Security and Compliance Workflow
An outline of a Compliance Project workflow
Last updated
Was this helpful?
An outline of a Compliance Project workflow
Last updated
Was this helpful?
When a DevSecOps or DevSecOps PLUS subscriber needs to achieve specific compliance certifications, a Compliance Project is initiated. This ensures that their cloud infrastructure meets the required security and compliance standards.
A typical Compliance Project includes the following steps:
The customer designates a primary owner to manage the compliance program within their organization.
Choose a Governance, Risk, and Compliance (GRC) tool such as Vanta, Thoropass, or Drata. This step is optional but highly recommended. For more information about using GRC tools with DuploCloud, see the .
Select a security/compliance partner who specializes in assisting with compliance certifications and security controls.
The program owner works with the internal team to define, document, and finalize compliance policies. This step requires buy-in from the customer’s executive leadership.
Once policies are defined, DuploCloud implements cybersecurity controls to meet the customer’s requirements. In the meantime, we integrate your GRC tool with the cloud environment of your application and systems. You add DuploCloud as an admin of the GRC tool so we can begin work on infrastructure controls. You will see many of the controls in green (Pass) mode due to your DuploCloud platform deployment. Our team will just work on making the necessary adjustments to make it all green.
If selected, activate SIEM for continuous monitoring.
These provide auditors with the internal controls you use for backup and recovery. We can provide a customized report for your environment that can be shared with an auditing team.
If a penetration test is needed, we follow these steps:
Discovery: Define the scope, including an application walkthrough.
Account Setup: Create necessary accounts for the penetration test.
Pen Test Sign-Off: Confirm test accounts and dates.
Run Tests: Perform automated and manual tests.
Deliver Report: Provide the findings and report. This occurs approximately two weeks after the Pen Test sign-off.
*Penetration testing conducted by DuploCloud. Some subscribers will need to purchase penetration testing as an add-on service.
DuploCloud assists the customer with the gathering of evidence within the scope of DuploCloud’s engagement.
The customer appoints the auditor and agrees on an observation window. DuploCloud participates in auditor sessions when needed.
DuploCloud provides a security white paper outlining the controls implemented in the customer’s cloud environment and on the DuploCloud platform, with templates available for customer use.
DuploCloud assists with ongoing management of the infrastructure and security controls in scope of DuploCloud’s responsibility
Configurations may vary based on the customer's cloud environment and could include additional steps such as enabling security measures, deploying gateways, configuring backups, and setting up monitoring and alerting systems. These measures help align services with the organization’s compliance requirements while streamlining the process of achieving and maintaining certifications.
For more about DuploCloud’s security and compliance scope and responsibilities, see the DuploCloud .