DevOps SOX Compliance
Tags: sox, compliance, devops
Problem
I'm coming from the dark side, compliance, and am looking to gain better knowledge on DevOps & how to implement SOX controls on these processes. I'm hoping to build a good knowledge base in order to be able to recommend controls that will provide good assurance to the auditors while minimizing the impact on the actual operations. Also, so that when I meet with our internal DevOps teams, I can speak knowledgably on this.
I've done some research through ISACA whitepapers and various other sources:
- https://www.oreilly.com/learning/compliance-as-code
- https://www.oreilly.com/webops-perf/free/devopssec.csp?intcmp=il-webops-free-product-na_new_site_compliance_as_code_text_cta
- https://www.contino.io/insights/why-devsecops-is-an-auditors-best-friend
- https://start.jcolemorrison.com/
Do you have any other suggestions on resources for building control frameworks for DevOps workflows? Or just DevOps in general?
Solution
What you are looking for is compliance and security for containers. There are companies that can do this out of the box for you, and even though I'm not advocating for either, you can see what they offer and use that as a template.
https://www.twistlock.com/platform/container-compliance/
https://www.aquasec.com/use-cases/container-auditing-compliance/
As a HIPAA security officer and DevOps manager, I've been reviewing these processes. The way to think of DevOps in your sense is probably the automation and culture of ship fast, fail early and fail often. The goal is to not disrupt the pipeline from security and compliance. Technically, this looks like adding automated compliance checks in the pipeline before, during and after go-live. As automation gets built, you can replace the automation with a manual process. You can check out subjects like DevSecOps, which is the same concept of ensuring compliance and probably closer to what you'll need to do.
Here's an AWS diagram that might help: https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
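As an added example (not from the answer above, nor from any of the linked products), here is a small Python gate of the kind the answer calls an automated compliance check in the pipeline: it evaluates SOX-style change-management controls (segregation of duties, independent review, passed tests, ticket traceability) for one deployment record and emits a JSON evidence line for the auditor. The field names, the approval threshold and the sample records are constructed assumptions.

```python
"""SOX-style change-management gate for one deployment, with audit evidence.
Constructed example, not a product's or the answer author's code."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

REQUIRED_APPROVALS = 1  # assumption: one reviewer other than the author

@dataclass
class ChangeRecord:
    change_id: str
    author: str
    approvers: list
    ci_status: str    # "passed", "failed" or "missing"
    ticket: str       # linked change ticket, "" if none
    deployed_by: str
    environment: str  # "staging" or "production"

def evaluate_change(rec: ChangeRecord) -> list:
    """Return the failed controls; an empty list means the gate is open."""
    failures = []
    independent = [a for a in rec.approvers if a != rec.author]
    # Segregation of duties: nobody approves their own change.
    if len(independent) != len(rec.approvers):
        failures.append("SOD: author approved own change")
    # Peer review: enough approvals from people other than the author.
    if len(independent) < REQUIRED_APPROVALS:
        failures.append("REVIEW: fewer than required independent approvals")
    # Testing control: the automated test stage must have passed.
    if rec.ci_status != "passed":
        failures.append(f"TEST: ci_status is {rec.ci_status!r}")
    if rec.environment == "production":
        if not rec.ticket:  # traceability to an approved change ticket
            failures.append("TRACE: no change ticket linked")
        if rec.deployed_by == rec.author:  # SoD at deploy time too
            failures.append("SOD: author deployed own change to production")
    return failures

def evidence_record(rec: ChangeRecord, failures: list) -> str:
    """One JSON line of evidence; append it to write-once storage for the auditor."""
    return json.dumps({
        "change_id": rec.change_id, "author": rec.author, "approvers": rec.approvers,
        "deployed_by": rec.deployed_by, "environment": rec.environment,
        "result": "fail" if failures else "pass", "failures": failures,
        "checked_at": datetime.now(timezone.utc).isoformat()}, sort_keys=True)

# Constructed sample: one clean change, one the author approved and deployed alone.
GOOD = ChangeRecord("CHG-1001", "alice", ["bob"], "passed", "TKT-77", "deploy-bot", "production")
BAD = ChangeRecord("CHG-1002", "carol", ["carol"], "passed", "", "carol", "production")
EVIDENCE = [evidence_record(r, evaluate_change(r)) for r in (GOOD, BAD)]
```

Each evidence line is what you would hand to the auditor as proof that the control ran for that change; the gate result decides whether the pipeline's deploy stage proceeds.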
Context
StackExchange DevOps Q#4173, answer score: 3