Headlines

ChangeMan

IT Governance: Business in the Driver's Seat - MKS is selected by BNSF as a primary compliance tool; the need for independent detective controls within Change/Configuration Management

Proving Control of the Infrastructure: Tripwire

Application Lifecycle Framework offers 'no problem' for local developers - Serena in New Zealand

IIA on Change and Patch

COSO - PowerPoint provided by ERM (COSO ERM)

ISACA - Aligning CobiT, ITIL and ISO - you really have to read this!

An Introduction to Visible Ops

ITSM Best Practices Online™


Detailed guidance from Charles Le Grand, CISA, CIA. We strongly recommend visiting Ouncelabs and taking advantage of this free download.


Mercury Interactive products from Spectrum Systems: Mercury IT Governance Center - govern IT strategy and execution in real time, digitize IT's business processes from demand to production, and achieve rapid ROI via a scalable, extensible and modular architecture. Mercury IT Governance Center provides the first integrated transaction system for IT; Mercury IT Governance Services help implement and realize it. www.spectrum-systems.com/mercury.htm (Nov 14, 2005)


ISACA Journal on Standards Convergence

ISACA's standards, guidelines and procedures, issued in 2005 by the Standards Board of the Information Systems Audit and Control Association


OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information.


COSO Guidance for Small Businesses: new publication, Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting. This guidance, which serves as a supplement to COSO's Internal Control - Integrated Framework, originally published in 1992, focuses on the unique needs of smaller public companies in regard to compliance with Sarbanes-Oxley (SOX) section 404.


Change Management - Enterprise Change - Product Change - Software Development

View process samples: Software Development, Product Lifecycle Management, Design and Construction, and Business Systems Process Change (i.e., R3, EMS, CMS, HR and Payroll, e.g. SAP)

No matter the intent or the urgency, every technology and event lifecycle must pass the same key control checkpoint known as "change". In mature organizations, a change cannot happen unless proper authorization, documentation, baseline and planned configuration meet established quality indicators. True change management protects the enterprise. It is a part of every department and embedded in the culture. Compliance products align requirements with controls and are the means to a controlled, quality business end. Everything else is noise.

These overview flow diagrams highlight key Change Management processes and controls. Developed with years of process experience, they represent 90% of any company's change management practice.

This section includes best-product suggestions in several distinct areas of Software, Product and Enterprise change management. We will not list a product unless our clients have used it with success.

(Also see: Secure the Configuration and VISOPS for highlights regarding Tripwire and ITPI)


Product Change means Software Change, and with it, unique control procedures:


Lots of communication, skilled technology personnel, prioritization and business thinking go into any software product. Ever wonder why so many fail, while some companies consistently deliver quality code and service?

We have found three companies with products that are MUSTS in enterprise change, software development and network security compliance. Depending on needs, size and existing resources, clients may use one or more of the products from these three over-the-top, fantastic vendors. MKS and Serena are given space in this section, and Tripwire is highlighted in the sections titled Security and Configuration and in areas of ICT Infrastructure Management.

Here are some of the challenges in managing software design. Triangles carry CobiT® control ID indicators and represent audited control points.


Meeting the SDLC challenge:

MKS Integrity Suite 2005 – One Solution, One Architecture, Total Visibility. Distinguished for its flexibility, ease of use and low total cost of ownership, MKS provides a powerful enterprise SCM solution that supports compliance initiatives while delivering practical productivity improvements. "Right-weight" requirements management, a management dashboard for charting, reporting and metrics, electronic signature support, audit logging and continuous process flow through all stages of the SDLC provide the foundation for global visibility and auditability of the software change process. In addition, MKS offers the most technologically advanced solution for real-time global team collaboration, refactoring and component reuse on the market today.

(We promote MKS because we see our clients building their infrastructure and controlling their development practice, producing quality products and fully managing approval and change lifecycles.  The end users get the product and the implementation is fairly painless.) 

Mitigate Risk with ‘Right Weight’ Requirements Management

  • Built as an extension of MKS’s enterprise software configuration management solution and as a core part of the development process
  • Seamless connection and real time information flow between business & development
  • Automatic triggering of "suspect" requirements and development tasks shows real time impact of requirements change between business users and developers
  • Intuitive and easy to use

Flexible Process & Workflow Management

  • Adaptable to any methodology or development process
  • Increase productivity and repeatability with improved process automation
  • Easy and fast implementation with ready-made, best-practice process templates
  • Seamlessly integrated with MKS Source Integrity for process-centric SCM via change packages
  • Leverage existing technology investments with multiple platform support, including Windows, UNIX, Linux, iSeries (AS/400), zSeries (mainframe)
  • Ease administration of change management and decrease total cost of ownership
  • Deep integrations via Open API

Gain Visibility with Management Dashboard, Charting, Reporting and Metrics

  • Visibility across your entire IT organization
  • Visibility across distributed, iSeries and mainframe platforms
  • Visibility across every phase of the development lifecycle
  • Drill down into the details from a requirement right through to line of code change
  • No manual data entry – detailed metrics flow from day-to-day system use

Real-Time Global Team Collaboration with MKS Federated Server™ Architecture

  • Keeps entire team informed of progress and communicating on shared software projects
  • Avoids coding conflicts
  • Significantly reduces administrative overhead through management of centralized repository
  • Enables improved management control over offshore and outsourced projects
  • Improves management visibility into global development activities

MKS Build & Deployment

  • Reduce costs by using a single tool to deploy across multiple platforms
  • Maintain deployment consistency and quality with repeatable processes
  • Eliminate errors by automating manual processes
  • Save money by leveraging your investment in existing build utilities such as ANT and Openmake


MKS Integrated Process

What Auditors LOVE to see

Software Development using CobiT 4.0

How companies can document and track as a by-product of program responsibilities...

Serena and specialized services for SAP Roles and Change Control

We've witnessed the power of their success with clients like Siemens US/ AG and AON.


Boost Profitability with Serena's Enterprise Change Management

Case Study: Guardian Life


ECM Products

About ChangeMan™

The Challenge
The software engines that drive today's complex enterprises run in multi-tier, multi-platform environments. Often, you must deploy changes to a diverse network of Web, distributed and legacy systems all at once, and at a faster pace than ever before. If not managed properly, the introduction of complex new applications can be seriously delayed, or worse yet, trigger downtime of existing mission-critical applications. The ability to quickly and automatically deploy software from multiple organizations, sources and contributors - and make them all work together - is vital to your success.

The Solution
In response to these challenges, Serena Software is setting the standard for Enterprise Change Management (ECM), the management of enterprise application code and Web content changes. Today, Serena leads the way in ECM by providing a single point of control to manage software code and Web content changes throughout the enterprise, from the mainframe to the Web.

Serena Software products are built on an open architecture and were designed from the ground-up for interoperability and platform independence. The products consist of change management solutions for all major operating environments: mainframe, distributed systems and the Web.

The ChangeMan family also includes application lifecycle management solutions and a change portal that provides enterprise-wide search, reporting and approval capabilities over a Web browser. Built to work together as a flexible, integrated solution, the Serena ChangeMan products automate and enforce sound software development processes that have been proven to ensure application integrity.

Why Phoenix Partners with Serena, MKS and Tripwire...

  • Audit compliance [regulatory] - each product has unique benefits based on client needs
  • Automating manual processes [productivity] according to approved workflow, and change control automation, are minimum requirements for continuous compliance
  • Better visibility and control of software change is the baseline for all forms of risk management
  • Concurrent development challenges [risk management and productivity]
  • The need to consolidate multiple, disparate SCM processes is common to all organizations
  • It is necessary for risk management and aligned with achievement in all areas of increased productivity

Why bring in Chartered Accountants from around the world?

Audit specialization is as important as any other form of technical, legal or even medical practice. Be it service automation or a specific financial platform, audit is not for the novice. It takes industry experience to meet our criteria for platform-specific, regulatory-specific or technology-specific audit. We meet this challenge via partner organizations. One such partner is Sify.


SAP Technical Services

SAP audits include issues of availability and performance as balanced against controls and configuration requirements. Sify offers a range of SAP support services. SAP services from Sify are designed to supplement internal SAP IT resources and the support you get directly from SAP, while leveraging the offshore advantage.

Utilizing SAP and SERENA Change Management application controls, PB&SP can coordinate any form of audit, audit readiness, program or remediation with regard to SAP and IT Audit controls.

Sify's SAP Technical Services include:

  • SAP Security Services
  • SAP Netweaver Service

No such thing as change without baseline ... Configuration Management and CMDB

Cendura - CMDB


Tripwire - Enterprise Infrastructure Change Management


Approva Bizrights - Transaction based financial models, exception and alignment reporting


PB&SP has been participant and witness to stellar SAS 70 reports achieved by organizations whose core product involves software development managed largely by Merant products. In addition to Tripwire, MKS and EMC driven compliance programs, TeamTrack and TestDirector (quality management and software test assurance) allowed for rapid process documentation and evidence of controls, test of controls and thresholds for adequate and consistent alignment to the measures of highly mature IT programs. Training and resource overhead appeared minimal, and evidence of controls was very easy to ascertain. Way to go, TestDirector. You make compliance "not so bad".

Using Tripwire to manage compliance and reduce risk as defined by CobiT and COSO...the movie

Compliance Toolbox - Audit Tools

How big is your audit universe?

Controls go far beyond the requirements of the Sarbanes-Oxley Act, and they are no longer just an "auditor's problem". The days of fighting for budget to "Optimize IT" are long gone, and everyone has one single mission: "Compliance".

What is compliance?  If this is the question that strikes fear in your heart, consider "The Perils of Must Read™" as part medicine and anecdote.

Compliance is a universe of constraints enforcing business and technology practice aligned to minimally acceptable product, service and financial benchmarks, consumer and citizen safety, and continuous availability of critical resources as mandated by US and world governments. Considerations for HIPAA, the USA PATRIOT Act, Gramm-Leach-Bliley, FISMA/eGovernment, OMB Circulars (various, such as A-119 and A-130), Executive Directives and DCIDs can't be limited to government, federal and financial programs. Businesses work in tandem, weaving regulatory issues via ecommerce, outsourcing and third-party services, such that any law has implications across multiple industries and business classifications. Laws like the Clinger-Cohen Act, the Paper Reduction Act, Basel I and II, European Union privacy laws and Safe Harbor Principles, the California Security Breach Notice Law as well as emerging bills with similar guidelines, SEC Rule 17a-4, NARA regulations for federal records management, SEC CFR 17 Rule no. 16900 affecting Clearing Corporations, the National Strategy to Secure Cyberspace and many associated Public Laws and Government guidelines (especially those affecting security programs and implementation of appropriate standards such as the various FIPS) are all a part of our audit universe. The PB&SP toolbox is a list of applications and industry tools, with special attention to the better companies and materials, as found most successfully implemented among our clients.

Have you narrowed and refined your RegWatch™?

  • Data management, including evidence and confidentiality protection
  • Strategy to align privacy, freedom of information and data-driven retention
  • Information consolidation via templates, BPEL, lifecycle management, constrained interfaces and workflow
  • Security policy for people, process and technology
  • Effective message and email management
  • Data backup, retrieval and storage, from process to solutions
  • Auditing, internal auditing, continuous audit and computer-assisted audit techniques
  • Process and program models, benchmarking and training
  • Conformity assessment and support in achieving certification
  • Service organizations providing long-term support for specialized areas (SAP/PeopleSoft) in compliance management
  • Interpreted dashboards and compliance reporting tools
  • Various government and industry risk guidelines and models for disclosure

...more links in the security and IT resources section

Special thanks to Bruce I. Winters for his article "Compliance: Choose the Right Tools for Internal Control Reporting". New federal regulations require public companies to assess the effectiveness of their internal control structure and financial reporting procedures; complex software is essential to such analysis, and the article explains how to determine what kind is needed and how it should link to, or replace, a company's existing systems. Thanks also to Dan Swanson and the ISACA List Serve Community. Special thanks to the IIA and again, especially, Dan Swanson, CIA, CMA, CISA, CISSP, CAP, who co-authored with others mentioned on every page of this site during his long and productive career as Director of Professional Practices, The Institute of Internal Auditors. He frequently writes on IT audit, IT security and various management practices. He is a past Winnipeg chapter president for both the IIA and ISACA and chaired ISACA International's publication committee for two years. Swanson has also served on the Board of Directors of the IIA.


ITGI is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association® (ISACA®), a global not-for-profit professional membership organization focused on IT governance, assurance and security, with more than 47,000 members in more than 140 countries. ITGI undertakes research and publishes CobiT®, an open standard and framework of controls and best practice for IT governance. www.itgi.org

The following text is directly quoted from ITGI, starting at page 6 of "Aligning CobiT®, ITIL and ISO 17799 for Business Benefit", © ITGI 2005:

OGC is a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL (IT service management). ITIL is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management. www.ogc.gov.uk


Logos belong to affiliated organizations and indicate PB&SP support and sponsorship/membership. Use of logos is based on written agreement with the third party. They are not meant to imply ownership, creation or collaboration in any product. We stand behind experience and consensus among our clients to suggest that these highlighted products and organizations are the best audit and compliance resources in the world. We are not paid to advertise and we do not sell software. We stand behind their greatness because we witness their results.