IS Quality-Management Strategies and Policies


Per ISACA, quality assurance usually performs two distinct tasks:

  • Quality assurance (QA): Helps the IT department ensure that the personnel are following prescribed quality processes. For example, QA helps ensure that programs and documentation adhere to the standards and naming conventions.

  • Quality control (QC): Is responsible for conducting tests or reviews to verify that software is free from defects and meets user expectations. This can be done at various stages of the development of application systems, but it must be done before the programs are moved into production.

An example of a standard quality-assurance model is the Software Capability Maturity Model (CMM) developed by Carnegie Mellon's Software Engineering Institute. The CMM model provides a framework for improving software life cycle processes and specific metrics to improve the software process. CMM has maturity levels that are designed with continuous process improvement in mind, to increase product and service quality through the implementation of best practices.


ISACA refers to CMM in both its study material and the exam, even though the CMM model was upgraded to CMMI (Capability Maturity Model Integration) in 2000.


Per the CMM model documentation, software process maturity is the extent to which a specific process is explicitly defined, managed, measured, controlled, and effective. The more mature an organization's software process is, the higher the productivity and quality of the software products produced are. As software process maturity increases, the organization institutionalizes its software process via policies, standards, and organizational structures. This institutionalization entails building an infrastructure and a corporate culture that supports the methods, practices, and procedures of the business so that they endure after those who originally defined them have gone. The CMM maturity levels are shown in Figure 2.2.

Figure 2.2. CMM maturity levels.


IT management can use assessment methods to determine whether the activities of the organization have deviated from the planned or expected levels. These methods include IS budgets, capacity and growth planning, industry standards/benchmarking, financial management practices, and goal accomplishment. Quality management is the means by which the IS department's processes are controlled, measured, and improved. Management principles focus on areas such as people, change, processes, and security. Industry standards/benchmarking provide a means of determining the level of performance provided by similar information-processing facility environments.


The quality assurance group ensures that programs, program changes, and documentation adhere to established standards.


The International Organization for Standardization (ISO) has created the ISO 9000 series, which is implemented by 634,000 organizations in 152 countries. ISO 9000 has become an international reference for quality management requirements in business-to-business dealings. Per ISO, the ISO 9000 family is primarily concerned with "quality management" or what the organization does to fulfill the following:

  • The customer's quality requirements

  • Applicable regulatory requirements

  • Customer satisfaction

  • Continual improvement of its performance in pursuit of these objectives

ISO 9001/9002/9003 contains guidelines about design, development, production, installation, servicing, and final inspection/testing.

Per ISO, ISO 9001:2000, "Quality Management Systems," specifies requirements for a quality-management system. Adherence to these requirements demonstrates that the organization has the capability to consistently provide products that do the following:

  • Meet customer and applicable regulatory requirements

  • Enhance customer satisfaction through the effective application of the system

  • Include processes for continual improvement of the system and the assurance of conformity to customer and applicable regulatory requirements

All requirements of this international standard are generic and are intended to apply to all organizations, regardless of type, size, and product provided.


The 1994 versions of ISO 9001/9002/9003 were combined into a single revised document represented by ISO 9001:2000 (see www.iso.org/iso/en/iso9000-14000/iso9000/faqs.html).


ISO 9126 focuses on the end result of good software processes, such as the quality of the actual software product. ISO 9126 provides definitions of the characteristics and associated quality-evaluation process to be used when specifying the requirements for and evaluating the quality of software products throughout the software life cycle. The following are specific definitions associated with the ISO standards.

  • ISO/IEC TR 9126-2:2003 provides external metrics for measuring attributes of six external quality characteristics defined in ISO/IEC 9126-1.

    • Users of ISO/IEC TR 9126-2:2003 can select or modify and apply metrics and measures from ISO/IEC TR 9126-2:2003, or can define application-specific metrics for their individual application domain.

    • ISO/IEC TR 9126-2:2003 is intended to be used together with ISO/IEC 9126-1.

    • ISO/IEC TR 9126-2:2003 contains an explanation of how to apply software quality metrics, a basic set of metrics for each subcharacteristic, and an example of how to apply metrics during the software product life cycle. ISO/IEC TR 9126-2:2003 does not assign ranges of values of these metrics to rated levels or to grades of compliance because these values are defined for each software product or a part of the software product, depending on such factors as category of the software, integrity level, and users' needs. Some attributes might have a desirable range of values that does not depend on specific user needs but that depends on generic factors, such as human cognitive factors.

    • The metrics listed in ISO/IEC TR 9126-2:2003 are not intended to be an exhaustive set. Developers, evaluators, quality managers, and acquirers can select metrics from ISO/IEC TR 9126-2:2003 for defining requirements, evaluating software products, measuring quality aspects, and other purposes.

  • ISO/IEC TR 9126-3 defines internal metrics.

    • Internal metrics measure the software itself, external metrics measure the behavior of the computer-based system that includes the software, and quality in use metrics measure the effects of using the software in a specific context of use.

  • ISO/IEC 9126-4 defines quality in use metrics, for measuring the characteristics or subcharacteristics.

In conjunction with these standards, organizations can perform certification and accreditation activities. These activities are commonly performed within the U.S. federal government and are defined as follows:

  • Certification: This is a major consideration before processing is authorized, but it is not the only consideration. Certification is the technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meet a prespecified set of security requirements.

  • Accreditation: This is the authorization and approval granted to an information system to process in an operational environment. It is made on the basis of a certification by designated technical personnel that the system meets prespecified technical requirements for achieving adequate system security.

Certification activities include testing systems and their controls to ensure that the systems meet the control objectives. When the certification is complete, any deficiencies are noted and forwarded to the appropriate authority for accreditation. During the accreditation process, the approving authority reviews the results of controls testing and determines the level of risk associated with the deficiencies. If the approving authority determines that the risk associated with the deficiencies is acceptable, the system is allowed to process in an operational environment with a plan to correct the deficiencies (remediation). If the level of risk is beyond an acceptable level, the deficiencies must be corrected before the system can go into operation.

The IS auditor must review quality assurance activities to ensure that quality assurance personnel are creating and reviewing prescribed quality processes. The auditor also must make sure that a standard quality-control process is in place for conducting tests or reviews, to verify and ensure that software and systems are free from defects and that they meet user expectations.


Quality assurance could be an additional responsibility of the security administrator. Although making the security administrator responsible for application programming, systems programming, or data entry would not provide an adequate segregation of duties, working in quality assurance does not constitute improper segregation of duties.




Source: CISA Exam Cram 2 (2005), ISBN: B001EEFNHG, 146 pages.
