johan
/
inou
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
inou/docs/soc2/security-policy.md

327 lines
7.4 KiB
Markdown
Raw Blame History

# Security Policy
**Version:** 1.0
**Effective:** January 2026
**Owner:** Johan Jongsma
**Review:** Annually
---
## 1. Purpose
Establish security requirements for inou systems, data, and operations.
---
## 2. Scope
- All inou systems (production, staging)
- All data processed by inou
- All administrative access
---
## 3. Roles and Responsibilities
| Role | Responsibilities |
|------|------------------|
| Owner (Johan Jongsma) | Security policy, incident response, system administration, compliance |
---
## 4. Access Control
### 4.1 Administrative Access
| System | Method | Requirements |
|--------|--------|--------------|
| Production server | SSH | Ed25519 key, admin subnet only |
| Staging server | SSH | Ed25519 key, admin subnet only |
| Database | Local only | No remote connections |
| Backups (Google Drive) | rclone | Encrypted credentials |
| Master key (Proton Pass) | Web/app | E2E encrypted, 2FA |
### 4.2 User Authentication
| Method | Specification |
|--------|---------------|
| Login | Email + 6-digit verification code |
| Code expiry | 10 minutes |
| Session duration | 30 days |
| API tokens | AES-256-GCM encrypted, 4-hour expiry |
| OAuth | Authorization code + PKCE |
### 4.3 Principle of Least Privilege
- Users access only their own data by default
- Explicit grants required for shared access
- RBAC enforced at data layer
- API tokens scoped to specific dossiers
---
## 5. Data Protection
### 5.1 Classification
| Level | Examples | Protection |
|-------|----------|------------|
| Critical | Medical images, genome data, lab results | Encrypted at rest and transit |
| Confidential | Names, emails, dates of birth | Encrypted at rest and transit |
| Internal | Logs, configs | Access restricted |
### 5.2 Encryption Standards
| Layer | Standard |
|-------|----------|
| Disk | Full disk encryption |
| Database fields | AES-256-GCM |
| Transit | TLS 1.3 |
| Tokens | AES-256-GCM |
| Compliance | FIPS 140-3 |
### 5.3 Key Management
| Key | Storage | Backup |
|-----|---------|--------|
| Master key | /tank/inou/master.key (chmod 600) | Proton Pass |
| TLS certificates | Caddy auto-managed | Let's Encrypt renewal |
| SSH keys | ~/.ssh/ | Local backup |
---
## 6. Infrastructure Security
### 6.1 Network Architecture
| Zone | Network | Purpose |
|------|---------|---------|
| Production | VLAN 10 (192.168.100.0/24) | Isolated production environment |
| Admin | 192.168.1.0/24 | Administrative access |
| DMZ | 192.168.0.0/24 | Reverse proxy (Caddy) |
### 6.2 Firewall Policy
**Default:** Deny all incoming
**Application Server (192.168.100.2):**
| Port | Source | Purpose |
|------|--------|---------|
| 22/tcp | Admin subnet only | SSH |
| 443/tcp | Any | HTTPS |
| 1080 | Caddy only | Internal proxy |
### 6.3 OS Hardening
| Control | Implementation |
|---------|----------------|
| Operating system | Ubuntu 24.04 LTS |
| Updates | Automatic (unattended-upgrades) |
| Firewall | UFW, default deny |
| SSH | Key-only, password disabled |
| MAC | AppArmor enforcing |
| Intrusion prevention | Fail2ban (sshd) |
| Kernel | SYN cookies, RP filter, ASLR |
---
## 7. Application Security
### 7.1 Secure Development
| Practice | Implementation |
|----------|----------------|
| SQL injection prevention | Parameterized queries only |
| Input validation | All external input validated |
| Output encoding | Context-appropriate encoding |
| Cryptography | Go standard library, FIPS 140-3 |
| Dependencies | Minimal, reviewed |
### 7.2 Prohibited Practices
- Direct database access outside `lib/db_queries.go`
- Hardcoded credentials or keys
- Logging of sensitive data
- Custom cryptography implementations
- Disabled security controls
### 7.3 Deployment Security
| Control | Implementation |
|---------|----------------|
| Pre-deploy validation | `make check-db` (mandatory) |
| Testing | 18 integration tests |
| Staging | Required before production |
| Rollback | ZFS snapshots available |
---
## 8. Physical Security
### 8.1 Facility
| Control | Implementation |
|---------|----------------|
| Location | Private secure facility |
| Access control | Alarm system with monitoring |
| Power | UPS + natural gas generator |
| Connectivity | Fiber + Starlink backup |
### 8.2 Server Security
| Control | Implementation |
|---------|----------------|
| Disk encryption | Full disk encryption |
| Physical access | Owner only |
| Console | Headless, no KVM |
### 8.3 Media Disposal
Failed or decommissioned storage media is physically destroyed.
---
## 9. Incident Response
See: [Incident Response Plan](incident-response-plan.md)
**Contact:** security@inou.com
### Severity Classification
| Severity | Response Time |
|----------|---------------|
| Critical | < 1 hour |
| High | < 4 hours |
| Medium | < 24 hours |
| Low | < 72 hours |
---
## 10. Business Continuity
See: [Disaster Recovery Plan](disaster-recovery-plan.md)
| Metric | Target |
|--------|--------|
| RTO | 4 hours |
| RPO | 24 hours |
| SLA | 99.9% (excluding maintenance) |
---
## 11. Compliance
### Regulatory Framework
| Regulation | Applicability |
|------------|---------------|
| HIPAA | US health data |
| GDPR | EU residents |
| FADP | Swiss residents |
| CCPA | California residents |
### Audit Requirements
- Maintain audit logs for 7 years
- Annual security review
- Document all security incidents
---
## 12. Third-Party Services
| Vendor | Service | Data Exposure | Controls |
|--------|---------|---------------|----------|
| Proton | SMTP | Verification codes only | E2E encryption |
| Google | Backup storage | Encrypted blobs | Pre-encryption |
| Openprovider | DNS | None | N/A |
### LLM Integration (Anthropic Claude)
- User-initiated queries only
- Data flows from inou to user's AI session
- No PHI stored by Anthropic
- No BAA required (conduit model)
---
## 13. Monitoring and Logging
### Logged Events
| Event | Retention |
|-------|-----------|
| HTTP requests | 90 days |
| Authentication | 90 days |
| Data access | 7 years |
| Security events | 7 years |
### Alerting
| Event | Alert Method |
|-------|--------------|
| Suspicious 404s | System notification |
| Tarpit triggers | Logged |
| Failed logins | Fail2ban action |
| Service outage | Uptime Kuma James AI Signal |
| Critical vulnerability | Nuclei James AI Signal |
### External Monitoring (Zurich)
| Service | Location | Purpose |
|---------|----------|---------|
| Uptime Kuma | zurich.inou.com:3001 | 24/7 availability monitoring |
| Nuclei | zurich.inou.com | Vulnerability scanning |
---
## 13a. Vulnerability Management
### Scanning Program
| Schedule | Type | Tool | Action |
|----------|------|------|--------|
| Monthly (1st, 9am ET) | Full scan | Nuclei | Report + remediate |
| Weekly (Sun, 10am ET) | Critical/High/Medium | Nuclei | Alert if found |
| Pre-release | Full scan | Nuclei | Gate deployment |
### Remediation SLAs
| Severity | Response | Resolution |
|----------|----------|------------|
| Critical | 4 hours | 24 hours |
| High | 24 hours | 7 days |
| Medium | 7 days | 30 days |
| Low | 30 days | 90 days |
### Scan Results
Results stored in: `docs/soc2/scans/YYYY-MM/`
---
## 14. Policy Maintenance
### Review Schedule
| Review | Frequency |
|--------|-----------|
| Full policy review | Annually |
| Risk assessment | Annually |
| Incident review | After each incident |
| Control testing | Quarterly |
### Change Management
Policy changes require:
1. Risk assessment of change
2. Documentation update
3. Version increment
4. Effective date notation
---
*Document end*
Reference in New Issue View Git Blame Copy Permalink