
Governance Checks

Key Roles
Responsible: No-code Business Architect
Approve: No-code Stakeholder
Contribute: IT, Security, Data Stewards
Contribute: No-code Creator(s)
Stage 7: Governance Checks

    Introduction

    This Toolkit for Governance Checks provides example checklists and questions to help you deliver no-code applications with speed while still ensuring you haven’t ignored governance requirements. Conducting proper governance checks is crucial for ensuring that a development project complies with laws and regulations, adheres to industry standards, manages risks effectively, engages stakeholders, and delivers high-quality outcomes. This Toolkit outlines critical considerations and guidance on how to prepare for the checks, apply governance practices efficiently, and seek ways to automate governance where possible.

    The outcome of this stage should be a validated end-to-end no-code app that has passed all governance checks and is ready to begin final release go-live activities (which will be addressed in the next stage).

    Stage Pre-requisites/Inputs

    The primary inputs to this stage are as follows:

    • No-code Application: The primary input to this stage is the no-code app itself. The Prototype to MVP stage (Chapter 12) will have been completed and validated using the concurrent Feedback Loop (Chapter 13).

    • Completed Testing: At this point the application should have undergone testing and validation to ensure it meets the desired business and functional requirements. Only when these steps are complete should you begin executing governance checks, so that the checks are performed against the completed version of the application and reflect the final Go-Live release as closely as possible.

    • Governance Preparation: The planning and preparation for the Governance checks should have started much earlier – these can have a long lead time and may require involvement from a variety of internal functions or groups. So even in the earliest stages of your project (Business Use Case), you should have started to identify whether internal or external regulatory/security/compliance/data governance restrictions need to be taken into account so you can begin to plan; this will help you identify and assign the SMEs who should be involved during Stage 7 and who will help define and execute the necessary governance checks. It will also help ensure that, during the definition of the MVP plan in Project Assignment (Stage 4), you have sufficiently estimated the effort and time related to the Governance Checks.

    • Security Preparation: Finally, as discussed earlier, it’s recommended to engage with your IT / DevSecOps teams and Data Stewards during Design activities (Stage 5), so that they can advise on app design considerations. It also will help you prepare/conduct security or data privacy training within the no-code team that can be important to improving awareness on compliance and security best practices.

    Preparing Governance Checks

    The first step is preparing for Governance Checks by identifying the necessary policies and then mapping out the associated controls.

    Step 1: Identify/Review the Necessary Governance Policies

    • The first step is to ensure you have identified and reviewed the necessary governance policies for your development project. Governance policies are high-level statements or guidelines that outline an organization’s intentions, objectives, and principles regarding compliance and governance. They serve as the foundation for establishing a compliance framework and provide a framework for decision-making.

    • Policies typically address broad areas and set the direction for an organization’s compliance efforts. Earlier in the chapter we introduced four categories of governance:

      • External compliance checklists to assess compliance with external laws, guidelines, or regulations imposed by external governments, industries, and organizations. This includes examples such as GDPR, HIPAA, KYC, PCI, etc.

      • Internal compliance checklists imposed by internal audit teams or committees to enforce adherence to rules, regulations, and practices as defined by internal policies and access controls;

      • Security checklists to protect your corporate information resources from external or internal attacks; and

      • Data governance checks to assess how sensitive corporate data is managed and secured.

    • There are many online websites and resources that can help identify which governance and compliance rules apply, including Regulatory Agency Websites, Industry Associations and Organizations, and Government Portals and Databases. However, these resources can be complex for the average No-code team to navigate. If your No-code team (especially a DIY team) lacks the necessary expertise to determine which policies may apply, you should engage subject matter experts who can assist with the assessment and validation process. It’s strongly recommended to involve the No-code Architect and Governance Officer to ensure your application will not breach any rules of conduct or result in financial loss for the company.

    • As suggested above, it’s highly recommended to begin the process in the early stages of the No-code project (during Stages 1 or 2). However, if this has not occurred it’s never too late to start! (It just may lengthen this stage, as you may have to pause Go-Live activities for a longer period of time while you identify checks and secure resources.)

    Step 2: Determine the Criteria/Controls for Each Governance Check

    • While policies are high-level, controls on the other hand are specific measures or mechanisms implemented to ensure compliance with policies and regulatory requirements. They are operational in nature and serve as the practical safeguards that organizations put in place to achieve the desired compliance outcomes outlined in their policies. They should be specific so you can evaluate whether the project has met the governance requirements.

    • The following checklists may be used to help ascertain the most common governance checks.

    Check areas (with example criteria/controls for each)

    Compliance with Laws and Regulations

    • Do we have specific laws and regulations the application needs to comply with?

    • Have we identified all potential legal and regulatory risks associated with the application?

    • Have we established/do we need procedures for monitoring compliance with relevant laws and regulations?

    • Have we ensured that all data collected and processed by the application comply with relevant data protection and privacy laws (GDPR, CCPA, etc.)?

    • Are there any accessibility requirements the application must meet?

    • Is the application designed to comply with relevant security and confidentiality requirements?

    • Have we conducted a thorough risk assessment of the application to identify any potential vulnerabilities or weaknesses?

    • Are all third-party vendors and suppliers involved in the development and operation of the application in compliance with relevant laws and regulations?

    • Have we implemented/do we need appropriate controls and procedures to ensure ongoing compliance with relevant laws and regulations?

    Internal Policies and Procedures

    • What are the internal policies and procedures that the application needs to comply with?

    • How does the application support and enforce the company's code of conduct and ethics?

    • Does the application adhere to the company's standards for data protection, privacy, and confidentiality?

    • How does the application ensure compliance with company policies related to security, such as access controls and authentication mechanisms?

    • Are there any specific internal policies related to software development or application design that the application needs to comply with?

    • How does the application support the company's disaster recovery and business continuity plans?

    • Does the application support the company's change management policies and procedures?

    • How does the application ensure compliance with the company's vendor management policies and procedures?

    • Are there any internal compliance audits or assessments the application needs to pass?

    Risk Management

    • What are the risk management policies the application needs to comply with?

    • How does the application identify and assess risks associated with its use, such as data breaches or system failures?

    • What risk mitigation measures are in place to reduce the likelihood and impact of identified risks?

    • How does the application support incident management and response, including reporting and investigation procedures?

    • Does the application align with the company's risk appetite and tolerance levels?

    • How does the application ensure compliance with legal and regulatory requirements related to risk management, such as data protection laws?

    • How does the application support the company's business continuity and disaster recovery plans?

    • Are there any specific risk management standards or frameworks that the application needs to comply with, such as ISO 31000 or COSO ERM?

    • How does the application support the company's risk management culture and awareness, such as training programs for employees?

    • Are there any risk management audits or assessments the application needs to pass?

    Quality Assurance

    • What are the quality assurance policies and standards the application needs to comply with?

    • How does the application ensure it meets the required quality standards, such as performance and reliability?

    • What are the testing and validation procedures in place to ensure the application's functionality, usability, and security?

    • How does the application ensure it meets the company's design and development standards and procedures?

    • What documentation is in place to support quality assurance compliance, such as test plans and validation reports?

    • Does the application align with the company's quality management policies and procedures, such as ISO 9001 or Six Sigma?

    • What are the corrective and preventive actions the application takes to address quality issues and prevent their recurrence?

    • How does the application ensure compliance with legal and regulatory requirements related to quality assurance (e.g. FDA guidelines for medical devices)?

    • How does the application support continuous improvement and innovation in its design and development processes?

    • Are there any quality assurance audits or assessments the application needs to pass?

    Conducting Governance Checks

    Next, you will actually perform the Governance Checks by using the questionnaire built in the prior steps to evaluate the project’s compliance.

    Step 3: Evaluate the No-code Project

    The checks may be performed by various individuals or teams, depending on the organization's structure and resources. Here are some potential stakeholders involved in conducting governance checks:

    • No-code Team: The team responsible for building and maintaining the no-code application might perform initial governance checks if they have sufficient skills. In this model, the No-code Architect may be the one responsible for reviewing the application's security measures, code quality, and adherence to best practices.

    • Security Team: Organizations often have dedicated security teams responsible for assessing and ensuring the security of their applications. The security team can perform security assessments, penetration testing, vulnerability scanning, and code analysis to identify and mitigate security risks.

    • Compliance and Legal Experts: Internal compliance and legal experts with expertise in relevant regulations and standards can assist in performing governance checks. They can help ensure the application complies with industry-specific regulations, data protection laws, privacy requirements, and other applicable standards.

    • Data Protection Officer (DPO): If the no-code application handles sensitive user data, organizations may have a designated Data Protection Officer (DPO). The DPO can provide guidance on data protection requirements, oversee privacy compliance, and participate in governance checks related to data security and privacy.

    • External Auditors or Consultants: In some cases, organizations may engage external auditors or consultants with expertise in governance and compliance to conduct independent assessments. These auditors can provide an unbiased review of the application's governance controls and offer recommendations for improvement.

    • Management or Governance Committee: Depending on the organization's structure, a management or governance committee may be responsible for overseeing governance checks. This committee can provide guidance, set policies, review audit findings, and ensure appropriate actions are taken to address any gaps or non-compliance issues.

    It's important to adopt a collaborative approach, involving multiple stakeholders with the necessary expertise to conduct comprehensive governance checks for a no-code application. If the organization has implemented a Center of Excellence (CoE), the CoE will often play a key role in facilitating the involvement and collaboration of internal and external governance stakeholders.

    Step 4: Revise and Update

    Use the results of the questionnaire to revise and update the checklists and governance practices as necessary. Keep in mind that Governance checks should not be one-time activities, but instead treated as a continuous cycle. While this may be the first time you have gone through the process, you should keep in mind you are also laying the foundation for a process for regularly reviewing and updating the no-code application's governance controls. You will also need to ensure over time that someone (perhaps in the CoE or IT) is monitoring changes in standards and regulations and ensuring ongoing compliance.

    Automating Governance

    While it’s possible to test Governance checks in a completely manual fashion, this can result in having to plan for significant manual testing and validation steps with each release. Commonly this can result in delays, or may result in teams skipping Governance checks entirely in the hurry to speed an app to production. However, cutting corners on Governance will ultimately expose the project to risks and may mean that the project fails to meet the necessary standards, requirements, and expectations.

    Though still only available from some leading no-code vendors, it's highly recommended to start to consider automation of your Governance checklists. Governance automation capabilities can help accelerate your efforts by providing a base set of Data Governance, Operational Governance, and User Access and Security policies; however, you also need to make sure any pre-built rules can be easily updated and extended to ensure compliance with your specific industry or functional standards.

    The following examples are a representative sample of the categories of pre-defined controls that should be part of a Governance automation solution. They may not be present in your vendor’s no-code platform, but they represent a key set of critical capabilities that should be part of its roadmap.

    Data Governance

    • Restrict access for ‘All portal users’ for data object with sensitive content

    • Data object must be accessible for at least one user

    • Data Archiving

    • Sensitive data change log

    • Sensitive data mapping

    • Records administration for data with sensitive content

    • Columns administration for data with sensitive content

    • Operations administration for data with sensitive content

    • Restrict column/record administration access on data objects with sensitive content

    • Restrict administrative operations access on data objects with sensitive content

    Operational Governance

    • License expiration control

    • Package schema publication error

    • Secure SVN Integration on production environment

    • Custom package usage

    • Disable business process tracing

    • Disable business process element logging

    • Restrict employee self-management

    • Manager assignment for employees

    • Manager is empty for CEO

    • Unpublished changes in package configuration schema

    Security Governance

    • Redis access control

    • Security headers for HTTPS connection control

    • HTTPS enforcement

    • File upload restrictions

    • Disable development in file system on production environment

    • Exclusion of development applications in production environment

    • Debug mode enablement

    • Enable security context in business processes

    User Access Governance

    • Passwords breach control

    • Suspicious authentication attempts control

    • Access for data export

    • User password change policy

    • System administrator rights

    • Password complexity

    • Whitelist for Test Users

    • LDAP Authentication for Users

    • User deactivation for terminated employees

    • User Activation for Working Employees
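    To show what an automated governance check looks like in practice, here is an added example (not the toolkit's or any vendor's code) that evaluates three of the pre-defined controls above against a constructed, in-memory description of a no-code app's metadata; the field names and the “All portal users” role are assumptions for this example.

```python
# Hypothetical automated governance-check runner (added example, not the
# toolkit's or any vendor's code). It evaluates three of the pre-defined
# controls above against a constructed description of app metadata; the
# field names and the "All portal users" role are assumptions.
from dataclasses import dataclass, field

@dataclass
class DataObject:
    name: str
    sensitive: bool                 # flagged by the sensitive-data mapping
    access_roles: set = field(default_factory=set)  # roles granted access

@dataclass
class User:
    login: str
    active: bool                    # account can still sign in
    employed: bool                  # still listed by HR as employed

def check_sensitive_not_public(objs):
    """Control: restrict access for 'All portal users' on sensitive data objects."""
    return [o.name for o in objs if o.sensitive and "All portal users" in o.access_roles]

def check_object_accessible(objs):
    """Control: a data object must be accessible to at least one role/user."""
    return [o.name for o in objs if not o.access_roles]

def check_terminated_deactivated(users):
    """Control: user deactivation for terminated employees."""
    return [u.login for u in users if u.active and not u.employed]

def run_governance_checks(objs, users):
    """Map control name -> offending items; an empty dict means every check passed."""
    findings = {
        "sensitive_object_public": check_sensitive_not_public(objs),
        "object_without_access": check_object_accessible(objs),
        "terminated_user_active": check_terminated_deactivated(users),
    }
    return {name: items for name, items in findings.items() if items}

# Constructed sample metadata for the demo run (not from a real platform).
SAMPLE_OBJECTS = [
    DataObject("Contact", sensitive=True, access_roles={"All portal users", "Sales"}),
    DataObject("Invoice", sensitive=True, access_roles={"Finance"}),
    DataObject("LegacyNotes", sensitive=False),          # nobody can reach it
]
SAMPLE_USERS = [
    User("alice", active=True, employed=True),
    User("bob", active=True, employed=False),            # terminated, still active
    User("carol", active=False, employed=False),
]

if __name__ == "__main__":
    # Prints each failed control together with the items that triggered it.
    for control, items in run_governance_checks(SAMPLE_OBJECTS, SAMPLE_USERS).items():
        print(f"FAIL {control}: {items}")
```

    Wiring a runner like this into each release pipeline is what turns the checklist from a one-time gate into the continuous cycle described in Step 4.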
