System Development and Change Management

Strong controls are required surrounding the development and implementation of new software code and programs. Whether programs are developed “in-house” or outsourced to a third party, many risks to the confidentiality, integrity, and availability of data remain.

To assess the adequacy of controls surrounding code management, areas such as the following may be addressed:

  • Are documented development/change management policies and procedures in place?
  • Where software development is outsourced, is a risk analysis conducted regarding weaknesses introduced by the outsourced development process?
  • Are Test and Production environments properly segregated, as applicable, both logically and physically?
  • Is a risk assessment and an associated change impact analysis conducted and appropriately documented for each code change?
  • Is the code change request/authorization process adequate for the complexity of the development/patch management environment in place?
  • Are automated code control systems utilized to ensure that version control and accountability can be properly maintained?
  • Are backout procedures adequately documented to ensure seamless rollback should problems be encountered upon code installation?
  • Are code testing strategies and plans sufficiently documented and approved prior to testing activities? Additionally, as appropriate, are test results adequately reviewed by testing and management personnel?