Nested Knowledge

Bringing Systematic Review to Life


wiki:policies:cloud

Differences

This shows you the differences between two versions of the page.

wiki:policies:cloud [2021/11/19 04:00]
kholub
wiki:policies:cloud [2023/10/11 06:18] (current)
kholub
Line 1: Line 1:
 ===== Cloud Security ===== ===== Cloud Security =====
 +
 +==== Standards Compliance ====
 +
 +Our development team designs and maintains architecture, access rules, logging, and monitoring/alerting in our production cloud environment that aim to achieve compliance with the [[https://www.cisecurity.org/cis-benchmarks|CIS AWS Benchmark]]. An internal review is performed annually for all scored, Level 1 controls, with the reviewers, date, and benchmark score recorded. Remediations for noncompliancies are maintained, prioritized, and tracked per our development policies.
 +
 +Being that CIS updates recommendations, the benchmark should be updated to newest versions with each annual review.
  
 ==== Changes to the Cloud Environment ==== ==== Changes to the Cloud Environment ====
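Review bot: the annual review described in the new Standards Compliance paragraph is scoped to "scored, Level 1 controls", but the record it requires ("reviewers, date, and benchmark score") omits the benchmark version that was assessed, which matters because the following sentence mandates adopting the newest version at each review; add the version to the recorded fields and state how Level 2 or unscored controls are handled (excluded, or reviewed on a separate cadence). Two wording points in the same paragraph: "noncompliancies" should read "noncompliance findings" (or "noncompliant controls"), and "Being that CIS updates recommendations" reads more cleanly as "Because CIS periodically updates its recommendations".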
Line 14: Line 20:
 All changes are subject to: All changes are subject to:
  
-  * A change to deployment, architecture & cloud environemnt documentation in the codebase+  * A change to deployment, architecture & cloud environment documentation in the codebase
   * A review of the methodology and documented changes   * A review of the methodology and documented changes
       * The developer requesting changes must explain any risks associated with the change, mitigations, and advance testing methods that may be used.       * The developer requesting changes must explain any risks associated with the change, mitigations, and advance testing methods that may be used.
-  * Providing a full audit log of actions taken upon deployment+  * Advance testing in our staging environment 
 +  * Requirement of generating a rollback strategy 
 +  * Requirement of providing a full audit log of actions taken upon deployment
   * Verification via manual testing, access & network logging, load testing, etc. as appropriate by the release engineer.   * Verification via manual testing, access & network logging, load testing, etc. as appropriate by the release engineer.
 +
 +**Notification of Changes:**  We will notify our client and customers of changes to the cloud environment in cases where the change is likely to disrupt services, workflows, or introduce new security vulnerabilities. We will communicate the planned change and the associated risks at least 1 week prior to the change being implemented.
  
 ==== Cloud-related Access Policy ==== ==== Cloud-related Access Policy ====
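Review bot: the three new bullets ("Advance testing in our staging environment", "Requirement of generating a rollback strategy", "Requirement of providing a full audit log of actions taken upon deployment") name the artefacts but not who reviews them or where they live, so the audit-log requirement cannot be checked against anything; state where the audit log is retained and for how long, who approves the rollback strategy, and what outcome (a failed staging or post-deployment verification) triggers the rollback. The Notification of Changes paragraph commits to notice "at least 1 week prior" but names no channel; stating the channel used would make the commitment verifiable, and "our client and customers" should be made consistent (singular or plural).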
Line 31: Line 41:
  
 All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Cloud-Related Access Policy. All Employees and Contractors who access Nested Knowledge’s information systems will be provided with and required to review the Cloud-Related Access Policy.
 +
 +===== Revision History =====
 +
 +^Author^Date of Revision/Review^Comments/Description|
 +|K. Holub|2/24/2023|Addition of CIS benchmark|
 +|K. Cowie|11/21/2021|Minor Changes|
 +
 +[[:wiki:policies|Return to Policies]]
  
  
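Review bot: the Revision History table's newest entry is dated 2/24/2023 ("Addition of CIS benchmark"), while the revision shown as current is dated 2023/10/11 and the earlier 11/21/2021 entry is attributed to K. Cowie even though the prior revision in this comparison was saved by kholub on 2021/11/19; add a row for the current revision and reconcile the author/date of the 2021 entry so the table matches the page's actual revision record.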
wiki/policies/cloud.1637294406.txt.gz · Last modified: 2021/11/19 04:00 by kholub