Project Management Review

Risk Control Matrices

Each matrix is laid out in four columns: Control Objective, Testing Procedures, Status, and Notes. The Status and Notes columns are left blank to be completed during the review.

Control Objective 1
Evaluate the project management strategy, application development methodology, and infrastructure planning approach being utilized during each phase of the (Application Title) rollout initiative.

Testing Procedures
1. Through discussions with (Employee Name), identify individuals familiar with the overall planning initiative that took place, and is currently underway, for implementing (Application Title) across the organization (to include the technical application and infrastructure implementation).
2. Conduct information-gathering interviews to determine the extent to which each of the following was formally established and review each for reasonableness:
   a) Project Master Plan
   b) (Application Title) design and development plans, with particular emphasis placed on the extent of consultation with applicable hospital operations personnel
   c) Risk Management and Quality Assurance Plans
   d) Post-Implementation Review Plan
   e) Additional critical planning mechanisms (as applicable)
3. Conduct information-gathering interviews to determine the processes by which each of the following was evaluated and review each for reasonableness:
   a) Infrastructure and operating system(s) compatibility/requirements
   b) Availability and use of available application control features and functionality
   c) Interfaces to other systems within the organization
   d) Utilization and safeguarding of protected health information
   e) Development of the resource skill set to support (Application Title) long-term
   f) Resource availability to continue support of existing systems during implementation
   g) Identification of financial, operational, and technical stakeholders and their involvement in:
      i. Planning and Development
      ii. Testing
      iii. Implementation
4. Conduct information-gathering interviews to determine if a formal system development life cycle methodology is being utilized and appropriately addresses each of the following:
   a) Sufficient controls during the developmental process, to include IS and operations personnel checkpoints at key decision points and required authorization to proceed
   b) Communication to all appropriate employees involved in development and maintenance
   c) Procedures for technological and/or operational change are being used
   d) Procedures ensuring user acceptance and sign-off are being used
   e) Adequacy of third-party implementer agreements (as applicable)

Control Objective 2
Verify that mechanisms have been developed which limit the ability to make changes to the application and supporting infrastructure to authorized personnel, and ensure that modifications follow defined change control and/or program development procedures.

Testing Procedures
1. Through discussions with (Employee Name), identify individuals familiar with the overall planning initiative for incorporating (Application Title) into existing change control and/or program development processes – or developing new processes as needed.
2. Conduct information-gathering interviews with selected individuals to identify the planned processes for each of the following:
   a) Identification and approval of necessary changes
   b) Review and prioritization of changes
   c) Use of a test environment
   d) Segregation of duties (e.g., developer access to production)
   e) End-user involvement and communication
   f) Updates to system, application, and/or training/user documentation
3. Evaluate the planned processes for reasonableness.

Control Objective 3
Evaluate (Application Title) application, interface, and associated infrastructure testing strategies and procedures, as well as management plans relating to production implementation/conversion sequencing activities, to help ensure the continued integrity of the data utilized by the application and that the resources required by the application are readily available.

Testing Procedures
1. Through discussions with (Company X), identify individuals responsible for developing and executing plans for application, interface, and associated infrastructure testing.
2. Conduct information-gathering interviews to verify that each of the following phases is planned for and included as part of the system development process. Determine the reasonableness of plans to ensure adequate coverage/tests in each phase. Document any exceptions or instances where one of these steps is not planned and evaluate for reasonableness:
   a) Unit testing – Testing of individual programs, modules, subroutines, or subprograms.
   b) Integration testing – Testing of a group of programs to ensure that a transaction or data passes correctly between programs.
   c) System testing – Testing against specifications and testing all subsystems with interfaces to other systems, which should include Volume/Stress Testing to ensure the system will adequately handle anticipated and future capacity usage at peak periods.
   d) Acceptance testing – Functional users test the system with live data, test data, or a combination of live/test data to ensure that the system performs all functions as intended and to satisfy end-users that the system was designed and programmed according to their definitions and requirements.
   e) Parallel testing – Conducted with live data, where the new system and old system (as applicable) are run in parallel with the same data.
   f) Pilot testing – Testing one department or area at a time until enough experience is gained prior to launching an all-out implementation.
   g) Regression testing – Run after changes are made to ensure the impact of those changes is minimized.
3. Evaluate testing strategies for reasonableness to ensure that input, processing, and output controls will be sufficiently tested to help facilitate the continued integrity of data to be utilized by the application and other downstream applications (as applicable). To the extent that supporting documentation is available, obtain and evaluate for appropriateness.
4. Through discussions with (Company X), identify individuals responsible for production implementation/conversion sequencing activities and conduct information-gathering interviews with selected individuals to identify the plans that have been developed for each of the following initiatives to be performed during the implementation stage, and evaluate for reasonableness:
   a) Implementation initiation
   b) Key decision points and required authorization to proceed
   c) Data validation and continued integrity monitoring
   d) Back-out plans

Control Objective 4
Assess security mechanisms in place and/or planned to ensure that access to (Application Title) is appropriately restricted and that only authorized personnel have physical and logical access to the resources on which the application resides.

Testing Procedures
1. Through discussions with (Company X), identify individuals familiar with the overall planning initiative for incorporating (Application Title) into existing security administration processes – or developing new processes as needed.
2. Conduct information-gathering interviews with selected individuals to identify the planned processes/mechanisms for each of the following:
   a) Review the security plan and strategy to be utilized and assess for reasonableness.
   b) Determine how logical access to the application and physical access to the location of key application technology infrastructure will be evaluated for appropriateness, granted, modified, terminated, supported, and reviewed periodically.
   c) Ensure access setup and modification will be appropriately authorized, terminations and transfers will be performed in a timely manner, and rights will be periodically reviewed.
   d) Determine the ability of users to access the application remotely and ensure plans and strategies will appropriately limit access to only authorized personnel.
   e) Obtain documentation of the specific password parameters to be utilized for network, database, and application access. Validate that unauthorized access will be appropriately prevented.

Control Objective 5
Review plans for ensuring data is appropriately protected during the developmental stage, and also for incorporating (Application Title) into (Company X)’s data backup, business continuity, and/or disaster recovery procedures, and assess for reasonableness.

Testing Procedures
1. Through discussions with (Company X), identify individuals familiar with the overall planning initiative for incorporating (Application Title) into existing data backup, business continuity, and/or disaster recovery processes – or developing new processes as needed.
2. Conduct information-gathering interviews with selected individuals to identify the planned processes/mechanisms for each of the following:
   a) Identification of critical data
   b) Backup schedule (including types of backups performed – incremental, full, etc.)
   c) Rotation schedule
   d) Critical recovery timeframes
   e) Data gap analysis, to include how much data would be “lost” since the last backup
   f) Data integrity validation (e.g., mock restores)
3. Evaluate the planned processes for reasonableness.
4. Confirm the location in which data backups will be stored to ensure access will be restricted to authorized personnel (both physically and logically) and that data backup sets will be appropriately protected.
5. Identify environmental controls that will be in place to safeguard the location of key application technology infrastructure and evaluate for reasonableness.
6. Determine the extent to which formal business continuity and/or disaster recovery processes exist and ensure coverage will be updated to address (Application Title) needs. Evaluate each of the following for reasonableness:
   a) The existence of formal process(es) and the extent to which (Application Title) is addressed
   b) Recovery of critical hardware/systems
   c) Third-party/vendor arrangements
   d) Periodic testing/employee awareness

Control Objective 6
Verify that detailed facility training and education plans, along with future (Application Title) IS support plans, are in place and review for reasonableness.

Testing Procedures
1. Through discussions with (Company X), identify individuals with the responsibility for developing facility training and education plans, as well as those individuals and/or the third-party vendor that will be responsible for providing end-user support for (Application Title) users once implemented.
2. Conduct information-gathering interviews with selected individuals to determine the process by which facility training and education needs were identified and evaluated, as well as the processes by which the associated programs were developed and are to be deployed. Evaluate the processes for reasonableness.
   a) Identify the extent to which key stakeholders were involved in the identification and development of training programs and evaluate for appropriateness.
   b) To the extent that training programs have been drafted and/or finalized, judgmentally select one organization, facility, or departmental training program and review for reasonableness.
   c) Determine the mechanism by which deployment of training programs will be monitored and evaluate for appropriateness.
3. Conduct information-gathering interviews with selected individuals to determine the process by which ongoing support needs were identified and evaluated, as well as the process by which the associated mechanisms were developed that will facilitate support to end-users once (Application Title) has been implemented.
   a) In the event that a third-party vendor will be utilized to provide all or a component of the ongoing support, determine if a contractual arrangement or similar agreement has been established to help ensure continuity of service.