A service manager, a risk manager and an auditor walk into a bar......Devops and Separation of Duties
Recently colleagues and I were discussing topics such as ITIL Change Management, Continuous Delivery, Devops and Separation of Duties. Stone (2009) stated "the general premise of separation of duties is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets." In IT Change Management, the premise is to prevent a developer from deploying untested code into production or modifying it once in production without testing. As an ITSM team, we had established clear guidance on separation of duties for production changes with our manual release processes which satisfied all stakeholders including external auditors. The question from development teams then arose of how will we continue to satisfy the needs of separation of duties with Continuous Delivery and/or Devops? To establish consistent guidance, my team met with counterparts in Risk Management and Internal Audit (and we didn't really wa