From 3367a6218b8dac6e847bb821a301768ca4367ca0 Mon Sep 17 00:00:00 2001 From: Rob Moffat Date: Thu, 20 Jun 2024 17:32:02 +0100 Subject: [PATCH] Updated Readme (#196) Co-authored-by: sshiells-scottlogic <148051590+sshiells-scottlogic@users.noreply.github.com> Co-authored-by: Jared Lambert <116378154+jared-lambert@users.noreply.github.com> Co-authored-by: Eddie Knight --- Readme.md | 119 +++++++++++------- .../community-guidelines/communication.md | 2 +- docs/governance/finos-poc.md | 16 +++ .../duplication-reduction/charter.md | 1 + participants.md | 1 + 5 files changed, 92 insertions(+), 47 deletions(-) create mode 100644 docs/governance/finos-poc.md create mode 100644 docs/governance/working-groups/duplication-reduction/charter.md diff --git a/Readme.md b/Readme.md index ea3ace31..0a899c7a 100644 --- a/Readme.md +++ b/Readme.md 
@@ -2,79 +2,106 @@ -FINOS Common Cloud Controls (FINOS CCC) is the codename for an open standard project, originally proposed by Citi and currently incubating in FINOS, to describe consistent controls for compliant public cloud deployments in the financial services sector. +## What Is It? + +FINOS Common Cloud Controls (FINOS CCC) is an open standard project that describes consistent controls for compliant public cloud deployments in the financial services (FS) sector. This standard is a collaborative project which aims to develop a unified set of cybersecurity, resiliency, and compliance controls for common services across the major cloud service providers (CSPs). -You can read more and register your interest on [finos.org/common-cloud-controls-project](https://www.finos.org/common-cloud-controls-project). +## What Are The Benefits? -## FINOS CSLA Needed to Participate in Common Cloud Controls +#### 💯 Defining Best Practices Around Cloud Security -All FINOS Common Cloud Controls participants are required to sign a FINOS [Community Specification Contributor License Agreement](https://github.com/finos/standards-project-blueprint/blob/main/governance-documents/Getting%20Started.md#best-practices) before joining project calls and collaborating in working groups. +> CCC aims to standardize cloud security controls for the banking sector, providing a common set of controls that CSPs can implement to meet the requirements of FS firms. As multiple FS firms are involved in the project, effort is shared, the controls will be representative of the sector as a whole, and be more robust than any one firm could develop on its own. -Please visit [participants.md](participants.md) and raise a Pull Request by adding your `name`, `organisation` and `enrollment date` to the markdown file. 
+#### 🎯 One Target For CSPs To Conform To -Raising a Pull Request on [participants.md](participants.md) will automatically take you through the Linux Foundation EasyCLA process for signing the FINOS [CSCLA](https://github.com/finos/standards-project-blueprint/blob/main/governance-documents/Getting%20Started.md#best-practices). +> If all FS firms specify their own cloud infrastructure requirements, CSPs will have to conform to multiple standards. CCC aims to provide a single target for CSPs to conform to. -Email help@finos.org if you require further help. +#### 🎒 Sharing The Burden Of A Common Definition + +> CCC aims to reduce the burden of compliance for CSPs by providing a common definition of controls which they can adopt. As CCC controls are specified in a cloud-agostic way, CSPs can implement them in a way that is consistent with their own infrastructure, while delivering services that FS firms understand and trust. + +#### 🧭 A Path Towards Common Implementation + +> FINOS sister project, [Compliant Financial Infrastructure](https://github.com/finos/compliant-financial-infrastructure) aims to be a downstream implementation of the CCC controls standard. In tandem with CCC, this will provide FS firms with a one-stop shop for secure cloud infrastructure deployment. + +#### 🥇 A Path Towards Certification + +> It is envisaged that eventually, CCC will offer _certification_ for CSPs who conform to the standard. + +## How Does It Work? + +The CCC project is in **incubation** at the moment but aims to deliver its first standards in 2024. The project is split into 6 working groups, each with a specific focus: + +- **Communications / All Hands**: Focused on the overall project communications and community engagement. +- **Security** - Working to specify the security controls and threats that will be covered by the standard. +- **Community Structure** - Focused on the governance and structure of the CCC project. 
+- **Duplication Reduction** - Focused on ensuring that the CCC standard does not duplicate existing standards. +- **Taxonomy** - Focused on defining the taxonomy of cloud services that will be covered by the standard. +- **Delivery** - Focused on the delivery of the CCC standard for use downstream by FS firms and CSPs. + +Work is done in the open, with all meetings and decisions documented in the project GitHub repository. ## Get Involved with FINOS Common Cloud Controls There are several ways to contribute to FINOS Common Cloud Controls. -### Join FINOS CCC Project Meetings -FINOS Common Cloud Controls meets over Zoom and you can find future agendas and previous meetings below. +### 1. Join FINOS CCC Project Meetings + +The CCC project is split into 6 working groups in the CCC project which meet on a fortnightly basis: -- **FINOS Common Cloud Controls - Project All Hands** - [First Thursday of Each Month](https://github.com/finos/common-cloud-controls/issues?q=is%3Aissue+is%3Aopen+label%3Ameeting+label%3A%22All+Working+Groups%22) -- **OSCAL Representation of FINOS CCC** - [Second Thursday of Each Month](https://github.com/finos/common-cloud-controls/issues?q=is%3Aissue+is%3Aopen+label%3Ameeting+label%3A%22OSCAL+Representation+of+FINOS+CCC%22) -- **Engage with MITRE Threat Catalogue** - [Third Thursday of Each Month](https://github.com/finos/common-cloud-controls/issues?q=is%3Aissue+is%3Aopen+label%3Ameeting+label%3A%22Engage+with+MITRE+Threat+Catalogue%22) -- **Define Cloud Services Taxonomy** - [Fourth Thursday of each Month](https://github.com/finos/common-cloud-controls/issues?q=is%3Aissue+is%3Aopen+label%3A%22Define+Cloud+Services+Taxonomy%22+label%3Ameeting) +| Working Group | When | Chair | Mailing List | +| --- | --- | --- | --- | +| [Security](/docs/governance/working-groups/security/charter.md) | 4PM UK, 1st and 3rd Thursday each month | @mlysaght2017 | [ccc-security](mailto:ccc-security+subscribe@lists.finos.org) | +| 
[Delivery](/docs/governance/working-groups/delivery/charter.md) | 4:30PM UK, 1st and 3rd Thursday each month | @damienjburks | [ccc-delivery](mailto:ccc-delivery+subscribe@lists.finos.org) | +| [Communications / All Hands](/docs/governance/working-groups/communications/charter.md) | 5PM UK, 1st and 3rd Thursday each month | @Alexstpierrework | [ccc-communications](mailto:ccc-communications+subscribe@lists.finos.org) | +| [Taxonomy](/docs/governance/working-groups/taxonomy/charter.md) | 4:30PM UK, 2nd and 4th Thursday each month | @smendis-scottlogic | [ccc-taxonomy](mailto:ccc-taxonomy+subscribe@lists.finos.org) | +| [Community Structure](/docs/governance/working-groups/community-structure/charter.md) | 5PM UK, 2nd and 4th Thursday each month | @sshiells-scottlogic | [ccc-structure](mailto:ccc-structure+subscribe@lists.finos.org) | +| [Duplication Reduction](/docs/governance/working-groups/duplication-reduction/charter.md) | 5:30PM UK, 2nd and 4th Thursday each month | @jared-lambert | [ccc-duplication](mailto:ccc-duplication-reduction@lists.finos.org) | -Alternatively, find the next meeting on the [FINOS Community Calendar](https://finos.org/calendar) and browse [Past Meeting Minutes in GitHub](https://github.com/finos/common-cloud-controls/labels/meeting). +Find the next meeting on the [FINOS Community Calendar](https://finos.org/calendar) and browse [Past Meeting Minutes in GitHub](https://github.com/finos/common-cloud-controls/labels/meeting). + +### 2. Join the FINOS Common Cloud Controls Mailing Lists -### Join the FINOS Common Cloud Controls Mailing List FINOS Common Cloud Controls communications are conducted through the ccc-participants@lists.finos.org mailing list. Simply email [ccc-participants+subscribe@lists.finos.org](mailto: ccc-participants+subscribe@lists.finos.org) to join. -### Raise a FINOS Common Cloud Controls GitHub Issue -FINOS Common Cloud Controls is maintained and run through GitHub. 
Simply [Raise a GitHub Issue](https://github.com/finos/common-cloud-controls/issues/new/choose) to ask questions or make suggestions. +### 3. Raise a FINOS Common Cloud Controls GitHub Issue + +FINOS Common Cloud Controls is maintained and run through GitHub. Simply [Raise a GitHub Issue](https://github.com/finos/common-cloud-controls/issues/new/choose) to ask questions or make suggestions. + +### FINOS CSLA Needed to Participate in Common Cloud Controls + +All FINOS Common Cloud Controls participants are required to sign a FINOS [Community Specification Contributor License Agreement](https://github.com/finos/standards-project-blueprint/blob/main/governance-documents/Getting%20Started.md#best-practices) before joining project calls and collaborating in working groups. + +Please visit [participants.md](participants.md) and raise a Pull Request by adding your `name`, `organisation` and `enrollment date` to the markdown file. + +Raising a Pull Request on [participants.md](participants.md) will automatically take you through the Linux Foundation EasyCLA process for signing the FINOS [CSCLA](https://github.com/finos/standards-project-blueprint/blob/main/governance-documents/Getting%20Started.md#best-practices). + +Email help@finos.org if you require further help. + +### FINOS Code of Conduct + +Participants of FINOS standards projects should follow the FINOS Code of Conduct, which can be found at: + +## Governance -## FINOS CCC Steering Committeee Members +### FINOS CCC Steering Committee The CCC Steering Committee is the governing body of the CCC project, providing decision-making and oversight pertaining to the CCC project bylaws, sub-organizations, and financial planning. The Steering Committee also defines the project values and structure. [Documented here](docs/governance/steering/charter.md). 
-| FINOS CCC Maintainer | Representing | Seat | -| -------------------- | -------------- | ---- | -| Jon Meadows | Citi | FSI | -| Oli Bage | LSEG | FSI | -| Simon Zhang | BMO | FSI | -| Paul Stevenson | Morgan Stanley | FSI | +| Name | Representing | Seat | +| -------------------- | -------------- | --------- | +| Jon Meadows | Citi | FSI | +| Oli Bage | LSEG | FSI | +| Simon Zhang | BMO | FSI | +| Paul Stevenson | Morgan Stanley | FSI | | Robert Griffiths | Scott Logic | Community | | Eddie Knight | Sonatype | Community | | Adrian Hammond | Red Hat | Community | -## FINOS CCC Project Maintainers - -FINOS Common Cloud Controls is maintained by FINOS members and the wider open source in finance community. - -The following are the FINOS CCC maintainers, the firms they represent and the maintainer working group alignment. - -| FINOS CCC Maintainer | Representing | FINOS CCC Working Group | -| -------------------- | -------------- | ------------------------------------------- | -| Jonathan Meadows | Citi | OSCAL Representation of CCC | -| Jason Nelson | Citi | Engage with MITRE Threat Catalogue | -| Mark Rushing | Citi | Define Cloud Services Taxonomy | -| Moe Matar | Citi | Define Cloud Services Taxonomy | -| Anna Selyugina | Goldman Sachs | Engage with MITRE & Cloud Services Taxonomy | -| Paul Stevenson | Morgan Stanley | Cloud Services Taxonomy & OSCAL Representation of CCC | -| Simon Zhang | BMO | Define Cloud Services Taxonomy | -| Adrian Hammond | Red Hat | Define Cloud Services Taxonomy | -| Naseer Mohammad | Google | Engage with MITRE Threat Catalogue | -| Valentin Mihai | Google | Engage with MITRE Threat Catalogue & OSCAL Representation of CCC| -| Rachel Kim | Google | OSCAL Representation of CCC | -| Raj Krishnamurthy | Compliance Cow | Engage with MITRE Threat Catalogue | -| Vicente Herrera | Control Plane | Define Cloud Services Taxonomy | -| Michaela Iorga | NIST | OSCAL Representation of CCC | +@robmoffat is the current [FINOS Point of 
Contact](docs/governance/finos-poc.md) for the CCC project. ## License diff --git a/docs/governance/community-guidelines/communication.md b/docs/governance/community-guidelines/communication.md index 886fe516..e82c00b3 100644 --- a/docs/governance/community-guidelines/communication.md +++ b/docs/governance/community-guidelines/communication.md @@ -39,4 +39,4 @@ Any meeting published on the public calendar must additionally adhere to a stric [SC]: <../community-groups.md#steering-committee> [WG]: <../community-groups.md#working-groups> [community guideline]: <./README.md> -[FINOS Point of Contact]: <../steering/charter.md#finos-point-of-contact> \ No newline at end of file +[FINOS Point of Contact]: <../finos-poc.md> \ No newline at end of file diff --git a/docs/governance/finos-poc.md b/docs/governance/finos-poc.md new file mode 100644 index 00000000..2e2a70a0 --- /dev/null +++ b/docs/governance/finos-poc.md @@ -0,0 +1,16 @@ +# FINOS Point-of-Contact (POC) + +Most administative tasks around FINOS projects are performed by [FINOS Help](help@finos.org), such as changing mailing lists, meeting cadence, tool support etc. + +CCC is currently a FINOS strategic initiative and as such as an appointed POC. This role is responsible for: + +1. Representing the project to the FINOS community. +2. Helping with CCC marketing, recruitment and promotion. +3. General advice around open source governance and community management. +4. Project administration tasks where necessary. +5. Engaging with other parts of the FINOS / LF organisation, including board-level reporting. + +The FINOS POC is responsible to the FINOS Board-appointed CCC Executive sponsors, who can set direction for the FINOS involvement in CCC as a strategic initiative, apart from the general CCC community goals. The FINOS POC is therefore also responsible for: + +1. Representing the interests of the CCC Executive sponsors to the project. +2. Attempting to action executive sponsors requests where possible. 
diff --git a/docs/governance/working-groups/duplication-reduction/charter.md b/docs/governance/working-groups/duplication-reduction/charter.md new file mode 100644 index 00000000..782aedde --- /dev/null +++ b/docs/governance/working-groups/duplication-reduction/charter.md @@ -0,0 +1 @@ +Approved by the Steering Committee, but pending merge. Please see [here](https://github.com/finos/common-cloud-controls/blob/83573b755d75676e55438a19cb4f93ab447252df/docs/governance/working-groups/duplication-reduction/charter.md) diff --git a/participants.md b/participants.md index 0ebe8867..7758b014 100644 --- a/participants.md +++ b/participants.md @@ -25,6 +25,7 @@ Below is the list of [participants](governance-documents/5._Governance.md#1roles - Zeal Somani, JupiterOne, Mar/7/2024 - Michael Lysaght, Citi, Mar/07/2024 - Damien Burks, Citi, MAR/07/2024 +- Jared Lambert, Microsoft, APR/01/2024 - Eric Peeters, Weaver, JUN/12/2024 ## How to enroll as a participant
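Review bot: in the Readme hunk the new `### FINOS Code of Conduct` section ends with "which can be found at:" and nothing follows, so the sentence is incomplete and the link the heading promises is missing; add the Code of Conduct URL. Smaller points in the same hunk: "cloud-agostic" should be "cloud-agnostic"; in the working-group table the Duplication Reduction row links `mailto:ccc-duplication-reduction@lists.finos.org` while every other row uses a `+subscribe` address, and its link text `ccc-duplication` does not match that address, so people joining that list get a different flow from the other five; the heading says `CSLA` and the body says `CSCLA` for the same Community Specification Contributor License Agreement; the "How Does It Work?" bullets use a colon for "Communications / All Hands:" and a dash for the other five entries; "meet on a fortnightly basis" does not quite match the "1st and 3rd Thursday" / "2nd and 4th Thursday" cadence in the table; and "The CCC project is split into 6 working groups in the CCC project" repeats itself. The hunk also deletes the whole "FINOS CCC Project Maintainers" table without telling readers where the maintainer list now lives; if that information has moved to the working-group charters, say so in the sentence that replaces the table.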
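Review bot: the `[FINOS Point of Contact]` reference in communication.md now points at `../finos-poc.md`, but this patch does not touch `docs/governance/steering/charter.md`, where the old `#finos-point-of-contact` anchor lived; if that section is still in the steering charter there are now two descriptions of the role, so either remove or replace the old section with a link to finos-poc.md in this PR, or state which page is authoritative. The file is also still committed without a trailing newline, which the diff flags on both sides of the hunk.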
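Review bot: in finos-poc.md, `[FINOS Help](help@finos.org)` has no `mailto:` scheme, so it renders as a relative link to a file named `help@finos.org` instead of opening an email; write it as `[FINOS Help](mailto:help@finos.org)`. Wording fixes in the same hunk: "administative" -> "administrative", "as such as an appointed POC" -> "as such has an appointed POC", and "executive sponsors requests" -> "executive sponsors' requests". Since the Readme in this patch links to this page as the definition of the role and names @robmoffat as the current POC only there, consider adding one line here that names the current POC or points back to that Readme line, so the page is complete on its own.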
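Review bot: the new duplication-reduction/charter.md is a one-line placeholder that says the charter is "Approved by the Steering Committee, but pending merge" and links to a blob pinned at commit `83573b755d75676e55438a19cb4f93ab447252df`, yet the Readme table in the same patch presents this file as the Duplication Reduction working group's charter. If the content is already approved, merge the charter text itself here (or in this PR) rather than pointing at a commit-pinned URL, which will keep resolving after the placeholder is forgotten and will never reflect later edits to the charter. If it really must merge separately, link the open pull request instead of a pinned blob so readers can see the current status.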
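Review bot: the participants.md hunk adds `- Jared Lambert, Microsoft, APR/01/2024` as part of a README PR authored by someone else, while the Readme in this same patch says that raising a Pull Request on participants.md is what takes a participant through the Linux Foundation EasyCLA process; confirm the CLA for this enrolment has been signed separately, or ask the participant to open their own PR so the check runs against their commit. The date also uses the upper-case `APR/01/2024` form, matching the two preceding entries but not `Mar/7/2024` above them; the list should settle on one date format.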