Tech Tree · Security
Security & Compliance Maturity
Advance your security posture from basic hygiene to a verified zero-trust architecture with continuous compliance. Each node represents a concrete security capability with cross-track dependencies that mirror how real organisations layer defences.
Maturity tiers
Basic
Minimum hygiene in place. Known critical vulnerabilities are patched. Credentials are not committed to git.
Hardened
Active defences deployed. Attack surface reduced. Security gates in the delivery pipeline.
Compliant
Formal certification achieved or in progress. Evidence collected continuously. Auditors can be answered confidently.
Zero Trust
No implicit trust. Every request authenticated, authorised, and logged. Blast radius of any breach is contained by policy.
Tracks
AppSec
Security embedded in the software development lifecycle — scanning, testing, and secure coding.
InfraSec
Cloud and on-premise infrastructure hardening, network segmentation, and runtime protection.
Governance
Policies, risk management, certifications, and executive accountability for security.
Identity
Authentication, authorisation, access control, and credential lifecycle management.
All capabilities (17)
Basic
Basic Access Control
All user accounts use strong passwords. Shared credentials are eliminated. Production access is limited to named individuals with a documented need.
access-control · iam · credentials
Dependency Scanning
All third-party libraries are scanned for known CVEs on every pull request. Critical and high vulnerabilities block merge. A remediation SLA is defined and tracked.
dependencies · cve · sca · supply-chain
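As an added illustration (not tooling from this page), the merge-gate logic the capability above describes: critical and high findings block a pull request unless an approved, unexpired exception exists, and every finding is also measured against its severity's remediation SLA so overdue items are tracked even when they do not block. The findings format, SLA values, package names and CVE identifiers below are constructed for the example; real scanners emit richer output.

```python
"""Merge gate for software-composition-analysis (SCA) findings.

Added example, not the page's own tooling. The findings shape, the SLA
values and the sample CVE identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Remediation SLA (days) per severity. Assumed values for the example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Severities that block a pull request from merging.
BLOCKING = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    cve: str
    severity: str
    first_seen: date                  # first appearance on the default branch
    fix_version: Optional[str] = None


def evaluate_pr(findings: List[Finding], today: date,
                exceptions: Optional[Dict[str, date]] = None
                ) -> Tuple[bool, List[str], List[str]]:
    """Decide whether a PR may merge.

    Returns (blocked, reasons, sla_breaches):
      blocked      - True if any critical/high finding lacks an unexpired exception
      reasons      - lines for the PR status check
      sla_breaches - CVEs older than their severity's SLA; tracked even when
                     they do not block (an overdue medium, for instance)
    """
    exceptions = exceptions or {}
    reasons, breaches = [], []
    for f in findings:
        sev = f.severity.lower()
        age_days = (today - f.first_seen).days
        if age_days > SLA_DAYS.get(sev, 0):
            breaches.append(f.cve)
        excepted_until = exceptions.get(f.cve)
        if sev in BLOCKING and not (excepted_until and excepted_until >= today):
            fix = f"fix in {f.fix_version}" if f.fix_version else "no fix available yet"
            reasons.append(f"{f.package}@{f.version}: {f.cve} [{sev}] {fix}")
    return bool(reasons), reasons, breaches


# Constructed sample scan output (fake package names and CVE ids).
SAMPLE_FINDINGS = [
    Finding("web-templating", "1.2.0", "CVE-2024-90001", "high", date(2024, 1, 2), "1.2.4"),
    Finding("yaml-parser", "5.3.0", "CVE-2024-90002", "critical", date(2024, 3, 1), "5.4.0"),
    Finding("http-client", "2.25.0", "CVE-2024-90003", "medium", date(2024, 2, 20), "2.31.0"),
]

if __name__ == "__main__":
    blocked, reasons, breaches = evaluate_pr(SAMPLE_FINDINGS, date(2024, 4, 1))
    print("BLOCKED" if blocked else "OK")
    print("\n".join(reasons))
    print("SLA breaches:", breaches)
```

Wire evaluate_pr into a required status check. Keeping the SLA breach list separate from the merge decision means an overdue medium stays visible on the tracking dashboard without blocking unrelated pull requests, while exceptions carry an expiry so a risk acceptance cannot quietly become permanent.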
Infrastructure Hardening Baseline
Cloud accounts are configured to a security baseline. Public S3 buckets and open security groups are eliminated. Logging is enabled across all cloud services.
cloud-security · hardening · logging · cspm
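An added example of what "configured to a security baseline" means in practice, not tooling from this page or any CSPM product: three checks run over a constructed inventory snapshot (public buckets, security groups open to the world on anything but the web ports, services with logging off). The inventory is plain dicts standing in for API output, and the rule identifiers are assumptions.

```python
"""Baseline checks over a cloud inventory snapshot, the kind a CSPM tool runs.

Added example, not the page's own tooling or any CSPM product. The inventory
is a constructed, simplified snapshot (plain dicts), not live API output, and
the rule identifiers are assumptions for the example.
"""
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]             # (resource, rule, detail)

BPA_KEYS = ("block_public_acls", "ignore_public_acls",
            "block_public_policy", "restrict_public_buckets")
WORLD_OK_TCP_PORTS = {80, 443}             # public web tier only


def is_world_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (any prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_buckets(buckets: List[dict]) -> List[Finding]:
    out = []
    for b in buckets:
        bpa = b.get("block_public_access", {})
        fully_blocked = all(bpa.get(k, False) for k in BPA_KEYS)
        if fully_blocked:
            continue                       # Block Public Access overrides ACL/policy
        if b.get("acl_public") or b.get("policy_public"):
            out.append((b["name"], "s3-public-bucket", "anonymous principals can reach this bucket"))
        else:
            out.append((b["name"], "s3-public-access-block-off", "Block Public Access not fully enabled"))
    return out


def check_security_groups(groups: List[dict]) -> List[Finding]:
    out = []
    for g in groups:
        for r in g.get("ingress", []):
            if not is_world_cidr(r["cidr"]):
                continue
            lo, hi, proto = r["from_port"], r["to_port"], r["protocol"]
            web_only = proto == "tcp" and lo == hi and lo in WORLD_OK_TCP_PORTS
            if not web_only:
                out.append((g["id"], "sg-open-to-world", f"{proto} {lo}-{hi} from {r['cidr']}"))
    return out


def check_logging(services: Dict[str, bool]) -> List[Finding]:
    return [(svc, "logging-disabled", f"{svc} is not logging")
            for svc, on in sorted(services.items()) if not on]


def run_baseline(inventory: dict) -> List[Finding]:
    return (check_buckets(inventory["buckets"])
            + check_security_groups(inventory["security_groups"])
            + check_logging(inventory["logging"]))


# Constructed inventory: one public bucket, one SSH-to-world group, CloudTrail off.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "corp-static-site", "block_public_access": {k: False for k in BPA_KEYS},
         "acl_public": True, "policy_public": False},
        {"name": "corp-backups", "block_public_access": {k: True for k in BPA_KEYS},
         "acl_public": False, "policy_public": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
    "logging": {"cloudtrail": False, "vpc_flow_logs": True, "s3_access_logs": True},
}

if __name__ == "__main__":
    for resource, rule, detail in run_baseline(SAMPLE_INVENTORY):
        print(f"{rule:28} {resource:18} {detail}")
```

The bucket check deliberately treats account- or bucket-level Block Public Access as decisive: a permissive ACL under a fully enabled block is not reachable, so flagging it would be noise, whereas a block that is only partly enabled is itself worth a finding.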
Secrets Management
No secrets in source code, in configuration or .env files committed to git, or in chat tools such as Slack. All credentials are rotated on a schedule and retrieved from a secrets manager at runtime rather than baked into builds.
secrets · credentials · vault
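An added example, not tooling from this page, of the pre-commit check that keeps secrets out of git: a few well-known token formats are flagged outright, and a generic "password/secret/token = value" rule is gated by a Shannon-entropy threshold plus a placeholder allowlist to cut false positives. The sample lines are constructed; the entropy threshold of 3.0 bits per character and the placeholder list are assumptions to tune per repository.

```python
"""Pre-commit style secret detector run over constructed file lines.

Added example, not the page's own tooling. Known-format patterns are flagged
unconditionally; the generic assignment rule needs both a non-placeholder
value and entropy at or above ENTROPY_MIN (an assumed threshold).
"""
import math
import re
from typing import Iterable, List, Tuple

# Known-format credentials: flagged regardless of entropy.
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignment: DB_PASSWORD=..., token = "...", api_key: ...
GENERIC = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']?([^\s\"']{8,})")
PLACEHOLDER_EXACT = {"changeme", "password", "example", "placeholder", "redacted", "xxxxxxxx"}
PLACEHOLDER_PREFIX = ("${", "$", "<", "%", "{{", "your_")
ENTROPY_MIN = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_like_placeholder(value: str) -> bool:
    return value.strip("\"'").lower() in PLACEHOLDER_EXACT or value.startswith(PLACEHOLDER_PREFIX)


def scan_lines(lines: Iterable[Tuple[str, int, str]]) -> List[Tuple[str, int, str]]:
    """lines: (path, lineno, text). Returns (path, lineno, rule) for each hit."""
    findings = []
    for path, lineno, text in lines:
        rule = next((name for name, rx in KNOWN_FORMATS.items() if rx.search(text)), None)
        if rule is None:
            m = GENERIC.search(text)
            if m:
                value = m.group(2)
                if not looks_like_placeholder(value) and shannon_entropy(value) >= ENTROPY_MIN:
                    rule = "generic-high-entropy-secret"
        if rule:
            findings.append((path, lineno, rule))
    return findings


# Constructed sample: what a bad commit might contain. The AWS key id is the
# documented AWS example value; the GitHub token is a fabricated string.
SAMPLE_LINES = [
    (".env", 1, "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    (".env", 2, "DB_PASSWORD=Tr0ub4dor&3"),
    (".env", 3, "API_KEY=${API_KEY}"),                     # placeholder, not a secret
    ("config.py", 10, 'token = "changeme"'),                # placeholder, not a secret
    ("README.md", 4, "# password: see the vault path in ops/README"),
    ("deploy/id_rsa", 1, "-----BEGIN RSA PRIVATE KEY-----"),
    ("ci.sh", 7, "export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789"),
]

if __name__ == "__main__":
    for path, lineno, rule in scan_lines(SAMPLE_LINES):
        print(f"{path}:{lineno}: {rule}")
```

The entropy gate is a heuristic, not a proof: a short, human-chosen password can score below any sensible threshold, which is why known-format rules bypass it and why the real control is that production credentials are fetched from the secrets manager at runtime rather than ever typed into a file.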
Security Policy
A written information security policy exists, is approved by leadership, and is communicated to all employees annually. It defines acceptable use, incident response, and data classification.
policy · governance · compliance · training
Hardened
MFA Everywhere
Multi-factor authentication is mandatory for all user-facing systems, cloud consoles, VPN, and privileged accounts. Phishing-resistant MFA (FIDO2) is required for administrative access.
mfa · identity · authentication · phishing-resistant
Network Segmentation
Production, staging, and development environments are in separate VPCs with no lateral connectivity. Databases are in private subnets with no internet-accessible endpoints.
network-segmentation · vpc · isolation
Risk Register
A maintained risk register captures known security risks with likelihood, impact, owner, and treatment plan. The register is reviewed quarterly by the CISO or CTO.
risk-management · threat-modelling · governance
Static Application Security Testing
SAST tools analyse source code on every pull request, surfacing injection vulnerabilities, insecure patterns, and misconfigurations before code reaches production.
sast · code-scanning · appsec · devsecops
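As an added example (not from this page or any named SAST product) of what a source-to-sink rule looks like, here is a small AST-based check for the injection case above: any DB-API execute-style call whose first argument is a string built at runtime, either inline or through a local variable. The sample code it scans is constructed and shows the vulnerable forms beside the parameterised one that passes. The analysis is flow-insensitive and single-file; real tools do far more, but the shape is the same.

```python
"""Tiny AST-based SAST rule: runtime-built SQL reaching a DB-API execute() sink.

Added example, not the page's own tooling. Flow-insensitive: a query variable
resolves to its last simple assignment anywhere in the module.
"""
import ast
from typing import Dict, List, Optional, Tuple

SQL_SINKS = {"execute", "executemany", "executescript"}


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Why a query expression counts as runtime-built, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string interpolation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_sql_injection(source: str) -> List[Tuple[int, str]]:
    """Return (lineno, reason) for each sink call fed a runtime-built string."""
    tree = ast.parse(source)
    # Pass 1: last simple assignment per name (flow-insensitive).
    assigned: Dict[str, ast.AST] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assigned[node.targets[0].id] = node.value
    # Pass 2: inspect every sink call.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            continue
        query = node.args[0]
        if isinstance(query, ast.Name):
            query = assigned.get(query.id, query)
        reason = _dynamic_string_reason(query)
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample: three vulnerable calls and two safe ones.
SAMPLE_SOURCE = '''
def get_user(cur, username):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)      # line 3: vulnerable
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")       # line 4: vulnerable
    q = "SELECT * FROM users WHERE name = '" + username + "'"
    cur.execute(q)                                                      # line 6: vulnerable via q
    cur.execute("SELECT * FROM users WHERE name = %s", (username,))     # safe: parameterised
    cur.execute("SELECT COUNT(*) FROM users")                           # safe: constant
'''

if __name__ == "__main__":
    for lineno, reason in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL built by {reason} reaches execute()")
```

The parameterised call passes because its first argument is a constant string and the user value travels in the separate parameters tuple, which is exactly the fix the rule is steering developers toward.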
Compliant
GDPR Compliance
Data protection impact assessments, a data processing register, and privacy-by-design practices are in place. Subject access request and right-to-erasure workflows are tested and operational.
gdpr · privacy · data-protection · compliance
Penetration Testing
Annual third-party penetration tests cover external attack surface, application layer, and internal network. Critical findings are remediated within 30 days and re-tested.
pen-testing · external-testing · appsec
Privileged Access Management
Privileged access to production is time-limited, just-in-time, and fully audited. No standing admin privileges exist in production environments.
pam · privileged-access · identity · jit
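An added example, not from this page or any PAM product, of the decision and record-keeping logic behind "time-limited, just-in-time, and fully audited": grants exist only for an approved window, every authorisation check is logged whether it succeeds or not, and with no grants outstanding nobody is an admin. The maximum TTL, the no-self-approval rule and the ticket requirement are assumptions for the example; in a real deployment the grant would be enforced by cloud IAM, an SSH certificate authority or the database itself.

```python
"""Just-in-time privileged access broker with expiring grants and an audit trail.

Added example, not the page's own tooling. MAX_TTL, the no-self-approval
rule and the ticket requirement are assumed policy for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_TTL = timedelta(hours=4)          # assumed ceiling for any single grant


@dataclass
class Grant:
    user: str
    role: str          # e.g. "prod-db-admin"
    target: str        # e.g. "prod/orders-db"
    granted_at: datetime
    expires_at: datetime
    approver: str
    ticket: str
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class JitBroker:
    """No standing privileges: authorisation exists only while a grant is active."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def _log(self, now: datetime, event: str, **fields) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event, **fields})

    def request(self, user: str, role: str, target: str, ttl: timedelta,
                approver: str, ticket: str, now: datetime) -> Grant:
        if approver == user:
            self._log(now, "grant_denied", user=user, role=role, target=target, reason="self-approval")
            raise PermissionError("approver must differ from requester")
        if not ticket:
            self._log(now, "grant_denied", user=user, role=role, target=target, reason="no ticket")
            raise ValueError("a change or incident ticket is required")
        if ttl > MAX_TTL:
            self._log(now, "grant_denied", user=user, role=role, target=target, reason="ttl too long")
            raise ValueError(f"ttl exceeds {MAX_TTL}")
        grant = Grant(user, role, target, now, now + ttl, approver, ticket)
        self.grants.append(grant)
        self._log(now, "grant_issued", user=user, role=role, target=target,
                  expires_at=grant.expires_at.isoformat(), approver=approver, ticket=ticket)
        return grant

    def authorize(self, user: str, role: str, target: str, now: datetime) -> bool:
        """Per-use check; every decision is recorded, allow or deny."""
        ok = any(g.user == user and g.role == role and g.target == target and g.active(now)
                 for g in self.grants)
        self._log(now, "access_allowed" if ok else "access_denied", user=user, role=role, target=target)
        return ok

    def revoke(self, user: str, target: str, now: datetime, reason: str = "manual") -> int:
        """Cut short every active grant for user on target; returns how many."""
        count = 0
        for g in self.grants:
            if g.user == user and g.target == target and g.active(now):
                g.revoked_at = now
                count += 1
        self._log(now, "grant_revoked", user=user, target=target, count=count, reason=reason)
        return count


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request("alice", "prod-db-admin", "prod/orders-db", timedelta(hours=1), "bob", "INC-1234", t0)
    print(broker.authorize("alice", "prod-db-admin", "prod/orders-db", t0 + timedelta(minutes=30)))  # True
    print(broker.authorize("alice", "prod-db-admin", "prod/orders-db", t0 + timedelta(minutes=61)))  # False
    for entry in broker.audit:
        print(entry)
```

The audit list is the artefact an auditor asks for: who asked, who approved, against which ticket, when it expired, and every use or attempted use in between.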
SOC 2 Certification
SOC 2 Type II report obtained (an independent auditor's attestation over an observation period, not a certificate in the ISO sense), covering the Security, Availability, and Confidentiality Trust Services Criteria. Evidence is collected continuously, not scrambled together at audit time.
soc2 · certification · audit · compliance
Zero Trust
Continuous Compliance
Compliance posture is monitored in real time. Policy violations trigger automated alerts and, where possible, automated remediation. Auditors can be given a dashboard instead of a spreadsheet.
continuous-compliance · policy-as-code · governance · automation
DevSecOps Pipeline
Security is embedded at every stage of the delivery pipeline. SAST, DAST, SCA, IaC scanning, and container image scanning all gate production deployments automatically.
devsecops · pipeline · dast · container-security
Identity Governance & Administration
The full lifecycle of every human and machine identity is managed and audited, from joiners and movers to leavers. Access is reviewed quarterly and access certification campaigns (managers attesting to their reports' entitlements) are automated.
iga · identity-governance · lifecycle · provisioning
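An added example, not from this page or any IGA product, of the reconciliation that lifecycle management rests on: the HR system of record is compared with the identity provider to surface leavers still enabled, accounts with no HR owner, movers who kept entitlements from their old department, dormant logins, and service accounts whose owner has left. Both data sets are constructed, and the field names, role model and 90-day dormancy window are assumptions.

```python
"""Joiner/mover/leaver reconciliation: HR system of record vs identity provider.

Added example, not the page's own tooling. Data shapes, ENTITLEMENTS and
DORMANT_DAYS are assumptions; real HRIS and IdP exports need mapping first.
"""
from datetime import date
from typing import Dict, List

DORMANT_DAYS = 90

# Department -> groups a member is entitled to (assumed role model).
ENTITLEMENTS = {
    "engineering": {"eng-all", "github-devs"},
    "finance": {"finance-all", "erp-users"},
    "sales": {"sales-all", "crm-users"},
}
BASELINE_GROUPS = {"all-staff"}          # everyone gets these


def reconcile(hr_records: List[dict], idp_accounts: List[dict], today: date) -> Dict[str, List[str]]:
    """Return review exceptions grouped by type; each entry names an IdP account."""
    hr_by_email = {r["email"]: r for r in hr_records}
    out: Dict[str, List[str]] = {
        "leaver_still_enabled": [], "account_without_hr_record": [],
        "excess_entitlement": [], "dormant": [], "service_account_unowned": [],
    }
    for a in idp_accounts:
        name = a["username"]
        if a["type"] == "service":
            owner = hr_by_email.get(a.get("owner", ""))
            if owner is None or owner["status"] != "active":
                out["service_account_unowned"].append(name)
            continue
        hr = hr_by_email.get(a["email"])
        if hr is None:
            out["account_without_hr_record"].append(name)
            continue
        if hr["status"] == "terminated" and a["enabled"]:
            out["leaver_still_enabled"].append(name)
            continue                     # deprovisioning resolves the rest
        allowed = ENTITLEMENTS.get(hr["department"], set()) | BASELINE_GROUPS
        extra = set(a["groups"]) - allowed
        if extra:
            out["excess_entitlement"].append(f"{name}: {sorted(extra)}")
        last = a.get("last_login")
        if a["enabled"] and (last is None or (today - last).days > DORMANT_DAYS):
            out["dormant"].append(name)
    return out


# Constructed HR roster: cho moved from engineering to finance; ben has left.
SAMPLE_HR = [
    {"email": "ana@example.com", "status": "active", "department": "engineering"},
    {"email": "ben@example.com", "status": "terminated", "department": "sales"},
    {"email": "cho@example.com", "status": "active", "department": "finance"},
    {"email": "dee@example.com", "status": "active", "department": "engineering"},
]
# Constructed IdP export.
SAMPLE_IDP = [
    {"username": "ana", "email": "ana@example.com", "type": "human", "enabled": True,
     "groups": ["all-staff", "eng-all", "github-devs"], "last_login": date(2024, 5, 30)},
    {"username": "ben", "email": "ben@example.com", "type": "human", "enabled": True,
     "groups": ["all-staff", "sales-all"], "last_login": date(2024, 3, 14)},
    {"username": "cho", "email": "cho@example.com", "type": "human", "enabled": True,
     "groups": ["all-staff", "finance-all", "github-devs"], "last_login": date(2024, 5, 29)},
    {"username": "dee", "email": "dee@example.com", "type": "human", "enabled": True,
     "groups": ["all-staff", "eng-all"], "last_login": date(2024, 1, 10)},
    {"username": "svc-backup", "type": "service", "enabled": True,
     "groups": ["backup-operators"], "owner": "ben@example.com"},
    {"username": "contractor7", "email": "c7@example.net", "type": "human", "enabled": True,
     "groups": ["all-staff"], "last_login": None},
]

if __name__ == "__main__":
    for kind, names in reconcile(SAMPLE_HR, SAMPLE_IDP, date(2024, 6, 1)).items():
        print(f"{kind:28} {names}")
```

Each bucket maps to a different owner: leavers and unowned service accounts go to the IAM on-call for immediate deprovisioning, excess entitlements and accounts without an HR record go into the quarterly certification campaign for a manager's attestation, and dormant accounts are disabled pending a reactivation request.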
Zero Trust Architecture
Network perimeter is eliminated as a trust boundary. Every request — internal or external — is verified, least-privileged, and logged. Lateral movement after compromise is contained.
zero-trust · micro-segmentation · spiffe · policy