
Part 5 - Evaluating Code Change Management Processes



  1. Part 5 - Evaluating Code Change Management Processes
  • What is Code Change Management and why does it matter?
  • What are key code change controls and their relationship?
  • What are some common code change control gaps?

  2. Purpose of Management of Code Change Review
  • The goal of code change management is to provide a disciplined process for introducing required code changes into the IT environment securely and with minimal disruption to ongoing operations.

  3. Code Change Environments
  • Development – Testing – Production environments should be separated
  • Staging environment for user acceptance testing

  4. Code Environment Migrations
  • Control migration between environments
  • Maintain segregation of duties

  5. Management of Code Changes’ Equation

  6. Four Components of a Strong Code CM Process
  • Request/System Development Methodology (SDM) – Initiated through a controlled request and/or SDM process
  • Tested – IT and/or functional users perform documented testing of functionality and stability
  • Approved – Functional and/or IT owners approve prior to the change being moved into production
  • Monitored – Systems and processes are monitored to confirm code changes follow the controlled process

  7. Control Types: Prevention & Detection
  • Prevention controls – Testing and Approval/Authorization
  • Detection controls – Monitoring
  • Efficiency controls – Request/SDM

  8. Code Change Management – Segregation of Duties
  • Segregation of Duties (SOD) – Separation of activities that prevents users from making inappropriate/unauthorized changes
  • Systematic and organizational SOD required

  9. Segregation of Duties – Prevention Controls
  • Prevention controls require SOD:
    • Development access ≠ access to migrate to production (i.e., Change Coordinator)
    • Development access ≠ code change approver

  10. Segregation of Duties – Detection Controls
  • Detection (monitoring) controls SOD:
    • Development/Migration ≠ Monitoring of code change
    • Development/Migration ≠ access to the code change log or to enable/disable logging
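The monitoring control from slide 6 and the SOD rules from slides 9 and 10 can be expressed as a reconciliation of the production migration log against the approved change requests. The following is an added example written for this page, not code from the presentation; the record layouts, the people (alice, bob, carol, dave, erin, frank, grace), the ticket numbers and the log entries are all constructed for illustration. It flags migrations with no linked request, migrations that ran before approval, and every SOD break the slides name (developer approving, testing or migrating their own change), and it also checks that the person running the report is independent of development and migration, as slide 10 requires.

```python
"""Detection control: reconcile production migrations against approved
change requests and check segregation of duties (SOD).

Added example for this page; record formats and sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRequest:
    """One entry from the (assumed) change request system."""
    ticket: str
    developer: str   # who wrote the change
    approver: str    # functional/IT owner who approved it
    tested_by: str   # who performed the documented testing
    approved: bool   # approval recorded before migration?


@dataclass(frozen=True)
class Migration:
    """One entry from the (assumed) environment migration log."""
    ticket: Optional[str]   # None = migration with no linked change request
    migrated_by: str        # account that performed the migration
    target: str             # environment the code was moved into


Finding = Tuple[Optional[str], str]   # (ticket, finding code)


def evaluate(requests: List[ChangeRequest],
             migrations: List[Migration]) -> List[Finding]:
    """Return SOD and approval findings for every migration into production."""
    by_ticket = {r.ticket: r for r in requests}
    findings: List[Finding] = []
    for m in migrations:
        if m.target != "production":      # moves into test/staging are not in scope here
            continue
        if m.ticket is None or m.ticket not in by_ticket:
            findings.append((m.ticket, "UNLINKED"))       # no controlled request behind it
            continue
        r = by_ticket[m.ticket]
        if not r.approved:
            findings.append((m.ticket, "UNAPPROVED"))     # approval must precede migration
        if r.developer == r.approver:
            findings.append((m.ticket, "SOD_APPROVER"))   # slide 9: developer != approver
        if r.developer == m.migrated_by:
            findings.append((m.ticket, "SOD_MIGRATOR"))   # slide 9: developer != migrator
        if r.developer == r.tested_by:
            findings.append((m.ticket, "SOD_TESTER"))     # slide 15: tester == developer
    return findings


def check_monitor_independence(monitor: str, requests: List[ChangeRequest],
                               migrations: List[Migration]) -> List[str]:
    """Slide 10: whoever monitors must not also develop or migrate."""
    problems = []
    if any(r.developer == monitor for r in requests):
        problems.append("MONITOR_IS_DEVELOPER")
    if any(m.migrated_by == monitor for m in migrations):
        problems.append("MONITOR_IS_MIGRATOR")
    return problems


# Constructed sample data (not real tickets or people).
REQUESTS = [
    ChangeRequest("CR-101", "alice", "carol", "bob", True),    # clean
    ChangeRequest("CR-102", "bob", "bob", "bob", True),        # bob approved and tested his own code
    ChangeRequest("CR-103", "dave", "carol", "erin", False),   # not yet approved
]
MIGRATIONS = [
    Migration("CR-101", "frank", "production"),
    Migration("CR-102", "frank", "production"),
    Migration("CR-103", "dave", "production"),   # developer migrated his own, unapproved change
    Migration(None, "frank", "production"),      # migration with no change request at all
    Migration("CR-101", "alice", "test"),        # developer moving code into test is fine
]

if __name__ == "__main__":
    for ticket, code in evaluate(REQUESTS, MIGRATIONS):
        print(f"{ticket or '<no ticket>'}: {code}")
    print("monitor frank:", check_monitor_independence("frank", REQUESTS, MIGRATIONS))
    print("monitor grace:", check_monitor_independence("grace", REQUESTS, MIGRATIONS))
```

In practice the two input lists would come from the ticketing system and from the migration log of the deployment tool, and the report would be run by an account that has no development or migration rights, which is exactly what `check_monitor_independence` verifies before the findings are trusted.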

  11. Environment Segregation of Duties and Roles

  12. Migration Process Revisited – Source vs. Executable
  • Source code – program instructions usable by developers
  • Source code compiles into object code/executable
  • Compilation may occur in any environment
  • NOT all code must compile (e.g., ASP)

  13. Migration Process – Source vs. Executable Diagram

  14. Making Change When to Compile – Environments & Segregation of Duties

  15. Change Demonstration – Lessons Learned
  • How was timing of compiling significant?
  • What was the problem with the developer having access only to the source code in Test or Production?
  • What could be a problem if the unit tester and developer are the same individual?

  16. Source Code Escrow Agreement
  • A third party holder of source code
  • Provides source in the event software is no longer supported
  • Only required if source code is not available

  17. Types of Code Changes
  • Must confirm what code change processes exist for ALL change types
  • Example code change types:
    • Program Development/Acquisition – Projects
    • Program Code Change – Enhancement
    • Program Code Change – Bug Fix
    • Maintenance – Technical changes
    • Emergency Code Changes
    • Configuration/Parameter Code Changes

  18. Emergency Code Changes
  • Emergency code change procedures should still maintain some SOD
  • Full review and approvals post implementation

  19. Regression Testing
  • Testing of ‘unrelated’ functionality with test data
  • Required for larger enhancements or projects
  • Conducted in test or staging environment

  20. Scenario Game!! Find the Findings

  21. Scenario Game – Lessons Learned
  • What strategies seemed to identify the most controls/findings?
  • What made your scenario an effective/ineffective code change management environment?
  • What control(s) could have been added?

  22. Seven Habits of Highly Effective IT Organizations
  • A culture that embraces change management
  • Monitor, audit, and document all changes
  • Zero tolerance for unauthorized changes
  • Specific, defined consequences for unauthorized changes
  • Test all changes in a preproduction environment before implementing into production
  • Ensure preproduction environment matches production environment
  • Track and analyze change successes and failures to make future change decisions
