
How to customize the Jenkins Audit Trail plugin per business requirements

First, I am trying to set up and use the Jenkins Audit Trail plugin. I have to keep an audit trail of the following information:

Auditability Requirements

Please note that in addition to the specific elements listed below, to properly associate and report each unique event, the following elements will also need to be captured and reported:

  • Unique APP ID (EAMS/TM ID?)
  • Unique reporting system ID
  • Unique change #
  • Date and time of the event

We need to ensure that every log/event source can be uniquely tracked back to its source and the APP/Release being reported on, so as to ensure accurate and complete data.


Delivery Level Requirements (Standard Changes)

| Possible Element to Capture as Evidence | Why | What | Comments |
|---|---|---|---|
| Associated approved request or incident # | Per Change Control requirements, changes must be done for a documented and approved reason. | Through automation, auditors must be able to ensure that each change is tied to an approved request, incident or normal operational requirement. | Change Management and System Acquisition Development and Maintenance Standards |
| Developer ID; Peer Reviewer ID | SoD requirement | Through automation, auditors must be able to ensure that the Developer's code is reviewed and approved by a 2nd person before being merged. | Segregation of Duties Standard |
| Developer ID; Test Script Author ID; Test Script Approver ID | SoD requirement | Through automation, auditors must be able to ensure that the test script used to test the change is either written by someone other than the change developer or reviewed and approved by someone other than the developer. | Segregation of Duties Standard |
| Developer ID; Tester ID | SoD requirement | Through automation, auditors must be able to ensure that manually tested changes are tested by someone other than the developer. | Segregation of Duties Standard |
| Developer ID; Change Approver ID; Test Result Summary | SoD requirement | Through automation, auditors must be able to ensure that the test results are reviewed and approved by someone other than the developer (can be combined with next row). | Segregation of Duties and Change Management Standards |
| Developer ID; Change Approver ID | SoD requirement; Owner approval for change deployment | Through automation, auditors must be able to ensure that the change is approved for distribution by an authorized person who is not the developer (can be combined with previous row). | Segregation of Duties and Change Management Standards |
| Developer ID; Deployer ID | SoD requirement | Through automation, auditors must be able to ensure that manually deployed changes are deployed by someone other than the developer. | Segregation of Duties Standard |
| TBD (may be excluded from automation) | Changes must be validated and requests/incidents not left open. | Evidence that the change was deployed successfully and the tied request or incident (if applicable) is closed. | Called for in SCRP S-Ox testing requirements. Need to confirm if still required and possible for automation. Need to look at standardizing the change control register to ensure all tickets are handled similarly and can be tracked uniformly. |
| App ID; Release ID; Vulnerability Scan Summary | Secure Coding | Through automation, security scan results (SAST and SCA) must be reported to appropriate teams within Information Security. | Application Security Testing Standard |


Delivery Level Requirements (Emergency Changes)

| Possible Element to Capture as Evidence | Why | What | Comments |
|---|---|---|---|
| Associated incident # | Per Change Control requirements, changes must be done for a documented and approved reason. | Through automation, auditors must be able to ensure that each emergency change is tied to an incident. | Change Management and System Acquisition Development and Maintenance Standards |
| Developer ID; Change Approver ID; Time after change deployed before approved | SoD requirement; Owner approval for change deployment | Through automation, auditors must be able to ensure that the emergency change is approved post distribution by an authorized person who is not the developer. | Segregation of Duties and Change Management Standards |
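The checks the two tables ask for, written out as an added example that is not part of the original post and not code from the Audit Trail plugin: a small Python checker reads audit records as JSON lines and reports missing tracing elements, segregation-of-duties violations and the post-deployment approval lag for emergency changes. The record layout (field names such as developer_id, change_approver_id, deployed_at) and the sample records are assumptions constructed for the example, not the plugin's own log format; the "TBD" closure-evidence row is not modelled.

```python
"""Segregation-of-duties and traceability checks over constructed audit records.

Field names are assumed for this example; they are not the Jenkins Audit
Trail plugin's own format.
"""
import json
from datetime import datetime

# Elements every event must carry so it can be traced back to its source
REQUIRED_COMMON = ("app_id", "reporting_system_id", "change_number", "event_time")

# Role pairs that must be held by different people (the SoD rows of the table)
SOD_PAIRS = (
    ("developer_id", "peer_reviewer_id", "code must be reviewed by a 2nd person"),
    ("developer_id", "tester_id", "manual testing by someone other than the developer"),
    ("developer_id", "change_approver_id", "test results and deployment approved by a non-developer"),
    ("developer_id", "deployer_id", "manual deployment by someone other than the developer"),
)


def emergency_approval_lag_hours(rec):
    """Hours between deployment and post-deployment approval; None if not yet approved."""
    if not rec.get("deployed_at") or not rec.get("approved_at"):
        return None
    deployed = datetime.fromisoformat(rec["deployed_at"])
    approved = datetime.fromisoformat(rec["approved_at"])
    return (approved - deployed).total_seconds() / 3600


def check_record(rec):
    """Return a list of audit findings for one change record (empty means it passes)."""
    findings = []
    for field in REQUIRED_COMMON:
        if not rec.get(field):
            findings.append(f"missing {field}")
    emergency = rec.get("change_type") == "emergency"
    # Every change must be tied to an approved request or incident
    if emergency:
        if not rec.get("incident_number"):
            findings.append("emergency change not tied to an incident")
    elif not (rec.get("request_number") or rec.get("incident_number")):
        findings.append("change not tied to an approved request or incident")
    # Pairwise SoD checks; a pair is only checked when both roles are recorded
    for role_a, role_b, why in SOD_PAIRS:
        if rec.get(role_a) and rec.get(role_b) and rec[role_a] == rec[role_b]:
            findings.append(f"SoD violation: {role_a} == {role_b} ({why})")
    # Test script: written by someone else, OR approved by someone else
    dev = rec.get("developer_id")
    author = rec.get("test_script_author_id")
    approver = rec.get("test_script_approver_id")
    if dev and author == dev and (not approver or approver == dev):
        findings.append("test script written by the developer and not approved by another person")
    # Emergency changes are approved after deployment; record that this happened
    if emergency:
        lag = emergency_approval_lag_hours(rec)
        if lag is None:
            findings.append("emergency change has no post-deployment approval recorded")
        elif lag < 0:
            findings.append("emergency approval timestamp precedes deployment")
    return findings


def audit(log_text):
    """Parse JSON-lines audit records and map change number -> findings."""
    report = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            report[rec.get("change_number", "<no change #>")] = check_record(rec)
    return report


# Constructed sample records (assumed layout, not real audit data)
_COMMON = {"app_id": "APP-123", "reporting_system_id": "jenkins-prod-01",
           "event_time": "2024-03-01T09:00:00+00:00"}
SAMPLE_RECORDS = [
    # Standard change with every role held by a different person: passes
    {**_COMMON, "change_number": "CHG-1001", "change_type": "standard", "request_number": "REQ-55",
     "developer_id": "alice", "peer_reviewer_id": "bob", "test_script_author_id": "alice",
     "test_script_approver_id": "bob", "tester_id": "carol", "change_approver_id": "dave",
     "deployer_id": "erin"},
    # Developer reviewed, approved and deployed her own change with no request: many findings
    {**_COMMON, "change_number": "CHG-1002", "change_type": "standard",
     "developer_id": "alice", "peer_reviewer_id": "alice", "test_script_author_id": "alice",
     "tester_id": "carol", "change_approver_id": "alice", "deployer_id": "alice"},
    # Emergency change approved 3.5 hours after deployment by a non-developer: passes
    {**_COMMON, "change_number": "CHG-1003", "change_type": "emergency", "incident_number": "INC-9",
     "developer_id": "alice", "change_approver_id": "dave",
     "deployed_at": "2024-03-01T10:00:00+00:00", "approved_at": "2024-03-01T13:30:00+00:00"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for change, findings in audit(SAMPLE_LOG).items():
        print(change, "OK" if not findings else findings)
```

Running it prints CHG-1001 and CHG-1003 as OK and lists five findings for CHG-1002 (no request, three SoD violations, and a test script that the developer both wrote and left unapproved). The pairwise checks only fire when both roles are present in a record, so a missing role shows up as a gap in the required-element check rather than as a false SoD pass.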
