What is Code Change Management and why does it matter? What are key code change controls and their relationship? What are some common code change control gaps? Part 5 - Evaluating Code Change Management Processes
The goal of code change management is to provide a disciplined process for introducing required code changes into the IT environment securely and with minimal disruption to ongoing operations. Purpose of Management of Code Change Review
Development – Testing – Production environments should be separated Staging environment for user acceptance testing Code Change Environments
Control migration between environments Maintain segregation of duties Code Environment Migrations
Management of Code Changes’ Equation
Request/System Development Methodology (SDM) –Initiated through a controlled request and/or SDM process Tested –IT and/or functional users perform documented testing of functionality and stability Approved – Functional and/or IT owners approve prior to being moved into production. Monitored – Systems and processes are monitored to confirm code changes follow the controlled process Four Components of a Strong Code CM Process
Prevention controls – Testing and Approval/Authorization Detection controls – Monitoring Efficiency controls - Request/SDM Control Types: Prevention & Detection
Segregation of Duties (SOD) – Separation of activities that prevent users from making inappropriate/unauthorized changes Systematic and organizational SOD required Code Change Management - Segregation of Duties
Prevention controls require SOD: Development access ≠ access to migrate to production (i.e., Change Coordinator) Development access ≠ code change approver Segregation of Duties – Prevention Controls
Detection (monitoring) controls SOD : Segregation of Duties – Detection Controls ◦ Development/Migration ≠ Monitoring of code change ◦ Development/Migration ≠ access to the code change log or to enable/disable logging
Environment Segregation of Duties and Roles
Source code - program instructions usable by developers Source code compiles into object code/executable Compilation may occur in any environment NOT all code must compile (e.g., asp) Migration Process Revisited – Source vs. Executable
Migration Process – Source vs. Executable Diagram
When to Compile – Environments & Segregation of Duties Making Change
How was timing of compiling significant? What was the problem with the developer having access only to the source code in Test or Production? What could be a problem if the unit tester and developer are the same individual? Change Demonstration - Lessons Learned
Source Code Escrow Agreement A third party holder of source code Provides source in the event software is no longer supported Only required if source code not available
Must confirm what code change processes exist for ALL change types Example code change types: Program Development/Acquisition - Projects Program Code Change – Enhancement Program Code Change – Bug Fix Maintenance - Technical changes Emergency Code Changes Configuration/Parameter Code Changes Types of Code Changes
Emergency code change procedures should still maintain some SOD Full review and approvals post implementation Emergency Code Changes
Testing of ‘unrelated’ functionality with test data Required for larger enhancements or projects Conducted in test or staging environment Regression Testing
Find the Findings Scenario Game!!
What strategies seemed to identify the most controls/findings? What made your scenario an effective/ ineffective code change management environment? What control(s) could have been added? Scenario Game - Lessons Learned
1. A culture that embraces change management 2. Monitor, audit, and document all changes 3. Zero tolerance for unauthorized changes 4. Specific, defined consequences for unauthorized changes 5. Test all changes in a preproduction environment before implementing into production 6. Ensure preproduction environment matches production environment 7. Track and analyze change successes and failures to make future change decisions Seven Habits of Highly Effective IT Organizations