IT Governance and Compliance in an Agile World

Establishing IT governance and compliance practices is essential for organizations that have regulatory or audit requirements. The good news is that you can be agile and still comply with Sarbanes-Oxley, CFR 21, HIPAA, and other regulatory imperatives. Done well, IT controls actually help you improve both productivity and quality. Bob Aiello describes how to implement IT controls in frameworks such as ISACA Cobit and ITIL v3, which many regulatory frameworks require, while maintaining agile practices. Bob's guidance includes specific examples of establishing IT controls: separation of duties, work-item to change-set traceability, physical and functional configuration audits, and more. Bob explains how these practices help government, defense, and corporations scale agile practices where audit and regulatory compliance is a must. In fact, Bob attests that a disciplined approach to agile can improve the productivity and quality of almost all agile development efforts.

  1. AW6 Concurrent Session, 11/7/2012, 2:15 PM
     "IT Governance and Compliance in an Agile World"
     Presented by: Bob Aiello, CM Best Practices Consulting
     Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073
     888-268-8770 · 904-278-0524 · sqeinfo@sqe.com · www.sqe.com
  2. Bob Aiello, CM Best Practices Consulting
     Bob Aiello is a consultant, editor-in-chief of CM Crossroads, and author of Configuration Management Best Practices: Practical Methods that Work in the Real World. He is a consultant and software engineer specializing in software process improvement, including software configuration and release management. He has more than twenty-five years of experience as a technical manager at top New York City financial services firms, where he held company-wide responsibility for configuration management. He is vice chair of the IEEE 828 Standards Working Group on CM Planning and a member of the IEEE Software and Systems Engineering Standards Committee (S2ESC) Management Board. Contact Bob at Bob.Aiello@ieee.org, via LinkedIn, or visit cmbestpractices.com.
  3. IT Governance and Compliance in an Agile World
     Bob Aiello, Principal Consultant and Author of Configuration Management Best Practices: Practical Methods that Work in the Real World
     http://www.linkedin.com/in/BobAiello
     http://cmbestpractices.com
     CM Best Practices Consulting © 2012
     Who am I?
     • CM Lead & Consultant for over 25 years
     • Editor-in-Chief at CM Crossroads
     • Author of CM Best Practices
     • IEEE Management Board
     • Tools and process agnostic
     • The guy the auditors call on!
     http://cmbestpractices.com © 2012 · November 7, 2012
  4. Books, Articles & Webcasts
     • Mike Huetterman – Agile ALM
     • Mario Moreira – Adapting Configuration Management for Agile Teams
     • Agile Journal
     • Developerworks
     • CM Journal
     • ALM Journal
     • ITSM Portal
     Published on Audit for Agile: Adapting Configuration Management for Agile Teams: Balancing Sustainability and Speed, by Mario Moreira. CM that is adapted to suit the continuous nature of change that Agile provides, without sacrificing the values of CM.
  5. Agile Configuration Management
     • Individuals and interactions over processes and tools
     • Working software over comprehensive documentation
     • Customer collaboration over contract negotiation
     • Responding to change over following a plan
     Agile World
     • Focus on individuals and interactions
     • Working software
     • Customer collaboration
     • Welcome change even late in the process
     • Rapid iterative development
  6. Agile Works!
     • Avoid documenting requirements we do not (yet) understand
     • Managing risk
     • Decisions at the last responsible moment
     • Honesty regarding what we know
     Test Cases at the NYSE
     • POS Displaybook used by the Specialist
     • Challenged the user rep to write test cases
     • In the first hour we determined that "what we have asked for is not what we want"
     • Examining milestone releases while writing test cases is essential!
  7. Agile Misconceptions
     • Coding without requirements
     • Lack of processes & tools
     • Lack of documentation
     • No contracts
     • No plans
     Goals of Agile CM
     • Rapidly build, package and deploy
     • Reliable and repeatable process
     • Traceability and forensics
     • Emergence of DevOps
  8. Characteristics of Agile CM
     • Customer-centric (which one?)
     • Rapid iterative development
     • Pragmatic approach to requirements
     • Support for testing
     • Collaborative communication
     • Role in the SCRUM
     Knight Capital
     • August 1st outage
     • Erroneously purchased 7 billion dollars of stock
     • Loss of 440 million dollars
     • Old software that was left on the system
     • Lack of DevOps
  9. Batman and Superheroes
     • Lucius Fox warns Batman about a possible malfunction in the autopilot for the "Bat"
     • Batman's own life depends upon the autopilot
     • Patch was documented by Bruce Wayne
     SEC Investigation
     • Lack of controls
     • Proper testing & process
     • Impact to shareholders
     • Impact to market
  10. Banks
     • Compliance with SOX
     • Office of the Currency - Treasury
     • FFIEC – Federal Financial Institutions Council
     • And government agencies…
     GAO
     • FDIC cited
     • Numerous government agencies cited
     • Lack of controls
     • Failing internal audit
  11. Agile Focus
     • Productivity
     • Quality
     • Did we mention working software?
     • Agile testing
     Deming – Build Quality In
     • Verification – meeting requirements
     • Validation – are the requirements correct?
     • Agility helps us build quality in from the beginning
     • Test cases and scripts are valuable artifacts
  12. IT Governance
     • IT Governance needs to be in alignment with corporate governance
     • Provides transparency
     • Helps senior management make the right decisions
     • Educate your boss!
     ISACA Board Briefing on ITG
     Fundamentally, IT governance is concerned about two things:
     • IT's delivery of value to the business
     • Mitigation of IT risks
     Source: www.isaca.org
  13. Compliance
     • Usually to regulatory requirements
     • Interpreted based upon frameworks such as Cobit
     • Financial reports need to be accurate
     Examples
     • Separation of controls
     • Steps are logged, including results
     • Traceable to the Change Request
     • Security measures to prevent unauthorized changes
     • Audit in place for intrusion detection
  14. What Are the Regs?
     • Section 404 of the Sarbanes-Oxley Act of 2002
     • HIPAA and CFR 21
     • SSAE 16 (formerly SAS 70)
     • Audit requirements
     What is Agile Process Maturity?
     • Adherence to the principles (purity)
     • Scalability (Scrum of Scrums)
     • Transparency and traceability
     • Coexistence with Non-Agile
     • Consider the items on the right
  15. Agile Process Maturity
     • Repeatable process
     • Tools matter
     • Adequate documentation
     • Contracts required
     • Gotta have a plan
     Emergence of DevOps
     • Agile Systems Administration
     • Critical with rapid iterative development
     • Development is not taking over Ops
     • Synergy of development and Ops
  16. Moving Upstream
     • Developing automated build, package and deployment early in the process
     • Starting in development
     • Developing the automation is a project itself
     • Using Agile principles
     Virtual Build Engineer
     • Separate Build Engineer Account
     • Completely automated
     • Provides traceability
     • Logging and reporting
  17. Agile Views
     What are some of the views of others in the Agile Community?
     Agile Release Train (ART)
     "Making each product a successful and routine event – an event that is indeed planned and eagerly anticipated, yet one that happens almost on autopilot."
     Dean Leffingwell's Agile Software Requirements, p. 299
  18. Deployment Pipeline
     "A deployment pipeline is … an automated implementation of your application's build, deploy, test and release process."
     Jez Humble and David Farley's Continuous Delivery, p. 3
     Aim of the Pipeline
     • Makes building, deploying, testing and releasing software visible to everyone involved
     • Improves feedback so that problems are identified, and so resolved, as early in the process as possible
     • Enables teams to deploy and release any version of their software to any environment at will through a fully automated process (p. 4)
  19. Antipatterns
     • Deploying Software Manually
     • Deploying to a Production-like environment only after Development is complete
     • Manual Configuration of Production Environments
     Continuous Deployment, p. 7 – 10
     Devops
     • Synergy of Agile & ITIL
     • Full lifecycle approach
     • Good communication to all stakeholders
     • Break down barriers
     • Don't forget separation of roles
  20. Dev/QA Focus
     • Development
     • QA & Testing
     • Operations
     • Self-Managing/Organizing Teams
     Sox Compliance
     • Section 404 of the Sarbanes-Oxley Act of 2002
     • Using ISACA Cobit 4.1
     • 34 high level IT controls
     • PCI compliance
     • SSAE 16 (formerly SAS-70)
  21. ISO 9001
     • Establishes the quality management system (QMS)
     • ISO 90003 is the software standard in the 9000 family of standards
     • Uses ISO 12207 (or 15288) to specify lifecycle processes
     • ISO 10007 for CM
     • IEEE 828, EIA 649-B, Mil Std coming!
     Which Standards?
     • IEEE 828 – CM Planning
     • EIA 649-A – Non-compliance
     • ISO 90003 to support QMS
     • Full lifecycle ISO 12207
     Tailor!
  22. Moving Upstream
     • Dev to CM to QA to Ops
     • Cross-functional focus
     • Speed up development
     • Build a great deployment architecture
     • Give it to Devs as a service!
     Frameworks
     • ITIL v3 including CMDBs, federated CMDBs, CMS, DML…
     • Cobit for SOX
     • CMMI ->>>> Agile
  23. Configuration Management
     • Configuration Identification
     • Status Accounting
     • Change Control
     • Configuration Audit
     Tracking and Controlling Changes to Configuration Items
     Your Agile Process
     • Should be Lean
     • Processes need to be reviewed
     • Tailor down or tailor up
     • More collaboration and consensus building
     • Use standards and frameworks
  24. Assessment
     • First step is to assess current practices: "As-Is"
     • Compare to industry standards and frameworks
     • Determine "To-Be"
     • Create a plan for improving your CM processes
     Plan for Improvement
     • Improve training and use cases for source code management
     • Improve build automation
     • Set up or improve continuous integration
     • Automate package and deployment
     • Create procedures for configuration audit
  25. IT Governance and Compliance in an Agile World
     Bob Aiello, Principal Consultant and Author of Configuration Management Best Practices: Practical Methods that Work in the Real World
     http://www.linkedin.com/in/BobAiello
     http://cmbestpractices.com
     CM Best Practices Consulting © 2012
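Two of the controls the deck calls for, work-item to change-set traceability with separation of duties (slide 13) and the physical configuration audit (slide 23), as an added Python example that is not part of Bob Aiello's presentation. The change-request register, commit log, build manifest and "deployed" artifact contents are constructed sample data; the commit-line format and control names are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample data (not from the presentation): a change-request
# register, a git-style log ("sha author [CR-id] message") and a build
# manifest beside what is actually sitting in the target environment.
CHANGE_REQUESTS = {
    "CR-1042": {"status": "approved", "approver": "carol"},
    "CR-1043": {"status": "open", "approver": None},
}
COMMIT_LOG = [
    "a1b2c3d alice CR-1042 Fix rounding in settlement report",
    "e4f5a6b bob   CR-1043 Add new fee schedule",
    "c7d8e9f carol CR-1042 Hotfix: correct column header",
    "0f1e2d3 dave  Refactor logging",
]
BUILD_MANIFEST = {"settle.jar": b"release-2.3.1 build output",
                  "fees.cfg": b"fee_schedule=v7"}
DEPLOYED = {"settle.jar": b"release-2.3.1 build output",
            "fees.cfg": b"fee_schedule=v6"}   # drifted from the build

COMMIT_RE = re.compile(r"^(\w+)\s+(\w+)\s+(?:(CR-\d+)\s+)?(.*)$")

def trace_commits(log, register):
    """Traceability and separation-of-duties check over a commit log.
    Returns (sha, finding) for every change set that fails a control."""
    findings = []
    for line in log:
        sha, author, cr, _ = COMMIT_RE.match(line).groups()
        if cr is None:                       # change set not tied to a work item
            findings.append((sha, "no change request referenced"))
        elif register.get(cr, {}).get("status") != "approved":
            findings.append((sha, f"{cr} is not approved"))
        elif register[cr]["approver"] == author:   # same person approved and coded
            findings.append((sha, f"{author} approved and committed {cr}"))
    return findings

def physical_config_audit(manifest, deployed):
    """Physical configuration audit: hash each deployed item and compare it
    with the hash of the build that should be there. Returns drifted names;
    an item missing from the environment is reported as drifted too."""
    digest = lambda blob: hashlib.sha256(blob).hexdigest()
    return sorted(name for name, blob in manifest.items()
                  if digest(deployed.get(name, b"")) != digest(blob))

if __name__ == "__main__":
    for sha, why in trace_commits(COMMIT_LOG, CHANGE_REQUESTS):
        print(f"{sha}: {why}")
    print("drifted:", physical_config_audit(BUILD_MANIFEST, DEPLOYED))
```

In a real pipeline the register would be read from the change-management tool and the deployed hashes collected by the separate build-engineer account, so that the audit evidence is produced by an identity other than the developers.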