Achieving compliance with regulatory frameworks such as SOX, PCI and HIPAA is a nightmare. Many fear that these regulations introduce new risk, and that they lack the know-how to navigate the regulatory requirements in the context of a functioning DevOps environment.
This article is a continuation….
Current approaches to Compliance
Customers are taking different approaches.
- Prescriptive
- Descriptive
Components of Risk to Compliance
Multiple elements need to be considered from an audit perspective and addressed as part of the DevOps implementation.
- Governance Domains
- Access controls
- Scope
- Privacy
- Authorizations
- Approvals
- Separation of duties
- Consistency
- Audit
- Assurance
- Risk Management
- Corrective actions
DevOps Implementation to achieve Compliance
We recommend incorporating the following considerations and design elements into the overall DevOps implementation plan. As with any implementation, the depth and breadth of each factor will vary with the industry, your situation and the maturity of the development organization.
- Automation: integrate automation into the pipeline so that automated tests run on every build, only software without known vulnerabilities is used, and hardened infrastructure is deployed into the various operating environments.
- Integrate security and audit dimensions into the process, giving thoughtful consideration to both security and audit requirements.
- Review Change Management
- Incident Management and response
- Security and Access Management
- CI/CD pipeline for consistent changes
- Near Real-time Management reporting
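The automation, approvals, separation-of-duties and audit items above are easiest to see as a pipeline gate that is evaluated on every build. The following is an added example, not code from this article or from Invati: it assumes a hypothetical build-evidence record (test result, approver list, dependency-scan findings) and shows a gate that blocks promotion when tests fail, when a finding exceeds the agreed severity threshold, or when the only approver is the change author, while emitting a JSON audit record for each decision. The sample builds and advisory identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
import json

# Ordering used to compare scanner severities against the allowed threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    """One known vulnerability reported against a build dependency."""
    component: str
    version: str
    advisory: str      # advisory identifier; sample values below are placeholders
    severity: str      # one of the keys in SEVERITY_RANK


@dataclass
class BuildRecord:
    """Evidence the pipeline collected for one build (hypothetical schema)."""
    build_id: str
    author: str                                    # who made the change
    tests_passed: bool                             # result of the automated test stage
    approvals: list = field(default_factory=list)  # reviewers who approved the change
    findings: list = field(default_factory=list)   # output of the dependency scan


def evaluate_build(build, max_allowed_severity="MEDIUM", required_approvals=1):
    """Apply the compliance gate and return (allowed, reasons).

    reasons lists every failed control, so the audit record explains a block
    instead of only reporting that the build failed.
    """
    reasons = []

    # Control: automated tests must run and pass on every build.
    if not build.tests_passed:
        reasons.append("automated tests did not pass")

    # Control: only software without known vulnerabilities above the agreed
    # threshold may be promoted to an operating environment.
    limit = SEVERITY_RANK[max_allowed_severity]
    for f in build.findings:
        if SEVERITY_RANK[f.severity] > limit:
            reasons.append(
                f"{f.component} {f.version} has {f.severity} finding {f.advisory}")

    # Control: approvals and separation of duties. The author may not be the
    # only approver of their own change.
    independent = [a for a in build.approvals if a != build.author]
    if len(independent) < required_approvals:
        reasons.append(
            f"needs {required_approvals} independent approval(s), has {len(independent)}")

    return (not reasons, reasons)


def audit_record(build, allowed, reasons):
    """Serialise the decision as one JSON line for the audit log and reporting."""
    return json.dumps({
        "build_id": build.build_id,
        "author": build.author,
        "approvals": build.approvals,
        "decision": "ALLOW" if allowed else "BLOCK",
        "reasons": reasons,
    }, sort_keys=True)


# Constructed sample builds; the advisory ids are placeholders, not real data.
COMPLIANT_BUILD = BuildRecord(
    build_id="build-101", author="alice", tests_passed=True,
    approvals=["bob"],
    findings=[Finding("libfoo", "1.2.3", "ADV-PLACEHOLDER-1", "LOW")],
)

BLOCKED_BUILD = BuildRecord(
    build_id="build-102", author="carol", tests_passed=True,
    approvals=["carol"],                 # self-approval only
    findings=[Finding("libbar", "0.9.0", "ADV-PLACEHOLDER-2", "HIGH")],
)

if __name__ == "__main__":
    for b in (COMPLIANT_BUILD, BLOCKED_BUILD):
        ok, why = evaluate_build(b)
        print(audit_record(b, ok, why))
```

Running the script prints one audit line per build; the second build is blocked for two independent reasons (a HIGH finding and no independent approver), which is the kind of evidence an auditor wants to see retained per change rather than a single pass/fail flag.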
To enable companies to better manage their compliance, Invati has developed a proven methodology to rapidly ensure your DevOps practices stay compliant at low cost and with minimal disruption. Please talk to us if you need a quick assessment of how you can stay compliant, or to learn more about leading practices for improving what you have already implemented.