IT and Software Quality Systems
The Need for IT Quality Systems
Standards ensure quality. Quality is obviously important in information technology, whether in hardware, software, or networks. Standardized interfaces, for instance, allow diverse devices and applications to work together. Standards are also vital to computer security and information privacy. When standards exist, everyone benefits from advances in electronic and mobile commerce. It is in recognition of these needs that ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) introduced three standards in 2005: ISO/IEC 17799:2005, ISO/IEC 27001:2005 and ISO/IEC 20000:2005, each described below.
ISO/IEC 17799:2005 will be renamed ISO/IEC 27002 in 2007. A new ISO/IEC 27000 series will cover information security matters and already includes a handful of related standards, like ISO/IEC 27001 and the upcoming ISO/IEC 27004 - Information Security Management Metrics and Measurement - currently in draft.
Two other approaches, CMMI (Capability Maturity Model Integration) and SCAMPI (Standard CMMI Appraisal Method for Process Improvement), round out Omnex's IT training.
CMMI
CMMI® was created by the Software Engineering Institute (SEI) and is available in two representations: Staged and Continuous. CMMI is the successor of CMM, which was developed from 1987 until 1997. The latest version of CMMI, v1.1, was released in 2002. The goal of the CMMI project was to improve the usability of CMM for software engineering and other disciplines by integrating the different models into one model. It was created by members of industry, government and the SEI. The main sponsors included the Office of the Secretary of Defense (OSD) and the National Defense Industrial Association (NDIA) Systems Engineering Committee.
Capability Maturity Model Integration (CMMI®) is an approach that provides organizations with the essential elements for effective processes. It can be used to guide process improvement across a single project, a division, or an entire company. CMMI helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.
CMMI builds on and extends the best practices of the Capability Maturity Model for Software (SW-CMM), the Systems Engineering Capability Model (SECM), Integrated Product and Process Development (IPPD) and Supplier Sourcing (SS).
Benefits of CMMI
- Explicit linkage of management and engineering activities to business objectives
- Improved visibility into the product life cycle and engineering activities
- Leveraging additional areas of best practice (e.g., measurement, risk management, and supplier management)
- Robust high-maturity practices
- Visibility into additional organizational functions critical to their products and services
- Tighter coupling to relevant ISO standards such as ISO 9001:2000 and ISO 15504
SCAMPI
The Standard CMMI Appraisal Method for Process Improvement (SCAMPI℠) serves as a benchmark of quality ratings relating to CMMI models. It may be applied to a wide range of appraisal usage modes, including both internal process improvement and external capability determinations. SCAMPI satisfies all of the Appraisal Requirements for CMMI as a Class A appraisal method and supports ISO/IEC 15504 assessments.
Precise information on required practices, parameters, variation limits, and optional-practice guidance for enacting the method should be part of the SCAMPI plan.
ISO/IEC 17799:2005
ISO/IEC 17799 is entitled “Information technology - Security techniques - Code of practice for information security management”. An earlier version of the standard, published in 2000, was essentially a word-for-word copy of BS 7799-1:1999 from BSI (the British Standards Institute).
ISO/IEC 17799:2005 makes best-practice recommendations for information security management, for use by those who initiate, implement or maintain information security management systems. According to the standard, “information security” involves ensuring that information can be accessed only by those who are authorized (confidentiality), safeguarding the accuracy and completeness of information and processing methods (integrity), and making information available to authorized users when they need it (availability).
There are twelve main sections in the ISO/IEC 17799:2005 standard:
- Risk assessment and treatment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
The standard identifies and outlines information security control objectives for each of these sections and provides guidance on how to implement each objective. Companies are expected to carry out well-structured information security risk assessments to determine their requirements before selecting the controls to apply. Specific controls are not mandated, because no general-purpose standard can address every control that may be needed.
ISO/IEC 27001:2005
ISO/IEC 27001:2005 was developed to provide a specification for an ISMS (information security management system) and the foundation for third-party audits and certifications. It helps companies identify, manage and minimize threats to information. The standard works in tandem with ISO/IEC 17799:2005. Eventually, BS ISO/IEC 27001 will become part of the new ISO/IEC 27000 series; ISO/IEC 27002 and ISO/IEC 27004 will come out in the next few years.
The standard exists so that organizations can establish and maintain effective information security management systems, following the concept of continual improvement. It also follows the principles developed by the OECD (Organization for Economic Cooperation and Development) for the security of information systems and networks.
ISO/IEC 27001:2005 is broken into the following sections:
- Introduction
- Scope
- Normative References
- Terms and Definitions
- Information Security Management System
- Management Responsibility
- Management review of the ISMS
- ISMS improvement
The standard makes the following suggestions for implementation:
- Define and create an information security policy
- Determine the scope of the information security management system
- Conduct a security risk assessment
- Manage the risk you identify
- Select controls that need to be implemented and applied
- Create an SoA (a "statement of applicability")
ISO/IEC 27001:2005 is synchronized with other management system standards such as ISO 9001 and ISO 14001 and uses the same Plan-Do-Check-Act (PDCA) model found in other standards. ISO/IEC 27001 assures your stakeholders that you adequately address information security within your organization and that you can deal with information security threats.
ISO/IEC 27001:2005 helps organizations with the following:
- management direction and support for information security
- management of information security within the organization
- identification of assets and how to protect them
- reduction of risk due to human error, theft, fraud or misuse of facilities
- prevention of unauthorized access, damage or interference
- management of information processing facilities
- access control
- securing information systems
- counteracting the effects of major failures
- ensuring compliance with laws, regulations and contracts
ISO/IEC 20000:2005
ISO/IEC 20000 was the first international standard for IT Service Management. It was based on BS 15000 from the British Standards Institute (BSI).
ISO/IEC 20000-1 ('part 1') encourages the development of an integrated process approach to managed services that meets the business and customer requirements of IT organizations.
It is made up of ten sections:
- Scope
- Terms & Definitions
- Planning and Implementing Service Management
- Requirements for a Management System
- Planning & Implementing New or Changed Services
- Service Delivery Process
- Relationship Processes
- Control Processes
- Resolution Processes
- Release Process
ISO/IEC 20000-2 ('part 2') constitutes a 'code of practice'. It explains best practices for service management within the scope of ISO/IEC 20000-1. It has the same ten sections as ISO/IEC 20000-1 except for 'Requirements for a Management System', because it imposes no requirements there.
ISO/IEC 20000:2005 is based on concepts found in the Information Technology Infrastructure Library (ITIL) framework, which was widely used in the 1990s. It also reflects IT Service Management (ITSM) frameworks, which emphasize the customer's perception of IT's contribution to the business.
IT Quality Systems Courses
The following courses are offered on-site at your facility. They are not regularly offered as open-enrollment courses: