
Change management

Overview

We follow a modern interpretation of the Three Lines of Defense (3LoD) risk management framework. Rather than inserting manual approval gates that act as human blockers and bottlenecks, we operate as cross-functional teams: major stakeholders and subject matter experts, such as product managers and security analysts, define practices and standards up front, and those standards are then enforced through tooling and automated testing. The principles that make this possible are Shift Left, Continuous Delivery (CD), and Automated Testing. How this works:

First Line (Cross-Functional DevOps Teams) → Ownership & Automation

  • DevOps teams take ownership of secure coding and compliance.
  • Security & compliance are built into the CI/CD pipeline.
  • Automated risk controls ensure compliance before deployment.

Second Line (Security & Compliance Enablement) → Guardrails & Policies

  • Security/Compliance teams define governance policies.
  • Provide or advise on implementing self-service security tools (e.g., Software Composition Analysis, Dynamic Application Security Testing, automated compliance testing).
  • Act as advisors, not blockers.

Third Line (Independent Audit & Monitoring) → Continuous Assurance

  • Internal auditors validate adherence to regulatory requirements.
  • Regular security reviews and automated compliance monitoring.
  • Automated and AI-driven runtime monitoring for risk detection.

Change Management Process

The full process is defined in our SDLC process; in summary, every change goes through the following steps:

  • Planning & Requirement Analysis
  • Design & Architecture
  • Development (Continuous Integration + Shift Left Testing)
  • Automated Testing & Validation (e2e & Synthetic Testing)
  • Continuous Delivery (CD)
  • Monitoring & Feedback