
SDLC Framework WG Bi-weekly call - November 24th

meekrosoft opened this issue 2 months ago • 7 comments

Date

Monday November 24th- 1000 EST / 1500UK

Untracked attendees

| Name | Firm | Comment |
| --- | --- | --- |
| Abhishek Chowdhury | UBS | |

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • [x] Convene, roll call, welcome new people
  • [x] Approve previous meeting minutes: https://github.com/finos/devops-automation/issues/279
  • [x] Updates to the getting started/landing page.
  • [x] Controls & Mitigation backlog for tracking status & ingest list Controls Backlog Tracker - Issue #18
  • [x] Risk Domain backlog for tracking status & ingest list. Issue #19 - Risk Domain Backlog Tracker
  • [ ] Next session will focus on supply chain risks in software builds:
    • [ ] 1. Insider threat
    • [ ] 2. Provenance / supply chain integrity / chain of custody (demonstrate you can prove the supply chain identity)
    • [ ] 3. Third party open source risks (vulnerabilities + licensing)
  • [x] AOB, Q&A & Adjourn (5mins)

Meeting Notes

  • The meeting was cut short to 30 minutes due to prior commitments.
  • A quick update/overview of the new landing page which contains some reading material/background for new joiners.
  • An overview of a "backlog" table for both mitigations/controls and risk domains for contribution.
  • Ownership/next steps were discussed for the initial draft definitions of the three controls. One volunteer so far.
  • Regulatory frameworks, and how they might be linked to risk domains, were discussed.
  • The topic of including a regulatory framework/requirement list for reference between risk domains was raised, both to cover the regulatory requirements and the underlying risks.
  • The need for a fundamental definition of the lifecycle of a control and its governance was discussed. A rough outline was given, which will need writing up so that it can be followed.
  • The topic of example implementations was raised, and whether or not we would be including how a control can be evidenced. The discussion shifted away from concrete implementations and towards staying with policy rather than procedure, but if examples help illustrate a control they could and should be included. We also discussed that in some cases the implementation informs the control, so it is sometimes hard to avoid some overlap. However, given the breadth of organisations and the aim to drive consistency, it is unlikely we will achieve consistency of implementation, so our focus should be on policy primarily.

Decisions Made

  • Controls should first start on the Backlog List. Then be assigned to an owner/author for creation of an initial draft. From there we will need to define how we manage the integration of the initial control into the repo and the relevant signoff/voting from the maintainers.
  • [ ] UBS (Abhishek Chowdhury/Gay Pinto) agreed to join as a maintainer! Bringing us to three FIs.

Action Items

  • [ ] @aaronsearle to mail workshop attendees to point them at our getting started page.
  • [ ] Advertise the upcoming meeting in the mailing list & individually (@aaronsearle)
  • [ ] Send round links to the "backlog" tables for further input to the mailing list.
  • [ ] @aaronsearle to write a draft document for control suggestion and initial review
  • [ ] @aaronsearle to meet with potential additional FI
  • [ ] @aaronsearle / Jyoti to discuss creating a list of intersecting regulatory frameworks (initially as an issue or inclusion in the risk domain issue for reference)
  • [ ] @carmithersh volunteered for an initial draft of one of the below controls as an issue for discussion.

The below are carried over from the previous sessions as we did not get to them in time.

  • [ ] Next session will focus on supply chain risks in software builds:
    • [ ] 1. Insider threat
    • [ ] 2. Provenance / supply chain integrity / chain of custody (demonstrate you can prove the supply chain identity)
    • [ ] 3. Third party open source risks (vulnerabilities + licensing)

Zoom info

(https://zoom-lfx.platform.linuxfoundation.org/meeting/96292319760?password=a023f03e-c2aa-46fb-aae3-5d93c9d9664e)

Join Zoom Meeting

  • https://zoom.us/j/94904595244
  • Meeting ID: 949 0459 5244
  • Passcode: 545224
  • Find your local number: https://zoom.us/u/aesEqmNODb

Github Repo: https://github.com/finos-labs/SDLC-Controls-Framework/

Project Board: https://github.com/orgs/finos-labs/projects/18

Mailing List: Email [email protected] to subscribe to our mailing list

meekrosoft, Nov 24 '25 09:11