Software Development Compliance – Segregation of Duties in Regulated Software Development

Cindy VanEpps, IBM Rational software
Last updated: February 08, 2013
Build basis: IBM Rational Collaborative Lifecycle Management (CLM) v3.0.1.x, v4.0.x (Rational Team Concert, Rational Quality Manager), Rational Publishing Engine 1.1.2

This page describes a usage or software configuration that may not be supported by IBM. The example report templates and custom work item example are not delivered with Rational products.

This is the third in a series of articles on how the Rational solution for Collaborative Lifecycle Management (CLM) support software development compliance. It is highly recommended you first read the overview article in the series before proceeding.

Segregation of duties is a key principle in protecting a system from unauthorized changes. According to Wikipedia, “Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task shall prevent from fraud and error. The concept is alternatively called segregation of duties or, in the political realm, separation of powers.” In this article we’ll look at three different ways that Segregation of Duties can be implemented in CLM:

• Using roles and permissions to support segregation of duties is the easiest way to support this principle. It is effective for segregation of duties rules that map easily to the roles and permissions that are configurable in Team Concert.
• Some segregation of duties rules are not easily configured with permissions because they involve multiple roles and a specific process configuration. Violations of these rules can be reported through generation of an audit report. Configuring an audit report template is a bit harder than simply setting up permissions, but our examples help you get started.
• If you want to prevent violation of the rules that cannot be easily configured, the extensibility features of the CLM tools allow you to do that. Our example shows you what is possible, albeit a more advance implementation.

The attached PDF file provides a walk through with screen shots of examples of these implementations. This is a subset of a hands-on lab exercise that walks through the solutions in detail. We also provide the document templates and RTC process template used in the examples to help you get started.

For more information

• Overview
• Work Authorization and Requirements Integrity
• Process change control
• Internal control audits
• Support for Capability Maturity Model Integration
• Open Source Policy Compliance
• Rational Lab Services Extensions for Rational Team Concert contact Luis Quintela

About the author

As an Industry Solutions Lead for Rational, Cindy VanEpps leads several initiatives that tie together an integrated set of Rational tools to support specific scenarios. She recently led the effort to create a solution for the Financial Services Sector to support planning for compliance based on portfolio management and collaborative lifecycle management. Creating simplicity and elegance from the complex and horrendous is her passion. She can be contacted at vanepps@us.ibm.com.

Copyright © 2012 IBM Corporation

Feedback

Was this information helpful? Yes No 2 people rated this as helpful.

Let us know how we can improve this information.