Skip to main content
AC

Acme Cloud

EthicPages logoVisit EthicPages

Security Overview

Last updated: January 15, 2026

Security Overview

Document owner: Chief Information Security Officer (CISO) Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Quarterly, and upon material architecture, vendor, or threat landscape changes Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions

TermDefinition
AWSAmazon Web Services, the primary infrastructure provider for Acme Cloud production systems
CMKCustomer Master Key, the top-level encryption key in AWS KMS hierarchy
CUECComplementary User Entity Controls, customer responsibilities in a shared responsibility model
DEKData Encryption Key, symmetric key used to encrypt data directly
EDREndpoint Detection and Response, security software for threat detection on endpoints
FIDO2Fast Identity Online 2, passwordless authentication standard using public-key cryptography
HSTSHTTP Strict Transport Security, mechanism forcing HTTPS connections
IaCInfrastructure as Code, managing infrastructure through machine-readable definition files
ISMSInformation Security Management System, framework for managing security policies and controls
JITJust-in-Time, access provisioning approach granting privileges only when needed
KMSKey Management Service, AWS service for creating and managing encryption keys
MFAMulti-Factor Authentication, requiring multiple verification methods for access
mTLSMutual TLS, bidirectional certificate authentication for service-to-service communication
NIST CSFNational Institute of Standards and Technology Cybersecurity Framework
PAMPrivileged Access Management, controlling elevated system access
RTORecovery Time Objective, target duration for restoring service after disruption
RPORecovery Point Objective, maximum acceptable data loss measured in time
SIEMSecurity Information and Event Management, centralized security monitoring platform
SOC 2Service Organization Control 2, trust services audit framework
TSCTrust Services Criteria, principles for SOC 2 compliance
VPCVirtual Private Cloud, isolated network environment within AWS
WAFWeb Application Firewall, filtering malicious web traffic
WebAuthnWeb Authentication API, browser standard for FIDO2 authentication
ZTAZero Trust Architecture, security model requiring verification for all access requests

Scope and Applicability

1.1 Organizational Scope

This Security Overview applies to the entire Acme Cloud, Inc. organization, including all subsidiaries, divisions, and affiliated entities. The scope encompasses all personnel with access to Acme Cloud systems, data, or facilities, including full-time employees, part-time employees, contractors, consultants, temporary workers, interns, and third-party service providers operating on behalf of Acme Cloud.

1.2 Technical Scope

The security program covers all technology systems and infrastructure operated by or on behalf of Acme Cloud:

System CategoryScope InclusionExamples
Production InfrastructureFull scopeAWS accounts hosting customer-facing SaaS platform
Staging EnvironmentsFull scope when containing customer data copiesPre-production validation environments
Development EnvironmentsPartial scope (code security, access controls)Developer workstations, CI/CD pipelines
Corporate IT SystemsFull scope for systems accessing productionOkta, Google Workspace, Slack, Jira
Third-Party IntegrationsRisk-based scope per vendor tierPayment processors, analytics providers
Physical FacilitiesPhysical security controls onlyOffice locations, data center colocations

1.3 Data Scope

All data processed, stored, or transmitted by Acme Cloud systems falls within scope of this security program. Data classification determines specific control requirements:

ClassificationScope TreatmentEncryption RequirementAccess Restriction
PublicIntegrity controls onlyOptionalNone
InternalStandard security controlsRecommendedRole-based
ConfidentialEnhanced controls, monitoringRequiredNeed-to-know
RestrictedMaximum controls, auditRequired with field-levelExplicit approval

1.4 Exclusions

The following are explicitly excluded from scope: personal devices not enrolled in mobile device management (MDM), customer-owned systems accessing Acme Cloud via public APIs (covered by shared responsibility), and third-party services where Acme Cloud is solely a consumer without administrative access.

Security Governance Framework

2.1 Governance Structure

Acme Cloud maintains a multi-tiered security governance structure with clear accountability, escalation paths, and decision-making authority.

Governance BodyMembersMeeting CadenceResponsibilities
Board Audit CommitteeIndependent directors (3)QuarterlySecurity risk oversight, compliance attestation approval
Executive Security CommitteeCEO, CTO, CISO, CFO, CLOMonthlySecurity strategy, major incident review, budget approval
Security Leadership TeamCISO, Security Directors (4)WeeklyOperational decisions, policy approval, program management
Security Architecture Review BoardCISO, Principal Architects (3), Security Engineering LeadBi-weeklyTechnical standards, design reviews, exception approvals
Incident Response TeamCISO, Security Ops Lead, Engineering On-Call, Legal, CommunicationsAs neededActive incident management, customer notification decisions

2.2 Roles and Responsibilities (RACI Matrix)

ActivityBoardCEOCISOSecurity EngineeringEngineering TeamsHRLegal
Security strategy approvalARCIIIC
Policy developmentIIARCCC
Control implementationIIARRII
Risk assessmentICARCIC
Incident responseIIARCCR
Compliance attestationARRCIIC
Security awareness trainingIIACIRI
Vendor security reviewIIARIIC
Background checksIICIIA/RC
Breach notificationACRCIIR

Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed

2.3 Security Organization Structure

The Security organization comprises 32 full-time employees organized into specialized teams:

TeamHeadcountLeaderPrimary Functions
Security Engineering14Director, Security EngineeringInfrastructure security, security tooling, detection engineering
Governance, Risk & Compliance5Director, GRCPolicy management, audit coordination, compliance monitoring
Security Operations7Director, Security Operations24/7 monitoring, incident response, threat intelligence
Privacy Engineering3Privacy Engineering ManagerPrivacy controls, data protection, DSR automation
Application Security3Application Security LeadSecure SDLC, code review, penetration testing coordination

The CISO reports directly to the CEO with a dotted-line reporting relationship to the Board Audit Committee. Security budget represents 9.1% of total engineering spend for FY2026.

2.4 Policy Framework

Acme Cloud maintains a hierarchical policy framework:

Policy LevelApproval AuthorityReview CadenceExamples
Enterprise PoliciesExecutive Security CommitteeAnnualInformation Security Policy, Acceptable Use Policy
StandardsCISOAnnualEncryption Standards, Access Control Standards
ProceduresSecurity Leadership TeamSemi-annualIncident Response Procedures, Change Management Procedures
GuidelinesSecurity EngineeringAs neededSecure Coding Guidelines, Cloud Configuration Guidelines
RunbooksSecurity OperationsQuarterlyIncident runbooks, operational playbooks

All policies are version-controlled in a central repository with approval workflows. Policy changes require formal change request, impact assessment, stakeholder review, and documented approval before publication.

Information Security Management System (ISMS)

3.1 ISMS Scope and Objectives

Acme Cloud operates an ISMS aligned with ISO/IEC 27001:2022 requirements. The ISMS scope encompasses the design, development, operation, and support of the Acme Cloud SaaS platform, including all supporting infrastructure, personnel, and processes.

ISMS objectives for FY2026:

ObjectiveMetricTargetCurrent Status
Achieve ISO 27001 certificationCertification statusCertified by Q3 2026Stage 1 audit completed
Maintain zero material security breachesSEV1 incidents with data exfiltration00 (on track)
Reduce critical vulnerability MTTRHours to remediate critical findings< 48 hours52 hours average
Achieve security training completionPercentage of workforce trained100%98.7%
Complete all access reviews on scheduleReviews completed on time100%100%

3.2 Risk Management Process

Acme Cloud conducts formal risk assessments following a defined methodology:

Step 1: Asset Identification 1.1. Inventory all information assets within ISMS scope 1.2. Assign asset owners and custodians 1.3. Classify assets per data classification policy 1.4. Document asset dependencies and interconnections

Step 2: Threat and Vulnerability Assessment 2.1. Identify applicable threats using MITRE ATT&CK framework 2.2. Assess vulnerabilities through automated scanning and manual review 2.3. Evaluate threat actor capabilities and likelihood 2.4. Document threat scenarios with potential impact

Step 3: Risk Calculation and Prioritization 3.1. Calculate inherent risk using likelihood × impact matrix 3.2. Evaluate existing control effectiveness 3.3. Calculate residual risk post-controls 3.4. Prioritize risks by residual risk score

LikelihoodImpact: NegligibleImpact: MinorImpact: ModerateImpact: MajorImpact: Severe
Almost CertainMediumHighHighCriticalCritical
LikelyLowMediumHighHighCritical
PossibleLowMediumMediumHighHigh
UnlikelyLowLowMediumMediumHigh
RareLowLowLowMediumMedium

Step 4: Risk Treatment 4.1. Select treatment option: mitigate, transfer, accept, or avoid 4.2. Design and implement controls for mitigation 4.3. Document risk acceptance for residual risk above threshold (requires CISO approval for High, Executive Committee for Critical) 4.4. Monitor control effectiveness and residual risk continuously

3.3 Continuous Improvement

The ISMS improvement cycle includes:

Input SourceFrequencyReview ProcessImprovement Output
Internal auditsQuarterlyGRC review, finding trackingControl enhancements, procedure updates
External auditsAnnualManagement review, action planningPolicy revisions, training updates
Incident post-mortemsPer incidentLessons learned meetingsRunbook updates, detection improvements
Threat intelligenceContinuousSecurity Operations analysisControl adjustments, monitoring rules
Customer feedbackContinuousTrust team aggregationFeature requests, documentation updates
Regulatory changesAs neededLegal and GRC assessmentPolicy updates, control additions

Infrastructure Security Architecture

4.1 Cloud Infrastructure Overview

Acme Cloud production infrastructure operates exclusively on Amazon Web Services (AWS) with a multi-region architecture:

EnvironmentPrimary RegionDR RegionPurposeNetwork Isolation
Productionus-east-1 (N. Virginia)eu-west-1 (Ireland)Customer-facing SaaS platformDedicated VPC, private subnets
Stagingus-east-1N/APre-production validation with sanitized dataSeparate VPC, no production connectivity
Developmentus-east-1N/ADeveloper environments, CI/CDIsolated VPC, no customer data
Corporateus-east-1N/AInternal tooling, security systemsSeparate AWS account, VPC peering to production for monitoring only
DR-Hoteu-west-1N/AActive-passive failover, real-time replicationMirrored VPC architecture

4.2 Network Security Architecture

The production network implements a defense-in-depth architecture with multiple security layers:

Edge Security Layer

  • Cloudflare CDN/WAF: DDoS protection, rate limiting, bot management, geographic restrictions
  • AWS Shield Advanced: Network and application layer DDoS protection
  • Custom WAF rules: OWASP Top 10 protection, application-specific signatures

Application Layer

  • AWS Application Load Balancer: TLS termination, request routing, health checks
  • AWS WAF integration: Additional filtering rules, IP reputation blocking
  • Auto-scaling ECS services: Container-based microservices in private subnets
  • Service mesh (AWS App Mesh): mTLS for service-to-service communication

Data Layer

  • Amazon RDS PostgreSQL Multi-AZ: Primary database with automated failover
  • Amazon ElastiCache Redis: Session storage and caching with encryption
  • Amazon OpenSearch: Log aggregation and search with encryption at rest
  • No direct internet connectivity: All data-tier resources in isolated private subnets

4.3 Network Segmentation and Access Controls

Subnet TierInternet AccessCross-Tier AccessSecurity Group Rules
Public (Edge)Inbound HTTPS only (443)To Application tier onlyAllowlist: ALB ports, WAF
ApplicationOutbound via NAT GatewayFrom Public, to DataAllowlist: Service ports, health checks
DataNoneFrom Application tier onlyAllowlist: Database ports from app security groups
ManagementOutbound via NAT GatewayTo all tiers (restricted)Allowlist: SSH/RDP from bastion only

Network security controls:

ControlImplementationMonitoring
VPC Flow LogsAll subnets, 14-day retention in S3, shipped to SIEMAnomaly detection rules
AWS GuardDutyEnabled for all accounts, findings to Security HubAutomated alerting
Network ACLsStateless filtering at subnet boundariesQuarterly review
Security GroupsStateful filtering at instance/container levelIaC enforcement, drift detection
Transit GatewayControlled inter-VPC routingRoute table auditing

4.4 Infrastructure as Code and Configuration Management

All infrastructure is defined and managed through Infrastructure as Code:

ComponentIaC ToolRepositoryReview Process
AWS ResourcesTerraformmonorepo/infrastructurePR review, automated security scanning
Kubernetes ManifestsHelm + Kustomizemonorepo/k8sPR review, policy validation
Container ImagesDockerfile + CImonorepo/servicesAutomated scanning, base image governance
Network PoliciesTerraform + Calicomonorepo/infrastructureSecurity Architecture Review Board
Secrets ManagementTerraform + AWS Secrets Managermonorepo/infrastructurePR review, secret rotation automation

Configuration drift detection runs hourly. Unauthorized changes trigger immediate alerts and automatic remediation where safe.

Identity and Access Management

5.1 Workforce Identity Management

Acme Cloud uses Okta as the centralized identity provider for all workforce access:

Identity ComponentImplementationSecurity Controls
DirectoryOkta Universal DirectoryHR system integration, automated provisioning
SSOOkta SSOSAML 2.0 for all corporate applications
MFAOkta Verify + FIDO2 keysRequired for all users, phishing-resistant preferred
Password PolicyOkta Password Policy14+ characters, complexity requirements, breach database checks
Session ManagementOkta Session Policy12-hour maximum session, re-authentication for sensitive actions

5.2 Multi-Factor Authentication Requirements

Access TypeMFA RequirementApproved MethodsExceptions
Corporate SSORequiredFIDO2 (preferred), Okta Verify Push, TOTPNone
Production AccessRequired + Step-upFIDO2 requiredBreak-glass only (documented)
VPN AccessRequiredFIDO2, Okta Verify PushNone
Customer SSO (Enterprise)Customer-configurableSAML 2.0 assertion with MFA claimPer customer security policy
API AccessToken-basedAPI keys with IP restrictions, OAuth 2.0Service accounts (audited)

5.3 Privileged Access Management

Production access follows Just-in-Time (JIT) principles:

Standard Access Request Workflow

  1. Engineer submits access request via internal PAM tool specifying resource, duration, and justification
  2. System validates requestor role and entitlements
  3. Request routes to appropriate approver (team lead for standard, Security for privileged)
  4. Approver reviews justification and approves/denies within SLA
  5. Upon approval, temporary credentials provisioned with specified duration
  6. All session activity recorded for audit
  7. Access automatically revoked at expiration
Access LevelMaximum DurationApproval RequiredSession Recording
Read-only production8 hoursTeam leadAudit log only
Read-write production4 hoursSecurity OperationsFull session recording
Database direct access2 hoursCISO or delegateFull session recording
Infrastructure admin2 hoursSecurity OperationsFull session recording
Break-glass emergencyAs neededPost-incident review requiredFull session recording

5.4 Access Reviews and Recertification

Review TypeScopeFrequencyReviewerSLA for Completion
Production accessAll users with production accessMonthlySecurity Operations + Manager5 business days
Privileged rolesAdmin, security, infrastructure rolesMonthlyCISO or delegate3 business days
Application accessAll enterprise applicationsQuarterlyApplication owners10 business days
Service accountsAll service accounts and API keysQuarterlyService owners10 business days
Third-party accessContractor and vendor accountsMonthlySponsor + Security5 business days
Dormant accountsAccounts inactive > 30 daysMonthlyAutomated + Security reviewImmediate disable, 5-day review

5.5 Offboarding and Access Termination

Termination TypeAccess Revocation SLAVerificationDocumentation
Voluntary departure4 hours from notificationSecurity Operations checklistHR system record
Involuntary terminationImmediate (before notification)Security Operations checklistHR system record
Contractor end of engagement4 hours from sponsor notificationSecurity Operations checklistProcurement system record
Role change (internal transfer)24 hours for old role accessManager + Security reviewHR system record

Offboarding checklist includes: Okta account disable, production access revocation, email access removal, MFA device deregistration, laptop retrieval scheduling, exit interview scheduling, and knowledge transfer documentation.

Data Protection and Encryption

6.1 Data Classification Framework

ClassificationDefinitionExamplesHandling Requirements
PublicInformation approved for public releaseMarketing materials, public documentationNo restrictions
InternalBusiness information for internal useInternal wikis, non-sensitive communicationsAccess controls, no public sharing
ConfidentialSensitive business or customer informationCustomer data, PII, financial recordsEncryption required, need-to-know access
RestrictedHighly sensitive regulatory or contractual dataPHI, payment card data, encryption keysMaximum controls, explicit authorization

6.2 Encryption Standards Summary

Data StateStandardImplementationKey Management
At Rest - DatabasesAES-256RDS encryption, transparent data encryptionAWS KMS with annual rotation
At Rest - Object StorageAES-256S3 SSE-KMSPer-bucket CMKs
At Rest - Block StorageAES-256EBS encryptionAWS managed keys
At Rest - BackupsAES-256Separate encryption keysDedicated backup CMKs
In Transit - ExternalTLS 1.2+ (1.3 preferred)ALB termination, certificate automationACM managed
In Transit - InternalmTLSService mesh with internal PKIAutomated certificate rotation
Application LayerAES-256-GCMField-level encryption for sensitive fieldsTenant-specific DEKs wrapped by CMKs

Full encryption standards documented in /encryption-standards.

6.3 Data Loss Prevention Controls

DLP ControlScopeDetection MethodResponse Action
Email DLPOutbound emailPattern matching for PII, customer dataBlock, quarantine, alert
Endpoint DLPWorkstationsUSB transfer monitoring, screen capture detectionBlock, alert, log
Cloud DLPSaaS applicationsAPI integration, content inspectionAlert, access review
Code RepositoryGitHubSecret scanning, sensitive data patternsBlock commit, alert
Data TransferAWS S3, database exportsCross-account transfer monitoringAlert, require approval

6.4 Data Residency and Sovereignty

Acme Cloud offers data residency options for enterprise customers:

Region OptionPrimary Data CenterBackup LocationApplicable Regulations
United Statesus-east-1 (N. Virginia)us-west-2 (Oregon)US domestic
European Unioneu-west-1 (Ireland)eu-central-1 (Frankfurt)GDPR, Schrems II
United Kingdomeu-west-2 (London)eu-west-1 (Ireland)UK GDPR, Data Protection Act 2018
Asia Pacificap-southeast-1 (Singapore)ap-northeast-1 (Tokyo)Regional requirements

Data residency selection locks all customer data storage to the selected region. Metadata for global service functionality may traverse regions per documented data flow diagrams available upon request.

Vulnerability Management Program

7.1 Vulnerability Identification

Scanning TypeScopeFrequencyTools
Dependency scanningApplication dependenciesEvery commit (CI/CD)Snyk, Dependabot
Container scanningContainer imagesEvery buildTrivy, AWS ECR scanning
Infrastructure scanningCloud configurationContinuousAWS Config, Prisma Cloud
Web application scanningCustomer-facing applicationsWeeklyOWASP ZAP, Burp Suite
Network scanningInternal and external networksWeeklyNessus, Qualys
Code analysis (SAST)Source codeEvery commitSonarQube, Semgrep

7.2 Vulnerability Severity and SLA

SeverityCVSS ScoreRemediation SLAEscalation Path
Critical9.0 - 10.072 hoursImmediate Security Ops, CISO notification
High7.0 - 8.914 daysSecurity Engineering lead
Medium4.0 - 6.930 daysOwning team
Low0.1 - 3.990 daysOwning team, prioritized in backlog
InformationalN/ABest effortDocumentation only

7.3 Vulnerability Remediation Workflow

Step 1: Triage and Validation 1.1. Security Operations receives vulnerability alert 1.2. Validate finding is not false positive 1.3. Determine affected systems and potential impact 1.4. Assign severity based on CVSS and contextual risk

Step 2: Assignment and Tracking 2.1. Create tracking ticket with severity, affected systems, and SLA 2.2. Assign to appropriate remediation owner 2.3. Notify stakeholders per severity level

Step 3: Remediation 3.1. Develop and test fix in non-production environment 3.2. Implement emergency change for critical, standard change for others 3.3. Deploy fix to production

Step 4: Verification 4.1. Rescan affected systems to confirm remediation 4.2. Close tracking ticket with evidence 4.3. Document lessons learned for recurring issues

7.4 Patch Management

System CategoryPatching WindowTesting RequirementRollback Plan
Operating SystemsWeekly maintenance windowStaging validationSnapshot restore
Container Base ImagesContinuous rebuildCI/CD pipeline validationPrevious image rollback
Application DependenciesWith application releasesFull regression testingVersion rollback
Database EnginesMonthly maintenance windowStaging validation + backupPoint-in-time recovery
Network DevicesQuarterlyLab environment validationConfiguration rollback

7.5 Vulnerability Metrics (FY2025 Actuals)

MetricTargetActualStatus
Critical MTTR72 hours54 hoursExceeds target
High MTTR14 days9.2 daysExceeds target
Medium MTTR30 days22 daysExceeds target
Vulnerability backlog (High+)00On target
Scan coverage100%100%On target
False positive rate< 10%7.3%Exceeds target

Security Operations and Monitoring

8.1 Security Operations Center

Acme Cloud operates a Security Operations Center (SOC) providing 24/7/365 monitoring and response capability.

SOC FunctionCoverageStaffing ModelEscalation Path
Alert monitoring24/7/365Follow-the-sun (3 regions)Tiered escalation
Incident response24/7/365On-call rotation + SOC analystsCISO for SEV1
Threat intelligenceBusiness hours + on-callDedicated analystSecurity Engineering
ForensicsOn-demandSpecialized teamLegal coordination

8.2 Security Information and Event Management (SIEM)

Acme Cloud aggregates security telemetry in Datadog SIEM:

Log SourceRetention (Hot)Retention (Archive)Use Case
Application logs30 days1 yearError analysis, behavior anomaly
Infrastructure logs30 days1 yearConfiguration changes, resource access
Security event logs90 days7 yearsIncident investigation, compliance
Authentication logs90 days7 yearsAccess auditing, compromise detection
Network flow logs14 days1 yearNetwork forensics, lateral movement
WAF logs30 days1 yearAttack analysis, rule tuning

8.3 Detection and Alerting

Detection CategoryDetection MethodAlert ThresholdResponse SLA
Brute force attacksFailed authentication threshold10 failures in 5 minutes15 minutes
Credential stuffingDistributed login patternsAnomaly detection30 minutes
Data exfiltrationUnusual data transfer volume2 standard deviations30 minutes
Privilege escalationUnauthorized admin actionsAny occurrence15 minutes
Malware executionEDR behavioral detectionAny detection15 minutes
Lateral movementUnusual internal connectionsAnomaly detection30 minutes
Configuration tamperingUnauthorized IaC changesAny occurrence15 minutes

8.4 Threat Intelligence Program

Acme Cloud maintains a threat intelligence program to proactively identify risks:

Intelligence SourceUpdate FrequencyIntegration
Commercial threat feedsReal-timeSIEM correlation rules
Industry ISACsWeeklyAnalyst review, indicator import
Vendor security bulletinsAs publishedVulnerability management integration
Internal honeypotsContinuousAutomated indicator extraction
Bug bounty programContinuousVulnerability pipeline

Incident Response

9.1 Incident Classification

SeverityDefinitionExampleResponse TimeCustomer Notification
SEV1 - CriticalConfirmed data breach, complete service outageCustomer data exfiltration, ransomwareImmediateWithin 24 hours
SEV2 - HighService compromise, significant degradationUnauthorized access, partial outage1 hourWithin 48 hours
SEV3 - MediumContained security eventBlocked attack, limited impact4 hoursAs warranted
SEV4 - LowMinor security anomalyPolicy violation, false positive24 hoursNot required

9.2 Incident Response Process

Phase 1: Detection and Identification (SLA: 15 minutes for SEV1/2)

  1. Alert triggered via monitoring systems
  2. SOC analyst performs initial triage
  3. Severity classification applied
  4. Incident ticket created with initial details
  5. Incident commander assigned for SEV1/2

Phase 2: Containment (SLA: 1 hour for SEV1)

  1. Immediate containment actions executed (isolation, blocking)
  2. Evidence preservation initiated
  3. Impact assessment conducted
  4. Stakeholder notification per severity
  5. Customer communication drafted if required

Phase 3: Eradication (Variable based on incident)

  1. Root cause identified
  2. Malicious artifacts removed
  3. Vulnerabilities remediated
  4. Additional detection deployed
  5. Verification scanning completed

Phase 4: Recovery (Variable based on incident)

  1. Systems restored from clean state
  2. Monitoring enhanced for recurrence
  3. Normal operations resumed
  4. Customer communication sent if affected
  5. All-clear notification to stakeholders

Phase 5: Post-Incident (SLA: 5 business days)

  1. Post-incident review conducted
  2. Timeline and root cause documented
  3. Lessons learned identified
  4. Improvement actions assigned
  5. Incident report finalized

9.3 Customer Notification Commitments

Notification TriggerTimelineCommunication MethodContent
Confirmed breach of customer data24 hoursEmail to admin contacts, in-app bannerNature of incident, data affected, remediation
Service compromise (no confirmed exfiltration)48 hoursEmail to admin contactsNature of incident, containment actions
Regulatory-required notificationPer regulation (typically 72 hours)Formal noticeRequired disclosures
Scheduled maintenance5 business days advanceEmail, status pageMaintenance window, expected impact

9.4 Incident Response Testing

Exercise TypeFrequencyParticipantsObjectives
Tabletop exerciseQuarterlyCross-functional leadershipDecision-making, communication
Technical simulationSemi-annuallySecurity Operations, EngineeringDetection, containment procedures
Full-scale exerciseAnnuallyAll teams including executiveEnd-to-end response, customer notification
Purple team engagementAnnuallySecurity + third-party red teamDetection gaps, control effectiveness

Business Continuity and Disaster Recovery

10.1 Business Continuity Objectives

Service TierRTORPOAvailability TargetDR Region
Core Platform (API, UI)4 hours1 hour99.9% monthlyeu-west-1
Data Processing8 hours4 hours99.5% monthlyeu-west-1
Reporting/Analytics24 hours24 hours99.0% monthlyBest effort
Internal Systems48 hours24 hours99.0% monthlyN/A

10.2 Disaster Recovery Architecture

ComponentPrimaryDRReplication MethodFailover Type
DatabaseRDS Multi-AZ us-east-1RDS Read Replica eu-west-1Asynchronous (< 1 minute lag)Manual promotion
Object StorageS3 us-east-1S3 eu-west-1Cross-region replicationAutomatic
ApplicationECS us-east-1ECS eu-west-1 (scaled down)IaC deploymentRoute 53 failover
SecretsSecrets Manager us-east-1Secrets Manager eu-west-1Cross-region replicationAutomatic
DNSRoute 53 GlobalRoute 53 GlobalN/A (global service)Health check failover

10.3 Backup and Recovery

Data TypeBackup FrequencyRetentionTesting FrequencyRecovery Procedure
Database (full)Daily90 daysQuarterly restore testPoint-in-time recovery
Database (transaction logs)Continuous90 daysWith full restore testLog replay
Object storageVersioning enabled90 daysQuarterly sample recoveryVersion restoration
Configuration (IaC)Every commitIndefinite (Git)With each deploymentGit revert + deploy
SecretsAutomatic replicationN/AQuarterly validationSecrets Manager restore

10.4 DR Testing

Test TypeFrequencyScopeSuccess Criteria
Backup restore validationQuarterlySample database and file restoreData integrity verified
DR failover (partial)Semi-annuallySingle service failoverService restored within RTO
DR failover (full)AnnuallyComplete region failoverPlatform restored within RTO
Communication testQuarterlyStakeholder notificationAll contacts reached

Third-Party Risk Management

11.1 Vendor Classification

TierCriteriaAssessment RequirementReview Frequency
CriticalProcesses customer data, single point of failureFull security assessment, SOC 2 requiredAnnually
HighAccesses production systems, processes internal dataSecurity questionnaire, SOC 2 preferredAnnually
MediumAccesses internal systems, no productionSecurity questionnaireEvery 2 years
LowNo system access, public information onlyStandard due diligenceContract renewal

11.2 Vendor Assessment Process

Step 1: Initial Screening 1.1. Business sponsor submits vendor request 1.2. Security classifies vendor tier 1.3. Conflict of interest and sanctions screening

Step 2: Security Assessment 2.1. Security questionnaire distributed (SIG Lite for standard, full SIG for critical) 2.2. SOC 2 report review (where available) 2.3. Technical security review (for integrations) 2.4. Findings documented and risk rated

Step 3: Risk Acceptance 3.1. Findings reviewed with business sponsor 3.2. Remediation requirements or risk acceptance determined 3.3. Contractual security requirements confirmed 3.4. CISO approval for High/Critical vendors with material findings

Step 4: Ongoing Monitoring 4.1. Continuous monitoring for security incidents 4.2. Annual reassessment per tier requirements 4.3. Contract renewal security review

11.3 Subprocessor Management

Current subprocessor list maintained at /subprocessor-list.

Subprocessor CategoryCountAssessment StatusNotification Process
Infrastructure (AWS, Cloudflare)2Annual SOC 2 review30-day advance notice
Data Processing (Analytics, support)5Annual questionnaire30-day advance notice
Security Tools4Annual SOC 2 review30-day advance notice
Business Tools (no customer data)8Risk-based reviewN/A

Compliance and Audit

12.1 Current Certifications and Attestations

CertificationScopeStatusRenewal
SOC 2 Type IISaaS platform (Security, Availability, Confidentiality)ActiveAnnual
ISO 27001Information Security Management SystemIn progress (Q3 2026 target)Annual surveillance
CSA STAR Level 1Cloud security self-assessmentPlanned (Q4 2026)Annual
HIPAABAA customersBAA availableN/A (contractual)
GDPREU data subjectsCompliantContinuous

12.2 Audit Calendar

Audit TypeAuditorTimingDurationOutput
SOC 2 Type IIDeloitteQ4 annually4 weeksSOC 2 report
ISO 27001 Stage 2BSIQ3 20262 weeksCertification
Penetration testNCC GroupQ3 annually2 weeksExecutive summary
Internal auditGRC TeamQuarterlyOngoingFinding reports
Privacy impact assessmentPrivacy EngineeringPer material changeVariablePIA report

12.3 Evidence Collection and Management

Evidence TypeCollection MethodRetentionAccess
Policy documentsDocument management systemIndefiniteGRC team, auditors
Access review recordsPAM tool exports7 yearsGRC team, auditors
Change recordsJira + GitHub7 yearsGRC team, auditors
Training completionLMS exports7 yearsGRC team, auditors
Vulnerability scansSecurity tool exports3 yearsSecurity team, auditors
Incident recordsIncident management system7 yearsSecurity team, auditors

Customer Security Features

13.1 Security Controls by Plan

FeatureFreeProfessionalEnterprise
MFA enforcementAvailableAvailableAvailable
SSO (SAML/OIDC)Not availableAvailableAvailable
SCIM provisioningNot availableNot availableAvailable
IP allowlistingNot availableNot availableAvailable
Audit log access7 days90 days1 year + export
Session timeout configurationDefault onlyConfigurableConfigurable
Data residency selectionUS onlyUS/EUUS/EU/UK/APAC
Customer-managed encryption keysNot availableNot availableAvailable
Custom data retentionNot availableNot availableAvailable
Security questionnaire supportSelf-service10 business days5 business days
Architecture reviewNot availableNot availableAvailable
CISO briefingNot availableNot availableAnnual

13.2 Complementary User Entity Controls (CUECs)

Customers are responsible for the following security controls within the shared responsibility model:

CUEC CategoryCustomer ResponsibilityAcme Cloud Support
User access managementProvision/deprovision users appropriatelySSO, SCIM, admin console
Authentication strengthEnforce MFA for usersMFA enforcement setting
Session managementConfigure appropriate session timeoutsConfigurable timeout settings
Access reviewsReview user access periodicallyAudit log access, user export
Integration securitySecure API keys and webhooksKey rotation, IP restrictions
MonitoringMonitor audit logs for suspicious activityAudit log export, SIEM integration
Data classificationApply appropriate classification to dataRole-based access controls
Incident reportingReport security concerns promptlySecurity contact, in-app reporting

Framework Mapping Appendix

SOC 2 Trust Services Criteria Mapping

TSCControl AreaKey ControlsEvidence
CC1.1Control EnvironmentSecurity policies, organizational structurePolicy documents, org charts
CC2.1CommunicationSecurity awareness trainingTraining records
CC3.1Risk AssessmentRisk assessment processRisk register, assessment reports
CC4.1MonitoringContinuous monitoring, log reviewSIEM dashboards, alert records
CC5.1Control ActivitiesAccess controls, change managementAccess review records, change tickets
CC6.1Logical AccessIdentity management, authenticationIAM configurations, MFA enforcement
CC6.6System OperationsIncident response, backup/recoveryIR records, backup test results
CC6.7Change ManagementSDLC, change controlsChange tickets, deployment records
CC7.1System MonitoringSecurity monitoring, vulnerability managementScan reports, alert records
CC7.2Incident ResponseIR plan, incident handlingIR plan document, incident records
CC7.3RecoveryBusiness continuity, DRDR test results, backup records
CC7.4Vendor ManagementThird-party risk managementVendor assessments, contracts

ISO 27001 Annex A Control Mapping

Annex A ControlAcme Cloud ImplementationEvidence
A.5.1 Policies for information securityInformation Security Policy, supporting standardsPolicy documents
A.5.2 Information security rolesRACI matrix, job descriptionsOrg documentation
A.6.1 ScreeningBackground checksHR records
A.6.2 Terms and conditionsEmployment agreements, NDASigned agreements
A.7.1 Asset managementAsset inventory, classificationCMDB, data classification
A.8.1 Access controlIAM policy, access reviewsAccess records
A.8.2 CryptographyEncryption standardsTechnical configurations
A.8.3 Physical securityOffice security, data center SOC 2Access logs, vendor reports
A.8.4 Operations securityChange management, capacity planningChange records, metrics
A.8.5 Network securityNetwork segmentation, firewallsNetwork diagrams, configs
A.8.6 Application securitySecure SDLC, code reviewReview records, scan reports
A.8.7 Supplier relationshipsVendor management programAssessments, contracts
A.8.8 Incident managementIR plan, proceduresIR records
A.8.9 Business continuityBC/DR plans, testingDR test results
A.8.10 ComplianceCompliance monitoring, auditsAudit reports

Related Trust Center documents

access control, encryption standards, incident response, penetration testing, compliance frameworks, business continuity, third party risk, vulnerability disclosure, backup recovery, data retention

Document revision history

VersionDateAuthorSummary of changes
1.02024-06-01Legal & ComplianceInitial Trust Center publication
2.02025-03-15GRC ProgramSOC 2 Type II alignment refresh; expanded subprocessors
2.52025-09-01Security EngineeringEncryption standards update; ISO 27001 mapping
3.02026-01-15Trust Center ProgramFull procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

ChannelEmailUse case
Trust & procurementtrust@acmecloud.comSecurity questionnaires, trust reviews
Securitysecurity@acmecloud.comIncidents, vulnerabilities, control questions
Privacyprivacy@acmecloud.comDSRs, privacy assessments
Legallegal@acmecloud.comContractual, DPA, legal notices
Last updated: January 15, 2026
EthicPages logoEthicPages