Compliance @ Velocity
Justin Arbuckle VP EMEA, Chief Enterprise Architect - CHEF
The promise of the coded business
Diagram labels: journey time, quality, std., scale, velocity, consistency
Transformation to high-velocity through standards
Regulatory compliance frameworks
• OFAC
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Red Flags Rule
• Bank Secrecy Act
• Sarbanes-Oxley
• Regulation E
• Dodd-Frank
• False Claims Act
• HIPAA
• European Central Bank regulations
• Prudential Regulation Authority
• Financial Conduct Authority
• HITECH
• PCI DSS
All of these entail action by IT Security, Internal Audit, IT Audit and Compliance officers.
The compliance cycle
4 Rule Types
Axes: Now / Later; How / What
• Sequence: Authentication before action. Authentication in AD and ITSM. Security review before production deployment.
• State: Customer data and form data not logically co-resident. NTP installed. SELinux installed AND Centrify Agent. Digital Guardian and NOT sudo.
• Supervision: Audit trail of changes and approval.
• Scope: Third party access via named accounts. Splunk access to global logs only.
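The four rule types above, expressed as executable policy checks in Ruby. This is an added illustration, not code from the talk or from Chef; the node facts, the named-account list and the audit events are constructed, and each check returns the violations it finds.

```ruby
# Added example (not from the talk): the four rule types as policy-as-code checks.
# Node facts, named accounts and audit events below are constructed for illustration.
require 'set'

NODE = { packages: Set['ntp', 'selinux', 'centrify-agent', 'digital-guardian'],
         sudo_installed: true, customer_data: true, form_data: false }
NAMED_ACCOUNTS = Set['alice', 'bob', 'acme-jsmith']   # person-bound accounts only
EVENTS = [                                            # constructed audit trail
  { at: 1, actor: 'alice', action: 'authenticate' },
  { at: 2, actor: 'alice', action: 'deploy', approval: 'CHG-0001' },
  { at: 3, actor: 'acme-shared', action: 'authenticate' },
  { at: 4, actor: 'acme-shared', action: 'read_logs', approval: 'CHG-0002' },
  { at: 5, actor: 'bob', action: 'deploy' },          # no authentication, no approval
]

# State: what must (not) be true on the node right now; returns failed rule names.
def state_violations(node)
  pk = node[:packages]
  { 'NTP installed' => pk.include?('ntp'),
    'SELinux AND Centrify agent' => pk.include?('selinux') && pk.include?('centrify-agent'),
    'Digital Guardian AND NOT sudo' => pk.include?('digital-guardian') && !node[:sudo_installed],
    'customer/form data not co-resident' => !(node[:customer_data] && node[:form_data]),
  }.reject { |_, ok| ok }.keys
end

# Sequence: an actor must authenticate before any other action; returns offending events.
def sequence_violations(events)
  authed = Set.new
  events.sort_by { |e| e[:at] }.reject do |e|
    authed << e[:actor] if e[:action] == 'authenticate'
    authed.include?(e[:actor])
  end
end

# Supervision: every change must carry an approval reference in the audit trail.
def supervision_violations(events, changes = %w[deploy])
  events.select { |e| changes.include?(e[:action]) && e[:approval].nil? }
end

# Scope: access only through named accounts, never shared or generic ones.
def scope_violations(events, named)
  events.reject { |e| named.include?(e[:actor]) }.map { |e| e[:actor] }.uniq
end

def compliance_report(node = NODE, events = EVENTS, named = NAMED_ACCOUNTS)
  { state: state_violations(node), sequence: sequence_violations(events),
    supervision: supervision_violations(events), scope: scope_violations(events, named) }
end
```

Running compliance_report against the constructed data flags the sudo install (state), bob's unauthenticated deploy (sequence and supervision) and the shared vendor account (scope).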
Reconciling compliance and velocity
Changing stereotypes of compliance / audit / security:
• from Chicken to Pig
• from Interpret to Express
• from Periodic to Continuous
A single accelerated cycle
Practical Stuff
1. Identify an initiative that is on your compliance dashboard
2. Scope a narrow pilot to implement policy-as-code
3. Embed appropriate compliance staff in the project
4. Jointly define what you wish to standardize with policy
5. Improve standardization over multiple iterations
6. Re-allocate the team to spawn other policy-as-code projects in other areas
@dromologue #CATV #Compliance@Velocity