Chef: Compliance @ Velocity
- 4. Regulatory compliance frameworks
• OFAC
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Red Flags Rule
• Bank Secrecy Act
• Sarbanes-Oxley
• Regulation E
• Dodd-Frank
• False Claims Act
• HIPAA
• European Central Bank regulations
• Prudential Regulation Authority
• Financial Conduct Authority
• HITECH
• PCI DSS
All of these entail action by IT Security, Internal Audit, IT Audit and Compliance officers.
- 6. 4 Rule Types
Axes: Now / Later; How / What
Sequence
• Authentication before action
• Authentication in AD and ITSM
• Security review before production deployment
State
• Customer data and Form data not logically co-resident
• NTP installed
• SELinux installed AND Centrify Agent
• Digital Guardian and NOT sudo
Supervision
• Audit trail of changes and approval
Scope
• Third party access via named accounts.
• Splunk access to global logs only.
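The four rule types above, written out as an added example in plain Ruby (not Chef or InSpec DSL, and not from the original deck): each rule becomes a predicate over constructed node facts or a constructed change log, with the node and log contents assumed for illustration.

```ruby
# Added example (plain Ruby, not Chef/InSpec DSL): the four rule types from the
# slide as predicates over constructed node facts and a constructed change log.
NODE = { # constructed node facts: packages, data placement, Splunk index access
  packages: %w[ntp selinux-policy centrify-agent digital-guardian sudo],
  data_stores: { customer_data: "db-prod-1", form_data: "db-prod-1" },
  splunk_indexes: %w[global app-secrets]
}.freeze
EVENTS = [ # constructed change log, oldest first
  { type: :auth,   who: "alice", system: "AD" },
  { type: :auth,   who: "alice", system: "ITSM" },
  { type: :review, who: "bob",   target: "release-42" },
  { type: :deploy, who: "alice", target: "release-42", approved_by: "bob" }
].freeze
# State: boolean predicates over the node as it is now
def state_rules(node)
  pkgs = node[:packages]
  { "NTP installed" => pkgs.include?("ntp"),
    "SELinux AND Centrify agent" => pkgs.include?("selinux-policy") && pkgs.include?("centrify-agent"),
    "Digital Guardian AND NOT sudo" => pkgs.include?("digital-guardian") && !pkgs.include?("sudo"),
    "Customer and form data not co-resident" =>
      node[:data_stores][:customer_data] != node[:data_stores][:form_data] }
end
# Sequence: event type `first` must occur in the log before event type `second`
def before?(events, first, second)
  i = events.index { |e| e[:type] == first }
  j = events.index { |e| e[:type] == second }
  !i.nil? && !j.nil? && i < j
end
def sequence_rules(events)
  { "Authentication before action" => before?(events, :auth, :deploy),
    "Security review before production deployment" => before?(events, :review, :deploy) }
end
# Supervision: every deploy carries approval by someone other than the deployer
def supervision_rules(events)
  deploys = events.select { |e| e[:type] == :deploy }
  { "Audit trail of changes and approval" =>
      deploys.all? { |e| e[:approved_by] && e[:approved_by] != e[:who] } }
end
# Scope: Splunk access limited to the global index
def scope_rules(node)
  { "Splunk access to global logs only" => node[:splunk_indexes] == ["global"] }
end
def evaluate(node = NODE, events = EVENTS)
  [state_rules(node), sequence_rules(events), supervision_rules(events), scope_rules(node)].reduce(:merge)
end
# Rule names that fail; an empty list means the node is compliant
def failures(node = NODE, events = EVENTS)
  evaluate(node, events).reject { |_, ok| ok }.keys
end
```

With the constructed facts, the state rules for sudo and data co-residency and the Splunk scope rule fail, while the sequence and supervision rules pass against the constructed log.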
- 10. Practical Stuff
1. Identify an initiative that is on your compliance dashboard
2. Scope a narrow pilot to implement policy-as-code
3. Embed appropriate compliance staff in the project
4. Jointly define what you wish to standardize with policy
5. Improve standardization over multiple iterations
6. Re-allocate the team to spawn other policy-as-code projects in other areas