1.9 KiB
1.9 KiB
ITGC Build-Time Checklist
Keep this checklist in mind whenever deploying a NEW service or making significant infrastructure changes. Not every item applies to every project — use judgement.
Pre-deployment
- Access logging — Does this service log admin actions? Who did what when?
- Least privilege — Is the API key / service account scoped to minimum permissions? Nothing more?
- MFA — Can this service support MFA for admin access? If not, document the gap.
- Secrets — Are credentials in
.env(chmod 600), not hardcoded in config files? - Backup — Is the data backed up independently of the server? How often? To where?
- Restore test — Has the backup been tested by actually restoring? (Quarterly minimum)
Post-deployment
- Document — Is the deployment captured in the project log?
- Access list — Who has access? (SSH keys, API tokens, admin accounts)
- Change ticket — Is there a record of what was done, why, and by whom?
- Runbook — If this service goes down, does someone know how to bring it back?
Semi-annual
- Access review — Are all SSH keys still needed? Any terminated employees/contractors still have access?
- Token rotation — Are long-lived API tokens still scoped correctly?
- Backup restore test — Actually restore from backup, not just verify backup ran.
Current gaps (Jul 2026)
These are documented so we can track closure over time:
| Gap | Target | Status |
|---|---|---|
| MFA on SSH/admin | All admin access | ❌ Missing |
| Access reviews | Quarterly | ❌ Missing |
| Change tickets | Every infra change | ❌ Missing |
| Incident response plan | Written + tested | ❌ Missing |
| Backup restore tests | Quarterly | ❌ Never done |
| Password policy | 14+ chars, rotated, MFA | ❌ Missing |
| Encryption at rest | Sensitive data stores | ❌ Missing |