1. Purpose
This policy establishes CLD’s governance and minimum security, privacy, and quality requirements for software and configuration delivered by third parties on CLD’s behalf. It applies to custom or customized web/mobile applications, APIs and integrations, data pipelines, low/no‑code solutions, and significant SaaS configurations that process CLD or client data. The policy ensures that all vendor‑delivered changes follow a consistent, auditable life cycle from requirements through retirement, and that releases meet CLD’s baseline controls for confidentiality, integrity, availability, and lawful processing of personal information.
This policy is necessary because CLD does not develop systems in‑house and depends on external vendors for build and operation. CLD retains accountability for outcomes, legal compliance, and client obligations, while vendors are responsible for implementing secure SDLC practices and supplying verifiable evidence. Where a client contract or law is stricter than this policy, the stricter requirement prevails.
The policy directs vendors to design and operate solutions with security and privacy by design, keep personal information resident in Canada by default, integrate with CLD identity and logging, provide continuous vulnerability management and assured remediation, and support incident response, recovery, and data lifecycle obligations (retention, deletion, subject requests). It also defines CLD’s release gates, documentation, and acceptance criteria so that production changes are predictable, reversible, and supportable.
Objectives
- Standardize the SDLC across vendors with clear gates, roles, and evidence so releases are repeatable, reviewable, and reversible.
- Enforce baseline controls for identity (SSO/MFA, least privilege), logging/SIEM, encryption, WAF/API security, file‑upload protections, environment segregation, and privacy safeguards aligned to applicable law.
- Require continuous testing and assurance (SAST/SCA with SBOM, DAST, pentesting, IaC/container scanning) and time‑bound remediation of vulnerabilities, with emergency handling for actively exploited issues.
- Protect availability through defined RTO/RPO targets, encrypted/verified backups, and documented, tested recovery.
- Make exceptions deliberate and temporary, with documented risk, compensating controls, named owners, and expiry.