Engineering Services and Testing CMDC Policies and Standards

[mcleo-d]

Engineering Services and Testing CMDC Policies and Standards

This discussion has been introduced to start planning how CDMC Policies and Compliance Standards will be engaged, engineered and tested by the Compliant Financial Infrastructure and Open Compliance for CDMC project teams.

It has been recognised that there is potential for CDMC Policies and Standards to be engineered at the Service Level, i.e. individual services created through Terraform and other IaC means, and at the CSP Infrastructure Level, which is out reach from engineers and requires the CSPs to configure directly.

The following diagrams illustrate the relationship between CDMC and FINOS projects, alongside two diagrams that explain the scenarios above and which propose two potential routes forwards. These potential routes are open for debate, modification and complete reshaping in this discussion.

Scenario 1 : Tested IaC Service Per Cloud Service Provider

Summary

• Cloud service IaC is developed according to Compliant Financial Infrastructure prioritised backlog.
• Probr tests run against individual cloud service providers.
• BDD results aggregated in API reporting system. See Scenario 2.

Scenario 2 : Cloud Service Providers Register Compliance

Summary

• Cloud service providers register their own CDMC compliance against a FINOS / LF hosted reporting API.
• Reports are aggregate with Probr test results from IaC service development and testing.
• Reporting and API System to be determined.

[noelmcloughlin]

Looking at the diagram, CDMC TSWG produce "detailed technical spec for compliance tests".
Usually standards groups issue these as PDF specifications.
What artifacts are in the "BDD Compliance test pack"?
Are they machine readable and agnostic to Compliance Check Service implementation?
I see Terraform specifically mentioned, but to avoid design bias, I'd emphasize "IAC" more generally to avoid decoupling to tools.

[mcleo-d]

Hi @noelmcloughlin - Thanks so much for your questions and feedback. Let me pull @eddie-knight, @peterrhysthomas and @abdullahgarcia into the conversation alongside @CrypticFrog and @gibsocol 👍🏻

[mcleo-d]

Hi @noelmcloughlin - I have added this discussion to the Compliant Financial Infrastructure agenda for further discussion on Friday 3rd December at 3pm GMT / 10am ET if you would like to join the call ... #173

[eddie-knight]

What artifacts are in the "BDD Compliance test pack"?

All artifacts produced by the test packs will be created by a shared SDK, which will ensure that they are harmonized and machine readable independent of which pack is being run.

[tcraigjohnson]

As Friday was my first time with the call I have some questions, please.

• What are the time scales for finishing the project/tool set itself and the standards?

• Are the standards based on any existing standards like AWS CIS or other similar?

• How do regulators (whether internal or external) want to consume the verification of compliance?

Thanks in advance.

Tj

[mcleo-d]

Hi @tcraigjohnson - Thanks so much for your questions. Let me pull @eddie-knight, @peterrhysthomas and @abdullahgarcia into the conversation alongside @CrypticFrog and @gibsocol 👍🏻

[mcleo-d]

Hi @tcraigjohnson - I have added this discussion to the Compliant Financial Infrastructure agenda for further discussion on Friday 3rd December at 3pm GMT / 10am ET if you would like to join the call ... #173

[mcleo-d]

This is the answer to this issue @thinkl33t