IT Service Management Process Improvement based on ISO/IEC 15504: A systematic review

Context

In recent years, many software companies have considered Software Process Improvement (SPI) as essential for successful software development. These companies have also shown special interest in IT Service Management (ITSM). SPI standards have evolved to incorporate ITSM best practices.

Objective

This paper presents a systematic literature review of ITSM Process Improvement initiatives based on the ISO/IEC 15504 standard for process assessment and improvement.

Method

A systematic literature review based on the guidelines proposed by Kitchenham and the review protocol template developed by Biolchini et al. is performed.

Results

Twenty-eight relevant studies related to ITSM Process Improvement have been found. From the analysis of these studies, nine different ITSM Process Improvement initiatives have been detected. Seven of these initiatives use ISO/IEC 15504 conformant process assessment methods.

Conclusion

During the last decade, in order to satisfy the on-going demand of mature software development companies for assessing and improving ITSM processes, different models which use the measurement framework of ISO/IEC 15504 have been developed. However, it is still necessary to define a method with the necessary guidelines to implement both software development processes and ITSM processes reducing the amount of effort, especially because some processes of both categories are overlapped.     

Transitioning international software engineering standards to academia: Analyzing the results of the adoption of ISO/IEC 29110 in four Mexican universities

Software standards, targeted for the software industry, were developed to contribute to the development of quality products within budget and schedule, by optimizing efforts and resources. For small companies, the largest percentage of software companies in Mexico, they are fundamental for their growth and survival. However, academic programs do not always match industry requirements. In previous studies, the curricula in Computer Science and Informatics, and Software Engineering, of 4 Mexican universities, were compared with two software industry standards: the MoProSoft standard, a Mexican standard designed for organizations having up to 50 people and the Basic profile of the ISO/IEC 29110 developed specifically for organizations having up to 25 people. The analysis of the academic programs showed a better coverage of ISO/IEC 29110 than MoProSoft. In this paper, these two standards are mapped to understand the results of the analysis in detail and provide recommendations regarding academic programs. The analysis provides an evidence that the processes of the Basic profile of ISO/IEC 29110 are better covered by the universities curricula because the processes provides the minimal set of practices to be performed while a project is executed from the beginning until the delivery of a software. In addition, this mapping presents a clear differentiation between these two standards that might help Software Development Centers to understand where to start in the implementation of one of them.     

A serious game for teaching the fundamentals of ISO/IEC/IEEE 29148 systems and software engineering – Lifecycle processes – Requirements engineering at undergraduate level

In the context of software engineering education, there is a recurrent demand for new approaches and techniques that support the application and transfer of knowledge to real-life situations with the aim of encouraging a more active learning among students. In particular, serious games have recently become an important learning resource for teaching the fundamentals of software process standards at undergraduate level. However, poor effort has been made to create a serious game that supports the teaching of the ISO/IEC/IEEE 29148:2011 Systems and Software Engineering – Lifecycle Processes – Requirements Engineering, an international standard that specifies the required processes that are to be implemented by requirements engineering for systems and software products (including services) throughout the lifecycle. With this in mind, a serious game called “Requengin” has been developed to provide undergraduate students with an interactive learning environment to facilitate the introduction of ISO/IEC/IEEE 29148:2011. The main objective of the game is to strengthen the comprehension and application of the main processes of the standard and some related requirements engineering techniques. Requengin was designed to simulate an academic library where players must apply the requirements engineering processes with the aim of changing the traditional management system by a software system while they receive, at the same time, preliminary training in ISO/IEC/IEEE 29148:2011. The results obtained by empirical evaluation indicate that Requengin could potentially contribute to an improvement in students’ acquisition of knowledge about ISO/IEC/IEEE 29148:2011, while also improving levels of motivation.     

Misleading Metrics and Unsound Analyses

The authors demonstrate that the recommendations for analyzing productivity in the appendix to the ISO/IEC 15939 standard are inappropriate. They also show that problems with the ISO/IEC advice can be compounded if software engineers attempt to apply statistical process-control techniques to software productivity metrics. They recommend using small meaningful data sets as the basis for productivity analysis and using effort-estimation models to assess productivity rather than productivity metrics. This article is part of a special focus section of software metrics     

Evaluation of the implementation of a subset of ISO/IEC 29110 Software Implementation process in four teams of undergraduate students of Ecuador. An empirical software engineering experiment

The competitiveness of software development companies depends on their ability to offer software products with quality attributes within approved budget and schedule. Most Very Small Entities (VSEs) that develop software do not see the benefits of implementing software standards. Consequently, they limit their potential to be recognised as quality software development entities. In this study, the authors present results obtained through the application of empirical software engineering in an experiment in which the ISO/IEC TR 29110–5–1–2 “Software engineering – Lifecycle profiles for Very Small Entities (VSEs) – Part 5–1–2: Management and engineering guide: Generic profile group: Basic profile” was used. The guide includes two processes: Project Management (PM) process and Software Implementation (SI) process. The objective of the project was the development of a software product for the scheduling of medical appointments for the Student Wellness Center of a university of Ecuador. Four teams of undergraduate students were involved. Two of them (controlled teams) implemented a subset of the SI process, while the other two (non-controlled teams) had freedom to choose development activities that were subsequently mapped with the activities of the standard. All teams developed the software product using the SCRUM framework within the same timeframe. Although the experiment was focused on the SI process, the teams also used a tailored version of the PM process defined by the professors. The experiment execution encountered several difficulties. For example, the timeframe of six weeks established in the design of the experiment was too short since students worked part time in the project. All the teams experienced this difficulty, especially when they had to construct and test the software components. Overall, the teams that used the ISO/IEC TR 29110–5–1–2 guide achieved better scores in the quality evaluation of their software processes.     

A multi-classifier approach to face image segmentation for travel documents

The adoption of face images in machine readable travel documents requires some quality constraints to be fulfilled (e.g., no flash reflections on skin or hair across eyes), as specified in the ISO/IEC 19794-5 standard. Automatically evaluating the compliance of a face image to such requirements needs a precise knowledge of the image structure, intended as the partitioning of the image into its main components (face, hair, clothes and background regions). In this paper a multi-classifier system based on color and texture information is proposed for face image segmentation. Extensive experiments carried out both on the segmentation algorithm and on its application to ISO/IEC 19794-5 standard compliance verification are reported and discussed. The results obtained are encouraging and confirm that: (i) the robustness of the proposed segmentation approach to deal with difficult image characteristics (e.g., uneven illumination or varied background) is satisfactory and (ii) the knowledge deriving from image segmentation is very useful for ISO/IEC 19794-5 standard compliance verification.     

Software processes, assessment and ISO 9000-certification: A user's view

The Austrian Research Centre Seibersdorf and its IT-Department are involved in the development of critical computer systems and in standardization in this field for many years (SAFECOMP '89, '90, '91, '93, IEC SC 65A WG9 and WG10, IEC TC 56, partners in the European initiative ESPITI and the networks ENCRESS and OLOS). The certification process for ISO 9001 started with a pre-audit in December 1993, and the certificate was successfully achieved at the end of June 1994. ISO 9000–3 (somehow more process-related than ISO 9001) and the ESA Software Engineering Standards (lifecycle model, process models) were the key input to the Quality Management (QM) System of the IT-Department. Additionally, the Department of Information Technology has successfully applied for a BOOTSTRAP license early in 1994. Four members of the staff of the IT department are qualified as external BOOTSTRAP assessors at the moment. In preparation for ISO 9000-certification and during BOOTSTRAP-training we learnt much about organizations, process improvement and project management, especially by reviewing our own processes critically as well as reviewing the impact and relevance of the schemes to follow when ISO 9000 certification or BOOTSTRAP licensing is the goal to achieve. Direct as well as indirect business benefits were achieved.     

Enhancing ISO/IEC 15288 with reuse and product management: An add-on process reference model

To support the transformation of system engineering from the project-based development of highly customer-specific solutions to the reuse and customization of ‘system products’, we integrate a process reference model for reuse- and product-oriented industrial engineering and a process reference model extending ISO/IEC 12207 on software life cycle processes with software- and system-level product management. We synthesize the key process elements of both models to enhance ISO/IEC 15288 on system life cycle processes with product- and reuse-oriented engineering and product management practices as an integrated framework for process assessment and improvement in contexts where systems are developed and evolved as products.     

Formal Specification in the Revision of GKS: An Illustrative Example

The first ISO/IEC standard for computer graphics, the Graphical Kernel System (GKS) was published in August 1985. In accordance with ISO/IEC procedures, GKS is now being reviewed and revised. This paper describes how formal specification techniques are being used by the authors to analyse key parts of proposals being made for changes to the framework of GKS to bring the standard into line with the requirements of applications and the operating environment likely to be found in the mid-1990's.     

中国在ISO/ IEC JTC1/ SC2 的活动与中文编码的国际标准化

标准化是实现技术产业化的基础。中文信息处理技术是我国特有的、具有国际领先水平的技术。我国自 20 世纪80 年代参与ISO/ IEC J TC1/ SC2 的活动以来,在中文编码技术的国际标准化工作中取得了显著成绩。本文介绍了ISO/ IEC J TC1/ SC2 的工作领域、工作方式和组织结构;我国参与ISO/ IEC J TC1/ SC2 及其下属该组织活动的方式;国际标准ISO/ IEC 10646 的大致情况和我国在参与此国际标准研制工作中取得的成绩、当前的工作和未来工作的计划。本文论述了我国参与本文ISO/ IEC J TC1/ SC2 活动的意义,以及我国在ISO/ IEC J TC1/ SC2 活动中的作用、地位和影响。作者还提出了对未来工作的建议。     

Mapping of improvement models as a risk reduction strategy: a theoretical comparison for the aerospace industry

Organizations involved on process improvement programs need to deal with different process improvement and assessment models. As not all the process improvement and assessment models have an equivalent scope, the selection of a particular model to guide the improvement strategy may result in a partial, constrained view of the areas where the organization may obtain competitive advantages. As a mitigation strategy, organizations should have a detailed understanding of the differences in the scope of the available models. Whatever the model they adopt, companies should be aware of relevant areas that may be missed or treated with more or less detail in the models under consideration. In addition, the need of dealing with different assessment models is usually found in second- and third-party assessments, when prospects or potential contractors decide to conduct an assessment of the subcontractor’s capabilities using a model that may not be the same as the reference model selected by the target subcontractor. In these situations, companies are at risks of overlooking relevant processes and practices. This paper describes a case study developed for the aerospace industry, based on the mapping of two assessment models widely deployed in this activity sector: CMMI-DEV and SPICE for Space, a variant of ISO/IEC 15504. A detailed gap analysis is provided identifying those aspects that should be considered both as potential improvement areas and as sources of risks. An extended assessment activity methodology is proposed that considers the results of model traceability analysis as a key factor for conducting the assessments.     

BOOTSTRAP 3.0—A SPICE1 Conformant Software Process Assessment Methodology

BOOTSTRAP methodology was initially developed in an ESPRIT project together with European industry. After February 1993, the methodology has been managed and further developed by a European Economic Interest Group, called BOOTSTRAP Institute. BOOTSTRAP methodology version 3.0 was released in September 1997. It is compliant with the ISO/IEC software engineering standard number 15504, the emerging standard on software process assessment. The core of the methodology consists of an assessment model and method. The assessment model of the methodology version 3.0 was updated to align with the ISO 12207 life-cycle and 15504 reference model requirements. In addition to the Process and Capability dimensions, it contains a Technology dimension. The Process dimension contains 33 different processes organised in six clusters: Organisation, Life Cycle Dependent, Management, Support, Customer-Supplier, and Process Related. The Capability dimension consists of six levels, each level consisting of one or more process attributes, adopted from ISO 15504. An assessment is conducted at SPU and project levels. The BOOTSTRAP Institute organises and co-ordinates assessor training and registration scheme. BOOTSTRAP methodology is being used in two European projects: SPAM and PROFES.     

Validating the ISO/IEC 15504 measure of software requirementsanalysis process capability

ISO/IEC 15504 is an emerging international standard on software process assessment. It defines a number of software engineering processes and a scale for measuring their capability. One of the defined processes is software requirements analysis (SRA). A basic premise of the measurement scale is that higher process capability is associated with better project performance (i.e., predictive validity). The paper describes an empirical study that evaluates the predictive validity of SRA process capability. Assessments using ISO/IEC 15504 were conducted on 56 projects world-wide over a period of two years. Performance measures on each project were also collected using questionnaires, such as the ability to meet budget commitments and staff productivity. The results provide strong evidence of predictive validity for the SRA process capability measure used in ISO/IEC 15504, but only for organizations with more than 50 IT staff. Specifically, a strong relationship was found between the implementation of requirements analysis practices as defined in ISO/IEC 15504 and the productivity of software projects. For smaller organizations, evidence of predictive validity was rather weak. This can be interpreted in a number of different ways: that the measure of capability is not suitable for small organizations or that the SRA process capability has less effect on project performance for small organizations     

Efficient identity-based GQ multisignatures

ISO/IEC 14888 specifies a variety of digital signature mechanisms to sign messages of arbitrary length. These schemes can be applied to provide entity authentication, data origin authentication, non-repudiation, and data integrity verification. ISO/IEC 14888 consists of three parts under the general title Information technology—Security techniques—Digital signatures. Part II, or ISO/IEC 14888-2 specifies the general structure and the fundamental procedures for the generation and verification of an identity-based signature (IBS) mechanism for messages of arbitrary length. Particularly, the IBS scheme of Guillou and Quisquater (GQ) is described in Clauses 6–8. In this paper, an efficient identity-based multisignature (IBMS) scheme is proposed for the GQ IBS scheme, which allows multiple users using the ISO/IEC 14888-2 standard GQ scheme to generate multisignatures. The scheme is efficient in the sense that both the length and the verification time of the multisignatures are fixed. The proposed ID-based multisignature scheme is also secure against forgeability under adaptive chosen-message attack and adaptive chosen-identity attack in random oracle model.     

一种支持构件化过程开发方法和分级管理机制的过程管理工具

开发符合组织规范和项目特征的软件过程模型,并对其进行持续地改进,是困扰软件组织的难点问题．一种支持构件化过程开发方法和分级管理机制的过程管理工具一青鸟过程管理（JBPM）系统借鉴CMM中“组织-项目”两级的层次化过程管理思想,引入了ISO／IEC 12207标准和IEEE 1517标准中的软件过程的需求规约,将基于构件的开发方法引入到软件过程的开发中,并为此提供工具支持,为过程管理问题提供了较好的解决方案．     

Understanding the gap between software process practices and actual practice in very small companies

This paper reports on a grounded theory to study into software developers’ use of software development processes in actual practice in the specific context of very small companies. This study was conducted in three very small software product companies located in Ecuador. The data collection was based on semi-structured qualitative interviews with software project managers, focus group with software developers and was supplemented by the literature and document studies. We interviewed two types of participants (managers and developers), so as to ensure that we elicited a holistic perspective of how they approached the software development process in actual practice. The goal was to study what practices are actually used and their opinion and attitude toward the potential adopting of an international standard (ISO/IEC 29110) specifically designed for very small companies. With the collected data, we performed an analysis utilizing grounded theory coding techniques, as this methodology promotes the focus on uncovering the real concerns of the participants. This study highlighted three areas of concern: customer, software product and development tasks coordination and tracking. The findings in this study give an insight toward the work products as they relate to software development process practices in very small companies and the important factors that must be considered to assist project success.     

The impact of inadequate and dysfunctional training on Agile transformation process: A Grounded Theory study

ContextTraining is an essential facilitator in moving from traditional to Agile software development.ObjectiveThis paper addresses the importance of adequate and functional training in Agile transformation process, the causes of inadequate and dysfunctional training, and the heuristic strategies that can be used in software companies for dealing with this phenomenon.MethodA Grounded Theory study was conducted with participation of 35 Agile experts from 13 different countries.ResultsThis research discovered that inadequate and dysfunctional training was one of the critical issues that affected Agile transformation process. This study shows that comprehensive and functional training is not often provided to support Agile transformation. This paper shows the primary causes of inadequate and dysfunctional training, its adverse consequences on the transformation process, and the heuristic and ad-hoc treatments as the strategies used by Agile teams to cope with this challenge.ConclusionComprehensive training is important in Agile transformation process. Inadequate and dysfunctional training causes several challenges and problems for software companies and development teams when moving to Agile. Several ad-hoc strategies identified by this study can be employed to help software teams and companies facing similar problems.     

Defining stakeholder relationships

Jointly developed by the ISO and IEC in 1995, the ISO/IEC 12207 standard, Software Life Cycle Processes, provides specific guidance in defining the roles and responsibilities of various stakeholders in the life cycle of a software project, product, or service. And the software community is beginning to take heed. The standard itself is relatively brief, detailing 17 processes in less than 40 pages. The 17 processes are divided into three main process groups: primary processes include acquisition, supply, development, operation, and maintenance; supporting processes include documentation, configuration management, quality assurance, verification, validation, joint review, audit, and problem resolution; organizational processes include management, infrastructure, improvement, and training. Each process breaks down into relevant activities and tasks that reflect a clear plan-do-check-act cycle. One further process, tailoring, specifies the activities and tasks to follow in adapting the standard to a particular situation or application. But just how useful is this standard? Based upon personal mentoring experiences, the author describes two case studies that demonstrate the standard's importance and versatility: Haldex Traction AB of Landskrona, Sweden, the supplier of a safety-critical automotive component; and Cambiot Healthcare Systems AB of Linkoping, Sweden, the supplier of a medical information system for hospitals and clinics. In these two cases, ISO/IEC 12207 has provided important value-added guidance in both systems and software engineering     

Assurance and IT Development Paces and Challenges

ISO/IEC 15408, “Evaluation criteria for IT security”, was initially published almost twenty years ago. Originating from a number of governmental certification bodies, the standard has gained international acceptance. However, the needs for IT security certification are evolving and at the same time there is more demand than ever before. ISO/IEC 15408 is currently under revision, and many of the current needs are being taken into account in the new design of the standard that is expected to be published in 2020.     

A framework for estimating information security risk assessment method completeness

In general, an information security risk assessment (ISRA) method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization. ISRA practices vary among industries and disciplines, resulting in various approaches and methods for risk assessments. There exist several methods for comparing ISRA methods, but these are scoped to compare the content of the methods to a predefined set of criteria, rather than process tasks to be carried out and the issues the method is designed to address. It is the lack of an all-inclusive and comprehensive comparison that motivates this work. This paper proposes the Core Unified Risk Framework (CURF) as an all-inclusive approach to compare different methods, all-inclusive since we grew CURF organically by adding new issues and tasks from each reviewed method. If a task or issue was present in surveyed ISRA method, but not in CURF, it was appended to the model, thus obtaining a measure of completeness for the studied methods. The scope of this work is primarily functional approaches risk assessment procedures, which are the formal ISRA methods that focus on assessments of assets, threats, vulnerabilities, and protections, often with measures of probability and consequence. The proposed approach allowed for a detailed qualitative comparison of processes and activities in each method and provided a measure of completeness. This study does not address aspects beyond risk identification, estimation, and evaluation; considering the total of all three activities, we found the “ISO/IEC 27005 Information Security Risk Management” to be the most complete approach at present. For risk estimation only, we found the Factor Analysis of Information Risk and ISO/IEC 27005:2011 as the most complete frameworks. In addition, this study discovers and analyzes several gaps in the surveyed methods.