
Part 5 - Evaluating Code Change Management Processes


Part 5 - Evaluating Code Change Management Processes. What is Code Change Management and why does it matter? What are key code change controls and their relationship? What are some common code change control gaps?. Purpose of Management of Code Change Review. - PowerPoint PPT Presentation


Page 1: Part 5 - Evaluating Code Change Management Processes

Part 5 - Evaluating Code Change Management Processes

What is Code Change Management and why does it matter?

What are key code change controls and their relationship?

What are some common code change control gaps?

Page 2: Part 5 - Evaluating Code Change Management Processes

Purpose of Management of Code Change Review

The goal of code change management is to provide a disciplined process for introducing required code changes into the IT environment securely and with minimal disruption to ongoing operations.

Page 3: Part 5 - Evaluating Code Change Management Processes

Code Change Environments

• Development – Testing – Production environments should be separated

• Staging environment for user acceptance testing

Page 4: Part 5 - Evaluating Code Change Management Processes

Code Environment Migrations

• Control migration between environments

• Maintain segregation of duties

Page 5: Part 5 - Evaluating Code Change Management Processes

Management of Code Changes’ Equation

Page 6: Part 5 - Evaluating Code Change Management Processes

Four Components of a Strong Code CM Process

• Request/System Development Methodology (SDM) – Initiated through a controlled request and/or SDM process

• Tested – IT and/or functional users perform documented testing of functionality and stability

• Approved – Functional and/or IT owners approve prior to being moved into production

• Monitored – Systems and processes are monitored to confirm code changes follow the controlled process

Page 7: Part 5 - Evaluating Code Change Management Processes

Control Types: Prevention & Detection

• Prevention controls – Testing and Approval/Authorization

• Detection controls – Monitoring

• Efficiency controls – Request/SDM

Page 8: Part 5 - Evaluating Code Change Management Processes

Code Change Management – Segregation of Duties

• Segregation of Duties (SOD) – Separation of activities that prevents users from making inappropriate/unauthorized changes

• Systematic and organizational

• SOD required

Page 9: Part 5 - Evaluating Code Change Management Processes

Segregation of Duties – Prevention Controls

Prevention controls require SOD:

• Development access ≠ access to migrate to production (i.e., Change Coordinator)

• Development access ≠ code change approver

Page 10: Part 5 - Evaluating Code Change Management Processes

Segregation of Duties – Detection Controls

Detection (monitoring) controls SOD:

• Development/Migration ≠ Monitoring of code change

• Development/Migration ≠ access to the code change log or to enable/disable logging
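As an added example (not part of the original slides), the Python script below turns the SOD rules from the prevention-control and detection-control slides, together with the request/tested/approved components from the "Four Components" slide, into an audit check: it flags any account that holds two roles the slides say must be separated, and flags change records where the developer also tested, approved or migrated the change, or where a request or approval is missing. Every user name, role name, request ID and change ID is constructed for illustration; the role vocabulary (developer, migrator, approver, monitor, log_admin) is an assumption, not a standard.

```python
from dataclasses import dataclass
from typing import Optional

# Role pairs the slides say one person must not hold at the same time.
SOD_CONFLICTS = {
    ("developer", "migrator"),   # development access != access to migrate to production
    ("developer", "approver"),   # development access != code change approver
    ("developer", "monitor"),    # development/migration != monitoring of code changes
    ("migrator", "monitor"),
    ("developer", "log_admin"),  # development/migration != change-log access / logging switches
    ("migrator", "log_admin"),
}

# Constructed sample (hypothetical users): roles each account holds on the production system.
ROLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"migrator", "approver"},
    "carol": {"developer", "migrator"},   # conflicts with the prevention-control rule
    "dave": {"monitor", "log_admin"},
    "erin": {"developer", "log_admin"},   # conflicts with the detection-control rule
}


def role_conflicts(assignments):
    """Return (user, role_a, role_b) for every conflicting role pair a single user holds."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b in sorted(SOD_CONFLICTS):
            if a in roles and b in roles:
                findings.append((user, a, b))
    return findings


@dataclass
class ChangeRecord:
    """One entry from a (constructed) change log."""
    change_id: str
    developer: str
    request_id: Optional[str]   # Request/SDM component
    tested_by: Optional[str]    # Tested component
    approved_by: Optional[str]  # Approved component
    migrated_by: Optional[str]  # who moved the change into production
    emergency: bool = False     # emergency changes are approved after implementation


def audit_change(rec):
    """Check a change record for the request/tested/approved components and for SOD
    between the developer and the people who tested, approved and migrated the change."""
    issues = []
    if not rec.request_id:
        issues.append("no controlled request/SDM reference")
    if not rec.tested_by:
        issues.append("no documented testing")
    elif rec.tested_by == rec.developer:
        issues.append("developer tested own change")
    if not rec.approved_by:
        # Emergency changes still need full review and approval, just after the fact.
        issues.append("post-implementation approval still pending" if rec.emergency
                      else "no approval before migration")
    elif rec.approved_by == rec.developer:
        issues.append("developer approved own change")
    if rec.migrated_by and rec.migrated_by == rec.developer:
        issues.append("developer migrated own change to production")
    return issues


# Constructed sample change log (hypothetical IDs and names).
CHANGE_LOG = [
    ChangeRecord("CHG-1001", "alice", "REQ-41", "bob", "bob", "bob"),
    ChangeRecord("CHG-1002", "carol", "REQ-42", "carol", "carol", "carol"),
    ChangeRecord("CHG-1003", "alice", None, "bob", None, "bob", emergency=True),
]


def audit_all(change_log):
    """Map each change ID to the list of issues found for that record."""
    return {rec.change_id: audit_change(rec) for rec in change_log}


if __name__ == "__main__":
    for user, a, b in role_conflicts(ROLE_ASSIGNMENTS):
        print(f"SOD conflict: {user} holds both {a} and {b}")
    for change_id, issues in audit_all(CHANGE_LOG).items():
        print(change_id, "OK" if not issues else "; ".join(issues))
```

In practice the role assignments would come from the production system's access list and the change log from the ticketing or deployment tool; the check above is the audit logic only. Note that the emergency record is reported as "approval still pending" rather than as a failed control, matching the slide that allows emergency changes to be reviewed and approved after implementation.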

Page 11: Part 5 - Evaluating Code Change Management Processes

Environment Segregation of Duties and Roles

Page 12: Part 5 - Evaluating Code Change Management Processes

Migration Process Revisited – Source vs. Executable

• Source code – program instructions usable by developers

• Source code compiles into object code/executable

• Compilation may occur in any environment

• NOT all code must compile (e.g., ASP)

Page 13: Part 5 - Evaluating Code Change Management Processes

Migration Process – Source vs. Executable Diagram

Page 14: Part 5 - Evaluating Code Change Management Processes

When to Compile – Environments & Segregation of Duties

Making Change

Page 15: Part 5 - Evaluating Code Change Management Processes

Change Demonstration - Lessons Learned

How was timing of compiling significant?

What was the problem with the developer having access only to the source code in Test or Production?

What could be a problem if the unit tester and developer are the same individual?

Page 16: Part 5 - Evaluating Code Change Management Processes

Source Code Escrow Agreement

• A third party holder of source code

• Provides source in the event software is no longer supported

• Only required if source code not available

Page 17: Part 5 - Evaluating Code Change Management Processes

Types of Code Changes

Must confirm what code change processes exist for ALL change types

Example code change types:

• Program Development/Acquisition – Projects

• Program Code Change – Enhancement

• Program Code Change – Bug Fix

• Maintenance – Technical changes

• Emergency Code Changes

• Configuration/Parameter Code Changes

Page 18: Part 5 - Evaluating Code Change Management Processes

Emergency Code Changes

• Emergency code change procedures should still maintain some SOD

• Full review and approvals post implementation

Page 19: Part 5 - Evaluating Code Change Management Processes

Regression Testing

• Testing of ‘unrelated’ functionality with test data

• Required for larger enhancements or projects

• Conducted in test or staging environment

Page 20: Part 5 - Evaluating Code Change Management Processes

Find the Findings

Scenario Game!!

Page 21: Part 5 - Evaluating Code Change Management Processes

Scenario Game - Lessons Learned

What strategies seemed to identify the most controls/findings?

What made your scenario an effective/ineffective code change management environment?

What control(s) could have been added?

Page 22: Part 5 - Evaluating Code Change Management Processes

Seven Habits of Highly Effective IT Organizations

1. A culture that embraces change management

2. Monitor, audit, and document all changes

3. Zero tolerance for unauthorized changes

4. Specific, defined consequences for unauthorized changes

5. Test all changes in a preproduction environment before implementing into production

6. Ensure preproduction environment matches production environment

7. Track and analyze change successes and failures to make future change decisions