Report on the Description of the National Settlement Depository Controls, Suitability of Controls Design and Operating Effectiveness,
12 October, 2015
30
Objective 6. Controls provide reasonable assurance that changes to existing systems and applications are authorized, tested,
approved, properly implemented, and documented
Ref # Control procedure
Testing performed
Results of tests
6.1
The development, testing and production environments are
separated.
Observed IP addresses of development, testing and productive
environments for the systems and noted that environments are
separated.
No exceptions noted
6.2
Before being developed all future requests for system changes
are approved and combined into releases by the Products and
Projects Committee (CPP).
For a sample of changes inspected
the CPP protocols and
ensured that all changes were approved before being developed.
No exceptions noted
6.3
Release management is performed based on a release schedule
plan for the year approved by the CPP.
Observed release managing process and noted that all releases
were planned according to the release schedule plan.
No exceptions noted
6.4
Before being implemented into the production environment all
developed changes are subject to all required tests (system,
module, stress, integration, etc.) by business users and IT.
If exceptions in test results are identified, changes are sent to
re-development.
For a sample of changes inspected
testing procedure and
ensured that all changes were tested before being completed.
No exceptions noted
6.5
Before being implemented to the production environment all
changes to the systems are agreed with the Change Committee.
For a sample of changes inspected
the Change Committee
protocols and ensured that all changes were agreed before being
implemented.
No exceptions noted
