Maturity model for CSA program

The next key step was to conduct research on project management standards, practices, methodologies, etc. That research, which included a long list of existing maturity models (see Exhibit 2), in addition to the organizational research done at BNYCS, would create the blend of input required to develop the model. The last key step was to employ a highly interactive approach to the development of the model, bringing BNYCS employees and Whittman-Hart consultants together as partners on the development of the model.

With these elements secured, the partnership was ready to proceed, and the remainder of this paper outlines the engagement between BNYCS and Whittman-Hart in general tasks and activities that apply to any company interested in embarking on such an initiative.

One of the first elements of the engagement was a thorough review of the business drivers behind the development of a maturity model. The expectations of the organization, the degree to which the model would be used, and the scope of the organization to be assessed by the model were important elements.

Additionally, because the purpose of project management in the organization was to help it successfully complete strategic initiatives and achieve its goals, the model had to have a direct link to the strategy, mission and vision of the organization.

To accomplish this task, BNYCS and Whittman-Hart reviewed the strategic documents of the organization, the organization history, goals, and structure.

For example, at BNYCS, growth and product development were central to the strategy and mission of the company, which indicates that timely delivery of products is one of the highest priorities and should be reflected in the maturity model. Following the high-level review of the strategy and the business drivers for the organization, the next step was to review the goals from the individual executives in the firm.

Through a series of interviews, the Whittman-Hart consultants were able to develop a sense of the anticipated outcome that these executives hoped to see as a result of implementing project management practices. The individuals, in some cases, represent areas of process focus in the maturity model. Project managers needed to track the performance of departments to the projected ROI months and years after the completion of a project.

In such an example, the expectations of the individual indicated the need for specific processes and activities, which can be elements in a maturity model. The goals of these individuals translated into descriptions of activities and processes reflected at various levels of maturity.

At this point in the process, the general structure of the maturity model began to take shape. The model was constructed with five levels, following a common practice among maturity models. Additionally, process and functional areas were added as cross-reference categories for the five levels. The result was a matrix, the cells of which could be completed with descriptions of the process performing at various levels of maturity.

The Human Resource Development subprocess category, for example, would have descriptions for team selection processes characteristic of each level of maturity. The matrix, once complete, would become the scale against which the organization would be scored.

The assessment questions would be developed based on the content of this matrix, and the results of the assessment could be graphically represented on the matrix. The sum of these ratings could represent the composite score for an organization. However, simply gathering goals from the organization and its individual leaders would not be enough to secure a successful finish to this type of engagement. As with any engagement, the ROI expectations needed to be understood and met. Of course, there are many ways to approach ROI for such an initiative.

Generally, the ROI can be considered in two ways. Most commonly, ROI can be considered as a measurement of the performance of the specific engagement at hand. Alternatively, ROI can be viewed as a facet of another, perhaps larger project. In this engagement, for example, the ROI calculations were based on the scope of the overall implementation of project management practices. The development and use of a maturity model were considered elements of a larger project.

In fact, they were designed to support the implementation and help ensure that the ROI targets were met by identifying gaps or weaknesses in processes that impact the bottom line. Perhaps it is more common for an organization to consider the ROI as a metric for the project to develop and use a maturity model, not the overall use of project management.

In such a scenario, the promise of ROI is based on the presumption that the assessment will identify areas for improvement, and that making those improvements will yield measurable results on the bottom line.

Clearly, to come to a positive ROI in such a system requires that the benefits from the improvements be greater than the cost of creating and using the maturity model. Additionally, it is reasonable to presume that at the upper ends of maturity, there is a diminishing return for the effort.

Therefore, before embarking on such a project, organizations must try to consider the room for improvement that exists. In essence, this amounts to a rough, self-assessment, prior to a proper assessment. An organization that is already quite advanced in its project management practices may not have enough room for improvement that the impact to the bottom line will cover the costs of creating the maturity model, depending on volume of activity, profit margins, costs, etc.

Organizations that are young and lacking in process maturity are likely to benefit so significantly from such an assessment that the costs are easily covered. For example, at BNYCS, where the use of a maturity model was an element of an initiative to implement a project management office, the number of gaps in the processes provided the organization plenty of opportunity to impact the bottom line—resulting in a positive ROI.

As nice as it is to report a positive ROI, it is not always the measure of project success. As is true for all projects, in the development and use of a maturity model, it is important to identify the measures of success.

Ideally, the measures of success can be derived from the business drivers and goals. It is particularly important to interview the executive sponsor of the engagement to identify the measures of success. These measures, whenever possible, should be tangible. A fuzzy or vague measure of success will leave both parties at risk.

For the consulting group, the risk is that the customer will be left unsatisfied, even when the project appeared to be a success. For the contracting organization, the risk is that an important business deliverable will be missed, causing frustration with the engagement.

To safeguard both parties, it is important to have clear and measurable goals that can be used as the ultimate measures of success.

For both parties, it is also beneficial if the measures of success are tied to the organizational strategy and goals, thus yielding the most value and impact to the organization. For the executive sponsor, the engagement for the maturity model should be viewed as a flagship project.

There are multiple levels of assurance for companies that submit to the STAR registry. Each level has a different set of requirements.

At level one, organizations can submit one or both of the security and privacy self-assessments. For the security assessment, organizations use the Cloud Controls Matrix to evaluate and document their security controls.

Organizations should pursue this level if they are: operating in a low-risk environment; wanting to offer increased transparency around the security controls they have in place; looking for a cost-effective way to improve trust and transparency.

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using.

This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. You can learn more about the transition timeline from CAIQ v3. After the relevant document is published on the Registry, a company will receive a Compliance Mark valid for 1 year.

Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud. Organizations looking for a third-party audit can choose from one or more of the security and privacy audits and certifications.

This guide will explain both the practical steps and the overall strategy you will need to implement to earn a STAR Certification or Attestation. Learn about the zero-trust maturity model Duo used to deal with these security concerns and the strategies they adopted.

The rise of privacy is becoming prominent in the cloud era. The need to protect data and individual privacy is a must. In this webinar, learn what you should be continuously managing to ensure privacy protection.

Teaches the fundamentals of cloud security including: architecture, data security, managing risk and more. Advanced hands-on training for secure cloud operations. Learn advanced techniques for designing, deploying and managing secure cloud architectures and being well prepared for incident response.

This course includes the CCSK exam token and teaches the fundamentals of cloud security including: architecture, data security, managing risk and more. Virtual Instructor Led Course. This training includes a CCSK exam token and teaches the fundamentals of cloud security including: architecture, data security, managing risk and more.


