Agile Projects Need Agile Audit, 10 September 2014

GRC 2.0 - Breaking Down The Silos
ISACA Ireland Conference – 3rd October 2014

Agile Projects need Agile Controls and Audit

Christopher Wright BSc(hon), CPFA, CISA, MBCS, MAPM, Certified ScrumMaster
[email protected]

Page 2

• Tired of late delivery of projects?
• Unresponsive to emerging cyber-threats?
• Confused by spiralling delivery costs?
• Exhausted by whinging users?
• Distracted by tedious auditors?
• Overcome by project paperwork?

THEN YOU NEED.....

Page 3

SUPERAGILE
THE NEW WONDER DRUG

Say goodbye to....

• Project overruns
• Dissatisfied users
• Endless project paperwork
• Governance
• Overworked project teams
• Tiresome auditors

Always read the label..... There may be side effects. May contain nuts.

Page 4

Sounds too good to be true....

I had questions:

1. What is “AGILE”?
2. How do we do “AGILE”?
3. What are “AGILE’S” risks and controls?
4. Is “AGILE” audit different?

Now I have some answers

Page 5

Agile definition

• Use of evolutionary, incremental and iterative delivery to converge on an optimal customer solution [inc security]
• Maximising the business value with right sized, just enough, and just in time processes and documentation
• The ability to create and respond to change in order to profit in a turbulent global business
• The ability to re-prioritize use of resources when requirements, technology and knowledge shift
• A very fast response to sudden market changes and emerging threats, by intensive customer interaction

Source: David F Rico, Lean and Agile Systems Engineering: http://davidfrico.com

1. What is “AGILE”?

Page 6

Agile Manifesto

“We are uncovering better ways of developing [products] by doing it and helping others do it. Through this work we have come to value:

• Individuals and interactions over processes and tools
• Working [products] over comprehensive documentation
• Customer collaboration over contract negotiations
• Responding to change over following a plan

That is while there is value in the items on the right, we value the items on the left more.”

Source: Martin Fowler & Jim Highsmith. “The Agile Manifesto.” Software development, 8, August 2001.

1. What is “AGILE”?

Page 7

Scrum Approach to Agile

2. How do we do “AGILE”?

[Diagram labels: Product Owner, Scrum Team, Scrum Master]

Page 8

Risks & Benefits

3. What are “AGILE’S” risks?

As for Waterfall:

• Will project complete on time?
• Will it meet business requirements?
• Will it be on budget?
• Will it be secure?

However......

• Incremental basis reduces the potential impact
• Users more involved & test by using a module!
• Different constraints

Plus ........

• Lower risk project will be agile enough?
• Product could be more fit for purpose?
• Embed security in NFR’s / US’s

Page 9

Poor Management of Agility Risk

R3 R3.Ourco.5.

1

3. What are “AGILE’S” risks?

Is it secure? Is it scalable? Is it standardised?

Page 10

Audit – 3 tips

4. Is “AGILE” audit different?

Lose the tie / Be proactive / Be creative

• Don’t wait to audit until end of project;
• Use the “force” – manifesto etc;
• Prepare well before the audit
• Keep an open mind
• Try to fit into the culture
• Maintain independence but watch the attitude
• Think like a scrum team
• Focus on people and product – not paperwork

Page 11

Key Takeaways

• We cannot stop the Agile tide
• Agile allows us to respond to emerging threats
• Agile provides some audit and governance benefits
• Need to use Waterfall and Agile together as appropriate
• Approach Agile controls in an Agile way
• Focus on behaviours not Project process
• Outputs are more important than documentation
• Use the Agile manifesto

[email protected]

Page 12

Do you have any questions?