Michael Solomon, CISSP PMP CISM


1 How to Make Auditors Happy (and You Happy Too)
Michael Solomon, CISSP PMP CISM

2 Session Agenda
- Overview
- All about auditing and what fun it is (or not)
- What auditing demands and the ideal solution
- Selecting the right tools
- Version Control vs. Software Configuration Management
- How SCM can make both you and your auditors happy
- Questions
2011 Tugboat Software. All rights reserved.

3 All about auditing and what fun it is (or not)

4 Auditing is about managing risk
Auditing supports Enterprise Risk Management (ERM), which COSO defines as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
- The Committee of Sponsoring Organizations of the Treadway Commission

5 Governance is a necessary step
- Governance essentially provides monitoring of ERM
- Monitors both risk events and responses
- Risks are not always negative
- Governance includes responding to positive events
- Strategic in nature
- Requires that organizations show how activities support objectives

6 Auditing is a part of that step
Its purpose is to ensure the organization is on track. Similar to GPS tracking:
1. Preplan a route to a destination.
2. During the trip, detect current location.
3. Display current location.
4. If location is not on the selected route: update the route ("recalculating").

7 Auditing benefits you
- Compares performance to goals
- Each organization adheres to different types of goals: policies, standards, regulations, best practices
- Auditing helps organizations understand how well they meet goals
- Auditors are just looking for evidence of what happened

8 Our perception of auditing
- Poorly perceived
- Frustrating - points out deficiencies and failures
- Painful - uncomfortable to expose weaknesses
- Interruption - takes time away from producing a product

9 Skewed perception to myths
1. Regulatory compliance is the key outcome. Compliance is only a small part of audit goals; meeting organizational goals is the real target.
2. Audit results are only pass/fail. Fine-grained results are more valuable.
3. Auditing implies advanced technology. Sometimes the simple solutions work best.
4. Risks are separate from opportunities. It is important to identify both.

10 The reality of auditing
Done well, auditing can be positive:
- Reduces overall risk - identifying problems early makes addressing them easier
- Identifies opportunities - auditing results can help identify new productive directions
- Identifies variances from goals, both positive and negative - crucial for continuous improvement, necessary to reduce negative variances

11 The benefits of auditing
Improves: product quality, product visibility, product control, customer confidence
Decreases: rework, confusion, project risk

12 What auditing demands and the ideal solution

13 What auditing demands
1. Audit objective identification - what are you trying to do? In our context, manage the software development process.
2. Control selection - what tools will you use to reduce risk? Software configuration management tools.
3. Audit procedures - what information will the auditors need?
4. Audit evidence evaluation - how will auditors verify the controls meet the objectives?

14 The ideal solution: a proactive audit response that avoids redundancy

15 A proactive audit response
- Understand your organization's goals: policies, regulatory requirements, best practices
- Be ready to provide evidence of performance. You should already have project progress documentation. This is the key: just show how you met goals.
- Know how to show you are on track. Project management helps here; it is more than just being on schedule.

16 ...that avoids redundancy
- Capture evidence in the process: fresher information, quicker and more accurate
- Don't revisit completed work; it takes time to recall what was done in the past
- Use tools that collect evidence automatically; avoid any user interaction when possible
- Evidence should be a by-product of the normal process; avoid adding new processes just to create evidence

17 Version Control vs. Software Configuration Management

18 Selecting the right tools
- Does the final product meet its goals? Features, performance, cost
- Did the process meet its goals? Risk, quality

19 Change management tools
Many version control tools; fewer SCM tools. Most common tools for OpenEdge development (ordered from most basic to most sophisticated solution):
- CVS - version control
- Subversion - version control
- Mercurial - distributed source code control
- Roundtable TSMS - software configuration management

20 Version control
Version control (also known as source code control) is the process of tracking changes to source code. This is typically done by checking objects to be worked on out of a centralized repository and then back in when work is completed (distributed tools such as Mercurial give each developer a full repository clone instead, but still record every change). Version control is one aspect of software configuration management.

21 Software configuration management
Software Configuration Management is the discipline of managing the entire lifecycle of a software project. It creates a structure based on the principles of the manufacturing industry that delivers repeatable, high-quality production of software applications. Whereas version control is a check-in / check-out system, SCM is an assembly line for application development. As an assembly line, it can streamline and provide controls for (and evidence from) all stages in the development lifecycle, making it an ideal tool to satisfy auditors.

22 How SCM works
- Defines the process
- Applies controls
- Manages changes: who? what? when? why? revert back.
- Audits results

23 ...applied to every level
- Development environment
- Test environment
- Pre-production environment
- Partner source code (when applicable)
- Custom environment
- Deployment

24 What an SCM solution offers
SCM tools ease the process of evidence collection; the SCM process requires creating the evidence auditors need:
- Configuration identification information
- Version information for changes
- Change grouping to associate multiple changes with higher-level requests
- Build management and process flow evidence
SCM tracks answers to most questions auditors ask.
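As an added example (not code from the presentation or from Roundtable TSMS), the following Python turns a plain change log into the who/what/when/why evidence the two slides above describe, grouping individual changes under the higher-level task they belong to and flagging the gaps an auditor would ask about. The pipe-delimited log layout, the TASK-nnn subject convention, the constructed sample entries and the use of the committer field as an "approver" role are all assumptions made for this example.

```python
"""Added example: build audit evidence (who/what/when/why) from a change log.
Not code from the presentation or from Roundtable TSMS; the log format and
sample entries below are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log, one change per line. The assumed layout is
# id|author|committer|ISO-8601 date|subject, which is what
# `git log --format='%H|%an|%cn|%aI|%s'` prints for a git repository.
SAMPLE_LOG = """\
a1b2c3d|alice|bob|2011-05-02T09:14:00+00:00|TASK-101 fix rounding in invoice total
d4e5f6a|alice|alice|2011-05-02T10:30:00+00:00|TASK-101 add unit test for rounding
b7c8d9e|carol|bob|2011-05-03T15:02:00+00:00|TASK-102 new customer export report
e0f1a2b|dave|dave|2011-05-04T08:45:00+00:00|quick hotfix
"""

# Assumed convention: a change's subject starts with the task it belongs to.
TASK_RE = re.compile(r"^(TASK-\d+)\b")


@dataclass
class Change:
    change_id: str
    author: str      # who made the change
    approver: str    # who accepted it (assumed: the committer acts as approver)
    when: datetime   # when it was accepted
    reason: str      # why: the change subject, which should name a task


def parse_log(text: str) -> List[Change]:
    """Parse the pipe-delimited log into Change records."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        change_id, author, approver, when, reason = line.split("|", 4)
        changes.append(Change(change_id, author, approver,
                              datetime.fromisoformat(when), reason))
    return changes


def task_of(change: Change) -> Optional[str]:
    match = TASK_RE.match(change.reason)
    return match.group(1) if match else None


def group_by_task(changes: List[Change]) -> Dict[str, List[Change]]:
    """Associate each low-level change with its higher-level request."""
    groups: Dict[str, List[Change]] = defaultdict(list)
    for change in changes:
        groups[task_of(change) or "UNTRACKED"].append(change)
    return dict(groups)


def find_exceptions(changes: List[Change]) -> List[Tuple[str, str]]:
    """Evidence gaps an auditor will ask about: a missing 'why', and
    changes whose author and approver are the same person."""
    exceptions = []
    for change in changes:
        if task_of(change) is None:
            exceptions.append((change.change_id, "no task reference: the 'why' is missing"))
        if change.author == change.approver:
            exceptions.append((change.change_id, "author approved own change: no separation of roles"))
    return exceptions


def evidence_report(text: str) -> dict:
    """The on-demand report: changes per task, who/when per change, exceptions."""
    changes = parse_log(text)
    groups = group_by_task(changes)
    return {
        "tasks": {task: [c.change_id for c in cs] for task, cs in groups.items()},
        "who_when": {c.change_id: (c.author, c.approver, c.when.isoformat()) for c in changes},
        "exceptions": find_exceptions(changes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_report(SAMPLE_LOG), indent=2))
```

On the constructed sample, the report groups two changes under TASK-101 and one under TASK-102, puts the "quick hotfix" under UNTRACKED, and lists three exceptions: the hotfix has no task reference, and two changes were accepted by their own author. The point is that none of this required anyone to write anything for the auditor; it was all recoverable from the log the tool already kept.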

25 How an SCM solution can make both you and your auditors happy

26 Case study - One choice
Culligan chose Roundtable TSMS:
- A full-featured SCM solution (much more than just version control)
- Integrates evidence collection into ongoing processes; it manages the flow of all activities throughout the development lifecycle
- Provides many features, views, and reports for auditors, as well as for developers and managers

27 Case study - One choice
Culligan also got these benefits:
- OpenEdge integration
- Schema management
- Easily extensible - integrated bug tracking system with Roundtable
- Controlled promotion process: development, testing, production
- Tracks change responsibility and reason
- Robust security model to restrict activities

28 RTB Tasks
Roundtable tasks promote good workflow practices:
- Tracking work done
- Check-in groups of objects
- Visibility to management
- Keep track of concurrent work
- Visibility of other, related work

29 Task Lifecycle
Tasks follow a structured lifecycle:
1. Create task
2. Checkout/create objects
3. Modify objects
4. Compile objects
5. Check-in objects
6. Complete task
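An added example (not the presentation's or Roundtable's code) that models the task lifecycle above in Python, treating each step as a control point: an object cannot be checked out by two tasks at once (the concurrent-work point on the previous slide), check-in requires a successful compile, and a task cannot complete while it still holds objects. Every accepted transition appends an evidence record with who, what, when and why, which is what "evidence as a by-product of the normal process" looks like in practice. The task IDs, object names and the hypothetical Repository and Task classes are constructed for this example.

```python
"""Added example: a model of the task lifecycle with its control points.
Not the presentation's or Roundtable's code; task IDs, object names and the
classes below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ControlViolation(Exception):
    """A lifecycle step attempted out of order or against a locked object."""


@dataclass
class Task:
    task_id: str
    owner: str
    reason: str
    state: str = "created"
    # object name -> "out" (checked out), "compiled", or "in" (checked in)
    objects: Dict[str, str] = field(default_factory=dict)


@dataclass
class Repository:
    locks: Dict[str, str] = field(default_factory=dict)   # object -> task holding it
    tasks: Dict[str, Task] = field(default_factory=dict)
    evidence: List[dict] = field(default_factory=list)    # the audit trail

    def _record(self, task: Task, action: str, obj: Optional[str] = None) -> None:
        """Evidence is a by-product of each accepted step, never a separate chore."""
        self.evidence.append({
            "who": task.owner, "what": obj, "action": action,
            "when": datetime.now(timezone.utc).isoformat(),
            "why": f"{task.task_id}: {task.reason}",
        })

    def create_task(self, task_id: str, owner: str, reason: str) -> Task:
        if not reason.strip():
            raise ControlViolation("a task needs a stated reason")
        task = Task(task_id, owner, reason)
        self.tasks[task_id] = task
        self._record(task, "create")
        return task

    def checkout(self, task_id: str, obj: str) -> None:
        task = self.tasks[task_id]
        if task.state == "complete":
            raise ControlViolation(f"{task_id} is complete; open a new task")
        holder = self.locks.get(obj)
        if holder is not None and holder != task_id:
            raise ControlViolation(f"{obj} is checked out by {holder}")
        self.locks[obj] = task_id
        task.objects[obj] = "out"
        task.state = "in progress"
        self._record(task, "checkout", obj)

    def compile(self, task_id: str, obj: str, ok: bool) -> None:
        task = self.tasks[task_id]
        if task.objects.get(obj) != "out":
            raise ControlViolation(f"{obj} is not checked out under {task_id}")
        task.objects[obj] = "compiled" if ok else "out"
        self._record(task, "compile-ok" if ok else "compile-failed", obj)

    def checkin(self, task_id: str, obj: str) -> None:
        task = self.tasks[task_id]
        if task.objects.get(obj) != "compiled":
            raise ControlViolation(f"{obj} must compile before check-in")
        task.objects[obj] = "in"
        del self.locks[obj]
        self._record(task, "checkin", obj)

    def complete(self, task_id: str) -> None:
        task = self.tasks[task_id]
        pending = [o for o, s in task.objects.items() if s != "in"]
        if pending:
            raise ControlViolation(f"objects still checked out: {pending}")
        task.state = "complete"
        self._record(task, "complete")


def run_demo():
    """Walk one task through the lifecycle and collect the rejected steps."""
    repo = Repository()
    repo.create_task("TASK-101", "alice", "fix rounding in invoice total")
    repo.create_task("TASK-102", "carol", "new customer export report")
    repo.checkout("TASK-101", "invoice.p")
    violations = []
    for step in (lambda: repo.checkout("TASK-102", "invoice.p"),  # concurrent work
                 lambda: repo.checkin("TASK-101", "invoice.p"),   # compile skipped
                 lambda: repo.complete("TASK-101")):              # object still out
        try:
            step()
        except ControlViolation as exc:
            violations.append(str(exc))
    repo.compile("TASK-101", "invoice.p", ok=True)
    repo.checkin("TASK-101", "invoice.p")
    repo.complete("TASK-101")
    return repo, violations


if __name__ == "__main__":
    repo, violations = run_demo()
    print("rejected:", *violations, sep="\n  ")
    print("evidence:", *(f"{e['action']} {e['what'] or ''} by {e['who']} ({e['why']})"
                         for e in repo.evidence), sep="\n  ")
```

The three rejected steps never reach the evidence list, so the trail contains only what actually happened: two task creations, one checkout, one successful compile, one check-in and one completion, each stamped with the owner and the task's stated reason. A real SCM tool adds authentication, environment promotion and reporting on top of this, but the control points are the same.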

30 RTB Object Checkout

31 RTB Development

32 RTB History View

33 SCM Records
- SCM Plan - high-level document that includes responsibilities, process, and configuration descriptions
- Schedule - list of scheduled SCM activities
- Change Request Plan - procedure for handling all change requests
- Change Configuration Board - operating procedures and minutes
- Audit results - how evidence supports, or is in contrast to, goals
- Ongoing communication (e-mails, reports, etc.)

34 Case study - Results
Happy auditors:
- On-demand reports of all changes
- Separation of roles

35 Case study - Results
Happy managers:
- Controlled schema
- Work-in-process visibility
- Bug tracking integration means it is easy to relate bugs to fixes
- Simpler code promotion process
Happy developers:
- Easier to avoid conflicts with multiple programmers working
- Easy to get tons of information about objects

36 Summary
- Happy auditors don't have to create their own input; the process is more like a check-up than an attack
- Prepare for an audit in every activity: you will create better evidence and clear procedures
- Select the tools that support and enhance your process and create the evidence auditors want

37 Questions
For more information about Roundtable TSMS, visit