Requirements

This page summarizes CLD’s SDLC policy and baseline controls. It is the canonical reference for vendor deliverables, release gates, and evidence required at each stage.

  • Policy owner (ISO): Mary Mouradian

  • Executive Sponsor: (Executive Sponsor name) — approves exceptions and residual risk

  • Vendor Manager: (Vendor Manager name) — vendor performance, evidence cadence, escalation

  • Scope: third‑party web/mobile apps, APIs/integrations, IaC/templates, data pipelines, container images, and major SaaS configurations.

  • Default data residency: Canada‑only for storage and administrative access. Exceptions require documented risk assessment and approval with expiry.

  • Gates: Intake → Design → Pre‑Production → Go‑Live → Post‑Go‑Live (30‑day review). Each gate requires specific evidence and sign‑off (see annexes).

  • Build/CI controls: SAST on change sets; SCA + SBOM per build; secrets scanning; IaC and container image scanning; artifact signing; automated fail gates with documented waivers.

  • Testing & Assurance: DAST pre‑prod; annual 3rd‑party pentest after material changes; annual code scan; evidence package per release (SBOM, SAST/SCA/DAST summaries, changelog, rollback plan, logging schema updates, UAT sign‑off).

  • Vulnerability SLAs (baseline): Critical 7 days / High 30 days / Medium 60 days / Low 90 days. POA&M required for open items with owners and target dates.

  • Logging & SIEM: Mandatory event families (authN/authZ, admin changes, permission changes, lifecycle events, API calls, uploads/exports, control blocks). Retention baseline: 12 months. NTP/time sync required; redaction rules enforced.

  • Identity: SSO (OIDC/SAML) integration with CLD IdP; MFA required for admin and restricted data; standard RBAC roles and time‑boxed third‑party support accounts with auditable sessions.

  • API security: OAuth2/OIDC for user flows; client‑credentials or mTLS for service‑to‑service; token TTLs, scope least‑privilege, rate limits and replay protections.

  • File upload: Allowed MIME types, AV scanning, quarantine behavior, max file size (suggested 100MB), strip image EXIF/GPS metadata on ingest.

  • Availability & DR: Tiered RTO/RPO targets, encrypted backups, restore test cadence and evidence (to be defined per solution tier).

  • Release management: Change classification, notice periods by risk class, rollback plans mandatory, canary/blue‑green recommended for high‑risk releases.

  • Third‑party expectations: SOC 2 Type 2 for key vendors/subprocessors where applicable; annual pentest and code scan; cooperation with audits and right‑to‑audit clauses.

  • Metrics & Training: KPIs (release frequency, change failure rate, time‑to‑remediate, evidence completeness); role‑based secure SDLC training required for staff and vendors.

  • Exceptions: Formal exception process with compensating controls, owner, ISO + Executive Sponsor approval, and expiry date.

See annexes for templates: design review checklist, release evidence checklist, POA&M template, SBOM submission instructions, logging field dictionary.