Normal changes will require approval from at least a subset of the change advisory board before deployment.
We must ensure that any submitted change requests are as complete and accurate as possible, giving the change advisory board everything they need to properly evaluate our change.
Automate the creation of complete and accurate RFCs, populating the ticket with details of exactly what is to be changed.
Describe the context of the change: why we are making the change, who is affected by the change, and what is going to be changed.
Share the evidence and artifacts that give us confidence that the change will operate in production as designed.
As complexity and deployment frequency increase, performing production deployments successfully requires everyone in the value stream to quickly see the outcomes of their actions.
Avoid using separation of duties as a control. Instead, choose controls such as pair programming, continuous inspection of code check-ins, and code review.
Send all data into our telemetry systems, such as Splunk or Kibana. This way, auditors can get what they need, completely self-serviced. They log into Kibana and then search for the audit evidence they need for a given time range.