ABSTRACT

Chapter 6 integrates risk management practices within DevOps to achieve compliance with applicable legal and regulatory requirements. Through 2015, 80% of the risks associated with DevOps program objectives stemmed from how organizational change was managed.

The risk management process begins by evaluating risk in the absence of internal controls, which is known as inherent risk. With the addition of proper code certification, which attests that the overall system works as intended and that its environment protects it from undue influence, the risk is reduced to the residual level that remains once controls are in place. Secure capabilities allow stakeholders to take proactive action, such as quarantining sensitive or non-public information (moving or deleting it from their network) before it is exposed without authorization and results in brand, reputational, financial, legal or cybersecurity risk to the business.

A common objection to implementing DevOps and continuous delivery in IT organizations is that the approach cannot comply with industry standards and regulations.

Regulations and standards require organizations to prove that they know what is happening in their systems and why. Protecting information and services and reporting on them accurately are therefore essential. The authority under which an organization acquires certain data, and the mechanisms it employs to secure the data once acquired, are at the forefront of many discussions today. Most IT organizations are subject to regulation and implement controls to ensure that they comply. Controls are also essential in reducing the risk of loss that may affect the confidentiality, integrity, availability and privacy of information.

This chapter contains a detailed case study that demonstrates the implementation of the cybersecurity risk management framework within the DevOps lifecycle. The case presents a business overview and the technical environment, together with a list of focus areas to address and specific questions to answer, and then provides the complete solution set using the cybersecurity risk management framework.