Annual Security Policy Review

Purpose

This policy defines the scope of RunWhen’s annual security policy review: the checks performed, the evidence collected, and who owns the outcome.

User Credentials

  • Reconcile the Google Workspace user list against the current roster of active employees and contractors; any account with no active owner is a finding.
  • Reconcile the GitHub organization member list against the same roster; any login with no active owner is a finding.

Endpoint Security (macOS Fleet)

  • All Macs enrolled in MDM (Jamf/Kandji/Mosyle).
  • FileVault enabled and keys escrowed.
  • Firewall enabled.
  • Automatic OS updates enforced.
  • Screen auto-lock after at most 15 minutes of inactivity (evidence: screenshot or MDM report).
  • USB storage devices blocked by policy.
  • Verify that MDM compliance reports are available for audit.

Data Protection

  • Data Retention & Deletion Policy reviewed and updated.
  • Verify scheduled deletion jobs (Google Workspace, GitHub, databases, logs).
  • Spot-check 1–2 customer offboarding cases for data deletion evidence.
  • Verify that backups are encrypted and that a restore has been tested.

Cloud & SaaS Security

  • Review IAM permissions for all individuals and groups in GCP.
  • Review GCP audit logs for any unexplained access.
  • Verify that MFA is enforced for cloud admin accounts.
  • Review GitHub org-level security settings (branch protection, code scanning).
  • Review all production firewall rules and their change requests for accuracy.
  • Confirm that monitoring and logging are enabled (GCP audit logs).
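The credential reconciliation in the User Credentials section and the GCP audit-log review above are the same operation: compare an export against the roster of people who should have access and treat every unmatched identity as a finding. The following is an added example, not RunWhen’s own tooling. All inputs are constructed; the GitHub login-to-email mapping is assumed to come from the identity system, and the audit-log lines follow the Cloud Logging JSON shape but are made up for illustration.

```python
"""Added example (not RunWhen's own tooling): reconcile account exports and
GCP audit-log principals against the active-people roster.

All inputs below are constructed for illustration. In a real review they
would be the HR roster, the Google Workspace user export, the GitHub org
member list and a Cloud Logging export of audit-log entries.
"""
import json

# Constructed HR roster: everyone who should hold credentials today.
ACTIVE_PEOPLE = {
    "alice@example.com": "employee",
    "bob@example.com": "employee",
    "carol@example.com": "contractor",
}

# Constructed Workspace export: email -> suspended flag.
WORKSPACE_USERS = {
    "alice@example.com": False,
    "bob@example.com": False,
    "dave@example.com": False,        # offboarded but never deprovisioned
    "svc-backup@example.com": False,  # service identity, documented exception
}

# Constructed GitHub org member list: login -> corporate email (the
# login-to-email mapping is assumed to come from the identity system).
GITHUB_MEMBERS = {
    "alice-dev": "alice@example.com",
    "carol-c": "carol@example.com",
    "old-intern": "erin@example.com",  # no matching roster entry
}

# Non-human identities that are allowed to exist; each must be documented.
DOCUMENTED_EXCEPTIONS = {
    "svc-backup@example.com",
    "deploy-bot@example.iam.gserviceaccount.com",
}

# Constructed audit-log entries in the Cloud Logging JSON shape
# (only the fields this check reads are included).
AUDIT_LOG_LINES = [
    json.dumps({"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                                 "methodName": "v1.compute.instances.insert"}}),
    json.dumps({"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"authenticationInfo": {"principalEmail": "deploy-bot@example.iam.gserviceaccount.com"},
                                 "methodName": "google.cloud.run.v1.Services.ReplaceService"}}),
    json.dumps({"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
                "protoPayload": {"authenticationInfo": {"principalEmail": "dave@example.com"},
                                 "methodName": "SetIamPolicy"}}),
    json.dumps({"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access",
                "protoPayload": {"authenticationInfo": {"principalEmail": "mallory@external.example"},
                                 "methodName": "storage.objects.get"}}),
]


def orphaned_workspace_accounts(workspace_users, active_people, exceptions):
    """Unsuspended Workspace accounts with no active person or documented exception."""
    return sorted(
        email for email, suspended in workspace_users.items()
        if not suspended and email not in active_people and email not in exceptions
    )


def orphaned_github_members(github_members, active_people):
    """GitHub logins whose mapped corporate email is not on the roster."""
    return sorted(login for login, email in github_members.items()
                  if email not in active_people)


def unexplained_access(log_lines, active_people, exceptions):
    """(principal, methodName) pairs for entries whose principal is neither an
    active person nor a documented exception. Admin Activity and Data Access
    entries are both checked, since either can show an orphaned identity in use."""
    findings = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        if principal and principal not in active_people and principal not in exceptions:
            findings.append((principal, payload.get("methodName", "")))
    return findings


def review_findings():
    """Assemble the evidence for the review; each non-empty list is a finding."""
    return {
        "workspace_orphans": orphaned_workspace_accounts(WORKSPACE_USERS, ACTIVE_PEOPLE, DOCUMENTED_EXCEPTIONS),
        "github_orphans": orphaned_github_members(GITHUB_MEMBERS, ACTIVE_PEOPLE),
        "unexplained_access": unexplained_access(AUDIT_LOG_LINES, ACTIVE_PEOPLE, DOCUMENTED_EXCEPTIONS),
    }


if __name__ == "__main__":
    for check, items in review_findings().items():
        print(check, "->", items or "none")
```

The exception list is deliberately explicit: a service identity that is not on it shows up as a finding, which forces the reviewer to either document it or remove it rather than silently tolerate it. The output of `review_findings()` is the kind of artifact the Audit Evidence section asks to archive alongside the remediation record.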

Policies & Procedures

  • Review all policy documents, including:
    • Data Deletion Policy reviewed and approved.
    • Access Control Policy reviewed and approved.
    • Incident Response Plan tested with at least one tabletop exercise.
    • Business Continuity Plan reviewed, disaster recovery tested.
  • Security awareness training delivered to all employees.

Vendor & Third-Party Risk

  • Review the list of active vendors and any vendor API keys stored in the vault.
  • Ensure vendor contracts include data protection/security terms.
  • Reassess critical vendors (cloud providers, SaaS tools, contractors).

Audit Evidence

  • Collect and archive screenshots, compliance reports, and logs.
  • Store evidence, date-stamped, in the secure internal drive.
  • Document remediation for any failed checks.

Governance

This policy is jointly owned by the Head of Engineering and Head of Security/Compliance, and it is reviewed at least annually or whenever practices evolve significantly.

For any questions or clarifications regarding this policy, please contact the Security or Engineering leadership team.