Libraries are collections of information, typically segregated by the type of stored information, such as development, testing, and production-related programs, data, or documentation.
Management should strictly control access to all libraries and the movement of programs and files between libraries. Programming personnel should not move programs into or out of production libraries. Library controls provide ways to manage the movement of programs between development, testing, and production environments. Management should assign librarian functions to independent quality assurance and production control personnel in larger institutions or to supervisory personnel in smaller institutions.
Commensurate with the complexity of their technology environments, organizations should consider using automated change controls. Regardless of the use of automated change control tools, management should strictly control access to production software libraries, particularly in distributed environments.
Management should establish appropriate controls to manage the movement of modified programs between libraries. The controls should include:
- Assignment of library custodian responsibilities;
- Verification of program integrity before programs are transferred to production libraries;
- Approval procedures for promoting programs into production;
- Password controls on all libraries or objects within libraries; and
- Automated library programs that restrict library access and identify who accessed a library and what, if any, changes were made.
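
The controls listed above can be enforced together by a promotion gate. The following is an added example, not part of the original guidance: the account names, the `ChangeRecord` fields, and the use of SHA-256 as the integrity check are assumptions, and user authentication (the password control) is assumed to happen before `promote` is called.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

CUSTODIANS = {"qa_lib01", "prodctl02"}  # constructed librarian accounts

@dataclass
class ChangeRecord:
    program: str
    developer: str
    tested_sha256: str               # digest recorded at test sign-off
    approver: Optional[str] = None   # who approved promotion, if anyone

def promote(artifact, rec, actor, prod_library, audit_log):
    """Copy a tested program into production only if every control passes."""
    digest = hashlib.sha256(artifact).hexdigest()
    if actor not in CUSTODIANS:
        reason = "actor is not a library custodian"
    elif actor == rec.developer:
        reason = "programmers may not move their own programs"
    elif rec.approver is None or rec.approver == rec.developer:
        reason = "missing or non-independent approval"
    elif digest != rec.tested_sha256:
        reason = "artifact differs from the tested version"
    else:
        reason = None
        prod_library[rec.program] = artifact
    # Every attempt is logged, allowed or denied: who, what, and the outcome.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "program": rec.program, "sha256": digest,
        "result": "promoted" if reason is None else "denied: " + reason,
    })
    return reason is None

if __name__ == "__main__":
    tested = b"PAYROLL v2 tested build"   # constructed sample artifact
    rec = ChangeRecord("payroll", "dev_amy",
                       hashlib.sha256(tested).hexdigest(), approver="mgr_lee")
    prod, log = {}, []
    promote(tested, rec, "dev_amy", prod, log)           # denied: not a custodian
    promote(tested + b"!", rec, "qa_lib01", prod, log)   # denied: modified after test
    promote(tested, rec, "qa_lib01", prod, log)          # promoted
    for entry in log:
        print(entry["actor"], entry["program"], entry["result"])
```

Denied attempts are logged with the digest of what was offered, so a reviewer can see both who tried to move a program and whether it matched the tested build.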