Policy Principles

5. Policy Principles

Security and privacy by design

All solutions must embed security and privacy controls from the outset. Designs must minimize the data collected and retained, restrict access to least privilege, and support data-subject rights requests, configurable retention, and secure deletion. Where applicable privacy law or a contract is stricter than this policy, the stricter requirement applies.

Canada‑only residency by default

Personal information must be stored and accessed in Canada by default. Any exception requires a documented risk assessment and, if PI is involved, a DPIA, with technical and contractual safeguards and a defined expiry for re‑validation. PENDING: Residency exception package contents and approval workflow

Standard identity and least privilege

Solutions must support SSO with CLD’s IdP, enforce MFA for administrative roles and Restricted data access, and implement RBAC/ABAC with clearly scoped roles. Service accounts must be non‑interactive, least‑privilege, vaulted, and rotated. PENDING: IdP/protocols; standard roles; SCIM/JIT expectation

Measurable gates and evidence

Releases must pass defined SDLC gates (Design, Pre‑Production, Go‑Live) with a minimal, consistent evidence package (e.g., SBOM, SAST/SCA/DAST summaries, change/rollback plan, updated logging/data‑flow where applicable, UAT sign‑off). Evidence must be reviewable and retained. PENDING: Final evidence list, SBOM format and delivery location

Logging, monitoring, and SIEM readiness

Security/audit events must be comprehensive, tamper‑resistant, and SIEM‑ready, capturing who/when/where/what/outcome and a correlation ID, with time sync (UTC) and sensitive data redaction. Vendors must operate a SIEM per contract; CLD may require log forwarding to its SIEM. PENDING: CLD SIEM forwarding decision, ingestion method, minimum fields, retention months
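As an added illustration (not part of this policy and not CLD's code), the Python below shows one way an application can emit an event that carries the minimum fields named above, a UTC timestamp, a correlation ID, and redaction of sensitive values before the record leaves the application; the sensitive key list and patterns are constructed assumptions, not CLD's minimum-field decision.

```python
"""Added example: build a SIEM-ready audit event with the policy's minimum
fields (who/when/where/what/outcome + correlation ID), UTC time sync and
sensitive-data redaction. Key list and patterns are constructed assumptions."""
import json
import re
import uuid
from datetime import datetime, timezone

# Fields every security/audit event must carry (from the policy text).
REQUIRED_FIELDS = ("who", "when", "where", "what", "outcome", "correlation_id")

# Keys whose values are never written to the log (constructed list).
SENSITIVE_KEYS = {"password", "token", "secret", "authorization", "sin"}
# Value patterns masked wherever they appear (constructed: bearer tokens and
# nine-digit SIN-shaped groups such as 123-456-789).
SENSITIVE_PATTERNS = [
    re.compile(r"Bearer\s+[A-Za-z0-9._-]+"),
    re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b"),
]


def redact(value):
    """Recursively mask sensitive keys and patterns in dicts, lists and strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern in SENSITIVE_PATTERNS:
            value = pattern.sub("[REDACTED]", value)
    return value


def build_audit_event(who, where, what, outcome, details=None, correlation_id=None):
    """Return an event dict; raises ValueError if a required field is empty."""
    event = {
        "who": who,                                   # actor (user or service)
        "when": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "where": where,                               # source host/IP/component
        "what": what,                                 # action performed
        "outcome": outcome,                           # success / failure / denied
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "details": redact(details or {}),             # free-form context, redacted
    }
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if missing:
        raise ValueError(f"audit event missing required fields: {missing}")
    return event


def to_siem_line(event):
    """Serialize one event as a single JSON line for log forwarding."""
    return json.dumps(event, separators=(",", ":"), sort_keys=True)
```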

Testing and continuous assurance

Each release must complete pre‑production security testing appropriate to risk (SAST, SCA with SBOM, secrets scanning, DAST for web/API; container/IaC scans when applicable). Vendors must conduct an annual independent penetration test (and after material changes) and provide remediation plans with verification. Releases are blocked on unresolved Critical/High issues unless an ISO‑approved waiver with compensating controls exists. PENDING: Fail‑gate thresholds; pentest report sharing scope

Vulnerability remediation SLAs

Discovered vulnerabilities and misconfigurations must be triaged, tracked, and remediated within defined timeframes, with emergency handling for exploited issues, and evidence of closure. Proposed SLAs: Critical 7 days, High 30 days, Medium 60 days, Low 90 days. PENDING: Confirm or adjust SLAs; notification thresholds

API and file‑upload protections

APIs must use OAuth 2.0/OIDC (user flows via Auth Code + PKCE; service‑to‑service via Client Credentials or mTLS), least‑privilege scopes, input validation, schema enforcement, and rate‑limiting. File uploads must be size/type‑restricted, scanned by AV/antimalware, and processed without retaining sensitive metadata (e.g., EXIF/GPS) unless required. PENDING: Allowed grants, token TTLs, scope conventions; upload size/types; AV behavior; EXIF rule

Operational resilience

Solutions must meet defined availability objectives, maintain encrypted and verifiable backups, and practice recovery with documented runbooks and rollback plans. RTO/RPO targets are set by solution tier and validated through periodic restore tests with retained evidence. PENDING: Tiers and targets; restore cadence; immutability/object‑lock requirement

Subprocessor governance

Vendors must disclose and obtain approval before engaging subprocessors that store, process, or access CLD data, flow down equivalent obligations contractually, and provide annual compliance artifacts (e.g., SOC 2 Type 2). PENDING: Notice lead time; prohibited jurisdictions; CLD approver

Exceptions are temporary and controlled

Any deviation from this policy requires a written exception with scope, rationale, risk assessment, compensating controls, named owner, and expiry; ISO recommends and Executive Sponsor approves. Privacy‑impacting exceptions require Legal/Privacy review. PENDING: Exception template location