CM to improve safety and security

Configuration Management (CM) needs to be a core process in software development and IT service management. In engineering disciplines, the product or service is known to be only as good as the process used to create it or run it. CM focuses on establishing and maintaining consistency, provides the control and tracking throughout the lifecycle, and provides the visibility to demonstrate that processes have been followed. Without this level of control and oversight, and lack of systematic change, any number of issues can be introduced during software, product or service development lifecycle such as:

  • Incorrect requirements being accepted
  • Incorrect designs being implemented
  • Incorrect software tools and languages used for development
  • Testing of the wrong software or software versions
  • Performing the wrong tests of software and services
  • Release of incorrect versions of software
  • Release of upgrades which undo previously fixed issues
  • Wrong staff being recruited and the wrong training provided
  • Incorrect policies and product or service reviews being undertaken
  • Incorrect documentation being supplied

These issues can result in:

  • Wasted effort and money
  • Late delivery of software, solutions and upgrades
  • Failure to meet service level agreements
  • Security flaws introduced which leave data and customers exposed
  • Safety issues introduced or not prevented which lead to personal injury or death

Although this might initially sound over-dramatic to some, a look through history at some of the disasters reported in the media, show this is clearly not the case.  CM originated in the US Department of Defence and is one of the controls to help mitigate against the introduction of safety and security issues. CM includes:

  • Configuration Items – artefacts must be identified along with details of what information will be stored and how it will be controlled
  • Change Management – control of how, when, what and where changes may be performed along with review and oversight.
  • Version Control – controlling access to artefacts and maintaining a history of changes to each artefact.
  • Release Management – focus on the delivery of software, products and services outside of the departments and teams responsible for development
  • Baseline – an identified set of files and directories used for one specific complete configuration of the system. Where version control identifies specific version of individual files, the baseline includes details of the specific version used for the complete system.
  • Branch – identifies the point in time where two independent configurations diverge. From this point, systems evolve independently. Where historical problems are identified and fixed, the fix needs to be applied to multiple branches. Different customers can have different branches depending on the circumstances, and baselines can be applied to different branches.