Transcript of: Agile Projects Need Agile Audit, 10 September 2014
GRC 2.0 - Breaking Down The Silos
ISACA Ireland Conference – 3rd
October 2014
Agile Projects need Agile Controls and Audit
Christopher Wright BSc(hon), CPFA, CISA, MBCS, MAPM, Certified ScrumMaster
Tired of late delivery of projects?
Unresponsive to emerging cyber-threats?
Confused by spiralling delivery costs?
Exhausted by whinging users?
Distracted by tedious auditors?
Overcome by project paperwork?
THEN YOU NEED.....
SUPERAGILE – THE NEW WONDER DRUG
Say goodbye to....
• Project overruns
• Dissatisfied users
• Endless project paperwork
• Governance
• Overworked project teams
• Tiresome auditors
Always read the label..... There may be side effects. May contain nuts.
Sounds too good to be true....
I had questions:
1. What is “AGILE”?
2. How do we do “AGILE”?
3. What are “AGILE’S” risks and controls?
4. Is “AGILE” audit different?
Now I have some answers.
1. What is “AGILE”?
Agile definition
• Use of evolutionary, incremental and iterative delivery to converge on an optimal customer solution [inc. security]
• Maximising the business value with right-sized, just enough, and just in time processes and documentation
• The ability to create and respond to change in order to profit in a turbulent global business
• The ability to re-prioritise use of resources when requirements, technology and knowledge shift
• A very fast response to sudden market changes and emerging threats, by intensive customer interaction
Source: David F. Rico, Lean and Agile Systems Engineering: http://davidfrico.com
1. What is “AGILE”?
Agile Manifesto
“We are uncovering better ways of developing [products] by doing it and helping others do it. Through this work we have come to value:
• Individuals and interactions over processes and tools
• Working [products] over comprehensive documentation
• Customer collaboration over contract negotiations
• Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.”
Source: Martin Fowler & Jim Highsmith, “The Agile Manifesto.” Software Development, 8, August 2001.
2. How do we do “AGILE”?
Scrum Approach to Agile
[Diagram: Product Owner, Scrum Team, Scrum Master]
3. What are “AGILE’S” risks?
Risks & Benefits
As for Waterfall:
• Will the project complete on time?
• Will it meet business requirements?
• Will it be on budget?
• Will it be secure?
However......
• Incremental basis reduces the potential impact
• Users more involved & test by using a module!
• Different constraints
Plus ........
• Lower risk: will the project be agile enough?
• Product could be more fit for purpose?
• Embed security in NFRs / user stories
Poor Management of Agility Risk
3. What are “AGILE’S” risks?
Is it secure? Is it scalable? Is it standardised?
4. Is “AGILE” audit different?
Audit – 3 tips
Be proactive
• Don’t wait to audit until the end of the project
• Use the “force” – manifesto etc.
• Prepare well before the audit
Be creative
• Keep an open mind
• Try to fit into the culture
• Maintain independence but watch the attitude
Lose the tie
• Think like a scrum team
• Focus on people and product – not paperwork
Key Takeaways
• We cannot stop the Agile tide
• Agile allows us to respond to emerging threats
• Agile provides some audit and governance benefits
• Need to use Waterfall and Agile together as appropriate
• Approach Agile controls in an Agile way
• Focus on behaviours, not project process
• Outputs are more important than documentation
• Use the Agile manifesto
Do you have any questions?