Authentication & Authorization Standard
User authentication methodology, access controls, and API security measures
Standards operationalise the Policies. Where a Policy states what the organization commits to, a Standard states how the relevant function actually does it — specific scoring tables, thresholds, runbooks, and workflows.
Authoring and approval:
Standards are maintained by the security function and approved by security leadership (the CISO role; currently pending formal appointment — the CTO acts as interim CISO). Standards may be updated when operational practice changes (e.g. new tooling, revised thresholds) without Board re-approval. The parent Policy remains Board-approved and annually reviewed.
Audit traceability:
Each Standard cites the Policy it implements. Changes to a Standard are recorded in ISRMC quarterly minutes so the audit trail stays intact even when operational details evolve.
| Standard | Implements |
|---|---|
| Anti-Fraud Measures Standard (STD-001) | Fraud detection, investigation, reporting |
| Asset Inventory & Management Standard (STD-002) | Hardware, software, data asset inventory |
| Authentication & Authorization Standard (STD-003) | Identity, MFA, session, OAuth / OIDC |
| Change Management Standard (STD-004) | 8-stage change process, sprint cadence, emergency changes |
| Cyber Risk Management Standard (STD-005) | Risk register, scoring, treatment workflow |
| Data Protection Standard (STD-006) | Data classification handling, encryption expectations |
| Email Security Standard (STD-007) | SPF, DKIM, DMARC, phishing controls |
| Encryption Standard (STD-008) | Algorithms, key management, TLS requirements |
| Endpoint Security Standard (STD-009) | Laptop / workstation security baseline |
| Firewall Management Standard (STD-010) | Ingress / egress rules, review cadence |
| Information Logging Standard (STD-011) | What to log, where, retention |
| Log Management Standard (STD-012) | Log pipeline, storage tiers, archival |
| Password Construction Guidelines (STD-013) | Password length, entropy, rotation |
| User Account Lifecycle Standard (STD-014) | Joiner / mover / leaver |
| Vendor Security Assessment Standard (STD-015) | Questionnaire, scoring, contracts, vendor inventory |
Standard summaries:
- Operational methodology implementing the Cyber Risk Management Policy — scoring, categories, treatment, lifecycle, and review cadence.
- Process for evaluating, onboarding, and continuously monitoring third-party vendor security posture. Operationalises the Third-Party & Vendor Management Policy.
- Operational implementation of the Change Management Policy — 8-stage process, Plane conventions, weekly sprint cadence, emergency change and scope-change procedures.
- How we secure API endpoints, from Cloudflare to our StarkNet gateway and application layer.
- How we secure corporate and client-facing email, from phishing protection to DLP and compliance.
- How we manage user accounts from onboarding and provisioning to deactivation and deletion.
- How we track, manage, and secure our IT assets, including hardware, cloud resources, and software licenses.
- Our standard for log collection, storage, retention, and access control across GCP Cloud Logging and AWS CloudWatch.
- How we handle password hashing, communication encryption, secret management, and data encryption.
- How we manage firewall rules and traffic filtering across Cloudflare, AWS WAF, GCP, and our API gateway.
- Our approach to data classification, PII handling, encryption, data subject rights, and retention.
- Our multi-layer approach to fraud detection and prevention, covering authentication, transactions, and technical protections.
- Requirements for system audit logging and log management.
- Best practices and guidelines for creating strong passwords.