Policy Objectives
- Safeguard MaisonRMI data, infrastructure, and customer trust.
- Provide a repeatable approach for access requests, change management, and incident handling.
- Align MaisonRMI technology practices with SOC 2 and GDPR controls.
Key Controls
- Access Governance
  - Role-based access is provisioned through Okta groups.
  - Privileged accounts require multi-factor authentication and quarterly re-certification.
- Secure Development Lifecycle
  - All code changes follow pull-request review with automated security scanning.
  - Dependencies are patched within 14 days of a critical CVE release.
- Device Management
  - Corporate laptops are enrolled in MDM with enforced disk encryption and automatic updates.
  - Lost or stolen devices must be reported to [email protected] within one hour for remote wipe.
- Vendor Risk Management
  - Vendors are classified as high, medium, or low risk. High-risk providers require annual due diligence and data processing agreements.
- Incident Response
  - Incidents are triaged within 15 minutes during business hours. Severity 1 incidents require executive notification and a post-incident review.
Monitoring & Reporting
| Control Area | Metric | Frequency | Owner |
|---|---|---|---|
| Access | % of accounts reviewed | Quarterly | IT Operations Lead |
| Patching | Mean time to patch critical CVEs | Weekly | Platform Engineering |
| Incidents | Number of Severity 1 incidents | Monthly | Security Operations |
| Backups | Restore test success rate | Monthly | Infrastructure Team |
Linked SOPs
Exceptions
Exceptions must be time-bound, documented in the IT risk register, and approved by the Director of Technology. A compensating control is required for every exception.
Contacts
- Policy Owner: Director of Technology ([email protected])
- Security Escalation: [email protected]
- Business Continuity: [email protected]
Review Cycle
Effective from 1 January 2025 and reviewed quarterly by the Security Steering Committee.