The Operations Security Policy is published in the Changineers trust portal. This page is the handbook index for the procedures that implement it.
## What’s required

Production systems are configured to a known baseline, kept current with patches, segmented at the network layer, and monitored continuously. Changes to production go through a controlled process with approval and rollback. Vulnerabilities that surface from any source are detected, triaged, and remediated.
## Implementing procedures

| Topic | Page |
|---|---|
| Production changes: proposing, reviewing, and deploying | Change management |
| Manual production changes when the standard process can’t be followed | Emergency change |
| Configuration baselines for AWS resources, VMs, network controls, Cognito, and engineer laptops | Configuration baselines |
| Metrics, logs, traces, and alarms | Observability |
| Authentication anomalies, account intrusion detection, audit logging | Threat detection |
| Vulnerability detection, triage, severity, and remediation | Vulnerability management |
## Management systems

Production AWS resources are defined as code in Terraform; changes go through the release pull request flow on Change management.
Engineers who need elevated AWS access for an exceptional case request it through AWS IAM Identity Center, federated from Google Workspace, with approval by the CTO. See Change management § Authorised actors.