Commit bc7a2c4a authored by Ashish Kuthiala's avatar Ashish Kuthiala

Merge branch 'correct-typos-compliance-page' into 'master'

Corrected several typos present in last iteration of the Financial Services Reg. Compliance page

See merge request gitlab-com/www-gitlab-com!17355
parents b230b54d c72dcbe8
Pipeline #40044746 passed with stages
in 21 minutes
......@@ -44,7 +44,7 @@ Specific controls common amongst these regulations are outlined below, along wit
</tr>
<tr>
<td class="tg-xldj">Segregation of Incompatible Duties (SODs)</td>
<td class="tg-xldj">To protect a system from unauthorized changes and fraud, organizations must establish organization-defined duties and roles, document separation of duties of these indivudlas and roles, and define assocaited system access authorizations to support these separation of duties.</td>
<td class="tg-xldj">To protect a system from unauthorized changes and fraud, organizations must establish organization-defined duties and roles, document separation of duties of these individuals and roles, and define associated system access authorizations to support these separation of duties.</td>
<td class="tg-xldj">* You never merge your own code.<br>* All code needs to be peer reviewed.<br>* Only authorized people can approve the code.<br>* You need a log of who approved it.</td>
<td class="tg-xldj"><a href="https://docs.gitlab.com/ee/user/permissions.html">1. Defined Project Permissions</a><br><a href="https://docs.gitlab.com/ee/user/project/protected_branches.html">2. Protected branches</a><br>
<a href="https://docs.gitlab.com/ee/ci/environments/protected_environments.html">3. Protected environments</a><br>
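Review bot: the corrected description still reads "to support these separation of duties"; "these" does not agree with the singular "separation". Suggest "to support this separation of duties". The spelling fixes to "individuals" and "associated" in the same line look right.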
......@@ -66,7 +66,7 @@ Specific controls common amongst these regulations are outlined below, along wit
<tr>
<td class="tg-xldj">Configuration Management</td>
<td class="tg-xldj">NIST's Configuration Management control as outlined in NIST 800-53, Rev. 4: CM-2 establishes that baseline configurations are documented, formally reviewed and agreed-upon. As baseline configurations serve as a basis for future builds, releases, and/or changes to information systems, it is critical for organizations to have the ability to control changes and evidence the integrity of the deployment process.</td>
<td class="tg-xldj">* Baseline configurations are stored and tracked.<br>* Automated configuration management is employed to remove manual, error-prone processes.<br>* Changes to configurations are approved.<br>* Logs of changes are maintained.</td>
<td class="tg-xldj">* Baseline CI/CD configurations are stored and tracked.<br>* Automated configuration management is employed to remove manual, error-prone processes.<br>* Changes to configurations are approved.<br>* Logs of changes are maintained.</td>
<td class="tg-xldj"><a href="https://docs.gitlab.com/ee/ci/yaml/README.html">1. CI/CD configurations</a><br>
<a href="https://gitlab.com/gitlab-org/gitlab-ce/issues/44041">2. Future: Approval jobs in CI pipelines</a><br>
</td>
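Review bot: changing "Baseline configurations" to "Baseline CI/CD configurations" is a scope change rather than a typo fix, and the merge request title only mentions typos. It narrows the mapped practice to pipeline configuration while the description cell still describes NIST 800-53 CM-2 baseline configurations of the information system in general. If the narrowing is intended, say so in the commit message and consider aligning the description cell; otherwise keep the original wording. Also note that the second evidence link points at an open issue labelled "Future", so it evidences a roadmap item rather than a control that exists today; a compliance page should keep that distinction visible.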
......@@ -74,13 +74,13 @@ Specific controls common amongst these regulations are outlined below, along wit
<tr>
<td class="tg-xldj">Configuration Change Control</td>
<td class="tg-xldj">Configuration Change Control is outlined in NIST 800-53, Rev. 4: CM-3: the organization implements approved configuration controlled changes to the information system and retains a record of the configuration controlled-changes - and changes to deployment configurations.</td>
<td class="tg-xldj">* All changes to baseline configurations are stored and tracked.<br>* Changes to configurations of protected branch and environment configurations are stored and tracked.<br>* Logs of changes are maintained.</td>
<td class="tg-xldj"><a href="https://about.gitlab.com/handbook/marketing/product-marketing/demo/cicd-deep/">1. CI/CD pipeline configuration management</a><br><a href="https://docs.gitlab.com/ee/administration/audit_events.html">2. Audit Events</a><br>CI/CD pipeline configurations are tracked in source controls in the same manner as your source code; any changes to these deployment configurations are logged as part of your source code control, thus ensuring that GitLab's release orchestration processes directly support change control best practices.
<td class="tg-xldj">* All changes to baseline orchestration configurations are stored and tracked.<br>* Changes to configurations of protected branch and environment configurations are stored and tracked.<br>* Logs of changes are maintained.</td>
<td class="tg-xldj"><a href="https://about.gitlab.com/handbook/marketing/product-marketing/demo/cicd-deep/">1. CI/CD pipeline configuration management</a><br><a href="https://docs.gitlab.com/ee/administration/audit_events.html">2. Audit Events</a><br>CI/CD pipeline configurations are tracked in source control in the same manner as your source code; any changes to these configurations are logged as part of your source code, thus ensuring that GitLab's release orchestration processes directly support change control best practices.
</td>
</tr>
<tr>
<td class="tg-xldj">Access Restrictions for Changes to Configurations and Pipelines</td>
<td class="tg-xldj">ISO 27002 9 (Access Controls) and NIST 800-53, Rev. 4: CM-5 and AC-3 (Logical Access Enforcement) dictate that organization defines, documents, approves, and enforces logical access restrictions associated with changes to the information system. Any changes to the software can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications.</td>
<td class="tg-xldj">ISO 27002 9 (Access Controls) and NIST 800-53, Rev. 4: CM-5 and AC-3 (Logical Access Enforcement) dictate that organizations define, document, approve, and enforce logical access restrictions associated with changes to the information system. Any changes to the software can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications.</td>
<td class="tg-xldj">* Controls exist to prevent initiation of pipelines without requisite approvals.<br>* Only authorized users can deploy to production.</td>
<td class="tg-xldj"><a href="https://docs.gitlab.com/ee/user/project/protected_branches.html">1. Protected branches</a><br>
<a href="https://docs.gitlab.com/ee/ci/environments/protected_environments.html">2. Protected environments</a><br>
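Review bot: the rewritten sentence now says changes "are logged as part of your source code", which is less accurate than the original "source code control": the record of a pipeline configuration change lives in the repository's commit history and audit events, not in the source code itself. Suggest "any changes to these configurations are logged in your source control history". Two smaller points in the same hunk: "baseline orchestration configurations" introduces terminology not used elsewhere in the table (the previous row says "baseline CI/CD configurations"), and "ISO 27002 9 (Access Controls)" reads better as "ISO 27002 section 9 (Access control)". The "organizations define, document, approve, and enforce" agreement fix is correct.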
......@@ -90,8 +90,7 @@ Specific controls common amongst these regulations are outlined below, along wit
<tr>
<td class="tg-xldj">Security</td>
<td class="tg-xldj"> Both the NIST and the ISO security frameworks outline requirements related to developer security testing and evaluation. NIST 800-53, Rev. 4: SA -11 establishes that organization must require the developers of the information system, system component, or information service to implement a security assessment plan, produce evidence of execution of security testing, and correct flaws identified. <br> As a result, business application software needs to support the following: <br>
* Evidence that data has not been modified. <br>
* Role-based access and revocation of accounts.<br>
* Evidence that data has not been modified. <br>
* Auditing and logging of events in systems that process sensitive data.<br>
* Log system changes in a way that those logs are resistant to tampering and accessible only to privileged users.<br>
Note: Application Security Testing can help identify vulnerabilities that enable unauthorized access to data, logic, and reporting. </td>
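Review bot: removing the duplicated "Evidence that data has not been modified." bullet is correct, but the unchanged context still carries two issues of the kind this merge request targets: "SA -11" has a stray space before the hyphen and should be "SA-11", and "establishes that organization must require" should be "organizations must require", matching the plural form adopted in the Access Restrictions row. The last bullet also reads awkwardly; suggest "Log system changes so that the logs are tamper-resistant and accessible only to privileged users."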
......@@ -133,7 +132,7 @@ Specific controls common amongst these regulations are outlined below, along wit
href="https://docs.gitlab.com/ee/development/testing_guide/end_to_end_tests.html#testing-code-in-merge-requests">6. Test result retention</a><br>
<a
href="https://gitlab.com/gitlab-org/gitlab-ee/issues/5297">7. Future: Disable squash of commits</a><br>
8. Future: Prevent purge<br></td>
1. Future: Prevent purge<br></td>
</tr>
<tr>
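Review bot: renumbering "8. Future: Prevent purge" to "1. Future: Prevent purge" looks like a regression rather than a typo fix: the preceding entries in this cell are numbered 6 and 7, so this entry should stay 8. If the intent was to start a separate list of roadmap items, the earlier "7. Future: Disable squash of commits" entry would need to move as well. Unlike the other entries, this one also has no link to a tracking issue; consider adding one or stating that none exists yet.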
......