This has been a week dominated by compliance meetings, so I did not get to do any real technical work.
Compliance is one of those fun things you get to deal with when you work for a very large company, or a company that is rapidly growing. At its core, most compliance frameworks expect you to do three things:
- Identify your risks
- Document your controls and processes that mitigate those risks
- Keep logs proving that you are actually doing the controls
Once you get into it, it of course gets a bit more complicated. For example, for a team that is building software you will need to be able to prove that the code you have running in production is the same code that is in your source repository. Documenting this requires a way to trace a given software feature from inception all the way through to release. That means having a work tracking system that links to code commits in source control, which link to a build, which links to a deployment package.
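One concrete way to make that chain checkable rather than just documented, as an added example that is not from the original post: at build time, record the work item, the commit SHA and the SHA-256 digest of the produced artifact in a signed manifest; at deploy time (or when an auditor asks), recompute the digest of what is actually running and compare it against the manifest and against the commit source control says was released. The ticket ID, commit SHA, artifact bytes and signing key below are constructed placeholders, and the HMAC-based manifest signature is this example's own choice, not a scheme the post describes.

```python
import hashlib
import hmac
import json

# Constructed sample values: a work item, the commit that implements it, and the
# bytes of the build artifact. None of these refer to a real project.
WORK_ITEM = "TICKET-123"
COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"
ARTIFACT_BYTES = b"constructed build artifact contents v1"
# Key used to sign the manifest; in a real pipeline this would live in the CI
# system's secret store, not in the build script.
SIGNING_KEY = b"example-build-signing-key"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the artifact bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the signature covers exactly these fields."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(work_item: str, commit_sha: str, artifact: bytes, key: bytes) -> dict:
    """Produced by the build step: links ticket -> commit -> artifact digest.

    The HMAC over the canonical encoding means any later edit to the recorded
    fields (for example swapping in a different commit) invalidates the manifest.
    """
    record = {
        "work_item": work_item,
        "commit": commit_sha,
        "artifact_sha256": sha256_hex(artifact),
    }
    record["signature"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_deployment(manifest: dict, deployed_bytes: bytes,
                      released_commit: str, key: bytes) -> list:
    """Run at deploy or audit time. Returns a list of findings; an empty list
    means the running artifact matches the signed manifest and the manifest
    matches the commit that source control records as released."""
    findings = []
    unsigned = {k: v for k, v in manifest.items() if k != "signature"}
    expected_sig = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest.get("signature", "")):
        findings.append("manifest signature invalid")
    if manifest.get("commit") != released_commit:
        findings.append("manifest commit does not match released commit")
    if sha256_hex(deployed_bytes) != manifest.get("artifact_sha256"):
        findings.append("deployed artifact digest does not match manifest")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(WORK_ITEM, COMMIT_SHA, ARTIFACT_BYTES, SIGNING_KEY)
    print("manifest:", json.dumps(manifest, indent=2))
    print("clean deploy:", verify_deployment(manifest, ARTIFACT_BYTES, COMMIT_SHA, SIGNING_KEY))
    print("tampered artifact:", verify_deployment(manifest, b"something else", COMMIT_SHA, SIGNING_KEY))
```

The three checks are deliberately separate so the evidence you hand an auditor says which link in the chain broke: a bad signature means the manifest itself was altered after the build, a commit mismatch means the build did not come from the commit that was approved for release, and a digest mismatch means what is running is not what was built.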
If you are in a company where you are looking to get some form of compliance certification, do yourself a favor and start documenting all the things. You will thank me later when an auditor requests some obscure piece of information, and you find that it is already documented.
I am hoping that this coming week things will get back to “normal”, and that I will have time to work on some technical stuff. With a little luck I will have something much more interesting to write about next weekend.