Phase 6: Operations & Maintenance (BAU)
Once a solution is live, it enters the Operations and Maintenance phase, also known as Business As Usual (BAU). For the Osborn project, this phase is focused on ensuring the ongoing security, stability, and integrity of the application in the production AWS environment through continuous monitoring and periodic reviews.
Key Activities
1. Security Operations and Administration
- Routine Security Tasks: Recurring security activities, including periodic risk assessments, must be performed throughout the solution's life cycle, not only at launch.
- Vulnerability Scanning: The Omnicom Security Operations vulnerability scanning process (DAST) is configured for the Osborn application and runs on the standard schedule. Findings are triaged and remediated through the change process described below.
- Penetration Testing: The Osborn application is included in the Omnicom annual penetration testing program.
- Change Management: All changes to the production environment are controlled by the Omnicom Change Management Process, which for Osborn is implemented via the Jira and Bitbucket workflow.
2. Operational Assurance and Monitoring
- Application Performance Monitoring (APM): The Osborn project uses an error-tracking and performance-monitoring tool such as Sentry, New Relic, or Datadog, as detailed in the Backend Best Practices.
- Security Control Validation: Operational systems are reviewed to ensure that all security controls (both automated and manual) are functioning correctly.
- Log Management:
  - Operational system logs are reviewed periodically to evaluate the security posture of the system.
  - All application logs from the Django backend and from the supporting AWS services are forwarded to Omnicom's SIEM (Security Information and Event Management) tool, Devo, through the approved integration, so that Osborn events can be correlated with events from other Omnicom systems. Because a broken forwarding pipeline silently blinds the SIEM, log delivery to Devo should be confirmed as part of the security control validation above.
- System and User Monitoring: Ongoing monitoring of systems and users is implemented to detect security incidents and unauthorized changes.
- Access Reviews: User access to the application must be reviewed at least quarterly. This is especially critical in Osborn's multi-tenant environment, where the review must confirm that each user's privileges are scoped to the correct tenant and role and that accounts which no longer require access have been removed, per the Access Control Policy on IT Central.
This continuous monitoring and assurance process ensures that the application remains secure and compliant throughout its operational life, feeding back into the lifecycle for any future changes, patches, or enhancements.