Nested Knowledge

Bringing Systematic Review to Life



wiki:policies:cloud

Differences

This shows you the differences between two versions of the page.

wiki:policies:cloud [2023/01/25 19:34]
kholub
wiki:policies:cloud [2023/10/11 06:18] (current)
kholub
Line 1: Line 1:
 ===== Cloud Security ===== ===== Cloud Security =====
 +
 +==== Standards Compliance ====
 +
 +Our development team designs and maintains architecture, access rules, logging, and monitoring/alerting in our production cloud environment that aim to achieve compliance with the [[https://www.cisecurity.org/cis-benchmarks|CIS AWS Benchmark]]. An internal review is performed annually for all scored, Level 1 controls, with the reviewers, date, and benchmark score recorded. Remediations for noncompliancies are maintained, prioritized, and tracked per our development policies.
 +
 +Being that CIS updates recommendations, the benchmark should be updated to newest versions with each annual review.
  
 ==== Changes to the Cloud Environment ==== ==== Changes to the Cloud Environment ====
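Review bot: The added Standards Compliance section records the reviewers, date and benchmark score of each annual review but not the benchmark version that was reviewed against, even though its last paragraph expects the benchmark to be moved to the newest version at every annual review; without the version on record, scores from different years are not comparable and it is unclear which set of recommendations was assessed. Suggest "with the reviewers, date, benchmark version, and benchmark score recorded." Two wording points in the same lines: "noncompliancies" should be "noncompliances", and "Being that CIS updates recommendations" reads better as "Because CIS updates its recommendations".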
Line 17: Line 23:
   * A review of the methodology and documented changes   * A review of the methodology and documented changes
       * The developer requesting changes must explain any risks associated with the change, mitigations, and advance testing methods that may be used.       * The developer requesting changes must explain any risks associated with the change, mitigations, and advance testing methods that may be used.
 +  * Advance testing in our staging environment
   * Requirement of generating a rollback strategy   * Requirement of generating a rollback strategy
   * Requirement of providing a full audit log of actions taken upon deployment   * Requirement of providing a full audit log of actions taken upon deployment
   * Verification via manual testing, access & network logging, load testing, etc. as appropriate by the release engineer.   * Verification via manual testing, access & network logging, load testing, etc. as appropriate by the release engineer.
  
-**Notification of Changes:**  We will notify our client and customers of changes to the cloud environment in cases where the change is likely to disrupt services, workflows, or introduce new security vulnerabilities. Our chief technology officer will communicate the planned change and the associated risks at least 48 hours before the change is implemented.+**Notification of Changes:**  We will notify our client and customers of changes to the cloud environment in cases where the change is likely to disrupt services, workflows, or introduce new security vulnerabilities. We will communicate the planned change and the associated risks at least 1 week prior to the change being implemented.
  
 ==== Cloud-related Access Policy ==== ==== Cloud-related Access Policy ====
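Review bot: The rewritten Notification of Changes sentence drops the named owner of the communication: the previous text made the chief technology officer responsible for announcing the change, while the new text says only "We will communicate", so no role is accountable for sending the notice within the new 1-week window. Suggest keeping a named role, for example "Our chief technology officer (or a delegate) will communicate the planned change and the associated risks at least 1 week prior to the change being implemented." The new "Advance testing in our staging environment" bullet is consistent with the "advance testing methods" sub-bullet above it and needs no change.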
Line 38: Line 45:
  
 ^Author^Date of Revision/Review^Comments/Description| ^Author^Date of Revision/Review^Comments/Description|
-|K. Holub|1/25/2023|Annual review, added rollback provision|+|K. Holub|2/24/2023|Addition of CIS benchmark|
 |K. Cowie|11/21/2021|Minor Changes| |K. Cowie|11/21/2021|Minor Changes|
  
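Review bot: The revision-history edit replaces the 1/25/2023 row ("Annual review, added rollback provision") instead of adding a new row above it, so the table loses the record of that annual review and of when the rollback provision was introduced. Suggest keeping the existing row and inserting the new one as an additional line, e.g. "|K. Holub|2/24/2023|Addition of CIS benchmark|" above "|K. Holub|1/25/2023|Annual review, added rollback provision|". Also worth confirming that 2/24/2023 is the intended date, since this comparison shows the current revision as 2023/10/11.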
wiki/policies/cloud.1674675249.txt.gz · Last modified: 2023/01/25 19:34 by kholub