SoftLanding Addresses 'Separation of Duty' Requirement
Corrected: June 13, 2006
by Alex Woodie
SoftLanding Systems yesterday unveiled a new release of its change management system that addresses the need for "separation of duty" in the lifecycle management processes. With the enhancement to TurnOver version 5.4, the New Hampshire company has delivered the teeth needed to allow managers to enforce specific workflow procedures, and to plug the holes that allow users to bypass checks and hurt the quality of the code, or worse--raise the ire of auditors.
While the United States Congress did not specifically delineate it, the Sarbanes-Oxley Act, in practice, has brought upon American businesses the requirement to implement an enforceable workflow process when dealing with development and deployment of changes to source code, and to separate the duties of user, developer, tester, and administrator. These ideas are central to IT management best practices, as delineated in COBIT and other codes of IT conduct.
According to Steve Gapp, president and CEO of SoftLanding Systems, creating and implementing a tight workflow management process that includes the separation of duty auditing requirement can be one of the toughest tricks to pull off in IT management--and at the same time, one of the most rewarding.
"The iSeries market urgently needs enforced workflow that bridges all groups participating in the development lifecycle, right down to the end users who report issues and perform user acceptance testing," Gapp says. "It is one of the most difficult best practices to achieve, and one that delivers great value in terms of process efficiency."
SoftLanding is delivering this capability in TurnOver, its suite of lifecycle tools for managing the various stages of application development, including version control and object management, quality assurance testing, deployment, issue tracking, reporting, and analysis. SoftLanding supports native OS/400 development as well as PC and Web development through its TurnOverSVN component, and the new workflow control provides enforcement across all supported platforms.
SoftLanding is delivering tighter workflow controls through the new graphical Workflow Designer component of TurnOver, which is used to map out how the new Workflow Definitions will interact with a given company's processes. Managers can use these new tools to define who can advance a task at a given status, and what progression of status changes is available. These "status transition rules" will allow managers to more closely control which steps need to be taken, and by whom, before a given task in the application development lifecycle is complete.
There are various ways managers can use these new tools, SoftLanding says. For example, a manual transition rule might dictate that only a quality assurance tester can change a task status from "in test" to "tested." Similarly, an event-based transition rule may require a task to have "approved" status before an authorized person can deploy changes into production. At this stage, the task status could be considered "completed."
Rules set up under the Workflow Definitions facility are enforced across the system at the database level, no matter which interface users are using. This means they can be using the Eclipse-based client, the WebSphere Development Studio Client (WDSc) or WDSc Lite plug-ins, a browser interface, or traditional 5250 interfaces.
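The idea of status transition rules enforced at the database level can be sketched as follows. This is an added illustration, not TurnOver's code or schema: it uses SQLite from Python, and the table names, role names, and the "tested" to "approved" rule are assumptions; only the statuses and the QA-tester rule come from the article.

```python
import sqlite3

SCHEMA = """
CREATE TABLE transition_rule (
    from_status TEXT NOT NULL, to_status TEXT NOT NULL, role TEXT NOT NULL,
    PRIMARY KEY (from_status, to_status, role));
CREATE TABLE task (
    id INTEGER PRIMARY KEY, status TEXT NOT NULL, changed_by_role TEXT NOT NULL);
-- Fires on every status UPDATE, whichever client or interface issued it.
CREATE TRIGGER enforce_transition BEFORE UPDATE OF status ON task
BEGIN
    SELECT RAISE(ABORT, 'status transition not permitted for this role')
    WHERE NOT EXISTS (
        SELECT 1 FROM transition_rule
        WHERE from_status = OLD.status AND to_status = NEW.status
          AND role = NEW.changed_by_role);
END;
"""

# (from_status, to_status, role allowed to make the change); roles are hypothetical.
RULES = [
    ("in test", "tested", "qa_tester"),    # manual rule from the article
    ("tested", "approved", "manager"),     # assumed approval step
    ("approved", "completed", "deployer"), # deploy only from "approved"
]

def open_db():
    """Build an in-memory database with the rules and one constructed task."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO transition_rule VALUES (?, ?, ?)", RULES)
    conn.execute("INSERT INTO task VALUES (1, 'in test', 'developer')")
    conn.commit()
    return conn

def advance(conn, task_id, new_status, role):
    """Attempt a status change; True if the database accepted it.
    Assumption: `role` comes from an authenticated session, not user input."""
    try:
        with conn:  # commits on success, rolls back if the trigger aborts
            conn.execute(
                "UPDATE task SET status = ?, changed_by_role = ? WHERE id = ?",
                (new_status, role, task_id))
        return True
    except sqlite3.DatabaseError:
        return False

def status(conn, task_id):
    """Return the current status of a task."""
    row = conn.execute("SELECT status FROM task WHERE id = ?", (task_id,)).fetchone()
    return row[0]
```

Because the check lives in a trigger rather than in any one client, a raw `UPDATE` from another tool is rejected in the same way as a call to `advance`.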
Universal access was a critical design point, Gapp says. "We've got quite a diverse set of potential personnel who may be parties in any given workflow," he says. "We wanted to allow the green-screeners to participate in the workflow. We didn't want them to have to invoke a different piece of software."
Neither will companies have to rip out any process control systems they already have in place to use the new workflow enforcement capabilities in TurnOver, he says. "We allow you to take the steps, and sit it on top of what's already there," he says. Workflows for multiple applications can be set up and managed using TurnOver.
Users can configure the enforcement of their workflows as tightly or as loosely as it suits their needs, Gapp says. "It's very flexible in terms of how you can configure the solution to meet the various processes that typically take place in an IT environment," he says.
The new workflow enforcement facility is an optional component. All TurnOver licensees get the capability, but it's up to them to configure and use it. TurnOver users that are required to abide by Sarbanes-Oxley--and the company has sold many TurnOver licenses over the last few years on the threat of Sarbanes-Oxley alone--would do well to implement the new capabilities. However, some companies, especially private companies that aren't working to comply with the new law, may not have a need for workflow enforcement at all.
SoftLanding opted to deliver the new Workflow Designer graphical modeler and Workflow Definitions logic as a regular application update, as opposed to a full release. The fact that these new features were not shipped as a new release does not detract from their significance, the company says. For more information, please visit www.softlanding.com.
This article has been corrected. SoftLanding's workflow enforcement works with all platforms supported by TurnOver, not just OS/400. IT Jungle regrets the error.