How to Ensure IT Compliance Without Compromising Innovation
Nik Teshima, IBM
Phil Odence, Black Duck
Black Duck 2013
Speakers
- Phil Odence, VP of Business Development, Black Duck Software
- Nik Teshima, Senior Product and Market Manager, IBM
Agenda
- The Iron Triangle of Compliance
- Compliance and Innovation
- Innovation and Control Elements
- Software Development Compliance
- Integrated Open Source Compliance
- Summary
- Q&A
Black Duck Business
50% of companies will face challenges due to lack of FOSS policy and management. (FOSS Analysis, Nov. 2011)
What Do We Do?
Application development cycle: Plan, Code, Build, Test, Release
Open source governance lifecycle: Acquire, Approve, Catalog, Audit, Monitor
Black Duck Knowledge Base attributes per component: Description, Version, Vulnerabilities, Cryptography, License, Maturity
Black Duck and Rational
- 6+ year relationship
- Integrations (Ready for Rational): Black Duck Suite with Build Forge, Rational Team Concert, ClearCase
- Extending the Rational compliance solution to include open source management
Open Source: Faster, Better, Cheaper
The software iron triangle: Cost, Schedule, Features
"Open source is a silver bullet that allows simultaneous improvement along all three dimensions of the software iron triangle of cost, schedule, features." Jeffrey Hammond, Forrester
The Compliance Iron Triangle: Risk (all sorts), Productivity, Compliance
Accelerating innovation while maintaining appropriate controls
IT organizations:
- Developer: agility and responsibility
- Management: governance and empowerment
- Integrate early and continuously
- Collaborate in context across the extended lifecycle
- Optimize business outcomes
Across customers, line of business, software development and operations: accelerated delivery
Business value: Enabling Product and Service Innovation
Rational: Accelerating innovation to achieve business outcomes. For IT clients: integrate, collaborate and optimize for agility with governance.
1. Boost productivity of software engineering disciplines
- Maximize the efficient use of resources through automating overhead activities such as documentation, change propagation, status reporting, metrics collection, traceability, audit trails.
- Areas: Design, Development; Quality Management; Requirements Management; Change and Configuration Management
- Business outcomes: Automated status reporting derived from evolving engineering artifacts can improve productivity by 5-10%. Valtech increased productivity by more than 40% and reduced defect rates by 75%.
2. Improve project performance
- Increase project predictability and reduce scrap and rework through improved collaboration across teams, geographies, roles and systems.
- Areas: Collaborative lifecycle management; Project and Portfolio Management; DevOps; Multi-platform development; Mobile, Multi-Channel Development
- Business outcomes: Collaborating on work items, defects and build errors can reduce late rework by 25-50%. Nationwide reduced production defects by 90%. Emerging Health IT shortened life cycle delivery from 6 to 8 months to 3 months.
3. Improve business outcomes
- Align software investments to business priorities by leveraging instrumentation to optimize supply chain processes and improve decision-making.
- Areas: Governance, Risk and Compliance; Portfolio Management; Software Supply Chain; Predictive Analytics
- Business outcomes: Best practices in scope management can improve predictability of project delivery by 20-30%. Danske Bank reduced its time-to-market by 50% with an improved focus on measurement and improved agility.
Value realized: improved time and scope
IT Compliance: Today's realities
One compliance failure generates $81M in extra costs for firms earning larger than $1B in revenues. (Source)
Demonstrating compliance:
- How do you prove that your products and services are compliant and audit-ready?
- What's the impact of a regulatory compliance fine if you can't prove that your business applications and products adhere to industry regulatory requirements?
- How do you improve your ability to demonstrate compliance without slowing down your time to market and eroding your competitive posture?
- How do you prove your software development process is compliant?
Today, Governance, Risk, and Compliance is typically fractured across an organization, leading to uncoordinated buying patterns and high-risk siloed operations, and here's some examples from 2012.
The solution is the automation of Internal Controls and Proof of Adherence
Implemented in process, configured in CLM, and proven by: dashboards, reports, automated enforcement
Integrated and effective Collaborative Lifecycle Management
IBM Rational solution for Collaborative Lifecycle Management: Design, Requirements, Quality, Software Change and Configuration
Roles: Architect, Engineer, Analyst, Developer, Quality Professional, Deployment Engineer
Open Lifecycle Integration Platform + many more
Rational IT Compliance: Three ways we support compliance
1) Planning for Compliance: organize, prioritize and track responses to changing regulatory content (mandates and standards).
2) Collaborative Compliance Remediation Delivery: ensure that the right things are built and tested (Project X, Project Y, Project Z). Controls impact business processes, analytics, system configuration, software and IT applications.
3) Software and Product Development Compliance: govern how changes are made (work authorization, segregation of duties, process capture and change control, audit support and reporting); open source governance with Black Duck and Rational.
Compliance Example
Section 326 of the USA PATRIOT Act requires banks to have a Customer Identification Program (CIP).
1. Planning for Compliance: JKE Banking GRC analyzes the mandate and assesses the risk of different implementations. Procedures are issued for screening anyone applying for an account, including checking the applicant against a Federal Terrorist Watch list and people who have defaulted on loans with JKE Bank.
2. Collaborative Compliance Remediation Delivery: IT determines that there are three systems with online loan application capabilities. After analysis and deciding, two projects are identified in which the CIP will be implemented on these systems.
3. Software and Product Development Compliance: The vendor management team performs an audit on the software development processes to ensure enforcement of the JKE Banking Internal Controls. The two projects progress and are completed using CLM, with complete tracing from the business need to project plans, detailed requirements, test cases and designs. Proper work authorization and segregation of duties are used.
Regulated Software Development: Audit Challenges
Say what you do
- Documented evidence of a thorough development process
- A well communicated and easily understood program
Do what you say
- Prudent use and enforcement of applicable business controls
- Requirements integrity: tracking of requirements to implementation and test
- Management of software deliveries to preclude unauthorized changes
- Ensure the process is enforced (including process validation, audit and automation)
- Process integrity: implementation of change control over the development process and metrics used to monitor and control process execution
- Make sure developers are using only approved open source components that meet company policies
Be prepared to prove it
- Documented evidence of adherence to internal controls through dashboards, regular reporting and monitoring, as well as independent audit
Software Development Compliance
- Work Authorization and Requirements Integrity: auditable requirements review and approval, and authorization to implement them.
- Segregation of Duties: protect a system from unintended or unauthorized changes through a separation of duties (having more than one person required to complete a task or related set of tasks/activities).
- Process Change Control: ensure that the internal controls for IT (including software development) governance are enforced and cannot be circumvented.
- Audit Support and Reports: document how you have implemented the controls, then prove that your teams are following them.
- Open Source Governance: leverage the value of open source while minimizing risk, with automated and unobstructed monitoring of its usage.
Defining your specific internal controls, as well as assuring that they meet the regulations to which you are bound and the guidelines to which you aspire, is the responsibility of your own governance, risk and compliance organization.
Regulated Software Development: Work Authorization and Requirements Integrity
Challenge: Agile and iterative processes must be balanced with auditable authorization gates and change management to ensure only approved work is included in a release to production.
User stories that need to be supported:
- As an approval authority, I need the ability to approve the correctness of a specific version of a requirement.
- As an approval authority, I need the ability to certifiably authorize work to implement, test, deploy, etc. the approved version of the requirement.
- As an auditor, I need proof that only approved and authorized versions of requirements were implemented, tested, etc. and included in a given release.
Best practices (different products or combinations of products can be used):
- Requirements Composer with Team Concert: RRC to define, review/approve and manage requirements; RTC to authorize and manage work assignments with e-signatures
- Team Concert only: capture, approve, manage and authorize changes and work
Regulated Software Development: Segregation of Duties
Challenge: Balance the need for flexible role definitions (including the ability to assign multiple roles to the same individual) against the need to ensure that no individual can circumvent segregation of duties rules and introduce unintended or unauthorized changes into a system.
Auditor wants to see:
- Checks and balances to ensure that one person could not push changes through
- Software development best practices to ensure that the integrity of the system is maintained
Best practices:
- Clearly capture segregation of duties rules
- Capture test cases for process changes
- Report segregation of duties violations with every build
- Automate enforcement of segregation of duties
IBM Rational Software Development Compliance Solution: Segregation of Duties
Three different ways Segregation of Duties is supported:
1. Using roles and permissions
2. Automated reporting on violations
3. Automated prevention of violations
(Screenshot callout: "Cannot be same user")
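The three mechanisms on this slide, roles and permissions, per-build violation reporting, and automated prevention, can be shown together in a small check that runs over the change records of one build. The following is an added example written for this summary; it is not Rational Team Concert code and does not use its API. The role model, user directory, rule pairs and work-item records are all constructed assumptions.

```python
"""Segregation-of-duties check over constructed change records for one build.

(1) ROLE_PERMISSIONS/USER_ROLES gate which duties a user may perform,
(2) audit_build() reports every violation found in the build, and
(3) the build is marked blocked when any violation exists (prevention).
All names, roles and rules below are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical role model: which roles may perform which duty on a work item.
ROLE_PERMISSIONS: Dict[str, set] = {
    "developer": {"author"},
    "reviewer": {"reviewer"},
    "approver": {"approver", "reviewer"},
    "release_engineer": {"deployer"},
}

# Constructed user directory; a user may hold several roles at once.
USER_ROLES: Dict[str, set] = {
    "alice": {"developer"},
    "bob": {"developer", "reviewer"},
    "carol": {"approver"},
    "dave": {"release_engineer"},
}

# Duty pairs that must never be performed by the same person on one work item
# (the "cannot be same user" rule, stated as data so it can be audited).
SOD_RULES = [("author", "reviewer"), ("author", "approver"), ("approver", "deployer")]


@dataclass
class ChangeRecord:
    """Who performed each duty on one work item (duty name -> user id)."""
    work_item: str
    duties: Dict[str, str]


def permission_violations(record: ChangeRecord) -> List[str]:
    """Duties performed by a user holding no role that permits that duty."""
    out = []
    for duty, user in record.duties.items():
        roles = USER_ROLES.get(user, set())
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        if duty not in allowed:
            out.append(f"permission: {user} has no role allowed to act as {duty}")
    return out


def sod_violations(record: ChangeRecord, rules=SOD_RULES) -> List[str]:
    """Rule pairs where both duties were performed by the same user."""
    out = []
    for first, second in rules:
        user = record.duties.get(first)
        if user is not None and user == record.duties.get(second):
            out.append(f"sod: {first} and {second} both performed by {user}")
    return out


def audit_build(records: List[ChangeRecord]) -> Dict[str, object]:
    """Per-build report: violations keyed by work item, plus a block decision."""
    violations: Dict[str, List[str]] = {}
    for rec in records:
        found = permission_violations(rec) + sod_violations(rec)
        if found:
            violations[rec.work_item] = found
    return {"violations": violations, "blocked": bool(violations)}


# Constructed sample records for one build: a clean item, a self-review,
# and an approver who also deployed without holding a deploy role.
BUILD_RECORDS = [
    ChangeRecord("WI-101", {"author": "alice", "reviewer": "bob",
                            "approver": "carol", "deployer": "dave"}),
    ChangeRecord("WI-102", {"author": "alice", "reviewer": "alice",
                            "approver": "carol", "deployer": "dave"}),
    ChangeRecord("WI-103", {"author": "bob", "reviewer": "carol",
                            "approver": "carol", "deployer": "carol"}),
]

if __name__ == "__main__":
    report = audit_build(BUILD_RECORDS)
    for item, found in report["violations"].items():
        print(item)
        for line in found:
            print("  " + line)
    print("build blocked" if report["blocked"] else "build clean")
```

Keeping the rules as data rather than as scattered if-statements is what makes the control itself auditable: the auditor can read SOD_RULES and ROLE_PERMISSIONS as the documented policy, and the per-build report is the evidence that it was applied.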
Regulated Software Development: Process Change Control
Challenge: balancing competing needs: a highly configurable process, while ensuring necessary process change controls are enforced and not circumvented.
Auditor wants to see:
- What parts of the process configuration are under change control
- What changes were made, and by whom, when, who authorized, the previous value and the new value
Best practices:
- Centralized shared process configuration is used for controlling parts of the process configuration across an organization
- Custom work item type for capturing and approving process changes
- The process change history recorded by Team Concert
Regulated Software Development: Audit Support
Challenge: the "prove it" challenge: how to prove, with minimal disruption and cost, that the project followed and did not circumvent the documented process and associated internal controls.
Auditor wants to see:
- How the process is communicated
- That users of the process know it and follow it
- A history of properly following the process
- How internal controls (work authorization, segregation of duties, etc.) are implemented
Best practices:
- Generation of audit reports that capture historical proof of adherence to process and compliance rules
- Traceability from internal controls to implementation and testing of those controls to provide an audit trail
Regulated Software Development: Open Source Compliance Management
Challenge: Developers do their jobs faster and better by leveraging open source components that are freely available on the Internet, but they may not be completely evaluating the code that they use, particularly from a licensing perspective.
Software development organizations want:
- Visibility into what open source components their developers are using
- Assurance that components meet company policy
- No license violations
Best practices:
- Create a company policy with respect to developers' use of open source
- Implement processes to ensure policy compliance
- Automate processes to minimize overhead
Open Source Compliance Analysis
Features:
- Automated/integrated with build process
- Identifies open source content
- Utilizes complete, industry-leading KnowledgeBase (700K+ OSS components)
- Identifies license conflicts with company policies
- Automatic work item creation
- Bill of materials output
Benefits:
- Ensures policy compliance
- Provides visibility into software contents
- Minimizes compliance burden on developers
Automated Open Source Compliance with Black Duck and RTC
Flow: Analysis, Alert, Remediation
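The policy step of the analysis, alert, remediation flow (identified components checked against company license policy, conflicts turned into work items, a bill of materials emitted) can be illustrated with a small checker. This is an added example, not Black Duck or RTC code; component identification against a knowledge base is out of scope here, so the component list is a constructed input, and the policy table, license decisions and component names are all assumptions made for the example.

```python
"""License-policy check over a constructed bill of materials.

Given components already identified in a build, apply a per-license policy
that depends on how the product is distributed, raise one work item per
conflict (the alert step), and emit a BOM with a compliance status per entry.
Policy, licenses and component names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical policy: decision per license, keyed by distribution context.
# "allow" needs nothing, "review" needs a recorded approval, "deny" always conflicts.
POLICY: Dict[str, Dict[str, str]] = {
    "MIT": {"internal": "allow", "distributed": "allow"},
    "Apache-2.0": {"internal": "allow", "distributed": "allow"},
    "LGPL-2.1": {"internal": "allow", "distributed": "review"},
    "GPL-3.0": {"internal": "allow", "distributed": "deny"},
}
# Licenses the policy does not know (or no license found) go to review.
UNKNOWN_LICENSE_DECISION = "review"


@dataclass
class Component:
    name: str
    version: str
    license_id: str
    approved: bool = False  # approval recorded in the catalog (the Approve step)


@dataclass
class WorkItem:
    component: str
    severity: str
    summary: str


def decision_for(comp: Component, context: str) -> str:
    """Policy decision for one component in the given distribution context."""
    return POLICY.get(comp.license_id, {}).get(context, UNKNOWN_LICENSE_DECISION)


def is_compliant(comp: Component, context: str) -> bool:
    decision = decision_for(comp, context)
    return decision == "allow" or (decision == "review" and comp.approved)


def check_policy(components: List[Component], context: str) -> List[WorkItem]:
    """Alert step: one work item per component that conflicts with policy."""
    items = []
    for c in components:
        ident = f"{c.name}@{c.version}"
        decision = decision_for(c, context)
        if decision == "deny":
            items.append(WorkItem(ident, "blocker",
                f"{c.license_id} is prohibited for {context} use; remove or replace"))
        elif decision == "review" and not c.approved:
            items.append(WorkItem(ident, "major",
                f"{c.license_id} requires approval for {context} use; request review"))
    return items


def bill_of_materials(components: List[Component], context: str) -> List[Dict[str, str]]:
    """BOM output: every component with its license and compliance status."""
    return [{"component": c.name, "version": c.version, "license": c.license_id,
             "status": "compliant" if is_compliant(c, context) else "conflict"}
            for c in components]


# Constructed sample of components identified in a build.
SAMPLE_COMPONENTS = [
    Component("webclient-lib", "3.1.0", "MIT"),
    Component("logger-core", "2.4.7", "Apache-2.0"),
    Component("imageconv", "1.4.2", "LGPL-2.1", approved=True),
    Component("pdf-render", "2.0", "GPL-3.0"),
    Component("mystery-zip", "0.9", "Unknown"),
]

if __name__ == "__main__":
    for item in check_policy(SAMPLE_COMPONENTS, "distributed"):
        print(f"[{item.severity}] {item.component}: {item.summary}")
    for row in bill_of_materials(SAMPLE_COMPONENTS, "distributed"):
        print(row)
```

Two details carry the compliance value: the unknown-license case defaults to review rather than allow, so a component the scanner could not classify still surfaces as a work item, and the same BOM function serves both the developer's view and the auditor's evidence that the policy was applied to every component in the build.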
Regulated Software Development: Say, Do, Prove
Implemented in process, configured in CLM, and proven by: dashboards, reports, automated enforcement
Q&A
Any questions? Feel free to contact us after the webinar:
- Nik Teshima, teshiman@ca.ibm.com
- Phil Odence, podence@blackducksoftware.com