finos / common-cloud-controls

FINOS Common Cloud Controls
https://www.finos.org/common-cloud-controls-project

November 2nd 2023 Common Cloud Controls - Project Live Retrospective - All Working Groups #68

Closed mcleo-d closed 5 months ago

mcleo-d commented 10 months ago

Date

November 2nd 2023 - 12pm EST / 4pm GMT

This is your invitation to the hybrid CCC Project All Hands, which will take place over Zoom and at Rise New York, located at 43 W 23rd St, NY 10010.

If attending in person, please register on the first floor with security and then proceed to the Barclays Rise reception on the second floor to be checked in and taken to room 2.2 where the meeting will take place.

Alternatively, please use the Zoom details at the bottom of this issue to join the hybrid session.

Meeting notices

Agenda

Additional Items

Zoom info

Join Zoom Meeting https://zoom.us/j/98254617376?pwd=aGV6VzZQOTg3MHptY0tkZHRVSUsxUT09

Meeting ID: 982 5461 7376 Passcode: 305874


Dial by your location • +1 719 359 4580 US • +1 253 205 0468 US • +1 253 215 8782 US (Tacoma) • +1 301 715 8592 US (Washington DC) • +1 305 224 1968 US • +1 309 205 3325 US • +1 312 626 6799 US (Chicago) • +1 346 248 7799 US (Houston) • +1 360 209 5623 US • +1 386 347 5053 US • +1 507 473 4847 US • +1 564 217 2000 US • +1 646 558 8656 US (New York) • +1 646 931 3860 US • +1 669 444 9171 US • +1 669 900 6833 US (San Jose) • +1 689 278 1000 US • 855 880 1246 US Toll-free • 877 369 0926 US Toll-free • +1 438 809 7799 Canada • +1 587 328 1099 Canada • +1 647 374 4685 Canada • +1 647 558 0588 Canada • +1 778 907 2071 Canada • +1 780 666 0144 Canada • +1 204 272 7920 Canada • 855 703 8985 Canada Toll-free

Meeting ID: 982 5461 7376

Find your local number: https://zoom.us/u/acPjHdY2IO

mcleo-d commented 10 months ago

James McLeod / FINOS

TheFoxAtWork commented 10 months ago

Emily Fox / Red Hat @TheFoxAtWork

pgste commented 10 months ago

Paul Stevenson / Morgan Stanley

d1gital-f commented 10 months ago

Francesco Beltramini / ControlPlane

nas-hub commented 10 months ago

Naseer Mohammad / Google

smendis-scottlogic commented 10 months ago

Sonali Mendis / Scott Logic

eziogas-scottlogic commented 10 months ago

Euthyme Ziogas / Scott Logic

sshiells-scottlogic commented 10 months ago

Steven Shiells / Scott Logic

rgriffiths-scottlogic commented 10 months ago

Robert Griffiths / Scott Logic

eddie-knight commented 10 months ago

:wave: :shipit: Eddie Knight / Sonatype

sosullivan92 commented 10 months ago

Steve O'Sullivan/BNY Mellon

rhyddian commented 10 months ago

Rhyddian Olds / Citi 👋

abdullahsaf commented 10 months ago

Abdullah Safdar / Citi

njwilliams commented 10 months ago

Nick Williams / Morgan Stanley

joeschny commented 10 months ago

Jörg Schneider / Bank of New York Mellon

simonzhangbmo commented 10 months ago

Simon zhang/BMO

newtob commented 10 months ago

Ben Newton / LSEG

rgriffiths-scottlogic commented 10 months ago

MITRE UPDATE
Regulatory Engagement Update/Plan
CSP Control Plane Failure
CDMC - What next?
Continuous Control Monitoring (CCM)

rgriffiths-scottlogic commented 10 months ago

Scope of CCC

rgriffiths-scottlogic commented 10 months ago

Readme project scope

White paper

ojeb2 commented 10 months ago

Oli Bage / LSEG

simonzhangbmo commented 10 months ago

Oli, can you please add the URL to CDMC taxonomy?

mcleo-d commented 10 months ago

IMG_6358

crawfordchanel commented 10 months ago

Chanel Crawford - Citi

mcleo-d commented 10 months ago

IMG_6360

ojeb2 commented 10 months ago

> Oli, can you please add the URL to CDMC taxonomy?

The CDMC v1.1 Spec, Key Controls and Test Script are here: https://github.com/finos/compliant-financial-infrastructure/discussions/174

ojeb2 commented 10 months ago

Example of the overlap between CCC DBMS Taxonomy and CDMC Capabilities:

| Taxonomy ID | Feature | Description | CDMC Capability |
|---|---|---|---|
| CCC-RDMS-1 | SQL Support | Properly handle queries in the SQL language. | |
| CCC-RDMS-2 | Vertical Scaling | Users may increase or decrease resource allocation. | |
| CCC-RDMS-3 | Horizontal Scaling | Read replicas of the primary database can be created. | |
| CCC-RDMS-4 | Multi-region | Read replicas can be created in multiple user-specified regions. | |
| CCC-RDMS-5 | Automated Backups | Backups can be automatically created and stored according to user specification. | CDMC-6.1.3 Backups and point-in-time recovery are supported |
| CCC-RDMS-6 | Point in Time Recovery | Backups can be restored on demand to a specific point in time. | CDMC-6.1.3 Backups and point-in-time recovery are supported |
| CCC-RDMS-7 | Encryption at Rest | Data is encrypted at rest, and can be encrypted with user private keys. | CDMC-4.1.1 Encryption policies are defined and enforced for data at rest, in motion, and in use |
| CCC-RDMS-8 | Encryption in Transit | Data is encrypted in transit, and can be encrypted with user private keys. | CDMC-4.1.1 Encryption policies are defined and enforced for data at rest, in motion, and in use |
| CCC-RDMS-9 | Role Based Access Control | Users can be assigned roles with specific permissions. | CDMC-3.1 Data entitlements are managed, enforced and tracked |
| CCC-RDMS-10 | Logging | Configurable logs are available for user inspection. | |
| CCC-RDMS-11 | Monitoring | Configurable metrics are available for user inspection. | |
| CCC-RDMS-12 | Alerting | Configurable alerts can be enabled. | |

iMichaela commented 10 months ago

I am not sure how the mapping above will be used, but it might be important for the WG to agree on that before advancing the work.

| Taxonomy ID | Feature | Description | CDMC Capability |
|---|---|---|---|
| CCC-RDMS-9 | Role Based Access Control | Users can be assigned roles with specific permissions. | CDMC-3.1 Data entitlements are managed, enforced and tracked |

Where the CDMC 3.1 Data Entitlements are Managed, Enforced, and Tracked is defined below:

Control Description:
 1. Entitlements and Access for Sensitive Data **must** default to creator and owner until explicitly and authoritatively granted.  
 2. Access **must** be tracked for all sensitive data.

are tangential (not equivalent, not equal, not subsets, etc.). If a representation in OSCAL is needed, it can be done using the OSCAL mapping model (prototype available), but automating the assessment of one side of the mapping (source) will not facilitate any proper assessment and reporting on the other side (target).

I can further analyze the description of the CCC-RDMS-9 (as an example):

Users **can** be assigned roles with specific permissions.

And, can means I have a choice (the capability) of assigning roles but if I do not do so, it is OK. It does not say I must/shall or could/should. What will an (automatic) assessment process have to test and report?

eddie-knight commented 10 months ago

Hi @iMichaela, I believe there will be an exploratory session for the potential CDMC+CCC mapping, which is proposed in Oli's table.

regarding this:

And, can means I have a choice (the capability) of assigning roles but if I do not do so, it is OK. It does not say I must/shall or could/should. What will an (automatic) assessment process have to test and report?

The snippet that Oli brought as an example above is from the first iteration of the service-level taxonomy for RDMS (which you can find in the repo). The taxonomy addresses features that must be present on a service for it to be considered ready according to the CCC portability standard. The validation test pack that was demonstrated last week at OSFF looks for the presence of these capabilities.

These are separate from the security/hardening standards that have yet to be proposed into the CCC context.

iMichaela commented 10 months ago

@eddie-knight - Thank you for the detailed explanation. I am sorry I did not see the demo.

mcleo-d commented 9 months ago

Hi @crawfordchanel - Do you have the minutes from this meeting as I am reluctant to close until the actions have been translated into next steps and GitHub issues?

Thanks!

James.

crawfordchanel commented 7 months ago

#68 CCC Meeting Summary 11.2.23.docx

crawfordchanel commented 5 months ago

Meeting Summary

• We agreed to create a tech/business specification that can be an open-source document.
• The way it is intended, a business describes control information. Mapping is complete for ATLAS and for EJIRIA. Whichever you use, you can use the physical names to map back to the control requirement through the CDMC information model.
  o Could also be used to generate auto control evidence.
• CDMC controls data to describe how it operates, the types of risks mitigated and collect evidence of those controls. Meta data definition is available to use and can be put into technical specs.

BMO Maintainer: CDMC – I have 2 questions.
  1. If we use your taxonomy, is there anything we need to worry about? Do we need to sign up?
  2. If CSP asks to participate, how do we respond?

LSEG Maintainer – We need to create another document to put that vocabulary in it. Original specification is 160 pages. It would be a much shorter spec.
• We will locate the exact agreement/specification and supply it to the group.
• What does a Cloud Service Provider have to do to participate in CCC?
  o In the public domain they have shown how they can perform the controls and evidence of controls.
  o Sometimes scripts are built that collect information that is put into a reporting view. Google has a taxonomy that builds off that.
  o AWS has a mapping – We need to share that. We have relationships with the product managers at the cloud companies.

LSEG Maintainer - CCC was a needed control. CDMC gives you a method of collecting evidence. How do we want to certify data mgmt. services?
• We have a mapping already of the type of control that is required. The type of evidence required when audited demonstrates lineage or that sensitive data is being handled according to privacy rules.
• We’ve already worked with privacy lawyers and engineers from cloud platforms to identify evidence they produce to comply.
• We will follow up on what spec we can put into FINOS or directly into the CCC project as a baseline to the taxonomy.
  o What does the taxonomy need to look like? The second part is doing the actual mapping.
  o Who is familiar with data mgmt. controls that could work with me?

FINOS Maintainer – Regarding taxonomy. From what I understand, you both have 14 control measures we can map to the MITRE threat catalogue. What kind of format do you have currently captured?

Does CCC use the security sections in the NIST standard? What about data risks? Taxonomy of types of data risk? I don’t know how well they map to the threat catalogue. I’ll be happy to do that mapping. I’m familiar with CDMC. MITRE may be closely connected.

FINOS Maintainer Lead – Taxonomy working group maintainers should take care of this. Issue needs to be created per Morgan Stanley coordinate the effort.

BMO Maintainer: Citi’s taxonomy Maintainer is on zoom

Citi Maintainer - We’re not looking to engage with regulators directly. This is about financial services creating a standard and then the regulators can use it. The point of this standard is to level set against threats. If Cloud Service Providers chooses not to implement the standard, then we as clients have a choice to use them or not. We’d work that into the costs.

LSEG Maintainer – Lessons learned. If you have regulators too closely involved, you have no voice. CDMC did an informational briefing to all global regulators, that led to useful follow up sessions with individual regulators, once you have something meaningful to share. Tech teams, reporting and other teams will become involved.

Citi Maintainer – if we get them comfortable with common services it gives us a model to certify and secure the non-common services as well. We already use them internally.

LSEG Maintainer – We work with all the worlds regulators. About 100 of them. The African, Federal Reserve, European Union, England, POA Asia. They’ve all seen CDMC. Some want to use, and some weren’t interested.

FINOS Lead – Where does this fall with setting up working groups for CCC and establishing the standard? CCM – Continuous control monitoring. – For each control assessment it is a “point in time” basis. Can we assess on a periodic basis instead? What’s the scope if we do need to go to a continuous and close monitoring?

Citi Maintainer – We’re not looking for a point in time certification. We’re looking for controls for ongoing consistent feedback that controls are effective. The threat is that data exfiltration could happen if open to public, but we may have a control already in place. That’s one control, but we need a detective control. Everything about this is continuous control monitoring. In public cloud point in time is never good enough.

Citi Maintainer – Automation is run daily here. We need to define the test of the controls and taxonomy threats to controls. Effectively we’re changing a configuration and watching to ensure the control triggers what it is supposed to. We do that on every single control. Intention is to deliver that automated control tested capability. I’d prefer it to be implemented by vendors directly. But we can do it. We are in agreement that assessments will be used by CCM or CCM space.

FINOS - CCC Standard is being shared and was called for by project needs. RDMS defined here in a 25-page paper. It will help define the scope of the project. If we can stick to these guiderails that will get us to the first point of delivery. Working with Citi to raise a pull request. Will be distributed to people who are interested in CCC when they come through FINOS channels. Everyone will be able to get access.

Citi Maintainer – The purpose of this is evidence of controls, rather than a control itself. FINOS Lead will get the white paper over to me for pull request.

FINOS – This was part of the original contribution from Citi. There was a historical legal review.

Citi Maintainer – We have a maintainer on every work stream in detail from Citi. The CCC Standard is put in the repository as a reference, but not the final one. When it goes into a repository, until it’s been changed, it’s authoritative.
• This document is more of the proposal of concept rather than a finalized complete book of work. This must be tagged appropriately as a proposal to work from. Prefer to take the author's name off if you make changes to it.

FINOS Lead – PDF has been stamped by legal team

  1. MITRE update – Is anyone working on engaging with MITRE? Has anyone reached out to MITRE? The type of models for controls you build around the threats identified, we can extend that model for different databases and use the same structure. We can have preventive controls for compliance risk as well.
     • E.g.: Previously, I could only do AWS. Now I can do AWS and GWP. As we define controls, make sure the threat is fully mitigated so we can effectively implement.
     • Fully mitigated means preventative and detective control at least and built entirely with a diff infrastructure. If I have a failure where an intelligent attacker disables capabilities, my single lens will be lost instead of all lenses.

FINOS Lead - Auto failure, auto backups are must haves for RDMS and be implemented as much as we can in CCC.

FINOS CCC Retrospective and Future Planning – Recap of last 3 months

What have we done well?
• Incredible participation across multiple banks and service providers. How quickly we got everyone involved is impressive.
• CCC is technical in nature. Learned all the FINOS families that are made relevant in relation to CCC – I couldn’t get working groups together but with FINOS it happens.
• Open Source Finance Forum shows we are living in an ecosystem and not silos.
• Expectations and content that came out of this group from a Citi perspective. The amount of contribution has been amazing. I know it’s not the final release, the first example, but I’m in awe. Sonatype packed a room full of people to learn more about CCC and how we get there. You cannot do that unless you have multiple people working together.
• This works as a template for future projects.
• Zero to hero in a week. Seems like a lot of work is being done.

What could we do better?
• Once maintainers were appointed progress was visible. In the future get maintainers earlier in the project or issue.
• Contributor – feeling lost sometimes listening to the conversation. I don’t feel like I’m contributing enough to the project. If there is anything we can do in between the monthly meetings, I’d like to contribute more. The in-crowd knows what they’re doing but I do not.
• FINOS Lead – it’s easy to create tight circles. We need to figure out how to raise issues etc.
• Maybe a project board – good first issue, low hanging fruit items maybe you can grab when you have time.
• Contributor – I had a goal myself with MITRE. If I had a group or mentor, I could’ve contributed more.
• FINOS Lead – We probably should stop talking in broad terms and create smaller issues to resolve and move the project forward.
• Maintainer - We say there’s a problem, we say something needs to be done. No one writes it down and no one acts. We should tag things to track. We have the champion, but we need to clear the obstacles. Usually that’s just a 5-minute conversation.
• FINOS - Getting things written down is priority.
• Maintainer - Where’s the quick “MITRE for dummies” so we’re all on the same page?
• FINOS Lead – Maybe we could enable discussions? Doesn’t get a ticket number. Clean space to do Q&A, back and forth. Collecting resources. Roles and responsibilities.
• Is there a scrum on this call? There are 3 main working groups. Maybe a scrum could capture and scribe to each call?
• We have a few milestones that are not date bound. Go through the list of who is responsible? Maintainers? FINOS? The leads? Office hours.
• Track the organization of these action items?
• Production of documentation, like working methodologies etc. FINOS, then maintainers; each maintainer could be designated to a workstream.
• Do maintainers work on tunnel vision or like a federation? Large language etc.
• Make a note of lead maintainers for work groups.
• Allocating a scribe – Maintainers