Brian Henerey, profile picture
Uploaded byBrian Henerey
PPTX, PDF1,007 views

DevOpsDays Chicago 2014 - Controlling Devops

Brian Henerey discusses how DevOps practices require different controls than traditional IT approaches when conducting a SOC2 audit. He explains that SOC2 reports assess controls related to security, availability, confidentiality, processing integrity, and privacy. While controls aim to mitigate risk, they can be overly optimized for speed in DevOps. The talk provides examples of how to structure controls around common criteria and risks, while still honoring DevOps principles like autonomy, collaboration, and minimizing bureaucracy. Controls should leverage existing DevOps tools and processes to avoid busywork.

Embed presentation

Download to read offline
Brian Henerey Director of Technology & Operations, OpinionLab bhenerey@gmail.com | @bhenerey | October 2014 Controlling Devops
Me • Working in tech since 1998 • Discovered Puppet – 2006 • Discovered Devops – 2010 • First Devopsdays – TODAY!
Trust us, we’re Engineers! • Did you delete those users accounts? • Do those automated backups work? • Do you know what code was released to Prod? • Who authorized those changes? • Who reviewed them? • Are people ssh-ing into Prod? Did they make any changes? • How many people have access to customer data?
Trust, Actually • Trust is a core element of Devops • We want to trust and empower our people, that’s why we hired them • Yet, we need some controls in place…
This Talk... • I’m going to briefly describe what a SOC2 is and how it works • I’m going to tell how to rub some Devops on one
SOC(2) it to me A Report on the Controls at a Service Organization Relevant to: – Security – Availability – Confidentiality – Processing Integrity – Privacy These are called ‘Trust Services Principles’. Defined here: http://en.wikipedia.org/wiki/Service_Organization_Controls American Institute of CPAs (AICPA)
Why would you want one? • To assert that your company meets all the criteria of the Trust Services Principles • You want an external auditor to make a statement that you’ve done this
Who has SOC2 reports? • SaaS’s • Datacenters • AWS (http://blogs.aws.amazon.com/security/blog/tag/SOC+2)
How does a SOC2 work? You/Your Org • Write System Description • Write Controls • Write Policies based on Controls • Write Assertion about your System Auditor • Helps you prepare the above • Performs audit for 3-12 months • Produces Auditor’s report
What does the have to do with Devops? 1. Accountants are more familiar with traditional IT practices – Devops practices require different controls 2. A SOC2 is driven by mitigating risk. – So is DevOPs
What about ITIL? • ITIL is the baby that got thrown out with the bathwater. • This is just my experience.
Over-optimized for speed • There’s a ton more emphasis on speed of feature delivery than creating operable systems • You can not wish the operational pain away • So let’s put some controls in place at the start
Getting started with Controls TSP Criteria Risk Example Control Your Control Evidence
What is a Control? • Your organization’s practice for mitigating specific risks • Tip: You’re better off with multiple controls to address each Risk
What kind of Controls are there? • AICPA introduced the ‘common criteria’ which cover: – Organization and management – Communications – Risk management and design and implementation of controls – Monitoring of controls – Logical and physical access of controls – System Operations – Change Management
Example Control • Risk: “Breaches and incidents recur because preventive measures are not implemented after a previous event. “ • Control: “At least monthly, the Technology Management Team meet to review the Operations Review Register and discuss plan for resolution of issues, or recap of resolved issues.”
Evidence of Control Performing Well • “Monthly meeting minutes OR checklist of categories of issues/projects discussed at meetings, attendees, date, and indication if any projects/issues need to be communicated to other employees.” • Tip: this is what you want automated or baked into your processes as much as possible. No one likes busy work
Is a Control a Policy? No. • Controls are used only by the auditor • Policies and Procedures are written for employees with clear instructions on how to perform their jobs.
How do I write a control? Auditor interviews me Auditor writes Review together
How many controls will I need? • Around 200 – Maybe 20% of these are duplicates. The means the same control addresses multiple risks. • I spent 50-60 hours with the auditor writing controls over 2-3 months
These are your Controls! • Start off by writing what your company actually does • The most valuable part of writing these controls is discovering areas to improve
What do Accountants like? • Clarity • Hierarchy-based Approval • Consistency • Ownership • Accountability
How is Devops different? • More collaboration • More autonomy • Less segregation of responsibilities • Broader range of impact – Systems, code, security, networks, databases • More bottom-up leadership
Devops Criteria for writing Controls • Lightweight • Minimal impact to workflow • No bureaucracy • No busy work • Automate/bake-in all the evidence • Team members empowered to do their jobs
Up-front versus Back-end Controls • Up-front control is more powerful, but more stifling – People cheat the system in favor of ‘getting things done’ • Devops controls are on the back-end: The team is trusted to make changes. We’ll review what changed after the fact. – Need multiple controls to increase the effectiveness
Don’t fear the policy • Okay, maybe fear it a bit.
Leverage your ticketing system • Already has history • Already can create reports • Easy to add approval to it • Can automate ticket creation for weekly/monthly/quarterly tasks • Easy to add screenshots or attachments as evidence
Leverage your version control • Name your branches/commits based on Ticket- ID • Can review list of commits after deployment to make sure changes were approved/intended
Leverage your tools + logging • Have your tools create log events – Who’s using the tool – Datestamp – What change was made – i.e. Chef-handler for logstash • https://github.com/lusis/logstash_handler
Side benefit of doing this • The more you think about your organization, you’ll probably find things you should really be doing but aren’t. • You’ll also find you aren’t consistent in your behavior, which is why you need layers of Control.
Example: Alert fatigue • You probably already have a policy on responding to alerts • If you’re not following this process, perhaps it’s because you have too many alerts, or they’re un-actionable • If it’s hard to follow your process, it’s because you have debt in your system which should be paid down
Detailed example of a Control Common Criteria 5.6 “Logical access security measures have been implemented to protect against security, availability, or confidentiality threats from sources outside the boundaries of the system.”
CC5.6 continued Risk “Threats to the system are obtained through external points of connectivity”
CC5.6 Control examples 1 “For VOC system infrastructure components, logical access is controlled through each component's native security using group/role based permissions when possible. The Windows network is further protected by a 3rd party multi- factor authentication system.” Evidence: Network diagram that includes VOC infrastructure components
CC5.6 Control example 2 “For VOC custom developed applications, logical access is controlled through role-based security with configurations stored in the applications' underlying database. For the 3rd party reporting tool that is integrated with the VOC custom developed applications, logical access is controlled through that tool's native security.” Evidence: Diagram or documentation that identifies the software/applications that comprise the VOC system
CC5.6 Control example 3 “Firewalls are initially setup as deny all and then configured to allow access for approved services. At least quarterly, the configuration of each firewall is reviewed by the Technology Operations Team and updated as deemed necessary according to industry best practices.” Evidence: Quarterly review of firewall configuration indicating who reviewed, date reviewed, and steps taken (e.g. firewall rules updated to…).
CC5.7 Control example 4 “Remote access to VOCF systems and infrastructure components requires single factor VPN authentication followed by a second factor authentication at the server or network level. Certain VOCF system component require two factor authentication.” Evidence: VPN configuration screen prints
Thanks!! Questions? Special thanks to Mike Becker Partner-in-charge, Risks and Controls @ FGMK
Judge a man by his questions rather than his answers -Voltaire

More Related Content

PDF
Taking the fire drill out of making firewall changes
byAlgoSec
 
PPTX
5 Clear Signs You Need Security Policy Automation
byTufin
 
PDF
Security a Revenue Center: How Security Can Drive Your Business
byshira koper
 
PDF
5 things you didnt know you could do with security policy management
byAlgoSec
 
PDF
Effective Patch and Software Update Management
byQuest
 
PDF
Predicting the Future of Endpoint Management in a Mobile World
byQuest
 
PDF
Ensuring Rock-Solid Unified Endpoint Management
byQuest
 
PDF
Vulnerability and Patch Management
byn|u - The Open Security Community
 
Taking the fire drill out of making firewall changes
byAlgoSec
 
5 Clear Signs You Need Security Policy Automation
byTufin
 
Security a Revenue Center: How Security Can Drive Your Business
byshira koper
 
5 things you didnt know you could do with security policy management
byAlgoSec
 
Effective Patch and Software Update Management
byQuest
 
Predicting the Future of Endpoint Management in a Mobile World
byQuest
 
Ensuring Rock-Solid Unified Endpoint Management
byQuest
 
Vulnerability and Patch Management
byn|u - The Open Security Community
 

What's hot

PPTX
How important is IT auditing
byLepide USA Inc
 
PPTX
2011 09 19 LSPE Dev Ops Cookbook 1a
byGene Kim
 
PDF
Cloud-based vs. On-site CTMS - Which is Right for Your Organization?
byPerficient
 
PPTX
2019 01-30 Firewalls Ablaze? Put Out Network Security Audit & Compliance Fires
byLiraz Goldstein
 
PPT
Ahmed
byAhmed Abd Elhamed
 
PPTX
Automating Enterprise IT Management
byJohn Gilligan
 
PDF
Security Change Management: Agility vs. Control
byAlgoSec
 
PDF
Its Not You Its Me MSSP Couples Counseling
byAtif Ghauri
 
PDF
MBT Webinar: Does the security of your business data keep you up at night?
byJorge García
 
PDF
Dell Endpoint Systems Management Solutions
byCTI Group
 
PPTX
Automating Enterprise IT Management by Leveraging Security Content Automation...
byJohn Gilligan
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PPTX
4 Best Practices for Patch Management in Education IT
byKaseya
 
PPTX
Cyber security - It starts with the embedded system
byRogue Wave Software
 
PDF
Reducing Human Error in GMP with Automation
bySafetyChain Software
 
PPTX
Patch Management: 4 Best Practices and More for Today's Healthcare IT
byKaseya
 
PPTX
Tying cyber attacks to business processes, for faster mitigation
byMaytal Levi
 
PDF
CNIT 121: 17 Remediation Introduction (Part 1)
bySam Bowne
 
PPTX
Upgrading St. Luke's telecommunication system
byJames Keener
 
PPTX
TDi Technologies - IT Foundation Management (IT Operations)
byTDiTechnologies
 
How important is IT auditing
byLepide USA Inc
 
2011 09 19 LSPE Dev Ops Cookbook 1a
byGene Kim
 
Cloud-based vs. On-site CTMS - Which is Right for Your Organization?
byPerficient
 
2019 01-30 Firewalls Ablaze? Put Out Network Security Audit & Compliance Fires
byLiraz Goldstein
 
Ahmed
byAhmed Abd Elhamed
 
Automating Enterprise IT Management
byJohn Gilligan
 
Security Change Management: Agility vs. Control
byAlgoSec
 
Its Not You Its Me MSSP Couples Counseling
byAtif Ghauri
 
MBT Webinar: Does the security of your business data keep you up at night?
byJorge García
 
Dell Endpoint Systems Management Solutions
byCTI Group
 
Automating Enterprise IT Management by Leveraging Security Content Automation...
byJohn Gilligan
 
The What, Why, and How of DevSecOps
byCprime
 
4 Best Practices for Patch Management in Education IT
byKaseya
 
Cyber security - It starts with the embedded system
byRogue Wave Software
 
Reducing Human Error in GMP with Automation
bySafetyChain Software
 
Patch Management: 4 Best Practices and More for Today's Healthcare IT
byKaseya
 
Tying cyber attacks to business processes, for faster mitigation
byMaytal Levi
 
CNIT 121: 17 Remediation Introduction (Part 1)
bySam Bowne
 
Upgrading St. Luke's telecommunication system
byJames Keener
 
TDi Technologies - IT Foundation Management (IT Operations)
byTDiTechnologies
 

Similar to DevOpsDays Chicago 2014 - Controlling Devops

PDF
DevOps & Security from an Enterprise Toolsmith's Perspective
bydev2ops
 
PPTX
Is DevOps Braking Your Company?
byconjur_inc
 
PPTX
DevSecCon Keynote
byShannon Lietz
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PDF
SOC 2 Compliance Checklist By InfosecTrain
bypriyanshamadhwal2
 
PPTX
From reactive to automated reducing costs through mature security processes i...
byNetIQ
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
PPTX
PACE-IT, Security+ 2.1: Risk Related Concepts (part 1)
byPace IT at Edmonds Community College
 
PPTX
Lets talk about soc2s, baby! BSidesLV 2021
byWendy Knox Everette
 
PPTX
DevOps and Audit
byJeff Gallimore
 
PDF
Operations as a Service: Because Failure Still Happens
byRundeck
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
PPT
How much does it cost to be Secure?
bymbmobile
 
PPTX
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
byTripwire
 
PPTX
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 
PPTX
ISACA Ireland Keynote 2015
byShannon Lietz
 
PPTX
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
PPTX
Chapter 3 security part i auditing operating systems and networks
byTommy Zul Hidayat
 
PDF
Building Security Teams
byAstera Esther Schneeweisz
 
PPT
Itpi metricon 0906a final
byGene Kim
 
DevOps & Security from an Enterprise Toolsmith's Perspective
bydev2ops
 
Is DevOps Braking Your Company?
byconjur_inc
 
DevSecCon Keynote
byShannon Lietz
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
SOC 2 Compliance Checklist By InfosecTrain
bypriyanshamadhwal2
 
From reactive to automated reducing costs through mature security processes i...
byNetIQ
 
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 1)
byPace IT at Edmonds Community College
 
Lets talk about soc2s, baby! BSidesLV 2021
byWendy Knox Everette
 
DevOps and Audit
byJeff Gallimore
 
Operations as a Service: Because Failure Still Happens
byRundeck
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
How much does it cost to be Secure?
bymbmobile
 
Stop Chasing the Version: Compliance with CIPv5 through CIPv99
byTripwire
 
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 
ISACA Ireland Keynote 2015
byShannon Lietz
 
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
Chapter 3 security part i auditing operating systems and networks
byTommy Zul Hidayat
 
Building Security Teams
byAstera Esther Schneeweisz
 
Itpi metricon 0906a final
byGene Kim
 

Recently uploaded

PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
final.pdf
byomarbishtawi04
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
apidays New York 2025 | AI in Application Security
byapidays
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 

DevOpsDays Chicago 2014 - Controlling Devops

  • 1.
    Brian Henerey Director ofTechnology & Operations, OpinionLab bhenerey@gmail.com | @bhenerey | October 2014 Controlling Devops
  • 2.
    Me • Working intech since 1998 • Discovered Puppet – 2006 • Discovered Devops – 2010 • First Devopsdays – TODAY!
  • 3.
    Trust us, we’reEngineers! • Did you delete those users accounts? • Do those automated backups work? • Do you know what code was released to Prod? • Who authorized those changes? • Who reviewed them? • Are people ssh-ing into Prod? Did they make any changes? • How many people have access to customer data?
  • 4.
    Trust, Actually • Trustis a core element of Devops • We want to trust and empower our people, that’s why we hired them • Yet, we need some controls in place…
  • 5.
    This Talk... • I’mgoing to briefly describe what a SOC2 is and how it works • I’m going to tell how to rub some Devops on one
  • 6.
    SOC(2) it tome A Report on the Controls at a Service Organization Relevant to: – Security – Availability – Confidentiality – Processing Integrity – Privacy These are called ‘Trust Services Principles’. Defined here: http://en.wikipedia.org/wiki/Service_Organization_Controls American Institute of CPAs (AICPA)
  • 7.
    Why would youwant one? • To assert that your company meets all the criteria of the Trust Services Principles • You want an external auditor to make a statement that you’ve done this
  • 8.
    Who has SOC2reports? • SaaS’s • Datacenters • AWS (http://blogs.aws.amazon.com/security/blog/tag/SOC+2)
  • 9.
    How does aSOC2 work? You/Your Org • Write System Description • Write Controls • Write Policies based on Controls • Write Assertion about your System Auditor • Helps you prepare the above • Performs audit for 3-12 months • Produces Auditor’s report
  • 10.
    What does thehave to do with Devops? 1. Accountants are more familiar with traditional IT practices – Devops practices require different controls 2. A SOC2 is driven by mitigating risk. – So is DevOPs
  • 11.
    What about ITIL? •ITIL is the baby that got thrown out with the bathwater. • This is just my experience.
  • 12.
    Over-optimized for speed •There’s a ton more emphasis on speed of feature delivery than creating operable systems • You can not wish the operational pain away • So let’s put some controls in place at the start
  • 13.
    Getting started withControls TSP Criteria Risk Example Control Your Control Evidence
  • 14.
    What is aControl? • Your organization’s practice for mitigating specific risks • Tip: You’re better off with multiple controls to address each Risk
  • 15.
    What kind ofControls are there? • AICPA introduced the ‘common criteria’ which cover: – Organization and management – Communications – Risk management and design and implementation of controls – Monitoring of controls – Logical and physical access of controls – System Operations – Change Management
  • 16.
    Example Control • Risk:“Breaches and incidents recur because preventive measures are not implemented after a previous event. “ • Control: “At least monthly, the Technology Management Team meet to review the Operations Review Register and discuss plan for resolution of issues, or recap of resolved issues.”
  • 17.
    Evidence of ControlPerforming Well • “Monthly meeting minutes OR checklist of categories of issues/projects discussed at meetings, attendees, date, and indication if any projects/issues need to be communicated to other employees.” • Tip: this is what you want automated or baked into your processes as much as possible. No one likes busy work
  • 18.
    Is a Controla Policy? No. • Controls are used only by the auditor • Policies and Procedures are written for employees with clear instructions on how to perform their jobs.
  • 19.
    How do Iwrite a control? Auditor interviews me Auditor writes Review together
  • 20.
    How many controlswill I need? • Around 200 – Maybe 20% of these are duplicates. The means the same control addresses multiple risks. • I spent 50-60 hours with the auditor writing controls over 2-3 months
  • 21.
    These are yourControls! • Start off by writing what your company actually does • The most valuable part of writing these controls is discovering areas to improve
  • 22.
    What do Accountantslike? • Clarity • Hierarchy-based Approval • Consistency • Ownership • Accountability
  • 23.
    How is Devopsdifferent? • More collaboration • More autonomy • Less segregation of responsibilities • Broader range of impact – Systems, code, security, networks, databases • More bottom-up leadership
  • 24.
    Devops Criteria forwriting Controls • Lightweight • Minimal impact to workflow • No bureaucracy • No busy work • Automate/bake-in all the evidence • Team members empowered to do their jobs
  • 25.
    Up-front versus Back-endControls • Up-front control is more powerful, but more stifling – People cheat the system in favor of ‘getting things done’ • Devops controls are on the back-end: The team is trusted to make changes. We’ll review what changed after the fact. – Need multiple controls to increase the effectiveness
  • 26.
    Don’t fear thepolicy • Okay, maybe fear it a bit.
  • 27.
    Leverage your ticketingsystem • Already has history • Already can create reports • Easy to add approval to it • Can automate ticket creation for weekly/monthly/quarterly tasks • Easy to add screenshots or attachments as evidence
  • 28.
    Leverage your versioncontrol • Name your branches/commits based on Ticket- ID • Can review list of commits after deployment to make sure changes were approved/intended
  • 29.
    Leverage your tools+ logging • Have your tools create log events – Who’s using the tool – Datestamp – What change was made – i.e. Chef-handler for logstash • https://github.com/lusis/logstash_handler
  • 30.
    Side benefit ofdoing this • The more you think about your organization, you’ll probably find things you should really be doing but aren’t. • You’ll also find you aren’t consistent in your behavior, which is why you need layers of Control.
  • 31.
    Example: Alert fatigue •You probably already have a policy on responding to alerts • If you’re not following this process, perhaps it’s because you have too many alerts, or they’re un-actionable • If it’s hard to follow your process, it’s because you have debt in your system which should be paid down
  • 32.
    Detailed example ofa Control Common Criteria 5.6 “Logical access security measures have been implemented to protect against security, availability, or confidentiality threats from sources outside the boundaries of the system.”
  • 33.
    CC5.6 continued Risk “Threats tothe system are obtained through external points of connectivity”
  • 34.
    CC5.6 Control examples1 “For VOC system infrastructure components, logical access is controlled through each component's native security using group/role based permissions when possible. The Windows network is further protected by a 3rd party multi- factor authentication system.” Evidence: Network diagram that includes VOC infrastructure components
  • 35.
    CC5.6 Control example2 “For VOC custom developed applications, logical access is controlled through role-based security with configurations stored in the applications' underlying database. For the 3rd party reporting tool that is integrated with the VOC custom developed applications, logical access is controlled through that tool's native security.” Evidence: Diagram or documentation that identifies the software/applications that comprise the VOC system
  • 36.
    CC5.6 Control example3 “Firewalls are initially setup as deny all and then configured to allow access for approved services. At least quarterly, the configuration of each firewall is reviewed by the Technology Operations Team and updated as deemed necessary according to industry best practices.” Evidence: Quarterly review of firewall configuration indicating who reviewed, date reviewed, and steps taken (e.g. firewall rules updated to…).
  • 37.
    CC5.7 Control example4 “Remote access to VOCF systems and infrastructure components requires single factor VPN authentication followed by a second factor authentication at the server or network level. Certain VOCF system component require two factor authentication.” Evidence: VPN configuration screen prints
  • 38.
    Thanks!! Questions? Special thanks to MikeBecker Partner-in-charge, Risks and Controls @ FGMK
  • 39.
    Judge a manby his questions rather than his answers -Voltaire