Presentation is loading. Please wait.

Presentation is loading. Please wait.

 What is Code Change Management and why does it matter?  What are key code change controls and their relationship?  What are some common code change.

Published bySarah Bond Modified over 9 years ago

Similar presentations

Presentation on theme: " What is Code Change Management and why does it matter?  What are key code change controls and their relationship?  What are some common code change."— Presentation transcript:

1  What is Code Change Management and why does it matter?  What are key code change controls and their relationship?  What are some common code change control gaps? Part 5 - Evaluating Code Change Management Processes

2  The goal of code change management is to provide a disciplined process for introducing required code changes into the IT environment securely and with minimal disruption to ongoing operations. Purpose of Management of Code Change Review

3  Development – Testing – Production environments should be separated  Staging environment for user acceptance testing Code Change Environments

4  Control migration between environments  Maintain segregation of duties Code Environment Migrations

5 Management of Code Changes’ Equation

6  Request/System Development Methodology (SDM) –Initiated through a controlled request and/or SDM process  Tested –IT and/or functional users perform documented testing of functionality and stability  Approved – Functional and/or IT owners approve prior to being moved into production.  Monitored – Systems and processes are monitored to confirm code changes follow the controlled process Four Components of a Strong Code CM Process

7  Prevention controls – Testing and Approval/Authorization  Detection controls – Monitoring  Efficiency controls - Request/SDM Control Types: Prevention & Detection

8  Segregation of Duties (SOD) – Separation of activities that prevent users from making inappropriate/unauthorized changes  Systematic and organizational SOD required Code Change Management - Segregation of Duties

9  Prevention controls require SOD: Development access ≠ access to migrate to production (i.e., Change Coordinator) Development access ≠ code change approver Segregation of Duties – Prevention Controls

10  Detection (monitoring) controls SOD : Segregation of Duties – Detection Controls ◦ Development/Migration ≠ Monitoring of code change ◦ Development/Migration ≠ access to the code change log or to enable/disable logging

11 Environment Segregation of Duties and Roles

12  Source code - program instructions usable by developers  Source code compiles into object code/executable  Compilation may occur in any environment  NOT all code must compile (e.g., asp) Migration Process Revisited – Source vs. Executable

13 Migration Process – Source vs. Executable Diagram

14 When to Compile – Environments & Segregation of Duties Making Change

15  How was timing of compiling significant?  What was the problem with the developer having access only to the source code in Test or Production?  What could be a problem if the unit tester and developer are the same individual? Change Demonstration - Lessons Learned

16 Source Code Escrow Agreement  A third party holder of source code  Provides source in the event software is no longer supported  Only required if source code not available

17  Must confirm what code change processes exist for ALL change types  Example code change types: Program Development/Acquisition - Projects Program Code Change – Enhancement Program Code Change – Bug Fix Maintenance - Technical changes Emergency Code Changes Configuration/Parameter Code Changes Types of Code Changes

18  Emergency code change procedures should still maintain some SOD  Full review and approvals post implementation Emergency Code Changes

19  Testing of ‘unrelated’ functionality with test data  Required for larger enhancements or projects  Conducted in test or staging environment Regression Testing

20 Find the Findings Scenario Game!!

21  What strategies seemed to identify the most controls/findings?  What made your scenario an effective/ ineffective code change management environment?  What control(s) could have been added? Scenario Game - Lessons Learned

22 1. A culture that embraces change management 2. Monitor, audit, and document all changes 3. Zero tolerance for unauthorized changes 4. Specific, defined consequences for unauthorized changes 5. Test all changes in a preproduction environment before implementing into production 6. Ensure preproduction environment matches production environment 7. Track and analyze change successes and failures to make future change decisions Seven Habits of Highly Effective IT Organizations

Download ppt " What is Code Change Management and why does it matter?  What are key code change controls and their relationship?  What are some common code change."

Similar presentations

Course Material Overview of Process Safety Compliance with Standards

Course Material Overview of Process Safety Compliance with Standards
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
ITIL: Service Transition

ITIL: Service Transition
Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.

Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Managing Project Risk.

Managing Project Risk.
Pertemuan 17-18 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Purpose of the Standards

Purpose of the Standards
Session 3 – Information Security Policies

Session 3 – Information Security Policies
BRIEFING TO THE PORTFOLIO COMMITTEE ON THE DPSA’S RISK MANAGEMENT STRATEGY PRESENTATION TO THE PORTFOLIO COMMITTEE 12 MAY 2010 1.

BRIEFING TO THE PORTFOLIO COMMITTEE ON THE DPSA’S RISK MANAGEMENT STRATEGY PRESENTATION TO THE PORTFOLIO COMMITTEE 12 MAY
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
Introduction to Computer Technology

Introduction to Computer Technology
Workshop Summary ISPS Drills & Exercises Workshop Port Moresby 2006.

Workshop Summary ISPS Drills & Exercises Workshop Port Moresby 2006.
1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.

1 LOGICAL ACCESS FOR University Medical Group Saint Louis University Click the Speaker Icon for Audio.
What is Business Analysis Planning & Monitoring?

What is Business Analysis Planning & Monitoring?
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
“Here’s why you need the new wheels, too…” Shawn and Steve Image from

“Here’s why you need the new wheels, too…” Shawn and Steve Image from
The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.

The Key Process Areas for Level 2: Repeatable Ralph Covington David Wang.

Similar presentations

Ads by Google