IT Governance and Compliance in an Agile World · 2013-08-25

AW6 Concurrent Session, 11/7/2012, 2:15 PM

"IT Governance and Compliance in an Agile World"

Presented by: Bob Aiello, CM Best Practices Consulting

Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073 · 888-268-8770 · 904-278-0524 · [email protected] · www.sqe.com

Bob Aiello, CM Best Practices Consulting

Bob Aiello is a consultant, editor-in-chief of CM Crossroads, and author of Configuration Management Best Practices: Practical Methods that Work in the Real World. He is a software engineer specializing in software process improvement, including software configuration and release management. He has more than twenty-five years of experience as a technical manager at top New York City financial services firms, where he held company-wide responsibility for configuration management. He is vice chair of the IEEE 828 Standards Working Group on CM Planning and a member of the IEEE Software and Systems Engineering Standards Committee (S2ESC) Management Board. Contact Bob at [email protected], via LinkedIn, or visit cmbestpractices.com.

IT Governance and Compliance in an Agile World

Bob Aiello, Principal Consultant and Author of Configuration Management Best Practices: Practical Methods that Work in the Real World

http://www.linkedin.com/in/BobAiello
http://cmbestpractices.com

CM Best Practices Consulting © 2012

Who am I?

• CM Lead & Consultant for over 25 years
• Editor-in-Chief at CM Crossroads
• Author of CM Best Practices
• IEEE Management Board
• Tools and process agnostic
• The guy the auditors call on!

November 7, 2012 http://cmbestpractices.com © 2012

Books, Articles & Webcasts

• Michael Hüttermann – Agile ALM
• Mario Moreira – Adapting Configuration Management for Agile Teams
• Agile Journal
• Developerworks
• CM Journal
• ALM Journal
• ITSM Portal

Published on audit for Agile: Adapting Configuration Management for Agile Teams: Balancing Sustainability and Speed, by Mario Moreira

CM that is adapted to suit the continuous nature of change that Agile provides, without sacrificing the values of CM.

Agile Configuration Management

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

Agile World

• Focus on individuals and interactions
• Working software
• Customer collaboration
• Welcome change, even late in the process
• Rapid iterative development

Agile Works!

• Avoid documenting requirements we do not (yet) understand
• Managing risk
• Decisions at the last responsible moment
• Honesty regarding what we know

Test Cases at the NYSE

• POS Displaybook used by the Specialist
• Challenged the user rep to write test cases
• In the first hour we determined that "what we have asked for is not what we want"
• Examining milestone releases while writing test cases is essential!

Agile Misconceptions

• Coding without requirements
• Lack of processes & tools
• Lack of documentation
• No contracts
• No plans

Goals of Agile CM

• Rapidly build, package and deploy
• Reliable and repeatable process
• Traceability and forensics
• Emergence of DevOps

Characteristics of Agile CM

• Customer-centric (which one?)
• Rapid iterative development
• Pragmatic approach to requirements
• Support for testing
• Collaborative communication
• Role in the Scrum

Knight Capital

• August 1st outage
• Erroneously purchased 7 billion dollars of stock
• Loss of 440 million dollars
• Old software that was left on the system
• Lack of DevOps

Batman and Superheroes

• Lucius Fox warns Batman about a possible malfunction in the autopilot for the "Bat"
• Batman's own life depends upon the autopilot
• Patch was documented by Bruce Wayne

SEC Investigation

• Lack of controls
• Proper testing & process
• Impact to shareholders
• Impact to market

Banks

• Compliance with SOX
• Office of the Comptroller of the Currency (OCC) – Treasury
• FFIEC – Federal Financial Institutions Examination Council

And government agencies…

GAO

• FDIC cited
• Numerous government agencies cited
• Lack of controls
• Failing internal audit

Agile Focus

• Productivity
• Quality
• Did we mention working software?
• Agile testing

Deming – Build Quality In

• Verification – are we meeting the requirements?
• Validation – are the requirements correct?
• Agility helps us build quality in from the beginning
• Test cases and scripts are valuable artifacts

IT Governance

• IT governance needs to be in alignment with corporate governance
• Provides transparency
• Helps senior management make the right decisions
• Educate your boss!

ISACA Board Briefing on ITG

Fundamentally, IT governance is concerned about two things:
• IT's delivery of value to the business
• Mitigation of IT risks

Source: www.isaca.org

Compliance

• Usually to regulatory requirements
• Interpreted based upon frameworks such as COBIT
• Financial reports need to be accurate

Examples

• Separation of controls
• Steps are logged, including results
• Traceable to the Change Request
• Security measures to prevent unauthorized changes
• Audit in place for intrusion detection

What Are the Regs?

• Section 404 of the Sarbanes-Oxley Act of 2002
• HIPAA and 21 CFR
• SSAE 16 (formerly SAS 70)
• Audit requirements

What is Agile Process Maturity?

• Adherence to the principles (purity)
• Scalability (Scrum of Scrums)
• Transparency and traceability
• Coexistence with non-Agile
• Consider the items on the right

Agile Process Maturity

• Repeatable process
• Tools matter
• Adequate documentation
• Contracts required
• Gotta have a plan

Emergence of DevOps

• Agile systems administration
• Critical with rapid iterative development
• Development is not taking over Ops
• Synergy of development and Ops

Moving Upstream

• Developing automated build, package and deployment early in the process
• Starting in development
• Developing the automation is a project itself
• Using Agile principles

Virtual Build Engineer

• Separate build engineer account
• Completely automated
• Provides traceability
• Logging and reporting
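The controls listed on the "Examples" slide (separation of controls, every step logged with its result, traceability to the change request, measures against unauthorized changes) and the "Virtual Build Engineer" slide (a separate build account that logs and reports) can be shown together in a small script. The following is an added example written for this page, not code from the presentation or from CM Best Practices Consulting. The account name `build-svc`, the change request IDs, the user names and the step actions are all constructed for illustration.

```python
"""Added example (not from the presentation): a change-controlled step log.

It models the controls the 'Examples' and 'Virtual Build Engineer' slides
list: a change must be approved by someone other than its requester
(separation of roles), every build/deploy step runs under a dedicated
build account and is logged with its result, each record carries the
change request ID, and records are hash-chained so later edits to the
log are detectable.  Names, IDs and the step actions are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, List, Optional

BUILD_ACCOUNT = "build-svc"  # assumed name of the separate build-engineer account


class ChangeControlError(Exception):
    """Raised when an action would violate the change-control rules."""


@dataclass
class ChangeRequest:
    cr_id: str
    requested_by: str
    approved_by: Optional[str] = None


def _digest(rec: dict) -> str:
    """SHA-256 over every field except the digest itself, in a canonical form."""
    body = {k: v for k, v in rec.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only, hash-chained record of every executed (or refused) step."""
    records: List[dict] = field(default_factory=list)

    def append(self, **fields) -> dict:
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        rec = dict(fields, seq=len(self.records), prev=prev)
        rec["digest"] = _digest(rec)
        self.records.append(rec)
        return rec


def can_approve(cr: ChangeRequest, approver: str) -> bool:
    """Separation of roles: the requester may not approve their own change."""
    return approver != cr.requested_by


def approve(cr: ChangeRequest, approver: str) -> None:
    if not can_approve(cr, approver):
        raise ChangeControlError(f"{approver} cannot approve their own {cr.cr_id}")
    cr.approved_by = approver


def run_step(log: AuditLog, cr: ChangeRequest, step: str,
             action: Callable[[], object]) -> bool:
    """Run one pipeline step under the build account and log its outcome.

    Returns True on success.  An unapproved change is refused, and the
    refusal itself is logged so the attempt stays traceable.
    """
    if cr.approved_by is None:
        log.append(cr=cr.cr_id, actor=BUILD_ACCOUNT, step=step,
                   result="refused", detail="change request not approved")
        return False
    try:
        output = action()
        log.append(cr=cr.cr_id, actor=BUILD_ACCOUNT, step=step, result="ok",
                   detail=str(output), approved_by=cr.approved_by)
        return True
    except Exception as exc:  # record the failure rather than hide it
        log.append(cr=cr.cr_id, actor=BUILD_ACCOUNT, step=step, result="failed",
                   detail=f"{type(exc).__name__}: {exc}", approved_by=cr.approved_by)
        return False


def verify_log(log: AuditLog) -> bool:
    """Audit check: every record still matches its digest and the chain is unbroken."""
    prev = "0" * 64
    for i, rec in enumerate(log.records):
        if rec["seq"] != i or rec["prev"] != prev or _digest(rec) != rec["digest"]:
            return False
        prev = rec["digest"]
    return True


if __name__ == "__main__":
    cr = ChangeRequest("CR-1001", requested_by="alice")     # constructed
    log = AuditLog()
    run_step(log, cr, "build", lambda: "app-1.2.3.tar.gz")  # refused: not yet approved
    approve(cr, "bob")
    run_step(log, cr, "build", lambda: "app-1.2.3.tar.gz")
    run_step(log, cr, "deploy", lambda: 1 / 0)              # simulated failing step
    for rec in log.records:
        print(rec["seq"], rec["cr"], rec["actor"], rec["step"], rec["result"], rec["detail"])
    print("log intact:", verify_log(log))
```

The hash chain is what makes the log useful to an auditor: a record changed after the fact no longer matches its digest, and a record deleted from the middle breaks the `prev` link of its successor. In a real pipeline the log would be written somewhere the build account can only append to, so that the account executing the steps cannot also rewrite the evidence of what it did.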

Agile Views

What are some of the views of others in the Agile community?

Agile Release Train (ART)

Making each product a successful and routine event – an event that is indeed planned and eagerly anticipated, yet one that happens almost on autopilot.

Dean Leffingwell's Agile Software Requirements, p. 299

Deployment Pipeline

A deployment pipeline is … an automated implementation of your application's build, deploy, test and release process.

Jez Humble and David Farley's Continuous Delivery, p. 3

Aim of the Pipeline

• Makes building, deploying, testing and releasing software visible to everyone involved
• Improves feedback so that problems are identified, and so resolved, as early in the process as possible
• Enables teams to deploy and release any version of their software to any environment at will through a fully automated process (p. 4)

Antipatterns

• Deploying software manually
• Deploying to a production-like environment only after development is complete
• Manual configuration of production environments

Continuous Delivery, pp. 7–10

DevOps

• Synergy of Agile & ITIL
• Full lifecycle approach
• Good communication to all stakeholders
• Break down barriers
• Don't forget separation of roles

Dev/QA Focus

• Development
• QA & Testing
• Operations
• Self-managing/organizing teams

SOX Compliance

• Section 404 of the Sarbanes-Oxley Act of 2002
• Using ISACA COBIT 4.1
• 34 high-level IT controls
• PCI compliance
• SSAE 16 (formerly SAS 70)

ISO 9001

• Establishes the quality management system (QMS)
• ISO 90003 is the software standard in the 9000 family of standards
• Uses ISO 12207 (or 15288) to specify lifecycle processes
• ISO 10007 for CM
• IEEE 828, EIA 649-B, Mil Std coming!

Which Standards?

• IEEE 828 – CM Planning
• EIA 649-A – Non-compliance
• ISO 90003 to support QMS
• Full lifecycle: ISO 12207

Tailor!

Moving Upstream

• Dev to CM to QA to Ops
• Cross-functional focus
• Speed up development
• Build a great deployment architecture
• Give it to Devs as a service!

Frameworks

• ITIL v3, including CMDBs, federated CMDBs, CMS, DML…
• COBIT for SOX
• CMMI -> Agile

Configuration Management

• Configuration Identification
• Status Accounting
• Change Control
• Configuration Audit

Tracking and controlling changes to configuration items
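Two of the four CM functions above, configuration identification and configuration audit, are mechanical enough to script, and together they catch the failure mode the Knight Capital slide describes: software that should no longer be on the system but is. The following is an added example written for this page, not code from the presentation or from any CM tool. The release tree, the file contents and the drift applied to them are constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the presentation): a configuration audit.

Configuration identification records every file of an approved release
with its SHA-256 hash; a configuration audit later compares what is
actually on the server against that baseline and reports files that are
missing, modified, or present without authorization (the 'old software
left on the system' case).  The release tree and the drift below are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Configuration identification: relative path -> SHA-256 for every file."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit_tree(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Configuration audit: compare the deployed tree with the approved baseline.

    'unauthorized' is the interesting bucket for the Knight Capital case:
    a file on the server that no approved release accounts for.
    """
    actual = build_manifest(root)
    common = baseline.keys() & actual.keys()
    return {
        "missing": sorted(baseline.keys() - actual.keys()),
        "modified": sorted(p for p in common if baseline[p] != actual[p]),
        "unauthorized": sorted(actual.keys() - baseline.keys()),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean release, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Approved release (constructed file names and contents).
        _write(root, "bin/router", b"router build 1.2.3\n")
        _write(root, "conf/app.ini", b"new_feature=on\n")
        _write(root, "lib/helper.so", b"\x7fELF stub\n")
        baseline = build_manifest(root)  # identification at release time

        # Drift on the server after the release.
        _write(root, "bin/legacy_handler", b"retired code never removed\n")  # stale module
        _write(root, "conf/app.ini", b"new_feature=off\n")                   # hand edit
        (root / "lib/helper.so").unlink()                                    # lost file

        return audit_tree(root, baseline)  # audit before the system goes live


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The baseline manifest is itself a configuration item: it should be produced by the automated build, stored with the release record that is traceable to the change request, and never regenerated from the server being audited, otherwise the audit only proves that the server agrees with itself.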

Your Agile Process

• Should be lean
• Processes need to be reviewed
• Tailor down or tailor up
• More collaboration and consensus building
• Use standards and frameworks

Assessment

• First step is to assess current practices ("As-Is")
• Compare to industry standards and frameworks
• Determine "To-Be"
• Create a plan for improving your CM processes

Plan for Improvement

• Improve training and use cases for source code management
• Improve build automation
• Set up or improve continuous integration
• Automate package and deployment
• Create procedures for configuration audit
