Governance & Security
The NDCI platform's approach to governance and security covers three areas: governance, KYC/AML integration, and operational security.
Governance
Prospectus/listing workflow: roles, approvals, versioning, dating
Segregation of duties (SoD), 4-eyes principle, CAB (Change Advisory Board)
Audit and records: hash/anchor, retention policies
Contractual framework: MoU (UAT/SIM access), DPA
KYC/AML
External providers, privacy-by-design, no unnecessary data
Operations & Security
IAM (OIDC, SSO, RBAC/ABAC, least privilege)
Network (mTLS, WAF, rate-limiting, DDoS protection)
Data (encryption, HSM/KMS, key rotation, field tokenization)
Vulnerability management (SAST/DAST, SBOM, patching, 2× yearly pentest)
Observability (SLO/SLA, tracing, logs; MTTR ≤2h; availability ≥99.5% in pilots)
BCP/DR (geo-redundancy, drills, runbooks; RTO ≤4h, RPO ≤1h)
Want to Learn More?
Contact us for detailed documentation on the NDCI governance, security, and compliance framework.