DTS POLICY 4000-0001
Next Review: February 2024
Reviewed Date: February 2023
Reviewed By: Mark Schultz
Authority: UCA 63A-16-103
Effective Date: January 28, 2013
This policy provides the foundation for the State of Utah Division of Technology Services enterprise application and database deployment process.
The Enterprise Application and Database Deployment Policy will develop and establish essential and proper controls to ensure a clear separation of duties between developing and deploying applications and databases to minimize security risk; to meet due diligence requirements pursuant to applicable state and federal regulations; to enforce contractual obligations; and to protect the State’s electronic information and information technology assets.
This policy applies to all executive branch agencies and administrative subunits of state government. UCA 63F-1-102(6)
In rare circumstances, associates not normally authorized to perform application and database deployments may need to be authorized to perform them. In such instances, a business case for non-compliance must be established and the request for exemption approved in advance through a risk acceptance process where the Chief Information Officer or authorized designee is notified and approval for the exception is granted.
2.1 Separation of Duties
A basic security principle states that no one person should be able to effect a breach of security on their own. Separation of duties requires that the people or teams who make changes to production source code or production databases hand those changes to another person or team, who then deploys them into production. Separation of duties limits the power or influence held by any individual or group of people.
With regard to application and database deployment within the State of Utah, separation of duties will be used to manage and mitigate any conflict of interest or potential for fraud, including collusion, that may exist for any individual or group. Any person or group responsible for writing or maintaining code or databases will not be the same person or group responsible for deploying changes to that code or database.
All in-house developed and purchased software and databases will be deployed to Production environments following a formally documented process that ensures a clear separation between those who develop the software and databases and those who deploy them, and that adheres to the provisions stated within this policy.
3.1 Roles and Responsibilities
Application Development staff, including Programmers, Database Administrators (DBAs), contractors, etc., will create application code and database tables in support of Agency business systems. They will also install or deploy the development and testing tools used in the process of developing application code and databases.
Assigned Operational DBA groups will deploy all in-house developed and purchased databases to production environments. They will also work directly with Application Development staff to schedule and automate database deployment processes.
Enterprise Hosting and Operations will deploy all in-house developed and purchased software to Production environments. They will also work directly with Application Development staff to schedule and automate application deployment processes.
Agency Application Development teams and Campus Hosting and Operations teams will work from an agreed upon documented process.
3.2 Change Management
Every mission-critical production business application and database must follow the DTS Change Management Policy and Process which includes a provision for backing out (rollback) of deployments if they fail.
3.3 Audit and Accountability
Periodic audits will be conducted to ensure the development and database teams’ deployment processes are formally documented and followed.
3.4 Policy Compliance
Systems and protocols should be in place for monitoring, identifying and correcting possible violations. A management environment should exist that is both supportive and encourages compliance. Training should be provided for employees to help ensure compliance.
Violation of this policy may be the basis for discipline including but not limited to termination. Individuals found to have violated this policy may also be subject to legal penalties as may be prescribed by state and/or federal statute, and/or regulation.