# ITGC Build-Time Checklist Keep this checklist in mind whenever deploying a NEW service or making significant infrastructure changes. Not every item applies to every project — use judgement. ## Pre-deployment - [ ] **Access logging** — Does this service log admin actions? Who did what when? - [ ] **Least privilege** — Is the API key / service account scoped to minimum permissions? Nothing more? - [ ] **MFA** — Can this service support MFA for admin access? If not, document the gap. - [ ] **Secrets** — Are credentials in `.env` (chmod 600), not hardcoded in config files? - [ ] **Backup** — Is the data backed up independently of the server? How often? To where? - [ ] **Restore test** — Has the backup been tested by actually restoring? (Quarterly minimum) ## Post-deployment - [ ] **Document** — Is the deployment captured in the project log? - [ ] **Access list** — Who has access? (SSH keys, API tokens, admin accounts) - [ ] **Change ticket** — Is there a record of what was done, why, and by whom? - [ ] **Runbook** — If this service goes down, does someone know how to bring it back? ## Semi-annual - [ ] **Access review** — Are all SSH keys still needed? Any terminated employees/contractors still have access? - [ ] **Token rotation** — Are long-lived API tokens still scoped correctly? - [ ] **Backup restore test** — Actually restore from backup, not just verify backup ran. ## Current gaps (Jul 2026) These are documented so we can track closure over time: | Gap | Target | Status | |-----|--------|--------| | MFA on SSH/admin | All admin access | ❌ Missing | | Access reviews | Quarterly | ❌ Missing | | Change tickets | Every infra change | ❌ Missing | | Incident response plan | Written + tested | ❌ Missing | | Backup restore tests | Quarterly | ❌ Never done | | Password policy | 14+ chars, rotated, MFA | ❌ Missing | | Encryption at rest | Sensitive data stores | ❌ Missing |