---
title: Compliance Perspective
description:
published: true
date: 2025-04-05T01:50:24.026Z
tags:
editor: markdown
dateCreated: 2025-04-05T01:50:24.026Z
---

# ✅ Compliance-Ready Documentation Strategy

### For: Janusian Infra & Knowledge Stack

**Audience:** DevOps, Infra, Security, Docs

**Version:** v1

**Last Reviewed:** 2025-04-05

---

## 🧭 Overview

This document outlines how our documentation stack (Wiki.js + Git + frontmatter) can be hardened for **compliance-readiness**, enabling:

- Granular access control
- Immutable audit logs
- Identity & access management (IAM)
- Policy enforcement for documentation changes
- Integration with external logging and monitoring

This helps us align with frameworks like **SOC 2**, **ISO 27001**, **GDPR**, and partially with **HIPAA**.

---

## 🏗️ System Components

| Component | Role |
|---|---|
| Wiki.js | Primary editing & browsing interface |
| Git (GitHub) | Backend version control, history |
| YAML Frontmatter | Structured metadata for compliance labeling |
| GitHub Actions | Policy enforcement & automation |
| SSO (e.g., Google/Okta) | Identity management |
| Monitoring (optional) | Access log visibility |

---

## 🔐 1. Access Control & Identity Management

- **Use Wiki.js Auth Providers**:
  - Integrate OAuth2, SAML, or LDAP (Google Workspace, Okta, Azure AD).
  - Enable **SSO with MFA**.
- Apply **page-level permissions** (reader, editor, admin).
- **Group users** by roles (e.g., `docs_editor`, `infra_admin`, `read_only`).
- **Map Git permissions** to teams for repo access (e.g., `docs/` path in GitHub).

---
## 🧾 2. Immutable Audit Logs

### Wiki.js Logs:

- Enable **Audit Logging** to track:
  - Page views
  - Edits and deletions
  - Permission changes
  - Login attempts

### Git Logs:

- Every doc change is:
  - **Signed** (optional via `git commit -S`)
  - Timestamped and traceable
  - Stored in Git history (cryptographically verifiable)

📌 **Optional:** Use [OpenTimestamps](https://opentimestamps.org/) or [Sigstore](https://www.sigstore.dev/) to append public, verifiable timestamps.

---

## 📜 3. Policy Enforcement

- Define **GitHub CODEOWNERS** for all Markdown documentation:
  - Require approvals from specific teams (e.g., `docs-core`, `compliance`).
- Implement CI checks:
  - Ensure `classification`, `relevant_for`, and `last_reviewed` exist in frontmatter.
  - Auto-tag missing fields or block merges.
- Configure **Wiki.js page drafts + approval plugins** for reviewable content.

---

## 📊 4. Monitoring & Alerting

- Pipe Wiki.js audit logs to:
  - ELK Stack
  - Datadog
  - Prometheus + Grafana

Set up alerts for:

- Unauthorized access attempts
- Changes to classified or sensitive pages
- Admin permission changes

---
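The CI frontmatter check from section 3 and the alert rules from section 4, shown together as one added example (this is illustration code written for this page, not part of the page's own tooling, Wiki.js, or GitHub Actions). It ties the two sections together: the `classification` field that the lint enforces is what decides whether an edit to a page should raise an alert. Assumed for illustration: the allowed classification values, a 180-day review window, flat `key: value` frontmatter (nested YAML is ignored), the shape of the audit events, and all sample pages and events, which are constructed.

```python
"""Added example: section 3 frontmatter policy check plus section 4 alert
rules over constructed sample data. Allowed classifications, the 180-day
window, flat frontmatter parsing and the event dict shape are assumptions."""
import re
from datetime import date, datetime, timezone

REQUIRED_FIELDS = ("classification", "relevant_for", "last_reviewed")
ALLOWED_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}  # assumed
SENSITIVE = {"confidential", "restricted"}  # classes whose edits are alert-worthy
MAX_REVIEW_AGE_DAYS = 180                   # assumed review cadence


def parse_frontmatter(text):
    """Return top-level 'key: value' pairs between the leading '---' markers."""
    match = re.match(r"^---\n(.*?)\n---", text, re.S)
    if not match:
        return {}
    fields = {}
    for line in match.group(1).splitlines():
        if ":" in line and not line.startswith((" ", "\t", "-")):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip().strip("'\"")
    return fields


def lint_frontmatter(text, today=None):
    """CI policy for one page: required fields present, classification from the
    allowed set, last_reviewed a valid ISO date inside the review window.
    Returns a list of findings; an empty list means the page passes."""
    today = today or datetime.now(timezone.utc).date()
    fields = parse_frontmatter(text)
    if not fields:
        return ["no frontmatter block found"]
    findings = [f"missing required field: {name}"
                for name in REQUIRED_FIELDS if not fields.get(name)]
    cls = fields.get("classification")
    if cls and cls not in ALLOWED_CLASSIFICATIONS:
        findings.append(f"unknown classification: {cls!r}")
    reviewed = fields.get("last_reviewed")
    if reviewed:
        try:
            age = (today - date.fromisoformat(reviewed)).days
            if age > MAX_REVIEW_AGE_DAYS:
                findings.append(f"last_reviewed is {age} days old (limit {MAX_REVIEW_AGE_DAYS})")
        except ValueError:
            findings.append(f"last_reviewed is not an ISO date: {reviewed!r}")
    return findings


def evaluate_audit_events(events, classification_by_page, failed_login_threshold=3):
    """Section 4 alert rules over audit events (assumed shape: dicts with 'kind',
    'user' and optional 'page', 'outcome', 'detail'). Returns (severity, message)."""
    alerts, failed_logins = [], {}
    for ev in events:
        kind, user = ev["kind"], ev["user"]
        if kind == "login" and ev.get("outcome") == "failure":
            failed_logins[user] = failed_logins.get(user, 0) + 1
            if failed_logins[user] == failed_login_threshold:  # alert once per burst
                alerts.append(("high", f"{failed_login_threshold} failed logins for {user}"))
        elif kind in ("edit", "delete"):
            cls = classification_by_page.get(ev.get("page"))
            if cls in SENSITIVE:
                alerts.append(("high", f"{kind} of {cls} page {ev['page']} by {user}"))
        elif kind == "permission_change" and "admin" in ev.get("detail", ""):
            alerts.append(("critical", f"admin permission change by {user}: {ev['detail']}"))
    return alerts


# Constructed sample pages (this wiki's frontmatter shape) and a constructed
# event stream; neither is real data.
SAMPLE_PAGES = {
    "infra/vault-runbook": ("---\ntitle: Vault runbook\nclassification: confidential\n"
                            "relevant_for: infra\nlast_reviewed: 2025-04-05\n---\n# Vault\n"),
    "onboarding/welcome": ("---\ntitle: Welcome\nclassification: public\n"
                           "last_reviewed: 2024-01-15\n---\nHello\n"),
}
SAMPLE_EVENTS = [
    {"kind": "login", "user": "alice", "outcome": "failure"},
    {"kind": "login", "user": "alice", "outcome": "failure"},
    {"kind": "login", "user": "alice", "outcome": "failure"},
    {"kind": "edit", "user": "bob", "page": "infra/vault-runbook"},
    {"kind": "edit", "user": "bob", "page": "onboarding/welcome"},
    {"kind": "permission_change", "user": "carol", "detail": "granted admin to dave"},
]


def run_checks(pages=SAMPLE_PAGES, events=SAMPLE_EVENTS, today=date(2025, 4, 5)):
    """Lint every page, then evaluate the events using each page's classification."""
    findings = {path: lint_frontmatter(text, today) for path, text in pages.items()}
    classes = {path: parse_frontmatter(text).get("classification") for path, text in pages.items()}
    return {"findings": findings, "alerts": evaluate_audit_events(events, classes)}


if __name__ == "__main__":
    result = run_checks()
    for path, items in result["findings"].items():
        print(path, "OK" if not items else items)
    for severity, message in result["alerts"]:
        print(f"[{severity}] {message}")
    # A non-zero exit is what blocks the merge in a CI step.
    raise SystemExit(1 if any(result["findings"].values()) else 0)
```

In a GitHub Actions step the lint would be run over the changed Markdown files (the file walk is left out here) and its exit code decides whether the merge is blocked; the alert evaluation would instead sit in whichever log pipeline the audit events are routed to, with the page-to-classification map rebuilt from the repo on each run so that reclassifying a page changes its alerting without touching the rules.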
## 🧩 5. Compliance Frameworks We Could Map To

| Compliance | Support Level | Notes |
|---|---|---|
| **SOC 2** | ✅ | Full coverage for Change Mgmt, IAM, Logging |
| **ISO 27001** | ✅ | Aligns with Access Control & Audit Domains |
| **GDPR** | ✅ | Log access to personal data, support deletion requests |
| **HIPAA** | ⚠️ Partial | Not medical record-safe, but audit & access logs supported |

---

## 🚀 Next Steps

- [ ] Enable Wiki.js Audit Log to PostgreSQL or external logger
- [ ] Enforce Git commit signing for doc repo
- [ ] Add CODEOWNERS and review workflows
- [ ] Set up GitHub Actions to lint frontmatter
- [ ] Route logs to Grafana or Datadog for alerting

---

## 🔍 References

- [Wiki.js Auth Providers](https://docs.requarks.io/authentication)
- [Git Signed Commits](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [OpenTimestamps](https://opentimestamps.org/)
- [Sigstore](https://www.sigstore.dev/)
- [SOC 2 Criteria](https://www.aicpa.org/resources/article/trust-services-criteria)
- [ISO 27001 Controls](https://www.iso.org/isoiec-27001-information-security.html)

---