Ideally, users with write access to application source code should not have the ability to implement changes to production, and vice versa.
The responsibilities of developers and deployment personnel should be completely segregated to help ensure a common change control object, that unauthorized changes are not made to production application systems, is met. However, some of our smaller clients do not have the benefit of working on a big enough team to segregate these responsibilities.
A file integrity monitoring tool is required when adequate segregation of duties between the development and deployment function is not in place.
A file integrity monitoring tool is required when adequate segregation of duties between the development and deployment function is not in place. The file integrity monitoring tool should be configured to monitor modifications to compiled application files and notify an individual outside of the change control process, such as IT management, when changes occur.
The purpose of this is to detect whether changes to application files are taking place outside of the traditional testing and approval steps in the change control process.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.