Effective: August 18, 2025
Owner: Security Officer (CTO)
Audience: External (Trust page) & Internal (overview). For binding requirements, see the full policies and runbooks.
Scope: All workforce identities (employees/contractors), admin accounts, break‑glass accounts; excludes service accounts (managed by secrets policy).
Standards
Length: ≥ 14 characters (workforce); 20+ for privileged/break‑glass.
Complexity: Passphrases encouraged; deny‑list of common/compromised passwords (HIBP/wordlist checks).
Rotation: No forced periodic rotation unless compromise suspected/confirmed; immediate reset on risk events.
Reuse: Block last 24 passwords; unique per system.
MFA: Required for IdP/SSO, production access, code repositories, support tools. Phishing‑resistant MFA (WebAuthn/OTP) preferred.
Storage: Only salted, slow‑hash (e.g., bcrypt/scrypt/Argon2) with strong work factor; never store plaintext or reversible encryption.
Sharing: Prohibited. Break‑glass creds sealed in a vault with dual‑control and audit trail.
Managers: Use enterprise‑approved password manager; secrets never in tickets, chat, or code.
Monitoring: Credential‑leak detection; automatic revocation on off‑boarding within 24 hours (sooner for privileged accounts).
Controls Mapping: SOC 2 CC6, CC7; ISO 27001 A.5, A.8; NIST IA‑5.
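The length, deny‑list, storage and reuse standards above translate directly into a small set of checks at the point where a password is set. The following is an added example (not Hyvery code or part of the referenced policies) showing one way to implement them with the Python standard library: scrypt stands in for the bcrypt/scrypt/Argon2 options named in the standard, the deny‑list is a constructed inline set of SHA‑1 digests standing in for an HIBP or wordlist lookup, and the function names (validate_password, hash_password, verify_password, is_reused) are assumptions.

```python
"""Workforce password checks modelled on the standards above.

Added example, not Hyvery code. Function names are assumed for
illustration. The deny-list below is constructed; a real deployment
would query HIBP's k-anonymity range API or a maintained wordlist.
"""
import hashlib
import hmac
import os

MIN_LEN_WORKFORCE = 14      # workforce identities
MIN_LEN_PRIVILEGED = 20     # admin / break-glass accounts
HISTORY_DEPTH = 24          # block reuse of the last 24 passwords

# Constructed deny-list held as SHA-1 digests (the format HIBP's Pwned
# Passwords uses) so no plaintext passwords live in configuration.
DENYLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123456789", "correcthorsebatterystaple", "Welcome2025!!!!!")
}

# scrypt work factor. Parameters are stored alongside each hash so they
# can be raised later without invalidating existing records.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def validate_password(password: str, privileged: bool = False) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    issues = []
    min_len = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_WORKFORCE
    if len(password) < min_len:
        issues.append(f"shorter than {min_len} characters")
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in DENYLIST_SHA1:
        issues.append("appears in compromised/common password deny-list")
    return issues


def hash_password(password: str) -> dict:
    """Salted slow hash; returns a record safe to persist (no plaintext)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return {"alg": "scrypt", "salt": salt.hex(), "hash": digest.hex(), **SCRYPT_PARAMS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    digest = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"], dklen=32,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def is_reused(password: str, history: list[dict], depth: int = HISTORY_DEPTH) -> bool:
    """True if the candidate matches any of the last `depth` stored hash records."""
    return any(verify_password(password, rec) for rec in history[-depth:])


if __name__ == "__main__":
    candidate = "Tangerine-Ladder-Quiet-Orbit-42"   # constructed sample
    print(validate_password(candidate))           # [] -> acceptable
    rec = hash_password(candidate)
    print(verify_password(candidate, rec))        # True
```

Reuse is checked by re‑hashing the candidate against each retained record rather than by storing a second, faster hash of old passwords; that keeps the history as expensive to attack as the live credential. Because each record carries its own salt and work‑factor parameters, the cost can be increased for new passwords while old ones continue to verify until their next reset.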
Reference: Operations Security Policy (HYV‑S2‑OPS‑001) in effect 2025‑08‑11.
Scope: Production DigitalOcean (US‑primary), Kubernetes/Droplets/LB/Firewalls/Object storage/MongoDB; CI/CD (GitLab); monitoring (Sentry), IdP/SSO.
Core Controls (high level)
Environment separation: Dev/Staging/Prod isolated; no prod data in lower envs (synthetic/masked only).
Least privilege: RBAC, MFA, time‑bound elevation; quarterly access recertification.
Hardening: CIS baselines (Ubuntu/K8s/MongoDB), OWASP guidance.
Encryption: TLS 1.2+ in transit; AES‑256 at rest, including backups.
Secrets: Managed via encrypted stores and masked CI/CD variables; no secrets in code.
Logging/Monitoring: Centralized, time‑synced audit/security logs; alerting on IOCs; Sentry for app telemetry.
Backups: Encrypted, logically isolated, separate credentials; periodic restore tests.
Vulnerability management: SAST/DAST/dependency/container scans; defined SLAs (see §5).
Change control: Git‑based workflow, peer review, security gates, CAB for high‑risk; emergency changes get retro review.
Controls Mapping: SOC 2 CC6–CC9.
Scope: Security, privacy, or availability incidents affecting Hyvery systems or Customer Content.
Severities
Sev‑1 (Critical): Active compromise, data loss/corruption, platform outage; no workaround.
Sev‑2 (High): Major degradation or high‑risk vuln with exploit path.
Sev‑3/4: Contained events, suspicious activity, or informational.
Lifecycle (NIST‑aligned)
Prepare: IR playbooks, comms templates, logging, forensics tooling, on‑call.
Detect/Report: Alerts (SIEM/Sentry/IdP), user reports to security@hyvery.com.
Triage: Classify severity, assign Incident Commander, open case and timeline.
Contain: Short‑term (isolate access, kill sessions); long‑term (patch, rotate creds).
Eradicate: Remove artifacts/backdoors; validate fixed.
Recover: Restore services/data; validate integrity and monitoring; customer comms.
Post‑Incident Review (PIR): Within 5 business days for Sev‑1; RCA, corrective actions, lessons learned.
Customer Notification Targets
Security incidents with impact: Initial notice as soon as practicable, generally within 72 hours of confirmation; regular updates via ticket/email; RFO/RCA provided post‑restoration.
Evidence Handling: Chain‑of‑custody, timestamped logs (UTC), minimal data access, preserve volatile data when safe.
Controls Mapping: SOC 2 CC7; NIST 800‑61.
Scope: Databases (MongoDB), object storage, app artifacts, configurations, and critical service metadata in US regions.
Backups
Schedule: Daily full + intra‑day incrementals for DB; object storage lifecycle policies.
Security: AES‑256 at rest; TLS in transit; separate credentials and logical isolation from prod.
Retention: Per data‑class policy (e.g., 30–90 days DB snapshots; longer for compliance if required).
Testing: Quarterly restore tests to non‑prod; verify integrity and RPO/RTO.
Disaster Recovery
Targets: RTO ≤ 4 hours, RPO ≤ 15 minutes (configurable by tier; see SLA).
Strategy: Multi‑AZ design; infrastructure as code for rebuilds; automation for bootstrap; documented runbooks.
Failover/Failback: Controlled by Incident Commander; change record kept; post‑DR validation before cutback.
Customer Responsibilities: Maintain current contacts, validate exports, and test your side of integrations after DR events.
Controls Mapping: SOC 2 CC7, CC8.
Scope: Application code, third‑party libraries, containers/images, OS/DB, cloud services, and network devices.
Scanning & Intake
Code: SAST + secret detection on every MR; dependency scanning with advisories and SBOM.
Containers/Images: Build‑time scans; base images rebuilt on new CVEs.
Dynamic: DAST against staging; selective prod scanning within safe limits.
Infra/Cloud: CIS/K8s policies; periodic credential hygiene checks; external attack surface monitoring.
Prioritization
Risk = CVSS + exploit availability + exposure + data sensitivity + compensating controls.
Remediation SLAs (maximum time to remediate/mitigate)
Critical: 24–72 hours (expedited; emergency change allowed).
High: ≤ 7 days.
Medium: ≤ 30 days.
Low: ≤ 90 days.
Exceptions: Require documented risk acceptance, compensating controls, and expiry date approved by Security Officer.
Verification: Fix validation via rescans, unit/integration tests, and monitoring for regression.
Controls Mapping: SOC 2 CC7, CC9.
HYV‑S2‑OPS‑001 — Operations Security Policy (master policy)
Password Security Policy (HYV‑S2‑ID‑001)
Incident Response Plan & Playbooks (HYV‑S2‑IR‑001)
Backup & DR Runbooks (HYV‑S2‑DR‑001)
Vulnerability & Patch Management Standard (HYV‑S2‑VM‑001)