IT Governance for Lotus Notes: Segregation of Duties--Part 1

One of the key tenets of many IT governance initiatives is segregation of duties. The basic concept is that no single person should ever control an entire process. In the Notes development world the most common place this shows up is deploying new design changes to production applications. A number of things have to happen during this process, the most important being to prepare the template, move the template, and then refresh the design of every application that inherits from that template. In the past, this process was usually handled by development. Development knows what the changes are, so they can simply apply them directly to the applications (assuming they haven't already been developing in production, which is a completely different problem). Sometimes these changes go beyond the design and affect the scheduling of agents and which roles different people hold in the ACL. Segregation of duties in this case is usually seen as straightforward to implement: developers will not have Designer or Manager access to those applications in production, and the administration staff will do the deployment. However, this just shifts the problem from one group to another. The problem wasn't that the development staff was applying the changes; the problem was that they were in control of the entire process. The risk is that whichever group does the deployment, other unauthorized changes could be made at the same time. You can't simply hand it to the administration team, because they could be doing exactly the same thing.
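As an added illustration (not code from this post or from Teamstudio), here is a small Python check that compares an application's template, ACL entries and agent schedules before and after a deployment against the changes a change request actually approved, so that anything else slipped in during the same step is flagged for review. The data model, names and sample states are all constructed assumptions.

```python
# Added example: flag changes made during a design deployment that the
# approved change request did not cover. All states below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    name: str
    level: str                      # e.g. "Manager", "Designer", "Editor"
    roles: frozenset = frozenset()  # Notes ACL roles such as "[Admin]"


@dataclass
class AppState:
    template: str   # design template the application inherits from
    acl: dict       # entry name -> AclEntry
    agents: dict    # agent name -> schedule description


def diff_states(before: AppState, after: AppState) -> set:
    """Every observed change as a (kind, name, old, new) tuple."""
    changes = set()
    if before.template != after.template:
        changes.add(("template", "", before.template, after.template))
    for name in set(before.acl) | set(after.acl):
        old, new = before.acl.get(name), after.acl.get(name)
        if old != new:
            changes.add(("acl", name, old, new))
    for name in set(before.agents) | set(after.agents):
        old, new = before.agents.get(name), after.agents.get(name)
        if old != new:
            changes.add(("agent", name, old, new))
    return changes


def unauthorized_changes(before: AppState, after: AppState, approved: set) -> set:
    """Changes present after deployment that the change request did not approve."""
    return diff_states(before, after) - approved


# Constructed sample: only the template refresh was approved, yet the
# deployer also promoted themselves to Manager and changed an agent schedule.
BEFORE = AppState(
    template="Orders-v1.ntf",
    acl={"Dev Team": AclEntry("Dev Team", "Designer", frozenset({"[Admin]"})),
         "Sales": AclEntry("Sales", "Editor")},
    agents={"Nightly Sync": "daily 02:00"},
)
AFTER = AppState(
    template="Orders-v2.ntf",
    acl={"Dev Team": AclEntry("Dev Team", "Manager", frozenset({"[Admin]"})),
         "Sales": AclEntry("Sales", "Editor")},
    agents={"Nightly Sync": "hourly"},
)
APPROVED = {("template", "", "Orders-v1.ntf", "Orders-v2.ntf")}
```

Running `unauthorized_changes(BEFORE, AFTER, APPROVED)` reports the ACL promotion and the agent schedule change, which is exactly the evidence an independent reviewer needs to sign off (or refuse to).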

In the second part of this post (IT Governance for Lotus Notes: Segregation of Duties--Part 2), I will talk more about what you should be doing to actually make segregation of duties work.

Comments

1 - Hi Craig,

Can I make a suggestion for an article/blog? I'd like to know what is considered good practice in setting up Dev & UAT (and/or staging) environments. How much separation should there be? Should there be cross-certification anywhere? At what level? Should devs be allowed to develop using their production IDs in the dev environment? Or should they switch IDs? Where should CIAO configuration sit? Should there be any mail routing to the real world from dev/uat/staging?
I'd like to know how TS would implement this.

2 - Hi Nathan,
We actually have a huge number of documents like this, covering general practices to specific implementations of Teamstudio and other tools.
For general good practices, we have a set of documents called 'Policy Guides'. These cover everything from requirements gathering to development/testing practices, to build and deployment, to production controls. We are planning on putting these on our web site shortly, but until then I would be happy to send you a copy; just drop me an email. These documents do mention Teamstudio tools like CIAO, but show how tools like that can be implemented. As a complement to the policy guides we have published a book called 'Just enough governance for Notes' which is available on Amazon { Link } .

Then for Teamstudio-specific tools we have many documents that can be helpful, but a lot of this depends on what you are trying to achieve and what goals you have. For example, here in the US we have a lot of companies that have Sarbanes-Oxley requirements, which can affect how you set up tools like CIAO to make sure that auditors can get what they need. Other companies just want to get development out of production, or comply with an internal requirement. Each situation is different, and sometimes implementations can be inappropriate or counterproductive if not applied correctly. For that reason, it might be best to contact your local Teamstudio office and speak to one of our Technical Directors. They can send you documents that are geared more towards your requirements. We also have services where we can give you recommendations tailored to your exact needs.

In any case, please do contact either myself directly or your local Teamstudio office! We are here to help!

Craig
