Project Scope ManagementProject Scope Management

Information Technology Project Information Technology Project Management,Management,Fifth EditionFifth EditionNote: some slides have been removed from the author’s original presentation.Some slides are added to address security projects

What is Project Scope Management?Scope refers to all the work involved in creating

the products of the project and the processes used to create them

A deliverable is a product produced as part of a project, such as hardware or software, planning documents, or meeting minutes

Project scope management includes the processes involved in defining and controlling what is or is not included in a project

Information Technology Project Management, Fifth Edition, Copyright 20072

Project Scope Management Processes1. Scope planning: deciding how the scope will be defined,

verified, and controlled

2. Scope definition: reviewing the project charter and preliminary scope statement and adding more information as requirements are developed and change requests are approved

3. Creating the WBS: subdividing the major project deliverables into smaller, more manageable components

4. Scope verification: formalizing acceptance of the project scope

5. Scope control: controlling changes to project scope

Information Technology Project Management, Fifth Edition, Copyright 20073

Figure 5-1: Project Scope Management Summary

Information Technology Project Management, Fifth Edition, Copyright 20074

1. Scope Planning and the Scope Management Plan

The scope management plan is a document that includes descriptions of how the team will prepare the project scope statement, create the WBS, verify completion of the project deliverables, and control requests for changes to the project scope

Key inputs include the project charter, preliminary scope statement, and project management plan

Information Technology Project Management, Fifth Edition, Copyright 20075

2. Scope Definition and theProject Scope StatementThe preliminary scope statement, project charter,

organizational process assets, and approved change requests provide a basis for creating the project scope statement

As time progresses, the scope of a project should become more clear and specific

Information Technology Project Management, Fifth Edition, Copyright 20076

Scope definitionThe scope may be described in many different

ways, dependently on the project natureFor example:

The list of functions to be deliveredOutline of technology environment to be coveredCategory of devices to be includedParticular technology solutions to be incorporated

Information Technology Project Management, Fifth Edition, Copyright 20077

3. Creating the Work Breakdown Structure (WBS)A WBS is a deliverable-oriented grouping of the

work involved in a project that defines the total scope of the project

WBS is a foundation document that provides the basis for planning and managing project schedules, costs, resources, and changes

Decomposition is subdividing project deliverables into smaller pieces

A work package is a task at the lowest level of the WBS

Information Technology Project Management, Fifth Edition, Copyright 20078

Approaches to Developing WBSsUsing guidelines: some organizations provide

guidelines for preparing WBSsThe analogy approach: review WBSs of similar

projects and tailor to your projectThe top-down approach: start with the largest

items of the project and break them downThe bottom-up approach: start with the specific

tasks and roll them upMind-mapping approach: mind mapping is a

technique that uses branches radiating out from a core idea to structure thoughts and ideas

Information Technology Project Management, Fifth Edition, Copyright 20079

Figure 5-6: Sample Mind-Mapping Approach for Creating a WBS

Information Technology Project Management, Fifth Edition, Copyright 200710

What Went Wrong?A project scope that is too broad and grandiose

can cause severe problemsScope creep and an overemphasis on technology for

technology’s sake resulted in the bankruptcy of a large pharmaceutical firm, Texas-based FoxMeyer Drug p. 201

In 2001, McDonald’s fast-food chain initiated a project to create an intranet that would connect its headquarters with all of its restaurants to provide detailed operational information in real time; after spending $170 million on consultants and initial implementation planning, McDonald’s realized that the project was too much to handle and terminated it. p.202

Northrop Grumman insurance, 1980’s, system dubbed “Naziware”; not in touch with how end users did their work. p202

Information Technology Project Management, Fifth Edition, Copyright 200711

4. Scope VerificationIt is very difficult to create a good scope statement

and WBS for a projectIt is even more difficult to verify project scope and

minimize scope changesScope verification involves formal acceptance of

the completed project scope by the stakeholdersAcceptance is often achieved by a customer

inspection and then sign-off on key deliverables

Information Technology Project Management, Fifth Edition, Copyright 200712

5. Scope ControlScope control involves controlling changes to

the project scopeGoals of scope control are to:

Influence the factors that cause scope changesAssure changes are processed according to

procedures developed as part of integrated change control

Manage changes when they occurVariance is the difference between planned and

actual performance

Information Technology Project Management, Fifth Edition, Copyright 200713

ScopeCreep

Best Practices for Avoiding Scope Problems1. Keep the scope realistic …

2. Involve users in project scope management …

3. Use off-the-shelf hardware and software whenever possible …

4. Follow good project management processes: …

Information Technology Project Management, Fifth Edition, Copyright 200714

Define Security Project Scope Make sure that your scope covers most vulnerable

assetsPerform vulnerability analysis to identify key areas for your

projectEvaluate outstanding assets and perform risks

analysisUse the company-wide methodology of security risks

management Write so called Residual Risks Statement

Outline security risks that remain after the project implementation

Send the statement to the manager

Information Technology Project Management, Fifth Edition, Copyright 200715

Create Security Project WBSThe same approach as for any other project

Use applicable tasks, e.g installation, hardening, configuration

Practical things to think about:Needs to verify the project deliverables against the enterprise-wide

security architectureNeeds to verify and adjust access control policy and implementationNeeds to change other security policiesNeeds to change SETA (security education, training, and awareness

program)Needs to implement users trainingNeeds to perform security risks assessment after the project

implementation and provide final Residual Risks StatementNeeds to update Business Continuity Plan (aka Disaster Recovery)

Information Technology Project Management, Fifth Edition, Copyright 200716

Verifying Security Project Scope Review with Information Security department at a minimum Review with Risk Management and Compliance for more serious

projects If you have to reduce the scope make sure that the security level is

not silently impacted – go with residual risks statement If the project affects end users, talk to them. Make sure that usability

remains at the acceptable level Talk to IT people. Make sure that the system non-functional

requirements (scalability, performance, flexibility) are not impacted

Information Technology Project Management, Fifth Edition, Copyright 200717

Build WBS on the basis of SDLCThere is misunderstanding of SDLC as it would

apply to the software development projectsSDLC applies to ANY IT projectANY solution assumes

RequirementsDesignImplementation in QATestingLaunch to production

Build your WBS on the basis of SDLC

Information Technology Project Management, Fifth Edition, Copyright 200718