Skip to content

Latest commit

 

History

History
112 lines (64 loc) · 6.96 KB

File metadata and controls

112 lines (64 loc) · 6.96 KB

FINOS - Incubating CII Best Practices

Compliant Financial Infrastructure

Compliant Financial Infrastructure (CFI) is a project that exists to accelerate the development, deployment and adoption of services provided for infrastructure in a way that meets common regulatory and internal security controls.

Through our three working groups, we provide:

  • Opinionated compliance documentation provided by our service approval accelerators
  • Vetted infrastructure as code that is ready to import to your internal registry
  • CI/CD-friendly runtime validation tests to ensure your deployed resources are compliant

Policy Working Group

This WG exists to define and document best practice and process for implementing compliant infrastructure, while streamlining the process for contributions from financial institutions in a frictionless manner.

Compliance may mean something different from one institution to the next. The goal of CFI is not to create a single solution that all firms must adhere to, instead our goal is to streamline adoption and free up security teams to focus on non-redundant activities.

Detailed documentation in the form of Service Approval Accelerators (SAAs) live within this main CFI repository.

High level objectives

  1. Maintain a knowledge base of up-to-date compliance requirements from member financial institutions (Inputs)
  2. Document how to achieve compliance for different infrastructure resources from a financial perspective (Outputs)

Approach

  • Document opinionated configurations, mitigations, and decisions to accelerate compliance for infrastructure services in SAAs.
  • Ensure all SAAs are informed by industry-wide experience/feedback
  • Ensure CFI communication methods (both inputs and outputs) are streamlined to best serve our community and users

A template Service Approval Accelerator is maintained here.

Contributions

Reproducible Infrastructure Working Group

This WG exists to develop, maintain, and document easily consumable infrastructure as code (IaC) which can be used as a base for deploying systems in highly-regulated environments.

Detailed documentation regarding the process for developing and delivering IaC can be found here.

High level objectives

  1. Create and maintain IaC to deploy services that meet policies as defined by the Policy Working Group

Approach

  • Review Service Accelerators and work with the Policy Working Group to agree on each approach to codify policies
  • Build and maintain the IaC to meet requirements set out in the SAA
    • Where this is not possible then any policy gaps will be documented

Contributions

Runtime Validation Working Group

This WG exists to maintain a suite of tools that may be used to validate that deployed infrastructure is compliant with the documentation provided by the Policy Working Group, and provide actionable information for users who are working toward compliance.

Detailed documentation regarding the process for developing and delivering runtime validation test packs can be found here.

High level objectives

  1. Maintain tests matching each SAA to validate the compliance of any deployed resource
  2. Maintain test harness to streamline approach across all services

Approach

  • Execute tests that match the accelerators provided by the Policy WG (no more, no less)
  • Ensure harnes is easily configurable & can be used for diverse validation purposes
  • Maintain smooth logging functionality for validation and development purposes
  • Ensure common human-readable output format for all test packs

Contributions

Join the Community!

For more information about how to engage with the rest of the community and contribute to the project, view the documentation and links here.

Please feel free to request changes via GitHub Issues.

Everyone is encouraged to join our public community meetings found on the FINOS community calendar, and join us on Slack.

Thank you to our contributors!

License

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

Security Concerns

If you have any security concerns related to this project, please create an issue on this repository or create an issue on the repository associated with your concern.