Establishing IT governance and compliance practices is essential for organizations that have regulatory or audit requirements. The good news is that you can be agile and still comply with Sarbanes-Oxley, CFR 21, HIPAA, and other regulatory imperatives. Done well, IT controls actually help you improve both productivity and quality. Bob Aiello describes how to implement IT controls in frameworks such as ISACA Cobit and ITIL v3, which many regulatory regimes require, while maintaining agile practices. Bob's guidance includes specific examples of establishing IT controls: separation of duties, work-item to change-set traceability, physical and functional configuration audits, and more. Bob explains how these practices help government, defense, and corporations scale agile practices where audit and regulatory compliance is a must. In fact, Bob attests that a disciplined approach to agile can improve the productivity and quality of almost all agile development efforts.
AW6 Concurrent Session 11/7/2012 2:15 PM
"IT Governance and Compliance in an Agile World"
Presented by:
Bob Aiello CM Best Practices Consulting
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073 888‐268‐8770 ∙ 904‐278‐0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
Bob Aiello CM Best Practices Consulting
Bob Aiello is a consultant, editor-in-chief of CM Crossroads, and author of Configuration Management Best Practices: Practical Methods that Work in the Real World. He is a consultant and software engineer specializing in software process improvement, including software configuration and release management. He has more than twenty-five years of experience as a technical manager at top New York City financial services firms, where he held company-wide responsibility for configuration management. He is vice chair of the IEEE 828 Standards Working Group on CM Planning and a member of the IEEE Software and Systems Engineering Standards Committee (S2ESC) Management Board. Contact Bob at Bob.Aiello@ieee.org, via LinkedIn, or visit cmbestpractices.com.
IT Governance and Compliance in an Agile World
Bob Aiello, Principal Consultant and Author of Configuration Management Best Practices: Practical Methods that Work in the Real World
http://www.linkedin.com/in/BobAiello
http://cmbestpractices.com
CM Best Practices Consulting © 2012
Who am I?
• CM Lead & Consultant for over 25 years
• Editor-in-Chief at CM Crossroads
• Author of CM Best Practices
• IEEE Management Board
• Tools and process agnostic
• The guy the auditors call on!
November 7, 2012 http://cmbestpractices.com © 2012
Books, Articles & Webcasts
• Mike Hüttermann – Agile ALM
• Mario Moreira – Adapting Configuration Management for Agile Teams
• Agile Journal
• Developerworks
• CM Journal
• ALM Journal
• ITSM Portal
Published on Audit for Agile
Adapting Configuration Management for Agile Teams: Balancing Sustainability and Speed by Mario Moreira
"CM that is adapted to suit the continuous nature of change that Agile provides without sacrificing the values of CM."
Agile Configuration Management
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
Agile World
• Focus on individuals and interactions
• Working software
• Customer collaboration
• Welcome change even late in the process
• Rapid iterative development
Agile Works!
• Avoid documenting requirements we do not (yet) understand
• Managing risk
• Decisions at last responsible moment
• Honesty regarding what we know
Test Cases at the NYSE
• POS Displaybook used by the Specialist
• Challenged the user rep to write test cases
• The first hour we determined that "what we have asked for is not what we want"
• Examining milestone releases while writing test cases is essential!
Agile Misconceptions
• Coding without requirements
• Lack of processes & tools
• Lack of documentation
• No contracts
• No plans
Goals of Agile CM
• Rapidly build, package and deploy
• Reliable and repeatable process
• Traceability and forensics
• Emergence of DevOps
Characteristics of Agile CM
• Customer-centric (which one?)
• Rapid iterative development
• Pragmatic approach to requirements
• Support for testing
• Collaborative communication
• Role in the SCRUM
Knight Capital
• August 1st outage
• Erroneously purchased 7 billion dollars of stock
• Loss of 440 million dollars
• Old software that was left on the system
• Lack of DevOps
Batman and Superheroes
• Lucius Fox warns Batman about a possible malfunction in the autopilot for the "Bat"
• Batman's own life depends upon the autopilot
• Patch was documented by Bruce Wayne
SEC Investigation
• Lack of controls
• Proper testing & process
• Impact to shareholders
• Impact to market
Banks
• Compliance with SOX
• Office of the Currency – Treasury
• FFIEC – Federal Financial Institutions Council
And government agencies…
GAO
• FDIC cited
• Numerous government agencies cited
• Lack of controls
• Failing internal audit
Agile Focus
• Productivity
• Quality
• Did we mention working software?
• Agile testing
Deming – Build Quality In
• Verification – meeting requirements
• Validation – are the requirements correct?
• Agility helps us build quality in from the beginning
• Test cases and scripts are valuable artifacts
IT Governance
• IT Governance needs to be in alignment with corporate governance
• Provides transparency
• Helps senior management make the right decisions
• Educate your boss!
ISACA Board Briefing on ITG
Fundamentally, IT governance is concerned about two things:
• IT's delivery of value to the business
• Mitigation of IT risks
Source: www.isaca.org
Compliance
• Usually to regulatory requirements
• Interpreted based upon frameworks such as Cobit
• Financial reports need to be accurate
Examples
• Separation of controls
• Steps are logged – including results
• Traceable to the Change Request
• Security measures to prevent unauthorized changes
• Audit in place for intrusion detection
What Are the Regs?
• Section 404 of the Sarbanes-Oxley Act of 2002
• HIPAA and CFR 21
• SSAE 16 (formerly SAS 70)
• Audit requirements
What is Agile Process Maturity?
• Adherence to the principles (purity)
• Scalability (Scrum of Scrums)
• Transparency and traceability
• Coexistence with Non-Agile
• Consider the items on the right
Agile Process Maturity
• Repeatable process
• Tools matter
• Adequate documentation
• Contracts required
• Gotta have a plan
Emergence of DevOps
• Agile Systems Administration
• Critical with rapid iterative development
• Development is not taking over Ops
• Synergy of development and Ops
Moving Upstream
• Developing automated build, package and deployment early in the process
• Starting in development
• Developing the automation is a project itself
• Using Agile principles
Virtual Build Engineer
• Separate Build Engineer Account
• Completely automated
• Provides traceability
• Logging and reporting
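The controls on the "Examples" slide (separation of controls, steps logged with their results, traceability to the change request) and the traceability and logging that a separate build-engineer account is meant to provide can be checked mechanically before a release is cut. The script below is an added example, not the presenter's code or any tool he mentions: the change-request ids, commit ids and names are constructed sample data, and the commit-message convention (a "CR-nnnn" reference) is an assumption.

```python
"""Change-set to work-item traceability check with separation of duties and a
step log. Added illustration of the controls on the 'Examples' and 'Virtual
Build Engineer' slides; not the presenter's code. All data below is constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample change requests: id -> approver and workflow state.
CHANGE_REQUESTS = {
    "CR-1001": {"approver": "alice", "state": "approved"},
    "CR-1002": {"approver": "bob",   "state": "approved"},
    "CR-1003": {"approver": "carol", "state": "draft"},
}

# Constructed sample change sets: (commit id, author, commit message).
COMMITS = [
    ("a1b2c3", "dave",  "CR-1001: fix rounding in settlement report"),
    ("d4e5f6", "bob",   "CR-1002: add audit trail to order router"),
    ("0f9e8d", "erin",  "quick hotfix, no ticket"),
    ("7c6b5a", "frank", "CR-1003: new pricing module"),
    ("99aa11", "grace", "CR-9999: cleanup"),
]

# Assumed convention: a commit message references its change request as CR-<digits>.
CR_PATTERN = re.compile(r"\b(CR-\d+)\b")


@dataclass
class AuditResult:
    log: list = field(default_factory=list)         # every step with its outcome
    violations: list = field(default_factory=list)  # failed steps only

    def step(self, commit, check, ok, detail=""):
        # Control: every step is logged, including its result.
        self.log.append((commit, check, "PASS" if ok else "FAIL", detail))
        if not ok:
            self.violations.append((commit, check, detail))
        return ok


def audit_change_sets(commits, change_requests):
    """Run the three controls over every change set and return the AuditResult."""
    result = AuditResult()
    for commit_id, author, message in commits:
        m = CR_PATTERN.search(message)
        # Control: traceable to the change request.
        if not result.step(commit_id, "traceable", m is not None, "no CR id in message"):
            continue
        cr_id = m.group(1)
        cr = change_requests.get(cr_id)
        if not result.step(commit_id, "cr-exists", cr is not None, cr_id):
            continue
        result.step(commit_id, "cr-approved", cr["state"] == "approved",
                    f"{cr_id} is {cr['state']}")
        # Control: separation of duties; the author of a change may not be its approver.
        result.step(commit_id, "separation-of-duties", cr["approver"] != author,
                    f"{author} both authored and approved {cr_id}")
    return result


def releasable(commits=COMMITS, change_requests=CHANGE_REQUESTS):
    """A build is releasable only when no control failed."""
    return len(audit_change_sets(commits, change_requests).violations) == 0


if __name__ == "__main__":
    r = audit_change_sets(COMMITS, CHANGE_REQUESTS)
    for entry in r.log:
        print("%s  %-22s %s  %s" % entry)
    print("releasable:", not r.violations)
```

The log is the audit evidence: an auditor can see every step that ran and how it came out, not just the final verdict. In the sample data one commit has no change-request reference, one cites a request that does not exist, one cites a request still in draft, and one was authored by its own approver, so the build is not releasable.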
Agile Views
What are some of the views of others in the Agile Community?
Agile Release Train (ART)
"Making each product a successful and routine event – an event that is indeed planned and eagerly anticipated, yet one that happens almost on autopilot"
Dean Leffingwell's Agile Software Requirements, p. 299
Deployment Pipeline
"A deployment pipeline is … an automated implementation of your application's build, deploy, test and release process"
Jez Humble and David Farley's Continuous Delivery, p. 3
Aim of the Pipeline
• Makes building, deploying, testing and releasing software visible to everyone involved
• Improves feedback so that problems are identified, and so resolved, as early in the process as possible
• Enables teams to deploy and release any version of their software to any environment at will through a fully automated process (p. 4)
Antipatterns
• Deploying Software Manually
• Deploying to Production-like environment only after Development is complete
• Manual Configuration of Production Environments
Continuous Deployment, p. 7 – 10
Devops
• Synergy of Agile & ITIL
• Full lifecycle approach
• Good communication to all stakeholders
• Break down barriers
• Don't forget separation of roles
Dev/QA Focus
• Development
• QA & Testing
• Operations
• Self-Managing/Organizing Teams
Sox Compliance
• Section 404 of the Sarbanes-Oxley Act of 2002
• Using ISACA Cobit 4.1
• 34 high level IT controls
• PCI compliance
• SSAE 16 (formerly SAS-70)
ISO 9001
• Establishes the quality management system (QMS)
• ISO 90003 is the software standard in the 9000 family of standards
• Uses ISO 12207 (or 15288) to specify lifecycle processes
• ISO 10007 for CM
• IEEE 828, EIA 649-B, Mil Std coming!
Which Standards?
• IEEE 828 – CM Planning
• EIA 649-A – Non-compliance
• ISO 90003 to support QMS
• Full lifecycle ISO 12207
Tailor!
Moving Upstream
• Dev to CM to QA to Ops
• Cross-functional focus
• Speed up development
• Build a great deployment architecture
• Give it to Devs as a service!
Frameworks
• ITIL v3 including CMDBs, federated CMDBs, CMS, DML…
• Cobit for SOX
• CMMI ->>>> Agile
Configuration Management
• Configuration Identification
• Status Accounting
• Change Control
• Configuration Audit
Tracking and Controlling Changes to Configuration Items
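A configuration audit in the CM sense above compares what is actually installed against the approved baseline; the "old software that was left on the system" in the Knight Capital slide is exactly what a physical configuration audit is meant to catch. The script below is an added example, not the presenter's or any vendor's code: it builds a manifest of SHA-256 hashes from a release directory and reports files that are missing, modified, or present on the server but in no approved release. The directory layout and file contents are constructed in a temporary directory so the example runs offline.

```python
"""Physical configuration audit: compare the deployed tree against the release
baseline and report drift. Added illustration for the 'Configuration Audit' item
and the Knight Capital slide; not the presenter's code. The release and server
trees below are constructed sample data in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline record: relative path -> sha256 for every file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def configuration_audit(baseline: dict, deployed_root: Path) -> dict:
    """Return {'missing': [...], 'modified': [...], 'unexpected': [...]}.
    'unexpected' is the Knight Capital failure mode: files on the server
    that belong to no approved release."""
    actual = build_manifest(deployed_root)
    return {
        "missing":    sorted(p for p in baseline if p not in actual),
        "modified":   sorted(p for p in baseline if p in actual and actual[p] != baseline[p]),
        "unexpected": sorted(p for p in actual if p not in baseline),
    }


def _write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo() -> dict:
    """Constructed scenario: a two-file release deployed with one config file
    edited by hand on the server and one stale binary left over from an
    earlier release."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp) / "release"
        server = Path(tmp) / "server"
        # What the approved release package contains (constructed).
        _write(release, "bin/router", "router v2")
        _write(release, "etc/router.conf", "max_orders=1000")
        baseline = build_manifest(release)
        # What is actually on the server (constructed).
        _write(server, "bin/router", "router v2")
        _write(server, "etc/router.conf", "max_orders=999999")  # hand-edited on the box
        _write(server, "bin/router_v1", "retired code")          # never removed
        return configuration_audit(baseline, server)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>10}: {paths}")
```

The manifest is taken from the release package itself, so the baseline is the artifact the change request approved, not a hand-maintained list; stored alongside the package it also gives the forensic record the "Traceability and forensics" goal asks for.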
Your Agile Process
• Should be Lean
• Processes need to be reviewed
• Tailor down or tailor up
• More collaboration and consensus building
• Use standards and frameworks
Assessment
• First step is to assess current practices – "As-Is"
• Compare to industry standards and frameworks
• Determine "To-Be"
• Create a plan for improving your CM processes
Plan for Improvement
• Improve training and use case for source code management
• Improve build automation
• Set up or improve continuous integration
• Automate package and deployment
• Create procedures for configuration audit