Canada Luggage Depot - Secure SDLC
CLD SDLC Policy

This page consolidates CLD’s SDLC policy for third‑party delivered systems and significant SaaS customizations. It defines roles, gates, evidence requirements, and baseline controls vendors must meet to deploy and operate software for CLD.

Key facts

  • Policy owner (ISO): Mary Mouradian
  • Executive Sponsor: Mary Mouradian
  • Vendor Manager: Mary Mouradian
  • Scope: third‑party web/mobile apps, APIs/integrations, data pipelines, and major SaaS configurations.

Policy principles

  • Security and privacy by design
  • Least privilege and role‑based access
  • Default Canada‑only data residency for CLD personal information (exceptions require documented risk assessment and expiry)
  • Standardization and automation of evidence collection

Gates and evidence

  • Intake: business case, data classification, residency check, initial DPIA trigger
  • Design: security/privacy review, threat model, data flow diagrams, log design; sign‑off by ISO + Product Owner
  • Pre‑Production: evidence package (SBOM, SAST/SCA summaries, secrets scan, UAT sign‑off, rollback plan)
  • Go‑Live: monitoring routing validated, runbooks and on‑call ready, final approvals
  • Post‑Go‑Live: 30‑day stability, unresolved risks escalated

Build & CI/CD controls

  • SAST on change sets; SCA + SBOM per build; secrets scanning
  • Pre‑merge checks and protected branch policies; automated tests and quality gates

Security & privacy requirements

  • SSO integration with CLD IdP (OIDC/SAML); MFA for administrative roles and restricted data
  • API security: OAuth2/OIDC for user flows; client‑credentials or mTLS for service‑to‑service; rate limits and replay protections
  • Logging: emit SIEM‑ready logs for auth, admin changes, API calls, uploads/exports; retention baseline 12 months; redact secrets
  • File uploads: allowed MIME types, AV scanning, strip EXIF/GPS for images; suggested max size 100MB

Vulnerability & patch management

  • Proposed SLAs: Critical 7d / High 30d / Medium 60d / Low 90d
  • POA&M with owners and target dates; waivers possible with ISO approval and expiry

Availability & DR

  • Tiered RTO/RPO targets per solution; encrypted backups; restore test cadence and evidence

Third‑party expectations

  • Key vendors/subprocessors: SOC2 Type 2 where applicable; annual pentest and code scan; cooperation with audits and right‑to‑audit clauses

Exceptions

  • Formal exception process: scope, justification, compensating controls, owner, ISO + Executive Sponsor approval, expiry date

Annexes and templates

  • Design review checklist, release evidence checklist, POA&M template, SBOM submission instructions, logging field dictionary (linked in annexes)