COMPUTER SECURITY
ITEM 1
During our review of application change management utilized by the Texas Lottery, we
noted the following weaknesses:
- Although procedures exist relating to change management of applications, these are
  neither formalized nor completely documented by management;
- Programmers have the ability to migrate code directly into the production
  environment;
- Controls regarding the segregation of the logical development, test and production
  environments are not completely effective and need improvement;
- Emergency fixes are performed directly into the production environment without
  subsequent controlled review;
- Formal procedures that would detect an unauthorized migration into the production
  environment do not exist; and
- Management does not regularly or methodically review code changes moved into
  production.
RISK 1
Strong change management policies and procedures help management ensure that only
requested, authorized, and tested changes are moved into the production processing
environment. The lack of formalized procedures increases the risk that management's
intentions and wishes related to production program changes are not known or followed.
In addition, without the strict and monitored segregation of development, test and
production environments, there is an increased risk that either an unauthorized user can
access the sensitive production applications or an unauthorized change can be introduced
into the production environment, causing potential undesired events such as data loss or
sensitive data release.
RECOMMENDATION 1
The Texas Lottery should develop a strong change management methodology governing
all critical production applications. This methodology should, at a minimum, ensure a
segregation of the development, test, and production environments, and should enforce a
strict procedure for the migration of code into the production environment. This
methodology should also include provisions to detect attempts to migrate unauthorized code
into the production environment, as well as the periodic and methodical review by
management of the change management process. Finally, this methodology should also
contain provisions covering the procedures and controls for emergency bug fixes.