Document Type: Engineering Documentation Index / Reference
Owner: Engineering Lead
Applies To: All engineering contributors
Review Frequency: Annual
Version: 1.0

Purpose

This index lists the security and privacy engineering documents that define how Vertuna designs, builds, reviews, and operates systems securely. It provides a single reference point for engineering, audit readiness, and vendor assessments.

Scope

Applies to all engineering activities and all Vertuna-managed systems.

Engineering Security Standards Library

Core Engineering Standards

1. Engineering Security & Privacy-by-Design Principles (Standard)

   • Defines mandatory secure-by-design and privacy-by-design principles

   • Applies to all engineering work, system implementation efforts, and architecture decisions

2. Significant Code Change Review & Approval Process (Process)

   • Defines how significant code changes are reviewed, approved, and deployed

   • Defines roles, approval criteria, and evidence requirements

3. Secure-by-Design Engineering Review Checklist (Checklist)

   • Used as a release gate for significant changes

   • Confirms implementation of secure-by-design and privacy-by-design controls

4. Privacy Impact Checklist (Checklist)

   • Required when personal/customer data processing is introduced or modified

   • Ensures minimization, encryption, retention, deletion, and transparency are addressed

Supporting Security Policies

1. Access Control Policy

   • Least privilege, access approval, access reviews, revocation

2. Encryption & Cryptographic Controls Policy

   • Encryption at rest and in transit, key storage, algorithm expectations

3. Vulnerability Management Policy

   • Scanning, remediation prioritization, tracking, verification

4. Patch Management Policy

   • Operating system updates, dependency upgrades, prioritization

5. Logging & Monitoring Policy

   • Security event logging, access restrictions, retention, monitoring expectations

6. Incident Response Policy

• Incident identification, containment, response, and reporting

1. Environment Segregation Policy

• Separation of production and non-production, production data restrictions

1. Third-Party Risk Management Policy

• Vendor review expectations, minimum data access, periodic reassessment

1. Asset Management Policy

• Hardware/software inventory, lifecycle management, licensing

1. Endpoint Security & Removable Media Policy

• Endpoint protections, patching, removable media handling expectations

Control Coverage Mapping (High Level)

This standards library supports common audit and assessment controls including:

• secure SDLC

• change management and peer review

• access management

• encryption and secrets handling

• vulnerability scanning and remediation

• logging and incident response

• privacy-by-design and data lifecycle protection

Maintenance and Ownership

• All documents listed above are owned by the Engineering Lead.

• Documents must be reviewed annually and updated when systems or practices materially change.

Document Control

Version 1.0 — Owner: Engineering Lead — Next Review: 12 months