Security & Risk Management group) 1. Authentication/authorization decisions 2. System and data access 3. System and application changes, especially privileged changes 4. Data changes (CRUD) 5. Invalid CREATE SELF-SERVICE ACCESS TO TELEMETRY AND INFORMATION RADIATORS i. Spread the information – anyone who wants or needs the information can readily access it without production access or other privileged TESTING INTO OUR RELEASE i. A/B testing requires fast CD to support ii. Use feature toggles to control experiments, cohort creation, etc. iii. Use telemetry to measure outcomes iv. Etsy open-sourced

practices does not guarantee program success, as many variables that affect success lie outside the control of the government program manager and his team. In the government context, Agile represents a good existing enterprise architectures, frameworks, standards, or interfaces?  Can the development team access architecture documents and systems?  Are owners/representatives from these enterprise areas involved dependencies on existing or planned capabilities must be understood. Some programs may use a Change Control Board for some of the larger backlog grooming decisions. In an Agile environment, users often

as Code  Turned over repeatable and automatable tasks to the product team wherever possible. Control our destiny  Started to engineer solutions for issues related to product configuration and deployment Route Adds – requires heightened security access  Database Data Script Execution  Load Balancer Node Disablement  OS and Security Patching  Requesting access to technology specific dashboards and consoles

container security, east/west traffic management, a zero-trust model, a whitelist, Role-Based Access Control (RBAC), continuous monitoring, signature-based continuous scanning using Common Vulnerabilities

advance, and that we have a way to (try to) control them.  The relationship between uncertainty, risk, and change is far too complicated for such control when delivering IT systems, where complexity silos in a way that values skills and contributions. Shadow IT—rogue IT, IT that is out of the control of the IT organization. It is what has saved IT up to this point. It is a powerful phenomenon that that we have not yet learned to take advantage of, caught up as we are in the contractor-control model of IT. Shadow IT is what happens when the IT organization is unable to meet the needs of a part of

environments matched Prod. They fixed forward, but changes not put back into version control. Focused on version control and automated environment creation – time reduced from 8 weeks to 1 day b. ENABLE system are shared in a version control repository ii. Version control is for everyone in the value stream iii. Everything, everything, everything is checked into version control 1. Application code & dependencies includes pre-production and build processes 9. Tools iv. 2014 State of DevOps Report – use of version control by Ops was the highest predictor of both IT performance & organizational performance d. MAKE INFRASTRUCTURE

of the time, the tasks would spend in queue a total of nine hours time the seven steps…” Change Control  “We need to tighten up our change controls… what’s preventing us from getting there?”  “That right.” Lesson: Don’t let your change control process become a change prevention process. Don’t let your change control board become a bottleneck. The change control board is not the place to decide whether whether a change is a good idea, the role of change control board is to ensure changes have been properly coordinated with and agreed to by proper stakeholders. Attributions [1] Amazon, http://www.amazon

integrity and code signing – all contributors should have their own key and sign all commits to version control. All created packages should be signed and hash recorded for auditing h. ENSURE SECURITY OF OUR types of test code) 4. Ensure every CI process is in an isolated container 5. Make the version control credentials of the CI system read-only 3. Ch. 23 – Protecting the Deployment Pipeline a. INTEGRATE demonstrate high success rates and low MTTR iii. Link and provide traceability from planning to version control to production implementation for visibility and auditing c. WHAT TO DO WHEN CHANGES ARE CATEGORIZED

dominated the IT world because it appears to offer predictability, control, and efficiency, the key values of the contractor-control model. But it doesn’t. Requirements: Requirements are a way of controlling used to set boundaries for developers when they began a project. In other words, a vehicle for control. But standardization also imposes costs by:  limiting agility and adding bureaucratic waste: exceptions nevertheless gives all stakeholders good insight into the status of the initiative. It allows me to have control—or at least influence—over the direction of the initiative. It is based on a positive, supportive

GIT is a version control system that is used for software development and other version control tasks. As a distributed revision control system it is aimed at speed, data integrity, and support for