Operations Security Policy

Purpose

To ensure secure operation of Qwestly's systems and data while supporting our cloud-based talent marketplace platform.

Scope

This policy applies to all Qwestly team members (currently 3 employees) and covers:

  • AWS cloud infrastructure and services
  • Application development and deployment
  • Data processing and AI/ML systems
  • Third-party integrations and vendors
  • System monitoring and incident response

Policy

Cloud Infrastructure Security

AWS Security Basics:

  • Multi-factor authentication required for all AWS console access
  • Use least-privilege IAM policies - only grant necessary permissions
  • Enable CloudTrail logging for all activities
  • Regular security group review - default deny, explicit allow
  • Encrypt all data at rest (S3, RDS, etc.)

Infrastructure as Code:

  • All infrastructure deployed via Terraform or similar tools
  • Infrastructure changes require code review before deployment
  • Version control all infrastructure configurations
  • Document any manual changes and update code accordingly

Change Management

Development to Production:

  • All code changes go through GitHub pull request review
  • Automated testing required before merging to main branch
  • Staging environment testing before production deployment
  • Have a rollback plan for all production changes

Change Categories:

  • Low risk (bug fixes, minor updates): Automated deployment after tests pass
  • Medium risk (new features, config changes): Team member review required
  • High risk (architecture changes, security changes): All 3 team members must review

Emergency Changes:

  • CTO (Dominick) can authorize emergency deployments
  • Document and review all emergency changes within 24 hours

System Monitoring

Basic Monitoring Requirements:

  • Application uptime and performance monitoring
  • Error tracking and alerting
  • AWS CloudWatch for infrastructure monitoring
  • Database performance monitoring
  • Set up alerts for system failures and performance issues

Security Monitoring:

  • Monitor failed login attempts
  • Alert on unusual data access patterns
  • Track administrative actions
  • Monitor API usage for anomalies

Data Protection

Data Handling:

  • Encrypt all candidate and customer data
  • Separate production data from development/staging
  • Never use real customer data in development
  • Regular database backups with encryption

Access Control:

  • Principle of least privilege for all data access
  • Regular review of who has access to what data
  • Multi-factor authentication for systems with sensitive data
  • Immediately revoke access when team members leave

AI/ML Operations

Model Security:

  • Secure storage of training data and models
  • Track versions of all AI models in production
  • Monitor model performance and bias
  • Have rollback procedures for problematic model deployments

Backup and Recovery

Backup Requirements:

  • Daily automated backups of all critical data
  • Test backup restoration quarterly
  • Store backups in a different AWS region than the primary
  • Document recovery procedures and keep them updated

Recovery Targets:

  • Critical systems back online within 4 hours
  • Data loss limited to a maximum of 1 hour of transactions
  • Customer communication plan for extended outages

Vendor Management

Third-Party Services:

  • Evaluate security practices of all vendors
  • Monitor vendor service availability and performance
  • Have backup plans for critical vendor dependencies
  • Regular review of vendor access to our systems

Vulnerability Management

Security Updates:

  • Apply critical security patches within 7 days
  • Regular dependency updates for applications
  • Monthly review of security advisories
  • Automated vulnerability scanning where possible

Incident Response

When Something Goes Wrong:

  1. Immediate: Contain the issue (stop data access, isolate systems)
  2. Within 1 hour: Assess impact and notify team
  3. Within 24 hours: Document incident and implement fixes
  4. Within 1 week: Review what happened and improve processes

Contact Information:

  • Primary: CTO (Dominick) - [phone/email]
  • Secondary: CEO (Adam) - [phone/email]
  • After hours: Use team Slack emergency channel

Compliance

SOC 2 Basics:

  • Document all security controls and procedures
  • Regular access reviews (quarterly)
  • Maintain audit logs for all system access
  • Annual security training for all team members

Responsibilities

  • All team members: Follow security procedures, report issues immediately
  • CTO (Dominick): Policy owner, incident response leader, security decisions
  • CEO (Adam): Policy approval, resource allocation, customer communication
  • Engineering team: Implement security controls, maintain systems

Implementation

  • Immediate: Basic monitoring and access controls
  • Month 1: Automated backups and incident procedures
  • Month 3: Advanced monitoring and compliance documentation
  • Ongoing: Regular reviews and improvements

Training

  • Security awareness training during onboarding
  • Monthly team discussion of security practices
  • Quarterly review of this policy
  • Annual security training refresh

Document History

Version | Date    | Description | Written by    | Approved by
1.0.0   | 6/13/25 |             | Dominick Pham | Adam Boender