3. Definitions

For simplicity and consistency, these definitions apply throughout this policy and its supporting standards. Where a client contract or law defines a term more strictly, that stricter definition prevails.

Application (App)

Any software solution (web, mobile, API, integration, low/no‑code, or significant SaaS configuration) delivered for CLD that processes CLD or client data.

Vendor

A third party that designs, builds, hosts, operates, or maintains an Application for CLD under contract.

Subprocessor

A third party used by a Vendor to store, process, or access CLD data (e.g., hosting provider, scanning service, email/SMS provider).

Personal Information (PI)

Information about an identifiable individual as defined by applicable privacy law (e.g., PIPEDA, Quebec Law 25). Examples include name, contact details, addresses, claim photos, identifiers.

Restricted Data

CLD’s highest sensitivity category (includes PI and other sensitive business/client data). Access is strictly least privilege and MFA‑protected.

Data Residency (Canada‑only)

The requirement that storage and access for Restricted Data occur in Canada (e.g., ca‑central) unless an approved exception exists.

DPIA (Data Protection Impact Assessment)

A documented assessment of privacy risks and safeguards for processing activities that may pose high risk to individuals (e.g., cross‑border transfers, new data uses).

Threat & Vulnerability Management (TVM)

The continuous process of discovering, assessing, prioritizing, and remediating vulnerabilities and misconfigurations, with defined SLAs and verification of fixes.

SAST / DAST / SCA

  • SAST: Static code analysis to find insecure code patterns.

  • DAST: Dynamic testing of running web/API endpoints.

  • SCA: Software Composition Analysis to detect vulnerable third‑party libraries and produce an SBOM.

SBOM (Software Bill of Materials)

A machine‑readable inventory of third‑party libraries/components in an Application build. PENDING: Preferred format — SPDX or CycloneDX.

CI/CD

Build and deployment pipelines (Continuous Integration / Continuous Delivery) used to package, test, and release Applications.

Identity Provider (IdP) / SSO

Centralized authentication using OIDC or SAML with the CLD IdP, providing single sign‑on and policy enforcement. PENDING: CLD IdP + required protocol(s).

MFA (Multi‑Factor Authentication)

Authentication requiring at least two independent factors (something you know, have, or are), mandatory for admin roles and Restricted Data access.

SCIM / JIT

  • SCIM: Automated provisioning/de‑provisioning of user accounts from the IdP.

  • JIT: Just‑in‑time account creation on first sign‑in via SSO.

    PENDING: CLD expectation — SCIM required or JIT acceptable.

OAuth 2.0 / OIDC

Standards for authorization and authentication used by web/mobile/API flows (e.g., Authorization Code + PKCE for user flows; Client Credentials or mTLS for service‑to‑service). PENDING: Allowed grant types and token TTLs.

RBAC / ABAC

Role‑Based or Attribute‑Based Access Control models that implement least privilege via defined roles/attributes. PENDING: CLD standard roles and scopes.

WAF (Web Application Firewall)

A control placed in front of internet‑facing Applications to block common attacks (e.g., OWASP Top 10) and rate‑limit abusive traffic.

SIEM (Security Information and Event Management)

The platform that ingests, correlates, and alerts on security/audit logs. Vendors operate a SIEM per contract; CLD may also require forwarding to its SIEM. PENDING: CLD forwarding method + minimum log fields + retention.

POA&M (Plan of Actions & Milestones)

A tracked remediation plan for findings, including owner, risk, milestones, target dates, compensating controls, and closure evidence.

RTO / RPO

  • RTO: Maximum acceptable time to restore service after an outage.

  • RPO: Maximum acceptable data loss (time) during recovery.

    PENDING: Targets per solution tier.

Crypto‑Shred

Rendering data irrecoverable by destroying keys (or re‑encrypting with new keys) so that retained encrypted blobs no longer reveal data.
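The key-destruction mechanism described above, as an added example that is not part of this policy or of any CLD system: a small envelope-encryption store in which every record has its own data key (DEK) wrapped under one key-encryption key (KEK) per client, so destroying the KEK, or re-wrapping under a new KEK and discarding the old one, leaves the stored blobs intact but unreadable. The cipher is a constructed standard-library toy and the client/record names are made up.

```python
"""Added example (not CLD policy text): crypto-shred via envelope encryption. The
cipher is a constructed stdlib-only toy; real systems use AES-GCM with KMS/HSM keys."""
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):  # keystream block = HMAC(key, nonce || counter)
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None  # wrong (or destroyed) key: the blob is retained but unreadable
    return _xor_stream(key, nonce, ct)

class EnvelopeStore:
    """Per-record DEKs, each wrapped under one KEK per data owner (e.g. per client)."""
    def __init__(self):
        self.keks = {}     # owner -> KEK; in practice this lives only in the KMS
        self.records = {}  # record_id -> (owner, wrapped DEK, ciphertext)
    def put(self, owner: str, record_id: str, plaintext: bytes) -> None:
        kek = self.keks.setdefault(owner, os.urandom(32))
        dek = os.urandom(32)
        self.records[record_id] = (owner, encrypt(kek, dek), encrypt(dek, plaintext))

    def get(self, record_id: str):
        owner, wrapped_dek, ct = self.records[record_id]
        kek = self.keks.get(owner)
        dek = decrypt(kek, wrapped_dek) if kek else None
        return decrypt(dek, ct) if dek else None

    def rotate_kek(self, owner: str) -> None:
        """Re-wrap all DEKs under a fresh KEK; old wrapped copies (backups) go dead."""
        old, new = self.keks[owner], os.urandom(32)
        for rid, (o, wrapped, ct) in self.records.items():
            if o == owner:
                self.records[rid] = (o, encrypt(new, decrypt(old, wrapped)), ct)
        self.keks[owner] = new

    def crypto_shred(self, owner: str) -> None:
        del self.keks[owner]  # destroy the KEK: every record of this owner is gone
```

The data blobs are never touched by either operation; only the key material changes, which is what makes the shred instantaneous and applicable to copies and backups the Vendor cannot reach.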

Exception

A documented, time‑bound deviation from a policy control, with risk assessment, compensating controls, named owner, and expiry, approved by the ISO and Executive Sponsor.

Evidence Package (Release)

The bundle of artifacts required at the pre‑production gate (e.g., SBOM, SAST/SCA/DAST summaries, change log, deployment/rollback plan, logging/data‑flow updates, UAT sign‑off). PENDING: Final contents + SBOM format + delivery location.