Booklet: Development and Acquisition
Section: Maintenance
Subsection: Library Controls

Libraries are collections of information, typically segregated by the type of stored information, such as development, testing, and production-related programs, data, or documentation.

Management should strictly control access to all libraries and the movement of programs and files between libraries. Programming personnel should not move programs into or out of production libraries. Library controls provide ways to manage the movement of programs between development, testing, and production environments. Management should assign librarian functions to independent quality assurance and production control personnel in larger institutions or to supervisory personnel in smaller institutions.

Commensurate with the complexity of their technology environments, organizations should consider using automated change controls. Regardless of the use of automated change control tools, management should strictly control access to production software libraries, particularly in distributed environments.

Management should establish appropriate controls to manage the movement of modified programs between libraries. The controls should include:

- Assignment of library custodian responsibilities;
- Verification of program integrity before programs are transferred to production libraries;
- Approval procedures for promoting programs into production;
- Password controls on all libraries or objects within libraries; and
- Automated library programs that restrict library access and identify who accessed a library and what, if any, changes were made.