
Annual Security Policy Review

Purpose

This policy defines the scope of RunWhen’s annual security policy reviews.


User Credentials

  • Reconcile user credentials for Google Workspace here with active employees/contractors.

  • Reconcile user credentials for GitHub here and here with active employees/contractors.


Endpoint Security (macOS Fleet)

  • All Macs enrolled in MDM (Jamf/Kandji/Mosyle).

  • FileVault enabled and keys escrowed.

  • Firewall enabled.

  • Automatic OS updates enforced.

  • Auto-lock after ≤15 minutes inactivity (screenshot or MDM report).

  • USB storage devices blocked by policy.

  • Verify MDM compliance reports available for audit.


Data Protection

  • Data Retention & Deletion Policy reviewed and updated.

  • Verify scheduled deletion jobs (Google Workspace, GitHub, databases, logs).

  • Spot-check 1–2 customer offboarding cases for data deletion evidence.

  • Verify backups are encrypted and tested for restoration.


Cloud & SaaS Security

  • Review IAM permissions for all individuals and groups here.

  • Review GCP audit logs here for any unexplained access.

  • Verify MFA enabled for cloud admin accounts.

  • Review GitHub org-level security settings (branch protection, code scanning).

  • Review all production firewall rules here and change requests here for accuracy.

  • Confirm monitoring/logging tools are enabled (GCP audit logs).


Policies & Procedures

  • Review all policy documents here, including:

    • Data Deletion Policy reviewed and approved.

    • Access Control Policy reviewed and approved.

    • Incident Response Plan tested with at least one tabletop exercise.

    • Business Continuity Plan reviewed, disaster recovery tested.

  • Security awareness training delivered to all employees.


Vendor & Third-Party Risk

  • Review the list of active vendors with any API keys stored in the vault.

  • Ensure vendor contracts include data protection/security terms.

  • Reassess critical vendors (cloud providers, SaaS tools, contractors).


Audit Evidence

  • Collect and archive screenshots, compliance reports, and logs.

  • Store evidence in a secure internal drive with date stamps.

  • Document remediation for any failed checks.

Governance

This policy is jointly owned by the Head of Engineering and Head of Security/Compliance, and it is reviewed at least annually or whenever test practices evolve significantly.

For any questions or clarifications regarding this policy, please contact the Security or Engineering leadership team.