cncf / financial-user-group

💰💸☁️ For those interested in running Kubernetes in highly regulated environments, particularly financial services
Apache License 2.0

How to define the lowest common legal/regulatory ground for our int. Group? #6

Open Co-Schwertner opened 5 years ago

Co-Schwertner commented 5 years ago

One of the major problems we are going to face will probably be our diverse legal/regulatory grounds.

A common ground that is (a) sufficiently detailed / comprehensive on the one hand but (b) agnostic to local or specific legal/regulatory provisions on the other hand will be crucial to make any progress on common solutions IMO.

Therefore, I would like to ask if any member already knows/uses the Cloud Security Alliance Cloud Controls Matrix (CCM) 3.0.1 (latest release date: 11/12/2018) _(see: https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview)_.

The best thing about this matrix is that a 300 x 300 standardised Q&A catalogue is, via a matrix overview, linked to all relevant international and common security standards (e.g. NIST, NZISM, ISO, or, from a German perspective, even the requirements of the Federal Office for Information Security, etc.). Relying on this matrix, you can solve/answer a requirement once and link the solution to all kinds of standards' requirements you might be faced with from different auditors.

I would be interested to hear whether you agree with me that maybe this Matrix could help us define our common legal/regulatory ground as an international Financial User Group, or whether someone knows/uses other tools/sources to resolve the (a) + (b) contradiction mentioned above.