9.0 Analysis Phase
A minimum number of alternate solutions must be reviewed before a solution for the business need is chosen. Internal development, acquisition, or external development should be weighed as a solution against cost, resource availability, and maintainability.
All alternatives must be reviewed by stakeholders.
Where a solution exceeds the technical information requirements must be documented.
Stakeholders should rate the alternative solutions using metrics that consider risks, quality, quantity, and scheduling requirements. Scores should be justified where possible.
All alternatives must meet technical information requirements including essential business functionality, security, and required maintainability.
The staff that review the alternatives must have proper skill levels for the task.
The business risks of each alternative including integrity vulnerabilities must be considered. Alternatives which are considered must have proper checks to guarantee accuracy and completeness of data and transactions to meet the business need.
The data structure of each alternative must be considered and its impact on the enterprise methods of managing, storing, and controlling data must be taken into account.
The security levels of the solution's data must be considered based on the organization's data classification method. A review of access controls used by operating systems, databases, or other products must be performed to be sure the alternative meets the minimum security requirements.
If the organization has a data dictionary which is metadata that defines data elements, the alternative's impact on the data structure must be assessed and considered.
A formal cost and benefit analysis must be conducted before the project is initiated or canceled.
The leader of the cost and benefit analysis team must assemble expertise in the areas of business operation, budget, procurement, systems development, statistics, and information technology infrastructure.
The cost and benefit analysis must consider costs over the life of the system. the end of the system life must be defined which may be replacement or phase out.
The cost analysis must not consider cost savings already realized through previous changes or projects and must not consider past costs not relative to the current system or current project.
Any cost and benefit assumptions must be justified and explained.
All costs and benefits must be assigned a qualitative value rating or a specific value or cost.
Interest rates used for the cost and benefit analysis must be documented.
The accuracy and weight of the factors which affect the cost and benefit analysis must be properly assessed. A method to test these factors should be considered and the factors which most greatly affect the cost or benefits should be most strongly considered.
The cost of implementing mitigating controls for each risk to all alternatives must be determined and considered in the cost benefit analysis. The amount of risk reduction for each mitigating control must be included.