Policy Owner: Principal Engineer
...
Log user log-in and log-out
Log CRUD (create, read, update, delete) operations on application and system users and objects
Log security settings changes (including disabling or modifying of logging)
Log application owner or administrator access to customer data (i.e. Access Transparency)
Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.
Logs must be stored for at least 30 days, and should not contain sensitive data or payloads
Protection of Log Information
...
Vulnerability scans shall be performed on public-facing systems in the production environment on an ongoing basis.
Penetration Customers and other third parties shall be permitted to perform penetration tests of the applications and production network shall be performed at least annually, and additional scanning and testing shall be performed following major changes to production systems and softwareupon request.
The Engineering team shall evaluate the severity of vulnerabilities identified from any source, and if it is determined to be a risk-relevant critical or high-risk vulnerability, a Trello card will be created. The CloudCard assessed severity level may differ from the level automatically generated by scanning software or determined by external researchers based on CloudCard’s internal knowledge and understanding of technical architecture and real-world impact/exploitability. Tickets are assigned to the system, application, or platform owners for further investigation and/or remediation.
...
Risks shall be considered prior to the acquisition of, or significant changes to, systems, technologies, or facilities. Where requirements are formally identified, any relevant security requirements shall be included. The acquisition of new suppliers and services shall be made in accordance with the Third-Party Management Policy.
The company shall perform an annual network security assessment that includes a review of major changes to the environment such as new system components and network topology.
| Anchor | ||||
|---|---|---|---|---|
|
...
Any known violations of this policy should be reported to the Managing Director. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Version | Date | Description | Author | Approved by |
1.0 | 2023-03-26 | First Version | Ryan Heathcote | Tony Erskine |
1.1 | 2024- |
07-13 | Annual Review | Ryan Heathcote | Luke Rettstatt | |
1.1.1 | 2024-08-17 | Minor Clarification | Ryan Heathcote | Luke Rettstatt |
APPENDIX A - Configuration and Hardening Standards
...