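---
# Information Security Policy for Cloud and Web Applications (Layer 3)
# Conforms to Gemara Layer 3 #Policy (layer-3.cue).
# Aligned to threat-assessment-guide scope (SEC.SLAM.CM) and policy guide.
# NOTE(review): layout restored from a flattened copy; the nesting of
# assessment-requirement-modifications (under the catalog import) and
# enforcement-methods (under adherence) is inferred — confirm against layer-3.cue.
title: "Information Security Policy for Cloud and Web Applications"

metadata:
  id: "org-policy-001"
  type: "Policy"
  gemara-version: "0.20.0"
  description: "Policy for cloud and web application security; references control catalogs."
  version: "1.0.0"
  author:
    id: "security-team"
    name: "Security Team"
    type: "Human"
  mapping-references:
    - id: "SEC.SLAM.CM"
      title: "Container Management Tool Security Control Catalog"
      version: "1.0.0"
      description: "Control catalog for container management tool security."

contacts:
  responsible:
    - name: "Platform Engineering"
      affiliation: "Engineering"
      email: "platform@example.com"
  accountable:
    - name: "CISO"
      affiliation: "Security"
      email: "ciso@example.com"

scope:
  in:
    technologies:
      - "Cloud Computing"
      - "Web Applications"
    geopolitical:
      - "United States"
      - "European Union"

imports:
  catalogs:
    - reference-id: "SEC.SLAM.CM"
      # Org-specific tightening of the imported catalog's assessment requirements.
      assessment-requirement-modifications:
        - id: "CTL02-AR01-strict"
          target-id: "SEC.SLAM.CM.CTL02.AR01"
          modification-type: "Override"
          modification-rationale: "Require TLS and certificate pinning for all registry communication in this org."
          # NOTE(review): pinning to a certificate or key needs a documented rotation
          # procedure so that registry certificate renewal does not break pulls — not
          # covered by this policy text; confirm where that is owned.
          text: "The system MUST use TLS/SSL for all registry communication and MUST pin to the expected server certificate or public key (or certificate chain) for the registry."
        - id: "CTL02-AR02-strict"
          target-id: "SEC.SLAM.CM.CTL02.AR02"
          modification-type: "Override"
          modification-rationale: "Require VPN or trusted path on untrusted networks for registry traffic in this org."
          text: "On untrusted networks, the system or deployment pipeline MUST use a VPN or other trusted path for registry traffic, or MUST restrict image pulls to environments where the network is trusted."

implementation-plan:
  notification-process: "Policy communicated via internal wiki and team leads; rollout via Platform Engineering."
  evaluation-timeline:
    start: "2025-03-01T00:00:00Z"
    end: "2025-06-01T00:00:00Z"
    notes: "Initial evaluation phase; automated checks rolled out by Q2."
  # Enforcement starts on the day the evaluation window ends; no end date (open-ended).
  enforcement-timeline:
    start: "2025-06-01T00:00:00Z"
    notes: "Enforcement begins after evaluation baseline is established."

adherence:
  evaluation-methods:
    - id: "EV-AUTO-01"
      type: "Behavioral"
      mode: "Automated"
      required: true
      description: "CI pipeline runs control checks via Privateer."
    - id: "EV-MANUAL-01"
      type: "Behavioral"
      mode: "Manual"
      required: true
      description: "Quarterly review of exception requests."
  # Only CTL01.AR01 has a per-requirement plan; the overridden CTL02.AR01/AR02
  # requirements above have none, so their stricter text is not continuously assessed.
  assessment-plans:
    - id: "plan-ctl01-ar01"
      requirement-id: "SEC.SLAM.CM.CTL01.AR01"
      frequency: "every push"
      evaluation-methods:
        - id: "EV-AUTO-02"
          type: "Behavioral"
          mode: "Automated"
          required: true
  enforcement-methods:
    - id: "EM-GATE-01"
      type: "Gate"
      mode: "Automated"
      required: true
      description: "Block merge if control check fails."
  non-compliance: "Non-compliance is reported to responsible contacts and tracked in issue tracker; critical failures block deployment."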