Identify, prioritize, specify and agree on business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment program.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Identify, document and analyze risks associated with the business requirements and solution design as part of the organization’s process for the development of requirements.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approach.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Translate business requirements into a high-level design specification for software acquisition, taking into account the organization’s technological direction and information architecture. Have the design specifications approved by management to ensure that the high-level design responds to the requirements. Reassess when significant technical or logical discrepancies occur during development or maintenance.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Prepare detailed design and technical software application requirements. Define the criteria for acceptance of the requirements. Have the requirements approved to ensure that they correspond to the high-level design. Perform reassessment when significant technical or logical discrepancies occur during development or maintenance.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Implement business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorized and auditable.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Address application security and availability requirements in response to identified risks and in line with the organization’s data classification, information architecture, information security architecture and risk tolerance.

Configure and implement acquired application software to meet business objectives.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

In the event of major changes to existing systems that result in significant change in current designs and/or functionality, follow a similar development process as that used for the development of new systems.

Ensure that automated functionality is developed in accordance with design specifications, development and documentation standards, QA requirements, and approval standards. Ensure that all legal and contractual aspects are identified and addressed for application software developed by third parties.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Develop, resource and execute a software QA plan to obtain the quality specified in the requirements definition and the organization’s quality policies and procedures.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Track the status of individual requirements (including all rejected requirements) during the design, development and implementation, and approve changes to requirements through an established change management process.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Develop a strategy and plan for the maintenance of software applications.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organization’s technology direction.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organization’s change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Establish development and test environments to support effective and efficient feasibility and integration testing of infrastructure components.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Develop a plan to identify and document all technical, operational and usage aspects such that all those who will operate, use and maintain the automated solutions can exercise their responsibility.

Transfer knowledge to business management to allow those individuals to take ownership of the system and data, and exercise responsibility for service delivery and quality, internal control, and application administration.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Transfer knowledge and skills to allow end users to effectively and efficiently use the system in support of business processes.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Transfer knowledge and skills to enable operations and technical support staff to effectively and efficiently deliver, support and maintain the system and associated infrastructure.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Develop and follow a set of procedures and standards that is consistent with the business organization’s overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business.

Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisers.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimized with input from potential suppliers.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Protect and enforce the organization’s interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services.

Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorized, prioritized and authorized.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Train the staff members of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Establish a test plan based on organization-wide standards that defines roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Establish an implementation and fallback/backout plan. Obtain approval from relevant parties.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Define and establish a secure test environment representative of the planned operations environment relative to security, internal controls, operational practices, data quality and privacy requirements, and workloads.

Plan data conversion and infrastructure migration as part of the organization’s development methods, including audit trails, rollbacks and fallbacks.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Test changes independently in accordance with the defined test plan prior to migration to the operational environment. Ensure that the plan considers security and performance.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and any necessary regression tests. Following evaluation, approve promotion to production.

There are no PSGs published for this topic; however, the topic is under review for future PSGs

Following testing, control the handover of the changed system to operations, keeping it in line with the implementation plan. Obtain approval of the key stakeholders, such as users, system owner and operational management. Where appropriate, run the system in parallel with the old system for a while, and compare behavior and results.

Establish procedures in line with the organizational change management standards to require a post-implementation review as set out in the implementation plan.

There are no PSGs published for this topic; however, the topic is under review for future PSGs