Angelique's 14 Points

DevSecOps Governance Rules

  1. Ubiquitous Encryption: encryption must be implemented for all data states.
    • Data-at-Rest & Data-in-Motion: Required
    • Data-in-Use: Decided per use case, following a compliance- and risk-based approach
  2. Zero-Trust: Authentication must be performed according to approved processes, and the identity of every actor (user, service or device) must be verified. (Centralized user management)
  3. Authorization: mechanisms to allow or deny access to resources must be in place, and access must be denied by default.
  4. Certificate Validation: All certificates must be validated (chain, hostname, validity period and revocation status). Self-signed certificates and certificates from non-publicly-trusted CAs are not allowed.
  5. Block Insecure Access: Insecure alternatives to encrypted access must be blocked, not merely redirected (e.g. disallow plain HTTP on port 80). This includes administrative user access.
  6. Isolate Exceptions: Granted exceptions to item 5 must be isolated (network-segmented from other resources).
  7. Vulnerability Management (VM): Vulnerability management must be implemented (e.g. automated scanning, controlled hacking, code inspection, et cetera). A local team should be formed to run the scans and to remediate the affected systems.
  8. Strict Rules: Implement strict security groups/firewall rules (network access) and the governance to keep them strict.
  9. Love GDPR: GDPR-imposed requirements and processes must be documented, communicated and adhered to! Any application or process using personally identifiable information (PII) or "personal data" must be registered (Process: Registry of processing activities). It is recommended to maintain this registry for all data, not only personal data. Idea: a central data repository!!!
  10. Document: Teams must document what data they process and why, how they process it, with whom they share it, and for how long they keep it. (Processes: DPIA and/or IRAMv2)
  11. No Prod-data for DEVs: Developers must not have access to production data, unless it has been provided by an audit role. Administrative access must be requested, monitored & communicated. Error and incident mgmt. rules apply.
  12. Immutable Systems: Nobody may have access to production systems, except for deploy pipeline roles, which must use MFA. (Are-Have-Know: "are" = the instance running with an assigned role, "know" = an external ID the caller must present when assuming that role.)
  13. Security Ambassadors: A local group and its members must be defined and must be empowered to uphold IT and information security directives and rules. This should encompass IT Security, Information Security & GDPR.
    (Read: a local (= team-level) CyberSec / InfoSec / Risk-Management function must be formed.)
  14. Do Risk Management: Risks, technical debt, deviations & exceptions must be managed & prioritized by the risk owner / an audit role. Risks must be evaluated and communicated to group and/or C-level.
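As an added example (not part of Angelique's 14 Points nor of any project she describes), the following code shows how item 12 can be checked automatically. It assumes that "Instance with Role + External ID" refers to an AWS IAM role assumed via STS AssumeRole, so the controls become conditions in the role's trust policy: a restricted principal (the pipeline role, the "are" factor), `sts:ExternalId` (the "know" factor) and `aws:MultiFactorAuthPresent` for MFA. Both trust policies below are constructed for this example; the account ID, role name and external ID are placeholders.

```python
"""Added example: check an AWS IAM role trust policy against item 12
(deploy pipeline roles only, MFA, restricted principal, external ID).
Assumption: item 12 refers to AWS STS AssumeRole trust policies.
The two policies below are constructed for this example."""
import json

# Constructed: a trust policy that satisfies item 12.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        # "are": only the deploy pipeline role may assume this role
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy-pipeline"},
        "Action": "sts:AssumeRole",
        "Condition": {
            # MFA must have been used for the calling session
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            # "know": the caller must present the agreed external ID
            "StringEquals": {"sts:ExternalId": "pipeline-7c1d"},
        },
    }],
})

# Constructed: a trust policy that violates item 12 in every respect.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sts:AssumeRole"],
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_rule12(policy_json: str) -> list[str]:
    """Return findings for every Allow statement that grants sts:AssumeRole.
    An empty list means the trust policy satisfies item 12."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        # Principal may be "*" or {"AWS": "*"} or {"AWS": ["*", ...]}.
        principal = stmt.get("Principal")
        principals = [principal] if principal == "*" else _as_list(
            principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in principals:
            findings.append(f"statement {i}: principal is '*', any account could assume the role")

        cond = stmt.get("Condition", {})
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent=true condition")
        if not cond.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, check_rule12(doc) or "OK")
```

The check is deliberately strict: a statement that allows `sts:AssumeRole` without all three conditions is reported, so it can be wired into the vulnerability-management scans of item 7 and run over every role's trust policy. Note that `aws:MultiFactorAuthPresent` is only true for sessions that authenticated with MFA; for a fully non-interactive pipeline the restricted principal and the external ID carry the "are" and "know" factors, and the MFA requirement should be enforced on the human session that starts the pipeline.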

Contributions & Thanks

Major thanks go to Rainer Rehm, for his contributions over the years and improving these simple and effective guidelines!

Author: Angelique Dawnbringer
Published: 2017-06-16 22:34:27
Keywords:
  • 14 points
  • Angelique
Modified: 2020-07-12 17:04:45