Scope Measurement on Large IT Projects in Texas: A Position Paper

Herb Krasner, University of Texas at Austin (ret.), CISQ Advisory Board member


A new Texas state law adds specific monitoring requirements for large IT projects in Texas state agencies. It requires regular monitoring and reporting on IT project performance indicators of: schedule, cost, scope, and quality. IT scope measurement is the focus of this new report.


Download it here: Scope Measurement on Large IT Projects in Texas: A Position Paper


IT scope metrics are used to define and deliver the right product or system to achieve an organization’s project goals and objectives. This paper recommends several specific IT scope metrics that should be used on all large IT projects:

  • Balanced Scorecard (BAL)
  • System/project size and its growth or change
  • System requirements metrics for anomalies, quality, volatility, change impact and satisfaction

How these IT scope metrics are combined to answer the question of are we on track is discussed, along with typical scope challenges and next steps to properly implement the metrics.


For more information, read these related blog entries:

IT Quality: Measurement Implications for Large IT Projects in Texas

Herb Krasner, University of Texas at Austin (ret.), CISQ Advisory Board member


A new law in Texas necessitates the enhanced monitoring of all large IT projects in state agencies. It requires regular measurement and reporting of project performance indicators: schedule, cost, scope, and quality. Quality is believed to be the most challenging of the performance indicators, yet it has the largest potential for driving significant improvement.


To address this, I’ve published a new position paper on IT quality measurement, which outlines the strategic and tactical reasons for doing so, and lays out a definitional framework for implementation of the new law.


Download it here: IT Quality: Measurement Implications for Large IT Projects in Texas


IT quality metrics for the following work products are defined and explained in the report: plan quality, requirements quality, architecture/design quality, software code quality, data quality, test quality, and operational system quality. The larger implications for process maturity, lean and agile development, effective use of industry standards, and cybersecurity measurement are also outlined. The guidelines in this paper are intended to help the state implement this new law, and may be useful to other states traversing the same path to more successful IT projects. The new law goes into effect on Jan. 1, 2018, and the implementation mechanisms are currently under development.


Standards developed by CISQ are included under software code quality and operational system quality.


For more information, read these related blog entries:

Texas Cybersecurity Legislation Passed In 2017 – A Summary

Herb Krasner, University of Texas at Austin (ret.), CISQ Advisory Board member


Here is a summary of the cybersecurity legislation that was passed this year that will have an impact on state agencies and institutions of higher education (all from the 85th regular session of the Tx legislature). The Tx Dept. of Information Resources (DIR) and state agency CISO’s will be the primary actors to make these new laws happen. The 2017 cybersecurity legislation (HB 8, except where noted otherwise) includes the following summarized provisions:

  • Establishment of legislative select committees for cybersecurity in the House and Senate.
  • Establishment of an information sharing and analysis center to provide a forum for state agencies to share information regarding cybersecurity threats, best practices, and remediation strategies.
  • Providing mandatory guidelines to state agencies for the continuing education requirements for cybersecurity training that must be completed by all IT employees of the agencies.
  • Creating a statewide plan (by DIR) to address cybersecurity risks and incidents in the state.
  • DIR will collect the following information from each state agency in order to produce a report due to the Legislature in November of every even numbered year. (SB 532)
    – Information on their security program
    – Inventory of agency’s servers, mainframe, cloud services, and other technologies
    – List of vendors that operate and manage agency’s IT infrastructure
  • The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity.
  • Establishment of rules for security plans and assessments of Internet websites and mobile applications containing sensitive personal information.
  • Requiring the conduct of a study on digital data storage and records management practices.
  • Each agency shall prepare a biennial report assessing the extent to which all IT systems are vulnerable to unauthorized access or harm, or electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.
  • At least once every two years, each state agency shall conduct an information security assessment, and report the results to DIR, the governor, the lieutenant governor, and the speaker of the House of Representatives.
  • Required proof that agency executives have been made aware of the risks revealed during the preparation of the agency ’s information security plan.
  • Requires state agencies to identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues including legacy modernization and cybersecurity workforce development and retention.
  • In the event of a breach or suspected breach of system security or an unauthorized exposure of sensitive information, a state agency must report within 48 hours to their executives and the state CISO. Information arising from an organization’s efforts to prevent, detect, investigate, or mitigate security incidents is defined as confidential.  (SB 532)
  • Requires creating and defining an Election Cyber Attack Study (by Sec. of State).
  • Allowing DIR to request emergency funding if a cybersecurity event creates a need (SB 1910).