
3.4.10 IT Project Management

No: 43028139 Date(g): 4/11/2021 | Date(h): 29/3/1443

Effective from 2021-11-04 - Nov 03 2021

Principle

A formal process should be defined, approved and implemented to effectively manage IT projects and their related risks throughout the project lifecycle.

Control Requirements

1. The IT project management process should be defined and approved by the Member Organizations.

2. The IT project management process should be governed by a formally defined and approved IT project management framework, policy and procedure that covers the IT project lifecycle from initiation to closure.

3. The effectiveness of the IT project management process should be monitored, measured and periodically evaluated.

4. All IT projects should be provided with a detailed project plan, which includes, but is not limited to, the following:

 a. a detailed scope of work, including activities for the project or for each phase of the project;

 b. priorities, milestones and timelines associated with the project or each phase of the project;

 c. deliverables;

 d. roles and responsibilities; and

 e. risks associated with the IT project.

5. The necessary documentation for the IT project should be defined, approved and maintained for future reference, including but not limited to the following:

 a. project charter;

 b. requirements analysis, business information flow and technical information flow;

 c. feasibility analysis as well as cost-benefit analysis; and

 d. detailed project plan.

6. An IT project steering committee should be established, with representation from the relevant business and technical teams, to oversee the plan, progress and risks associated with IT projects.

7. All IT projects should be assessed for risks that could impact the scope, timeline and quality of the project. Any identified risks should be mitigated and monitored throughout the project lifecycle.

8. Any significant risks associated with an IT project should be reported to the IT project steering committee and to the senior management or board of directors of the Member Organization in a timely manner.

9. All project deliverables should be reviewed by an independent quality assurance function, or by an independent person assigned that responsibility, prior to the project being moved into the production environment.

10. Post-implementation reviews should be planned and executed to determine whether IT projects delivered the expected benefits, met business/user requirements, and complied with the IT project management framework.

11. The Member Organizations should inform the 'General Department of Cyber Risk Control' of any major IT transformation projects, such as a core system implementation, after approval from senior management.

12. Cyber security should be involved during the various phases of the IT project management lifecycle, in line with the control considerations provided in the SAMA Cyber Security Framework.