EDUCATION · SYSTEM ANALYSIS

🔍 System analysis - visual examples

Five system-analysis techniques with diagrams: SDLC phases, stakeholder analysis, requirements hierarchy, use case diagram and gap analysis. The examples are fictional and intended for teaching.

Software development life cycle

SDLC - Seven Phases (Waterfall vs. Iterative)

Diagram: SDLC - Systems Development Life Cycle, seven phases with the Agile feedback loop. 1. Planning (feasibility, scope) · 2. Requirements (SRS, NFR, use cases) · 3. Design (architecture, UI, data) · 4. Implementation (coding, code review) · 5. Testing (unit, integration, UAT) · 6. Deployment (release, rollout) · 7. Maintenance (patches, support). Waterfall: linear sequence of phases; Agile / Iterative: feedback loop back to earlier phases. Source: ISO/IEC/IEEE 12207:2017.

Application

To structure software development. Waterfall suits projects whose requirements are clear and stable; Agile suits projects whose requirements change and where value is to be delivered in increments.

References

ISO/IEC/IEEE 12207:2017 · NIST SP 800-64 Rev. 2 · CMMI v2.0 · ISO/IEC/IEEE 15288:2023 (Systems life cycle).

Security integration

Security must be considered from phase 2 (Requirements) onward, not only at the end. The 'Secure by Design' principle (NIST SSDF) builds security checks into every phase.

Stakeholder analysis

Stakeholder Power/Interest Matrix (Mendelow 1991)

Diagram: Stakeholder Power / Interest Matrix (Mendelow 2×2, stakeholders split by level of power and level of interest). Axes: POWER (power level) and INTEREST (interest level). KEEP SATISFIED (high power, low interest): Board / Sponsors, Regulators (CERT.LV). MANAGE CLOSELY (high power, high interest): Project manager, Key customer. MONITOR (low power, low interest): General public. KEEP INFORMED (low power, high interest): End users, Domain experts. Mendelow A. (1991) - Stakeholders of the Organization; aligned with PMI PMBOK 6 (13.1.2.6) and IIBA BABOK v3 (10.7).

Application

At the start of the project, before requirements are gathered. Reviewed again when the organisation or its priorities change.

References

PMI PMBOK Guide v6 (Chapter 13) · ISO 21500:2021 (Project management) · IIBA BABOK Guide v3 (10.7 Stakeholder List).

Security stakeholders

The DPO, CERT.LV and the regulator usually sit in the 'Keep Satisfied' quadrant: high influence, but little day-to-day involvement. They must be formally informed of changes (NIS2 notification deadlines: 24/72 h).

Requirements hierarchy

Functional vs Non-Functional Requirements (IEEE 830)

Diagram: Requirements hierarchy pyramid, four abstraction levels (IEEE 830-1998 · ISO/IEC/IEEE 29148:2018). Business (Why?) → User requirements (For whom?) → Functional requirements (What?) → Non-Functional, NFR (How well?; FURPS+ · ISO/IEC 25010). Example, cyb3r.help: Business: make it easier to find security specialists; User: search by category and region; Functional: keyword → 20 results per page; Non-Functional: <300 ms · 99.9% uptime · MFA · NIS2. FURPS+ (Grady 1992); ISO/IEC 25010:2023 adds Security · Compatibility · Portability. NIS2 Art. 21: security (auth · encryption · audit) is an explicit NFR in the requirements phase, not after deployment.

Application

Writing the requirements specification (SRS) before the architecture. The hierarchy gives business, users and developers a common language.

References

IEEE 830-1998 · ISO/IEC/IEEE 29148:2018 (Requirements engineering) · ISO/IEC 25010:2023 (System quality model) · FURPS+ (Grady 1992).

NFR and security

Authentication, encryption and audit logging are non-functional requirements (NFR), not functions. They are often forgotten, but NIS2 Article 21 requires them to be explicitly recorded.

Use case diagram

UML Use Case - an example for a listings platform

Diagram: UML Use Case Diagram, cyb3r.help - actors of the listings platform and their interactions; 3 actors with inheritance, 8 use cases inside the system boundary. System: cyb3r.help. Actors: Visitor; Registered user («extends» Visitor); Admin. Use cases: View listings, Search by category, Register, Publish listing, Pay for plan, Comment, Rate provider, Moderate content («include»). Notation: stick figure → actor · ellipse → use case · line → association · ─▷ → «extends» (inheritance) · ─⬞→ «include» (dependency).

Application

Gathering requirements when determining who uses the system and how. A picture is easier to understand than a long text, so it is easier to validate with users.

References

UML 2.5.1 (OMG 2017) · Cockburn A. (2001) - Writing Effective Use Cases · Jacobson I. (2011) - Use Case 2.0 (slices, narratives).

Misuse cases

The diagram is supplemented with 'misuse cases': how an attacker could abuse the system. This is the starting point for security thinking.

Gap analysis

Gap Analysis - Current (AS-IS) → Target (TO-BE)

Diagram: Gap Analysis - AS-IS → TO-BE; comparison of the current and the target state, with the actions and resources needed to close the gap. Three equal-width columns with transition arrows.

AS-IS (current state): ✗ Manual Excel register · ✗ No single catalogue · ✗ MFA on only 30% of accounts · ✗ No audit log · ✗ Payments by e-mail · ✗ Latvian only · ✗ Backup once a week · ✗ No incident plan · ✗ No NIS2 compliance · ✗ Certificates renewed manually.

GAP (gap-closing plan): ⚙ ACTIONS → Argon2id + MFA for everyone → Audit log (12-month retention) → Klix payments (RSA signature) → NIS2 Art. 21 compliance plan → Backup PITR + daily. 💰 RESOURCES → Time: ~3 months → 2 FTE engineers → ~5 k EUR infrastructure/year → 0.5 FTE training/month → ~3 k EUR audit → DPO outsourcing: ~2 k/year.

TO-BE (target state): ✓ Wagtail CMS + DB · ✓ Single LV/EN catalogue · ✓ MFA on 100% of admin accounts · ✓ django-auditlog · ✓ Klix payments · ✓ LV + EN (GT widget) · ✓ Backup once a day (PITR) · ✓ IR runbook + Sentry · ✓ NIS2 Art. 21 complied with · ✓ Automatic SSL renewal.

Aligned with Lewin K. (1947) - Force Field Analysis · McKinsey 7S · SWOT · PEST. NIS2 compliance gap analysis: compares controls against Article 21(2) points (a)–(j).

Application

Strategy planning or audit preparation. Shows what is missing, why, and how many resources are needed to reach the target state.

References

IIBA BABOK Guide v3 (6.3 Strategy analysis) · ISO/IEC 27003:2017 (ISMS implementation) · McKinsey 7S · Lewin K. (1947) Force Field Analysis.

NIS2 compliance

Gap analysis compares existing controls with the requirements of NIS2 Article 21. Non-compliance can be fined up to 10 M EUR or 2% of annual turnover.
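As an added example (not code from the original page or from the cyb3r.help project), the gap analysis above expressed as a control-register diff in Python: each control carries an AS-IS and a TO-BE level between 0 and 1 plus the planned action, and the report lists open gaps largest-first and coverage per Article 21(2) point. The register values, the extra "TLS on all endpoints" control and the mapping of controls to article points are constructed assumptions.

```python
"""Gap analysis as a control-register diff: AS-IS level vs TO-BE target.

Added example, not the page's own code. Register values and the mapping
of each control to a NIS2 Art. 21(2) point are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    article: str    # Art. 21(2) point the control supports (constructed mapping)
    current: float  # AS-IS level: 0.0 = absent, 1.0 = fully in place
    target: float   # TO-BE level
    action: str     # remediation taken from the GAP column


# Constructed from the diagram's AS-IS / TO-BE columns; "TLS on all endpoints"
# is an extra, already-met control so the gap filter has something to skip.
REGISTER = [
    Control("MFA on admin accounts", "j", 0.30, 1.0, "Argon2id + MFA for everyone"),
    Control("Audit log", "i", 0.0, 1.0, "django-auditlog, 12-month retention"),
    Control("Backup frequency (weekly -> daily)", "c", 1 / 7, 1.0, "Daily backup + PITR"),
    Control("Incident response plan", "b", 0.0, 1.0, "IR runbook + Sentry"),
    Control("Signed payments", "h", 0.0, 1.0, "Klix payments with RSA signature"),
    Control("TLS on all endpoints", "h", 1.0, 1.0, "none (already in place)"),
]


def open_gaps(register):
    """Controls below their target as (name, gap, action), largest gap first."""
    gaps = [(c.name, round(c.target - c.current, 2), c.action)
            for c in register if c.current < c.target]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


def coverage_by_article(register):
    """Share of the required level already reached per Art. 21(2) point, 0..1."""
    required, reached = {}, {}
    for c in register:
        required[c.article] = required.get(c.article, 0.0) + c.target
        reached[c.article] = reached.get(c.article, 0.0) + min(c.current, c.target)
    return {a: round(reached[a] / required[a], 2) for a in sorted(required)}


if __name__ == "__main__":
    for name, gap, action in open_gaps(REGISTER):
        print(f"{gap:.2f}  {name:36s} -> {action}")
    print(coverage_by_article(REGISTER))
```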