Security Overview
Last updated: 14 Sep 2025
1. Governance & Frameworks
Controls mapped to ISO/IEC 27001 control domains and tracked through a continuous-improvement cycle; policies reviewed at least annually.
2. Infrastructure
Hardened, containerised workloads; encrypted block and object storage; WAF and DDoS protection; least-privilege IAM; production and staging in separate accounts.
3. Data Protection
Encryption in transit (TLS 1.2 or later); encryption at rest (AES-256); salted hashing of sensitive identifiers at field level; key management in an HSM-backed KMS with strict separation of duties.
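The field-level hashing claim hides a practical choice: a random per-record salt defeats dictionary attacks but also prevents looking a record up by its identifier, so systems that need equality lookups usually use a secret key held in the KMS (a keyed hash, HMAC) instead. The example below is added here and is not the organisation's code; it contrasts an unkeyed hash with an HMAC-SHA256 token, runs the same guess list against both, and shows the keyed store still supports lookups. The key bytes, guess list and records are constructed for the demo.

```python
"""Field-level pseudonymisation of a sensitive identifier (added example).

The key is a placeholder for a secret that would be fetched from an
HSM-backed KMS at runtime; the guess list and records are constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional


def normalise(identifier: str) -> str:
    # Canonicalise before hashing so "Alice@Example.com " and
    # "alice@example.com" produce the same token.
    return identifier.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed, unsalted SHA-256 (the weak form).

    Deterministic, so lookups work, but anyone holding the hashed column can
    recover low-entropy identifiers (e-mail addresses) by hashing guesses.
    """
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key (the hardened form).

    Deterministic for a given key, so equality lookups still work, but without
    the key a dictionary attack on the stored tokens yields nothing.
    """
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, guesses: List[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker with the hashed column and a guess list can do."""
    for guess in guesses:
        if hmac.compare_digest(hash_fn(guess), token):
            return guess
    return None


class PseudonymisedStore:
    """Records indexed by keyed-hash token rather than by raw identifier."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records: Dict[str, dict] = {}

    def put(self, identifier: str, record: dict) -> str:
        token = keyed_hash(identifier, self._key)
        self._records[token] = record
        return token

    def get(self, identifier: str) -> Optional[dict]:
        return self._records.get(keyed_hash(identifier, self._key))

    def tokens(self) -> List[str]:
        return list(self._records)


def run_demo(key: bytes) -> dict:
    """Run the same guess list against both schemes and report the outcome."""
    # Constructed guess list: what an attacker might try against a leaked column.
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    leaked_naive = naive_hash("alice@example.com")
    store = PseudonymisedStore(key)
    store.put("Alice@Example.com", {"plan": "pro"})  # constructed record
    leaked_keyed = store.tokens()[0]
    return {
        # Unkeyed hash: the identifier is recovered from the guess list.
        "naive_recovered": dictionary_attack(leaked_naive, guesses, naive_hash),
        # Keyed hash: the attacker has no key, so no guess matches.
        "keyed_recovered": dictionary_attack(leaked_keyed, guesses, naive_hash),
        # The legitimate service, holding the key, can still look records up.
        "lookup_works": store.get("alice@example.com") == {"plan": "pro"},
    }


if __name__ == "__main__":
    # Placeholder key for the demo; never hard-code a real key.
    print(run_demo(b"\x00" * 32))
```

Key rotation is the operational cost of this scheme: tokens are bound to the key, so rotating it means re-tokenising the column, which is why the key lives behind a KMS with separation of duties rather than in application config.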
4. Secure SDLC
Static analysis and dependency scanning on every commit; signed build artifacts; manual security review for high-risk changes; secret detection that blocks commits containing credentials.
5. Identity & Access
MFA enforced for privileged accounts; just-in-time (JIT) privilege elevation; role-based access control (RBAC); session timeouts; automated de-provisioning workflows; periodic access recertification.
6. Monitoring & Logging
Centralised log aggregation, immutable audit trails, anomaly detection, behavioural analytics, 24/7 alerting with defined escalation paths.
7. Vulnerability Management
Weekly automated scans plus monthly authenticated scans; critical vulnerabilities triaged within 24 h; patch SLAs: Critical < 72 h, High < 7 days, Medium < 30 days.
8. Incident Response
Documented runbooks; tabletop and technical simulation exercises at least twice a year; post-incident reviews producing tracked corrective actions.
9. Business Continuity
Multi-AZ redundancy; automated backups with regularly tested point-in-time recovery; recovery point objective (RPO) ≤ 15 min and target recovery time objective (RTO) < 2 h for critical services.
10. Customer Responsibilities
Maintain strong identity hygiene, review audit logs, define and enforce role boundaries, rotate credentials, and report suspected issues promptly.
11. Contact
Security inquiries & disclosures: security@custosadvisory.club. We encourage encrypted reports (PGP details available on request).