Playbooks
Our core processes and practices.
Asset Management
Management and tracking of assets
Backup
Protection of the confidentiality, integrity, and availability of Narrative-Owned Data
Hiring
Procedures related to hiring
Incident Response
Ensure detection and reaction of security vulnerabilities, incidents and security breaches
Information Security
General approach to information security and the minimization of information misuse, compromise or loss
Password
Select and securely manage passwords
Responsible Disclosure
Reporting and disclosure of vulnerabilities and information security violations
SOC 2 Evidence Gathering
Gather the evidence needed for SOC 2 certification purposes
Software Development Life Cycle
Support the approval, planning, and life-cycle development of software systems
System Access Control
Manage access to the company’s network and data
System Hardening
Hardening Standards in Place
Vendor Management
Ensure third-party service providers/vendors meet security requirements
Vulnerability Management
Handle vulnerability findings
Roles
Describes the processes relevant to each role and highlights the parts of those processes that are of particular importance in terms of generating evidence for SOC 2. A lot of evidence is generated by following specific conventions when using Shortcut, so make sure to review Shortcut Conventions.
Business Operations Lead
Team leader for:
- Operations team, as mentioned in the Business Continuity Plan
Compliance Officer
TODO
Developer
Main Responsibilities
Responsible for
- Following the general principles of the Software Development Life Cycle Processes
On-Call Techops Responsibilities
Responsible for
In particular, the following items are of particular importance in terms of generating evidence for SOC 2:
- Creating tasks for incidents in the Techops project using the Techops template
- Recording the execution of the checklists in the corresponding tickets and/or pull requests/code reviews
Head of Engineering
Team leader for:
- DevOps team, as mentioned in the Business Continuity Plan
Responsible for:
- The recovery of Narrative I/O, Inc. technical environments
TODO
Information Resource Owner
Responsible for
- Authorizing the usage of production data in tests. See the Testing section of Software Development Life Cycle.
In particular, the following items are of particular importance in terms of generating evidence for SOC 2:
- Reviewing and approving Data Asset Retirement requests
Information Security Manager
Responsible for
- Doing ??? for Incident Response
Define on-call schedules and assign an Information Security Manager (ISM) responsible for managing incident response procedures during each availability window
Define a notification channel to alert the on-call ISM of a potential security incident. Establish a company resource that includes up to date contact information for on-call ISM.
IT Manager
Responsible for
- Performing Data Wipes
Product Owner
TODO
Privacy Officer
Responsible for
- Updating the Business Continuity Plan (with the Security Officer)
Security Officer
In broad terms, the Information Security Policy describes the responsibilities of the Security Officer as
The design, development, maintenance, dissemination, and enforcement of the items contained in this policy and other ISP policies. Reporting on the performance of the information security program to top management.
In terms of our internal processes, the Security Officer is responsible for
- Creating, addressing, and tracking System Access Change requests to completion
- Performing yearly System Access Reviews as dictated by the Security Event Calendar (Currently: beginning of January)
- Monitoring the #auto-security Slack channel and addressing important warnings (TODO: process needed)
- Reviewing process changes to ensure that they are compatible with the SOC 2 policies and generate enough evidence
- Keeping everyone in the team honest, i.e. ensuring that everyone follows the agreed-upon security-related processes and checklists
- Updating the Business Continuity Plan (with the Privacy Officer)
- Managing the training of Information Security Managers for executing Incident Response
- Tracking the training of new hires to completion
- Taking care of the Annual Security Awareness Training
Teams
TODO: merge teams and roles
Compliance
TODO
Operations
Trained to respond to a contingency event as described in Business Continuity: Operations is responsible for ensuring the physical safety of all Narrative I/O, Inc. personnel and environmental safety at each Narrative I/O, Inc. physical location.
DevOps
Trained to respond to a contingency event as described in Business Continuity: DevOps is responsible for assuring all applications, web services, platforms, and their supporting infrastructure in the Cloud. The team is also responsible for testing re-deployments and assessing damage to the environment.
Legal
TODO
Security
As described in Business Continuity:
Responsible for assessing and responding to all cybersecurity related incidents according to Narrative I/O, Inc. Incident Response policy and procedures. The security team shall assist the above teams in recovery as needed in non-cybersecurity events. The team leader is the Security Officer.