| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| Compliance Perspective | | true | 2025-04-05T01:50:24.026Z | | markdown | 2025-04-05T01:50:24.026Z |
# ✅ Compliance-Ready Documentation Strategy

- **For:** Janusian Infra & Knowledge Stack
- **Audience:** DevOps, Infra, Security, Docs
- **Version:** v1
- **Last Reviewed:** 2025-04-05
## 🧭 Overview
This document outlines how our documentation stack (Wiki.js + Git + frontmatter) can be hardened for compliance-readiness, enabling:
- Granular access control
- Immutable audit logs
- Identity & access management (IAM)
- Policy enforcement for documentation changes
- Integration with external logging and monitoring
This helps us align with frameworks like SOC 2, ISO 27001, GDPR, and partially with HIPAA.
## 🏗️ System Components
| Component | Role |
|---|---|
| Wiki.js | Primary editing & browsing interface |
| Git (GitHub) | Backend version control, history |
| YAML Frontmatter | Structured metadata for compliance labeling |
| GitHub Actions | Policy enforcement & automation |
| SSO (e.g., Google/Okta) | Identity management |
| Monitoring (optional) | Access log visibility |
## 🔐 1. Access Control & Identity Management
- Use Wiki.js Auth Providers:
  - Integrate OAuth2, SAML, or LDAP (Google Workspace, Okta, Azure AD).
  - Enable SSO with MFA.
- Apply page-level permissions (reader, editor, admin).
- Group users by roles (e.g., `docs_editor`, `infra_admin`, `read_only`).
- Map Git permissions to teams for repo access (e.g., the `docs/` path in GitHub).
## 🧾 2. Immutable Audit Logs
### Wiki.js Logs

- Enable Audit Logging to track:
  - Page views
  - Edits and deletions
  - Permission changes
  - Login attempts
### Git Logs

- Every doc change is:
  - Signed (optional, via `git commit -S`)
  - Timestamped and traceable
  - Stored in Git history (cryptographically verifiable)
📌 Optional: Use OpenTimestamps or Sigstore to append public, verifiable timestamps.
## 📜 3. Policy Enforcement
- Define GitHub CODEOWNERS for all Markdown documentation:
  - Require approvals from specific teams (e.g., `docs-core`, `compliance`).
- Implement CI checks:
  - Ensure `classification`, `relevant_for`, and `last_reviewed` exist in frontmatter.
  - Auto-tag missing fields or block merges.
- Configure Wiki.js page drafts + approval plugins for reviewable content.
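The CI check described above, written out as an added example (this is not code from the original page or from the Wiki.js project). It fails the build when a page lacks `classification`, `relevant_for` or `last_reviewed`, and goes one step further than the page by also rejecting a `last_reviewed` value that is not an ISO date or is older than `MAX_REVIEW_AGE_DAYS`. Assumptions: frontmatter is a flat `key: value` YAML block (parsed by hand to avoid a PyYAML dependency), the 365-day review limit, and the constructed sample pages used for the self-check.

```python
"""CI gate: fail the build when a Markdown page lacks the required frontmatter.

Required keys follow the page: classification, relevant_for, last_reviewed.
Only flat `key: value` YAML frontmatter is parsed (an assumption, to avoid a
PyYAML dependency); MAX_REVIEW_AGE_DAYS is an added staleness check.
"""
from __future__ import annotations

import datetime as dt
import re
import sys
from pathlib import Path

REQUIRED_FIELDS = ("classification", "relevant_for", "last_reviewed")
MAX_REVIEW_AGE_DAYS = 365  # assumption: the review cadence the docs policy would set

# Frontmatter is the block between the opening `---` on line 1 and the next `---` line.
FRONTMATTER_RE = re.compile(r"\A---\r?\n(.*?)\r?\n---(?:\r?\n|\Z)", re.DOTALL)


def parse_frontmatter(text: str) -> dict[str, str] | None:
    """Return the frontmatter as a flat dict, or None when no block is present."""
    match = FRONTMATTER_RE.match(text)
    if match is None:
        return None
    fields: dict[str, str] = {}
    for line in match.group(1).splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue  # blank line, YAML comment, or a nested line this flat parser does not model
        key, _, value = stripped.partition(":")
        fields[key.strip()] = value.strip().strip("'\"")
    return fields


def lint_document(text: str, today: dt.date | str | None = None) -> list[str]:
    """Return the list of problems for one page; an empty list means it passes."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    today = today or dt.date.today()
    fields = parse_frontmatter(text)
    if fields is None:
        return ["no YAML frontmatter block found"]
    problems = [f"missing required field: {name}" for name in REQUIRED_FIELDS if not fields.get(name)]
    reviewed = fields.get("last_reviewed")
    if reviewed:
        try:
            reviewed_on = dt.date.fromisoformat(reviewed[:10])  # accept a date or a full timestamp
        except ValueError:
            problems.append(f"last_reviewed is not an ISO date: {reviewed!r}")
        else:
            age = (today - reviewed_on).days
            if age > MAX_REVIEW_AGE_DAYS:
                problems.append(f"last_reviewed is {age} days old (limit {MAX_REVIEW_AGE_DAYS})")
    return problems


def lint_tree(root: str | Path) -> dict[str, list[str]]:
    """Lint every *.md file under root; map each failing path to its problems."""
    failures: dict[str, list[str]] = {}
    for page in sorted(Path(root).rglob("*.md")):
        problems = lint_document(page.read_text(encoding="utf-8"))
        if problems:
            failures[str(page)] = problems
    return failures


# Constructed sample pages used for a self-check; not real repository content.
SAMPLE_OK = (
    "---\ntitle: Network Diagram\nclassification: confidential\n"
    "relevant_for: [infra, security]\nlast_reviewed: 2025-04-05\n---\n# Body\n"
)
SAMPLE_MISSING = "---\ntitle: Draft\nclassification: internal\n---\nBody\n"


if __name__ == "__main__":
    failures = lint_tree(sys.argv[1] if len(sys.argv) > 1 else "docs")
    for path, problems in failures.items():
        for problem in problems:
            print(f"::error file={path}::{problem}")  # GitHub Actions annotation syntax
    sys.exit(1 if failures else 0)
```

Run it as a workflow step (`python lint_frontmatter.py docs/`) on pull requests: the non-zero exit blocks the merge, and the `::error file=...::` lines surface as inline annotations on the offending files. The staleness check is what turns `last_reviewed` from a label into an enforced control; without it the field can be set once and never revisited.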
## 📊 4. Monitoring & Alerting
- Pipe Wiki.js audit logs to:
  - ELK Stack
  - Datadog
  - Prometheus + Grafana
- Set up alerts for:
  - Unauthorized access attempts
  - Changes to classified or sensitive pages
  - Admin permission changes
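The three alert rules listed above, expressed as detection logic over a few audit events, as an added example (not code from the original page or from Wiki.js). The JSON field names, the group names in `ADMIN_GROUPS`, the failed-login threshold and the sample log lines are all constructed assumptions for illustration; Wiki.js's real audit-log schema is not shown on this page, and in production the same rules would be written as ELK, Datadog or Grafana alert queries over the shipped logs.

```python
"""Alert rules for a Wiki.js audit-log stream, evaluated on constructed sample lines.

The JSON field names are an assumption for illustration, not Wiki.js's real
audit-log schema; the rules map one-to-one onto the page's alert list.
"""
from __future__ import annotations

import json
from collections import Counter

SENSITIVE_CLASSIFICATIONS = {"confidential", "restricted"}  # assumed frontmatter values
ADMIN_GROUPS = {"administrators", "infra_admin"}             # assumed names; infra_admin is the page's example role
FAILED_LOGIN_THRESHOLD = 5                                   # assumed: fire on the 5th failure from one IP

# Constructed sample events (not real log output).
SAMPLE_LOG_LINES = [
    '{"ts":"2025-04-05T10:00:01Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
    '{"ts":"2025-04-05T10:00:02Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
    '{"ts":"2025-04-05T10:00:03Z","event":"login_failed","user":"root","ip":"203.0.113.7"}',
    '{"ts":"2025-04-05T10:00:04Z","event":"login_failed","user":"admin","ip":"203.0.113.7"}',
    '{"ts":"2025-04-05T10:00:05Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
    '{"ts":"2025-04-05T10:00:06Z","event":"login_failed","user":"bob","ip":"198.51.100.9"}',
    '{"ts":"2025-04-05T10:01:00Z","event":"page_updated","user":"bob","path":"infra/network-diagram","classification":"confidential"}',
    '{"ts":"2025-04-05T10:01:30Z","event":"page_updated","user":"bob","path":"onboarding/welcome","classification":"public"}',
    '{"ts":"2025-04-05T10:02:00Z","event":"group_assigned","actor":"carol","user":"bob","group":"administrators"}',
    '{"ts":"2025-04-05T10:02:10Z","event":"group_assigned","actor":"carol","user":"dave","group":"read_only"}',
]


def parse_events(lines: list[str]) -> list[dict]:
    """Decode JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def evaluate_rules(events: list[dict]) -> list[dict]:
    """Apply the page's three alert rules in event order and return the alerts raised."""
    alerts: list[dict] = []
    failed_by_ip: Counter[str] = Counter()
    for event in events:
        kind = event.get("event")
        if kind == "login_failed":
            # Rule 1: unauthorized access attempts, counted per source IP.
            failed_by_ip[event["ip"]] += 1
            if failed_by_ip[event["ip"]] == FAILED_LOGIN_THRESHOLD:  # fire once, when the threshold is hit
                alerts.append({"rule": "repeated_failed_logins", "subject": event["ip"], "ts": event["ts"]})
        elif kind in {"page_updated", "page_deleted"} and event.get("classification") in SENSITIVE_CLASSIFICATIONS:
            # Rule 2: changes to classified or sensitive pages.
            alerts.append({"rule": "sensitive_page_changed", "subject": event["path"],
                           "ts": event["ts"], "user": event["user"]})
        elif kind == "group_assigned" and event.get("group") in ADMIN_GROUPS:
            # Rule 3: admin permission changes (someone granted an admin group).
            alerts.append({"rule": "admin_group_granted", "subject": event["user"],
                           "ts": event["ts"], "actor": event["actor"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rules(parse_events(SAMPLE_LOG_LINES)):
        print(json.dumps(alert))
```

The counter here spans the whole batch; a real pipeline evaluates rule 1 over a sliding time window per IP and suppresses repeats, otherwise a slow trickle of failures never alerts and a burst alerts on every line. Rule 2 only works if the `classification` frontmatter field is present on every page, which is exactly what the CI check in section 3 enforces.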
## 🧩 5. Compliance Frameworks We Could Map To
| Compliance | Support Level | Notes |
|---|---|---|
| SOC 2 | ✅ Full | Coverage for Change Mgmt, IAM, Logging |
| ISO 27001 | ✅ Aligned | Access Control & Audit domains |
| GDPR | ✅ Supported | Log access to personal data; support deletion requests |
| HIPAA | ⚠️ Partial | Not medical-record-safe, but audit & access logs supported |
## 🚀 Next Steps
- Enable Wiki.js Audit Log to PostgreSQL or external logger
- Enforce Git commit signing for doc repo
- Add CODEOWNERS and review workflows
- Set up GitHub Actions to lint frontmatter
- Route logs to Grafana or Datadog for alerting