Program Development Policy

Program Development

Scope

The Essex Program Development policy covers any in-house or outsourced development activities to in-scope applications and systems. The Program Development policy does not apply to systems and applications that are in the development or test stages.
The Program Development policy explicitly does cover 'SDLC' – the Software Development Life Cycle. Because the rate of development is low and infrequent, each development project shall have a separate project plan to document the applicable SDLC steps and implementation. Development that has a direct impact on the corporate application is managed using the Project Grading and Requirements. CONTROL PD1

 

Documenting the Request

CONTROL PD2

A request for development that will affect an in-scope application or system should always begin with a helpdesk ticket that is given a classification of "Program Development". The project plans, reviews and approvals should always be attached to the ticket and the ticket should be considered as the authoritative archive for all activities pertaining to the development cycle.

Approval Authorization & Segregation of Duties

The principles of segregation of duties must apply to all matters of Program Development. Essentially, all requests relating to Program Development must be approved by a manager at least one layer higher than the requestor. In addition, the approver must not be the person who performs the program or system modification.

Process

  1. A ticket is opened in the Essex Helpdesk System with the details of the change, and the type set to Program Development.
  2. The scope of the change is determined by IT and requisite testing is performed by the appropriate person(s).
  3. If it is determined that the change will have a direct impact on general ledger data, an appropriate plan for validating the changes is developed and attached to the ticket.
  4. After testing has successfully concluded, final approval is noted through CAB approval.
  5. If the change does not have a simple rollback procedure (uninstall application, restore old files, etc.), a detailed rollback procedure should be noted in the ticket.
  6. After moving the change to production, the ticket is left open for a period to record rollback, if needed.

Development Environment

Program development must not be practiced on production servers. There must be a separate system set aside for any program development activities and this development system must have very limited access. For any major project, or project with high risk, there must be a formal testing plan attached to the helpdesk ticket. Any issues that are discovered during the testing process must be documented in the master helpdesk ticket for the development project.
Where appropriate, standard test protocols such as Unit, System, Stress, and User Acceptance tests will be employed and evaluated at each step in the development project. Final test results will be submitted to the helpdesk ticket along with management's review and approval of the test process results.

Approval

Major/High-Risk projects require formal approval by IT Management. IT Management will assess the potential impact of the proposed project on production operations and will review and approve the proposed testing plan. Successful testing by the responsible persons indicates approval. Final approval must be given and documented through CAB before migrating changes from test to production and must be duly recorded in the ticket.

Last updated: September 15, 2017
