What to watch out for in IT project management


Risk management in the IT industry

Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions. This process is not unique to the IT environment; indeed, it pervades decision-making in all areas of our daily lives.

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

So, who should be involved in the risk management of an organization?

Personnel who should support and participate in the risk management process are:

• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate the results of the risk assessment activity into the decision-making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.

• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. The system and information owners must therefore understand their role in the risk management process and fully support this process.

• Business and Functional Managers. The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

• Information System Security Officer (ISSO). The ISSO and computer security officers are responsible for their organizations’ security programs, including risk management. Therefore, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations’ missions.

• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for the proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

Most organizations have tight budgets for IT security; therefore, IT security spending must be reviewed as thoroughly as other management decisions. A well-structured risk management methodology, when used effectively, can help management identify appropriate controls for providing the mission-essential security capabilities.

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC (System Development Life Cycle). The risk assessment methodology encompasses nine primary steps, which are:

• Step 1System Characterization

• Step 2Threat Identification

• Step 3Vulnerability Identification

• Step 4Control Analysis

• Step 5Likelihood Determination

• Step 6Impact Analysis

• Step 7Risk Determination

• Step 8Control Recommendations , and

• Step 9Results Documentation

Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

When control actions must be taken, the following rule applies:

Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities.

The following risk mitigation methodology describes the approach to control implementation:

• Step 1Prioritize Actions

Based on the risk levels presented in the risk assessment report, the implementation

actions are prioritized

• Step 2Evaluate Recommended Control Options

The controls recommended in the risk assessment process may not be the most

appropriate and feasible options for a specific organization and IT system The objective is to select the most appropriate control option for minimizing risk

• Step 3Conduct Cost-Benefit Analysis

To aid management in decision making and to identify cost-effective controls, a cost benefit analysis is conducted

• Step 4Select Control

On the basis of the results of the cost-benefit analysis, management determines the

most cost-effective control(s) for reducing risk to the organization’s mission The

controls selected should combine technical, operational, and management control

elements to ensure adequate security for the IT system and the organization

• Step 5Assign Responsibility

Appropriate persons (in-house personnel or external contracting staff) who have the

appropriate expertise and skill-sets to implement the selected control are identified,

and responsibility is assigned

• Step 6Develop a Safeguard Implementation Plan

During this step, a safeguard implementation plan (or action plan) is developed The plan should, at a minimum, contain the following information:

– Risks and associated risk levels

– Recommended controls

– Prioritized actions (with priority given to items with Very High and High risk

levels)

– Selected planned controls (determined on the basis of feasibility, effectiveness,

benefits to the organization, and cost)

– Required resources for implementing the selected planned controls

– Lists of responsible teams and staff

– Start date for implementation

– Target completion date for implementation

–Maintenance requirements

• Step 7Implement Selected Control(s)

Depending on individual situations, the implemented controls may lower the risk

level but not eliminate the risk

In implementing the above recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for their IT systems and organization. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization’s mission.

And now we come to the last process, but not the least: Evaluation and Assessment.

In most organizations, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving.

To put it in a nutshell, a successful risk management program will rely on:

(1) senior management’s commitment;

(2) the full support and participation of the IT team;

(3) the competence of the risk assessment team, which must have the expertise to apply the risk assessment methodology to a specific site and system, identify mission risks, and provide cost-effective safeguards that meet the needs of the organization;

(4) the awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the mission of their organization; and

(5) an ongoing evaluation and assessment of the IT-related mission risks.

Thank you very much for your attention!

The general meaning of the above is as follows:

Paragraphs 1, 2 and 3: In the digital era the operation of enterprises and organizations can no longer do without IT systems, so risk management of those systems has become very important. Risk management is the means of finding the balance between keeping systems secure and what that costs. Effective risk management keeps systems operating securely so that the organization's goals are met, rather than merely protecting IT assets; it must therefore be treated as a primary management function.

Paragraphs 4, 5 and 6: These list the personnel and departments tied to risk management, and stress that sound methods are needed to make the most of a limited management budget if the goal is to be reached effectively.

Paragraphs 7 to 11: IT risk management covers three major processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment uses nine steps to determine all the risks to an IT system over its development life cycle and their severity, and then to choose controls. Risk mitigation explains how to obtain the greatest effect at the lowest cost, in seven steps. The third process is evaluation and assessment: as time passes, most enterprises' networks expand or are updated, hardware and software are replaced or upgraded, staff change and security measures change, and all of this produces new risks. Risk management is therefore never finished and keeps evolving.

Paragraph 12: The closing summary: a successful risk management program has five key points: 1. the commitment of senior management; 2. the full support and participation of the IT team; 3. the professional competence of the risk assessment team; 4. users operating according to the rules; 5. continual evaluation and assessment of IT risks.

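The risk determination step of the assessment and the first mitigation steps above (prioritize, cost-benefit analysis, select, plan) can be carried through as a small risk register. The Python below is an added example, not part of the original answer; the numeric scale for the High/Medium/Low ratings, the four sample findings, the candidate controls with their assumed annual costs and effects, and the budget are all constructed for this illustration.

```python
"""Added example, not from the original answer: a small risk register that runs
Step 7 of the assessment (risk determination) and mitigation Steps 1, 3, 4 and 6
(prioritize, cost-benefit, select, plan). The rating scale, sample findings,
control costs, control effects and budget are all assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # assumed Step 5 scale
IMPACT = {"High": 100.0, "Medium": 50.0, "Low": 10.0}   # assumed Step 6 scale
PRIORITY = {"High": 0, "Medium": 1, "Low": 2}           # lower sorts first


@dataclass(frozen=True)
class Finding:
    fid: str
    threat: str         # Step 2
    vulnerability: str  # Step 3
    likelihood: str     # Step 5, already adjusted for controls found in Step 4
    impact: str         # Step 6


@dataclass(frozen=True)
class Control:
    name: str
    addresses: Tuple[str, ...]                 # finding ids the control applies to
    annual_cost: float                         # assumed cost for the cost-benefit step
    residual_likelihood: Optional[str] = None  # rating after the control; None = unchanged
    residual_impact: Optional[str] = None      # rating after the control; None = unchanged


def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: bucket the likelihood x impact product into High, Medium or Low."""
    score = risk_score(likelihood, impact)
    return "High" if score > 50 else "Medium" if score > 10 else "Low"


def residual_rating(f: Finding, controls: List[Control]) -> Tuple[str, str]:
    """Likelihood and impact left once every control that addresses f is applied."""
    lik, imp = f.likelihood, f.impact
    for c in [k for k in controls if f.fid in k.addresses]:
        if c.residual_likelihood and LIKELIHOOD[c.residual_likelihood] < LIKELIHOOD[lik]:
            lik = c.residual_likelihood
        if c.residual_impact and IMPACT[c.residual_impact] < IMPACT[imp]:
            imp = c.residual_impact
    return lik, imp


def benefit(c: Control, by_id: Dict[str, Finding]) -> float:
    """Risk reduction the control buys, summed over the findings it addresses."""
    return sum(max(risk_score(f.likelihood, f.impact) - risk_score(*residual_rating(f, [c])), 0.0)
               for f in (by_id[x] for x in c.addresses))


def safeguard_plan(findings: List[Finding], controls: List[Control], budget: float) -> dict:
    """Rank controls by the highest risk level they touch (Step 1), then by benefit
    per unit cost (Step 3); select within budget (Step 4); emit plan rows (Step 6)."""
    by_id = {f.fid: f for f in findings}
    level = lambda f: risk_level(f.likelihood, f.impact)

    def rank(c: Control):
        return (min(PRIORITY[level(by_id[x])] for x in c.addresses), -benefit(c, by_id) / c.annual_cost)

    spent, selected = 0.0, []
    for c in sorted(controls, key=rank):
        if benefit(c, by_id) > 0 and spent + c.annual_cost <= budget:
            selected.append(c)
            spent += c.annual_cost

    rows = [{
        "finding": f.fid,
        "risk": level(f),
        "controls": [c.name for c in selected if f.fid in c.addresses],
        "residual_risk": risk_level(*residual_rating(f, selected)),
    } for f in sorted(findings, key=lambda f: (PRIORITY[level(f)], f.fid))]
    return {"selected": [c.name for c in selected], "cost": spent, "rows": rows}


# Constructed sample data for illustration only.
FINDINGS = [
    Finding("F1", "External attacker", "Internet-facing server missing a vendor patch", "High", "High"),
    Finding("F2", "Malicious insider", "Shared administrator account, no accountability", "Medium", "High"),
    Finding("F3", "Hardware failure", "No tested backup of the HR database", "Low", "High"),
    Finding("F4", "Curious staff", "Print room door left unlocked", "Medium", "Low"),
]
CONTROLS = [
    Control("Monthly patch cycle", ("F1",), 20_000, residual_likelihood="Low"),
    Control("Named admin accounts with MFA", ("F2",), 15_000, residual_likelihood="Low"),
    Control("Offsite backup with quarterly restore test", ("F3",), 30_000, residual_impact="Low"),
    Control("Door badge reader", ("F4",), 8_000, residual_likelihood="Low"),
]

if __name__ == "__main__":
    for row in safeguard_plan(FINDINGS, CONTROLS, budget=40_000)["rows"]:
        print(row)
```

With a budget of 40,000 the register selects the patch cycle and the named admin accounts, which address the High and Medium findings, and leaves the two Low findings for a later cycle; a larger budget pulls in the remaining controls in cost-benefit order. The point to notice is the one the speech makes in mitigation Step 7: the selected controls lower each finding to a residual risk level, here Low, but do not eliminate it.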

Article from 项目管理者联盟 (Project Management Alliance): In the software development process, requirements change runs through the whole life cycle of a software project. From project initiation through development and maintenance, users' growing experience, their changing perceptions of the software, and new developments across the industry all create demands to keep improving functionality, optimizing performance and raising user-friendliness. In software project management, the project manager constantly faces requirements changes from users. If these changes cannot be handled effectively, the project plan is adjusted again and again, the delivery date slips repeatedly, and the morale of the development staff sinks lower and lower, leading directly to higher project cost, lower quality and a later delivery date. This is why the project team must have a requirements management strategy.

1. Problem analysis. Problem analysis is done by understanding the problem and the initial needs of the stakeholders and proposing a high-level solution. It is the reasoning and analysis used to find "the problem behind the problem". During problem analysis, agreement is reached on questions such as "what is the actual problem we face" and "who are the stakeholders". You also define the solution from a business perspective, along with the factors that constrain it. You should already have done a business case analysis of the project, which helps you estimate the return on investment to expect from the project under construction.

2. Understanding stakeholder needs. Requirements come from many sources, such as customers, partners, end users or experts in a domain. You need to know how to judge which source a requirement should come from, how to approach those sources and how to obtain information from them. The individuals who provide the main sources of this information are called stakeholders in this project. If you are developing an information system for use inside your own company, the development team should include people with end-user experience and business domain expertise. Discussion usually takes place at the level of the business model rather than of the system. If you are developing a product to be sold on the market, you can fully engage the marketing staff to better understand the needs of users in that market. Techniques for eliciting needs include interviews, brainstorming, conceptual prototyping, questionnaires and competitive analysis. The result may be an illustrated list of requests or needs, ordered by relative priority.

3. Defining the system. Defining the system means interpreting stakeholder needs and organizing them into a clear description of the system to be built. Early in system definition the following are settled: the composition of the requirements, document format, language, the level of detail (how many requirements and how detailed), requirement priority and estimated effort (different people in different practices usually see these two quite differently), technical and management risks, and initial scope. System definition may also include early prototypes and design models directly tied to the most critical stakeholder requests. The result of system definition is a system description expressed in natural language and diagrams.

Key control point 1: Time control of the project

First, make the project's expectations clear and do the requirements research properly. Set practical, achievable project goals around the enterprise's core business processes. These goals must not be over-ambitious or try to cover everything; the purpose is to meet the needs of the core business processes. Items with little or no relation to the core processes should be deferred or not built at all, so that business expectations focus on goals that are easier to control and quantify. Project implementation revolves entirely around these expectations; this is the most important point in project implementation.

Second, an IT project is a systems engineering effort that needs full cooperation across many departments and stages; a delay in any department or stage lengthens the whole implementation cycle. Concentrating effort on the "weakest link" stages that hold back progress, so that they keep pace with the other parts of the project, therefore effectively protects the implementation schedule.

Third, IT projects often have long cycles, so a time-assurance mechanism tailored to each implementation phase is needed, giving the project a clear goal for every day, so that progress can be controlled effectively.

Finally, because IT projects are broad in scope and involve many people of uneven skill and differing understanding of the project, participants, and even senior managers, need general project training before the project starts and relevant project training while it runs. As the saying goes, sharpening the axe does not delay the woodcutting: raising every participant's project competence effectively improves implementation efficiency and so protects the implementation cycle.

Key control point 2: Cost control of the project

First, an IT project is the application of IT to the enterprise's business, and its development and implementation rest on the requirements raised by the business departments. However, because development and implementation take a long time, it often happens that by the time the system is finished the business requirements have changed and the project has to be redeveloped. This is a major factor in project cost.

This arises partly because the project team's early research was not deep enough to fully grasp the business departments' real needs and where those needs were heading, and partly because, as the project progresses, the business departments gain a deeper understanding of how it applies to their work. To control the cost increase that comes from requirements change, the project manager should, in addition to deeper research up front, step up training of business staff so that they understand the project in depth before it is put to use.

Second, during implementation, business-related application requests arrive in a steady stream, and the growing requirements keep pushing up the budget, another important factor in project cost. The project manager must treat such requests differently: a requirement that genuinely helps realize the project's expectations and improves the implementation outcome should be adopted even at the price of higher cost and a longer cycle, since it is a useful complement to the project; a requirement with little or no relation to the project's expectations should be firmly rejected.

Therefore, setting accurate project expectations before implementation, marking out clear development tasks and scope, and enforcing them strictly can effectively control this kind of cost increase.

Finally, another major source of IT project cost is human resources, so while looking at hard costs such as hardware and software, the soft cost of people must not be overlooked. Controlling implementation time, allocating staff sensibly and avoiding wasted effort are the keys to controlling this cost.

Key control point 3: Quality control of the project

Quality control of an IT project has two aspects: the quality of the IT itself (hardware, software, systems), and, the most important aspect, the quality of its application in the enterprise. The former can be measured against national quality standards; for the latter there is no unified standard and quantitative control is difficult. In any case the subject of an IT project is the enterprise, and the sole criterion for judging how well IT has been applied to the enterprise should be the project's effect in practice. Good quality control in an IT project therefore requires the following:

Assess the suitability of the project's technical solution. The final effect of an IT project shows in the enterprise's use of it, so a solution that does not fit the enterprise's actual situation is not a good one, however advanced its technology or stable its architecture. When the enterprise's project manager receives the solution proposed by the software company (the implementer), it must first be assessed for fit. On one hand, assess whether the solution's technical roadmap is consistent with the enterprise's other projects. An IT project is a systems engineering effort that affects many layers of the enterprise; it does not stand alone but is tightly linked to other projects. Inconsistent technical roadmaps across projects lead to blocked information flow and mismatched data interfaces, creating information "islands". On the other hand, assess how well the solution fits the business. The end users of the system are the business departments, so the solution must suit the business requirements, integrate easily with business processes, and, on the basis of fully meeting those requirements, raise the level of the business in a planned way.

Give equal weight to phased evaluation and project acceptance. IT projects generally have long build cycles and their effects take time to appear, so concentrating all acceptance and evaluation at the end exposes the project to too much risk. Phased evaluation, implementing, applying, measuring and improving as the project goes, not only helps the project manager control quality during the project but also effectively lowers the project's risk.

Track implementation with documentation. During implementation, write a build (user) manual for each phase and track it as documentation, then on completion consolidate them into a unified project build (user) document; this helps the project manager grasp and supervise project quality.

Key control point 4: Risk control of the project

Risk control of an IT project reduces the uncertainties in implementation and effectively raises the success rate. Since the core of such a project is providing application services to the business through IT, its risks come mainly from three sources:

First, technical risk, formed by the quality of the technical architecture, the technical capability of the software vendor and the implementation experience of the implementer. To avoid it, the enterprise's project manager should, on one hand, choose a vendor with strong development capability and an implementer with rich experience and good service, and on the other hand keep the project's technical architecture consistent with that of the enterprise's other IT projects. Bringing in third-party professional consulting, supervision and project evaluation is also an effective way to avoid technical risk.

Second, application risk, formed by how well the project fits and integrates with the business and by the impact of its implementation. Before implementation, a suitability assessment can predict how well the project will mesh with the business, anticipate the problems its application will bring, and work out solutions in advance; during implementation, implementing and applying in parallel, continuously monitoring implementation status and application effect, and solving problems as they appear also effectively avoids application risk.

Third, implementation risk, arising from uncertainty in time, cost and quality during implementation. The way to lower it is for the project manager to use their organizational, decision-making, communication, business and technical abilities to control time, cost and quality strictly.

Hope this helps, thank you!

The above is the full content on "Please help write an English speech: risk management in the IT industry (50 extra points for a good answer)", including the answers to: "Please help write an English speech: risk management in the IT industry (50 extra points for a good answer)", "What is the relationship between enterprise internal control and IT internal control?", and "How to do requirements management well in IT projects".

Source: 内存溢出, original URL: http://www.outofmemory.cn/langs/8805566.html
