Segregation of Duties (SOD) is one of the biggest issues to hit IT organizations. Especially for those that have been in business for 40 years or more. Companies typically start out with open environments that relied on developers to implement new code straight into production. Many organizations have no change management or change control tools to help strengthen and secure their development, testing, implementation into production and subsequent maintenance changes and emergency fix processes.
Compliance initiatives have done away with the same ole procedures and now require organizations to maintain stronger and more restrictive control over their IT environments. Those that don’t make efforts for control, end up with significant deficiencies called out by their auditors.
All IT Organizations
All organizations will implement a SOD structure for managing infrastructure and application management support processes at The Company.
Application Roles & Responsibilities
SOD roles and responsibilities are broken into two categories, one specific to Application groups and one specific to Infrastructure groups.
A person who designs, writes and tests computer programs and their associated components. Developers have access to development and unit test environments. Developers are restricted from User Access Test(UAT) and Production environments.
A person who designs, writes and tests computer programs and their associated components for applications already in a production.
A person who performs the final UAT testing prior to production implementation for an application and it’s components scheduled for deployment. This role covers activities for development, maintenance enhancements, or hotline fixes. Testers have access to test and release environments only. If designated and monitored by management as an implementer, a tester may also have access to production for deployment efforts.
A person who has been designated to deploy requested application objects to production from UAT. Implementers have access to release and production environments only. This role covers activities for development, maintenance enhancements, or hotline fixes.
Infrastructure Roles & Responsibilities
- Requestor / Developer
A person who submits a request for service to an infrastructure team. This role might be filled by a vendor (as the developer of infrastructure software).
- Infrastructure Engineer (IEng)
A person who manages infrastructure components from a system administration perspective. These people are responsible for maintaining infrastructure hardware, software, environment set up and security. May have access to all lifecycle except production environments. If designated and monitored by management as a Deployer, an IEng may also have access to production for deployment efforts.
A person who tests infrastructure changes prior to deployment.
An Infrastructure Engineer who deploys changes to a production environment. This role covers activities for development, maintenance enhancements, or hotline fixes.
SOD Role Implementations
No one person can fill all the roles and responsibilities listed above. There must be at least 2 people assigned to a task to comply with these regulatory requirements. A developer cannot test their own code in UAT and then deploy that code to production. A developer can hand off their code to a tester who will perform the final UAT test prior to production deployment. And that same person filling the role of a tester can deploy those components to production once deployment approval has been achieved.
Infrastructure changes for applications or users must have a corresponding request. Infrastructure changes that affect the baseline components established for a platform must be accompanied with a project plan established through The Company’s project management methodology.
Infrastructure projects must follow the same guidelines defined for application updates. At least 2 different people must be assigned to a task to comply with these regulatory requirements. IEngs who install and configure hardware and software, cannot perform the final test of those items prior to deployment. Final tests must be accomplished by another independent IEng and/or a designated application representative that may be affected by the implementation of the product(s).
Infrastructure updates in support of application deployments must be tested by the application requester.
All segregation of duties assignments must be recorded for ALL production changes in the corporate approved change management system. Assignments must be clearly defined in the notes of the change ticket, AND in the implementation and back out plans, which also must be attached to the change ticket.
Changes to application data through the use of a product or application transaction(s) are exempt from this process. Ie: using a console to manage job scheduling activities.
© 1997-2014 Springwolf, D.D., Ph.D., Springwolf’s Creations. All Rights Reserved.