Skip to content

Compliant Financial Infrastructure accelerates the development, deployment and adoption of services provided for AWS, Azure and Google in a way that meets existing regulatory and internal security controls.

License

Notifications You must be signed in to change notification settings

finos/compliant-financial-infrastructure

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

FINOS - Incubating CII Best Practices

⚠️ ** Maintenance Temporarily Suspended

In order to elevate end user priorities and streamline contribution, the CFI project is currently undergoing a reorganization.

Work will be suspended until the formation of a steering committee is established, then fresh working groups will be launched. This process will be loosely coupled with the outputs coming from the FINOS Common Cloud Controls effort.

The content below is historical information about the project. The vision and intent for CFI will persist, though the structure and methods will likely look different soon.

The community remains optimistic that we can provide the best tools to improve the processes around secure infrastructure deployments for FSIs. If you would like to contribute to the reorganization discussion, or otherwise explore your involvement with CFI, please reach out to a project maintainer or contact help@finos.org.

Compliant Financial Infrastructure

Compliant Financial Infrastructure (CFI) is a project that exists to accelerate the development, deployment and adoption of services provided for infrastructure in a way that meets common regulatory and internal security controls.

Through our three working groups, we provide:

  • Opinionated compliance documentation provided by our service approval accelerators
  • Vetted infrastructure as code that is ready to import to your internal registry
  • CI/CD-friendly runtime validation tests to ensure your deployed resources are compliant

Policy Working Group

This WG exists to define and document best practice and process for implementing compliant infrastructure, while streamlining the process for contributions from financial institutions in a frictionless manner.

Compliance may mean something different from one institution to the next. The goal of CFI is not to create a single solution that all firms must adhere to, instead our goal is to streamline adoption and free up security teams to focus on non-redundant activities.

Detailed documentation in the form of Service Approval Accelerators (SAAs) live within this main CFI repository.

High level objectives

  1. Maintain a knowledge base of up-to-date compliance requirements from member financial institutions (Inputs)
  2. Document how to achieve compliance for different infrastructure resources from a financial perspective (Outputs)

Approach

  • Document opinionated configurations, mitigations, and decisions to accelerate compliance for infrastructure services in SAAs.
  • Ensure all SAAs are informed by industry-wide experience/feedback
  • Ensure CFI communication methods (both inputs and outputs) are streamlined to best serve our community and users

A template Service Approval Accelerator is maintained here.

Contributions

Reproducible Infrastructure Working Group

This WG exists to develop, maintain, and document easily consumable infrastructure as code (IaC) which can be used as a base for deploying systems in highly-regulated environments.

Detailed documentation regarding the process for developing and delivering IaC can be found here.

High level objectives

  1. Create and maintain IaC to deploy services that meet policies as defined by the Policy Working Group

Approach

  • Review Service Accelerators and work with the Policy Working Group to agree on each approach to codify policies
  • Build and maintain the IaC to meet requirements set out in the SAA
    • Where this is not possible then any policy gaps will be documented

Contributions

Runtime Validation Working Group

This WG exists to maintain a suite of tools that may be used to validate that deployed infrastructure is compliant with the documentation provided by the Policy Working Group, and provide actionable information for users who are working toward compliance.

Detailed documentation regarding the process for developing and delivering runtime validation test packs can be found here.

High level objectives

  1. Maintain tests matching each SAA to validate the compliance of any deployed resource
  2. Maintain test harness to streamline approach across all services

Approach

  • Execute tests that match the accelerators provided by the Policy WG (no more, no less)
  • Ensure harnes is easily configurable & can be used for diverse validation purposes
  • Maintain smooth logging functionality for validation and development purposes
  • Ensure common human-readable output format for all test packs

Contributions

Join the Community!

For more information about how to engage with the rest of the community and contribute to the project, view the documentation and links here.

Please feel free to request changes via GitHub Issues.

Everyone is encouraged to join our public community meetings found on the FINOS community calendar, and join us on Slack.

Thank you to our contributors!

License

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

Security Concerns

If you have any security concerns related to this project, please create an issue on this repository or create an issue on the repository associated with your concern.

About

Compliant Financial Infrastructure accelerates the development, deployment and adoption of services provided for AWS, Azure and Google in a way that meets existing regulatory and internal security controls.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases

No releases published

Packages