Financial Services Regulatory Compliance

Examples (TODO remove this before linking from other pages)

  1. https://www.infoq.com/news/2016/07/devops-survival-finance
  2. https://www.hpe.com/us/en/insights/articles/how-the-federal-reserve-bank-of-new-york-navigates-the-supply-chain-of-open-source-software-1710.html
  3. https://www.hpe.com/us/en/insights/articles/primer-ensuring-regulatory-compliance-in-cloud-deployments-1704.html

Introduction

GitLab is used extensively to achieve regulatory compliance in the financial services industry. This page details the relevant rules, the principles needed to achieve them, and the features in GitLab that make that possible.

Regulators and regulations

  1. America: FEB in the US, also see the FFIEC IT Handbook
  2. Europe: FCA and PRA in the UK, FINMA in Switzerland
  3. Asia: MAS in Singapore and HKMA in Hong Kong

TODO Add links to relevant sections of the regulations.

Separation of duties

Rules

TODO

Principles

  1. You never merge your own code.
  2. All code needs to be peer reviewed.
  3. Only authorized people can approve the code.
  4. You need a log of who approved it.

Features

  1. Protected branches https://docs.gitlab.com/ee/user/project/protected_branches.html
  2. Merge request approvals https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html
  3. Unprotect permission https://about.gitlab.com/2018/04/22/gitlab-10-7-released/#protected-branch-unprotect-permissions
  4. Future: two-person rule for admins, https://en.wikipedia.org/wiki/Two-man_rule
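As an added illustration of the four principles above (this is example code, not GitLab's own code or data), a small check that flags merge requests violating separation of duties. The record layout, the user names and the authorized-approver list are constructed for the example and are not the shape of GitLab's API or audit log.

```python
"""Separation-of-duties check over merge-request records (constructed example)."""
from dataclasses import dataclass

# Assumption: the set of people allowed to approve code (constructed sample).
AUTHORIZED_APPROVERS = {"alice", "bob"}


@dataclass
class MergeRecord:
    """Simplified merge record; not GitLab's real API or audit-log schema."""
    iid: int
    author: str
    merged_by: str
    approvals: list  # (approver, timestamp) pairs: the approval log


def sod_violations(rec, authorized=AUTHORIZED_APPROVERS):
    """Return the principles one merge record violates, in a fixed order."""
    problems = []
    if rec.merged_by == rec.author:          # 1. never merge your own code
        problems.append("self-merge")
    approvers = {name for name, _ in rec.approvals}
    if not (approvers - {rec.author}):       # 2. peer review: someone else approved
        problems.append("no peer approval")
    if approvers - authorized:               # 3. only authorized approvers
        problems.append("unauthorized approver")
    if any(not ts for _, ts in rec.approvals):  # 4. every approval is logged
        problems.append("approval without log timestamp")
    return problems


def audit(records):
    """Map merge request iid -> violations, for records that have any."""
    return {r.iid: sod_violations(r) for r in records if sod_violations(r)}


# Constructed sample records exercising the clean case and each failure mode.
SAMPLE = [
    MergeRecord(1, "carol", "alice", [("alice", "2018-05-01T10:00:00Z")]),
    MergeRecord(2, "carol", "carol", [("alice", "2018-05-01T10:05:00Z")]),
    MergeRecord(3, "carol", "bob", []),
    MergeRecord(4, "carol", "bob", [("dave", "2018-05-01T10:10:00Z")]),
    MergeRecord(5, "carol", "bob", [("carol", "2018-05-01T10:15:00Z")]),
]

if __name__ == "__main__":
    for iid, problems in audit(SAMPLE).items():
        print(f"MR !{iid}: {', '.join(problems)}")
```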

Reverting

Relevant rules

TODO

Principles

  1. https://en.wikipedia.org/wiki/2010_Flash_Crash
  2. https://www.schneier.com/blog/archives/2018/04/tsb_bank_disast.html
  3. Revert rollouts fast.

Features

  1. Automated deploy
  2. Revert button

Reviewing

Relevant rules

TODO

Principles

Review apps: great for testing algorithm changes.

Deploys

  1. Manual deploy (with audit log)
  2. Approvers (in branch)

Security

Rules

TODO

Principles

  1. Prevent vulnerabilities
  2. Make sure all code is scanned.

Features

  1. SAST
  2. DAST
  3. Dependency scanning
  4. Container scanning
  5. Future: Dashboards

GitLab replaces the following solutions:

  1. SonarQube
  2. JFrog X
  3. Black Duck
  4. HP Fortify
  5. WhiteSource
  6. Snyk

Also see our security paradigm for more information on why GitLab security tools work better.

Auditing

  1. Audit logs
  2. Container image retention
  3. Artifact retention
  4. Test result retention
  5. Future: Disable squash of commits
  6. Future: Prevent purge

Licensed code

  1. License manager

Disaster recovery

Rules

Principles

  1. Stay available.
  2. No SPOF
  3. Quick recovery.
  4. Geographic distribution

Features

  1. Geo
  2. HA

State of the art

Rules

TODO

Principles

  1. https://en.wikipedia.org/wiki/State_of_the_art#Tort_liability

Features

  1. GitLab is in use in financial services.
  2. Both relevant US regulators run GitLab themselves.
  3. 2,000 code contributors
  4. 100,000 organizations
  5. millions of users

Interested

Contact sales

Everyone can contribute

Please email suggestions

MRs are very welcome, assign to.