generated from coulomb/repo-seed
52 lines
2.3 KiB
Markdown
52 lines
2.3 KiB
Markdown
# Security Readiness Levels
|
|
|
|
Status: initial readiness model extracted from the genesis exploration
|
|
|
|
## Purpose
|
|
|
|
Readiness levels make the catalog operational. They define how strong a
|
|
capability or pattern must be before it is trusted for a given deployment
|
|
stage.
|
|
|
|
## Levels
|
|
|
|
| Level | Name | Suitable for | Minimum expectations |
|
|
| --- | --- | --- | --- |
|
|
| RL0 | Experimental | local prototypes | no production data, no external users, no real secrets in code |
|
|
| RL1 | Internal alpha | internal use | central login preferred, basic access control, secrets not committed, known risks documented |
|
|
| RL2 | Private beta | selected external users | tenant model defined, isolation tested, backups configured, security logging centralized |
|
|
| RL3 | Production | paid customers | MFA for privileged users, least privilege, secrets rotation, auditable admin actions, restore tested |
|
|
| RL4 | Regulated production | high-trust or regulated customers | formal risk management, customer audit logs, artifact provenance, stronger data residency and deletion controls |
|
|
|
|
## Pattern Maturity
|
|
|
|
Pattern maturity is related to readiness, but not identical:
|
|
|
|
```text
|
|
seed -> draft -> reviewed -> canonical -> deprecated
|
|
```
|
|
|
|
- `seed`: captured from exploration, source notes, or external reading.
|
|
- `draft`: written in the pattern template with initial mapping.
|
|
- `reviewed`: checked for threat model, ownership, and verification.
|
|
- `canonical`: accepted as the recommended NetKingdom pattern.
|
|
- `deprecated`: retained for history but no longer recommended.
|
|
|
|
## Evidence By Level
|
|
|
|
| Evidence | RL1 | RL2 | RL3 | RL4 |
|
|
| --- | --- | --- | --- | --- |
|
|
| owner named | required | required | required | required |
|
|
| threat notes | useful | required | required | required |
|
|
| verification checklist | useful | required | required | required |
|
|
| operational runbook | optional | useful | required | required |
|
|
| audit hooks | optional | useful | required | required |
|
|
| restore or failure drill | optional | useful | required | required |
|
|
| standards mapping | optional | useful | useful | required |
|
|
|
|
## NetKingdom Default
|
|
|
|
Patterns that touch identity, authorization, secrets, tenant isolation,
|
|
or privileged access should not be marked canonical below RL3 unless
|
|
their production limitations are explicitly documented.
|