Rolling Meadows, IL, USA (12 August 2015)—DevOps—the integration of development and operations teams to eliminate conflicts and barriers—often leads to more features in business applications, developed in a faster time and with greater efficiencies. But the very features that make DevOps attractive to organizations can cause concern for assurance, security and governance practitioners. A new guide from global IT association ISACA outlines 10 key controls companies need to consider as they embrace DevOps to achieve reduced costs and increased agility.
According to DevOps Practitioner Considerations, those controls are:
- Automated software scanning
- Automated vulnerability scanning
- Web application firewall
- Developer application security training
- Software dependency management
- Access and activity logging
- Documented policies and procedures
- Application performance management
- Asset management and inventorying
- Continuous auditing and/or monitoring
“DevOps can introduce new risk but, done right, it also mitigates other risk. Looking at risk holistically means understanding both sides of that equation and making the right choice for a particular company based on its climate, risk tolerance, culture, project scope and other factors,” said Bhavesh Bhagat, CISM, CGEIT, CEO of EnCrisp.
Because DevOps adoption changes the environment and often impacts a company’s carefully crafted control environment and accepted level of risk, governance, security and assurance professionals need to play a key role:
- The governance decisions relating to risk, including decisions made in the past, may require rethinking, and performance metrics on which business decisions are based may need to be adjusted.
- Many security controls that are intertwined with the development process may be compromised.
- Assurance practitioners will have to address a particularly significant area of impact: separation of duties.
Dev Ops Practitioner Considerations is available as a free download at www.isaca.org/devops-practitioner-considerations.
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.
LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Joanne Duffer, +1.847.660.5564, [email protected]
Rachel Acevedo, +1.847.660.5617, [email protected]