Comprehensive distributed software management policy and standards

10 pts.
Tags:
Compliance checklist
IT Compliance - Policies
Security management
Software Management
Could anyone share or provide input on a comprehensive distributed software management policy and standards that prohibit non-developer access to source code and prohibit developers from creating executable code and placing it in migration folders (which then can be moved to test and production)?

Software/Hardware used:
ClearCase, BMS, Endevor
ASKED: November 16, 2010  12:40 PM
UPDATED: November 17, 2010  4:48 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

Most companies have a ‘change control’ policy & procedure
to stop programmers form promoting programs (executables) without authorization.

But this has been a place of contention in all of the years I’ve been in this field. Someone always objects.

No, I cannot share our policies or our procedures.

We use the security packages in place on our different platforms to control programmer access to source code. (Years and years ago when I worked as an application programmer, I did share some source code with the user community. It was sort of a learning / teaching type of thing.)

The production level load modules (executables) need to reside in secure libraries / directories. Programmers should not have the ability to move programs into production. Programmers might place the executable into a ‘staging’ area, but only after proper approval by “change control” (meeting, signatures, user sign-off etc) does someone else (call this person ‘production control’) then move the program from the staging area into promotion / migration area (library, directory).

At the same time that the executable modules is moved, the source code is then checked back into the source code production library. Again, maybe by “production control”.

change control
separation of duties
no one single person can make a change

programmers are people. Can we all be trusted? Ever make mistakes? Intentional harm? Remember, most data thefts occur from INSIDE the organization.

Setting up these procedures is not trivial. But it must be done.

Discuss This Question:  

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following