
Product Backlog

[Figure: Product Backlog (list of products); Release 1, Release 2 and Release X, each with Sprint 1 and Sprint 2 containing products]

Generic Points

1. Service transition manager is present when release planning is done. Together with ITS-BAU STM determines the priority of the transition related products
2. Time required to be ready for BAU (PINS deliverables) determines the earliest point for go live.
3. In principle End of Release is handover support to BAU. If BAU is not ready, handover can be moved to the next release

When | Criteria

Project Startup

Initial creation of product backlog | Identify the Solution Center the project fits into
Initial creation of product backlog | Plan for Solution Center involvement

Release Planning

Release Plan | Agree deliverables in release
Release Plan | Identify the point(s) in time for handover to BAU Support (at every release/ after release X )
Release Plan | Agree for SAC ITS to be built in to release acceptance criteria
Release Plan | Get SAC for the service line in which the project lands added to the Release Plan (DoD for Release)
Release Plan | Get SAC for other involved service units (ie service desk) added to the Release Plan (DoD for Release)
Release Plan | Get Security Checklist added to the release plan
Release Plan | Add to the Release Acceptance: BAU Readiness

For product backlog of each release

Product Backlog | Add product at the start of the Release. Product description: Initial Support Model to be updated with the support requirements for the various groups
Product Backlog | Add a product for building/adjusting the BAU organisation
Product Backlog | Add product for KT material in every release (*)
Product Backlog | Add product for Support Model acceptance to BAU in every release (*)
Product Backlog | Add product for KT to BAU in every release (*)
Product Backlog | Add or update product for Customer Information Document (SDD type)
Product Backlog | Add or update product for DR and BCP
Product Backlog | Add product for support contracts with external suppliers

In the Release

Every Product's DoD/acceptance criteria to contain | KT material update
Every Product's DoD/acceptance criteria to contain | Support Model update
Every Product's DoD/acceptance criteria to contain | Documentation references captured (for STM)

Project Closure

Project Closure | Left Over list

(*) When that release is handed over to BAU to support


Who How Method

STM involved!
STM meeting with AV & IB ; where required
Discuss with SA&I to ensure logical fit is Service Architecture to contact the various
STM chosen Solution Centers to find the right home
Standard model for including in existing
SolCtr
or
Standard model for building Sol Ctr
STM capability

STM impact
Release Plan

Plan the Release PINS+ deliverables (as


defined below). Agree when they will be
STM (with PM) delivered.
Get agreement between the Project and
BAU on when this can land. Input from Note: Earliest go live date is dependent on
STM around requirements before impacted BAU organisation (service desk/solution
handover (ie KT/SAC and other involved center etc. lead time)
PM/STM/ColCtr mgr parties

STM work with Solution Center to get the


STM/PM delivery of SAC included

STM work with Solution Center to get the


STM/PM delivery of SAC included

STM work with Solution Center to get the


STM/PM delivery of SAC included

STM work with PM to get the Security


STM/PM Checklist included

release can only be handed to BAU when


the BAU organisation is ready. STM to
ensure a service readiness plan is used
PM to test BAU readiness (end to end)

User Story' :
The service transition manager needs to
get this Initial Support Model elements
clarified so that he can engage with the
various support parties and prepare them
PM/ProductOwners/STM for the support fo live. build during the various products in the sprints
User Story:
IT Services needs the BAU organisation to
be fully ready to support the release that is
handed over to the for support. In order to
achieve this the following elements need
to be covered:
* People in place
* Processes updated (support processes
and business processes)
* Cost Model in place (clarity on
cost,recharges)
* Warranty (model for handover from
project. option: staged handover)
* service reporting embedded in the ITS
reporting
** see details in the section Requirements
for ITS BAU in the TAB Compliance
PM Checklist early on in the release

' User Story': The STM requires an


overview of the content of the release so
that he can organise the appropriate KT Project to deliver material
PM 'sessions.
User Story': The BAU organisation - build during the various products in the sprints
consisting of all involved support parties -
must have the full support model so that
they understand their role in the support
flow. This Support Model is also used in
PM the KT sessions. signoff support model
' User Story': The BAU - consisting of all
involved support parties - must get to
understand the product delivered and the
possible incidents and anticipated type of
changes, so that they are prepared to STM to make the KT plan and organise the KT
support the business once the project sessions between BAU and Project
PM hands over the support responsibility KT to be done close to handover to BAU
product can be used, how they can update
its usage, how it is supported and how the
processes around the product work, so
that they can benefit from the product. The
information needs to be stored for future
PM reference by new users.

User Story: The ITS organisation needs to


know if and how business continuity is
arranged so that they can support the
business to get up and running within a
PM/Business/BAU User Story:
defined The ITS
timeframe, Organisation
should needs
the solution fail.
to have signed support contracts with 3rd
party support providers before the service
responsibility can be handed over from
project to ITS..
Acceptance Criteria:
* Must be in line with standards MSA (if
new this MSA can be supplied by legal)
* Must have Service Levels in line with the
BAT Standard (fit into E2E agreement with
customer)
* Check contract requirements in the
Compliance Checklist TAB

PM
The ITS support organisation needs to
have visibility of the remaining product
backlog at project end so that the
support organisation can agree with the
business if, how and when the residuals
will be addressed.

Also issues list

Business Release Plan (Maintenance


Cycle)
Product

IB early
March

Plan for introduction


in Sol ctr
IB early
March

SIP (Service
Introduction Plan)
Support Model for
the Release
Source/Type | Area | Requirement/Standard

IT company planning guidelines | Tool: Service Desk Tool | Ticketing Tool (triole or alternative)
Used for assessing the support model
IT company planning guidelines | Function: Service Desk Services | Fujitsu
IT company planning guidelines | Function: Datacenter (hosting) | HCL or TSY
IT company planning guidelines | Function: Global Network | BT
IT company planning guidelines | Function: IT Security | COD compliance; TSS compliance; BIA
IT company planning guidelines | Function: IT Security (MSSP) (SIEM, Firewall, EPP) | Wipro; * Any firewalls must come under governance/management of MSSP; * Assess if logsources (SIEM) need to be added
IT company planning guidelines | Tool: Application Access Management | IAM: Access Provisioning must be integrated in IAM
Function | Function: Application Support | Wipro
IT company planning guidelines | Externally hosted systems (incl saas) must comply with the Externally Hosted Systems standard |
from SaaS implementation Guidelines | Assess Storage type | 1 (allowed) Known geography: the data is stored on a server where the physical location is known, e.g. a web server in a London Data Centre. 2 (avoid) True cloud: the data is stored in a location that is unknown to either British American Tobacco or, potentially, the provider. This can be the case with infrastructure such as Amazon ECC/S3 or Google.
from SaaS implementation Guidelines | Evaluate Integration | Any integration points and interfaces with BAT systems should be compliant with the Enterprise Integration Bus.
from SaaS implementation Guidelines | Requirement on SaaS suppliers | Have robust controls that guarantee isolation of British American Tobacco’s software & data from other customers some cases depending on the sensitivity of the information or nature of the service the provider should have obtained IT Security Certification to an industry standard or have a clear certification roadmap

SaaS --> Policies and Processes

from SaaS implementation Guidelines | Requirement on SaaS suppliers | Have a sub-contractor governance & control model if sub-contractors are used to deliver services.
from SaaS implementation Guidelines | Requirement on SaaS suppliers | Conduct regular independent control auditing in their environment. Any independent service auditor reports should be available to customers for review
from SaaS implementation Guidelines | Requirement on SaaS suppliers | Be insured by a 3rd party against losses and litigation. The insurance level should provide adequate coverage
from SaaS implementation Guidelines | Requirement on SaaS suppliers | Agree to permit customer’s rights to conduct onsite audits more detailed list of required cloud provider IT Security controls refer to the ‘BAT Cloud Provider IT Security Control Specification’.
from SaaS implementation Guidelines | Requirement on SaaS suppliers | any SaaS solution should follow the “SaaS Governance Framework” created by IT Security
from SaaS implementation Guidelines | Interoperability | Compliance to external industry-wide standards
from SaaS implementation Guidelines | mandatory policies | British American Tobacco’s IT Security Policies ( http://techzone/display/SecSC/Control+Objective+Documents )
from SaaS implementation Guidelines | mandatory policies | Global Data Protection Policy
from SaaS implementation Guidelines | mandatory policies | BAT Cloud Provider IT Security Control Specification
from SaaS implementation Guidelines | mandatory policies | “SaaS Governance Framework” created by IT Security

Generic | BAU Landing | Determine Ownership of the solution (in the business)
Generic | BAU Landing | Determine Ownership in ITS
from SaaS implementation Guidelines | Business Case | Full TCO
from SaaS implementation Guidelines | Evaluate Integration | Can the destination URL be reached by all British American Tobacco end markets over the existing network and security infrastructure?

Requirements for ITS (BAU)

from SaaS implementation Guidelines | Evaluate Integration | Can the proposed SaaS solution use pass-through authentication from an internal British American Tobacco system.
from SaaS implementation Guidelines | Evaluate Integration | Can users self-provision? Or is there a mechanism of data exchange from existing people repositories (eg SAP HR, Active Directory)?
from SaaS implementation Guidelines | Support model (ITS) | SDD & entry in service catalogue mandatory
from SaaS implementation Guidelines | Support model (ITS) | Service Level (assess end to end for customers)
from SaaS implementation Guidelines | Support model (ITS) | Incident & Problem Management process
from SaaS implementation Guidelines | Support model (ITS) | Change and Request management
from SaaS implementation Guidelines | Support model (ITS) | Service and Business continuity
from SaaS implementation Guidelines | Support model (ITS) | Service reporting process
from SaaS implementation Guidelines | Support model (ITS) | Service improvement process
from SaaS implementation Guidelines | Support model (ITS) | Comply with British American Tobacco User Experience Guidelines
from SaaS implementation Guidelines | Assess Risk | Loss of transaction data/records
from SaaS implementation Guidelines | Assess Risk | Loss of administration data
Risk assessment
SaaS:

from SaaS implementation Guidelines | Assess Risk | Application functionality loss
from SaaS implementation Guidelines | Assess Risk | Loss of Community
from SaaS implementation Guidelines | Key contractual point | Ensure that you always have access to current data backups.
from SaaS implementation Guidelines | Key contractual point | Define precisely in the contract what constitutes a continuity breach and what the penalties are.
from SaaS implementation Guidelines | Key contractual point | If the SaaS vendor is using 3rd party cloud infrastructure, then ensure that the vendor contracts directly with the 3rd party to support the solution in event of their demise.
from SaaS implementation Guidelines | Key contractual point | Negotiate a contractual right to access the solution, the configuration, and the data.

Contractual Requirements

from SaaS implementation Guidelines | Key contractual point | Negotiate the right to run the solution yourself should this need ever arise.
from SaaS implementation Guidelines | Contractual : Exit Management | Address --> Data Ownership & Transfer
from SaaS implementation Guidelines | Contractual : Exit Management | Address --> Transfer of access information (UID/PW)
from SaaS implementation Guidelines | Contractual : Exit Management | Address --> re-establish B2B connectors
from SaaS implementation Guidelines | Contractual : Exit Management | Arrangement for pay out of Service Credits / Unused Monies if applicable
from SaaS implementation Guidelines | Contractual: Reporting requirements | * SLA-tracking: monthly - how is the service performing against the agreed SLAs including Service Availability
from SaaS implementation Guidelines | Contractual: Reporting requirements | * Usage: monthly – how much is the service being used compared to contractual terms
from SaaS implementation Guidelines | Contractual: Reporting requirements | * Support: monthly – what are the support / helpdesk tickets raised, how are they being resolved
from SaaS implementation Guidelines | Contractual: Reporting requirements | * Service improvement (if part of contract): quarterly – what improvements to the service are planned
from SaaS implementation Guidelines | Contractual: Reporting requirements | * Relationship: quarterly – relationship management status report with vendor

BAU considerations

Service Levels | Where true SaaS, these are dictated by the supplier/market. Else refer to generic SL standards
Contract - Service Management | Standard sample available when not true SaaS
Contract - Governance Model | Standard sample available when not true SaaS & for SaaS

SaaS:

Solution Center fit | true SaaS --. TBC
End to End service | Ensure true Service Integrator model
Vital Business processes to be documented | must be clearly defined (SDD)
Critical Service periods | must be clearly defined (SDD)
Documentation available for
Compliant reference Non compliant

Compliance to be assessed
pending

Vendor Manager/Service
Owner/Contact Relevance Consequence/Risk of non-compliance

John Eustace Onboarding process available 1. Cannot measure and report on ITS KPI

1. No integration with other BAT support


units
2. not part of global services around
change management
3. not automatically part of MIM process
4. not automatically part of Notification
process (service advisory etc)
5. Unplanned and extended service
interruption due to non alignment with BAT
processes
John Eustace Onboarding process available

1. We achieve poor commercial terms as


we don’t leverage our true global scale.
2. Data and information is held outside the
corporate firewall in unknown and
unmanaged locations with the potential
for loss, damage, or unwanted access
and/or disclosure.
3. Duplication of business data and
information leading to complexity in our
business and reduced effectiveness.
Marcel Malan (HCL) 4. Difficulty in integration to other British
American Tobacco systems.

1. We achieve poor commercial terms as


Thomas Heartel (TSY) we don’t leverage our true global scale.
Eric Daumieres/London/GB/BAT (?)

John Taylor? COD/TSS available

Yeoh Tjean Na/Kuala


Lumpur/AP/BAT@BAT 1. Denial of service – either through
Ahmed AbdelAzim Onboarding process available service provider failure or targeted attacks

Ahmed AbdelAzim Onboarding process available

Yeoh Tjean Na/Kuala


Lumpur/AP/BAT@BAT
Jimmy Ho Sek Loong/Kuala 1. We achieve poor commercial terms as
Lumpur/AP/BAT@BAT Onboarding process available we don’t leverage our true global scale.
http://interact/interact/it/sb_techzone.nsf/(0)/AB3B03D6B170F7AD65257B5100345BBCXXX/$file/BAT%20Externally%20Hosted%20Solutions%20Security%20Requirements%20v1.3a.docx

Legal issues when true cloud.

Difficulty in integration to other British


American Tobacco systems.
standard requested from kevin

no guaranteed data protection

The objective of the model is to ensure


that all parties directly involved in
providing the service operate according to
the same standards

compliance with our Audit requirements

“SaaS Governance Framework”


pending from Kevin

NOTE: the only applicable British


American Tobacco IT Security
standard to SaaS is the
Management of Third Parties COD.
Management of Third Parties COD.
Data and information is held outside the
corporate firewall in unknown and
unmanaged locations with the potential
for loss, damage, or unwanted access
and/or disclosure.
Global Data Protection Policy

BAT Cloud Provider IT Security


Control Specification

SaaS Governance Framework


1. unpredictable forecast of ITS costs

This is an important aspect as it ensures


that users do not have to manage multiple
different login ids and passwords for a
whole variety of systems?

where possible aligned to BAT TOM

where possible aligned to BAT TOM


Unplanned and extended service
interruption due to inadequate supplier
where possible aligned to BAT TOM Business Continuity Planning.

where possible aligned to BAT TOM

where possible aligned to BAT TOM

British American Tobacco User


Experience Guidelines 1. impacts performance consistency

mitigation: regular backups

mitigation: monthly extracts (ie


user and pws)

Mitigate this by;


a. Ensuring that there is an exit plan
for data and application
functionality in such an event
b. Have a plan, and the
infrastructure, to migrate to on-
premises solution
c. If the SaaS vendor is sub-
contracting cloud services from a
larger organisation (e.g. niche
player, leveraging Amazon cloud)
then have a plan to migrate directly
to the larger organisation

an alternative multi-community
solution
Available

TBC TBC TBC


This is to avoid the solution center
becoming the glue between the services
(platform/application) in BAU
Implementation

Assessment by R A C I

SA
BAU (service
SDM/STM project manager EUS center/solution center)

SA

BAU (service
SDM/STM project manager EUS center/solution center)

SA

BAU (service
SDM/STM project manager ITS-TS (Datacenter) center/solution center)

SA BAU (service
SDM/STM project manager ITS-TS (GWAN) center/solution center)

Security Compliance Manager (Daniel Security Compliance


Delgado) Manager (Daniel
Delgado) project manager - SDM/STM

SA Security Compliance
Manager (Daniel
Delgado) project manager - IT Sec Ops

SA/Technical Architect
IAM Owner project manager IAM Support Team SDM/STM

SA
SDM/STM project manager Vendor Manager Vendor Manager
Security Compliance Manager (Daniel
Delgado)
Security Compliance
Manager (Daniel
Delgado) project manager - SDM/STM

TAB Security Compliance


Manager (Daniel
? project manager Delgado) SDM/STM

TAB Security Compliance


Manager (Daniel
? project manager Delgado) SDM/STM

TAB
Security Compliance
Manager (Daniel
? project manager Delgado) SDM/STM

TAB
Security Compliance
Manager (Daniel
? project manager Delgado) SDM/STM

TAB
Security Compliance
Manager (Daniel
? project manager Delgado) SDM/STM
Security Compliance
TAB Manager (Daniel
? project manager Delgado) SDM/STM
Security Compliance
TAB Manager (Daniel
? project manager Delgado) SDM/STM

TAB Security Compliance


Manager (Daniel
? project manager Delgado) SDM/STM
Security Compliance
TAB Manager (Daniel
? project manager Delgado) SDM/STM

TAB
Security Compliance
Manager (Daniel
? project manager Delgado) SDM/STM

TAB
Security Compliance
Manager (Daniel
? project manager Delgado) SDM/STM
Security Compliance
TAB Manager (Daniel
? project manager Delgado) SDM/STM
Security Compliance
TAB Manager (Daniel
? project manager Delgado) SDM/STM

SA
Project manager Project manager Project Board SDM/STM
SA SA
SDM/STM Project manager ITSLT '-
Service line ;
SDM/STM Project manager ITS Finance
Security Compliance
TAB Manager (Daniel
? project manager Delgado) SDM/STM

TAB
Security Compliance
Manager (Daniel
? project manager Delgado) SDM/STM

Technical Architect
SDM/STM project manager SaaS supplier -
SDM/STM or
Service Line project manager Service Line SDM/STM

SDM/STM project manager ITS Service Line

SDM/STM SA -
SDM/STM project manager

SDM/STM SA -
SDM/STM project manager

SDM/STM SA -
SDM/STM project manager

SDM/STM SA -
SDM/STM project manager

SDM/STM SA -
SDM/STM project manager

tbc
tbc tbc tbc tbc

Security Compliance Manager (Daniel Security Compliance


Delgado) Manager (Daniel
Delgado) project manager - SDM/STM

Security Compliance Manager (Daniel Security Compliance


Delgado) Manager (Daniel
Delgado) project manager - SDM/STM

Enterprise Architect

Project Manager
Design Authority
(project) Solution Center Mgr
Maintenance DA (BAU) (BAU) SDM/STM
tbc
tbc tbc tbc tbc
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM

technical architect/service architect technical


architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM
technical
technical architect/service architect architect/service solution center/service
architect project manager line SDM/STM

project manager project manager SaaS supplier SDM/STM


info
info info info info
info
info info info info

SA
SA or SDM/STM project manager ITS SDM/STM

tbc
tbc tbc tbc tbc

Business owner project manager - SDM/STM

Business owner project manager - SDM/STM
