, and usually results in less effective controls.
• Standards should be in place to ensure end users, network administrators, auditors, and security personnel are appropriately involved during initial project phases.
• Application control standards enhance the security, integrity, and reliability of automated systems by ensuring input, processed, and output information is authorized, accurate, complete, and secure.
Input Controls
• Automated input controls help ensure employees accurately input information, systems properly record input, and systems either reject, or accept and record, input errors for later review and correction. Examples of automated input controls include:
1. Check Digits – Check digits are numbers produced by mathematical calculations performed on input data such as account numbers.
2. Duplication Checks – Duplication checks confirm that duplicate information is not input.
3. Limit Checks – Limit checks confirm that a value does not exceed predefined limits.
4. Range Checks – Range checks confirm that a value is within a predefined range of parameters.
5. Reasonableness Checks – Reasonableness checks confirm that a value meets predefined criteria.
6. Sequence Checks – Sequence checks confirm that a value is sequentially input or processed.
7. Validity Checks – Validity checks confirm that a value conforms to valid input criteria.
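The seven input controls listed above, applied to one batch of fee entries, as an added example that is not part of the original post or its reference. The record fields, fee codes, thresholds and the choice of the Luhn mod-10 algorithm for the check digit are assumptions made for illustration, and the sample entries are constructed.

```python
# Added illustration; field names, fee codes and thresholds are assumptions.
VALID_TYPES = {"TUITION", "LIBRARY", "LAB"}  # validity check: allowed fee codes
MAX_AMOUNT = 50_000                          # limit check: ceiling per entry
UNITS_RANGE = (1, 30)                        # range check: enrolled units
MAX_PER_UNIT = 2_000                         # reasonableness: tuition per unit

def check_digit_ok(account):
    """Luhn mod-10 check digit: catches single-digit typos in an account number."""
    if not account.isdigit():
        return False
    digits = [int(c) for c in reversed(account)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def validate_batch(records):
    """Return (accepted_seqs, rejected); rejects keep reasons for later review."""
    accepted, rejected, seen, expected_seq = [], [], set(), None
    for r in records:
        errors = []
        if not check_digit_ok(r["account"]):
            errors.append("check_digit")
        key = (r["account"], r["type"], r["amount"])
        if key in seen:                      # same entry keyed in twice
            errors.append("duplicate")
        seen.add(key)
        if r["amount"] > MAX_AMOUNT:
            errors.append("limit")
        if not UNITS_RANGE[0] <= r["units"] <= UNITS_RANGE[1]:
            errors.append("range")
        if r["amount"] <= 0 or (r["type"] == "TUITION"
                                and r["amount"] > r["units"] * MAX_PER_UNIT):
            errors.append("reasonableness")
        if expected_seq is not None and r["seq"] != expected_seq:
            errors.append("sequence")        # an entry number was skipped
        expected_seq = r["seq"] + 1
        if r["type"] not in VALID_TYPES:
            errors.append("validity")
        if errors:
            rejected.append((r["seq"], errors))
        else:
            accepted.append(r["seq"])
    return accepted, rejected

FIELDS = ("seq", "account", "type", "amount", "units")
# Constructed sample entries (not real records).
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (1, "20230017", "TUITION", 18000, 18),
    (2, "20230018", "LIBRARY", 500, 15),    # last digit mistyped
    (3, "20230017", "TUITION", 18000, 18),  # entry 1 keyed in again
    (5, "20230025", "LAB", 75000, 21),      # entry 4 missing, amount over limit
    (6, "20230033", "PARKING", 300, 45),    # unknown fee code, units out of range
    (7, "20230025", "TUITION", 48000, 3),   # under the limit but implausible
    (8, "20230033", "LAB", 1200, 12),
]]

if __name__ == "__main__":
    print(validate_batch(SAMPLE))
```

Entry 7 passes the limit check and is caught only by the reasonableness check, which is why the controls are applied together rather than as alternatives.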
Processing Controls
• Automated processing controls help ensure systems accurately process and record information and either reject, or process and record, errors for later review and correction. Processing includes merging files, modifying data, updating master files, and performing file maintenance.
• Examples of automated processing controls include:
1. Batch Controls – Batch controls verify processed run totals against input control totals. Batches are verified against various items such as total dollars, items, or documents processed.
2. Error Reporting – Error reports identify items or batches that include errors. Items or batches with errors are withheld from processing, posted to a suspense account until corrected, or processed and flagged for later correction.
3. Transaction Logs – Users verify logged transactions against source documents. Administrators use transaction logs to track errors, user actions, resource usage, and unauthorized access.
4. Run-to-Run Totals – Run-to-run totals compiled during input, processing, and output stages are verified against each other.
5. Sequence Checks – Sequence checks identify or reject missing or duplicate entries.
6. Interim Files – Operators revert to automatically created interim files to validate the accuracy, validity, and completeness of processed data.
7. Backup Files – Operators revert to automatically created master-file backups if transaction processing corrupts the master file.
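An added example (not from the original post or its reference) of how batch controls, error reporting, sequence checks, run-to-run totals and the master-file backup work together in one posting run. The batch layout, the names `run_batch` and `post_item`, the hypothetical `post` hook for the processing step, and the sample data are assumptions made for illustration.

```python
import copy


def post_item(master, item):
    """Normal posting step: add the amount to the account balance."""
    master[item["account"]] += item["amount"]


def run_batch(master, batch, post=post_item):
    """Post one batch; return (master_after_run, report). Input is not mutated."""
    header, items = batch["header"], batch["items"]
    report = {"status": "posted", "suspense": [], "missing_seq": []}
    # Batch control: totals recomputed from the items must match the header.
    if (len(items), sum(i["amount"] for i in items)) != (header["count"], header["total"]):
        report["status"] = "rejected: batch control totals mismatch"
        return master, report
    work = copy.deepcopy(master)  # the untouched `master` acts as the backup file
    seen, posted = set(), 0
    for item in items:
        duplicate = item["seq"] in seen
        seen.add(item["seq"])
        # Error reporting: duplicate entries and unknown accounts are withheld.
        if duplicate or item["account"] not in work:
            report["suspense"].append(item["seq"])
            continue
        post(work, item)
        posted += item["amount"]
    # Sequence check: report gaps between the lowest and highest entry number.
    if seen:
        report["missing_seq"] = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    # Run-to-run totals: the change in the master file must equal what was posted.
    if sum(work.values()) - sum(master.values()) != posted:
        report["status"] = "reverted: run-to-run totals mismatch"
        return master, report
    return work, report


# Constructed sample data (not real accounts).
MASTER = {"20230017": 0, "20230025": 1000, "20230033": 250}
BATCH = {
    "header": {"count": 5, "total": 6900},
    "items": [
        {"seq": 101, "account": "20230017", "amount": 3000},
        {"seq": 102, "account": "20230025", "amount": 1500},
        {"seq": 102, "account": "20230025", "amount": 1500},  # duplicate entry
        {"seq": 104, "account": "20239999", "amount": 200},   # unknown account
        {"seq": 105, "account": "20230033", "amount": 700},
    ],
}

if __name__ == "__main__":
    print(run_batch(MASTER, BATCH))
```

Passing a faulty `post` function that applies an amount twice makes the run-to-run comparison fail, and the function returns the original master file unchanged.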
Output Controls
• Automated output controls help ensure systems securely maintain and properly distribute processed information. Examples of automated output controls include:
1. Batch Logs – Batch logs record batch totals. Recipients of distributed output verify the output against processed batch log totals.
2. Distribution Controls – Distribution controls help ensure output is only distributed to authorized individuals.
3. Destruction Controls – Destruction controls help ensure electronically distributed and stored information is destroyed appropriately by overwriting outdated information or demagnetizing (degaussing) disks and tapes.
Development Phase
• The development phase involves converting design specifications into executable programs. Effective development standards include requirements that programmers and other project participants discuss design specifications before programming begins.
• Procedural programming involves the line-by-line scripting of logical instructions that are combined to form a program.
• Advancements in programming techniques include the concept of "object-oriented programming."
• Organizations should complete testing plans during the development phase. Additionally, they should update conversion, implementation, and training plans and user, operator, and maintenance manuals.
Development Standards
• Development standards should be in place to address the responsibilities of application and system programmers. Application programmers are responsible for developing and maintaining end-user applications.
• Development standards should prohibit a programmer's access to data, programs, utilities, and systems outside their individual responsibilities.
• Coding standards, which address issues such as the selection of programming languages and tools, the layout or format of scripted code, and the naming conventions of code routines and program libraries, are outside the scope of this document.
Library Controls
• Libraries are collections of stored documentation, programs, and data. Program libraries include reusable program routines or modules stored in source or object code formats.
Library controls should include:
1. Automated Password Controls – Management should establish logical access controls for all libraries or objects within libraries.
2. Automated Library Applications – When feasible, management should implement automated library programs, which are available from equipment manufacturers and software vendors.
Version Controls
• Library controls facilitate software version controls. Version controls provide a means to systematically retain chronological copies of revised programs and program documentation.
• Development version control systems, sometimes referred to as concurrent version systems, assist organizations in tracking different versions of source code during development.
Software Documentation
• Organizations should maintain detailed documentation for each application and application system in production.
• The documentation should contain detailed application descriptions, programming documentation, and operating instructions.
• Standards should be in place that identify the type and format of required documentation such as system narratives, flowcharts, and any special system coding, internal controls, or file layouts not identified within individual application documentation.
• Organizations should maintain documentation for internally developed programs and externally acquired products.
• Examiners should consider access and change controls when assessing documentation activities.
• System documentation should include:
1. System Descriptions – System descriptions provide narrative explanations of operating environments and the interrelated input, processing, and output functions of integrated application systems.
2. System Documentation – System documentation includes system flowcharts and models that identify the source and type of input information, processing and control actions (automated and manual), and the nature and location of output information.
3. System File Layouts – System file layouts describe collections of related records generated by individual processing applications.
Application documentation should include:
1. Application Descriptions – Application descriptions provide narrative explanations of the purpose of an application and provide overviews of data input, processing, and output functions.
2. Layouts – Layouts represent the format of stored and displayed information such as database layouts, screen displays, and hardcopy information.
3. Program Documentation – Program documentation details specific data input, processing, and output instructions, and should include documentation on system security.
4. Naming Conventions – Naming conventions are a critical part of program documentation.
5. Operator Instructions – Organizations should establish operator instructions regarding all processing applications.
6. End-User Instructions – Organizations should establish end-user instructions that describe how to use an application.
Testing Phase
• The testing phase requires organizations to complete various tests to ensure the accuracy of programmed code, the inclusion of expected functionality, and the interoperability of applications and other network components.
• Identify program defects or weaknesses during the testing process. Procedures should be in place to ensure programmers correct defects quickly and document all corrections or modifications.
• Primary tests include:
1. Acceptance Testing – End users perform acceptance tests to assess the overall functionality and interoperability of an application.
2. End-to-End Testing – End users and system technicians perform end-to-end tests to assess the interoperability of an application and other system components such as databases, hardware, software, or communication devices.
3. Functional Testing – End users perform functional tests to assess the operability of a program against predefined requirements. Functional tests include black box tests, which assess the operational functionality of a feature against predefined expectations, or white box tests, which assess the functionality of a feature’s code.
4. Integration Testing – End users and system technicians perform integration tests to assess the interfaces of integrated software components.
5. Parallel Testing – End users perform parallel tests to compare the output of a new application against a similar, often the original, application.
6. Regression Testing – End users retest applications to assess functionality after programmers make code changes to previously tested applications.
7. Stress Testing – Technicians perform stress tests to assess the maximum limits of an application.
8. String Testing – Programmers perform string tests to assess the functionality of related code modules.
9. System Testing – Technicians perform system tests to assess the functionality of an entire system.
10. Unit Testing – Programmers perform unit tests to assess the functionality of small modules of code.
Implementation Phase
• The implementation phase involves installing approved applications into production environments. Primary tasks include announcing the implementation schedule, training end users, and installing the product. Additionally, organizations should input and verify data, configure and test system and security parameters, and conduct post-implementation reviews.
• Verifying the accuracy of the input data and security configurations is a critical part of the implementation process.
Project Evaluation
• Organizations should conduct post-implementation reviews at the end of a project to validate the completion of project objectives and assess project management activities.
• Organizations should analyze the effectiveness of project management activities by comparing, among other things, planned and actual costs, benefits, and development times.
Maintenance Phase
• The maintenance phase involves making changes to hardware, software, and documentation to support a system’s operational effectiveness. It includes making changes to improve a system’s performance, correct problems, enhance security, or address user requirements.
• Change management (sometimes referred to as configuration management) involves establishing baseline versions of products, services, and procedures and ensuring all changes are approved, documented, and disseminated.
• Changes must be made quickly.
• Emergency change controls should include the same procedures as routine change controls.
• Organizations should test routine and, whenever possible, emergency changes prior to implementation and quickly notify affected parties of all changes.
• Patch management programs should address procedures for evaluating, approving, testing, installing, and documenting software modifications.
• The patch management process involves maintaining an awareness of external vulnerabilities and available patches.
• Organizations should carefully document all modifications to ensure accurate system inventories.
• Management should coordinate all technology-related changes.
• Quality assurance, security, audit, regulatory compliance, network, and end-user personnel
• Risk and security review should be done whenever a system modification is implemented to ensure controls remain in place.
Disposal Phase
• The disposal phase involves the orderly removal of surplus or obsolete hardware, software, or data.
• Primary tasks include the transfer, archiving, or destruction of data records.
• Organizations should transfer data from production systems in a planned and controlled manner that includes appropriate backup and testing procedures.
• Organizations should maintain archived data in accordance with applicable record retention requirements.
• Organizations should also archive system documentation in case it becomes necessary to reinstall a system into production.
• Organizations should destroy data by overwriting old information or degaussing (demagnetizing) disks and tapes.
Reference:
http://www.ffiec.gov/ffiecinfobase/booklets/d_a/08.html