Software Certifications CSQA CSQA Certified Software Quality Analyst Exam Practice Test

The life cycle testing concept is illustrated in the following figure. This illustration shows that when the project starts, both the system development process and system test process begins. The team that is developing the system begins the systems development process and the team that is conducting the system test begins planning the system test process. Both teams start at the same point using the same information. The systems development team has the responsibility to define and document the requirements for developmental purposes. The test team will likewise use those same requirements, but for the purpose of testing the system. At appropriate points during the developmental process, the test team will test the developmental process in an attempt to uncover defects. The test team should use the structured testing techniques outlined in this guide as a basis of evaluating the system development process deliverables.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-13 at 1.07.56 AM.png

Actual experience with measurement suggests that recurring costs of 2 - 3% of direct project costs are adequate for data collection and analysis and for project tracking and monitoring. This small price buys real help in meeting project goals, and in increasing project control through better budgeting, problem anticipation, risk reduction, and incremental process improvement.

If you want to develop a baseline of customer satisfaction, you might ask your customer to rate the following factors using “very satisfied” to “very dissatisfied” as a scale:

Availability– Accessible to the customer, as agreed (e.g., product is available when you need it).

Correctness– Accurate and meets business and operational requirements (e.g., automated information is accurate).

Flexibility– Easy to customize for specific needs (e.g., easy to enhance product with new features).

Usability– Easy to learn, easy to use, and relevant (e.g., the way you interact with components of the product is consistent).

Caring– Demonstrating empathy, courtesy, and commitment (e.g., project team is sensitive to your needs).

Industry accepted definitions of quality are “conformance to requirements” (from Philip Crosby) and “fit for use” (from Dr. Joseph Juran and Dr. W. Edwards Deming). These two definitions are not inconsistent.

Meeting requirements is a producer’s view of quality. This is the view of the organization responsible for the project and processes, and the products and services acquired, developed, and maintained by those processes. Meeting requirements means that the person building the product does so in accordance with the requirements. Requirements can be very complete or they can be simple, but they must be defined in a measurable format, so it can be determined whether they have been met. The producer’s view of quality has these four characteristics:

Doing the right thing

Doing it the right way

Doing it right the first time

Doing it on time without exceeding cost

Being fit for use is the customer’s definition. The customer is the end user of the products or services. Fit for use means that the product or service meets the customer’s needs regardless ofthe product requirements. Of the two definitions of quality, fit for use, is the more important. The customer’s view of quality has these characteristics:

Receiving the right product for their use

Being satisfied that their needs have been met

Meeting their expectations

Being treated with integrity, courtesy and respect

Consider questions such as:

How big is the risk?

What exactly is being exposed to the risk?

Can this be considered an acceptable risk?

What alternatives are there?

Will alternatives invoke additional risks?

As it is impossible to be completely certain of the impact or likelihood of many events, these events are estimated using a combination of historical data, knowledge of the event, and experience and judgment. Tools such as simulation, decision trees, or calculating a monetary value are used. Risk can be calculated by structured (associated with data) and unstructured (focus on judgment and experience) methods. Regardless of the method used, two elements must always be considered:

The probability of such an event occurring

The resulting impact if the event occurs

While there is no one best way to develop a security awareness program, the process that follows is an all-inclusive process of the best security awareness training program. This example includes these three steps:

IT management creates a security awareness policy.

Develop the strategy that will be used to implement that policy.

Assign the roles for security and awareness to the appropriate individuals.

Step 1 – Create a Security Awareness Policy

The CIO and/or the IT Director need to establish a security awareness policy. The policy needs to state management’s intension regarding security awareness. Experience has shown that unless senior management actively supports security awareness, there will be a lack of emphasis on security among the staff involved in using information technology and information.

Management support for security awareness begins with the development and distribution of a security awareness policy. Once that policy has been established, management makes security awareness happen through supporting the development of a strategy and tactics for security awareness, appropriately funding those activities, and then becoming personally involved in ensuring the staff knows of management’s support for security awareness.

Step 2 – Develop a Security Awareness Strategy

A successful IT security program consists of: 1) developing an IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in the security policy and procedures; and 3) establishing processes for monitoring and reviewing the program.

Security awareness and training should be focused on the organization’s entire user population. Management should set the example for proper IT security behavior within an organization. An awareness program should begin with an effort that can be deployed and implemented in various ways and is aimed at all levels of the organization including senior and executive managers. The effectiveness of this effort will usually determine the effectiveness of the awareness and training program. This is also true for a successful IT security program.

An effective IT security awareness and training program explains proper rules of behavior for the use of an organization’s IT systems and information. The program communicates IT security policies and procedures that need to be followed. This must precede and lay the basis for any sanctions imposed due to noncompliance. Users first should be informed of the expectations. Accountability must be derived from a fully informed, well-trained, and aware workforce.

This step describes the relationship between awareness, training, and education – the awareness training-education continuum. An effective IT security awareness and training program can succeed only if the material used in the program is firmly based on the IT security awareness policy and IT issue-specific policies. If policies are written clearly and concisely, then the awareness and training material – based on the policies – will be built on a firm foundation.

Step 3 – Assign the Roles for Security Awareness

While it is important to have a policy that requires the development and implementation of security and training, it is crucial that IT organizations understand who has responsibility for IT security awareness and training. This step identifies and describes those within an organization that have responsibility for IT security awareness and training.

Some organizations have a mature IT security program, while other organizations may be struggling to achieve basic staffing, funding, and support. The form that an awareness and training program takes can vary greatly from organization to organization. This is due, in part, to the maturity of that program. One way to help ensure that a program matures is to develop and document IT security awareness and training responsibilities for those key positions upon which the success of the program depends.

Measurement Dashboards

Measurement dashboards (also called key indicators) are used to monitor progress and initiate change. A measurement dashboard is analogous to the dashboard on a car. Various key indicators are presented in comparison to their own desired target value (i.e., speed, oil temperature). Arrayed together, they provide an overall snapshot of the car's performance, health, and operating quality. Measurement dashboards help ensure that all critical performance areas are analyzed in relation to other areas. Indicators evaluated alone can lead to faulty conclusions and decision-making.

Key Indicators

Key indicators are the metrics used by management to help them fulfill their management responsibilities. Managers decide what key metrics they need. A dashboard is comprised of the total number of key indicators used by a single manager. The concept of “key” means the metric is considered important by the user in managing job responsibilities. Normally the key indicator is created from many different measures. For example, the Dow Jones Average is created from the combining of stock prices from approximately 40 different stocks.

Control charts provide a way of objectively defining a process and variation. They establish measures on a process, improve process analysis and allow process improvements to be based on facts. Note: variation is briefly described here to put control charts in perspective. Skill Category 8 provides additional details on the topic of variation.

The intent of a control chart is to determine if a process is statistically stable and then to monitor the variation of stable process where activities are repetitive. There are two types of variation:

Common or random causes of variation

These are inherent in every system over time, and are a part of the natural operation of the system. Resolving common cause problems requires a process change.

Special causes of variation

These are not part of the system all the time. They result from some special circumstance and require changes outside the process for resolution.

Control charts are suitable for tracking items such as:

Production failures

Defects by life cycle phase

Complaint/failures by application/software

Response time to change request

Cycle times/delivery times

Mean time to failure

In business and accounting literature, the environment is referred to in many different ways. In accounting literature it is sometimes called the “control environment,” other times the “management environment,” and sometimes just the environment in which work is performed.

For the purpose of this skill category, we will refer to it as the “quality environment.” What is important to understand is that the environment significantly impacts the employee’s attitude about complying with policies and procedures. For example, if IT management conveys that they do not believe that following the system development methodology is important, project personnel most likely will not follow that system development methodology. Likewise, if IT management conveys a lack of concern over security, employees will be lax in protecting their passwords and securing confidential information.

Objective measurement uses hard data that can be obtained by counting, stacking, weighing, timing, etc. Examples include number of defects, hours worked, or completed deliverables. An objective measurement should result in identical values for a given measure, when measured by two or more qualified observers.

Subjective data is normally observed or perceived. It is a person's perception of a product or activity, and includes personal attitudes, feelings and opinions, such as how easy a system is to use, or the skill level needed to execute the system. With subjective measurement, even qualified observers may determine different values for a given measure, since their subjective judgment is involved in arriving at the measured value. The reliability of subjective measurement can be improved through the use of guidelines, which define the characteristics that make the measurement result one value or another.

Following are a few other examples of objective and subjective measures:

The size of a software program measured in LOC is an objective product measure. Any informed person, working from the same definition of LOC, should obtain the same measure value for a given program.

The classification of software as user-friendly is a subjective product measure. For a scale of 1-5, customers of the software would likely rate the product differently. The reliability of the measure could be improved by providing customers with a guideline that describes how having or not having a particular attribute affects the scale.

Development time is an objective process measure.

Level of programmer experience is a subjective process measure.

The five maturity levels are:

Level 1: Initial

At the initial level, an organization does not provide a stable environment for developing and maintaining software. When an organization lacks sound management practices, the benefits of good software engineering practices are undermined by reaction-driven commitments. In a crisis, projects typically abandon any planned procedures and revert to a code and fix methodology. Success depends on having exceptional people.

The process capability at Level 1 is considered ad hoc because the software development process constantly changes as the work progresses. Schedules, budgets, functionality, and product quality are generally unpredictable.

Level 2: Repeatable

Level 2 organizations have installed basic management controls. Policies for managing a software project and procedures to implement those policies are established. Planning and managing projects is based on experience with similar projects. Realistic project commitments are based upon the results observed on previous projects and on the requirements of the current project. Project managers track software costs, schedules, and functionality. Problems in meeting commitments are identified when they arise. Software requirements and the work products developed to satisfy them are baselined and their integrity is controlled.

Level 3: Defined

The standard engineering and management processes for developing and maintaining software across an organization are documented, and these processes are integrated as a whole. There is a group responsible for the organization’s software process activities, e.g., a standards development group. An organization-wide training program is implemented to ensure that the staff and the managers have the knowledge and skills required to fulfill their assigned roles.

Level 4: Managed

A Level 4 organization sets quantitative quality goals for both software products and processes. Productivity and quality are measured and included in an organization-wide database. Projects achieve control over their products and processes by narrowing the variation in their process performance to fall within acceptable quantitative boundaries.

Level 5: Optimizing

At Level 5 the entire organization is focused on continuous process improvement. The organization has the means to identify weaknesses and strengthen the process proactively, with the goal of preventing the occurrence of defects. Software project teams analyze defects to determine their root causes, and lessons learned are disseminated to other projects.

Process improvement must be accomplished by emphasizing teamwork. The PIT component addresses this need. Every member of the organization should become involved in the process improvement process. Not everyone must be on a team, although as many teams as practical should be organized. The two methods below are recommended for creating the teams.

Natural Work Group

Natural work groups, such as a system development project team, characterize the way companies currently organize their employees. Using natural work groups for a PIT is the easiest, quickest, and least confusing method. Generally, these teams already exist, and the members have established working relationships. They are also usually aware of improvements that could be made to improve the effectiveness of their work group.

If natural work group teams elect to address problems that impact beyond their team, the improvement process should support the collaboration of multiple teams working on problems with a broad scope. The measurement system would be required to track and report these instances, so appropriate reward and recognition would occur for these shared team efforts.

Interdepartmental Teams

This method of organizing teams across departmental boundaries promotes interdepartmental teamwork and contributes to breaking barriers (and problems) that exist within organizations.

It is also an excellent way to address problems that affect more than one work group or department. Because these types of problems are typically more complex, it is only recommended as a method of organizing when the PITs are mature.

Select Process and Team

The process to be improved may be selected by the improvement team or assigned by management. Leaders of improvement teams are usually process owners, and members are process users and may be cross-functional. Organizational improvement team members are usually volunteers; however, if subject experts are required and none volunteer, management will assign them. After the process has been selected and the improvement team formed, customers of, and suppliers to, the process are determined. If not already on the team, customer and supplier representatives should be added when practical.

Describe the Process

Two simultaneous actions are initiated in this step: defining customer-supplier relationships and determining actual process flow. The customer's requirements are defined using operational definitions to assure complete understanding between those providing the product or service and the customer. The customer's quality characteristics are defined and the current state of satisfying these, determined. In most instances, the customer referred to is the internal customer. This same idea is applied to the suppliers in the process. The process owner's expectations are defined for suppliers of inputs to the process. The customer and supplier must then agree on the specifications to be met and how quality will be measured.

Assess the Process

To assure that decisions are being made using precise and accurate data, the measurement system used to assess the process must be evaluated. If the measurement is counting, care should be taken to assure that everyone is counting the same things in the same manner. Once it has been determined that the measurement system accurately describes the data of interest, the input and output should be measured and baselines established.

Brainstorm for Improvement

The team should review all relevant information, such as the process flowchart, cause-and-effect diagrams, and control charts. A brainstorming session may be held to generate ideas for reducing input variation. It may help to visualize the ideal process. Improvement ideas must be prioritized and a theory for improvement developed. The what, how, and why of the improvement should be documented so everyone agrees to the plan. All statistical tools should be used in this step, although brainstorming is used the most.

Plan How to Test Proposed Improvement(s)

In this step a plan for testing the proposed improvement developed in the preceding step is created. This process improvement plan specifies what data is to be collected, how the data is to be collected, who will collect the data, and how the data will be analyzed after collection. The specific statistical tools to be used for analysis are defined. Attention is given to designing data collection forms that are simple, concise, and easy to understand. The forms should be tested before being put into use. The process improvement plan is a formal document that is approved by the improvement team.

Analyze Results

The plan developed in the prior step is implemented. The required data is collected using the previously tested forms, and then analyzed using the statistical tools noted in the process improvement plan. The plan is reviewed at improvement team meetings to track progress on process improvement. The tools usually used in this step are data collection methods, flowcharts, run charts, scatter diagrams, histograms, measurement capability, control charts, process capability, and advanced statistical techniques.

Compare Results

This step uses the same statistical tools as in Step 3 to compare the test results with that predicted in Step 4. Has the process been improved? Do the test results agree with scientific or engineering theory? If the results are not as expected, can they be explained? When results are not as expected, it is not a failure - something is still learned about the process and its variation. The new information will be used to develop a new theory. Care is taken to document lessons learned and accomplishments. A set of before and after Pareto charts, histograms, run charts, or control charts are generally used in this step.

Change Process or Redo Steps 4-8

If the results are not as expected, then based on what was learned, a new method for improvement must be developed by reverting back to Step 4. If the results are as expected, and are practical and cost effective, the change recommended in the process improvement plan is implemented. The implementation should be monitored to assure that the gains made in reducing variation are maintained. The team then returns to Step 2 to update the process documentation.

In-Process Reviews

In-Process reviews are used to examine a product during a specific time period of its life cycle, such as during the design activity. They are usually limited to a segment of a project, with the goal of identifying defects as work progresses, rather than at the close of a phase or even later, when they are more costly to correct. These reviews may use an informal, semiformal or formal review format.

Checkpoint Reviews

These are facilitated reviews held at predetermined points in the development process. The objective is to evaluate a system as it is being specified, designed, implemented, and tested. Checkpoint reviews focus on ensuring that critical success factors are being adequately addressed during system development. The participants are subject matter experts on the specific factors to be reviewed against, and could include customer representatives, analysts, programmers, vendors, auditors, etc. For example, if system performance was identified as a critical requirement, three checkpoint reviews might be set up at the end of the requirements, design, and coding phases to ensure there were no performance issues before proceeding to the next phase. Instead of walking team members through a general checklist (as would be done in a phase-end review), a designated performance expert would look specifically at whether performance requirements were being met.

Post-Implementation Reviews

Post-implementation reviews (also known as "postmortems") are conducted in a formal format up to six months after implementation is complete, in order to audit the process based on actual results. They are held to assess the success of the overall process after release, and to identify any opportunities for process improvement.

These reviews focus on questions such as: “Is the quality what was expected?” “Did the process work?” “Would buying a tool have improved the process?” or “Would automation have sped up the process?” Post-implementation reviews are of value only if some use is made of the findings. The quality assurance practitioner draws significant insight into the processes used and their behaviors.

The checklist must contain the following items to determine necessary management security controls placed over online software systems:

Ensure that staff knows who does what relative to security—the security dos and do nots.

Ensure that staff has sufficient resources and skills to exercise its security responsibilities.

Ensure that security is considered in job performance appraisals and results in appropriate rewards and disciplinary measures.

Ensure awareness of the need to protect information; provide training to operate nformation systems securely and be responsive to security incidents.

Ensure that security is an integral part of the systems development life cycle process and explicitly addressed during each phase of the process.

Ensure that staff with sensitive roles has been vetted.

Ensure that the organization is not dependent on one individual for any key security task (i.e., appropriate segregation of duties).

Ensure that privacy and intellectual property rights, as well as other legal, regulatory, contractual and insurance requirements, have been identified with respect to security and processes in your area of responsibility.

Ensure that applicable security measures have been identified and implemented (e.g., effective backup, basic access control, virus detection and protection, firewalls, intrusion detection and adequate insurance coverage).

Ensure that a suitable technical environment is in place to support security measures