Project Management Review

Risk Control Matrices

Control Objectives

1. Evaluate the project management strategy, application development
methodology, and infrastructure planning approach being utilized during each
phase of the (Application Title) rollout initiative.

2. Verify that mechanisms have been developed which limit the ability to make
changes to the application and supporting infrastructure to authorized
personnel, and ensure that modifications follow defined change control and/or
program development procedures.

3. Evaluate (Application Title) application, interface, and associated
infrastructure testing strategies and procedures, as well as management plans
relating to production implementation/conversion sequencing activities, to
help ensure the continued integrity of the data utilized by the application
and that the resources required by the application are readily available.

4. Assess security mechanisms in place and/or planned to ensure that access to
(Application Title) is appropriately restricted and that only authorized
personnel have physical and logical access to the resources on which the
application resides.

5. Review plans for ensuring data is appropriately protected during the
developmental stage and for incorporating (Application Title) into
(Company X)'s data backup, business continuity, and/or disaster recovery
procedures, and assess for reasonableness.

6. Verify that detailed facility training and education plans, along with
future (Application Title) IS support plans, are in place and review for
reasonableness.

Testing Procedures (Status and Notes are recorded against each procedure)

Control Objective 1 (project management strategy, development methodology,
and infrastructure planning):

1. Through discussions with (Employee Name), identify individuals familiar
with the overall planning initiative that has taken place, and is currently
underway, for implementing (Application Title) across the organization (to
include the technical application and infrastructure implementation).

2. Conduct information-gathering interviews to determine the extent to which
each of the following were formally established and review each for
reasonableness:
a) Project Master Plan
b) (Application Title) design and development plans, with particular emphasis
placed on the extent of consultation with applicable hospital operations
personnel
c) Risk Management and Quality Assurance Plans
d) Post-Implementation Review Plan
e) Additional critical planning mechanisms (as applicable)

3. Conduct information-gathering interviews to determine the processes by
which each of the following were evaluated and review each for
reasonableness:
a) Infrastructure and operating system(s) compatibility/requirements
b) Availability and use of available application control features and
functionality
c) Interfaces to other systems within the organization
d) Utilization and safeguarding of protected health information
e) Development of the resource skill set to support (Application Title)
long-term
f) Resource availability to continue support of existing systems during
implementation
g) Identification of financial, operational, and technical stakeholders and
their involvement in:
i. Planning and Development
ii. Testing
iii. Implementation
4. Conduct information-gathering interviews to determine if a formal system
development life cycle methodology is being utilized and appropriately
addresses each of the following:

a) Sufficient controls during the developmental process to include IS and
operations personnel checkpoints at key decision points and required
authorization to proceed
b) Communication to all appropriate employees involved in development and
maintenance
c) Procedures for technological and/or operational change are being used
d) Procedures ensuring user acceptance and sign-off are being used
e) Adequacy of third-party implementer agreements (as applicable)


Control Objective 2 (change control and program development procedures):

1. Through discussions with (Employee Name), identify individuals familiar
with the overall planning initiative for incorporating (Application Title) into
existing change control and/or program development processes – or
developing new processes as needed.

2. Conduct information-gathering interviews with selected individuals to
identify the planned processes for each of the following:

a) Identification and approval of necessary changes
b) Review and prioritization of changes
c) Use of a test environment
d) Segregation of duties (e.g., developer access to production)
e) End-user involvement and communication
f) Updates to system, application, and/or training/user documentation

3. Evaluate the planned processes for reasonableness.

Control Objective 3 (testing strategies and production implementation/
conversion sequencing):

1. Through discussions with (Company X), identify individuals responsible for
developing and executing plans for application, interface, and associated
infrastructure testing.
2. Conduct information-gathering interviews to verify that each of the
following phases is planned for and included as part of the system development
process. Determine the reasonableness of plans to ensure adequate
coverage/tests in each phase. Document any exceptions or instances where one of
these phases is not planned and evaluate for reasonableness:

a) Unit testing – Testing of individual programs, modules, subroutines, or
subprograms.
b) Integration testing – Testing of a group of programs to ensure that a
transaction or data passes correctly between programs.
c) System testing – Testing against specifications and testing all subsystems
with interfaces to other systems; this should include volume/stress testing
to ensure the system will adequately handle anticipated and future capacity
usage at peak periods.
d) Acceptance testing – Functional users test the system with live data, test
data, or a combination of the two to ensure that the system performs all
functions as intended and to satisfy end users that the system was designed
and programmed according to their definitions and requirements.
e) Parallel testing – Conducted with live data where the new system and the
old system (as applicable) are run in parallel on the same data and the
results compared.
f) Pilot testing – Testing one department or area at a time until enough
experience is gained prior to launching an all-out implementation.
g) Regression testing – Run after changes are made to ensure that previously
working functionality is unaffected and the impact of the change is minimized.
3. Evaluate testing strategies for reasonableness to ensure that input,
processing, and output controls will be sufficiently tested to help facilitate the
continued integrity of data to be utilized by the application and other
downstream applications (as applicable). To the extent that supporting
documentation is available, obtain and evaluate for appropriateness.

4. Through discussions with (Company X), identify individuals responsible for
production implementation/conversion sequencing activities and conduct
information-gathering interviews with selected individuals to identify the plans
that have been developed for each of the following initiatives to be
performed during the implementation stage and evaluate for reasonableness:
a) Implementation initiation
b) Key decision points and required authorization to proceed
c) Data validation and continued integrity monitoring
d) Back-out plans


Control Objective 4 (security administration and access control):

1. Through discussions with (Company X), identify individuals familiar with
the overall planning initiative for incorporating (Application Title) into
existing security administration processes – or developing new processes as
needed.
2. Conduct information-gathering interviews with selected individuals to
identify the planned processes/mechanisms for each of the following:

a) Review the security plan and strategy to be utilized and assess for
reasonableness.
b) Determine how logical access to the application and physical access to
the location of key application technology infrastructure will be evaluated for
appropriateness, granted, modified, terminated, supported, and reviewed
periodically.
c) Ensure access setup and modification will be appropriately authorized,
terminations and transfers will be performed in a timely manner, and rights
will be periodically reviewed.
d) Determine the ability of users to access the application remotely and
ensure plans and strategies will appropriately limit access to only authorized
personnel.
e) Obtain documentation of the specific password parameters to be utilized for
network, database, and application access (e.g., minimum length, complexity,
expiration, history, and account lockout thresholds). Validate that these
parameters will appropriately prevent unauthorized access.
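Items 2b and 2c above (timely terminations and periodic review of rights) and item 2d of the change control procedures (developer access to production) are the findings an auditor most often has to reproduce from an exported access list. The following Python is an added example written for this review, not code from the original document or from any (Company X) system: the role names, the 90-day review interval, the one-day termination SLA, and every account and HR record are constructed assumptions, and a real review would read the same fields from the application's user export and the HR feed.

```python
"""Periodic access review checks: segregation of duties between development
and production, timely removal of terminated users, accounts overdue for
review, and accounts with no HR owner. Every record here is constructed
sample data; role names and thresholds are assumptions for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

DEV_ROLES = {"developer"}                                  # assumed role names
PROD_WRITE_ROLES = {"prod_dba", "prod_admin", "prod_deploy"}
REVIEW_INTERVAL = timedelta(days=90)    # assumed periodic review cadence
TERMINATION_SLA = timedelta(days=1)     # assumed: access removed within one day


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset[str]
    last_reviewed: date
    enabled: bool = True


@dataclass(frozen=True)
class HrRecord:
    user: str
    terminated_on: date | None = None   # None means still employed


def sod_conflicts(accounts: list[Account]) -> list[str]:
    """Enabled accounts holding both a developer role and a production write
    role, i.e. a developer who can move code into production unreviewed."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.roles & DEV_ROLES and a.roles & PROD_WRITE_ROLES)


def stale_terminations(accounts: list[Account], hr: list[HrRecord],
                       as_of: date) -> list[str]:
    """Enabled accounts whose owner was terminated longer ago than the SLA."""
    terminated = {r.user: r.terminated_on for r in hr if r.terminated_on is not None}
    return sorted(a.user for a in accounts
                  if a.enabled and a.user in terminated
                  and as_of - terminated[a.user] > TERMINATION_SLA)


def overdue_reviews(accounts: list[Account], as_of: date) -> list[str]:
    """Enabled accounts not re-certified within the review interval."""
    return sorted(a.user for a in accounts
                  if a.enabled and as_of - a.last_reviewed > REVIEW_INTERVAL)


def orphan_accounts(accounts: list[Account], hr: list[HrRecord]) -> list[str]:
    """Enabled accounts with no HR owner: service or shared accounts that need
    a named owner, or leftovers from provisioning outside the process."""
    known = {r.user for r in hr}
    return sorted(a.user for a in accounts if a.enabled and a.user not in known)


def run_review(accounts: list[Account], hr: list[HrRecord],
               as_of: date) -> dict[str, list[str]]:
    return {
        "sod_conflicts": sod_conflicts(accounts),
        "stale_terminations": stale_terminations(accounts, hr, as_of),
        "overdue_reviews": overdue_reviews(accounts, as_of),
        "orphan_accounts": orphan_accounts(accounts, hr),
    }


AS_OF = date(2024, 6, 1)   # constructed review date
ACCOUNTS = [   # constructed user export
    Account("alice", frozenset({"developer"}), AS_OF - timedelta(days=10)),
    Account("bob", frozenset({"developer", "prod_deploy"}), AS_OF - timedelta(days=30)),
    Account("carol", frozenset({"prod_dba"}), AS_OF - timedelta(days=200)),
    Account("dave", frozenset({"prod_admin"}), AS_OF - timedelta(days=20)),
    Account("erin", frozenset({"developer"}), AS_OF - timedelta(days=5)),
    Account("frank", frozenset({"prod_admin"}), AS_OF - timedelta(days=400), enabled=False),
    Account("svc_interface", frozenset({"prod_deploy"}), AS_OF - timedelta(days=15)),
]
HR = [   # constructed HR feed
    HrRecord("alice"), HrRecord("bob"), HrRecord("carol"),
    HrRecord("dave", terminated_on=AS_OF - timedelta(days=10)),   # left 10 days ago
    HrRecord("erin", terminated_on=AS_OF - timedelta(days=1)),    # left yesterday, inside SLA
    HrRecord("frank", terminated_on=AS_OF - timedelta(days=300)), # already disabled
]

if __name__ == "__main__":
    for finding, users in run_review(ACCOUNTS, HR, AS_OF).items():
        print(f"{finding}: {users or 'none'}")
```

Each finding maps to a procedure above: `sod_conflicts` to developer access to production, `stale_terminations` to timely termination, `overdue_reviews` to periodic review of rights, and `orphan_accounts` to the authorization of access setup. Disabled accounts are excluded from every check, and a termination inside the SLA (erin) is deliberately not flagged, so the script reports only what would be an exception against the stated process.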

Control Objective 5 (data protection, backup, business continuity, and
disaster recovery):

1. Through discussions with (Company X), identify individuals familiar with
the overall planning initiative for incorporating (Application Title) into
existing data backup, business continuity, and/or disaster recovery processes
– or developing new processes as needed.

2. Conduct information-gathering interviews with selected individuals to
identify the planned processes/mechanisms for each of the following:

a) Identification of critical data
b) Backup schedule (including types of backups performed – incremental,
full, etc.)
c) Rotation schedule
d) Critical recovery timeframes
e) Data gap analysis, including how much data would be lost between the last
completed backup and a failure
f) Data integrity validation (e.g., mock restores)


3. Evaluate the planned processes for reasonableness.
4. Confirm the location in which data backups will be stored to ensure
access will be restricted to authorized personnel (both physically and
logically) and that data backup sets will be appropriately protected.
5. Identify environmental controls that will be in place to safeguard the
location of key application technology infrastructure and evaluate for
reasonableness.
6. Determine the extent to which formal business continuity and/or disaster
recovery processes exist and ensure coverage will be updated to address
(Application Title) needs. Evaluate each of the following for reasonableness:

a) The existence of formal process(es) and the extent to which (Application
Title) is addressed
b) Recovery of critical hardware/systems
c) Third-party/vendor arrangements
d) Periodic testing/employee awareness
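Items 2b, 2e and 2f above (backup schedule, data gap analysis, and mock restores) can be checked against the backup catalog rather than against the documented intention alone. The following Python is an added example written for this review, not code from the original document or from (Company X): the weekly full / daily incremental schedule, the catalog timestamps, the backup contents, and the deliberately missing Wednesday set are constructed sample data, and the `Backup` record stands in for whatever the real backup software exports.

```python
"""Backup plan analysis: worst-case data gap (recovery point), restore chain
for a point in time, and a mock-restore integrity check. The catalog and its
contents are constructed sample data for a one-week schedule of a weekly
full plus daily incrementals, with one incremental missing."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "incremental"
    completed: datetime  # time the backup set finished writing
    sha256: str          # digest recorded in the catalog when the set was taken


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalog(week_start: datetime, contents: dict[int, bytes]) -> list[Backup]:
    """Full on day 0 at 02:00, incrementals on later days at 02:00.
    `contents` maps day offset -> bytes the set captured (constructed)."""
    catalog = []
    for day, data in sorted(contents.items()):
        kind = "full" if day % 7 == 0 else "incremental"
        catalog.append(Backup(kind, week_start + timedelta(days=day, hours=2),
                              sha256_hex(data)))
    return catalog


def max_data_gap(catalog: list[Backup], review_end: datetime) -> timedelta:
    """Worst-case data loss (item 2e): the longest interval between successive
    completed backups, including the tail up to review_end. A failure just
    before a set completes loses everything written since the previous one."""
    times = sorted(b.completed for b in catalog) + [review_end]
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def restore_chain(catalog: list[Backup], point_in_time: datetime) -> list[Backup]:
    """Sets needed to recover to point_in_time: the latest full completed at or
    before it plus every later incremental up to it. No full means no recovery."""
    usable = sorted((b for b in catalog if b.completed <= point_in_time),
                    key=lambda b: b.completed)
    full_positions = [i for i, b in enumerate(usable) if b.kind == "full"]
    if not full_positions:
        raise ValueError(f"no full backup completed before {point_in_time}")
    return usable[full_positions[-1]:]


def verify_mock_restore(chain: list[Backup],
                        restored: dict[datetime, bytes]) -> list[datetime]:
    """Mock restore check (item 2f): recompute each set's digest from what the
    restore produced and return the completion times of sets that are missing
    or do not match the catalog. An empty list means the chain is intact."""
    failed = []
    for b in chain:
        data = restored.get(b.completed)
        if data is None or sha256_hex(data) != b.sha256:
            failed.append(b.completed)
    return failed


WEEK_START = datetime(2024, 3, 3)   # a Sunday; constructed
SAMPLE_CONTENTS = {                 # constructed; day 3 (Wednesday) never ran
    0: b"full:patients+orders", 1: b"inc:mon", 2: b"inc:tue",
    4: b"inc:thu", 5: b"inc:fri", 6: b"inc:sat",
}
CATALOG = build_catalog(WEEK_START, SAMPLE_CONTENTS)


def demo() -> dict:
    """Run the three checks over the constructed catalog and summarize."""
    next_full = WEEK_START + timedelta(days=7, hours=2)
    chain = restore_chain(CATALOG, WEEK_START + timedelta(days=5, hours=12))
    restored = {b.completed: SAMPLE_CONTENTS[(b.completed - WEEK_START).days]
                for b in chain}
    restored[chain[2].completed] = b"inc:tue-truncated"   # simulate a bad restore
    return {
        "worst_case_gap_hours": max_data_gap(CATALOG, next_full).total_seconds() / 3600,
        "restore_chain": [f"{b.kind}@{b.completed:%a %H:%M}" for b in chain],
        "failed_sets": [t.isoformat() for t in verify_mock_restore(chain, restored)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The missing Wednesday set doubles the worst-case gap from 24 to 48 hours, which is the number to compare against the critical recovery timeframes in item 2d; the restore chain shows how many sets a recovery actually depends on, and the digest comparison is what a mock restore should record rather than a simple "restore completed" status.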


Control Objective 6 (facility training, education, and ongoing IS support):

1. Through discussions with (Company X), identify individuals with the
responsibility for developing facility training and education plans, as well
as those individuals and/or the third-party vendor that will be responsible
for providing end-user support for (Application Title) users once implemented.

2. Conduct information-gathering interviews with selected individuals to
determine the process by which facility training and education needs were
identified and evaluated as well as the processes by which the associated
programs were developed and are to be deployed. Evaluate the processes
for reasonableness.

a) Identify the extent to which key stakeholders were involved in the
identification and development of training programs and evaluate for
appropriateness.
b) To the extent that training programs have been drafted and/or finalized,
judgmentally select one organization, facility, or departmental training
program and review for reasonableness.
c) Determine the mechanism by which deployment of training programs will
be monitored and evaluate for appropriateness.

3. Conduct information-gathering interviews with selected individuals to
determine the process by which ongoing support needs were identified and
evaluated as well as the process by which the associated mechanisms were
developed that will facilitate support to end-users once (Application Title) has
been implemented.
       a) In the event that a third-party vendor will be utilized to provide all
       or a component of the ongoing support, determine if a contractual
       arrangement or similar agreement has been established to help
       ensure continuity of service.
