How to Ensure IT Compliance Without Compromising Innovation. Nik Teshima, IBM Phil Odence, Black Duck


Transcription:

How to Ensure IT Compliance Without Compromising Innovation. Nik Teshima, IBM; Phil Odence, Black Duck. Black Duck, 2013.

Speakers
- Phil Odence, VP of Business Development, Black Duck Software
- Nik Teshima, Senior Product and Market Manager, IBM

Agenda
- The Iron Triangle of Compliance
- Compliance and Innovation
- Innovation and Control Elements
- Software Development Compliance
- Integrated Open Source Compliance
- Summary
- Q&A

Black Duck Business
50% of companies will face challenges due to lack of FOSS policy and management. (FOSS Analysis, Nov. 2011)

What Do We Do?
- Application development cycle: Plan, Code, Build, Test, Release
- Open source governance lifecycle: Acquire, Approve, Catalog, Audit, Monitor
- Black Duck Knowledge Base: Description, Version, Vulnerabilities, Cryptography, License, Maturity

Black Duck and Rational
- 6+ year relationship
- Integrations: Ready for Rational; Black Duck Suite with Build Forge, Rational Team Concert, ClearCase (recent)
- Extending the Rational compliance solution to include open source management

Open Source: Faster, Better, Cheaper (Cost, Schedule, Features)
"Open source is a silver bullet that allows simultaneous improvement along all three dimensions of the software iron triangle of cost, schedule, features." Jeffrey Hammond, Forrester

The Compliance Iron Triangle: Risk (all sorts), Productivity, Compliance


Accelerating innovation while maintaining appropriate controls
IT organizations: developer agility and responsibility; management governance and empowerment.
- Integrate early and continuously
- Collaborate in context across the extended lifecycle
- Optimize business outcomes
Customers, Line of Business, Software Development, Operations: Accelerated Delivery

Business value: Enabling Product and Service Innovation
Rational: accelerating innovation to achieve business outcomes. For IT clients: integrate, collaborate and optimize for agility with governance.

1. Boost productivity of software engineering disciplines
Maximize the efficient use of resources through automating overhead activities such as documentation, change propagation, status reporting, metrics collection, traceability, audit trails.
Capabilities: Design, Development; Quality Management; Requirements Management; Change and Configuration Management.
Business outcomes: Automated status reporting derived from evolving engineering artifacts can improve productivity by 5-10%. Valtech increased productivity by more than 40% and reduced defect rates by 75%.

2. Improve project performance
Increase project predictability and reduce scrap and rework through improved collaboration across teams, geographies, roles and systems.
Capabilities: Collaborative lifecycle management; Project and Portfolio Management; DevOps; Multi-platform development; Mobile, Multi-Channel Development.
Business outcomes: Collaborating on work items, defects and build errors can reduce late rework by 25-50%. Nationwide reduced production defects by 90%. Emerging Health IT shortened life cycle delivery from 6 to 8 months to 3 months.

3. Improve business outcomes
Align software investments to business priorities by leveraging instrumentation to optimize supply chain processes and improve decision-making.
Capabilities: Governance, Risk and Compliance; Portfolio Management; Software Supply Chain; Predictive Analytics.
Business outcomes: Best practices in scope management can improve predictability of project delivery by 20-30%. Danske Bank reduced its time-to-market by 50% with an improved focus on measurement and improved agility. Value realized: improved time and scope.

IT Compliance: Today's realities
One compliance failure generates $81M in extra costs for firms earning larger than $1B in revenues. (Source)

Demonstrating compliance
- How do you prove that your products and services are compliant and audit-ready?
- What is the impact of a regulatory compliance fine if you cannot prove that your business applications and products adhere to industry regulatory requirements?
- How do you improve your ability to demonstrate compliance without slowing down your time to market and eroding your competitive posture?
- How do you prove your software development process is compliant?

Today, Governance, Risk, and Compliance is typically fractured across an organization, leading to uncoordinated buying patterns and high-risk siloed operations; here are some examples from 2012.

The solution is the automation of Internal Controls and Proof of Adherence: implemented in process, configured in CLM, and proven by dashboards, reports and automated enforcement.

Integrated and effective Collaborative Lifecycle Management
IBM Rational solution for Collaborative Lifecycle Management: Design, Requirements, Quality, Software Change and Configuration. Roles: Architect, Engineer, Analyst, Developer, Quality Professional, Deployment Engineer, and many more. Open Lifecycle Integration Platform.

Rational IT Compliance: Three ways we support compliance
1) Planning for Compliance: organize, prioritize and track responses to changing regulatory content (mandates and standards).
2) Collaborative Compliance Remediation Delivery: ensure that the right things are built and tested. Controls impact business processes, analytics, system configuration, software and IT applications (Project X, Project Y, Project Z).
3) Software and Product Development Compliance: govern how changes are made: work authorization, segregation of duties, process capture and change control, audit support and reporting, and open source governance with Black Duck and Rational.

Compliance Example (1. Planning for Compliance; 2. Collaborative Compliance Remediation Delivery; 3. Software and Product Development Compliance)
Section 326 of the USA PATRIOT Act requires banks to have a Customer Identification Program (CIP).
- JKE Banking GRC analyzes the mandate and assesses the risk of different implementations. Procedures are issued for screening anyone applying for an account, including checking the applicant against a Federal Terrorist Watch list and against people who have defaulted on loans with JKE Bank.
- IT determines that there are three systems with online loan application capabilities. After analysis and a decision, two projects are identified in which the CIP will be implemented on these systems. The vendor management team performs an audit on the software development processes to ensure enforcement of the JKE Banking Internal Controls.
- The two projects progress and are completed using CLM, with complete tracing from the business need to project plans, detailed requirements, test cases and designs. Proper work authorization and segregation of duties are used.

Regulated Software Development: Audit Challenges
Say what you do
- Documented evidence of a thorough development process
- A well communicated and easily understood program
Do what you say
- Prudent use and enforcement of applicable business controls
- Requirements integrity: tracking of requirements to implementation and test; management of software deliveries to preclude unauthorized changes
- Ensure the process is enforced (including process validation, audit and automation)
- Process integrity: implementation of change control over the development process, and metrics used to monitor and control process execution
- Make sure developers are using only approved open source components that meet company policies
Be prepared to prove it
- Documented evidence of adherence to internal controls through dashboards, regular reporting and monitoring, as well as independent audit

Software Development Compliance
- Work Authorization and Requirements Integrity: auditable requirements review and approval, and authorization to implement them.
- Segregation of Duties: protect a system from unintended or unauthorized changes through a separation of duties (having more than one person required to complete a task or related set of tasks/activities).
- Process Change Control: ensure that the internal controls for IT (including software development) governance are enforced and cannot be circumvented.
- Audit Support and Reports: document how you have implemented the controls, then prove that your teams are following them.
- Open Source Governance: leverage the value of open source while minimizing risk, with automated and unobstructed monitoring of its usage.
Defining your specific internal controls, as well as assuring that they meet the regulations to which you are bound and the guidelines to which you aspire, is the responsibility of your own governance, risk and compliance organization.

Regulated Software Development: Work Authorization and Requirements Integrity
Challenge: Agile and iterative processes must be balanced with auditable authorization gates and change management to ensure only approved work is included in a release to production.
User stories that need to be supported:
- As an approval authority, I need the ability to approve the correctness of a specific version of a requirement.
- As an approval authority, I need the ability to certifiably authorize work to implement, test, deploy, etc. the approved version of the requirement.
- As an auditor, I need proof that only approved and authorized versions of requirements were implemented, tested, etc. and included in a given release.
Best practices: different products or combinations of products can be used.
- Requirements Composer with Team Concert: RRC to define, review/approve and manage requirements; RTC to authorize and manage work assignments with e-signatures.
- Team Concert only: capture, approve, manage and authorize changes and work.

Regulated Software Development: Segregation of Duties
Challenge: Balance the need for flexible role definitions, including the ability to assign multiple roles to the same individual, with the need to ensure that no individual can circumvent segregation of duties rules and introduce unintended or unauthorized changes into a system.
Auditor wants to see:
- Checks and balances to ensure that one person could not push changes through
- Software development best practices to ensure that the integrity of the system is maintained
Best practices:
- Clearly capture segregation of duties rules
- Capture test cases for process changes
- Report segregation of duties violations with every build
- Automate enforcement of segregation of duties

IBM Rational Software Development Compliance Solution: Segregation of Duties
Three different ways Segregation of Duties is supported:
1. Using Roles and Permissions
2. Automated reporting on violations
3. Automated prevention of violations (cannot be same user)
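The two automated modes above (report violations with every build, prevent them before delivery) come down to one set of identity checks over each change set. This added example, which is not IBM Rational or Black Duck code, runs such checks over constructed change-set records; the field names and the three rules stand in for a team's own SoD policy.

```python
"""Segregation-of-duties (SoD) check for the change sets in a build.

Added example, not IBM Rational or Black Duck code. It models the control
on the slides ("cannot be same user", report violations with every build,
prevent violations before delivery) over constructed change-set records.
Field names and the three rules are assumptions standing in for a team's
own SoD policy.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ChangeSet:
    id: str
    author: str                 # who wrote the change
    approvers: Tuple[str, ...]  # who reviewed/approved it
    delivered_by: str           # who delivered it into the release stream


@dataclass(frozen=True)
class Violation:
    change_set: str
    rule: str


def check_change_set(cs: ChangeSet) -> List[Violation]:
    """Apply the SoD rules to one change set; an empty list means clean."""
    found = []
    if cs.author in cs.approvers:
        found.append(Violation(cs.id, "author approved own change"))
    if not [a for a in cs.approvers if a != cs.author]:
        found.append(Violation(cs.id, "no approval by a second person"))
    if cs.delivered_by == cs.author:
        found.append(Violation(cs.id, "author delivered own change"))
    return found


def may_deliver(cs: ChangeSet) -> bool:
    """Prevention mode: gate evaluated before a change set enters the stream."""
    return not check_change_set(cs)


def build_sod_report(change_sets) -> Tuple[bool, List[Violation]]:
    """Reporting mode: run over everything in a build; returns (passed, violations)."""
    violations = [v for cs in change_sets for v in check_change_set(cs)]
    return (not violations, violations)


# Constructed sample build: one clean change set and three that break a rule.
SAMPLE_BUILD = [
    ChangeSet("CS-101", "alice", ("bob",), "bob"),
    ChangeSet("CS-102", "carol", ("carol",), "dave"),   # self-approved
    ChangeSet("CS-103", "erin", ("frank",), "erin"),    # author delivered
    ChangeSet("CS-104", "gina", (), "hank"),            # never approved
]

if __name__ == "__main__":
    passed, violations = build_sod_report(SAMPLE_BUILD)
    print("SoD check:", "PASS" if passed else "FAIL")
    for v in violations:
        print(f"  {v.change_set}: {v.rule}")
```

Because the checks compare identities rather than roles, one person holding both the developer and approver roles is allowed, yet still cannot approve or deliver their own change.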

Regulated Software Development: Process Change Control
Challenge: balancing competing needs: a highly configurable process, while ensuring that the necessary process change controls are enforced and not circumvented.
Auditor wants to see:
- What parts of the process configuration are under change control
- What changes were made, and by whom, when, who authorized them, the previous value and the new value
Best practices:
- Centralized shared process configuration is used for controlling parts of the process configuration across an organization
- A custom work item type for capturing and approving process changes
- The process change history recorded by Team Concert

Regulated Software Development: Audit Support
Challenge: the "prove it" challenge: how to prove, with minimal disruption and cost, that the project followed and did not circumvent the documented process and associated internal controls.
Auditor wants to see:
- How the process is communicated
- That users of the process know it and follow it
- A history of properly following the process
- How internal controls (work authorization, segregation of duties, etc.) are implemented
Best practices:
- Generation of audit reports that capture historical proof of adherence to process and compliance rules
- Traceability from internal controls to the implementation and testing of those controls, to provide an audit trail

Regulated Software Development: Open Source Compliance Management
Challenge: Developers do their jobs faster and better by leveraging open source components that are freely available on the Internet, but they may not be completely evaluating the code that they use, particularly from a licensing perspective.
Software development organizations want:
- Visibility into what open source components their developers are using
- Assurance that components meet company policy
- No license violations
Best practices:
- Create a company policy with respect to developers' use of open source
- Implement processes to ensure policy compliance
- Automate processes to minimize overhead

Open Source Compliance Analysis
Features:
- Automated and integrated with the build process
- Identifies open source content
- Utilizes the complete, industry-leading KnowledgeBase (700K+ OSS components)
- Identifies license conflicts with company policies
- Automatic work item creation
- Bill of materials output
Benefits:
- Ensures policy compliance
- Provides visibility into software contents
- Minimizes the compliance burden on developers

Automated Open Source Compliance with Black Duck and RTC: Analysis, Alert, Remediation

Regulated Software Development: Say, Do, Prove
Implemented in process, configured in CLM, and proven by dashboards, reports and automated enforcement.
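The feature list above (identify components in a build, flag license conflicts with company policy, create work items, emit a bill of materials) is the analysis and alert half of the Analysis, Alert, Remediation flow. This added example, which is not Black Duck's product code, models those steps over constructed scan results; component identification itself (knowledge-base matching) is out of scope, and the component names, licenses and policy categories are assumptions.

```python
"""Open source policy check over a build's identified components.

Added example, not Black Duck's product code. It takes the components
identified in a build, flags license conflicts with company policy, raises
a work item per conflict, and emits a bill of materials. Component
identification itself (knowledge-base matching) is out of scope here;
components, licenses and the policy are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str   # SPDX-style identifier as reported by the scanner


# Constructed policy: approved for any use, allowed only after legal review,
# and everything else (including unidentified licenses) denied.
POLICY = {
    "approved": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "review_required": {"LGPL-2.1-only", "MPL-2.0"},
}


def classify(component: Component) -> str:
    """Map a component's license to its policy status."""
    if component.license in POLICY["approved"]:
        return "approved"
    if component.license in POLICY["review_required"]:
        return "review_required"
    return "denied"


def analyze_build(components) -> Tuple[List[Dict], List[Dict]]:
    """Return (work_items, bom): one work item per non-approved component,
    and a bill of materials covering every distinct component with its status."""
    work_items, bom = [], []
    for c in sorted(set(components), key=lambda x: (x.name, x.version)):
        status = classify(c)
        bom.append({"component": c.name, "version": c.version,
                    "license": c.license, "status": status})
        if status != "approved":
            work_items.append({
                "title": f"{c.name} {c.version}: license {c.license} is {status}",
                "component": c.name,
                # Denied licenses block the release; review items do not.
                "blocks_release": status == "denied",
            })
    return work_items, bom


# Constructed scan result for one build (one component is found twice).
SAMPLE_COMPONENTS = [
    Component("libfoo", "1.2.0", "Apache-2.0"),
    Component("barlib", "3.0.1", "GPL-3.0-only"),
    Component("bazutil", "0.9.4", "LGPL-2.1-only"),
    Component("libfoo", "1.2.0", "Apache-2.0"),
    Component("mysterypkg", "2.1", "NOASSERTION"),
]

if __name__ == "__main__":
    items, bom = analyze_build(SAMPLE_COMPONENTS)
    print(f"{len(bom)} components, {len(items)} work items")
    for item in items:
        print("  ", item["title"], "(blocker)" if item["blocks_release"] else "")
```

Treating an unidentified license as denied rather than unknown is what keeps the check fail-closed: a component the scanner could not resolve still produces a work item instead of silently passing.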


Q&A: Any questions? Feel free to contact us after the webinar: Nik Teshima, teshiman@ca.ibm.com; Phil Odence, podence@blackducksoftware.com