Software Development Compliance - Overview
Cindy Van Epps, IBM Rational software
Nick Norris, IBM Rational software
Last updated: September 28, 2012
Build basis: IBM Rational Collaborative Lifecycle Management (CLM) v3.0.1.x, v4.0.x (Rational Team Concert, Rational Requirements Composer, Rational Quality Manager), Rational Publishing Engine 1.1.2
Introduction and Overview
For software development organizations in regulated industries, the ability to demonstrate compliance with a complex and dynamic set of regulations, including internal control of software development processes, can be costly and challenging. IBM’s Collaborative Lifecycle Management (CLM) solution provides the foundational capabilities software development organizations and teams can use to effectively and efficiently overcome their software development compliance challenges. IBM’s CLM solution provides software development process definition and enactment with lifecycle traceability capabilities which are necessary to support and build a compliant software development organization. This article summarizes the context and motivators for software development compliance and introduces general software development compliance concerns around work authorization, segregation of duties, audit report generation and process change control. Related and subsequent articles in this article series cover these concerns in detail and how the IBM CLM solution supports them.
Business Problem and Context
Regulated software development, that is, the rules and standards that affect how organizations describe, implement, and deploy software systems, varies by industry and geo-political boundaries. In highly regulated industries such as automotive, a standard like ISO 26262, for example, is very prescriptive about the phases of embedded software development and testing as well as specific safety requirements to be implemented and tested. Companies publicly traded on the United States stock exchanges must comply with the Sarbanes-Oxley Act (SoX) which requires management and external auditors to report on the adequacy of the company’s internal controls on financial reporting. One of the specific components of SoX is that companies must define how they will safeguard financial data and the systems used to manage and report on that data from being compromised. Companies must then also prove that the defined processes and internal controls were both implemented and sufficient. These and most other regulations and standards do not focus solely on software development, and usually apply to a broader IT service context and/or a broader enterprise-level control framework. Where the regulations are more principle-based than prescriptive, frameworks such as COBIT have been established to provide prescriptive guidance.
Despite the morass of regulation and interpretation, we can distill some of the basics of software development compliance into four key categories of concern with which software development organizations and teams must implement to be compliant:
- Work authorization – ensuring that someone is accountable for approving the changes being introduced in a software system release, approving the delivery of the release into production, etc.
- Segregation of Duties – ensuring that multiple people are involved in a business task in order to prevent fraud and error. In software development, this means implementing roles, permissions, and responsibilities such that one person cannot by themselves introduce a change into a software system.
- Process Change Control – ensuring that the enforcement of compliance controls in an automated process definition and enactment can not be changed to allow circumventing the controls.
- Audit Support – proving the consistent adherence to the compliance controls over time and providing forensic evidence of how the process was enacted over the life of a project and/or system.
The flexibility, configurability and extensibility of the IBM CLM solution provides tremendous value for software development teams (vis a vis “ Five Imperatives of Application Lifecycle Management”). One of the questions that naturally arises in an agile and adaptive software development context is “Can a team be agile, execute on the Five Imperatives AND work within a compliance-constrained process?” The answer is “Absolutely!” In fact, being agile AND compliant is one of the eight scaling factors (regulatory compliance) in the Agile Scaling Model. One of the objectives of this article series is to help you and your organization understand and get started using IBM’s CLM solution to become more agile and compliant.
We will dive deeper into these software development compliance categories of concern in this series of articles that will examine different options as well as current limitations in IBM’s CLM solution's support for them.
References and related links
- Work Authorization and Requirements Integrity
- Segregation of duties in Regulated Software Development
- Process change control
- Internal control audits
- Support for Capability Maturity Model Integration
- Open Source Policy Compliance
- Sarbanes-Oxley Act
About the authors
As an Industry Solutions Lead for Rational, Cindy VanEpps leads several initiatives that tie together an integrated set of Rational tools to support specific scenarios. She recently led the effort to create a solution for the Financial Services Sector to support planning for compliance based on portfolio management and collaborative lifecycle management. Creating simplicity and elegance from the complex and horrendous is her passion. She can be contacted at email@example.com.
Nick Norris is a Solution Architect in the IBM Rational software development organization. He is an IBM certified Executive IT Specialist currently working as IBM Rational's Governance, Risk and Compliance lead architect as well the lead architect for IBM Rational's Financial Services Sector solutions including the Rational Compliance for Financial Services Sector accelerator. In these roles he works with numerous clients around the world to understand their needs and how best to use IBM solutions to help them. He can be contacted at firstname.lastname@example.org.
Copyright © 2012 IBM Corporation