I have a customer who is being dogged pretty hard by SOX auditors regarding the deployment practices of our ASP.NET applications. Care is taken to be sure to use appropriate file- and folder-level security and authorization. Only those few with deployment privileges can copy an app up to the production server (typically done using secure FTP).

However, the file/folder-level security and the requirement of secure FTP isn't enough for the bean counters. They want system logs of who deployed what when, what version replaced what version (and why), and generally lots of other minutiae designed to keep the business from being Office Spaced (the bean counters apparently want the rounded cents all to themselves).

What are your suggestions for making the auditors happy? We don't mind throwing some dollars at this (in fact, I think we would probably throw big dollars at a good enough solution).

+1  A: 

You might want to take a look at the auditing features provided by NTFS.

Mehrdad Afshari
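As an added illustration of the NTFS auditing this answer points at (example code, not the poster's), the following PowerShell turns on the "File System" audit subcategory and puts a SACL entry on the deployment folder so that every successful or failed write or delete there lands in the Security event log with the account that did it. The folder path, the use of `Everyone` as the audited principal, and running it as an administrator are assumptions.

```powershell
# Added example (not from the original answer): audit writes and deletes to an
# ASP.NET deployment folder so the Security log records who changed what, when.
# $deployRoot is an assumed path; run elevated (SACL changes need SeSecurityPrivilege).
$deployRoot = 'D:\inetpub\wwwroot\MyApp'

# 1. Without the audit policy enabled, SACL entries never produce any events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an inherited SACL entry: audit Write/Delete by any principal, success and failure.
$rights = [System.Security.AccessControl.FileSystemRights]::Write -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $deployRoot -Audit   # -Audit loads the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $deployRoot -AclObject $acl

# 3. Pull the resulting object-access events (ID 4663) for the auditors' report.
# Property index 1 is SubjectUserName and index 6 is ObjectName in a 4663 event.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Properties[6].Value -like "$deployRoot*" } |
    Select-Object TimeCreated,
                  @{ Name = 'User';   Expression = { $_.Properties[1].Value } },
                  @{ Name = 'Object'; Expression = { $_.Properties[6].Value } }
```

The rights mask deliberately leaves out `ReadData`, because auditing reads on a web root that IIS serves continuously would flood the log; the events you want are the ones that change content. Forward the Security log to a collector the deployers cannot write to, otherwise the trail is only as trustworthy as the server it sits on.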
+4  A: 

You probably want to look at an automated deployment solution, and you are going to need a formal change control process. We use AnthillPro. It can track what version was deployed and when.

To satisfy SOX we had a weekly meeting of what was getting deployed when. It had to be approved by the compliance manager, and each deployment needed to have a form filled out explaining what, why and how something was being changed. Once the form was filled out, a third person had to be involved to make the change (not the person requesting or approving; neither of them can have access to the production environment, because of the separation of duties rule you have to follow), and the change was based off of what was in the "change document", with no outside communication from the person making the request. Once deployed, all people had to sign off that it was done and when.

Kevin
+3  A: 

It shouldn't be too hard to meet the requirements; it might require some changes to your development processes, but it's definitely possible.

What you need is:

  • A task tracking system, showing descriptions of work, and approvals
  • The ability to link documents, as well as packages to this system.
  • A test system to test your deployments onto.
  • Finally all deployments must be done via installation packages, and other scripted means.
  • Any manual changes must be documented and approved too.

Also turn on auditing, run regular security tests, and document almost everything.

All of this is possible with a number of systems, the biggest change is the changes to your internal processes.

Bravax
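Both Kevin's and Bravax's answers come down to the same controls: deployments only through a script or package, tied to an approved change record, with a record of who deployed which version over which version. As an added example that is not the code of either poster or of any product they mention, this PowerShell deployment script refuses to run without a change-ticket id, snapshots what is currently in production before replacing it, and appends a hash-chained audit line for each deployment. The paths, the `CHG-nnnn` ticket format, and the assumption that the package is a zip whose `bin` folder carries the versioned assembly are all made up for the example.

```powershell
# Added example (not from the original answers): scripted deployment with a
# required change ticket and an append-only, hash-chained audit log.
# All paths and the ticket id format are assumptions for illustration.
param(
    [Parameter(Mandatory)][string]$PackagePath,    # zip produced by the build server
    [Parameter(Mandatory)][string]$ChangeTicket,   # id of the approved change document
    [string]$DeployRoot = 'D:\inetpub\wwwroot\MyApp',
    [string]$AuditLog   = 'D:\deploy-audit\deployments.jsonl'
)
$ErrorActionPreference = 'Stop'

# No approved change record, no deployment. The deployer identity is taken from
# the logged-on account, so the log shows the third person who actually ran it.
if ($ChangeTicket -notmatch '^CHG-\d{4,}$') {
    throw "Deployment blocked: '$ChangeTicket' is not an approved change ticket id."
}
$deployer     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$packageHash  = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash

# Record what is being replaced: the file version of the assembly now in production.
$binDir     = Join-Path $DeployRoot 'bin'
$oldDll     = Get-ChildItem -Path $binDir -Filter '*.dll' -ErrorAction SilentlyContinue | Select-Object -First 1
$oldVersion = if ($oldDll) { $oldDll.VersionInfo.FileVersion } else { $null }

# Snapshot the current site so the rollback path is itself part of the record.
$logDir = Split-Path -Parent $AuditLog
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
$backup = Join-Path $logDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
if (Test-Path $DeployRoot) { Copy-Item -Path $DeployRoot -Destination $backup -Recurse }

# The only way content reaches the web root: unpacking the hashed package.
Expand-Archive -Path $PackagePath -DestinationPath $DeployRoot -Force
$newDll     = Get-ChildItem -Path $binDir -Filter '*.dll' -ErrorAction SilentlyContinue | Select-Object -First 1
$newVersion = if ($newDll) { $newDll.VersionInfo.FileVersion } else { $null }

# Each audit line carries the hash of the previous line, so removing or editing
# an earlier entry breaks the chain when an auditor walks the file.
$prevHash = 'GENESIS'
if (Test-Path $AuditLog) {
    $lastLine = Get-Content -Path $AuditLog -Tail 1
    if ($lastLine) { $prevHash = ($lastLine | ConvertFrom-Json).entryHash }
}
$entry = [ordered]@{
    timestamp     = (Get-Date).ToString('o')
    deployer      = $deployer
    ticket        = $ChangeTicket
    package       = $PackagePath
    packageSha256 = $packageHash
    oldVersion    = $oldVersion
    newVersion    = $newVersion
    backup        = $backup
    prevHash      = $prevHash
}
$body  = $entry | ConvertTo-Json -Compress
$sha   = [System.Security.Cryptography.SHA256]::Create()
$entry.entryHash = ([BitConverter]::ToString($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($body)))) -replace '-', ''
Add-Content -Path $AuditLog -Value ($entry | ConvertTo-Json -Compress)
```

Run it as `.\Deploy-App.ps1 -PackagePath .\MyApp-1.4.2.zip -ChangeTicket CHG-0042`. The script gives the auditors the "who, what, when, which version replaced which, and under which approval" in one line per deployment; the separation-of-duties part still has to come from the process Kevin describes (the account that runs this must not be the one that raised or approved the ticket), and the log directory should be writable only by the deployment account and readable by audit, or better, shipped off the box.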