From 521831dbf3ac70b8bf5171f03ffdd6a27aca4e87 Mon Sep 17 00:00:00 2001 From: Administrator Date: Sat, 5 Apr 2025 01:50:26 +0000 Subject: [PATCH] docs: create DocumentationStrategy/CompliancePerspective --- .../CompliancePerspective.md | 132 ++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 DocumentationStrategy/CompliancePerspective.md diff --git a/DocumentationStrategy/CompliancePerspective.md b/DocumentationStrategy/CompliancePerspective.md new file mode 100644 index 0000000..4c70b85 --- /dev/null +++ b/DocumentationStrategy/CompliancePerspective.md 
@@ -0,0 +1,132 @@ +--- +title: Compliance Perspective +description: +published: true +date: 2025-04-05T01:50:24.026Z +tags: +editor: markdown +dateCreated: 2025-04-05T01:50:24.026Z +--- + +# โœ… Compliance-Ready Documentation Strategy + +### For: Janusian Infra & Knowledge Stack +**Audience:** DevOps, Infra, Security, Docs +**Version:** v1 +**Last Reviewed:** 2025-04-05 + +--- + +## ๐Ÿงญ Overview + +This document outlines how our documentation stack (Wiki.js + Git + frontmatter) can be hardened for **compliance-readiness**, enabling: + +- Granular access control +- Immutable audit logs +- Identity & access management (IAM) +- Policy enforcement for documentation changes +- Integration with external logging and monitoring + +This helps us align with frameworks like **SOC 2**, **ISO 27001**, **GDPR**, and partially with **HIPAA**. + +--- + +## ๐Ÿ—๏ธ System Components + +| Component | Role | +|---------------|-------------------------------------| +| Wiki.js | Primary editing & browsing interface | +| Git (GitHub) | Backend version control, history | +| YAML Frontmatter | Structured metadata for compliance labeling | +| GitHub Actions | Policy enforcement & automation | +| SSO (e.g., Google/Okta) | Identity management | +| Monitoring (optional) | Access log visibility | + +--- + +## ๐Ÿ” 1. Access Control & Identity Management + +- **Use Wiki.js Auth Providers**: + - Integrate OAuth2, SAML, or LDAP (Google Workspace, Okta, Azure AD). + - Enable **SSO with MFA**. + - Apply **page-level permissions** (reader, editor, admin). +- **Group users** by roles (e.g., `docs_editor`, `infra_admin`, `read_only`). +- **Map Git permissions** to teams for repo access (e.g., `docs/` path in GitHub). + +--- + +## ๐Ÿงพ 2. 
Immutable Audit Logs + +### Wiki.js Logs: +- Enable **Audit Logging** to track: + - Page views + - Edits and deletions + - Permission changes + - Login attempts + +### Git Logs: +- Every doc change is: + - **Signed** (optional via `git commit -S`) + - Timestamped and traceable + - Stored in Git history (cryptographically verifiable) + +๐Ÿ“Œ **Optional:** Use [OpenTimestamps](https://opentimestamps.org/) or [Sigstore](https://www.sigstore.dev/) to append public, verifiable timestamps. + +--- + +## ๐Ÿ“œ 3. Policy Enforcement + +- Define **GitHub CODEOWNERS** for all Markdown documentation: + - Require approvals from specific teams (e.g., `docs-core`, `compliance`). +- Implement CI checks: + - Ensure `classification`, `relevant_for`, and `last_reviewed` exist in frontmatter. + - Auto-tag missing fields or block merges. +- Configure **Wiki.js page drafts + approval plugins** for reviewable content. + +--- + +## ๐Ÿ“Š 4. Monitoring & Alerting + +- Pipe Wiki.js audit logs to: + - ELK Stack + - Datadog + - Prometheus + Grafana + +Set up alerts for: +- Unauthorized access attempts +- Changes to classified or sensitive pages +- Admin permission changes + +--- + +## ๐Ÿงฉ 5. 
Compliance Frameworks We Could Map To + +| Compliance | Support Level | Notes | +|------------|----------------|-------| +| **SOC 2** | โœ… Full coverage for Change Mgmt, IAM, Logging | +| **ISO 27001** | โœ… Aligns with Access Control & Audit Domains | +| **GDPR** | โœ… Log access to personal data, support deletion requests | +| **HIPAA** | โš ๏ธ Partial โ€” not medical record-safe, but audit & access logs supported | + +--- + +## ๐Ÿš€ Next Steps + +- [ ] Enable Wiki.js Audit Log to PostgreSQL or external logger +- [ ] Enforce Git commit signing for doc repo +- [ ] Add CODEOWNERS and review workflows +- [ ] Set up GitHub Actions to lint frontmatter +- [ ] Route logs to Grafana or Datadog for alerting + +--- + +## ๐Ÿ” References + +- [Wiki.js Auth Providers](https://docs.requarks.io/authentication) +- [Git Signed Commits](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) +- [OpenTimestamps](https://opentimestamps.org/) +- [Sigstore](https://www.sigstore.dev/) +- [SOC 2 Criteria](https://www.aicpa.org/resources/article/trust-services-criteria) +- [ISO 27001 Controls](https://www.iso.org/isoiec-27001-information-security.html) + +---
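Review bot: The new page does not satisfy the policy it proposes: section 3 says CI should require `classification`, `relevant_for`, and `last_reviewed` in frontmatter, but the page's own frontmatter carries none of them and leaves `description:` and `tags:` empty, so this file would be blocked or auto-tagged by the very check it describes. Suggest adding those three keys to the frontmatter of this page so the example is self-consistent. Two smaller points: in section 5 the table header declares three columns (`| Compliance | Support Level | Notes |`) but every data row has only two cells, which most Markdown renderers will misalign; and the "Immutable Audit Logs" section claims Git history is "cryptographically verifiable" while leaving commit signing "optional" and saying nothing about branch protection or force-push restrictions, without which history on the repository can be rewritten. Either state those prerequisites in section 2 or soften the "immutable" wording.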