Initial skills documentation — 25 categories, all SKILL.md + references + scripts
This commit is contained in:
@@ -0,0 +1,39 @@
|
||||
# ITGC Build-Time Checklist
|
||||
|
||||
Keep this checklist in mind whenever deploying a NEW service or making significant infrastructure changes. Not every item applies to every project — use judgement.
|
||||
|
||||
## Pre-deployment
|
||||
|
||||
- [ ] **Access logging** — Does this service log admin actions? Who did what when?
|
||||
- [ ] **Least privilege** — Is the API key / service account scoped to minimum permissions? Nothing more?
|
||||
- [ ] **MFA** — Can this service support MFA for admin access? If not, document the gap.
|
||||
- [ ] **Secrets** — Are credentials in `.env` (chmod 600), not hardcoded in config files?
|
||||
- [ ] **Backup** — Is the data backed up independently of the server? How often? To where?
|
||||
- [ ] **Restore test** — Has the backup been tested by actually restoring? (Quarterly minimum)
|
||||
|
||||
## Post-deployment
|
||||
|
||||
- [ ] **Document** — Is the deployment captured in the project log?
|
||||
- [ ] **Access list** — Who has access? (SSH keys, API tokens, admin accounts)
|
||||
- [ ] **Change ticket** — Is there a record of what was done, why, and by whom?
|
||||
- [ ] **Runbook** — If this service goes down, does someone know how to bring it back?
|
||||
|
||||
## Semi-annual
|
||||
|
||||
- [ ] **Access review** — Are all SSH keys still needed? Any terminated employees/contractors still have access?
|
||||
- [ ] **Token rotation** — Are long-lived API tokens still scoped correctly?
|
||||
- [ ] **Backup restore test** — Actually restore from backup, not just verify backup ran.
|
||||
|
||||
## Current gaps (Jul 2026)
|
||||
|
||||
These are documented so we can track closure over time:
|
||||
|
||||
| Gap | Target | Status |
|
||||
|-----|--------|--------|
|
||||
| MFA on SSH/admin | All admin access | ❌ Missing |
|
||||
| Access reviews | Quarterly | ❌ Missing |
|
||||
| Change tickets | Every infra change | ❌ Missing |
|
||||
| Incident response plan | Written + tested | ❌ Missing |
|
||||
| Backup restore tests | Quarterly | ❌ Never done |
|
||||
| Password policy | 14+ chars, rotated, MFA | ❌ Missing |
|
||||
| Encryption at rest | Sensitive data stores | ❌ Missing |
|
||||
Reference in New Issue
Block a user