bcgov / cloud-custodian-policies

Apache License 2.0
1 star, 2 forks

Add missing compliance audit file #3

Open repo-mountie[bot] opened 3 years ago

repo-mountie[bot] commented 3 years ago

TL;DR 🏎️

Your repo is missing a compliance audit file so I've created this PR with a template that you can update with the correct PIA and STRA status (status options in the table below). If you'd like me to do this for you, skip to the commands section below.

Compliance

Projects in our organization (bcgov) need to complete a Privacy Impact Assessment (PIA) and Security Threat & Risk Assessment (STRA) before they go live in production. Since every ministry has their own way of doing both the STRA and PIA we don't enforce that projects do them, only that they report on the current status.

To help with reporting, I've added a compliance audit file as part of this pull request. Please check out this branch and update the status as needed. Here is a table of possible states:

Status: Description
TBD: If you're surprised by this news, use this state. I'll let you talk to your MISO and check back later.
in-progress: Use this state when your assessment(s) are underway.
completed: Use this state when your assessment(s) are completed. 🙌 🎉
not-required: You have consulted with your MISO or Privacy Officer and they agree that no PIA or STRA is required.

Here is what a completed audit file might look like:

name: compliance
description: |
  This document is used to track a project's PIA and STRA
  compliance.
spec:
  - name: PIA
    status: in-progress
    last-updated: '2019-11-22T00:03:52.138Z'
  - name: STRA
    status: completed
    last-updated: '2019-11-22T00:03:52.138Z'

For more information, check out the BC Policy Framework for GitHub.

Commands 🤖

I can update the status of the PIA and STRA for you; you'll just need to merge the PR when I'm done. You can find the available status values in the table above. Below are some commands I understand:

Command: Description
@repo-mountie help: You're freaking out and want to talk to a person.
@repo-mountie update-pia STATUS: You want me to update the PIA status.
@repo-mountie update-stra STATUS: You want me to update the STRA status.

Examples

@repo-mountie update-pia completed
@repo-mountie update-stra in-progress

bluemel-gov commented 3 years ago

@repo-mountie update-stra in-progress

bluemel-gov commented 3 years ago

@repo-mountie update-pia in-progress

sheaphillips commented 3 years ago

@bluemel-gov I think status should be "not-required" as we won't be creating compliance artifacts for this repo individually.

bluemel-gov commented 3 years ago

@sheaphillips, let's chat about this. I had wanted to review the compliance for this next sprint, but would like to hear your point of view. Also it's (a) bluemel-gov, you tagged a stranger :)

sheaphillips commented 3 years ago

Maybe create a ticket and it can be reviewed in refinement/planning. My point is that I can say with high confidence that we won't be creating a PIA/STRA/etc. for this repo specifically. I don't know how to reflect that in the compliance audit file, but I also know the compliance audit file is meant to be a nudge for teams to think about these things - it does not create a requirement or provide guidance. The ticket should not be about this repo but about if/how we account for the disparate set of codebases we use/create in compliance artifacts.

and "doh!" re: tagging wrong human. fixed now.

repo-mountie[bot] commented 3 years ago

Hey, it's been 120 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.

repo-mountie[bot] commented 2 years ago

Hey, it's been 120 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.

repo-mountie[bot] commented 2 years ago

Hey, it's been 120 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.

repo-mountie[bot] commented 2 years ago

Hey, it's been 120 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.

repo-mountie[bot] commented 1 year ago

Hey, it's been 121 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.

repo-mountie[bot] commented 1 year ago

Hey, it's been 120 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.

repo-mountie[bot] commented 1 year ago

Hey, it's been 120 days since this PR was last updated. I'm sure everyone is busy; however, it would be appreciated if someone from the team puts this issue to bed. Thanks in advance.