It’s interesting: “large” (Fortune 500) companies with IT depts, each of them have their own way of doing things, their own policies and procedures, etc.
Unisys was a bit “loosey-goosey” with the app I worked on, allowing the developers to move new code into production (I.e., having privileged / admin access). While, both Wells Fargo and USPS, definitely did NOT and do NOT allow this to be done (aka: IT 101, separation of duties – an auditing requirement – to prevent programmers from putting in code that will either 1., crash the system if said programmer is fired, or 2., take a penny out of each account, each day, and place it into said programmers checking account – if you have a million customer accounts, it adds up).
Well, without mentioning the name of this new company I’m work for, it seems there isn’t a policy of “separation of duties” (in the dept. I’m in), and the developers there can move code into production, delete existing code (by accident or on purpose), and/or add new data, modify or delete existing data (again, by accident or on purpose).
Pretty scary stuff, if you think about it. While at USPS, the policy of “separation…” caused enormous red-tape, and was one of the many reasons why I left. But, it’s necessary – you don’t want any of the above situations happening.
Not going to say anything yet (don’t want to “make waves”), but will be mentioning this to the manager perhaps at the end of the contract and/or when/if I get hired.
Last thought on this subject: the app at Unisys was supported by the “help desk” dept., who had their own team of developers/admins, instead of it being supported by the IT application dept. At USPS, the app was supported by the IT app dept., which is why they had more rigorous controls in place. This new firm: the app isn’t supported by IT applications people, it’s supported by a “user” dept within IT, much like Unisys.
More later on this topic, once I can figure out how to mention it, without pissing off my team lead. Kinda surprised the auditors haven’t picked up on this yet.
[this is just a theoretical posting – all companies mentioned by name or not, were only theoretical examples of how IT depts at different companies may or may not handle things.]