Financial Services Regulatory Compliance

Introduction

GitLab is used extensively to achieve regulatory compliance in the financial services industry. Many of the world's largest financial institutions are GitLab customers. This page details the relevant rules, the principles needed to achieve them, and the features in GitLab that make that possible.

Regulators and regulations

Examples of regulators include the following:

  1. America: FEB in the US, also see the FFIEC IT Handbook
  2. Europe: FCA and PRA in the UK, FINMA in Switzerland
  3. Asia: MAS in Singapore and HKMA

Examples of relevant regulations include the following:

  1. The GLBA Safeguards rule requires that financial institutions protect the consumer information they collect and hold their service providers to the same standards.
  2. Dodd-Frank’s purpose is to promote the financial stability of the United States by improving accountability and transparency in the financial system. It sets the baseline for what is “reasonable and appropriate” security around consumer financial data. You must be ready to prove your security controls and document them.
  3. Sarbanes Oxley (SOX) exists to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. Advice for achieving this is augmented by other frameworks such as COBIT14 and the CIS Critical Security Controls.
  4. PCI DSS is intended to maintain payment security and is required for all entities that store, process or transmit cardholder data. It requires companies using credit cards to protect cardholder data, manage vulnerabilities, provide strong access controls, monitor and test, and maintain policy.

Specific controls common amongst these regulations are outlined below, along with features of GitLab that aid in their compliance.

Separation of duties

Rules

Principles

  1. You never merge your own code.
  2. All code needs to be peer reviewed.
  3. Only authorized people can approve the code.
  4. You need a log of who approved it.

GitLab features

  1. Protected branches
  2. Merge request approvals
  3. Unprotect permission
  4. Future: Approval jobs in CI pipelines
  5. Future: Two-person access controls
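The four principles above can be expressed as a mechanical check over merge request records. The following is an added example, not code from the GitLab handbook or the GitLab product: it assumes a constructed set of authorized approvers and a few constructed merge request records, and reports which records violate self-merge, peer review or authorized-approver rules, plus the audit line that records who approved what.

```python
"""Separation-of-duties check over merge request records (added example).

Encodes the principles: never merge your own code, all code is peer reviewed,
only authorized people approve, and keep a log of who approved.
The approver set and the merge request records below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the only users allowed to approve code for this project.
AUTHORIZED_APPROVERS = {"alice", "bob", "carol"}


@dataclass
class MergeRequest:
    iid: int                      # merge request number within the project
    author: str                   # user who opened the change
    approvers: List[str]          # users who approved, in order
    merged_by: Optional[str]      # None if the change has not been merged yet
    reviewed_by: List[str] = field(default_factory=list)


def check_separation_of_duties(mr: MergeRequest,
                               authorized=AUTHORIZED_APPROVERS,
                               min_approvals: int = 1) -> List[str]:
    """Return the list of violated rules for one merge request (empty = compliant)."""
    violations = []
    # 1. You never merge your own code.
    if mr.merged_by is not None and mr.merged_by == mr.author:
        violations.append(f"!{mr.iid}: author {mr.author} merged their own code")
    # 2. All code needs to be peer reviewed: the author's own approval does not count.
    peers = [a for a in mr.approvers if a != mr.author]
    if len(peers) < min_approvals:
        violations.append(f"!{mr.iid}: fewer than {min_approvals} peer approval(s)")
    if mr.author in mr.approvers:
        violations.append(f"!{mr.iid}: author {mr.author} approved their own change")
    # 3. Only authorized people can approve the code.
    for approver in mr.approvers:
        if approver not in authorized:
            violations.append(f"!{mr.iid}: {approver} is not an authorized approver")
    return violations


def audit_log_line(mr: MergeRequest) -> str:
    """4. A log of who approved it: one record per merge request for the audit trail."""
    approvers = ",".join(mr.approvers) or "-"
    return (f"MR !{mr.iid} author={mr.author} approvers={approvers} "
            f"merged_by={mr.merged_by or '-'}")


def audit(mrs: List[MergeRequest]) -> Dict[int, List[str]]:
    """Map each merge request number to its violations; only non-compliant ones appear."""
    report = {}
    for mr in mrs:
        found = check_separation_of_duties(mr)
        if found:
            report[mr.iid] = found
    return report


# Constructed sample records: one compliant, one self-approved and self-merged,
# one approved by a user outside the authorized set.
SAMPLE_MRS = [
    MergeRequest(iid=101, author="dave", approvers=["alice"], merged_by="bob"),
    MergeRequest(iid=102, author="alice", approvers=["alice"], merged_by="alice"),
    MergeRequest(iid=103, author="dave", approvers=["eve"], merged_by="bob"),
]

if __name__ == "__main__":
    for mr in SAMPLE_MRS:
        print(audit_log_line(mr))
    for iid, problems in audit(SAMPLE_MRS).items():
        print(f"!{iid}: {len(problems)} violation(s)")
        for p in problems:
            print("  -", p)
```

In GitLab itself these rules map onto protected branches (who may merge), merge request approval rules (how many approvals, from whom) and the merge request's own approval history; the script is only a way to audit exported records against the same policy.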

Security

Rules

Principles

  1. Scan applications regularly for vulnerabilities.
  2. Establish criteria for the prioritization of vulnerabilities and remediation activities.
  3. Pay special attention to internally or custom developed applications with dynamic and static analysis.
  4. Establish secure coding as a culture, and provide qualified training on secure coding.
  5. Establish and document a secure development life-cycle approach that fits your business and developers.
  6. Combine functional testing and security testing of applications: Assess for operational bugs and coding errors.

GitLab features

  1. SAST
  2. DAST
  3. Dependency scanning
  4. Container scanning
  5. Security Dashboard

Also see our security paradigm for more information on why GitLab security tools work better.

Auditing

Rules

Principles

  1. Auditability of the production application: Software systems must generate all of the necessary logging information to construct a clear audit trail that shows how a user or entity attempts to access and utilize resources.
  2. Auditability of the software itself to detect changes in logic flow: whether urban legend or not, the example of the developer who diverts rounding errors to his own bank account is relevant here.
  3. Logs must be resistant to tampering and accessible only to privileged users.

GitLab features

  1. One concept of a user across the lifecycle to ensure the right level of permissions and access
  2. Audit logs
  3. Audit events
  4. Container image retention
  5. Artifact retention
  6. Test result retention
  7. Future: Disable squash of commits
  8. Future: Prevent purge

Licensed code usage

Rules

Principles

  1. To comply with license constraints, you must track license expiration and usage. This is important to manage the risk of legal costs from license agreement violations and the risk to your reputation.

GitLab features

  1. License management

Change management

Rules

Principles

  1. Change Management is required with changes tracked, reviewed and approved.
  2. Changes should be made in such a way that they can be rolled back to a previous version quickly and easily. Two examples of why this matters are the Flash Crash and the TSB Bank disaster. Source control systems should prevent unauthorized changes using access control or, at least, show changes for a clear audit trail.

GitLab features

  1. Automated deploy
  2. Revert button
  3. Review apps make it easy to visualize the changes in code review and ensure changes function in a legitimate manner.

State of the art

Rules

Principles

  1. Some hold that by showing that you are using state-of-the-art methods, you MAY help prove a point against negligence.

Features

  1. GitLab is used in many large global financial services companies.
  2. Both relevant US regulators run GitLab themselves.
  3. 2,000 code contributors
  4. 100,000 organizations
  5. Millions of users

Interested?

Contact sales

Reference articles of interest

  1. https://www.infoq.com/news/2016/07/devops-survival-finance
  2. https://www.hpe.com/us/en/insights/articles/how-the-federal-reserve-bank-of-new-york-navigates-the-supply-chain-of-open-source-software-1710.html
  3. https://www.hpe.com/us/en/insights/articles/primer-ensuring-regulatory-compliance-in-cloud-deployments-1704.html
  4. https://www.sans.org/reading-room/whitepapers/analyst/understanding-security-regulations-financial-services-industry-37027
  5. https://msdn.microsoft.com/en-us/library/aa480484.aspx#regcompliance_demystified_topic5

Everyone can contribute

Please email suggestions

MRs are very welcome, assign to.