Menu
ESC

Nhập từ khóa để tìm kiếm

↑↓ Di chuyển
Enter Mở
ESC Đóng

Đang tải...

Bài 35 — QA in Compliance — SBV, ATTT, PCI-DSS

Test Strategy and QA Leadership Bài 35/60

QA Compliance

VN regulations cho tech

  • Luật An toàn Thông tin Mạng 2018 (ATTT) — overarching cybersecurity.
  • Decree 13/2023 (Personal Data Protection) — like mini-GDPR.
  • Decree 53/2022 (data localization for some sectors).
  • SBV regulations for banking.
  • Ministry of Information Communications for telco.

Compliance test requirements

  • Privacy: data encryption, retention, deletion.
  • Audit log: who accessed what when.
  • Access control: role-based, MFA.
  • Backup + DR: RTO/RPO defined.
  • Incident response: 24h-72h notification.

International (if VN serve overseas)

  • PCI-DSS — payment cards.
  • HIPAA — US healthcare.
  • GDPR — EU privacy.
  • SOC 2 — security/availability for SaaS.
  • ISO 27001 — info security mgmt.

QA role in compliance

  • Test access control (RBAC working).
  • Test encryption (data at rest, in transit).
  • Test audit log generation.
  • Test deletion (right to be forgotten).
  • Test breach response runbook.

Evidence for audit

  • Test case mapped to compliance requirement.
  • Test execution history archive.
  • Defect resolution trail.
  • Change control documentation.

Tools compliance-aware

  • TestRail audit log.
  • JIRA workflow restriction.
  • Encrypted backup.
  • SAML SSO with enterprise IdP.

VN context banking

SBV inspection 1-2 lần/năm. Bank QA team prepare evidence package:
  • Test plan archive.
  • Pen test report.
  • Change request + sign-off.
  • Production change log.

Anti-pattern

  • "Compliance theater" — checkbox cuối project.
  • No traceability — auditor reject.
  • One person knowledge — bus factor.