finos / community

FINOS Community, Project and SIG wide collaboration space
http://community.finos.org

FINOS DevOps Mutualization Project Agenda - July 30th 2020 @ 6pm BST / 1pm ET #52

Closed mcleo-d closed 4 years ago

mcleo-d commented 4 years ago

Description

The FINOS DevOps Mutualization Project is scheduled to meet on July 30th 2020 @ 6pm BST / 1pm ET.

DevOps Mutualization aims to solve common engineering problems by providing a continuous compliance and assurance approach to DevOps for financial services and fintech.

The group last met on 18th June with the meeting minutes found here https://github.com/finos/community/issues/44#issuecomment-648791809

Agenda

Discussion Topics

Please leave your feedback on the agenda above in the comments below #52

We look forward to your ideas and contribution.

The FINOS Team.

mcleo-d commented 4 years ago

As DevOps Mutualization continues to establish itself, it would be great for participants to read the following FINOS Meeting Procedure that includes running special interest groups. This will help with setting agendas and taking minutes moving forward.

jbjonesjr commented 4 years ago

One of the outstanding questions I had heard on the last call was for:

Iterate the list of the different types of evidence, what risk we think it's trying to address, and where the source of that evidence typically comes from.

as a way to identify the first movements on this group. Would like to check to see if any of the banks made progress on that. This should map to our Topic 2 from above

From my side, George from Citi asked about Tekton support with Actions. That is something we're looking into, but no immediate roadmap feedback (note, our roadmap is now public at https://github.com/github/roadmap) on it, however we are embarking on many of these same themes (better k8s support, scaling, etc) later this year.

peterrhysthomas commented 4 years ago

Here is the list we came up with in point 1's discussion:

mcleo-d commented 4 years ago

All - Thank you for attending the second FINOS DevOps Mutualization formation meeting last Thursday. It was great having so many FINOS members join the call and input into the project.

Please find a list of the attendees below as I complete the meeting minutes and add them to the issue. Also, please let me know your GitHub ID in the comments if it's missing from the list.

DevOps Mutualization Meeting Attendees

Date and Time : Thursday 30th July @ 1pm ET / 6pm BST

| Name | Firm | GitHub ID |
| --- | --- | --- |
| Andrew Aitken | Wipro | |
| Eric Tice | Wipro | |
| Murali Kaundinya | Wells Fargo | |
| Rajeev Agrawal | Wells Fargo | |
| Karel Deman | Scott Logic | @kdeman |
| Amol Shukla | Morgan Stanley | |
| Dov Katz | Morgan Stanley | @DovOps |
| Gus Paul | Morgan Stanley | |
| Jamie Jones | GitHub | @jbjonesjr |
| James McLeod | FINOS | @mcleo-d |
| Maurizio Pillitu | FINOS | @maoo |
| Rob Underwood | FINOS | @brooklynrob |
| Tosha Ellison | FINOS | @toshaellison |
| Peter Thomas | Deutsche Bank | @peterrhysthomas |
| Shay Naeh | Cloudify | |
| Anders Wallgren | CloudBees | |
| Tim Johnson | CloudBees | @tcraigjohnson |
| George Kichukov | Citi | |
| Paul Groves | Citi | @grovesy |
| Stefanos Piperoglou | Citi | @citistefanos |
| Tyler Bell | Capital One | |
| Lee Faus | Armory | @leefaus |

mcleo-d commented 4 years ago

Please find below meeting minutes from the DevOps Mutualization Formation Meeting that took place on Thursday 30th July @ 1pm ET / 6pm BST.

DevOps Mutualization Meeting Minutes

Date and Time : Thursday 30th July @ 1pm ET / 6pm BST

Group Questions and Discussions

The following are DevOps Mutualization group questions that are open to asynchronous feedback and discussion.

mcleo-d commented 4 years ago

@tcraigjohnson asks here ... https://github.com/finos/community/issues/44#issuecomment-668159551

On last week's call, I believe it was Stefanos who was talking about the burden of Change Management. They have an astounding number of manual approvals in their process that sound like they are little more than someone ticking a box because Change Management requires it. In a segment that has to move fast, that's a lot of administrative burden.

Here are my questions for the forum:

How do you change Change Management? What evidence and automation would the CMB need to actually improve and streamline the process? Are you changing people to change the process or do you show how to change the process to change the people?

mcleo-d commented 4 years ago

@peterrhysthomas - I have added these points to the meeting minutes and have also added to #55 where the subject matter discussion should continue 👍

Here is the list we came up with in point 1's discussion:

  • Record of code review/4-eyes check
  • Record of test execution
  • Record of test result acceptance/sign off
  • Record of code/image/vulnerability scanning
  • Environment deployment history/promotion
  • Record of ITIL related control points
  • Conformance to other control points – CSO or Architecture compliance
  • Code/config changes - commit id/PR/etc
  • Traceability to requirements/jira issues, etc
  • Test plan
  • Change classification - material/minor - impact and testing scope, risk, etc
  • Change/risk assessment - maybe some automated risk assessment, blast radius assessment

guspaul commented 4 years ago

@tcraigjohnson asks here ... #44 (comment)

How do you change Change Management? What evidence and automation would the CMB need to actually improve and streamline the process? Are you changing people to change the process or do you show how to change the process to change the people?

We are starting to go through this right now, and I am very keen to swap notes on what others are doing. We are not even using Service Now to capture change requests, which I think makes us an outlier, but even if we were, I feel like we would still have to cover other assessments to automate the approvals.

Things like

I think some of those can be yes/no answers, but others might be more graduated, which would lend itself to an assessment rather than fully automating the approvals. So you would automatically grade the release (a bit like this site does for security of websites https://securityheaders.com/) which would let you better highlight the releases that need more oversight. You could then move the boundary up and down for which releases got auto approved depending on current context.

mcleo-d commented 4 years ago

@DovOps and Group Members - On 10th September at 11am ET / 5pm BST we have the opportunity to present a 3 minute DevOps Mutualization update on the FINOS All Community Call as a FINOS Focus Project. See issue #53

Please use 👍 to register your interest to present and list your thoughts on the topics below ... 🚀

mindthegab commented 4 years ago

Can this be closed @mcleo-d ?