Comply, Improve, Transform: Regulatory Compliance Management for Software Development. Jim Duggan

Transcription

1 Comply, Improve, Transform: Regulatory Compliance Management for Software Development Jim Duggan

2 You Can Offset the Costs of Compliance! Complexity Drives Cost UP Sarbanes-Oxley HIPAA EPA Basel II M&A Globalization Siloed Projects Heterogeneity Direct Costs Indirect Costs New Risk Exposure Business Process Architecture IT Process and Governance Compliance Management Best Practices Drive Cost DOWND 2006 Gartner, Inc. All Rights Reserved.

3 Roles and Views Set Different Targets Audience CEO CFO Challenges Regulatory Compliance Visibility and Alignment Operational Efficiency Risk Minimization CIO VP IT VP OPS Management Processes and Audit Performance Explicit, Repeatable and Enforceable Traceable, Secure Development, Project, Operations Managers Project and Operational Execution Coordination, Control, Integration 2006 Gartner, Inc. All Rights Reserved.

4 Foundations of Excellence: Repeatable Processes Governance Management Assess, Prioritize and Charter Operate and Monitor Development Design, Develop, Enhance and Integrate Assure and Deliver Production Acceptance 2006 Gartner, Inc. All Rights Reserved.

5 Regulatory Compliance Processes Will Entwine IT Control and Risk Frameworks SAS 70 (Service Org. Controls) ITIL (Best Practices) ISO (Security Policies and Controls) COBIT (Key Processes for Internal Audits ) PMBoK, Prince2 (Project Management) CMMi (Capability Maturity Model Integration) 2006 Gartner, Inc. All Rights Reserved.

6 Regulatory Compliance Processes Will Entwine IT Control and Risk Frameworks CobiT Processes for Regulatory Compliance 2006 Gartner, Inc. All Rights Reserved. Manage Operations Manage Risks and Controls Manage Reliability Manage Records and Data Manage Systems Manage Change DS 2 Manage third-party services DS 7 Educate and train users DS 13 Manage operations PO 9 Assess risks PO 8 Ensure external compliance M1 Monitor M2 Assess internal-control adequacy DS 10 Problems and incidents DS 5 Ensure system security DS 11 Manage data PO 2 Define IT architecture DS 9 Manage the configuration PO 5 Manage the IT investment AI 4 Develop and maintain procedures AI 6 Manage change PO 11 Manage quality AI 5 Install and accredit systems

7 Change Request Initiation and Control (AI 6.1) Ensure that all requests for changes, system maintenance and supplier maintenance are standardized and are subject to formal change management procedures. Categorize and prioritize changes. Put specific procedures in place to handle urgent matters. Keep change requestors informed about request status. Originators Service Desk Change Board Implementers 2006 Gartner, Inc. All Rights Reserved.

8 Impact Assessment (AI 6.2) Ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality. Business units, development (or other implementers) and production have to be involved in impact assessments Governance processes have to balance the legitimate interests of all parties Resource constraints have to be explicitly recognized Application portfolio management can significantly enhance capabilities 2006 Gartner, Inc. All Rights Reserved. Risk Value

9 Control of Changes (AI 6.3) Properly integrate change management and software control and distribution with a comprehensive configuration management system. Automate the system used to monitor changes to application systems to support the recording and tracking of changes made to large, complex information systems. VERSION + TRACK AND NOTIFY + AUTOMATE 2006 Gartner, Inc. All Rights Reserved.

10 Emergency Changes (AI 6.4) Establish parameters defining emergency changes. Establish procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. Record the emergency changes and have them authorized by IT management prior to implementation. Monitor the proportion of emergencies Police the use of the emergency process Capture afterward in normal processes 2006 Gartner, Inc. All Rights Reserved.

11 Documentation and Procedures (AI 6.5) Whenever system changes are implemented, ensure that the associated documentation and procedures are updated accordingly. Causes of Unplanned Application Downtime Operator Errors 40% 20% 40% Technology Failures Application Failures 2006 Gartner, Inc. All Rights Reserved.

12 Authorized Maintenance (AI 6.6) Ensure that maintenance personnel have specific assignments and that their work is properly monitored. Control system access rights to avoid risks of unauthorized access to automated systems. Responsibility Traceability Separation of Duties Develop or Assemble Development Process Test and Integration Acceptance Process Production Preproduction 2006 Gartner, Inc. All Rights Reserved. Development Production

13 Software Release Policy (AI 6.7) Ensure that the release of software is governed by formal procedures ensuring signoff, packaging, regression testing, handover, etc. Responsibility Traceability Separation of Duties Develop or Assemble Development Process Test and Integration Acceptance Process Production Preproduction 2006 Gartner, Inc. All Rights Reserved. Development Production

14 Recommendations Seek excellence in software development processes (eg. change and configuration management) to reduce the cost of compliance. Promote process discipline from a service-level issue to a corporate risk issue. Understand that IT management needs will accelerate the convergence of control and administration. Plan for audit standards, particularly in regulated industries, to be elevated as best attainable practice is identified Gartner, Inc. All Rights Reserved.

15 Comply, Improve, Transform: Regulatory Compliance Management for Software Development Jim Duggan

16 Business Unit or Product Name Comply, Improve, Transform: Regulatory Compliance Management for Software Development Robyn Gold Market Manager, Rational Compliance Solutions 2004 IBM Corporation

17 Business Unit or Product Name Before we begin... IBM s customer is responsible for ensuring its own compliance with legal requirements. It is the customer s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. CORPORATE OVERVIEW 2003 IBM Corporation

18 Business Unit or Product Name Compliance for software development organizations Say what you do Establish a compliant development process Business controls and workflow Technical controls and workflow Approvals, authorizations, quality gates, separation of duties Do what you say Automate enforcement of your process Process guidance, automated workflow, tooldirected behavior Be able to prove it Automate the generation of audit documentation Leverage compliance for business advantage Analyze project metrics and process metrics Iteratively improve CORPORATE OVERVIEW 2003 IBM Corporation

19 Business Unit or Product Name A Sample Compliant Project Flow CEO CIO/ Portfolio Mgr. Business Business Issue Issue Raised Raised by by Audit Audit Risks Risks Assessed Assessed Proposal Proposal Defined Defined Project Project Estimated Estimated and and Approved Approved Architect Solution Solution Designed Designed Development Manager Release Release Scheduled Scheduled Team Lead Developer Functionality Functionality Built Built Quality Manager Release Completed Audit Evaluate Evaluate Audit Audit Package Package sign-off Release Deployed For Test sign-off Release Verified sign-off sign-off Business CORPORATE OVERVIEW Development Operations 2003 IBM Corporation

20 Business Unit or Product Name Step one: Define a compliant development process Project Governance Questions How do projects get approved? Funded? What criteria is used to prioritize, save and kill projects? What authorizations are required, by whom, and when? Who assigns resources? Technology Governance Questions Who is authorized to access technical assets? How do software changes get approved? How is software validated? By whom? When? What approvals are required, where and by whom? What are audit package requirements? Where is the change package stored, and for how long? CORPORATE OVERVIEW 2003 IBM Corporation

21 Business Unit or Product Name Defining a compliant process Rational Method Composer and Portfolio Manager 6.2 Process Engineer Rational Unified Process Practitioner Project Manager Rational Portfolio Manager Process Advisor Method Library Published Configurations Process Templates CORPORATE OVERVIEW 2003 IBM Corporation

22 Business Unit or Product Name Step two: Do what you say Create an audit-ready infrastructure that minimizes developer burden and maximizes team collaboration Automated workflow Make it easy to do the right thing Enforce separation of duties Build in quality and approval gates Traceability Verify that validated requirements drive results Auditability Capture the Who, what, when, why of all software deliverables Ensure that only authorized personnel have contributed to software updates Support forensic analysis Validation Validate that deliveries meet requirements Verify completeness and accuracy of software builds New GUI button Enhanced Bug 849 audit trail 1. Select activity 2. Checkout & edit files 3. Compile and link IBM Rational Software Development Platform 5. Check in changes 4. Test changes CORPORATE OVERVIEW 2003 IBM Corporation

23 Business Unit or Product Name Step 3: Be able to prove it Project proposal submitted for planning and assessment Project approval authorizes effort Audit report confirms delivery steps Compliance is like the emperor s wife: you must not only be virtuous, but be seen to be virtuous. CORPORATE OVERVIEW 2003 IBM Corporation

24 Business Unit or Product Name Compliance: The foundation for good IT governance IT Executive Value Manage Risk Prioritize Compliance Initiatives Evaluate and Mitigate Risks Reducing regulatory compliance risk is the first step toward establishing a strategic framework for IT governance. Monitor Remediation Track Development / Compliance Metrics Instantiate Controls Operationalize Best Practices Minimize Overhead Automate Compliant Development Flows Enable Business Transformation Restructure Processes Optimize Execution Time IBM Rational Portfolio Manager CORPORATE OVERVIEW 2003 IBM Corporation

25 Business Unit or Product Name Summary Compliance is a software development imperative Mandates both business and technology controls over the software lifecycle Best controls = least intrusive Controls provide the foundation for IT governance Compliance is both a requirement and an opportunity to drive fundamental improvements in software development maturity. CORPORATE OVERVIEW 2003 IBM Corporation

26 Business Unit or Product Name Customer success Volkswagen AG TTI Telecom Unisys Acuity Viveo ToolObject Assurant Health Ludwig Gortz Thomson Financial 20% productivity increase Improved time-to-market by 50% Estimated savings of $2 million per year 25-40% improvement in cycle time % improvement in productivity 25-60% cost savings 15% higher profitability 46% higher employee productivity 60% reduction in development cycles Projects delivered on-time 30% under budget 25% increase in employee satisfaction Pilot project costs reduced 50% CORPORATE OVERVIEW 2003 IBM Corporation

27 Business Unit or Product Name For more information IBM Rational Compliance Solutions software/info/developer/solutions/compliance Success stories Datasheets and brochures Whitepapers Demos How to contact an IBM Rational representative software/info/developer/solutions CORPORATE OVERVIEW 2003 IBM Corporation