Making Compliance Work for You

Transcription

1 white paper Making Compliance Work for You with application lifecycle management Rocket bluezone.rocketsoftware.com

2 Making Compliance Work for You with Application Lifecycle Management A White Paper by Rocket Software Version 2. 0 Revised March 2012 Rocket Aldon Application Lifecycle Management s formal, automated services and application development processes improve quality and delivery, reduce costs, and ensure compliance. By installing a regimen of internal controls over IT, today s savvy businesses are using compliance as an opportunity to significantly improve productivity and quality and go after that holy grail of true business-it integration. This white paper examines how corporations can align business initiatives and increase ROI through IT compliance Rocket Software, Inc.. All rights reserved. Rocket and Rocket Software logos are registered trademarks of Rocket Software, Inc. Other product and service names might be trademarks of Rocket Software or other companies LSIDSV1

3 introduction In addition to the traditional challenge of remaining competitive, today s organizations must also contend with growing regulatory requirements just to remain in business. Fortunately, while achieving regulatory compliance is challenging, doing so can offer significant and unexpected rewards for the enterprise. Mastering compliance gives companies a springboard to a myriad of process improvements that can directly and positively impact a company s bottom line. In this white paper, we examine regulatory compliance requirements, their effects on IT and the business, and how Application Lifecycle Management (ALM) can not only simplify the task, but can also turn those compliance efforts into a powerful business advantage. what s all the uproar about compliance? The demand for IT governance is a direct result of numerous legislative initiatives that were signed into law in reaction to financial and other business crises. The resulting mandates typically require companies to examine and prove their ability to accurately audit practices in numerous operational areas of their business. In this environment, IT s classic mode of frenetic chaos was untenable. Since most changes must be reflected in IT systems, IT became an obvious point to monitor. It quickly became evident that IT needed more structured management and control. 1

4 Companies can be forgiven for believing compliance is a millstone around their necks. From Sarbanes-Oxley (SOX) for publicly traded companies, Basel II in the banking industry, FSA regulations and PCI Compliance in financial services and retail, and 21 CFR Part 11 and HIPAA in pharmaceutical and healthcare, sorting out reporting requirements can be overwhelming and confusing. To further complicate matters, many organizations are tasked with ensuring their efforts meet not only one, but multiple mandates. For example, a United Statesbased financial services firm might need to comply with requirements from Gramm- Leach-Bliley (GLBA), Sarbanes-Oxley (SOX), and various U. S. Securities and Exchange Commission (SEC) regulations. But what is really being asked? Thankfully, the regulatory bodies share many requirements. For example, one overarching recommendation common to all of the mandates is that organizations implement documented and repeatable business processes and that those processes introduce appropriate controls to prevent error or fraud. This holds true for software development for business critical applications. According to regulations, IT must not only ensure that changes in software development are made in a controlled and auditable fashion, but it must also flag for management any changes that will have a significant impact on the business. To meet this requirement, IT must: Understand the internal control program and the reporting process; Identify risks related to IT; Design and implement controls to mitigate risk and continuously monitor them for effectiveness; Document and test IT controls; and Ensure that IT controls are updated as necessary to correspond to changes in financial reporting processes. Clearly, control is the operative word here. The main regulatory bodies require management to define and establish procedures to ensure that software is developed in a controlled manner. Yet, it is important that the controls not interfere with IT s ability 2

5 to respond quickly to the needs of the business. Consequently, it is recommended that these controls be automated. Automation reduces the time, expense, and disruption of IT audits. In a nutshell, repeatable and measurable processes structured, defined, implemented, and enforced are key to effectively and easily comply with regulatory requirements. Sound, comprehensive records of these corporate controls must be kept so that an external auditor can attest to the effectiveness of the controls. At the same time, these controls should be automated so that IT remains responsive and productive. enter best practice methodologies Often, meeting compliance requirements is really just a matter of implementing existing IT best practices. The top best practice frameworks stress automated, structured, repeatable processes within IT the very thing the regulations demand. Six Sigma, COSO, COBIT, ITIL, and CMMI, to name a few, all strive to make software development and frequent service delivery true business processes that can be tracked, measured, and controlled. In most cases, a single IT control will address compliance requirements for a number of different regulations and standards. Therefore, smart organizations are using regulatory compliance to justify automating inefficient manual processes, a boon for business efficiency and quality. Further, the regulations are giving companies permission to dedicate resources to acquiring the tools and expertise to address compliance and best practices. With increasing demand for innovative software applications, IT is becoming more and more valuable to the business. IT now has a rare opportunity to examine and improve internal processes for the benefit of all. Best practices are giving companies a way to achieve compliance, but even more importantly, the improved processes create a significant competitive advantage for companies wishing to further integrate IT and the business. As a result, best practice methodologies are taking the development world by storm. application lifecycle management (alm), compliance, and best practices So how do enterprises implement best practices and comply with control objectives 3

6 without creating so much bureaucracy that work comes to a grinding halt? As we ve seen, both compliance and best practice frameworks stress standardizing and automating comprehensive, internal controls. However, organizations need support as they implement IT governance solutions to turn regulatory compliance into a business advantage. Automated application lifecycle management solutions are often critical to the success of these efforts. As software systems become more complex and interdependent, the need for application lifecycle management (ALM) increases dramatically. ALM solutions provide support by allowing organizations to capture and implement their business processes within automated systems. They eliminate the need for many complex, time-consuming, and error-prone manual processes. By targeting process maturity in software development, ALM offers companies a way to encapsulate best practices and regulatory compliance within their ALM system. At the same time, ALM empowers IT to realize its full value to the organization by increasing productivity, quality, responsiveness, and the availability of management information. Key aspects of ALM include IT services management, requirements management, project and portfolio management, change and configuration management, and deployment. ALM covers all application development phases, from issue creation, change request, and project initiation through requirements, approvals, development, testing, and deployment. By delivering process efficiency, automation, and manageability into the IT development environment, ALM enables businesses to control application development, ensure process repeatability, and improve responsiveness to user needs and requests. ALM meets a critical need for improved visibility and traceability and offers teams a way to collaborate across silos and operational areas regardless of geographic location. A strong ALM system should: Provide a collaborative communication infrastructure that ensures IT services and software initiatives support overall business goals; Reduce IT development costs by ensuring project teams build the application correctly the first time around; Automatically control services delivery and software development through 4

7 auditable, repeatable processes; Enable communication between stakeholders of all changes in projects, and ensure appropriate notification, reviews, and approvals; Ensure dependable levels of quality and security in support of Service Level Agreements (SLAs); Provide a secure, visible repository of all application artifacts. simplifying alm for compliance and best practices We are highly regarded in the industry for providing process-centric change governance solutions for application lifecycle management to companies that wish to gain control of IT. Our proactive approach to change improves efficiency, quality, and delivery, and increases profits and competitive advantage. We automate the entire application development lifecycle, reducing the burden of regulatory compliance and the associated administrative cost for IT and the business. Further, Rocket Aldon Application Lifecycle Manager (LM) contributes to improved IT-business integration by making business processes visible, traceable, auditable, and repeatable. Streamlined, managed development processes improve predictability, shorten development cycles, and remove complexity. With our solution, IT services become strategically integrated with business efforts, leading to improved performance by the entire company. Customers choose us when they want: Predictable, controlled software development: We help IT organizations improve the way they deliver services and develop software. By standardizing IT processes, we automate many of the core operations that run today s enterprises. Through our integrated communication infrastructure a central repository of information we eliminate silos, align people and efforts, and coordinate technological components and their interdependencies. Our automated services, development process, and internal controls such as approval tracking and management reduce the complexities of today s IT environment. Software productivity, quality, and business-it integration are improved while compliance standards are met. 5

8 To adapt to new technologies: New and enabling technologies are one driver of ALM adoption. SOA and web services offer the promise of seamless integration and reusability for disparate software parts. Our solution enables components developed for one process to be efficiently identified and reused for another. Users can easily explore the relationships among services through our logical application explorer. Greater visibility and management of IT business processes, people, and assets: Our process control and traceability allow enterprises to enjoy a single integrated business perspective. Centralized management and visibility of IT assets, personnel, and projects speed project completion and fulfill compliance requirements. And corporate IT assets are all secured against loss and unauthorized movement. We give businesses a tool with which to visualize and understand how changes relating to regulatory compliance will affect the organization before they happen. A centralized repository: Our products provide a central repository for the ideas, designs, discussions, requirements, tasks, and other information that team members must readily access. All valuable intellectual property from programs in the wide variety of languages available today such as Java, RPG, Cobol, C++, XML, Fortran, Visual Basic, C, HTML, JCL, and.net to a diversity of modules, graphics, views, documents, tables, stored procedures, triggers, and project files are secured within a repository to prevent loss and unauthorized access. A consolidated inventory ensures synchronization between platforms, reduces management overhead, and defines a manageable and repeatable process. Ongoing regulatory and standards compliance: Our software provides detailed audit trails and reports on all system transactions and activities, supporting control objectives found within the ITIL, COBIT, CMMI, and ISO frameworks. Progress metrics can be quickly checked via dashboards, while standard reports provide history for analysis and auditing. Standard SQL can be used to capture information and to create a variety of reports. Audit logs store detailed histories to simplify and comply with auditing needs. And management has the visibility and information needed to judge the return of IT projects. Coordination and synchronization: LM synchronizes the delivery of dependent change components across 6

9 platforms and teams; tracks and verifies service level agreements; and boosts compliance efforts. In coordinating all elements of IT service delivery, LM offers a vital process maturity strategy. LM also improves efficiency and control when building and delivering development projects. With our products, even remote software development is easily coordinated with local development efforts, resulting in seamless project management. Integrated monitoring, tracking, auditing, reports, and dashboards all help managers keep projects on schedule. Release management: When a team begins managing applications that impact the entire enterprise, it is useful and often necessary to manage different versions or releases that might be in development at the same time. Our products allow an enterprise to manage multiple software versions and releases simultaneously. Market validation: In fact, we have been guiding companies through compliance for years, from meeting ISO standards to industry-specific issues such as HIPAA and 21CFR Part 11. The majority of our customers occupy the following highly-regulated industries: Banking and Financial Services; Communications; Insurance; Manufacturing; Medical and Pharmaceutica;l Retail; Transportation conclusion Technology continues to accelerate the rate of change in organizations of all kinds. Companies must detect and respond to new opportunities and threats quickly and effectively. Such responsiveness can only be achieved by harnessing the power of IT with application lifecycle management for best practices and compliance. ALM helps IT to be responsive, and in turn allows the business to react quickly and wisely to changing business conditions. ALM eases the burden of compliance on the development organization and offers business benefits across the organization through increased agility, competitiveness, and overall business efficiency. Our formal, automated services and application development processes improve quality and delivery, reduce costs, and ensure compliance. By installing a regimen of internal controls over IT, today s savvy businesses are using compliance as an opportunity to significantly improve productivity and quality and go after that holy grail of true business-it integration. 7

10