QA Compliance
VN regulations cho tech
- Luật An toàn Thông tin Mạng 2018 (ATTT) — overarching cybersecurity.
- Decree 13/2023 (Personal Data Protection) — like mini-GDPR.
- Decree 53/2022 (data localization for some sectors).
- SBV regulations for banking.
- Ministry of Information Communications for telco.
Compliance test requirements
- Privacy: data encryption, retention, deletion.
- Audit log: who accessed what when.
- Access control: role-based, MFA.
- Backup + DR: RTO/RPO defined.
- Incident response: 24h-72h notification.
International (if VN serve overseas)
- PCI-DSS — payment cards.
- HIPAA — US healthcare.
- GDPR — EU privacy.
- SOC 2 — security/availability for SaaS.
- ISO 27001 — info security mgmt.
QA role in compliance
- Test access control (RBAC working).
- Test encryption (data at rest, in transit).
- Test audit log generation.
- Test deletion (right to be forgotten).
- Test breach response runbook.
Evidence for audit
- Test case mapped to compliance requirement.
- Test execution history archive.
- Defect resolution trail.
- Change control documentation.
Tools compliance-aware
- TestRail audit log.
- JIRA workflow restriction.
- Encrypted backup.
- SAML SSO with enterprise IdP.
VN context banking
SBV inspection 1-2 lần/năm. Bank QA team prepare evidence package:
- Test plan archive.
- Pen test report.
- Change request + sign-off.
- Production change log.
Anti-pattern
- "Compliance theater" — checkbox cuối project.
- No traceability — auditor reject.
- One person knowledge — bus factor.