Fed regs and the return of the IT audit
- By Linda L. Briggs
One trend in software configuration and change management tools is what Gartner
analyst Jim Duggan calls “the rediscovery of the IT audit as something
you have to worry about.”
New corporate regulations such as Sarbanes-Oxley, which mandate greater
corporate accountability, have fallen heavily on IT departments. Those
regulations, along with increased security requirements since Sept. 11, 2001,
are affecting how companies manage software development.
The ability to trace the trail of software changes was important during the
days of mainframe-only development, Duggan says, but that emphasis faded as
distributed computing grew. Companies are rediscovering its importance today.
That means they’re looking for tools to help monitor, store and recall
facts such as when and why a software change was made, who made it, who approved
it, and when it went into production.
“We’ve gone through a 15-year period where distributed computing
has grown in importance, and suddenly we’re reminded, either by the government
or by stockholders, that this is important,” Duggan says.
Corporations are just starting to feel the effects of Sarbox, for example.
Although many large companies scrambled to meet the new law’s
requirements in 2004 through manual processes, they may be looking for more
automated, cost-effective ways to comply in future years. Several SCM
companies are aware of that, and are pushing to convince customers that SCM
products can be useful for compliance management.
One example is MKS, according to IDC research director Melissa Webster. “Generally,
I think MKS has done a very good job connecting their solution…to the
needs of IT organizations that are putting the IT controls in place to ensure
compliance with [Sarbanes-Oxley] regulations. MKS was out of the gate early
with a compliance message, and it appears to have brought them mind-share,”
Webster says. Other companies addressing compliance needs in their marketing
messages include Serena Software, Mercury Interactive, and Cybermation.
The importance of a tool to help audit and trace software development can vary
according to industry. It may be a key SCM feature, for example, for shipping
companies, which are especially concerned with security since new fed regs were
enacted after Sept. 11.
At a large freight company based in the South, Ben Carr, senior production
control analyst, says the need for better audit tools was one reason that the
company moved to more robust change management products.
Carr’s company is using three change and configuration management products,
all from Serena Software: Serena ChangeMan ZMF, ChangeMan DS, and ChangeMan
ZOS for mainframe code. The company also uses Serena’s defect tracking
system TeamTrack, which the company brought in to combine its change request
and problem tracking system.
According to Carr, the fact that the products are from the same vendor and
therefore can be tied together is important, because it allows information to
be dispersed among its 140 developers more efficiently.
Audit features were key to the company’s choice of SCM software, Carr
says. “We need to be able to follow any one single piece of code back
to its origin, including what was changed line by line,” he says. That
apparently was possible, but more difficult, with Change Control Facility, the
Computer Associates product the company replaced. “We didn’t
like how they handled history and accountability,” he says.
Serena’s products also handle temporary emergency changes well, Carr
says, along with planned temporary and permanent changes, and unplanned temporary
changes. “We can keep those temporary libraries around forever but not
in the execution path,” he says. “The software also allows
the company to control the changes developers can make, another important audit
and control feature.”