Continuous Deployment

Published date: April 15, 2024, Version: 1.0

Overview

Continuous Deployment (CD) is an aspect of the Continuous Delivery Pipeline that automates the migration of new functionality from a staging environment to production, where it is made available for release.

The capability to continuously deploy is critical for releasing on demand. In turn, it allows Agile Release Trains (ARTs) to respond to market opportunities with the highest possible value in the shortest sustainable lead time, permitting customers to consume new functionality when they are ready.

Deployment

The controls below are listed with their Control Id, Control Description and Coverage in CD.

ITGC03.Development Methodology

The organization has a solution development methodology that contains a set of requirements, which includes security and processing integrity controls, that are adhered to throughout the solution development lifecycle.

  • The solution development methodology requires initiative closure and acceptance be performed by the business owner for work having a defined start and end date. For work delivered through agile continuous delivery, the business owner accepts all changes and authorizes them at production release.

  • The solution development methodology requires defining new and changed IT services and service levels of developed systems/solutions

  • The solution development methodology requires planning for the ongoing maintenance of the systems/solutions developed

  1. Highlighted action is covered in Continuous Deployment

ITGC04.Application Controls

The solution development methodology, through architectural and security practices, includes requirements that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.

Control activities:

  1. Requirements for configuration/calculation/exception handling application and system controls are defined and built into solutions that support complete, accurate, authorized and valid transaction processing

  2. Interface validation mechanisms are defined and built into solutions to support completeness, accuracy and timeliness of data being transferred between systems

  3. Access control mechanisms are defined and built into solutions to ensure that access to systems, functionality and data is restricted to authorized personnel only


  1. Highlighted action is covered in Continuous Deployment

  2. Third point is not required to be covered under Continuous Delivery Process (CDP)

ITGC05.User Involvement

The enterprise has a solution development methodology that defines and maintains business functional and technical requirements that are endorsed by all stakeholders.

Control activities:

  1. Product/business owner(s) review and authorize/approve all work/requirements as part of quarterly planning.

  2. Product/business owner(s) review and authorize/approve the final choice of solution, acquisition approach and high-level design, aligned to the desired business outcome. This is achieved through the quarterly planning process.

  3. Product/business owner(s) review and authorize/approve User Acceptance Testing (UAT) results.


  1. Highlighted action is covered in Continuous Deployment

  2. First & second points are covered in Continuous Exploration

ITGC09.Promotion to Production

A process is established to restrict the migration of accepted solutions/software releases into production to authorized individuals/functions only.

Control activities:

  1. Promotion to production process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis, for each system with a procedural SOD in place

  2. Proper segregation of duties is established between staff functions responsible for program development, promoting changes to production, and IT operational support

  1. Highlighted action is covered in Continuous Deployment

  2. First point is covered in Continuous Exploration

ITGC10.Testing Strategy

A test strategy must be followed which includes testing scope, goals, approach, tools, roles, environments, test exit criteria and timing of test activities. It takes into consideration testing requirements including security, architectural design, internal controls and privacy.

  1. Testing is executed in accordance with the test strategy, testing artifacts are retained, and testing results are reviewed and authorized/approved by the business and IT owner(s) prior to production implementation

  1. Highlighted action is covered in Continuous Deployment