Comments (3)
Just my .02, I actually think of regulatory compliance as a separate domain/concern apart from secure access or technical policy controls/features. It orchestrates and considers all the human activities surrounding and interacting with a software system.
Regulatory compliance can often be accomplished with manual human and paperwork processes (for good or ill) outside the software controls, whereas security is the interaction of various attributes and decisions concretely defined and embodied in the system architecture, design, code and behavior.
They certainly can and should reinforce each other, but I think they should be decoupled explicitly and managed separately. Put another way, I wouldn't want to design the safety and security of software with regulatory requirements as the primary goal; nor would I want to declare regulatory compliance by only mapping a set of security features/configurations to specific regulatory requirements without considering all the human workflows surrounding the system.
A mapping between security features/intents vs specific regulatory compliance requirements is a start and a helpful roadmap. My recommendation for scope would be to provide a common vocabulary of terms across various features and intents that can be cross-mapped to all the many different regulatory frameworks (most of which are not container-aware today!). That said, HITRUST has mapped to CSA, and I have done some work to map PCI and HIPAA.
from tag-security.
This issue has been automatically marked as inactive because it has not had recent activity.
This is reflected on the Roadmap & planning FY21-22; this issue is being closed.