1. Purpose and Scope
The WTD Information Security Policy (ISP) provides the framework for protecting the confidentiality, integrity, and availability of all data processed within the application environment. This policy applies to all systems, network infrastructure, and users associated with the WTD project.
2. Security Governance and Responsibility
The Lead Developer and Administrator (Bill) is responsible for the implementation, maintenance, and auditing of this policy. Security is integrated into the software development lifecycle (SDLC) from the design phase through deployment.
3. Policy Framework (Reference Documents)
This ISP serves as the umbrella document for the following sub-policies, which are strictly enforced:
- Access Control Policy: Governs role-based permissions and the Principle of Least Privilege.
- Secure Authentication Attestation: Defines the use of YubiKeys and TOTP MFA.
- Data Retention & Deletion Policy: Outlines the 60-day lifecycle for data and backups.
- Privacy Policy: Details user data protections and anti-sharing commitments.
4. Network and Infrastructure Security
The WTD infrastructure is architected for maximum isolation:
- Zero-Trust Networking: External access is restricted via Tailscale, ensuring only authorized, authenticated nodes can communicate with the application stack.
- Containerization: Services are isolated using Docker environments, minimizing the attack surface of the underlying host.
- Encryption in Transit: All web traffic is encrypted using TLS 1.2 or higher.
5. Vulnerability Management
To ensure the ongoing security of the application:
- Automated Updates: Host system packages are regularly updated, and Docker images are regularly re-pulled, so that services run the latest secure versions.
- Security Audits: Periodic reviews of access logs and configuration files are performed (refer to Access Review & Audit Policy).
6. Physical Security
WTD infrastructure is housed in a secure, controlled residential environment with restricted physical access. Management consoles and hardware remain locked when not in use.
7. Incident Response
In the event of a suspected security breach, the following "Immediate Action" plan is triggered:
- Containment: The affected service or network node is immediately isolated.
- Investigation: Logs are analyzed to determine the scope of the incident.
- Notification: Impacted users (family members) and relevant third parties (e.g., Plaid) will be notified if data exposure is confirmed.
8. Enforcement
Failure to comply with this policy may result in immediate revocation of access to WTD resources.