handout for Part 2 on the Agile4Defense GitHub page at: https://git.io/JeaO2 Risk The presence of uncertainty is the simple reason why Agile approaches work better than plan-driven approaches—it is also the adopting an intelligent attitude toward risk. Risk is the chance of a negative impact resulting from uncertainty. We can reduce risk—often at a cost —but there is generally no way to eliminate it.  Almost all under conditions of tremendous uncertainty, your choices will often turn out to be wrong.Agile and plan-driven models have very different ways of dealing with uncertainty. Plan driven approaches, even

will substitute for the outdated project view in my vision for what IT leadership must become. Uncertainty and Risk: Third, underlying all of these changes – all of the problems with plan-drive approaches approaches, all of the advantages of Agile approaches – is a confusion about how to deal with uncertainty and risk. What I call the “contractor-control paradigm” – is really about trying to make risk go away  What is the value of adhering to a plan that was made at the beginning of a project, when uncertainty was greatest? Business value is destroyed only when we substitute extensive planning for execution

idea that we should make a plan and then stick to it is a terrible idea in an environment of uncertainty and change. It has dominated the IT world because it appears to offer predictability, control time through incremental investments.  Managing the EA asset is an art, just as all strategic management is an art. Just as the CMO must sense market opportunities, weigh tactics for communicating with will turn off my sarcasm engine for a moment. Look—it turns out that the future involves lots of uncertainty. No one knows exactly what the benefit of an investment will be—no one even knows approximately

 working off a single backlog of features, driven by vision and roadmap  product and release management, release planning  program psi objectives  common sprint lengths - system continuous integration  business epics  architectural epics  kanban epic system – limit WIP  program portfolio management, enterprise architect  value streams  investment themes - provide operating budgets for release

Development  Operations (Operational Waterfall)  Infrastructure Ops  Product Ops  Product Management  Every technology under the sun  Solaris, Windows, Linux  Apache, IIS, TCServer, etc.  homogenization and assimilation – no snowflakes  Deployment methodologies, automation, monitoring, and management tested continuously. Steve Barr steve.barr@csgi.com @srbarr1 Overall Quality improvements, “it”

Security Stack enables: correlated and centralized logs, container security, east/west traffic management, a zero-trust model, a whitelist, Role-Based Access Control (RBAC), continuous monitoring, signature-based This can also be used to send notifications when there is anomalous behavior. 4. Vulnerability Management 5. A service mesh proxy to connect to the service mesh 6. Zero Trust down to the container

testing efforts – Part 6: The Technical Practices of Integrating Information Security, Change Management, and Compliance 1. Introduction a. Goal to simultaneously achieve Information Security goals Pipeline a. INTEGRATE SECURITY AND COMPLIANCE INTO CHANGE APPROVAL PROCESSES i. Effective change management recognized different risks associated with different types of changes, to be handled differently

need to tighten up our change controls… what’s preventing us from getting there?”  “That change management tool is impossible to use. There’s a million mandatory fields and most of the time, the drop down

a termination iv. Examples of potentially significant events (Gartner’s GTP Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access 3. System and application