Secure Configuration & Hardening Program

Organization: Fintable, Inc.
Owner: Security & Compliance + Engineering
Review cadence: Annual or upon material change
Approved by: Isa Hasenko
Approval Date: 2025 August 15

1) Introduction

Fintable maintains a documented, enforced secure configuration and hardening program for applications, platforms, and underlying infrastructure. The program is built around bare‑metal Linux servers fully controlled by Fintable, encryption by default, strict organization-level access, iptables and Cloudflare WAF at the network perimeter, centralized logging and monitoring, and password/credential sharing solely via Apple iCloud Keychain (never plaintext). It incorporates industry‑standard SaaS security controls and continuous improvement through reviews, patching, and vulnerability management.

2) Scope & Applicability

This standard applies to all environments (production, staging, development), corporate IT endpoints (macOS), and all services operated by Fintable (applications, platforms, and the underlying bare‑metal infrastructure), as well as third parties used for security enforcement (e.g., Cloudflare).

3) Roles & Responsibilities

- Security & Compliance: owns this program; approves baselines; runs reviews and risk assessments.
- Engineering (Infra/App): builds and maintains hardened images, applies patches, and enforces least‑privilege configuration.
- Support/Operations: follows access rules; never stores or shares credentials in plaintext; reports exceptions.
- All Personnel: complete training, use MFA, store passwords only in iCloud Keychain; no shadow IT.
- Vendors/Processors: must meet or exceed these controls where they process Fintable data.

4) Configuration Baselines

4.1) Bare‑metal Linux Server Baseline

- Full organizational control over hardware, firmware, and OS install; disable external boot; set BIOS/UEFI passwords.
- Disk encryption with LUKS or equivalent; keys protected and rotated per incident/role change.
- Minimal OS profile; remove unused packages, compilers, and services; principle of least functionality.
- User management: no shared accounts; unique user IDs; sudo with logging; disable direct root SSH.
- SSH: key‑only authentication; strong ciphers; MFA for bastion access; restrict by source IPs.
- iptables: default‑deny inbound; allow only required ports; rate‑limit and log drops.
- Cloudflare WAF/Proxy: all Internet‑facing HTTP(S) behind Cloudflare; WAF managed rules on; OWASP/Bot protections enabled; TLS 1.2+ with modern ciphers; HSTS for web apps.
- Time sync (NTP/chrony) and consistent timezone for logs; trusted NTP sources.
- File integrity and audit: auditd with CIS‑aligned rules; periodic baseline comparisons; alert on critical changes.
- Service hardening: run apps under least‑privileged service accounts; systemd unit hardening (NoNewPrivileges, PrivateTmp, ProtectSystem, ProtectHome).
- Kernel and sysctl hardening: disable IP forwarding unless required; turn off source routing; enable SYN cookies; restrict ptrace; dmesg_restrict.
- Package updates: security updates within 7 days (24–72h for critical/remote exploits); routine patch windows monthly.
- Centralized logging: forward syslog/journal and application logs to an aggregator; protect at rest; retain per policy.
- Backups: encrypted in transit and at rest; include configs and secrets as needed; periodic recovery tests.

4.2) Application Hardening

- Follow OWASP ASVS/L1‑L2 controls appropriate to data sensitivity; threat modeling for new features.
- Secure defaults: strong TLS, secure cookies, CSRF protection, rate limiting, content security policy (CSP), and security headers.
- Dependency hygiene: lockfiles, automated vulnerability scanning (SCA), and prompt remediation based on severity.
- Secrets: never committed to source control; stored and shared only via iCloud Keychain; rotated on exposure/role change.
- Database: least‑privilege DB roles; encrypted connections; column‑level or tablespace encryption where appropriate.
- Logging: avoid sensitive payloads; use structured logs; redaction on known PII fields.
- Build & deploy: signed artifacts; reproducible builds; peer‑reviewed changes; automated checks (lint/tests/security scans).

4.3) Network & Perimeter Controls

- Cloudflare WAF in front of all public web services; geo/ASN blocks as needed; DDoS protections enabled.
- iptables host firewalls on every server; default‑deny inbound and restricted egress; intra‑service segmentation via IP allowlists or private VLANs.
- Administrative access through a hardened bastion with MFA and IP allowlisting; optional WireGuard for admin plane.
- TLS configuration reviewed quarterly; certificates managed with short lifetimes and automated renewals.

4.4) macOS Endpoint Hardening (Corporate Devices)

- FileVault full‑disk encryption enabled; screen lock after inactivity; Gatekeeper and XProtect enabled.
- OS and application auto‑updates enabled; only approved software; least‑privilege local users.
- iCloud Keychain required for password storage/sharing; no plaintext passwords in notes, tickets, or chat.
- Device firewall on; remote wipe capability; mandatory MFA for Google Workspace and other SaaS.

5) Access Control & Credential Management

- Google Workspace as identity provider; SSO and MFA mandatory; role‑based access with least privilege.
- Per‑user SSH keys; no shared accounts; break‑glass account stored offline and tested quarterly.
- Secrets/passwords shared only via iCloud Keychain; never via plaintext, email, or chat; rotate on role change or suspected compromise.

6) Change & Configuration Management

- Baseline configurations are version‑controlled (e.g., Ansible or scripted playbooks); changes tracked in tickets with peer review.
- Production changes executed during defined windows with rollback plans and post‑deployment verification.
- Configuration drift detection: periodic server audits against baseline; findings remediated promptly.

7) Patch & Vulnerability Management

- Apply critical security patches within 72 hours (24 hours for actively exploited vulnerabilities); high within 7 days; others in the next maintenance window.
- Continuous vulnerability scanning of Internet‑facing assets; authenticated scans of servers quarterly.
- Triage and remediation tracked to closure; exceptions documented with compensating controls and expiry.

8) Logging, Monitoring & Alerting

- Centralized collection of system, application, WAF, and authentication logs with time sync.
- Alerts for authentication anomalies, privilege escalations, WAF blocks, kernel errors, and integrity violations.
- Retain logs per policy and legal requirements; protect confidentiality and integrity of logs.

9) Backup & Recovery

- Encrypted backups (in transit and at rest) for critical systems, configurations, and databases.
- Daily incrementals and weekly fulls (or equivalent snapshot strategy); off‑site copies.
- Quarterly restore tests; documented RPO/RTO and restoration runbooks.

10) Compliance Alignment (SOC 2 / ISO 27001)

In anticipation of future compliance:

- SOC 2 CC2/CC3/CC6/CC7: configuration standards, change management, access control, and monitoring.
- ISO/IEC 27001 Annex A: A.5 (policies), A.8 (asset management), A.9 (access control), A.12 (ops security), A.14 (system acquisition/development), A.16 (incident management).

11) Exceptions

Temporary exceptions require Security & Compliance approval, documented business justification, explicit compensating controls, and an expiry date. Exceptions are reviewed at least quarterly.

12) Review & Maintenance

This program is reviewed at least annually or upon material changes to infrastructure, applications, vendors, or threat landscape. Outcomes feed into continuous improvement and the risk register.
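The server baseline in 4.1 and the drift detection in section 6 can be checked by script rather than by hand. The POSIX shell script below is an added example, not Fintable's own tooling: it reads an sshd_config, a `sysctl -a` dump, and a systemd unit file (or drop-in) from the paths it is given, compares the settings named in 4.1 (key-only SSH, no root login, IP forwarding and source routing off, SYN cookies on, ptrace and dmesg restricted, the four systemd hardening directives) against expected values, and prints one DRIFT line per key that differs. The exact accepted values (for example kernel.yama.ptrace_scope of 1 or higher) are this example's reading of the baseline wording, and the sample files it writes under mktemp are constructed for the demonstration, not captured from a host.

```shell
#!/bin/sh
# Baseline drift check for three of the 4.1 control groups: SSH, sysctl, systemd unit
# hardening. Added example (hypothetical tooling, not Fintable's). Every check reads a
# file, so the same functions work on a live host (/etc/ssh/sshd_config, the output of
# `sysctl -a`, a unit file) or on copies collected for an offline audit.

# cfg_get FILE KEY: print the lowercased value of the first non-comment line whose first
# token is KEY. Accepts "Key value" (sshd_config), "key = value" (sysctl -a) and
# "Key=value" (systemd). Prints nothing when KEY is absent.
cfg_get() {
    awk -v k="$2" '
        { sub(/#.*/, ""); gsub(/=/, " = ") }        # drop comments, split Key=value
        NF >= 2 && tolower($1) == tolower(k) {
            print tolower(($2 == "=") ? $3 : $2); exit
        }
    ' "$1"
}

# expect FILE KEY "accepted values": return 0 if the value is one of the accepted ones,
# otherwise print a DRIFT line and return 1. An absent key counts as drift: the
# baseline wants these settings explicit, not left to daemon defaults.
expect() {
    got=$(cfg_get "$1" "$2")
    for ok in $3; do
        [ "$got" = "$ok" ] && return 0
    done
    echo "DRIFT $(basename "$1"): $2=${got:-<unset>} (want: $3)"
    return 1
}

# 4.1 SSH: key-only authentication, no direct root login.
# (Match blocks in sshd_config are not evaluated here; audit those separately.)
check_sshd() {
    rc=0
    expect "$1" PermitRootLogin no         || rc=1
    expect "$1" PasswordAuthentication no  || rc=1
    expect "$1" PubkeyAuthentication yes   || rc=1
    return $rc
}

# 4.1 kernel/sysctl: no forwarding, no source routing, SYN cookies, ptrace and dmesg
# restricted. The values are this example's reading of the baseline wording.
check_sysctl() {
    rc=0
    expect "$1" net.ipv4.ip_forward 0                    || rc=1
    expect "$1" net.ipv4.conf.all.accept_source_route 0  || rc=1
    expect "$1" net.ipv4.tcp_syncookies 1                || rc=1
    expect "$1" kernel.dmesg_restrict 1                  || rc=1
    expect "$1" kernel.yama.ptrace_scope "1 2 3"         || rc=1
    return $rc
}

# 4.1 systemd unit hardening: the four directives the baseline names.
check_unit() {
    rc=0
    expect "$1" NoNewPrivileges "yes true"        || rc=1
    expect "$1" PrivateTmp "yes true"             || rc=1
    expect "$1" ProtectSystem "strict full"       || rc=1
    expect "$1" ProtectHome "yes true read-only"  || rc=1
    return $rc
}

# audit_host SSHD_CONFIG SYSCTL_DUMP UNIT_FILE: run every group; 0 only when all are clean.
audit_host() {
    fails=0
    check_sshd "$1"   || fails=$((fails + 1))
    check_sysctl "$2" || fails=$((fails + 1))
    check_unit "$3"   || fails=$((fails + 1))
    echo "audit: $fails of 3 control groups drifted"
    [ "$fails" -eq 0 ]
}

# Constructed sample inputs (not from a real host): compliant except that sshd still
# allows password logins, which the audit must flag.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample; PasswordAuthentication deliberately drifts from 4.1
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/sysctl.txt" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
EOF
cat > "$demo_dir/app.service" <<'EOF'
[Service]
User=app
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
EOF

audit_host "$demo_dir/sshd_config" "$demo_dir/sysctl.txt" "$demo_dir/app.service"
```

Run on a real server as `audit_host /etc/ssh/sshd_config <(sysctl -a) /etc/systemd/system/app.service` (or against files copied off the host), and wire the non-zero exit into the periodic audit from section 6 so a drifted key opens a ticket rather than disappearing into a log.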
13) Go‑Live Hardening Checklist (Server)

- [ ] Full‑disk encryption enabled (LUKS/FDE) and tested
- [ ] Minimal OS; unused packages removed
- [ ] Unique users; sudo logging; root SSH disabled
- [ ] SSH key‑only auth; MFA on bastion; IP allowlist
- [ ] iptables default‑deny; only required ports open
- [ ] Cloudflare WAF in front of service; TLS >= 1.2; HSTS
- [ ] auditd rules loaded; integrity monitoring active
- [ ] Systemd unit hardening applied to services
- [ ] Centralized logging forwarding configured
- [ ] Security patches current; auto‑updates configured or scheduled
- [ ] Backups configured, encrypted, and test restore performed
- [ ] Runbook updated; monitoring/alerts verified

Approved By: Isa Hasenko
Chief Executive Officer
Electronically Signed By:
Isa Hasenko