5.1.1.1.7 Procedures in place to evaluate when changes are needed to current software
The repository shall have procedures in place to evaluate when changes are needed to current software.
This is necessary to ensure that the repository has the capacity to make informed and timely decisions when information indicates the need for new software.
Evaluation procedures in place; documented staff expertise in each software technology subsystem.
Given information from technology watches or other technology monitoring notification systems, the repository should have procedures and expertise to evaluate this data and make sound decisions regarding the need for new software. The objective is to track when technology providers have developed software infrastructure that minimizes risk, or that minimizes cost, or that improves performance. This is necessary to track emerging technologies, and plan for upgrades before capacity limits occur. The evaluation should identify when the risk of using new technology outweighs the expected benefit, and when the new technology is sufficiently mature to minimize risk.
APTrust has multiple methods available for monitoring the performance of software, and evaluating when changes are needed.
At the application level, where APTrust is responsible, the AWS cloud-native tool CloudWatch provides log aggregation so that all application activities can be tracked. This includes database activity and some of the related services. CloudWatch also provides monitoring, via Container Insights, of the container infrastructure that APTrust is responsible for. Container resourcing, lifecycles, scaling, and network activity can all be tracked to determine whether changes are necessary.
At the platform level, such as ECS Fargate, AWS is responsible for any software changes and the related procedures. Should APTrust be required to take action for an update, a notification is sent with detailed information on impacts.
In each of the above cases, the APTrust technical staff – software engineer and devops engineer – create tickets in Trello to plan and test any related changes before implementation in production.
Update processes and monitoring documentation and define a review process to cover the current processes listed above.