CHANGE CONTROL SOFTWARE PROVIDES COMPREHENSIVE METHODOLOGY FOR MANAGING THE PROGRAM UPDATE CYCLE

By Joseph DiMarcantonio

Joseph DiMarcantonio is development manager for the LIBRARIAN Change Control Facility with Applied Data Research, Inc. in Princeton, New Jersey.

In recent years, the importance of change management and EDP auditing has grown significantly in most data processing installations. Auditing firms routinely inspect their clients' MIS departments to ensure that critical business software systems are sound and secure. If the software responsible for the company's financial transactions and record keeping isn't completely documented and maintained by properly authorized individuals, the organization will be ordered to make changes.

Recently, for example, the senior managers of a major southern bank looked at the bank's source code control procedures. They saw a situation that was probably no different from what a majority of sites in the country face in their data centers: little control over the program development cycle. A programmer was updating source modules without authorization. Multiple programmers were updating the same source module and overlaying each other's changes. Many source modules were falling between the cracks of the bank's backup procedures. If a program abended in the middle of the night, it was often difficult to find the source code that generated the production level of the program.

After auditors ordered the bank to develop much tighter controls on its investment in software, the bank implemented a change control strategy for managing changes to existing and new source code. The strategy included a change control product which ensured that:

o Changes in the code going into production were authorized and verified.
o The code stored in the production source library matched what was run in execution libraries.
o All changes made to production source were completely audited.

Protecting Software Integrity

As this example illustrates, a data processing organization must be able to determine the point at which programs are being modified and who is modifying them. If programmers have uncontrolled access to production source code, site management has little chance of preventing unauthorized or unexpected changes that can adversely affect production systems.

According to the American Institute of Certified Public Accountants, data processing management must be assured that program changes are implemented as authorized, all authorized changes are made, and unauthorized changes are prevented or detected. To fulfill these requirements, a site must adopt a systematic approach of controlling access to production source modules.

The primary purpose of a change control system is to impose management control over the application development environment without affecting productivity. Sites should be able to control the update cycle of production applications without adopting a new set of procedures or changing the way they do business. Ideally, automated change control should reduce a site's administrative overhead.

The most effective change control systems are designed around interactive panels that guide users through the change cycle. These panels simplify system operation, provide accountability and reporting facilities, and increase programmer productivity.

For sites running multiple operating systems, controlling changes is further complicated by the differences in the library systems of the various environments. Since sharing of libraries across operating systems isn't a native capability of the operating systems, it's difficult to control simultaneous access to modules across multiple environments.

To maximize the useful life of an application, sites must be able to track an application's initial development and then document subsequent changes in sufficient detail to support future extensions.

Common Control Point

A comprehensive change control product must have at its core a comprehensive set of library management facilities. Before effective change management can be implemented, a site's software must be organized, with adequate security and recovery procedures instituted.

The change control product should include a library system that can be shared among the various operating systems, providing a common control point for all production change requests. Programmers can then use the library system in a fashion consistent with their existing operating environment. Sites migrating to a new environment don't have to convert their libraries or spend time retraining programmers in its use.

Similarly, these sites can use the library system as a program development tool and a repository for production source code. To be an effective development tool, the library system must operate as an integrated part of the user's operating environment.

Managers, programmers and auditors should be able to routinely determine the function of programs or program changes by analyzing the source code. Unfortunately, the code stored in the production source library isn't always the source from which the executable module was created. A change control product should manage not only the promotion of source code to production libraries, but the compile and link edit procedures as well. Users should be able to compare executable modules with the corresponding production source to ensure they are synchronized.

An overriding concern of management is maintaining the integrity of the organization's mission-critical software, whether developed internally or purchased from an outside vendor. Change control products must work in concert with security tools, allowing management to prevent all modules in the production master file from being updated or accessed without proper authority.
By channeling all requests for production source through the change control system, tracking of all activity is guaranteed, thus ensuring management control.

Complete Audit Trail

An automated change control product must provide management and auditors with a complete audit trail detailing each change to a program's source code, including information on who made the change, when and why.

Management and programmers should be able to display or print standard reports detailing change activities, both planned and completed, and the status of work in progress. For managers, this includes reports summarizing open, closed, and assigned change requests, and source modules currently outstanding. Reports detailing change history are invaluable to programmers and systems personnel responsible for debugging and maintaining individual programs.

The LIBRARIAN from Applied Data Research, Inc., Princeton, NJ, is one product which meets these requirements. The LIBRARIAN's library management facilities consist of a highly sophisticated and flexible storage medium for source code and other types of data, and a collection of service routines for storing and retrieving them. A single LIBRARIAN master file can be simultaneously read and updated from MVS, VSE and CMS, both online and in batch.

To maintain the integrity of the user's applications, The LIBRARIAN's statement level archiving facility will keep a complete audit trail of each line of source code that is added, modified or deleted. The audit trail is automatically built as a transparent part of the update process, and the entire history of changes is maintained in the member, making any level immediately accessible online.

The LIBRARIAN Access Method (LIB/AM) provides complete integration with the operating environment. Source modules stored on a LIBRARIAN master file and their associated parts (COPY books, MACROs, etc.) can be compiled and linked directly from a master file using standard JCL.
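
To make the idea of a statement-level audit trail concrete, the following is an added example, not code from The LIBRARIAN or from the article: a small Python model in which every source line records the level that added it and the level that deleted it, so any earlier level can be rebuilt and each change traced to who, when and why. The names Member, Statement and build_demo, the user IDs and the change request numbers are all assumptions constructed for illustration.

```python
import difflib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Statement:
    text: str
    added: int                     # level that introduced this line
    deleted: Optional[int] = None  # level that removed it; None while live

@dataclass
class Member:
    statements: list = field(default_factory=list)  # live and archived lines, in order
    levels: list = field(default_factory=list)      # (who, when, why); index 0 is level 1

    def update(self, new_lines, who, when, why):
        """Store new_lines as the next level, archiving every changed statement."""
        self.levels.append((who, when, why))
        level = len(self.levels)
        live = [k for k, s in enumerate(self.statements) if s.deleted is None]
        old = [self.statements[k].text for k in live]
        ops = difflib.SequenceMatcher(None, old, new_lines, autojunk=False).get_opcodes()
        for tag, i1, i2, j1, j2 in reversed(ops):  # back to front keeps indexes valid
            if tag in ("delete", "replace"):       # a modified line is delete + add
                for k in live[i1:i2]:
                    self.statements[k].deleted = level
            if tag in ("insert", "replace"):
                at = live[i2] if i2 < len(live) else len(self.statements)
                self.statements[at:at] = [Statement(t, level) for t in new_lines[j1:j2]]
        return level

    def at_level(self, n):
        """Rebuild the source exactly as it stood at level n."""
        return [s.text for s in self.statements
                if s.added <= n and (s.deleted is None or s.deleted > n)]

    def history(self):
        """Audit trail rows: (level, who, when, why, action, text)."""
        rows = []
        for s in self.statements:
            rows.append((s.added, *self.levels[s.added - 1], "added", s.text))
            if s.deleted is not None:
                rows.append((s.deleted, *self.levels[s.deleted - 1], "deleted", s.text))
        return sorted(rows, key=lambda r: r[0])

def build_demo():
    """Two constructed levels of a three-line module (sample data, not real source)."""
    m = Member()
    m.update(["MOVE ZERO TO TOTAL.", "ADD AMOUNT TO TOTAL.", "DISPLAY TOTAL."],
             "PGMR01", "1988-09-01", "CR-0001 initial version")
    m.update(["MOVE ZERO TO TOTAL.", "ADD AMOUNT TO TOTAL ROUNDED.", "DISPLAY TOTAL.",
              "STOP RUN."], "PGMR02", "1988-09-14", "CR-0042 rounding fix")
    return m
```

Because deleted statements stay in the member with their level numbers, the trail cannot drift from the source it describes: the same records serve both reconstruction and reporting.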

The LIBRARIAN Change Control Facility (LIB/CCF) is an interactive, dialog-based application that provides LIBRARIAN users with a comprehensive change control methodology. It extends The LIBRARIAN's control, auditing, and recovery capabilities by providing managers with systematic implementation procedures and a full range of tracking and reporting facilities. LIB/CCF was recently extended to the VSE environment, making it the first product to support change control across any combination of VSE, CMS and MVS.

In conclusion, a complete change control system should provide MIS organizations with:

o A strategy for managing changes to source and for developing new source code, and a complete audit trail of all changes;
o Synchronization between load modules and their corresponding source;
o Online and batch reporting for individual tasks or the entire project;
o Management control over parallel development;
o Options for handling control and quality assurance groups.

A sound change control methodology should be built on a strong library management system, one that contains the benefits of operating system transparency, programmer productivity and, most importantly, strict management control.