Versions Compared

Old Version 6

changes.mady.by.user Ryan Heathcote

Saved on

compared with

New Version 7

changes.mady.by.user Ryan Heathcote

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Policy Owner: Principal Engineer

...

  • Log user log-in and log-out

  • Log CRUD (create, read, update, delete) operations on application and system users and objects

  • Log security settings changes (including disabling or modifying of logging)

  • Log application owner or administrator access to customer data (i.e. Access Transparency)

  • Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.

  • Logs must be stored for at least 30 days, and should not contain sensitive data or payloads

Protection of Log Information

...

Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.

The company shall perform an annual network security assessment that includes a review of major changes to the environment such as new system components and network topology.

Anchor
exceptions
exceptions
Exceptions

...

Appendix B - Configuration Management Plan

The configuration management plan applies to all configurations in AWS affecting production resources.

  1. Where feasible, record configurations as code in the application monorepo (e.g. terraform, SQL migrations).

  2. Provide detailed instructions for making the change in a trello card added to the CloudCard Release board. If the change cannot be recorded in code, it should be fully detailed in the trello card.

  3. Configuration changes must be tested in the test environment unless it is a change that can only be made to production.

    1. Even in the case of a production-only change, we should seek to test an equivalent change in the test environment.

  4. Another engineer must review all configuration change cards and pull requests.

  5. Configuration changes are typically applied during a release window prior to deploying the application package. Configuration changes that do not apply to an elastic beanstalk environment or that are of low risk can be applied as soon as they are reviewed.