IT Management

Change Happens: Compliance and You

Considering the various accounting scandals and irregularities over the past few years, it’s easy to see how compliance and accountability at the C-level (i.e., CEO, CFO, CIO, etc.) became mandatory (see Figure 1). As a result, regulatory bodies now mandate controls that encompass everything from financial statements at the high level to the operating system at the low level (see Figure 2).

This isn’t restricted to the regulations in the U.S., such as the Securities and Exchange Commission (SEC), the Healthcare Information Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX). In the European Union, IT is affected by the Data Protection Act and Model Requirement for the Management of Electronic Records (MoReq); in the U.K., it’s the Metadata Framework and Public Records Office. Around the globe, various regulatory bodies have requirements that affect IT and its operation.

Unfortunately, responsibility flows downhill. Becoming compliant is one of the “joys” of your life. The business and financial applications need to have processes in place that satisfy government regulations and auditing requirements while the operating system software that drives the applications, such as MVS, z/OS, DB2 and CICS, must meet those same objectives.

More than ever, systems specialists and their managers are being held personally accountable for the accuracy of their change control processes, audit reporting capabilities, and the security of the systems software running on their mainframes. As a result, these specialists are increasingly seeking solutions to effectively tackle all these needs and more. They need to be able to ward off the type of unauthorized change that leads to fraud and systems downtime, costing corporations millions of dollars annually. Even outsourced data centers require solutions since they remain under the jurisdiction of compliance regulations.

Perhaps this “dark cloud of compliance” has a silver lining. If you consider the similarities between compliance and business resiliency or disaster recovery, you can discover an opportunity to streamline processes. In several ways, compliance has the same objective as business resiliency: keeping the business operational regardless of what happens.

Failure to achieve this goal results in loss of customer confidence, loss of revenue, and the final insult: fines. Compliance, like business resiliency, is an ongoing process—once started, never ended—with the objective being sustainable compliance. How does one achieve compliance for operating system software?

Hiring additional people to perform paper audit trails and the tedious job of bulletproofing “best practices” are costly, unattractive solutions for modern data centers. Therefore, organizations are looking to invest in more reliable, automated solutions. These days, solutions in the area of operating system software change management can provide organizations with automatic, transparent compliance that meets the mandates of various regulations, regardless of company or country affiliation.

There are several change management products available. Most, however, are for application development and weren’t designed to work at the level of granularity needed for operating systems change management. The good news is there are solutions available that can provide the type of change management necessary for operating systems software—down to the member level, since a single member is often the only thing that changed.

Part of the challenge is documenting a change: who, why, when, how and where. This doesn’t mean Big Brother is watching; rather, keeping track of changes helps you and the overall corporate business. Do you remember why a colleague who retired months ago made a change? Do you really remember what changes you made a year ago and why? The time it takes to research and document why something was changed is counterproductive and distracts you from performing other, more important tasks. Worse, remediation of non-compliance involves major costs. The monies required to correct the inadequacies can add up to a significant portion of the overall budget. In addition, it distracts senior-level executives; they’re now watching you and your staff to ensure compliance is maintained when they really need to be focused on the overall business.

Developing a process to manage change at the systems level can make your life easier. Considering that many enterprises have multiple Logical Partitions (LPARs) and system complexes (sysplexes), the amount of change involved with each environment can be a daunting task. In some cases, no one environment is exactly like another, so this adds to the complexity of the task at hand. Centralized systems change management can alleviate many of these pain points in that only one operating system has the original changes performed, documented and tested. Once these changes are validated, they can be bundled into one or more packages and rolled out to other systems—in their entirety or as a subset—with all the associated documentation of those changes.

Successful application of those changes should be reported back to the originating LPAR so that it’s also documented. In this way, the rollout of a new product or maintenance is simplified, saving you time and effort while helping you be cost-effective and compliant. By using a centralized change management process, you’re also simplifying and consolidating the reporting and auditing of change: one repository contains all the changes across the enterprise.
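The who/why/when/how/where record and the centralized bundle-rollout-report-back flow described above, modelled as an added Python example; this is not code from the article or from any product it alludes to, and the member names, LPAR names and change reasons are constructed. Beyond what the text says, it also shows how the recorded "before" state lets the rollout detect a member that was changed outside the process instead of silently overwriting it.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def fingerprint(content: str) -> str:
    """Short content hash used to prove a member is in the expected state."""
    return hashlib.sha256(content.encode()).hexdigest()[:16]


@dataclass
class ChangeRecord:
    """Who / why / when / how / where for one member-level change."""
    who: str
    why: str
    when: str
    how: str
    where: str      # e.g. "SYS1.PARMLIB(IEASYS00)" (constructed sample)
    origin: str     # LPAR where the change was made and tested
    before: str     # fingerprint of the member before the change
    after: str      # fingerprint of the member after the change


@dataclass
class CentralRepository:
    """One enterprise-wide repository of changes and rollout results."""
    records: list = field(default_factory=list)   # (ChangeRecord, new content)
    rollouts: list = field(default_factory=list)  # reports from target LPARs

    def record_change(self, who, why, how, where, origin, old, new):
        rec = ChangeRecord(who, why, datetime.now(timezone.utc).isoformat(),
                           how, where, origin, fingerprint(old), fingerprint(new))
        self.records.append((rec, new))
        return rec

    def bundle(self, members=None):
        """Package validated changes: all of them, or a subset by member."""
        return [(r, c) for r, c in self.records
                if members is None or r.where in members]


def apply_package(repo, package, target_lpar, target_members):
    """Roll a package out to one LPAR and report the result back to the
    repository. A member whose current content does not match the recorded
    'before' state was changed outside the process: flag it, don't overwrite."""
    results = {}
    for rec, new in package:
        if fingerprint(target_members.get(rec.where, "")) != rec.before:
            results[rec.where] = "drift-detected"
            continue
        target_members[rec.where] = new
        results[rec.where] = "applied"
    repo.rollouts.append((target_lpar, results))  # the report-back step
    return results
```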

Like it or not, compliance is here to stay. Weaving the procedures into the fabric of your everyday activities starts with a simple step. The benefits will certainly outweigh the initial cost and planning effort. The results ensure your side of the house is compliant. It also can pay dividends with your business resiliency or disaster recovery initiatives by ensuring only the personnel allowed to make changes can do so. Additionally, with selective bundling of changes, only those changes truly necessary to the recovery site are applied.

Whether you choose a centralized or decentralized change management philosophy, or a formal or informal change request process, knowing you have to go to only one place to find, report or bundle changes will simplify your life. You probably have a change management solution for the application side of the house; shouldn’t you have one for the system resources that drive those applications, too?