I agree with Christopher; SOD is not specified by ITIL and so doesn't necessarily need to be enforced by default by the application supporting the processes. SOD is a policy decision. That said, it would be nice if Change Management had the ability to support policies like this. And that said, from my recollection SARBOX is more about policy, procedures and auditing. The tools don't need to enforce the process policies so long as you can show at audit time that you have controls in place in your process to check for these cases and help prevent them - or take action when something does happen - and if you can show by your auditing that you have been following your process. On that front, I believe CM does support that. Approvals and changes can store audit information, so you have the information you need to show that you are following your process policies with regard to SOD.
Lyle

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Guillaume Rheault
Sent: Monday, March 29, 2010 8:42 AM
To: [email protected]
Subject: Re: Change Manager - Change Implementor

** Now, the ironic thing is that for organizations to be SARBOX compliant, they need to implement a change mgmt process (and tool therefore), which would be ITIL compliant. But OOTB, the ITIL tool is not SARBOX compliant!! So we're coming full circle. Ironic, isn't it?

________________________________
From: Action Request System discussion list(ARSList) [[email protected]] on behalf of Guillaume Rheault [[email protected]]
Sent: Monday, March 29, 2010 10:41 AM
To: [email protected]
Subject: Re: Change Manager - Change Implementor

** Financial applications are defined in our environment as Application CIs. These applications run on databases and servers which are also in the CMDB. So here is a very simple scenario:

If you follow Sarbanes Oxley rules, you cannot approve and implement changes for financial applications: these two duties (or roles) need to be segregated.
If you make a change against a database that stores the data for financial applications, same thing.
If you make a change for a server that runs financial applications, same thing.

So the issue is not ITIL "proper", it is the regulations that need to be adhered to, such as Sarbanes Oxley.

Guillaume

________________________________
From: Action Request System discussion list(ARSList) [[email protected]] on behalf of strauss [[email protected]]
Sent: Monday, March 29, 2010 10:15 AM
To: [email protected]
Subject: Re: Change Manager - Change Implementor

** Where do SOD (segregation of duties??) rules come from?? It looks like it is from the financial world, not ITIL, since there is no mention of them whatsoever in the book I am reading on "Implementing ITIL Change and Release Management" by Larry Klosterboer.
ITIL does not appear to prohibit people from having multiple roles, so it is not surprising that an ITIL-compliant app like ITSM would not prohibit them either. If you are trying to get ITSM to enforce rules that are beyond the scope of ITIL, then I would expect that you would have to customize the application. Maybe BMC could add it as a configuration item - locking roles in some manner, but most IT organizations would have to be able to keep them unlocked since our staff members typically function in many different roles.

Christopher Strauss, Ph.D.
Call Tracking Administration Manager
University of North Texas Computing & IT Center
http://itsm.unt.edu/

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Guillaume Rheault
Sent: Monday, March 29, 2010 8:45 AM
To: [email protected]
Subject: Re: Change Manager - Change Implementor

** Actually, the same person can be the change requester, change manager, change assignee and change implementer (or task implementer), on top of approving/rejecting the change request. This very "open" OOTB design and lack of rules has created issues for us, and we had to create customizations to make it more restrictive, to adhere to SOD rules. I wish BMC would take a look at this and make the Change Mgmt application more compliant with SOD OOTB.

Guillaume

________________________________
From: Action Request System discussion list(ARSList) [[email protected]] on behalf of Roger Justice [[email protected]]
Sent: Friday, March 26, 2010 10:50 AM
To: [email protected]
Subject: Re: Change Manager - Change Implementor

** All 3 roles can be the same person. The problem is who is responsible for the Change, who is responsible for the work, and who does the work.
-----Original Message-----
From: John Kelley <[email protected]>
To: [email protected]
Sent: Fri, Mar 26, 2010 10:01 am
Subject: Change Manager - Change Implementor

List,

Just a conversation to understand segregation of duties. Can a Change Manager be a Change Implementor without breaking the rules? I guess the Manager could approve the request and implement that change. Is it morally right? The Change assignee is someone different, so there is another person involved.

JK

_attend WWRUG10 www.wwrug.com ARSlist: "Where the Answers Are"_
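The rule Guillaume lays out above (approver and implementer must be different people when a change touches a financial Application CI, or a database or server that application depends on), as an added example check that is not from the thread or from BMC's product: the CMDB fragment, the change-record field names (`cis`, `approvers`, `implementers`) and the people are all constructed, and the traversal follows dependency edges in reverse so that a server two hops below a financial app is still in scope.

```python
from collections import deque

# Constructed CMDB fragment: CI name -> (class, CIs it depends on).
# Dependency direction: application -> database -> server.
CMDB = {
    "GL-App":      ("Application", ["GL-DB"]),
    "GL-DB":       ("Database",    ["db-srv-01"]),
    "db-srv-01":   ("Server",      []),
    "Wiki-App":    ("Application", ["wiki-srv-02"]),
    "wiki-srv-02": ("Server",      []),
}
FINANCIAL_APPS = {"GL-App"}  # constructed: Application CIs in SOX scope


def supports_financial_app(ci):
    """True if `ci` is a financial application or some financial application
    depends on it, directly or transitively (walks dependency edges backwards)."""
    if ci in FINANCIAL_APPS:
        return True
    queue, seen = deque([ci]), {ci}
    while queue:
        cur = queue.popleft()
        for name, (_cls, deps) in CMDB.items():
            if cur in deps and name not in seen:   # `name` depends on `cur`
                if name in FINANCIAL_APPS:
                    return True
                seen.add(name)
                queue.append(name)
    return False


def sod_violations(change):
    """Findings for one change record (constructed schema): for in-scope CIs,
    nobody may appear as both an approver and an implementer."""
    if not any(supports_financial_app(ci) for ci in change["cis"]):
        return []                      # non-financial change: rule not applicable
    both = set(change["approvers"]) & set(change["implementers"])
    return [f"{p} both approved and implemented {change['id']}" for p in sorted(both)]


if __name__ == "__main__":
    # Constructed record: a server change, approved and carried out by one person.
    crq = {"id": "CRQ-1", "cis": ["db-srv-01"],
           "approvers": ["alice"], "implementers": ["alice"]}
    for finding in sod_violations(crq):
        print("SOD:", finding)
```

A control like this would run at approval or implementation time against the change's audit fields, which is exactly the information Lyle notes the product already records.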

