🛡️ Security Policy

One Playbook for Risk, Controls, and Proof

This Security Policy sets the minimum rules for protecting SolveForce and customer systems, data, and services—on-prem, cloud, and edge.
It defines what “good” looks like, who is accountable, how we measure it, and where the evidence lives.

Quick links:
🧭 GRC → /grc • 🛡️ Cybersecurity → /cybersecurity • 👤 IAM → /iam • 🚪 ZTNA → /ztna • 🧱 Microsegmentation → /microsegmentation
🔑 Keys → /key-management • 🗝️ Secrets → /secrets-management • 🔒 Encryption → /encryption
🔍 SIEM/SOAR → /siem-soar • 🧪 Incident Response → /incident-response • 💾 Backups → /cloud-backup • 🔐 Immutability → /backup-immutability


🎯 Purpose & Scope

  • Purpose — Reduce risk to appetite, enable the business, and prove control effectiveness.
  • Scope — Applies to all people (employees, contractors, vendors), systems (on-prem, cloud, SaaS), data (customer & internal), and workloads/devices.

🏗️ Policy Hierarchy & Governance

  • Policy → Standard → Control → Procedure → Evidence.
  • Owners: vCISO (policy), Control Owners (standards & controls), System Owners (implementation), Data Stewards (classification), All Users (compliance).
  • Lifecycle: versioned in Git; annual recertification; quarterly control attestation; exceptions expire ≤ 90 days by default.
  • Evidence: Logs, configs, approvals, tests stream to SIEM/SOAR. → /siem-soar

👥 Roles & Accountability (RACI)

  • vCISO / Security — Accountable for policy & control design; approves exceptions.
  • System/Data Owners — Responsible for implementation & continuous monitoring.
  • Managers — Ensure staff compliance; certify access quarterly.
  • Users/Vendors — Comply with AUP and least-privilege access; report incidents.

🔑 Core Policy Areas & Minimum Requirements

1) Identity & Access (IAM / Zero Trust)

  • SSO + MFA required for all non-public systems; WebAuthn/Passkeys preferred. → /iam
  • Least privilege by RBAC/ABAC; no standing admin—use JIT via PAM with recording. → /pam
  • Joiner/Mover/Leaver automation; leaver revoke ≤ 15 minutes incl. sessions/keys. → /identity-lifecycle
  • ZTNA per-app/session for remote & vendor access; no flat VPNs. → /ztna

2) Network & Segmentation

  • Default-deny at L3/L7; microseg for crown-jewel/CDE/PHI/CUI enclaves. → /microsegmentation
  • Egress allow-lists, secure DNS, WAF/Bot + DDoS at public edges. → /waf, /ddos

3) Data Classification & Privacy

  • Tag data Public / Internal / Confidential / Restricted (+ PII/PHI/PAN/CUI).
  • DLP on egress; tokenization for PAN/PII where feasible; residency & retention enforced. → /dlp

4) Cryptography, Keys & Secrets

  • FIPS-validated TLS 1.2+; HSTS; modern ciphers only.
  • CMEK/HSM for key custody; dual-control & rotation; documented ceremonies. → /key-management
  • No secrets in code/images—vault-issued, short-lived creds only. → /secrets-management

5) Logging, Detection & Response

  • Centralize activity/auth/network/WAF/DLP/EDR logs to SIEM within 120 s; time sync required. → /siem-soar
  • SOAR playbooks for isolate/revoke/rekey/patch; TTX at least annually with AAR artifacts. → /tabletop, /incident-response

6) Vulnerability & Patch Management

  • Scan monthly (or continuous) + after change; treat criticals immediately.
  • SLOs: Critical ≤ 15 days; High ≤ 30 days (or stricter by regime).

7) Secure Config & SDLC

  • IaC baselines and CIS/STIG images; drift alerts; policy-as-code gates in CI. → /infrastructure-as-code
  • SAST/DAST/SCA, SBOM, signed artifacts; change approvals; no direct prod changes.

8) Backup, Immutability & DR

  • Object-Lock/WORM on Tier-1 backups; clean-point catalog; DR runbooks tested quarterly with artifacts. → /backup-immutability, /draas

9) Third-Party & SaaS

  • Security due-diligence, DPAs/BAAs, least-privilege scopes; continuous monitoring; vendor AOCs retained.

10) Acceptable Use & Endpoint

  • Devices must be MDM/UEM-managed with EDR; disk encryption; screen lock; no unapproved software. → /mdm, /mdr-xdr

📐 Control SLOs (Policy → Measurable Outcomes)

Control Domain   | SLO / KPI                               | Target
Identity         | Joiner → productive access              | ≤ 15–60 min
Identity         | Leaver full revoke (human / privileged) | ≤ 5–15 min / ≤ 1–5 min
Logging          | Log delivery to SIEM                    | ≤ 60–120 s
Vulns            | Critical / High remediation             | ≤ 15 / ≤ 30 days
Backups          | Immutability coverage (Tier-1)          | = 100%
DR               | RTO / RPO (Tier-1)                      | ≤ 5–60 min / ≤ 0–15 min
Access Gov.      | Quarterly certifications                | ≥ 95–100% on time
Evidence         | Completeness (audits/incidents)         | = 100%

Breach of SLO triggers SOAR (rollback, revoke, rekey, resegment) and ticketing with owner & deadline. → /siem-soar
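As an added illustration (not part of the original policy page), a small Python evaluator that applies the table's SLO ceilings to constructed evidence records and emits one breach ticket with owner, SOAR action and deadline; the SOAR action mapping and the 24-hour ticket deadline are assumptions, not values from the policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# SLO ceilings from the policy table; the upper bound of each range is enforced here
SLO_TARGETS = {"leaver_revoke_human": timedelta(minutes=15), "leaver_revoke_priv": timedelta(minutes=5),
               "log_delivery": timedelta(seconds=120), "vuln_critical": timedelta(days=15),
               "vuln_high": timedelta(days=30)}
# Assumed mapping from SLO family to the SOAR playbook the policy names (isolate/revoke/rekey/patch)
SOAR_ACTIONS = {"leaver_revoke_human": "revoke", "leaver_revoke_priv": "revoke+rekey",
                "log_delivery": "isolate", "vuln_critical": "patch", "vuln_high": "patch"}
TICKET_SLA = timedelta(hours=24)  # assumed deadline attached to each breach ticket


@dataclass
class Evidence:
    slo: str
    subject: str                 # user, host, log source or finding id
    owner: str                   # accountable System/Data Owner
    started: datetime            # clock start: leaver date, log emitted, finding opened
    completed: Optional[datetime] = None  # None while the item is still open


def evaluate(events, now):
    """Return one ticket per SLO breach; open items are measured against 'now'."""
    tickets = []
    for ev in events:
        target = SLO_TARGETS[ev.slo]
        took = (ev.completed or now) - ev.started
        if took <= target:
            continue
        tickets.append({
            "slo": ev.slo, "subject": ev.subject, "owner": ev.owner,
            "overrun_s": int((took - target).total_seconds()),
            "action": SOAR_ACTIONS[ev.slo],
            "deadline": (now + TICKET_SLA).isoformat(timespec="minutes"),
        })
    return tickets


# Constructed sample evidence records (not real data)
D = datetime
NOW = D(2024, 1, 20, 12, 0)
SAMPLE = [
    Evidence("leaver_revoke_human", "u.jones", "hr-sys", D(2024, 1, 20, 10, 0), D(2024, 1, 20, 10, 12)),
    Evidence("leaver_revoke_priv", "svc-admin", "pam", D(2024, 1, 20, 10, 0), D(2024, 1, 20, 10, 9)),
    Evidence("log_delivery", "waf-edge-1", "netops", D(2024, 1, 20, 10, 0), D(2024, 1, 20, 10, 1, 30)),
    Evidence("vuln_critical", "FINDING-1", "app-team", D(2024, 1, 1)),
    Evidence("vuln_high", "FINDING-2", "app-team", D(2024, 1, 1), D(2024, 1, 20)),
]
```

Calling `evaluate(SAMPLE, NOW)` flags the privileged-account revoke (9 min against a 5 min ceiling) and the still-open critical finding, while the other three records are within target.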


🧾 Exceptions & Risk Acceptance

  • Request via GRC portal with business justification, compensating controls, and expiry ≤ 90 days.
  • Requires approvals: System Owner → Security → vCISO.
  • Exceptions logged to risk register; renewals not automatic.

🔍 Enforcement

Non-compliance may result in access restriction, disciplinary action, or contract termination. Violations affecting regulated data are reported per legal/regulatory timelines.


🧭 Regulatory & Framework Mapping

  • NIST CSF / 800-53 r5 / 800-171 / 800-207, ISO/IEC 27001, SOC 2, PCI DSS, HIPAA/HITECH, FedRAMP (ConMon).
  • Controls are harmonized in GRC; each has owner, test method, frequency, and evidence pointer. → /grc, /fedramp, /pci-dss, /nist

🛠️ Implementation Blueprint (Make Policy Real)

1) Publish & train — role-based briefings; manager sign-off.
2) Instrument — wire logs/approvals/test results to SIEM/SOAR; dashboards for SLOs.
3) Build controls — IAM/ZTNA/NAC, keys/secrets, WAF/DLP, backup immutability, DR runbooks.
4) Exercise — TTX and DR drills; capture artifacts; fix gaps.
5) Attest & improve — quarterly control certs; annual policy recert; update roadmap.


📚 Glossary (selected)

  • CDE: Cardholder Data Environment.
  • CUI: Controlled Unclassified Information; PHI: Protected Health Information; PII: Personally Identifiable Information.
  • JIT / PAM: Just-in-Time access / Privileged Access Management.
  • WORM: Write Once Read Many (immutability).

📞 Questions or Requests