Hacker News new | ask | show | jobs
by jgworks 1410 days ago
I am not in a regulated industry, but we have recently gone through the process of getting SOC2/ISO27001 certified.

This is what was cited for us.

ISO27001:2013 A.6.1.2: Segregation of Duties. Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organization's assets.
2 comments
randerson 1410 days ago
Surely that means that no one individual can push a change they created without involving someone else, but that it is still fine as long as any two people (even if they're on the same team) are involved? You could solve this by e.g. forcing GitHub to require a review.
link
jesseryoung 1410 days ago
What exactly is a "Conflicting duty"? What's stopping a company from stating that developing, deploying and supporting software is a single duty?
link
jiveturkey 1410 days ago
Nothing ... except compliance.

The idea comes from finance -- to require collusion to execute a fraud. It's not perfect, but it's something.

link
jesseryoung 1410 days ago
Maybe I should rephrase that: Is it impossible for a company that defines Dev+Ops as a single responsibility to be compliant?
link
jiveturkey 1410 days ago
Not impossible. even in a prescriptive framework like ISO 27001, adequate SOD is a judgement call between you and the auditor. Generally speaking, if a single dev can push a code change to prod, in a way that would escape audit or not require a second pair of eyes, that would not be compliant. So if a dev writing code, also manages the deploy environment, that may not pass muster.

But it's not that cut and dried. There are degrees of rigor.

link
darkr 1410 days ago
No. Assuming a well configured continuous deployment type environment; you just need to have peer review on code before it can hit production, and you need to have controls in place over the who, what and when of elevated access to production being granted
link
destroy-2A 1410 days ago
This all breaks down as soon as audit realise the Devops team is also admin of the ci/cd stack and therefore all controls put in place to make it harder for a single actor to do bad stuff can be bypassed via this all powerful system.
link
Aeolun 1410 days ago
It seems like the description is vague enough that this is entirely up to whoever gives you your certification.
link