One Playbook for Risk, Controls, and Proof
This Security Policy sets the minimum rules for protecting SolveForce and customer systems, data, and services: on-prem, cloud, and edge.
It defines what "good" looks like, who is accountable, how we measure it, and where the evidence lives.
- (888) 765-8301
- contact@solveforce.com
Quick links:
GRC → /grc • Cybersecurity → /cybersecurity • IAM → /iam • ZTNA → /ztna • Microsegmentation → /microsegmentation
Keys → /key-management • Secrets → /secrets-management • Encryption → /encryption
SIEM/SOAR → /siem-soar • Incident Response → /incident-response • Backups → /cloud-backup • Immutability → /backup-immutability
Purpose & Scope
- Purpose: Reduce risk to appetite, enable the business, and prove control effectiveness.
- Scope: Applies to all people (employees, contractors, vendors), systems (on-prem, cloud, SaaS), data (customer & internal), and workloads/devices.
Policy Hierarchy & Governance
- Policy → Standard → Control → Procedure → Evidence.
- Owners: vCISO (policy), Control Owners (standards & controls), System Owners (implementation), Data Stewards (classification), All Users (compliance).
- Lifecycle: versioned in Git; annual recertification; quarterly control attestation; exceptions expire ≤ 90 days by default.
- Evidence: Logs, configs, approvals, and test results stream to SIEM/SOAR. → /siem-soar
Roles & Accountability (RACI)
- vCISO / Security: Accountable for policy & control design; approves exceptions.
- System/Data Owners: Responsible for implementation & continuous monitoring.
- Managers: Ensure staff compliance; certify access quarterly.
- Users/Vendors: Comply with AUP and least-privilege access; report incidents.
Core Policy Areas & Minimum Requirements
1) Identity & Access (IAM / Zero Trust)
- SSO + MFA required for all non-public systems; WebAuthn/Passkeys preferred. → /iam
- Least privilege by RBAC/ABAC; no standing admin; use JIT via PAM with session recording. → /pam
- Joiner/Mover/Leaver automation; leaver revoke ≤ 15 minutes, including sessions and keys. → /identity-lifecycle
- ZTNA per app/session for remote & vendor access; no flat VPNs. → /ztna
2) Network & Segmentation
- Default-deny at L3/L7; microsegmentation for crown-jewel/CDE/PHI/CUI enclaves. → /microsegmentation
- Egress allow-lists, secure DNS, WAF/Bot + DDoS protection at public edges. → /waf • /ddos
3) Data Classification & Privacy
- Tag data Public / Internal / Confidential / Restricted (+ PII/PHI/PAN/CUI).
- DLP on egress; tokenization for PAN/PII where feasible; residency & retention enforced. → /dlp
4) Cryptography, Keys & Secrets
- FIPS-validated TLS 1.2+; HSTS; modern ciphers only.
- CMEK/HSM for key custody; dual control & rotation; documented key ceremonies. → /key-management
- No secrets in code or images; vault-issued, short-lived credentials only. → /secrets-management
5) Logging, Detection & Response
- Centralize activity/auth/network/WAF/DLP/EDR logs to SIEM within 120 s; time sync required. → /siem-soar
- SOAR playbooks for isolate/revoke/rekey/patch; TTX at least annually with AAR artifacts. → /tabletop • /incident-response
6) Vulnerability & Patch Management
- Scan monthly (or continuously) and after every change; treat criticals immediately.
- SLOs: Critical ≤ 15 days; High ≤ 30 days (or stricter by regime).
7) Secure Config & SDLC
- IaC baselines and CIS/STIG images; drift alerts; policy-as-code gates in CI. → /infrastructure-as-code
- SAST/DAST/SCA, SBOM, signed artifacts; change approvals; no direct prod changes.
8) Backup, Immutability & DR
- Object-Lock/WORM on Tier-1 backups; clean-point catalog; DR runbooks tested quarterly with artifacts. → /backup-immutability • /draas
9) Third-Party & SaaS
- Security due diligence, DPAs/BAAs, least-privilege scopes; continuous monitoring; vendor AOCs retained.
10) Acceptable Use & Endpoint
- Devices must be MDM/UEM-managed with EDR; disk encryption; screen lock; no unapproved software. → /mdm • /mdr-xdr
Control SLOs (Policy → Measurable Outcomes)

| Control Domain | SLO / KPI | Target |
|---|---|---|
| Identity | Joiner → productive access | ≤ 15–60 min |
| Identity | Leaver full revoke (human / privileged) | ≤ 5–15 min / ≤ 1–5 min |
| Logging | Log delivery to SIEM | ≤ 60–120 s |
| Vulns | Critical / High remediation | ≤ 15 / ≤ 30 days |
| Backups | Immutability coverage (Tier-1) | = 100% |
| DR | RTO / RPO (Tier-1) | ≤ 5–60 min / ≤ 0–15 min |
| Access Gov. | Quarterly certifications | ≥ 95–100% on time |
| Evidence | Completeness (audits/incidents) | = 100% |

Breach of an SLO triggers SOAR (rollback, revoke, rekey, resegment) and ticketing with owner & deadline. → /siem-soar
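The breach-to-ticket rule above, as an added example that is not SolveForce's own tooling: it checks constructed evidence events against the table's targets (taking the stricter end of each range, an assumption, as are the owner names) and opens a ticket with owner and deadline only when the last required action, not the first, lands outside the window.

```python
"""SLO breach evaluation over evidence events. Added example, not SolveForce
tooling: targets use the stricter end of each range in the SLO table; that
choice, the owner names and the sample events are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SLO_TARGETS = {                                  # stricter bound per table row
    "leaver_revoke_human": timedelta(minutes=5),
    "leaver_revoke_priv": timedelta(minutes=1),
    "log_delivery": timedelta(seconds=60),
    "vuln_critical": timedelta(days=15),
    "vuln_high": timedelta(days=30),
}

@dataclass
class Ticket:
    slo: str
    subject: str
    owner: str
    observed: timedelta      # how long the control actually took (so far)
    deadline: datetime       # when the SLO required completion

def evaluate(slo: str, subject: str, owner: str, started: datetime,
             completions: list, now: datetime):
    """Return a Ticket if the SLO is breached, else None. `completions` has
    one timestamp per required action (every account, session and key for a
    leaver; SIEM ingest time for a log event; fix time for a vuln); None
    means not done yet, so the clock runs to `now`. The control is met only
    when the LAST action lands, hence max(), not the first revocation."""
    ends = [now if t is None else t for t in completions]
    observed = max(ends) - started
    target = SLO_TARGETS[slo]
    if observed <= target:
        return None
    return Ticket(slo, subject, owner, observed, started + target)

def run_sample() -> list:
    """Constructed evidence: a leaver whose API key was revoked late, a log
    event delivered in time, and a critical vuln still open after 20 days."""
    t0 = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)   # HR termination
    now = t0 + timedelta(days=20)
    leaver = [t0 + timedelta(minutes=3),                   # SSO disabled
              t0 + timedelta(minutes=4),                   # VPN session cut
              t0 + timedelta(hours=2)]                     # API key: forgotten
    cases = [
        ("leaver_revoke_human", "user:jdoe", "iam-owner", t0, leaver),
        ("log_delivery", "waf-edge-1", "siem-owner", t0, [t0 + timedelta(seconds=45)]),
        ("vuln_critical", "web-01/critical-1", "sys-owner", t0, [None]),
    ]
    return [t for t in (evaluate(*c, now=now) for c in cases) if t]
```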
Exceptions & Risk Acceptance
- Request via the GRC portal with business justification, compensating controls, and an expiry ≤ 90 days.
- Required approvals: System Owner → Security → vCISO.
- Exceptions are logged to the risk register; renewals are not automatic.
Enforcement
Non-compliance may result in access restriction, disciplinary action, or contract termination. Violations affecting regulated data are reported per legal/regulatory timelines.
Regulatory & Framework Mapping
- NIST CSF / SP 800-53 r5 / SP 800-171 / SP 800-207, ISO/IEC 27001, SOC 2, PCI DSS, HIPAA/HITECH, FedRAMP (ConMon).
- Controls are harmonized in GRC; each has an owner, test method, frequency, and evidence pointer. → /grc • /fedramp • /pci-dss • /nist
Implementation Blueprint (Make Policy Real)
1) Publish & train: role-based briefings; manager sign-off.
2) Instrument: wire logs/approvals/test results to SIEM/SOAR; dashboards for SLOs.
3) Build controls: IAM/ZTNA/NAC, keys/secrets, WAF/DLP, backup immutability, DR runbooks.
4) Exercise: TTX and DR drills; capture artifacts; fix gaps.
5) Attest & improve: quarterly control certifications; annual policy recertification; update roadmap.
Glossary (selected)
- CDE: Cardholder Data Environment.
- CUI: Controlled Unclassified Information; PHI: Protected Health Information; PII: Personally Identifiable Information.
- JIT / PAM: Just-in-Time access / Privileged Access Management.
- WORM: Write Once Read Many (immutability).
Questions or Requests
- Need an exception, control mapping, or training? Contact the Security team.
- (888) 765-8301 • contact@solveforce.com