SDLC Framework WG Bi-weekly call - December 8th #282
Description
Date
Monday December 8th - 1000 EST / 1500 UK
Untracked attendees
| Name | Firm | Comment |
|---|---|---|
| Abhishek Chowdhury | UBS | |
| Brian Warner | Fidelity | |
| Gay Pinto | UBS | |
Meeting notices
- FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
- All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
Agenda
- Convene, roll call, welcome new people
- Approve previous meeting minutes: SDLC Framework WG Bi-weekly call - November 24th #281
- AI transcription being attached as minutes?
- Additional membership
- Control Governance Lifecycle
- Two proposals
- Taxonomy/Control domain proposal
- Draft proposal document
- Draft taxonomy Review Control Domain/Group List
- Next steps
- Discuss volunteers/owners of control domains
- If there is time, preview of the next session, which will focus on supply chain risks in software builds:
  1. Insider threat
  2. Provenance / supply chain integrity / chain of custody (demonstrate you can prove the supply chain identity)
  3. Third party open source risks (vulnerabilities + licensing)
- AOB, Q&A & Adjourn (5mins)
Meeting Notes
- Discussed attaching AI meeting notes directly to the meeting issue. This was declined.
- A new maintainer onboarding process was discussed: an issue should be created, with the existing maintainers approving on it, to provide traceability.
- The proposed lifecycle of a control proposal document was shared and discussed. No major concerns were highlighted with the basic workflow.
- The proposed definition of the control domain taxonomy was discussed.
- Overview of the insider threat risk.
- The Kosli example was shared and discussed again as an illustration of what we are looking to achieve at a high level.
- Discussed the need to tag fine-grained risks alongside each control; these can then be grouped into domains later when defining risk domains.
Follow Up Items
- Aaron to create a proposed maintainer addition via an issue
- Mike to look into creating a template for new proposed control submissions
- Karl to share the proposed lifecycle document internally for feedback
Zoom info
Github Repo: https://github.com/finos-labs/SDLC-Controls-Framework/
Project Board: SDLC Project Board
Mailing List: Email sdlc-framework+susbscribe@lists.finos.org to subscribe to our mailing list