Faster and more flexible business methodologies require equally adaptive risk strategies. While IT Development and Operations have been evolving into a continuous loop of development at many innovative organizations (aka DevOps and Agile), most IT control frameworks have remained rooted in the linear, or sequential, “waterfall” mindset of traditional software engineering — with cascading steps beginning with requirements and design and flowing “downward” through implementation, verification and maintenance. This mismatch has created a few challenges, most notably:
- Control/compliance failures
- Slow-downs and workarounds, impacting productivity and efficiency
- Devaluing the business case for adopting DevOps
Ignoring compliance requirements is obviously not an option. Regulations such as Sarbanes-Oxley and standards such as NIST, ISO27001, SOC2 and numerous others require effective IT controls, including formal change management processes for ensuring changes made to production environments are appropriate. While IT may be changing the way it develops and distributes software, the accepted compliance approaches are not moving nearly fast enough to accommodate that change.
Many software developers are realizing that a different approach to controls needs to be applied to DevOps and Agile environments — a DevSecOps approach in industry jargon — that embeds controls, risk management and regulatory compliance into the operating environment without impeding speed and interrupting the continuous integration/continuous deployment (CI/CD) pipeline. In such an environment, many traditionally manual verification and approval processes can be automated. Examples include:
- Automated comparison of releases against artifact repositories with discrepancy reporting
- Automated testing scripts to verify the integrity and functionality of approved code (pre-release)
- “Build and release” orchestration tools to manage the deployment process and enforce separation of duties
In our work with clients, we’ve encountered those challenges and have developed a methodology to help organizations meet regulatory demands and address risk in the context of a continuous improvement environment. The methodology starts with understanding the current-state DevOps processes, identifies the logical control points in the process (as well as improvement opportunities), and helps establish methods for continually monitoring, testing and improving the process and controls, utilizing a cycle similar to the development process itself. We describe the methodology in more detail, including examples of how to design specific controls, in a new Protiviti white paper, Regulation at the Speed of Innovation, available as a free download from our website.
The value of this approach is that it is highly collaborative, builds on existing DevOps tools and practices, and empowers organizations to achieve their own continuous improvement process, rather than having one imposed from the outside. Current DevOps tools are highly accountable, with version control and artifact repositories, virtualization, containerization and continuous integration, as well as on-demand provisioning that addresses many of the access control and segregation concerns of regulators.
DevOps and regulatory control requirements have long been at odds with each other, but they no longer need to be. The continuous improvement tools and technology that define DevOps can be adapted to align a company’s risk strategy to the software development cycle, sometimes with benefits extending downstream to the users. Read how one Protiviti client and leader in the DevOps space was able to achieve this goal, leading to not just to improved controls but improved efficiencies in the development and release process.
As always, we are interested in your thoughts and questions, here and on our website. Download the white paper and start the conversation.