Vertuna LLC

Document Type: Engineering Documentation Index / Reference
Owner: Engineering Lead
Applies To: All engineering contributors
Review Frequency: Annual
Version: 1.0

Purpose

This index lists the security and privacy engineering documents that define how Vertuna designs, builds, reviews, and operates systems securely. It provides a single reference point for engineering, audit readiness, and vendor assessments.

Scope

Applies to all engineering activities and all Vertuna-managed systems.

Engineering Security Standards Library

Core Engineering Standards

  1. Engineering Security & Privacy-by-Design Principles (Standard)

    • Defines mandatory secure-by-design and privacy-by-design principles

    • Applies to all engineering work, system implementation efforts, and architecture decisions

  2. Significant Code Change Review & Approval Process (Process)

    • Defines how significant code changes are reviewed, approved, and deployed

    • Defines roles, approval criteria, and evidence requirements

  3. Secure-by-Design Engineering Review Checklist (Checklist)

    • Used as a release gate for significant changes

    • Confirms implementation of secure-by-design and privacy-by-design controls

  4. Privacy Impact Checklist (Checklist)

    • Required when personal/customer data processing is introduced or modified

    • Ensures minimization, encryption, retention, deletion, and transparency are addressed

Supporting Security Policies

  1. Access Control Policy

    • Least privilege, access approval, access reviews, revocation

  2. Encryption & Cryptographic Controls Policy

    • Encryption at rest and in transit, key storage, algorithm expectations

  3. Vulnerability Management Policy

    • Scanning, remediation prioritization, tracking, verification

  4. Patch Management Policy

    • Operating system updates, dependency upgrades, prioritization

  5. Logging & Monitoring Policy

    • Security event logging, access restrictions, retention, monitoring expectations

  6. Incident Response Policy

    • Incident identification, containment, response, and reporting

  7. Environment Segregation Policy

    • Separation of production and non-production, production data restrictions

  8. Third-Party Risk Management Policy

    • Vendor review expectations, minimum data access, periodic reassessment

  9. Asset Management Policy

    • Hardware/software inventory, lifecycle management, licensing

  10. Endpoint Security & Removable Media Policy

    • Endpoint protections, patching, removable media handling expectations

Control Coverage Mapping (High Level)

This standards library supports common audit and assessment controls including:

  • secure SDLC

  • change management and peer review

  • access management

  • encryption and secrets handling

  • vulnerability scanning and remediation

  • logging and incident response

  • privacy-by-design and data lifecycle protection

Maintenance and Ownership

  • All documents listed above are owned by the Engineering Lead.

  • Documents must be reviewed annually and updated when systems or practices materially change.

Document Control

Version 1.0 — Owner: Engineering Lead — Next Review: 12 months