
SDLC Controls Framework Working Group

Our community meetings provide a forum for collaboration on the SDLC Controls Framework. Because of potential tool restrictions across our community of organizations, we will use GitHub for all collaboration. We will provide updates detailing community activity at each meeting of the FINOS DevOps Automation SIG (see here for meeting announcements).

About the SDLC Controls Framework

The SDLC Controls Framework initiative is establishing a shared, open reference library for software governance controls within the financial services industry. This collaborative effort addresses the systemic inefficiencies created when each institution independently develops and maintains SDLC controls, resulting in duplication, drift, and fragmentation across the sector.

The working group is creating a reusable controls catalog that institutions can selectively adopt while maintaining flexibility for organization-specific requirements. The framework provides standardized language, taxonomy, and reference implementations that enable cross-institutional and vendor collaboration.

For more information and to contribute, visit the SDLC Controls Framework repository.

Meeting Announcements

Announcements for working group meetings will be made as issues on the GitHub issue tracker. We will follow the same conventions used for the FINOS DevOps Automation SIG meetings.

Meeting Cadence

The SDLC Controls Framework Working Group meets bi-weekly to collaborate on framework development and control definitions.

Meeting invitations are available on the FINOS Community Calendar.

Meeting Notes

Meeting notes will be added as comments to the meeting announcement.

Meeting Agenda

We believe a regular cadence of real-time collaboration among practitioners will accelerate the development of the SDLC Controls Framework and drive adoption across the industry. We will know we have succeeded when attendees contribute to deliverables and provide feedback that improves the working group meetings.

Why

  • Reduce duplication of effort across financial institutions by establishing standardized control definitions
  • Create consistency through shared terminology and taxonomy for software governance controls
  • Enable benchmarking and collaboration across organizations and with vendors
  • Provide reference implementations and examples that organizations can adopt and adapt
  • Bridge the gap between platform engineers, control owners, auditors, and regulators through common language
  • Accelerate adoption of software governance best practices across the financial services industry

Who

Open to all practitioners, including:

  • Primary audience: Platform engineers, control owners, auditors
  • Secondary audience: Regulators, governance software vendors, compliance teams

Meeting Structure

Meetings are held regularly to advance the framework and facilitate collaboration:

  • Review progress on current initiatives
  • Discuss proposed control definitions and taxonomy
  • Share implementation experiences and best practices
  • Plan upcoming work and assign contributors
  • Coordinate with related FINOS initiatives

Meeting agendas and topics are tracked via GitHub issues in the finos/devops-automation repository.

Working Groups

Depending on the topics at hand, we may form smaller working groups to focus on specific areas such as:

  • Control taxonomy and standardization
  • Reference implementations
  • Mapping to regulatory frameworks
  • Documentation and onboarding

Roadmap

Short-term (0-6 months)

  • Repository infrastructure and governance
  • Define core taxonomy and standardized language
  • Develop project website and documentation
  • Onboard contributors and establish working group processes

Medium-term (6-12 months)

  • Populate core control domains (peer review, change management, access control)
  • Expand to advanced controls and emerging practices
  • Map controls to regulatory standards and frameworks
  • Build reference implementations and examples

Artifacts

The SDLC Controls Framework is maintained in the finos-labs/SDLC-Controls-Framework repository.

All documentation, control definitions, and reference implementations are organized within that repository.

Contributions are welcome under the Creative Commons Attribution 4.0 International (CC-BY-4.0) license. See the repository's CONTRIBUTING.md for contribution guidelines.