Software Development Compliance – Work Authorization and Requirements Integrity
Nick Norris, IBM Rational software
Last updated: February 08, 2013
Build basis: IBM Rational Collaborative Lifecycle Management (CLM) v3.0.1.x, v4.0.x (Rational Team Concert, Rational Requirements Composer)
This is the second in a series of articles on how the Rational solution for Collaborative Lifecycle Management (CLM) supports software development compliance. It is highly recommended that you read the overview article in the series before proceeding.
Business Problem and Context
This article details several options for work review, approval and formal authorization. Some regulations that affect software development, such as FDA 21 CFR Part 11, require electronic signatures. Others, such as Sarbanes-Oxley, require the implementation of internal controls to prevent unauthorized changes to systems that are material to the business. One implication is that organizations must have controls in place to ensure that no unauthorized changes are made to systems that handle the organization’s financial data (work authorization). Part of the change and development process for many software systems involves requirements: their definition, review/approval, implementation, and validation. This also involves ensuring and proving the integrity of the requirements: that approved requirements are not changed by unauthorized persons, and that the approved version of a requirement is the one that has actually been implemented and validated (requirements integrity). Companies must also prove that the defined processes and internal controls were implemented and were sufficient. Other regulations and standards impose similar mandates on the development, delivery, deployment, and maintenance of software systems.
Required capabilities of Work Authorization and Requirements Integrity solution
The solution must provide the following capabilities:
- As an approval authority, I need the ability to approve the correctness of a specific version of a requirement.
- As an approval authority, I need the ability to certifiably authorize work to implement, test, deploy, etc. the approved version of the requirement.
- As an auditor, I need proof that only approved and authorized versions of requirements were implemented, tested, etc. and included in a given release.
Work Authorization and Requirements Integrity solution configuration(s)
Different IBM Rational products or combination of products can be used to provide a Requirements Integrity and Work Authorization solution as part of a broader compliant software development solution. These include, but are not necessarily limited to:
- Integrated RRC/RTC: RRC is used to define, review/approve, and manage requirements. RTC is used to authorize and manage work linked to the RRC requirements.
- RTC only: Use RTC work items to capture, approve, manage, and authorize changes and work. For example, RTC User Story, Enhancement, or Defect types of work items.
- Integrated DOORS/RTC: DOORS is used to define, manage, and sign off on requirements. RTC work items are used to manage and authorize the work assignments to implement, verify, deploy, etc. the requirements in a release.
- DOORS only: DOORS is used to define, manage, and sign off on requirements.
Every organization will have its own criteria to decide which product(s) to use to provide these capabilities and solution. This article focuses on the RRC/RTC solution, examining different ways that agreement on project artifacts can be captured and the work to proceed at a given point in the process can be authorized:
- Review and approval of a collection of requirements by requirements stakeholders
- Electronic signature authorization to implement a reviewed and approved collection of requirements by business authority
- Multi-level approvals of a build for release into a user acceptance testing environment
Detailed steps and screen shots demonstrating these capabilities are provided in the attached .pdf file.
For more information
- Segregation of duties in Regulated Software Development
- Process change control
- Internal control audits
- Support for Capability Maturity Model Integration
- Open Source Policy Compliance
About the author
Nick Norris is a Solution Architect in the IBM Rational software development organization. He is an IBM certified Executive IT Specialist currently working as IBM Rational’s Governance, Risk and Compliance lead architect, as well as the lead architect for IBM Rational’s Financial Services Sector solutions, including the Rational Compliance for Financial Services Sector accelerator. In these roles he works with numerous clients around the world to understand their needs and how best to use IBM solutions to help them. He can be contacted at firstname.lastname@example.org.
Copyright © 2012 IBM Corporation