Segregation Of Duties

Segregation of Duties (SOD) is one of the biggest issues to hit IT organizations, especially those that have been in business for 40 years or more. Many of these organizations have open environments that have relied on developers to implement new code straight into production. Many organizations have no change management or change control tools to help strengthen and secure their development-to-production processes.
 
Compliance initiatives have done away with the same old procedures and now require organizations to maintain stronger and stricter control over their IT environments. Those that don’t make efforts at control end up with significant deficiencies called out by their auditors.
 
Accountability
All IT Organizations
 
Policy
All organizations will implement a SOD structure for managing infrastructure and applications at The Company. SOD roles and responsibilities are broken into two categories, one specific to Application groups and one specific to Infrastructure groups.
 
Application Roles & Responsibilities:
  • Developers
    A person who designs, writes and tests computer programs and their associated components. Developers have access to development and unit test environments. Developers are restricted from UAT and Production environments.
  • Maintenance
    A person who designs, writes and tests computer programs and their associated components for applications already in production.
  • Testers
    A person who performs the final UAT testing prior to production implementation for an application and its components scheduled for deployment. This role covers activities for development, maintenance enhancements, or hotline fixes. Testers have access to test and release environments only. If designated by management as an implementer, a tester may also have access to production for deployment efforts.
  • Implementer
    A person who has been designated to deploy requested application objects to production from UAT. Implementers have access to release and production environments only. This role covers activities for development, maintenance enhancements, or hotline fixes.
 
Infrastructure Roles & Responsibilities:
  • Requestor / Developer
    A person who submits a request for service to an infrastructure team. This role might be filled by a vendor (as the developer of infrastructure software).
  • Infrastructure Engineer
    A person who manages infrastructure components from a system administration perspective. These people are responsible for maintaining infrastructure hardware, software, environment setup and security. May have access to all lifecycle environments.
  • Testers
    A person who tests infrastructure changes prior to deployment.
  • Deployer
    An Infrastructure Engineer (IEng) who deploys changes to a production environment.
 
SOD Role Implementations
No one person can fill all the roles and responsibilities listed above. There must be at least 2 people assigned to a task to comply with these regulatory requirements. A developer cannot test their own code in UAT and then deploy that code. A developer can hand off their code to a tester who will perform the final UAT test prior to production deployment. And that same person filling the role of a tester can deploy those components to production once deployment approval has been achieved.
 
Infrastructure changes for applications or users must have a corresponding request. Infrastructure changes that affect the baseline components established for a platform must be accompanied with a project plan established through The Company’s project management methodology.
 
Infrastructure projects must follow the same guidelines defined for application updates. At least 2 different people must be assigned to a task to comply with these regulatory requirements. IEngs who install and configure hardware and software cannot perform the final test of those items prior to deployment. Final tests must be accomplished by another independent IEng and/or a designated application representative who may be affected by the implementation of the product(s).
 
Infrastructure updates in support of application deployments must be tested by the application requester.
 
SOD Reporting:
All segregation of duties assignments must be recorded for ALL production changes in the corporate approved change management system. Assignments must be clearly defined in the notes of the change ticket, AND in the implementation and back out plans, which also must be attached to the change ticket.
 
Exemptions
Changes to application data through the use of a product or application transaction(s) are exempt from this process, for example using a console to manage job scheduling activities.