Information Security: Software Change Controls at the Social Security Administration [open pdf - 52KB]
"This letter summarizes the results of our recent review of software change controls at the Social Security Administration (SSA). Controls over access to and modification of software are essential in providing reasonable assurance that system-based security controls are not compromised. […]In January 1998, GAO reported2 that SSA had established a goal to achieve a level 2, or repeatable, software process maturity based on the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model for Software3 as part of its initiative to improve software processes. SSA's software process improvement initiatives include several activities related to improving software change controls. The software maintenance activity process will be improved. A process for assessment and implementation of software tools to manage software through its life cycle and control movement of program code will be established. A Configuration Control Board process and procedures will be developed."
Government Accountability Office (GAO): http://www.gao.gov/