Credit Suisse For internal use only

P-00309 Policy
CS Global IT Solution Delivery Policy

Valid from Issuing Unit Author Contact References Replaces Original Language Scope/Recipients

01-OCT-2007 KO (IT COO) Philippe Landucci KOAM, IT Methodology and Quality Management none English Credit Suisse IT

Version 1.0

Summary This Global IT Solution Delivery Policy defines minimum global requirements for Solution Delivery (IT Application and Infrastructure Development). The purpose of the Policy is to ensure that the Solution Delivery projects will follow a consistent and managed path. The Policy regulates roles and responsibilities in the area of project management, software engineering, and related functional management. Changes None. This is a new policy. Minimum Global Standards The following MGS apply to the present policy: All regulations stated in this policy: G_GOV-01 to G_GOV-06 G_PM-01 to G_PM-20 G_DEV-01 to G_DEV-19 shall serve as global minimum standards.

1/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
Table of contents 1. 2. 3. 4. 5. 6. 7. Introduction Scope General Management Project Management Application and Infrastructure Development Abbreviations and Terms Change History

1.

Introduction The CS P-00309 is based on industry standards and relevant regulations1. This document defines the policy covering Solution Delivery (IT Application and Infrastructure Development). It extends the divisional or regional lifecycle models, like "SDLC+" and "IT Project Procedure". Adherence to the Policy will ensure the Solution Delivery projects will follow a consistent and managed path. Scope This policy applies to every Solution Delivery project with a planned or actual to-date total IT effort of more than 110 person-days. It requires a project plan which accounts for the applicable divisional or regional lifecycle model. It requires monitoring the project execution to identify potential problems and take appropriate corrective actions in a timely manner. It obviously also requires completion of the work defined in the plan to accomplish the project's requirements and to deliver high-quality technology solutions to the business. The controls specified in this document give a high-level guidance on how to follow this policy. They may also be applied within other projects at their discretion. This policy is a mandatory standard for Credit Suisse IT, and does not replace any regulations or standards already in place within Credit Suisse. Business area- or region-specific policies may supersede this standard providing they contain the full scope of the global Policy. They may however be more comprehensive or specific.

2.

"Capability Maturity Model Integration (CMMI"), "IT Infrastructure Library (ITIL)", "Project Management Body of Knowledge (PMBOK, Guide to)", "Software Engineering Body of Knowledge (SWEBOK, Guite to)", SOX/CSG General Computer Controls (CSG GCCs).
1

2/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
3. General Management Generic Practices / Institutionalization 1
G_GOV-01

2
G_GOV-02

3
G_GOV-03

4
G_GOV-04

5
G_GOV-05

6
G_GOV-06

The Chief Information Officer (CIO) of Credit Suisse IT owns, maintains, communicates and enforces this policy. The CIO will review this policy on a regular basis, or when major changes in the organizational strategy or changes in the regulatory environment are made. All managers shall be responsible for the compliance of their organizational units with this policy. They shall provide the quality management resources necessary to identify noncompliances and track their resolution to closure and they provide the project resources necessary to resolve the said non-compliances. Managers shall regularly report to their direct managers on the resolution of non-compliances. The CIO of the IT business area performing the majority of the project-related development effort shall determine the mandatory development lifecycle of a crossbusiness area or -regional project. Such projects shall comply to platform-specific Change Control requirements associated with the platforms that will be impacted by components and/or systems deployed by the project. Project managers shall bring all work packages within a project s active phase or lifecycle that cannot be mapped to a named resource to the attention of their immediate supervisor. The project manager s immediate supervisor shall be responsible for facilitating the reconciliation of necessary resources to planned work. Project team members shall be trained on process, methodology and supporting tools as required to fulfill their assigned roles.

4.

Project Management Project Planning 1

G_PM-01

2
G_PM-02

3
G_PM-03

4
G_PM-04

5
G_PM-05

6
G_PM-06

7
G_PM-07

8
G_PM-08

Project managers are responsible and accountable for planning and managing the execution of their projects. Project managers shall define project roles and assign said roles to adequately skilled project team members; in particular, project managers shall assign team members to fill requirements engineering and configuration management roles. Project managers shall define the roles and identify dedicated resources for all reviewing and testing activities. The progressive elaboration of requirements shall serve as an input to project planning activities, including development of the project s work breakdown structure (WBS). Project managers shall develop a WBS based on input from relevant project team members and stakeholders. They shall decompose the WBS to a level that enables reasonable effort, cost and scheduling estimates to be made. Project managers shall develop a project schedule based on input from relevant project team members and stakeholders. They shall ensure that the schedule is traceable to the WBS. Project teams shall maintain a list of planned and/or completed external acquisitions including products, components, and services. If acquisition alternatives exist, relevant stakeholders shall establish and confirm selection criteria prior to the final selection of any supplier and/or product.

3/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
9
G_PM-9

10
G_PM-10

11
G_PM-11

12
G_PM-12

13
G_PM-13

Project teams shall plan for the integration of acquired products with respect to: 1. transfer of the product to the project; 2. training; and, 3. maintenance and support. Project managers may initially map each work package in the WBS to a responsible generic role, but they must map all work packages that are due to be completed within the project s active or current lifecycle phase to a named human resource who shall be responsible for delivery of said work package. Project managers shall create and maintain a project communications plan that details project stakeholders' responsibilities to the project, and also details project stakeholders' communication preferences. Project managers shall maintain a quality assurance plan, including effort estimation for all reviewing and testing activities. Project managers shall obtain commitment to the WBS and the project schedule from team members and providers of resources.

Project Execution & Project Monitoring and Control 14

G_PM-14

15
G_PM-15

16
G_PM-16

17
G_PM-17

18
G_PM-18

19
G_PM-19

20
G_PM-20

Project managers shall document supplier and/or product selections. Documentation shall include the following: 1. a list of possible suppliers, 2. selection criteria, and, 3. evaluation results and rationale behind the decision made. Project managers shall document formal agreements for each project-related external acquisition. For acquisitions that are critical for the success of the project, agreements shall include the list of deliverables and the respective acceptance criteria, a breakdown of effort and/or cost, a schedule, and a list of risks and respective mitigation plans. Project managers shall track progress of internal and external suppliers regularly, at least monthly. This includes milestone tracking and progress reviews. In case of significant deviations from the agreed plan the project teams shall take appropriate corrective actions. Project managers shall develop and maintain a list of project risks based on input from relevant project team members and stakeholders. They shall document a mitigation plan for all risks that are deemed to pose a serious threat. The project s senior stakeholders shall review and approve this plan in advance so that the plan can be acted upon should the risk manifest into an issue requiring resolution. Project managers shall lead a project status meeting involving all key project stakeholders no less than once a month. At a minimum, the following items will be discussed: 1. changes to project scope; 2. progress against the current monthly milestone; 3. progress against the overall schedule; 4. project risks; 5. project issues; 6. resource demand versus resource availability or capacity; and, 7. updates to the project communications plan. Project managers shall maintain copies of the meeting agendas, attendance records and minutes of said meetings. Project managers shall hold one-on-one project status meetings with their immediate supervisor no less than once a month. Project managers shall maintain copies of the meeting agendas and minutes of said meetings. Project teams shall conduct reviews to ensure the consistency of work products and deliverables and the completion of significant milestones such as phase exits and major deployments. Project managers shall document the results of the review along with action items and decisions.

4/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
5. Application and Infrastructure Development Requirements Engineering 1
G_DEV-01

2
G_DEV-02

3
G_DEV-03

Designated project team members shall ensure that the requirements received or generated by the project are gathered and documented and a unique identifier is assigned to each requirement. Designated project team members shall analyze and negotiate requirements with the requirements providers and the project team in order to obtain a common understanding and agreement. They shall document commitments and decisions. They shall negotiate changes to existing commitments before project participants commit to the requirements. The project sponsor shall sign-off the requirements. Project teams shall follow a communicated project change request procedure for all changes to agreed requirements and log all requirements changes. They shall analyze the impact of requirements changes on commitments, project plans and work products. For approved requirements changes the project manager shall update the project plans and work products accordingly. Project teams shall verify the project plan and all work products against the agreed requirements on a regular basis and initiate corrective actions if appropriate.

4
G_DEV-04

5
G_DEV-05

Configuration & Change Management 6

G_DEV-06

7
G_DEV-07

8
G_DEV-08

9
G_DEV-09

Designated project team members shall establish and maintain a list of select configuration items and place them under configuration management including version control. Project teams must document changes to configuration items and baselines. Project teams shall create, document, and release baselines of configuration items for project internal use and for delivery to the project's customers. Project teams shall systematically record, control and track project change requests to closure according to the project's change request procedure. Project teams shall record, control and track changes due to defects. Project teams shall analyze and document the impact of project change requests on configuration items.

System Development and Implementation 10

G_DEV-10

11
G_DEV-11

12
G_DEV-12

Project teams shall determine which products or components will be purchased, reused or developed. They shall conduct the make-or-buy decision using an appropriate evaluation approach. Project teams shall develop and maintain technical documentation throughout the entire lifecycle of the product or component. They shall update technical documentation to reflect any changes in the system. Project teams shall develop and maintain appropriate documentation for installation, ongoing operational support and maintenance tasks to be performed for the developed system, as well as user documentation and/or online help.

5/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
Quality Assurance 13
G_DEV-13

14
G_DEV-14

15
G_DEV-15

16
G_DEV-16

17
G_DEV-17

18
G_DEV-18

19
G_DEV-19

Designated project team members shall perform tests and reviews to verify that functional and non-functional requirements as well as business objectives are met. This includes user and operational requirements. Designated project team members shall review system designs against functional and non-functional requirements, especially performance, security and control requirements. Designated project team members shall ensure that production environments are at least logically segregated from development and testing environments. Designated project team members shall perform unit testing and system testing for each module or application. Acceptance testing shall be performed and the test results shall be documented and retained. There shall be formal confirmation that testing has been performed according to the test plan. The sponsor, or the person responsible for the project within the client's reporting line, and by the decision body responsible for Change Control shall make "Go live" decisions for the system based, among other criteria, on test results.

6/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
6. IT-PV Abbreviations and Terms "IT-Projektvorgehen" (IT Project Procedure) Standard Project Lifecycle model mandatory for medium to large development projects on CS' Swiss Banking IT Platform. Standard project lifecycle model mandatory within CS Investment Banking IT, and within Corporate Systems outside Switzerland. Work Breakdown Structure - A deliverable-oriented hierarchical decomposition of the work to be executed by the project team to accomplish the project objectives and create the required deliverables. The deliverable orientation of the hierarchy includes both internal and external deliverables. Requests to expand or reduce the project scope, modify policies, processes, plans, or procedures, modify costs or budgets, or revise schedules. Requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually mandated or optional. Only formally documented requested changes are processed and only approved change requests are implemented. A single product- and project-related work product or an aggregation of these, that are designated for configuration management and seen as single entity in the configuration management process. Examples of configuration items are documents (project plan, design document, requirement specification, test concept, risk list etc.) as well as code elements. May be a contract, a license, or a memorandum of agreement between the project and a supplier. A project change request is a need or request that impacts the existing baselined products or components in the IT assets of the organization. It can be for example a change in an existing baselined requirement. The person or persons responsible for carrying out the project management tasks of a project or a program. A deviation which, when left unresolved, may preclude the project from meeting its objectives. The customer of the project, the person who provides the budget for the project to be executed.

SDLC+ WBS

Change Request

Configuration item

Formal agreement Project change request Project manager Significant deviation Sponsor

For further terms and explanations, refer to the central CS IT Glossary under http://itglossary.csintra.net/glossary/

7/8

Credit Suisse Policy CS Global IT Solution Delivery Policy Version 1.0

P-00309
7. Change History
Version V1.0 Date 25-Jan-07 Author, Org. Unit Ph. Landucci, KOAM Status Final Comment / Description of change Approved by the IT Senior Management Team on January 25th, 2007.

Tom Sanzone Credit Suisse CIO sig.

8/8