CSQA Software Certifications CSQA Certified Software Quality Analyst Free Practice Exam Questions (2025 Updated)

Baselines should be quantitative even if it is a subjective measure, but quantitatively subjective. For example, because quality conformance and nonconformance must be defined by people, we are looking for ways to put this information into a quantifiable format. This does not convey a lot of information, but it is indicative of a problem. However, if we develop a five-point scale for unresponsiveness, and ask your dissatisfied customer to complete that scale, we now have conveyed a lot more information. If our scale rates “1” as very poor service, and “5” as very good service, there is a great deal of difference between a “1” rating and a “3” rating for dissatisfaction.

Target Audience

The target audience for ISO/IEC 12207 is:

Organizations acquiring a system that contains software or a stand-alone software product

Organizations that supply software products

Organizations involved in software operation or software maintenance

The standard is especially applicable for acquisitions, as it recognizes the distinct roles of acquirer and supplier. Its intended use is for the two parties of an agreement or contract that defines the development, maintenance, or operation of software. It does not apply to the purchase of commercial off-the-shelf software products. It is also intended for use with trained, experienced developers, managers, and acquirers of software.

Views of Software Development

Given the target audience, ISO/IEC 12207 includes several different points of view regarding software development:

Acquirers and suppliers see a contract view, which includes the acquisition and supply processes and begins with a contractual relationship to supply software. Depending on the contract, the supply process may use the development process to create new software, the operation process to provide software operation services, or the maintenance process to repair or improve the software.

Operators see an operating view, which includes the operations process. The operations process may use the maintenance process.

Developers and maintainers see the engineering view, which includes the maintenance and development processes. The maintenance process may also use the development process.

The employer of supporting processes sees the supporting view, which includes the eight supporting processes.

Managers see the corporate view, which includes the four organizational processes.

To map processes, executive management (Quality Council) must have identified the organization's mission, long and short-term goals, organizational structure, and deliverables. If formal strategic planning is not regularly performed, identifying an organization's mission and goals is difficult.

Processes should be mapped to mission and goals, to functional units (people), and to deliverables in separate matrices. The following generic process can be used for each mapping:

1. Create a matrix.

2. List processes across the top of the matrix.

3. On the left side of the matrix, list the goals, functional units or roles or deliverables.

4. Identify the linkages between the rows and columns, as follows:

A process may support multiple goals. Put an X in the intersection to acknowledge a linkage only if the stability or quality of the process could influence meeting goals. If all processes contribute to all goals, decompose the mission and goals further. The resulting Manage-by-Process matrix is a process map.

Processes have primary owners, suppliers and customers. Identify a linkage in this matrix by using “O”, “S” or “C” in the intersection to distinguish between the roles.

Deliverables can be internal such as design specifications, or external such as user manuals. In this matrix indicate the usage of the deliverable by placing a “C”, “R”, “U” and/or “D” in the intersection. “C” is used when the deliverable is created, or the service is provided through the process. “R” indicates the deliverable is referenced or used as input to the process. “U” indicates the deliverable is updated or revised in the process. “D” means the deliverable is deleted, or retired, etc.

5. For mission and goal mapping, look for gaps where goals are not supported by processes. Consider removing any processes that do not support goals, as they do not add value. For functional unit mapping, look for gaps where units do not have processes. For deliverable mapping, look for gaps where deliverables do not have processes or vice versa.

6. If the mapping identified any new processes, add them to the inventory.

Reduce the Number of Vendors

Requiring statistical evidence of quality control in the purchase of hardware and software will mean, in most companies, drastic reduction in the number of vendors with whom they deal. Companies will have to consider the cost of having two or more vendors for the same item. A company will be lucky to find one vendor that can supply statistical evidence of quality. A second vendor, if they cannot furnish statistical evidence of their quality, will have higher costs than the one that can furnish the evidence, or they will have to chisel on their quality, or go out of business. A person that does not know his/her costs or whether today's distribution of quality can be repeated tomorrow is not a good business partner.

Use Statistical Methods to Find Sources of Trouble

Which are user faults? Which faults belong to IT? Put responsibility where it belongs. Do not rely on judgment because it always gives the wrong answer on the question of where the fault lies. Statistical methods make use of knowledge of the subject matter where it can be effective, but supplant it where it is a hazard.

Constantly improve the system. This obligation never ceases. Most people in management do not understand that the system (their responsibility) is everything not under the governance of a user.

Institute Modern Aids to Training on the Job

Training must be totally reconstructed. Statistical methods must be used to learn when training is finished, and when further training would be beneficial. A person once hired and trained and in statistical control of his/her own work, whether it be satisfactory or not, can do no better. Further training cannot help. If their work is not satisfactory, move them to another job, and provide better training there.

The checklist must contain the following items to determine necessary management security controls placed over online software systems:

Ensure that staff knows who does what relative to security—the security dos and do nots.

Ensure that staff has sufficient resources and skills to exercise its security responsibilities.

Ensure that security is considered in job performance appraisals and results in appropriate rewards and disciplinary measures.

Ensure awareness of the need to protect information; provide training to operate nformation systems securely and be responsive to security incidents.

Ensure that security is an integral part of the systems development life cycle process and explicitly addressed during each phase of the process.

Ensure that staff with sensitive roles has been vetted.

Ensure that the organization is not dependent on one individual for any key security task (i.e., appropriate segregation of duties).

Ensure that privacy and intellectual property rights, as well as other legal, regulatory, contractual and insurance requirements, have been identified with respect to security and processes in your area of responsibility.

Ensure that applicable security measures have been identified and implemented (e.g., effective backup, basic access control, virus detection and protection, firewalls, intrusion detection and adequate insurance coverage).

Ensure that a suitable technical environment is in place to support security measures

The relationship of probability and impact are not linear, and the magnitude of the risk typically makes a difference. For example, consider the risk of spending $1 for a 50/50 chance to win $5, vs. the risk of spending $1,000 for a 50/50 chance of winning $5,000 vs. the risk of spending $100,000 for a 50/50 chance of winning $500,000. In this example, the probability of loss is all the same (50%) yet the opportunity cost of losing is much greater.

IT Management- IT management must plan for quality and develop an IT policy that documents the objectives for the quality function.

Management committees(also called Process Management Committees) are composed of middle managers and/or key staff personnel, and are responsible for deploying quality management practices throughout the organization. One or more committees may be needed depending on the organization’s size and functional diversity. Committees should represent all the skills and functions needed to work on the specific processes or activities.

The users of the processknow the strengths and weaknesses of the process; they know the type of process changes that can facilitate the use of the process.

Quality Assurance Managerassures the overall process to maintain quality. He/she also manages and maintain a group of quality assurance professionals who have the task of maintaining quality and assuring quality.

Quality Control Function- The method used in your IT organization to acquire tools is two-fold. First, tool vendors send you information about new tools and/or call to explain the tools to you. Second, requests from IT staff members are an important input in determining whether or not to acquire tools. Once acquired, the determination for tool usage is left to the project and/or individual.