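# Information Security Policy for Cloud and Web Applications (Layer 3)
# Conforms to Gemara Layer 3 #Policy (layer-3.cue).
# Aligned to threat-assessment-guide scope (SEC.SLAM.CM) and policy guide.
#
# NOTE(review): this document was recovered from a copy whose indentation had
# been collapsed to a single space (which makes `author`/`id` and the two
# `evaluation-methods` keys collide as duplicates). Nesting below was
# reconstructed from the key names; validate against layer-3.cue before use.
---
title: "Information Security Policy for Cloud and Web Applications"

metadata:
  id: "org-policy-001"
  type: Policy
  gemara-version: "0.20.0"
  description: "Policy for cloud and web application security; references control catalogs."
  version: "1.0.0"
  author:
    id: security-team
    name: "Security Team"
    type: Human
  # Catalogs this policy maps to. The id here must match
  # imports.catalogs[].reference-id below.
  mapping-references:
    - id: "SEC.SLAM.CM"
      title: "Container Management Tool Security Control Catalog"
      version: "1.0.0"
      description: "Control catalog for container management tool security."

contacts:
  # Receives non-compliance reports (see adherence.non-compliance).
  responsible:
    - name: "Platform Engineering"
      affiliation: "Engineering"
      email: "platform@example.com"
  accountable:
    - name: "CISO"
      affiliation: "Security"
      email: "ciso@example.com"

scope:
  in:
    technologies:
      - "Cloud Computing"
      - "Web Applications"
    geopolitical:
      - "United States"
      - "European Union"

imports:
  catalogs:
    - reference-id: "SEC.SLAM.CM"
      # Org-specific tightening of catalog assessment requirements
      # (modification-type: Override). Both overrides target CTL02.
      assessment-requirement-modifications:
        - id: "CTL02-AR01-strict"
          target-id: "SEC.SLAM.CM.CTL02.AR01"
          modification-type: Override
          modification-rationale: "Require TLS and certificate pinning for all registry communication in this org."
          # NOTE(review): pinning to a certificate or key requires a rotation
          # procedure, otherwise registry pulls fail at renewal; the owner of
          # that procedure is not named in this policy.
          text: "The system MUST use TLS/SSL for all registry communication and MUST pin to the expected server certificate or public key (or certificate chain) for the registry."
        - id: "CTL02-AR02-strict"
          target-id: "SEC.SLAM.CM.CTL02.AR02"
          modification-type: Override
          modification-rationale: "Require VPN or trusted path on untrusted networks for registry traffic in this org."
          text: "On untrusted networks, the system or deployment pipeline MUST use a VPN or other trusted path for registry traffic, or MUST restrict image pulls to environments where the network is trusted."

implementation-plan:
  notification-process: "Policy communicated via internal wiki and team leads; rollout via Platform Engineering."
  # Evaluation runs for one quarter; enforcement starts the day evaluation ends.
  evaluation-timeline:
    start: "2025-03-01T00:00:00Z"
    end: "2025-06-01T00:00:00Z"
    notes: "Initial evaluation phase; automated checks rolled out by Q2."
  enforcement-timeline:
    start: "2025-06-01T00:00:00Z"
    notes: "Enforcement begins after evaluation baseline is established."

adherence:
  # Policy-wide evaluation methods.
  evaluation-methods:
    - id: "EV-AUTO-01"
      type: "Behavioral"
      mode: "Automated"
      required: true
      description: "CI pipeline runs control checks via Privateer."
    - id: "EV-MANUAL-01"
      type: "Behavioral"
      mode: "Manual"
      required: true
      description: "Quarterly review of exception requests."
  # NOTE(review): only CTL01.AR01 has an assessment plan here; the two CTL02
  # overrides above have none in this file. Confirm they are assessed
  # elsewhere or add plans for them.
  assessment-plans:
    - id: "plan-ctl01-ar01"
      requirement-id: "SEC.SLAM.CM.CTL01.AR01"
      frequency: "every push"
      evaluation-methods:
        - id: "EV-AUTO-02"
          type: "Behavioral"
          mode: "Automated"
          required: true
          # NOTE(review): unlike the other methods this one has no
          # description; state which check runs on each push.
  # NOTE(review): whether enforcement-methods and non-compliance belong at
  # the adherence level or inside the assessment plan could not be recovered
  # from the collapsed source; placed at the adherence level — confirm
  # against layer-3.cue.
  enforcement-methods:
    - id: "EM-GATE-01"
      type: "Gate"
      mode: "Automated"
      required: true
      description: "Block merge if control check fails."
  non-compliance: "Non-compliance is reported to responsible contacts and tracked in issue tracker; critical failures block deployment."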