IllumiDesk Security Docs
  • IllumiDesk Team Handbook
  • People Group
    • Introduction
    • General Employment
    • Employment Status & Recordkeeping
    • Working Conditions & Hours
    • Employee Benefits
    • Employee Conduct
    • Timekeeping & Payroll
  • Security and Compliance
    • Security Controls
      • BC.1.01 - Business Continuity Plan
        • IllumiDesk Business Continuity Plan
        • IllumiDesk Disaster Recovery
        • IllumiDesk Reference Architectures
        • IllumiDesk Handbook listing of DR for Databases
      • BC.1.0.2 - Business Continuity Plan: Roles and Responsibilities
      • BC.1.03 - Continuity Testing
      • BC.1.04 - Business Impact Analysis
        • Business Impact Analysis in the handbook
        • Data Protection Impact Assessment (DPIA) Policy
        • Data Protection Impact Assessments or DPIAs
        • UX Department
        • Triage Operations - Communication about expected automation impact
        • NIST BCP with reference to BIA
      • CFG.1.01 - Baseline Configuration Standard
        • Laptop or Desktop System configuration
        • Configuring New Laptops
        • Security Best Practices
      • CFG.1.03 - Configuration Checks
        • Production Change Requests Policy
      • CM.1.01 - Change Management Workflow
      • CM.1.02 - Change Approval
      • CM.1.03 - Change Management Issue Tracker
      • CM.1.04 - Emergency Changes
      • DM.1.01 - Data Classification Criteria
        • Data Classification Policy
      • DM.2.01 - Terms of Service
        • Application Terms of Use
      • DM.4.01 - Encryption of Data in Transit
        • Deprecate support for TLS 1.0 and TLS 1.1
      • DM.7.03 - Data Retention and Disposal Policy
      • IAM.1.01 - Logical Access Provisioning
        • Access Requests
        • Access Management Process
      • IAM.1.02 - Logical Access De-Provisioning
        • Access Management Process
        • Logical Access Deprovisioning
        • Access Reviews
        • IllumiDesk Offboarding Guidelines
      • IAM.1.04 - Logical Access Review
        • Access Reviews
      • IAM.1.05 - Transfers: Access De-Provisioning
        • Access Control Policy and Procedures
        • Job Transfers
        • Access Change Request
      • IAM.1.06 - Shared Logical Accounts
        • Security Process and Procedures for Team Members
        • Access Management Process
      • IAM.1.08 - New Access Provisioning
        • Access Requests
        • Access Management Process
      • IAM.2.01 - Unique Identifiers
        • Unique Account Identifiers
        • Access Control Policy and Procedures
        • Section on shared accounts in Okta handbook page
        • Access Management Process
      • IAM.2.02 - Password Authentication
      • IAM.2.03 - Multi-factor Authentication
      • IAM.3.02 - Source Code Security
      • IAM.4.01 - Remote Connections
      • IAM.6.01 - Key Repository Access
      • IR.1.01 - Incident Response Plan
      • IR.1.03 - Incident response
      • IR.1.04 - Insurance Policy
      • IR.2.02 - Incident Reporting
      • NO.1.01 - Network Policy Enforcement Points
      • PR.1.01 - Background Checks
      • RM.1.01 - Risk Assessment
      • RM.1.02 - Continuous Monitoring
        • Security Compliance
      • RM.1.04 - Service Risk Rating Assignment
      • RM.1.05 - Risk Management Policy
      • RM.3.01 - Remediation Tracking
      • SDM.1.01 - System Documentation
      • SG.1.01 - Policy and Standard Review
      • SG.2.01 - Information Security Program Content
      • SG.5.03 - Security Roles and Responsibilities
        • Incident Management Roles and Responsibilities
      • SG.5.06 - Board of Director Bylaws
        • Governance Documents
      • SG.5.07 - Board of Directors Security Program Content
        • Audit Committee Agenda Planner
      • SLC.1.01 - Service Lifecycle Workflow
      • SLC.2.01 - Source Code Management
      • SYS.1.01 - Audit Logging
      • SYS.2.01 - Security Monitoring Alert Criteria
      • SYS.2.07 - System Security Monitoring
      • TPM.1.01 - Third Party Assurance Review
      • TPM.1.02 - Vendor Risk Management
      • TRN.1.01 - General Security Awareness Training
        • Security Awareness Training
      • TRN.1.02 - Code of Conduct Training
      • VUL.1.01 - Vulnerability Scans
      • VUL.1.03 - Approved Scanning Vendor
      • VUL.2.01 - Application & Infrastructure Penetration Testing
      • VUL.3.01 - Infrastructure Patch Management
      • VUL.3.02 - End of Life Software
      • VUL.4.01 - Enterprise Protection
      • VUL.5.01 - Code Security Check
      • VUL.6.01 - External Information Security Inquiries
  • VPAT Version 2.3
Powered by GitBook
On this page
  • Control Statement
  • Context
  • Scope
  • Ownership
  • Guidance
  • Step 1: Planning
  • Step 2: Create - coding
  • Step 3: Verify - code review/ security review
  • Step 4: Change Management
  • Step 5: Packing and Release
  • Step 6: Configure and Monitor
  • Additional control information and project tracking
  • Policy Reference
  • Framework Mapping
  1. Security and Compliance
  2. Security Controls

SLC.1.01 - Service Lifecycle Workflow

Control Statement

The Service Life Cycle plan documents the phases of a major software release.

Context

The purpose of this control is to formalize the documentation and approval of software changes before those changes are implemented. This rigid process helps protect IllumiDesk from insecure code being quickly pushed out into production without proper vetting.

Scope

This control applies to all major software releases to IllumiDesk.com.

Ownership

  • Control Owner: Delivery

  • Process owner(s):

    • Delivery

    • Infrastructure

Guidance

Most of this process is already captured in current IllumiDesk workflow; the difficult part of this process will be coverage of all major software changes. Below is a detailed description of the workflow by stages:

Step 1: Planning

  • Product Section Vision - Dev explains the Manage, Plan, and Create steps of the cycle.

  • Product Development Workflow describes the validation and build tracks for the proposed changes.

Step 2: Create - coding

  • The entire engineering workflow is documented here, which describes the process from the basics such as how to pick something to work on and includes the link to the project where the issues are housed -- this is the starting point for the testing of SLC artifacts

  • Instructions on scoped labels used in updating issues using the scoped labels workflow:: series through development to the product development timeline -- following the scoped labels can be useful in testing the different parts of the cycle

  • The handbook section on code review process-- this is represented within issues as the Reviewer Roulette function

  • in the IllumiDesk Docs, guidelines are documented.

Step 3: Verify - code review/ security review

  • All code merged into the IllumiDesk.com codebase must be reviewed by an authorized Reviewer, as described in our code review documentation

  • The security release process is documented in the handbook-- *is useful for testing the Verify step of the DevOps cycle and Secure value stage

Step 4: Change Management

  • The Change Management process is documented in the handbook. It provides guidance on using the appropriate label based on the type of change, such as DeploymentNewFeature.

Step 5: Packing and Release

  • Infrastructure for the IllumiDesk system is defined as code and deployed using Terraform and Chef. These act as baseline configurations for our production systems. Changes made to those repositories - and therefore to our infrastructure - is subject to the same review process as our codebase.

  • Engineering Workflow section in the handbook notes labels and milestones and more specific information on the workflow labels

  • For other Infrastructure team specifics, there's the Infrastructure Library page.

Step 6: Configure and Monitor

  • The design of the CI/CD pipeline for IllumiDesk.com is documented in the handbook

  • Coupled with IllumiDesk Flow and the working in CE/EE codebase blueprint, this covers most of the SDLC.

  • For a description of how IllumiDesk uses the CI/CD internally for the IllumiDesk system, there's this Infrastructure page.

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Service Lifecycle Workflow control issue.

Examples of evidence an auditor might request to satisfy this control:

  • Documentation outlining our development and release workflows

  • Sample releases and their respective reviews

  • Sample pipeline artifacts and merge request reviews

  • Feature requests would be a great example of this process since they are planned via epics and issues, created via MR's, and then run through a IllumiDesk pipeline to satisfy the remaining requirements for this control

Policy Reference

  • Engineering Workflow

  • Security Releases

  • Code Review

  • Change Management

Framework Mapping

  • SOC2 CC

    • CC8.1

PreviousAudit Committee Agenda PlannerNextSLC.2.01 - Source Code Management

Last updated 1 year ago