Statement of Work
From Square Root
Introduction
Purpose
The purpose of this document is to establish an agreement between Nancy Mead from CERT, hereafter referred to as the client, and the members of the Master of Software Engineering (MSE) Square Root Team at Carnegie Mellon University, hereafter referred to as Square Root.
While the Statement of Work (SOW) is not legally binding, by accepting this document, both parties express their willingness to observe the terms and conditions of this document in good faith.
Audience
This document is intended for the members of Square Root, the client, and the mentors. Additionally, this document, like all information on this wiki, is released under a Creative Commons Attribution Share-Alike License so that any interested secondary parties may benefit from the knowledge it contains.
Scope of document
The provisions of this document are effective for the duration of the MSE studio project from August 20, 2008 to December 11, 2009. Following the conclusion of this project, no member of Square Root will be responsible for the maintenance or upkeep of documents, code, or other artifacts produced during the project for the client or otherwise.
Project Overview
Security is an important software quality attribute, but it is usually treated as an implementation afterthought, leaving many software projects inadequately secured against threats. The goal of SQUARE is to help requirements engineers think about security requirements earlier in the software development lifecycle and in a more complete and methodical way.
This project aims to create a web-based tool that guides SQUARE adopters through successful completion of the SQUARE process so that they are able to easily collect security and privacy requirements. The SQUARE Tool will also help users analyze requirements collected during the process.
Business Drivers
The SQUARE process has several business drivers which the tool should support.
- Education
  - The tool should help educate users about the SQUARE process and software security.
- Research
  - The tool should help SQUARE researchers gain further understanding of SQUARE in the context of software security and privacy requirements elicitation.
- Adoption
  - The tool should help spread SQUARE and make it easier for those interested in security requirements to adopt SQUARE.
Project Scope
The project scope is controlled by three parameters. Items higher in the list have a constraining effect on items lower in the list. For example, given the option between adding features or improving the quality of existing features, Square Root will improve the quality of the existing features.
- Time - all work must be completed within the resource constraints outlined in the Project Resources section of this SOW. Deliverable artifacts will be delivered according to the timeline specified in the Deliverables section of this SOW.
- Quality - the project will be guided by the business drivers and corresponding quality attributes. At a minimum, all "Critical" bugs will be resolved. Bugs are assigned priority based on the client's input and the team's assessment of the specified requirements, available resources, technical impact, and other factors.
- Features - Square Root will deliver as many features as possible within the time constraints of the project. All project requirements will be stored and maintained in this wiki. Requirements will be captured using a variety of methods including use cases, prototypes, and prose.
- Changes - All changes are recorded in the wiki. The high level requirements are considered frozen at the conclusion of our Inception Phase. The low level requirements are considered frozen at the conclusion of our Elaboration Phase. Once the requirements have been frozen, any changes must go through a controlled change process and will require a reestimation and rescoping of the project.
- Prioritization - Features will be implemented according to priority with higher priority features implemented before lower priority features. Priority is assigned based on input from the client and team and may take into account such information as business needs, technical risks, dependencies, or resource constraints.
Technical Constraints
Since the project consists of a web application, the minimum requirements for target platforms (both client and server) should be defined. Any software Square Root builds for the client must support the following platforms.
The target web server is Apache 2.2 running on Microsoft Windows Server 2008.
The target browsers are Firefox 3, IE7, and Safari all running on Microsoft Windows Vista and Windows XP.
Any server side languages or language frameworks chosen by the team may be used in the project. The client requires that any technologies chosen be "widely-used" and preferably open-source.
Scope Limitations
The following tasks are considered to be outside the scope of the project:
- Formal training for users
- Any tasks occurring after the completion of the project (December 11, 2009)
- Any research activities on SQUARE, privacy, or security
Project Resources
Square Root will supply the following developer resources.
| Semester | Start | End | Weeks | Hours/week | Number of Developers | Total Hours | Vacation/Holidays |
|---|---|---|---|---|---|---|---|
| Fall 2008 | August 25, 2008 | December 12, 2008 | 15 | 9 | 5 | 675 hours | Thanksgiving (1 week) |
| Spring 2009 | January 12, 2009 | May 8, 2009 | 16 | 12 | 5 | 960 hours | Spring break, March 9 - 13 (1 week) |
| Summer 2009 | May 18, 2009 | August 7, 2009 | 12 | 48 | 5 | 2,760 hours | Each member gets 24 hours holiday time to use as they please |
| Fall 2009 | August 24, 2009 | December 11, 2009 | 15 | 12 | 5 | 900 hours | Thanksgiving (1 week) |
Projected End of Phase Dates
Square Root is using the Agile Unified Process (AUP) framework to guide project development. AUP phases end once specific criteria are met. Those criteria will be identified in this wiki as the project progresses. The projected dates on which Square Root expects each phase to end are listed below. The team will use the identified exit criteria to determine when a phase has been completed, which may differ from the dates presented here.
| Phase | Projected end date |
|---|---|
| Inception | December 12, 2008 |
| Elaboration | May 8, 2009 |
| Construction | August 7, 2009 |
| Transition | December 11, 2009 |
Responsibilities
Square Root
The Square Root team will fulfill the following responsibilities.
- Develop a SQUARE tool that implements all "Must Have" requirements.
- Provide the client with unlimited read access to this wiki.
- Provide all deliverables specified in this SOW.
- Provide a meeting agenda for client meetings at least 12 hours in advance of the meeting. Read-ahead material for meetings must be sent at least 36 hours in advance.
- Provide access to a "live demo" of the software hosted by Square Root demonstrating the most up-to-date release.
- Obtain and maintain a development server similar but not necessarily identical to the client's production server.
- Square Root is not responsible for installing or maintaining any software on the client's servers.
Client
The client has the following responsibilities with regards to this project.
- Respond to questions and other requests for information within 3 business days of their being sent unless other arrangements are made. The primary means of communication is email.
- Approve acceptance criteria proposed by Square Root by which the tool will be judged by the client.
- Be available for a minimum of one face-to-face meeting during each semester of the project.
- Assist in identifying and discovering project risks.
- Assist in defining Quality Attributes for the software to be developed.
- Comply with the Change Request Process specified in this wiki for all artifacts that become "frozen" during the project lifecycle.
- Arrange for installation of releases of the tool on client servers for acceptance testing, and provide access to those servers in the event that errors are discovered that are not reproducible on Square Root servers.
Deliverables
Square Root will deliver the following artifacts to the client at the conclusion of the project.
- All source code for the developed software tool
- All developed unit and functional tests
- A static copy of this wiki
- An installation guide for the developed software
- A user's guide
- The following documents as complete PDFs:
  - All requirements
  - Architecture
  - Design
  - Acceptance test plan
  - Final acceptance test report
Points of Contact
Email will serve as the primary means of communication. Phone calls, when used, should only occur during normal business hours (9-5).
Square Root may be contacted at any time through the team mailing list: squareruut@googlegroups.com. The team member most qualified to respond will answer the email. Phone numbers for individual team members will be provided directly to the client.
Nancy Mead may be reached at any time through email: nrm@sei.cmu.edu. A primary phone number will be provided directly to the team.
Change Management Process
Significant changes in the external interfaces of the project will trigger a change in the SOW. The changes may be a result of the requirements change process described above, or of other unforeseen factors. The external interfaces include:
- Change in scope of project.
- Change in resources or schedule.
- Changes in project deliverables.
- Change in points of contact.
- Change of stakeholders.
For Square Root to initiate a change in the SOW, the intent has to be first conveyed to the client. Then, the team holds a meeting with the customer to work out the details of the change. The discussion should cover the impact on deliverables, schedule changes, and scope changes. Once an agreement has been reached, a new appendix to the SOW is created detailing the changes to the concerned sections of the SOW. Written approval of the Appendix is obtained and this approved Appendix is included with the current SOW. The Change Request Process will be further detailed in this wiki.
For the client to initiate a change in the SOW, the intent has to be conveyed to Square Root. Then, the team works with the customer to understand the details of the change. The team then performs an impact analysis of the change and decides if the change is feasible. If found to be infeasible, the decision and reasons are conveyed to the client by email. If the team finds the change feasible, a second discussion is held with the client to discuss changes to the SOW. The discussion should cover the impact on deliverables, schedule changes, and scope changes. Once an agreement has been reached on the particulars, a new appendix to the SOW is created detailing the changes to the concerned sections of the SOW. Written approval of the Appendix is obtained and this approved Appendix is included with the current SOW.
This SOW will be reviewed at the end of each project phase to ensure the SOW is being followed and is still relevant. Changes may be made to the SOW at that time with the permission of all parties. Written agreement is sufficient for making the changes.
Basic Assumptions
This section outlines the basic assumptions under which this SOW was created. Any violation of these assumptions will necessitate a renegotiation of any plans or other arrangements made between Square Root and the client.
- Square Root consists of five team members who are available on a full time basis for the duration of the project as defined in the resource table in the Project Resources section of the SOW.
- Nancy Mead will be reasonably available throughout the duration of the project.
References
- Zen Team SOW
- Lingua Franca SOW (Word .doc)
- Pangea SOW (Word .doc)
- Sultan's of Sim SOW (Word .doc)
