My notes from the DevOps Handbook

by Gene Kim, Jez Humble, Patrick Debois, John Willis

68. What to do when changes are categorized as normal changes

Normal changes will require approval from at least a subset of the change advisory board before deployment.

We must ensure that any submitted change requests are as complete and accurate as possible, giving the change advisory board everything they need to properly evaluate our change.

Automate the creation of complete and accurate RFCs, populating the ticket with details of exactly what is to be changed.

Describe the context of the change: why we are making the change, who is affected by the change, and what is going to be changed.

Share the evidence and artifacts that give us confidence that the change will operate in production as designed.

Reduce reliance on separation of duty

As complexity and deployment frequency increase, performing production deployments successfully requires everyone in the value stream to quickly see the outcomes of their actions.

Avoid using separation of duties as a control. Instead, choose controls such as pair programming, continuous inspection of code check-ins, and code review.

Ensure documentation and proof for auditors and compliance officers

Send all data into our telemetry systems, such as Splunk or Kibana. This way auditors can get what they need entirely through self-service: they log into Kibana and search for the audit evidence they need for a given time range.