Continuous Exploration

Published date: April 15, 2024, Version: 1.0

Introduction

Continuous Exploration (CE) is an aspect of the Continuous Delivery Pipeline that drives innovation and fosters alignment on what should be built by continually exploring the market and customer needs and by defining a vision, roadmap, and set of epics for a solution.

Continuous Exploration (CE) is the first aspect of the four-part Continuous Delivery Pipeline (CDP), which also includes Continuous Integration (CI), Continuous Deployment, and Release on Demand.

Continuous Exploration- Workflow
Control ID | Control Description | Coverage in CE

 

ITGC01. Information Security Policies and Standards

An Information Security Management System (ISMS) plan and policy exists and has been approved by Executive Management.

Control activities:

  1. Information Security policies and standards are documented/updated and reviewed/signed-off by Executive Management on a periodic basis

  2. Information Security policies and standards are communicated to the appropriate personnel and training is conducted

Coverage in CE:

  1. Highlighted actions are covered in Continuous Exploration

ITGC04. Application Controls

The solution development methodology, through architectural and security practices, includes requirements that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.

Control activities:

  1. Requirements for configuration/calculation/exception handling application and system controls are defined and built into solutions that support complete, accurate, authorized and valid transaction processing

Coverage in CE:

  1. Highlighted action is covered in Continuous Exploration

ITGC06. Compliance with Development Methodology

The organization has a solution development methodology that contains a set of requirements, which includes security and processing integrity controls, that are adhered to throughout the system development lifecycle.

Control activities:

  1. In-house IT developments (including infrastructure) and/or procured systems comply with the solution development methodology

Coverage in CE:

  1. Highlighted action is covered in Continuous Exploration

ITGC05. User Involvement

The enterprise has a solution development methodology that defines and maintains business functional and technical requirements that are endorsed by all stakeholders.

Control activities:

  1. Product/business owner(s) review and authorize/approve all work/requirements as part of quarterly planning.

  2. Product/business owner(s) review and authorize/approve the final choice of solution, acquisition approach and high-level design, aligned to the desired business outcome. This is achieved through the quarterly planning process.

  3. Product/business owner(s) review and authorize/approve User Acceptance Testing (UAT) results.

Coverage in CE:

  1. Highlighted actions are covered in Continuous Exploration

  2. Third action will be covered in Continuous Deployment

ITGC09. Promotion to Production

A process is established to restrict access to authorized individuals/functions only for the migration of accepted solutions/software releases into production.

Control activities:

  1. Promotion to production process/procedures are documented/updated and reviewed/signed-off by the IT owner(s) on a periodic basis, for each system with a procedural SOD in place

  2. Proper segregation of duties is established between staff functions responsible for program development, promoting changes to production, and IT operational support

Coverage in CE:

  1. Highlighted actions are covered in Continuous Exploration

  2. Second action will be covered in Continuous Deployment & Release on Demand

ITGC10. Testing Strategy

A test strategy must be followed which includes testing scope, goals, approach, tools, roles, environments, test exit criteria and timing of test activities. It takes into consideration testing requirements including security, architectural design, internal controls and privacy.

Control activities:

  1. Testing artifacts are prepared which include test design, test cases/steps, test coverage, test issues, expected and actual results.

Coverage in CE:

  1. Highlighted actions are covered in Continuous Exploration

ITGC11. System Interfaces

A test strategy must be followed which includes systems interface testing and is established to ensure data transmissions are complete, accurate and valid. It takes into consideration environments, security, internal controls and privacy.

Control activities:

  1. Systems interface testing artifacts are prepared which include test design, test cases/steps, test coverage, test issues, expected and actual results

  2. Systems interface testing is conducted in non-production environments (source and destination), testing artifacts are retained and test results are reviewed and authorized/approved by the business and IT owner(s) prior to production implementation

Coverage in CE:

  1. Highlighted actions are covered in Continuous Exploration

  2. Action 2 is covered in CI

ITGC12. Data Conversion and Migration

Control activities:

  1. Data conversion/migration testing artifacts are prepared which include test design, test cases/steps, test coverage, test issues, expected and actual results.

  2. Data conversion/migration testing which includes comparing original and converted/migrated data (e.g. record counts, validation of financial integrity, etc.) is conducted, testing artifacts are retained and test results are reviewed and authorized/approved by the business owner(s) prior to production data conversion/migration

Coverage in CE:

  1. Highlighted actions are covered in Continuous Exploration

  2. Action 2 is covered in CI

Artifacts relevant for Continuous Exploration

  • Epic Backlog

  • Solution design & architecture

  • Defined MVP

  • Cost estimation report

  • Solution vision & roadmap

  • Program/ART Backlog