Files

1.9 KiB

ITGC Build-Time Checklist

Keep this checklist in mind whenever deploying a NEW service or making significant infrastructure changes. Not every item applies to every project — use judgement.

Pre-deployment

  • Access logging — Does this service log admin actions? Who did what when?
  • Least privilege — Is the API key / service account scoped to minimum permissions? Nothing more?
  • MFA — Can this service support MFA for admin access? If not, document the gap.
  • Secrets — Are credentials in .env (chmod 600), not hardcoded in config files?
  • Backup — Is the data backed up independently of the server? How often? To where?
  • Restore test — Has the backup been tested by actually restoring? (Quarterly minimum)

Post-deployment

  • Document — Is the deployment captured in the project log?
  • Access list — Who has access? (SSH keys, API tokens, admin accounts)
  • Change ticket — Is there a record of what was done, why, and by whom?
  • Runbook — If this service goes down, does someone know how to bring it back?

Semi-annual

  • Access review — Are all SSH keys still needed? Any terminated employees/contractors still have access?
  • Token rotation — Are long-lived API tokens still scoped correctly?
  • Backup restore test — Actually restore from backup, not just verify backup ran.

Current gaps (Jul 2026)

These are documented so we can track closure over time:

Gap Target Status
MFA on SSH/admin All admin access Missing
Access reviews Quarterly Missing
Change tickets Every infra change Missing
Incident response plan Written + tested Missing
Backup restore tests Quarterly Never done
Password policy 14+ chars, rotated, MFA Missing
Encryption at rest Sensitive data stores Missing