RE: i5 Youngsters

[PaulMmn <PaulMmn@xxxxxxxxxxxxx>]

Our SOX procedure for PTFs is:

	-Request permission for installation of PTF (or PTF Cume)
	-co-worker agreement
	-manager approval

		above 3 steps are run through a PC task routing 
system (on a portal); don't ask me which one!
		The record of these are the documentation for the 
auditors that it was requested and approved.

	-install on test machine
	-wait a week
	-install on live machine

The auditors have been convinced that the list of PTFs from IBM is 
sufficient documentation; we've explained that it's a package, and 
that we do not pick and choose which ones to install, and that if IBM 
says it's needed, it's needed, and we install it.  Period.

Part of the SOX auditing is to make sure that we have internal 
procedures to handle things like changes.  And that if we've written 
up something as part of the procedure, are we following our own 
rules.  We got dinged because our procedures specified that changes 
to production data would be requested on the Official Change Live 
Data Request Form, and we had some changes that, although signed by 
the same people who sign the Official Form, were not on the Official 
Form.  We re-wrote the procedure to say Official Form or other piece 
of paper.  *sigh*

--Paul E Musselman
PaulMmn@xxxxxxxxxxxxxxxxxxxx




At 8:25 AM -0600 1/16/08, Jones, John (US) wrote:
> Change management is much, much more than a log of the change.  It
> includes the request for the change, an approval of the change, the
> implementation of the change, verification that the change was done and
> that it works as advertised, and a back out plan in case the change has
> to be un-done.  Ideally it includes a testing phase where the change is
> tested in a non-production environment.