INTERNATIONAL ISLAMIC UNIVERSITY, ISLAMABAD

FACULTY OF BASIC & APPLIED SCIENCES

DEPARTMENT OF COMPUTER SCIENCE

Of

For CMM Level

Subject:
Software Quality Engineering
Submitted To:
Muhammad Ramzan
Submitted By:
Muhammad Husnain(187 MSSE)
Abdul Rahman(185MSSE)
 Dedication
This whole work is dedicated to

Our Parents
And
Specially

Our Teacher
Who gave us this idea of practical work
Introduction
The Capability Maturity Model (CMM) is a process capability maturity model
which aids in the definition and understanding of an organization's processes. The CMM
was originally intended as a tool for objectively assessing the ability of government
contractors' processes to perform a contracted software project. Though it comes from the
area of software development, it can be (and has been and still is being) applied as a
generally applicable model to assist in understanding the process capability maturity of
organizations in diverse areas. For example, software engineering, system engineering,
project management, software maintenance, risk management, system acquisition,
information technology (IT), personnel management. It has been used extensively for
avionics software and government projects around the world. The CMM involves the
following aspects:

• Maturity Levels: A number of levels in a discipline which gives continuous

process improvement and optimization of organization.
• Key Process Areas: A Key Process Area (KPA) identifies a cluster of related
activities that, when performed collectively, achieve a set of goals considered
important.
• Goals: The goals of a key process area summarize the states that must exist for
that key process area to have been implemented in an effective and lasting way.
The extent to which the goals have been accomplished is an indicator of how
much capability the organization has established at that maturity level. The goals
signify the scope, boundaries, and intent of each key process area.
• Common Features: Common features include practices that implement and
institutionalize a key process area. There are five types of common features:
Commitment to Perform, Ability to Perform, Activities Performed, Measurement
and Analysis, and Verifying Implementation.
• Key Practices: The key practices describe the elements of infrastructure and
practice that contribute most effectively to the implementation and
institutionalization of the KPAs.
Company profile:
Office Info:
Company Name: TRUE MERIDIAN
Website: http://www.truemeridian.com/
Fax: 92 51 2293945
Tel: 92 51 2292462, 92 51 2292460
House# 212, Street# 17, G-10/2, Islamabad-44000

Organization Info:
Offices:
Tempa-USA Office
Lahore-Pak Office
Islamabad-Pak Office

The Owner Dr. Abdul Basit:

Working in the Tempa (USA) state office
Deals contracts with the clients
Major decisions are made by him

CEO Imran
Working in Lahore office
Deals project related issues with the clients
Major decisions regarding office and projects/project managers are made by him
Also plays role of the project manager

CEO Naaman Muasawwir

Working in Islamabad office
Deals project related issues with the clients
Major decisions regarding office and projects/project managers are made by him
Also plays role of the project manager
Each Office has the following hierarchy:
Office wide SQC (software quality control) team
Account Officer
Project Manager for each individual project
One or more S/W Development Teams for each project

Each S/W Development Team has 4 to 8 members:

One Project Manager
One Team Lead-also plays the role of application engineer
One or Two Back-End engineers
Two or Three front-end engineers
Two or three Design engineers-work for system design and architecture.
Note: One of the group members Abdul Rahman is working as a developer in TRUE
MERIDIAN.
The purpose of this document is to analyze TRUE MERIDIAN software house’s
CMM level. This document contains questions by which we can analyze current CMM
level of TRUE MERIDIAN. We also give instructions to improve CMM level by seeing
the performance of TRUE MERIDIAN.

Instructions
The questionnaire has been divided in a number of sections. Each section covers
one of the key process areas of the CMM Level 2. Questions can be answered by marking
one of the possible answers.
1. Answer Yes if:
- The activity is (almost) always performed.
2. Answer Not always if:
- The activity is performed sometimes, or not completely.
3. Answer Never/No if:
The activity is never or hardly ever performed.
4. Another option can be description if:
The activity is can’t be specified by above three options.
Overview of the Gap Analysis:
We have made a questionnaire for the TRUE MERIDIAN and questionnaire is
based on the Capability Maturity Model level 2. CMM level 2 have following Key
Process Areas (KPAs)
 Requirements Management
 Software Project Planning
 Software Project Tracking & Oversight
 Software Subcontract Management
 Software Quality Assurance
 Software Configuration Management.

The questions are organized in sections; each KPA have some questions according to
its requirements in the CMM structure. Each section contains a short overview of the
purpose of each key process area. CEO is expected to fill in the questions based on your
personal experience and knowledge. Answers used by assessment team to conduct the
process assessment and are treated confidentially. At the last we give instructions to the
company by which they can improve their CMM level.

What are CMM Level 2 KPAs and their relevant

questions:

1.Requirements Management
Purpose:
To establish a common understanding between the customer and the software
project of the customer’s requirements that will be addressed by the software project
We have following questions for this KPA.

1. The software engineering group reviews the allocated requirements before

they are incorporated into the software project.
o Yes
o No
2. The software engineering group uses the allocated requirements as the basis for
software plans, work products, and activities.
o Yes
o No
3. Changes to the allocated requirements are reviewed and incorporated into the
software project.
o Yes
o No
4. Written organizational Policy
o Yes
o No
5. Are the Responsibility assigned?
o Yes
o No
6. Are the adequate resources & funding provided?
o Yes
o No
7. Training for requirements management activities
o Yes
o No
8. Are the service commitments documented?
o Yes
o Not always
o Never
9. Are the service commitments evaluated with the customer on both a periodic and
an event-driven basis?
o Yes
o Not always
o Never
 10. Is the actual service delivery evaluated with the customer on both a periodic and
an event-driven basis?
o Yes
o Not always
o Never
11. Activities reviewed with senior management on a periodic basis.
o Yes
o No
12. Activities are reviewed with the project manager on both a periodic and event-
driven basis.
o Yes
o No
13. SQA group reviews/ audits
o Yes but not always
o No
The TRUE MERIDIAN can complete this KPA requirement by doing following
activities:
1. Writing an organizational Policy.
2. Making service commitments documentation.
3. Service delivery evaluation with the customer on both a periodic and an event-
driven basis.
4. SQA group reviews

2. Software Project Planning

Purpose:
To establish reasonable plans for performing the software engineering and for
managing the software project.
We have following questions for this KPA.
1. Software project planning is initiated in the early stages
o Yes
 o No
2. Is the service delivery plan developed according to a documented
procedure?
o Yes
o Not always
o Never
3. Is the service delivery plan documented?
o Yes
o Not always
o Never
4. 4. Are the service delivery activities to be performed identified and
planned according to a documented procedure?
o Yes
o Not always
o Never
Are software and hardware products that are needed to establish and maintain control of
the service delivery identified?
o Yes
o Not always
o Never
5. Are the risks associated with the cost, resource; schedule and technical
aspects of the service identified, assessed, and documented?
o Yes
o No
6. The software engineering group participates with other affected groups in
the overall project planning throughout the project's life.
o Yes
o No
7. Software project commitments made to individuals and groups external to
the organization are reviewed with senior management according to a
documented procedure
o Yes
o No

8. Is there Designated Software Project Manager?

o Yes
o No
9. Documented and approved statement of work
o Yes
o No
o Yes but w/o doc
10. Responsibility for s/w development plan
o Yes
o No
11. Adequate resources and funding for project planning
o Yes
o No
12. Training - estimation & planning
o Yes
o No
13. Periodic senior management review
o Yes
o No
14. Review with project manager on both periodic and event driven basis
o Yes
o No
15. Software Quality Assurance group reviews and /or audits
o Yes
 o No
The TRUE MERIDIAN can complete this KPA requirements by doing following
practices:
1. Writing an organizational Policy.
2. Making Software Engineering Group.
3. Making service delivery plan habitually.
4. Providing Training.
5. SQA group reviews

Software Project Tracking and Oversight

Purpose:
Service delivery is being tracked. The realized service levels are compared with
the specified service levels and are reported to the customer and management on a regular
basis. Corrective actions are taken when actual service delivery deviates from the
specified service levels.
The service provider reports to the customer the actual services delivered, the actual
service levels, and, when relevant, calamities that hindered accurate service delivery. The
service level reports are used as input for the evaluation of service level agreements.
We have following questions for this KPA.
1. A documented software development plan is used for tracking the
software activities and communicating status.
o Yes
o No
2. The project's software development plan is revised according to a
documented procedure.
o Yes
o No
3. Software project commitments and changes to commitments made to
individuals and groups external to the organization are reviewed with
senior management according to a documented procedure.
o Yes
o No
4. Are the service delivery risks associated with cost, resource, schedule and
technical aspects of the services tracked?
o Yes
o Not always
o Never
5. Are actual measurement data and replanning data for the service recorded
and made available?
o Yes
o No
6. SW Development plan documentation?
o Yes (high level plan only not detailed plan)
o No
7. Designated Project Manager?
o Yes
o No
8. Adequate resources provided?
o Yes
o No
9. Training - technical & personnel aspects
o Yes
o No
10. Written Policy?
o Yes
o No
11. Are formal reviews conducted with the customer to address the
accomplishments and results of the services at selected moments
according to a documented procedure?
o Yes
o Never
 12. Review with project manager on both periodic and event driven basis
o Yes
o No
13. Does the service delivery group conducts periodic internal reviews to track
activity status, plans, actual service levels, and issues against the service delivery
plan?
o Yes
o Not always( depends upon nature of project)
o Never
13. Software Quality Assurance group reviews and /or audits
o Yes
o No

The TRUE MERIDIAN can complete this KPA requirements by doing following
practices:
1. Writing an organizational Policy.
2. Making service delivery plan habitually.
3. Providing Training.
4. Service delivery group reviews for each project.
5. SQA group reviews

Software Subcontract Management

Purpose:
The purpose of Subcontract Management is to select qualified IT subcontractors
and manage them effectively.
The service provider can select and hire subcontractors to delegate parts of the
service. If this is the case, the service to be delivered by the subcontractors is laid down
in a service level agreement. The service provider keeps track of the actual services
delivered by the subcontractor and takes corrective actions when the actual service levels
deviate from the specified service levels. There are two types of contracts
1. source providing
2. outsourcing
Source providing:
We provide sources (developers to client) and client pays for those sources. Like we
provide two developers to the client and client pays for those developers.
Out sourcing:
Whole project is given to some other company.
We have following questions for this KPA.
1. Is the service to be subcontracted specified and planned according to a
documented procedure?
o Yes
o Not always (depends upon nature of project and situation)
o Never
2. Is the subcontractor selected, based on an evaluation of the subcontract bidders'
ability to deliver the service, according to a documented procedure?
o Yes
o Not always
o Never
o on personal links basis
3. Is the contractual agreement between the prime contractor and the subcontractor
used as the basis for managing the subcontract?
o Yes (with documentation)
o Not always
o Never
4. Is the documented subcontractor's service delivery plan reviewed and approved
by the prime contractor?
o Yes
o Not always (depends upon nature of project)
 o Never

5. Is the documented and approved subcontractor's service delivery plan used for
tracking the service activities and for communicating status?
o Yes
o Not always
o Never
6. Are changes to the subcontractor's service commitments, service delivery plan,
and other commitments resolved according to a documented procedure?
o Yes
o Not always
o Never
7. Are subcontract service commitments evaluated with the subcontractor on both a
periodic and an event-driven basis?
o Yes
o Not always
o Never
8. Does the prime contractor's service quality assurance group monitor the
subcontractor's service quality assurance activities according to a documented
procedure?
o Yes
o Not always
o Never
9. Does the prime contractor's configuration management group monitor the
subcontractor's configuration management activities according to a documented
procedure?
o Yes
o Not always
 o Never
10. Selecting a software sub-contractor
o Yes
o No

11. Establishing commitments with the subcontractor

o Yes
o No
o depends upon nature of project
12. Tracking and reviewing the subcontractor’s performance and results
o Yes
o No
o depends upon nature of project
13. Written Organizational Policy?
o Yes
o No
The TRUE MERIDIAN can complete this KPA requirements by doing following
practices:
1. Writing an organizational Policy.
2. Subcontractor’s service delivery plan should be reviewed and approved by the
prime contractor.
3. Subcontractor’s service delivery plan should be used for tracking the service
activities and for communicating status.
4. Changes to the subcontractor's service commitments, service delivery plan, and
other commitments should be resolved according to a documented procedure.
5. Subcontract service commitments evaluation with the subcontractor should be on
both a periodic and an event-driven basis.
6. Prime contractor's service quality assurance group should monitor the
subcontractor's service quality assurance activities according to a documented
procedure.
 7. The prime contractor's configuration management group should monitor the
subcontractor's configuration management activities according to a documented
procedure
8. SQA group reviews

Software Quality Assurance

Purpose:
To provide management with appropriate visibility into the process being used
and the products being built.
We have following questions for this KPA.
1.Is a SQA plan prepared for the service delivery according to a documented procedure?
o Yes
o Not always
o Never
2. Are the SQA group's activities performed in accordance with the SQA plan?
o Yes
o Not always
o Never
3. Does the SQA group participate in the preparation and review of the service
commitments and service delivery planning, standards and procedures?
o Yes
o Not always
o Never
4. The SQA group reviews the software engineering activities to verify compliance
o Yes
o No
5. The SQA group audits designated software work products to verify compliance.
o Yes
o No
6. Responsible Group
 o Yes
o No
7. Adequate resources
o Yes
o No

8. Training - SQA activities

o Yes
o No
9. Members of SW project orientation
o Yes
o No
10. Written Policy?
o Yes
o No
11. Does the SQA group conduct periodic reviews of its activities and findings with the
customer's SQA personnel, as appropriate?
o Yes
o Not always
o Never
12. Review with project manager on both periodic and event driven basis
o Yes
o No
The TRUE MERIDIAN can complete this KPA requirements by doing following
practices:
1. Writing an organizational Policy.
2. SQA group participate in the preparation and review of the service commitments
and service delivery planning, standards and procedures
3. SQA group reviews to the software engineering activities to verify compliance
4. SQA group reviews
5.Software Configuration Management

The main purpose of Configuration Management is to establish and maintain the

integrity of products which are subject to or part of the TRUE MERIDIAN.
Configuration Management involves the identification of the relevant hardware and
software components which need to be put under configuration control. This includes
components owned by the customer that are being managed by the service provider,
components owned by the provider that are used by the customer and components owned
by the provider that are used to deliver the service. Changes to the configuration are
evaluated with respect to the service level agreement and with respect to possible risks
for the integrity of the configuration.

Configuration management plan A configuration management plan covers the

configuration management activities to be performed, the schedule of the activities, the
assigned responsibilities, the resources required (including staff, tools, and computer
facilities), the CM requirements and activities to be performed by the service delivery
group and other related groups.
We have following questions for analyzing this KPA.
1. Is a configuration management plan prepared for each service according to a
documented procedure?
o Yes
o Not always
o Never
2. Is a documented and approved configuration management plan used as the basis for
performing the configuration management activities?
o Yes
o Not always
o Never
3. Is a configuration management library system established as a repository for the
configuration baselines?
o Yes
 o Not always
o Never
4. Are the products to be placed under configuration management identified?
o Yes
o Not always
o Never

5. Are action items for all configuration items/units initiated, recorded, reviewed,
approved, and tracked to closure according to a documented procedure?
o Yes
o Not always
o Never
6. Are changes to configuration baselines controlled according to a documented
procedure?
o Yes
o Not always
o Never
7. Are (software) products from the configuration baseline created and released according
to a documented procedure?
o Yes
o Not always
o Never
8. Is the status of configuration items/units recorded according to a documented
procedure?
o Yes
o Not always
o Never
9. Are standard reports documenting the configuration management activities and the
contents of the configuration baselines developed and made available to affected groups
and individuals?
 o Yes
o Not always
o Never
10. Are configuration baseline audits conducted according to a documented procedure?
o Yes
o No

11. Written Policy?

o Yes
o No
12. Periodic senior management review
o Yes
o No
13. Review with project manager on both periodic and event driven basis
o Yes
o No

14. Periodic audits by SCM group?

o Yes
o No
15. SQA review and/or audit
o Yes
o No
The TRUE MERIDIAN can complete this KPA requirements by doing following
practices:
1. Writing an organizational Policy.
2. Documented and approved configuration management should be made for using
as the basis for performing the configuration management activities
3. Changes to configuration baselines should be controlled according to a
documented procedure
4. Periodic audits by SCM group.

5. SQA group reviews.