An outline of a Compliance Project workflow
When a DevSecOps or DevSecOps PLUS subscriber needs to achieve specific compliance certifications, a Compliance Project is initiated. This ensures that their cloud infrastructure meets the required security and compliance standards.
A typical Compliance Project includes the following steps:
1. The customer designates a primary owner to manage the compliance program within their organization.
2. Choose a Governance, Risk, and Compliance (GRC) tool such as Vanta, Thoropass, or Drata. This step is optional but highly recommended. For more information about using GRC tools with DuploCloud, see the DuploCloud documentation.
3. Select a security/compliance partner who specializes in assisting with compliance certifications and security controls.
4. The program owner works with the internal team to define, document, and finalize compliance policies. This step requires buy-in from the customer's executive leadership.
5. Once policies are defined, DuploCloud implements cybersecurity controls to meet the customer's requirements. In the meantime, we integrate your GRC tool with the cloud environment of your application and systems. You add DuploCloud as an admin of the GRC tool so we can begin work on infrastructure controls. Many of the controls will already show as green (Pass) because of your DuploCloud platform deployment; our team then makes the remaining adjustments so that all controls pass.
6. If selected, activate SIEM for continuous monitoring.
7. Document backup and recovery controls. These provide auditors with the internal controls you use for backup and recovery. We can provide a customized report for your environment that can be shared with an auditing team.
8. If a penetration test is needed, we follow these steps:
   a. Discovery: Define the scope, including an application walkthrough.
   b. Account Setup: Create the accounts needed for the penetration test.
   c. Pen Test Sign-Off: Confirm test accounts and dates.
   d. Run Tests: Perform automated and manual tests.
   e. Deliver Report: Provide the findings and report. This occurs approximately two weeks after the Pen Test sign-off.
   *Penetration testing is conducted by DuploCloud. Some subscribers will need to purchase penetration testing as an add-on service.
9. DuploCloud assists the customer with gathering evidence within the scope of DuploCloud's engagement.
10. The customer appoints the auditor and agrees on an observation window. DuploCloud participates in auditor sessions when needed.
11. DuploCloud provides a security white paper outlining the controls implemented in the customer's cloud environment and on the DuploCloud platform, with templates available for customer use.
12. DuploCloud assists with ongoing management of the infrastructure and security controls within the scope of DuploCloud's responsibility.
Configurations may vary based on the customer's cloud environment and could include additional steps such as enabling security measures, deploying gateways, configuring backups, and setting up monitoring and alerting systems. These measures help align services with the organization’s compliance requirements while streamlining the process of achieving and maintaining certifications.
For more about DuploCloud’s security and compliance scope and responsibilities, see the DuploCloud Security and Compliance documentation.