Part 5 - Evaluating Code Change Management Processes
Transcript of Part 5 - Evaluating Code Change Management Processes
![Page 1: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/1.jpg)
What is Code Change Management and why does it matter?
What are key code change controls and their relationship?
What are some common code change control gaps?
Part 5 - Evaluating Code Change Management Processes
![Page 2: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/2.jpg)
The goal of code change management is to provide a disciplined process for introducing required code changes into the IT environment securely and with minimal disruption to ongoing operations.
Purpose of Management of Code Change Review
![Page 3: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/3.jpg)
Development – Testing – Production environments should be separated
Staging environment for user acceptance testing
Code Change Environments
![Page 4: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/4.jpg)
Control migration between environments
Maintain segregation of duties
Code Environment Migrations
![Page 5: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/5.jpg)
Management of Code Changes’ Equation
![Page 6: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/6.jpg)
Request/System Development Methodology (SDM) – Initiated through a controlled request and/or SDM process
Tested – IT and/or functional users perform documented testing of functionality and stability
Approved – Functional and/or IT owners approve prior to being moved into production
Monitored – Systems and processes are monitored to confirm code changes follow the controlled process
Four Components of a Strong Code CM Process
![Page 7: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/7.jpg)
Prevention controls – Testing and Approval/Authorization
Detection controls – Monitoring
Efficiency controls - Request/SDM
Control Types: Prevention & Detection
![Page 8: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/8.jpg)
Segregation of Duties (SOD) – Separation of activities that prevent users from making inappropriate/unauthorized changes
Systematic and organizational
SOD required
Code Change Management - Segregation of Duties
![Page 9: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/9.jpg)
Prevention controls require SOD:
• Development access ≠ access to migrate to production (i.e., Change Coordinator)
• Development access ≠ code change approver
Segregation of Duties – Prevention Controls
![Page 10: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/10.jpg)
Detection (monitoring) controls SOD:
◦ Development/Migration ≠ Monitoring of code change
◦ Development/Migration ≠ access to the code change log or to enable/disable logging
Segregation of Duties – Detection Controls
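The prevention and detection SOD rules from the last two slides can be checked mechanically against change records. The following is an added illustration, not material from the slide deck: it assumes each change ticket records who developed, approved, migrated and monitored the change and who administers the change log, and it reports every user who holds two conflicting roles on the same ticket. The ticket IDs and user names are constructed.

```python
"""Segregation-of-duties check over change tickets (added illustration).

Constructed example, not from the slide deck. Each ticket records who
developed, approved, migrated and monitored a change, plus who holds
administrative rights over the change log. The rules are the ones the
slides state: development access must not equal migration or approval
access (prevention), and development/migration must not equal the
monitoring role or change-log administration (detection).
"""
from dataclasses import dataclass


@dataclass
class ChangeTicket:
    ticket_id: str
    developers: set
    approvers: set
    migrators: set          # e.g. the Change Coordinator
    monitors: set           # who reviews the change log
    log_admins: set         # who can read/enable/disable change logging


# Conflicting role pairs, labelled by the control type they belong to.
SOD_RULES = [
    ("prevention", "developers", "migrators"),
    ("prevention", "developers", "approvers"),
    ("detection", "developers", "monitors"),
    ("detection", "migrators", "monitors"),
    ("detection", "developers", "log_admins"),
    ("detection", "migrators", "log_admins"),
]


def sod_violations(ticket):
    """Return one finding per (rule, shared user) conflict on a ticket."""
    findings = []
    for control, role_a, role_b in SOD_RULES:
        overlap = getattr(ticket, role_a) & getattr(ticket, role_b)
        for user in sorted(overlap):
            findings.append({
                "ticket": ticket.ticket_id,
                "control": control,
                "conflict": f"{role_a} vs {role_b}",
                "user": user,
            })
    return findings


def review_tickets(tickets):
    """Aggregate findings across a batch of tickets."""
    out = []
    for t in tickets:
        out.extend(sod_violations(t))
    return out


# Constructed sample tickets (hypothetical users and IDs).
SAMPLE_TICKETS = [
    # clean: four distinct people across the roles
    ChangeTicket("CHG-1001", {"alice"}, {"bob"}, {"carol"}, {"dave"}, {"dave"}),
    # developer approves and migrates her own change (prevention gap)
    ChangeTicket("CHG-1002", {"alice"}, {"alice"}, {"alice"}, {"dave"}, {"dave"}),
    # migrator also monitors the log and can disable logging (detection gap)
    ChangeTicket("CHG-1003", {"alice"}, {"bob"}, {"carol"}, {"carol"}, {"carol"}),
]

if __name__ == "__main__":
    for finding in review_tickets(SAMPLE_TICKETS):
        print(finding)
```

Running it lists two prevention findings on CHG-1002 and two detection findings on CHG-1003; the clean ticket produces nothing. In practice the role sets would be pulled from the ticketing system and from access lists on the migration tooling and log store, not typed in by hand.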
![Page 11: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/11.jpg)
Environment Segregation of Duties and Roles
![Page 12: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/12.jpg)
Source code - program instructions usable by developers
Source code compiles into object code/executable
Compilation may occur in any environment
NOT all code must compile (e.g., ASP)
Migration Process Revisited – Source vs. Executable
![Page 13: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/13.jpg)
Migration Process – Source vs. Executable Diagram
![Page 14: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/14.jpg)
When to Compile – Environments & Segregation of Duties
Making Change
![Page 15: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/15.jpg)
How was timing of compiling significant?
What was the problem with the developer having access only to the source code in Test or Production?
What could be a problem if the unit tester and developer are the same individual?
Change Demonstration - Lessons Learned
![Page 16: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/16.jpg)
Source Code Escrow Agreement
A third party holder of source code
Provides source in the event software is no longer supported
Only required if source code not available
![Page 17: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/17.jpg)
Must confirm what code change processes exist for ALL change types
Example code change types:
• Program Development/Acquisition - Projects
• Program Code Change – Enhancement
• Program Code Change – Bug Fix
• Maintenance - Technical changes
• Emergency Code Changes
• Configuration/Parameter Code Changes
Types of Code Changes
![Page 18: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/18.jpg)
Emergency code change procedures should still maintain some SOD
Full review and approvals post implementation
Emergency Code Changes
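The "Monitored" component from the four-component slide and the post-implementation review rule for emergency changes come together in one detection control: reconciling what actually reached production against the approved change records. The block below is an added example, not from the slide deck. It assumes a production deployment log (timestamp, migrator, component, ticket reference) and a ticket register with a change type and an approval timestamp; the log lines, ticket IDs and the three-day post-implementation window are all constructed.

```python
"""Detection control: reconcile production deployments with approved changes.

Added illustration, not part of the slide deck. The deployment log and
ticket register below are constructed. Rules enforced follow the slides:
every production change must trace to an approved ticket, a normal change
must be approved before it is migrated, and an emergency change may go in
ahead of approval but must receive full post-implementation approval
within a grace period.
"""
from datetime import datetime, timedelta

GRACE = timedelta(days=3)   # assumed post-implementation review window

# Constructed deployment log: when, who, what was migrated, ticket ("-" = none).
DEPLOY_LOG = """\
2024-03-04T09:12:00 carol  payroll-api   CHG-2001
2024-03-05T18:40:00 carol  payroll-api   CHG-2002
2024-03-06T02:05:00 erin   web-portal    CHG-2003
2024-03-07T11:30:00 carol  payroll-api   -
"""

# Constructed ticket register keyed by ticket id.
TICKETS = {
    "CHG-2001": {"type": "enhancement", "approved_at": "2024-03-03T16:00:00"},
    "CHG-2002": {"type": "emergency",   "approved_at": "2024-03-06T10:00:00"},  # approved after the fact, in time
    "CHG-2003": {"type": "emergency",   "approved_at": None},                   # never got post-implementation approval
}


def parse_log(text):
    """Turn the whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, who, component, ticket = line.split()
        events.append({
            "at": datetime.fromisoformat(ts),
            "who": who,
            "component": component,
            "ticket": None if ticket == "-" else ticket,
        })
    return events


def reconcile(events, tickets, now):
    """Return a list of (ticket_or_None, component, finding) tuples."""
    findings = []
    for ev in events:
        tid = ev["ticket"]
        t = tickets.get(tid) if tid else None
        if t is None:
            # Production changed with no change record at all: unauthorized change.
            findings.append((tid, ev["component"], "no approved change record"))
            continue
        approved = t["approved_at"] and datetime.fromisoformat(t["approved_at"])
        if t["type"] != "emergency":
            # Normal changes: approval must precede migration to production.
            if not approved or approved > ev["at"]:
                findings.append((tid, ev["component"], "deployed before approval"))
        else:
            # Emergency changes: approval may follow, but only within the window.
            deadline = ev["at"] + GRACE
            if approved is None:
                if now > deadline:
                    findings.append((tid, ev["component"],
                                     "emergency change missing post-implementation approval"))
            elif approved > deadline:
                findings.append((tid, ev["component"], "post-implementation approval late"))
    return findings


def run_review(now_iso="2024-03-12T00:00:00"):
    """Run the reconciliation as of a given review date (ISO 8601 string)."""
    return reconcile(parse_log(DEPLOY_LOG), TICKETS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

Reviewed on 12 March, the sample produces two findings: the emergency change CHG-2003 never received its post-implementation approval, and the last payroll-api deployment has no change record at all. The same review run on 7 March reports only the second, because the emergency ticket is still inside its review window. For this control to mean anything, the deployment log must be written by the migration tooling and held where developers and migrators cannot edit it or switch it off, which is exactly the detection SOD rule from the earlier slide.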
![Page 19: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/19.jpg)
Testing of ‘unrelated’ functionality with test data
Required for larger enhancements or projects
Conducted in test or staging environment
Regression Testing
![Page 20: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/20.jpg)
Find the Findings
Scenario Game!!
![Page 21: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/21.jpg)
What strategies seemed to identify the most controls/findings?
What made your scenario an effective/ ineffective code change management environment?
What control(s) could have been added?
Scenario Game - Lessons Learned
![Page 22: Part 5 - Evaluating Code Change Management Processes](https://reader036.fdocuments.us/reader036/viewer/2022062309/568151c0550346895dbff469/html5/thumbnails/22.jpg)
1. A culture that embraces change management
2. Monitor, audit, and document all changes
3. Zero tolerance for unauthorized changes
4. Specific, defined consequences for unauthorized changes
5. Test all changes in a preproduction environment before implementing into production
6. Ensure preproduction environment matches production environment
7. Track and analyze change successes and failures to make future change decisions
Seven Habits of Highly Effective IT Organizations