IT Governance for Lotus Notes: Segregation of Duties--Part 1
Bookmark :
One of the key tenants of many IT governance initiatives is something called segregation of duties. The basic concept is that there should never be a single person who has control of any single process. In the Notes development world the most common place this shows up is when you want to deploy some new design changes to production applications. There are usually a number of things that have to happen during this process, the most important being to prepare the template, move the template, and then update all the designs for the applications based on that template. In the past, this process is usually handled by development. Development knows what the changes are so they can just apply the changes directly to the applications (assuming they haven't already just been developing in production, which is a completely different problem). Sometimes these changes may go beyond the design and affect the scheduling of agents and what roles different people get in the ACL. Segregation of duties in this case is usually seen as straight forward to implement--developers will not have design or manager rights to those applications in production and the administration staff can do the deployment. However, this just shifts the problem from one group to another. The problem wasn't that the development staff was applying the changes, the problem was that they were in control of the entire process. The risk is that whichever group is doing it, other changes could be made at the same time that were not authorized. You can't just have the administration team do it as they could be doing the same thing.
In the second part of this post, I will talk more about what you should be doing to actually make segregation of duties work. IT Governance for Lotus Notes: Segregation of Duties--Part 2