Establishing IT Controls for Consistent, Efficient Delivery

Summary:

Many high-security institutions have guidelines that must be followed in order to comply with industry regulatory requirements. But these best practices can help any company avoid costly mistakes while enabling teams to work faster and more effectively. This article tells you how to get started establishing your own practical and reliable IT controls.

Technology professionals are basking in the success and overwhelming adoption of industry best practices, including continuous integration, continuous delivery, and continuous deployment. But DevOps professionals know configuration management best practices are a required first step for any successful application deployment effort.

If you work in a large bank or other financial services institution, then you probably also know there are guidelines that must be followed in order to comply with industry regulatory requirements. This is also true for medical or pharmaceutical fields, engineering firms, and defense contractors. Many of these best practices help to avoid costly mistakes while enabling your team to work faster and more effectively.

This article will tell you how to get started with establishing your own practical and reliable IT controls.

Agile development and DevOps help accelerate your application delivery lifecycle. Too often, the team is able to deliver code faster but fails to control their speed, only to crash and burn due to costly mistakes.

One of the most important IT controls is for a separation of duties, which commonly requires that the person writing the code is different from the person delivering the code to production. Rather than just being a nuisance, these regulatory requirements actually help your team avoid mistakes and effectively deliver faster. In many companies, the developers are required to hand over their code to operations for deployment. This step allows operations engineers to capture and specify the automation procedures so that deployment becomes a repeatable process. Developers often manage to automate their build, package, and deployment to development test environments using continuous integration servers such as Jenkins or Bamboo. But the more important goal is to have a reliable and repeatable process for deployment to user acceptance testing and production.

The handoff from development to operations can be a great opportunity for sharing knowledge and ensuring that the deployment process is fully understood and completely reliable.

Another essential IT control is independently compiling the source code into binary executables. This task is usually performed by the build engineer, who also ensures that the code has been checked into the version control system and labeled so that the baseline going to production is both identifiable and traceable.

When I play this role, I often find that the build fails the first time I try because it is almost inevitable that the developers have forgotten to check in all their code and fully communicate all the steps required for the build. Invariably, the developer shrugs and suddenly recalls that he had a library on his C: drive hiding in his own home directory.

When development hands off their code to the operations build engineering team, these dependencies are identified and documented by the build engineers. This step ensures that the company has all its essential assets identified and safeguarded. The build engineering team also has the job of ensuring that each component that is built contains a unique and immutable version ID, allowing the operations engineers to verify that the correct components have actually been deployed. This procedure is known as a physical configuration audit and is also a basic regulatory requirement.
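One way to carry out the physical configuration audit described above, as an added example that is not from the original article: the build engineer records an immutable version ID and a SHA-256 digest per built component, and operations later compares the deployed files against that record. The component names, version string and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(build_dir, version_id, components):
    """Build engineer's record: immutable version ID plus one digest per built component."""
    build_dir = Path(build_dir)
    return {"version_id": version_id,
            "components": {c: sha256_file(build_dir / c) for c in components}}

def audit_deployment(manifest, deploy_dir):
    """Physical configuration audit: compare what is deployed with what was built.
    Reports components that are missing, modified since the build, or not in the manifest."""
    deploy_dir = Path(deploy_dir)
    findings = {"missing": [], "modified": [], "unexpected": []}
    for name, digest in manifest["components"].items():
        target = deploy_dir / name
        if not target.is_file():
            findings["missing"].append(name)
        elif sha256_file(target) != digest:
            findings["modified"].append(name)
    for p in deploy_dir.rglob("*"):
        rel = p.relative_to(deploy_dir).as_posix()
        if p.is_file() and rel not in manifest["components"]:
            findings["unexpected"].append(rel)
    return findings

def demo():
    """Constructed scenario: build three components, then deploy one intact, one hand-edited,
    omit one, and add a stray file. Returns the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build, deploy = Path(tmp, "build"), Path(tmp, "deploy")
        build.mkdir()
        deploy.mkdir()
        (build / "app.jar").write_bytes(b"release build")
        (build / "config.yml").write_bytes(b"db: prod\n")
        (build / "cron.sh").write_bytes(b"#!/bin/sh\n")
        manifest = build_manifest(build, "release-2.4.1+b117", ["app.jar", "config.yml", "cron.sh"])
        (deploy / "app.jar").write_bytes(b"release build")                 # deployed as built
        (deploy / "config.yml").write_bytes(b"db: prod\ndebug: true\n")   # edited on the box
        (deploy / "hotfix.jar").write_bytes(b"undocumented")               # not in the manifest
        return audit_deployment(manifest, deploy)
```

In practice the manifest would be signed and stored with the release record so the audit compares against a baseline that operations cannot silently change.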

Traceability is another common regulatory requirement. In many industries, every atomic change set in the version control system must be automatically associated with a work item that explains the purpose of the change.

Several areas of the delivery lifecycle require traceability, from the change control function to workflow automation. Mistakes can happen, but regulatory authorities want to know that you have complete records that show exactly what occurred. These records should also verify that only authorized accounts were used with the appropriate level of access.

Too many companies allow developers to bypass these rules, which creates an unacceptable level of risk to the firm. While often talented, developers are rarely focused on keeping track of what they did to upgrade software or fix a problem. When companies fail to implement appropriate IT controls, developers can make changes that are not understood by the rest of the team. When these developers, often freelance consultants, move on to the next project, there is a lack of documentation and, more importantly, a lack of expertise left behind with the operations staff who are responsible for ensuring that systems are reliable and can be fully maintained.

When your team has the appropriate IT controls, you can pass your audit and accelerate your delivery while avoiding costly mistakes. High-performance teams strive to establish effective IT controls while enjoying the benefits of continuous integration, delivery, and deployment.
