Finding a proper balance between classic IT Governance, Risk, and Compliance (GRC) and modern technologies initiatives has been a reasonably difficult process for most large enterprises. The classic enterprise risk policy profiles are often redundant, misaligned, or in some cases outdated.
In this presentation, we are going to discuss two recently published papers that address modern patterns to deal with the imbalance. The first paper was introduced in September of 2019 called “DevOps Automated Governance Reference Architecture”. This paper discusses a reference architecture for digitally signing policy evidence that is automated in the delivery pipeline in the form of attestations in an attestation data store. The second paper was released in May of 2020 called “Automated Cloud Governance”. This paper is a follow on work from the original paper, including specific evidence opportunities from the major cloud providers to the cloud consumers.
The presenter of this session was chairperson of both of the working group papers and he will discuss an overview and also discuss opportunities these papers can provide. This session should be interesting with anyone working on DevOps, DevSecOps, and or Risk initiatives.