Security Operational Procedures

Application: Aaperture
Version: 1.0
Last Updated: 2025-01-26
Effective Date: 2025-01-26

1. Overview

This document outlines the operational security procedures for Aaperture, including monitoring, incident response, secret rotation, and audit procedures. These procedures ensure continuous security and compliance with CASA Tier 2 requirements.

2. Security Monitoring

2.1 Real-Time Monitoring

Security Alert System:

  • Automated detection of suspicious activities
  • Real-time alerting for security incidents
  • Email notifications for HIGH/CRITICAL incidents
  • Integration with application logging

Monitored Events:

  • Multiple failed authentication attempts (threshold: 5)
  • Rate limit violations (threshold: 3)
  • CSRF violations
  • Permission violations
  • Suspicious API usage patterns

Implementation:

  • Service: SecurityAlertsService
  • File: backend/src/security/security-alerts.service.ts
  • Alert levels: INFO, WARNING, HIGH, CRITICAL
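The following is an added illustration, not the project's SecurityAlertsService: it applies the section 2.1 thresholds to structured events of the section 2.2 shape (user ID, timestamp, action, result) and returns alerts at the four alert levels. The `source` field, the one-hour sliding window and the WARNING level for CSRF/permission violations are assumptions not fixed by this document.

```javascript
// Added example, not the project's SecurityAlertsService: applies the section
// 2.1 thresholds to structured security events (user ID, timestamp, action,
// result, plus an assumed `source` field identifying the client).
const FAILED_AUTH_THRESHOLD = 5;  // failed authentication attempts per source
const RATE_LIMIT_THRESHOLD = 3;   // rate limit violations per source
const WINDOW_MS = 60 * 60 * 1000; // assumed sliding window; section 2.3 reports these per hour

// Count events satisfying `pred` per source, restricted to the window ending at `now`.
function countPerSource(events, pred, now) {
  const counts = new Map();
  for (const e of events) {
    if (!pred(e) || e.ts > now || now - e.ts > WINDOW_MS) continue;
    counts.set(e.source, (counts.get(e.source) || 0) + 1);
  }
  return counts;
}

// Threshold breaches are HIGH (section 3.1); CSRF and permission violations
// are mapped to WARNING here, an assumption the document does not fix.
function evaluateAlerts(events, now) {
  const alerts = [];
  const checks = [
    ['failed_auth', e => e.action === 'auth' && e.result === 'failure', FAILED_AUTH_THRESHOLD],
    ['rate_limit', e => e.action === 'rate_limit' && e.result === 'violation', RATE_LIMIT_THRESHOLD],
  ];
  for (const [type, pred, threshold] of checks) {
    for (const [source, count] of countPerSource(events, pred, now)) {
      if (count >= threshold) alerts.push({ level: 'HIGH', type, source, count });
    }
  }
  for (const e of events) {
    if (['csrf', 'permission'].includes(e.action) && e.result === 'violation') {
      alerts.push({ level: 'WARNING', type: e.action, source: e.source, count: 1 });
    }
  }
  return alerts;
}

// Section 2.1: email notifications only for HIGH/CRITICAL alerts.
const needsEmail = alert => ['HIGH', 'CRITICAL'].includes(alert.level);

// Constructed sample events (RFC 5737 documentation addresses); no token values, per section 2.2.
const NOW = Date.parse('2025-01-26T10:00:00Z');
const SAMPLE_EVENTS = [
  ...Array.from({ length: 5 }, (_, i) => ({ ts: NOW - i * 60000, userId: 'u1', source: '203.0.113.5', action: 'auth', result: 'failure' })),
  { ts: NOW - 2 * WINDOW_MS, userId: 'u1', source: '203.0.113.5', action: 'auth', result: 'failure' }, // stale, outside window
  { ts: NOW - 30000, userId: 'u2', source: '198.51.100.7', action: 'auth', result: 'failure' },        // single failure: no alert
  { ts: NOW - 10000, userId: 'u3', source: '198.51.100.9', action: 'rate_limit', result: 'violation' },
  { ts: NOW - 5000, userId: 'u3', source: '198.51.100.9', action: 'rate_limit', result: 'violation' }, // 2 < threshold of 3
  { ts: NOW - 1000, userId: 'u4', source: '198.51.100.9', action: 'csrf', result: 'violation' },
];
```

Running `evaluateAlerts(SAMPLE_EVENTS, NOW)` yields one HIGH alert for the five failed logins from 203.0.113.5 (the stale sixth attempt is ignored) and one WARNING for the CSRF violation; only the HIGH alert triggers an email.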

2.2 Logging Procedures

Security Event Logging:

  • All authentication attempts (success and failure)
  • OAuth token operations (without token values)
  • Email sending operations (metadata only)
  • Security violations and incidents
  • Administrative actions

Log Format:

  • Structured logging with context
  • User ID, timestamp, action, result
  • No sensitive data in logs (tokens, passwords, email content)

Log Retention:

  • Application logs: 30 days
  • Security logs: 90 days
  • Audit logs: 1 year

2.3 Monitoring Dashboard

Key Metrics:

  • Failed authentication attempts per hour
  • Rate limit violations per hour
  • CSRF violations per day
  • Email sending success rate
  • API error rate

Alert Thresholds:

  • INFO: Normal operations
  • WARNING: Minor anomalies
  • HIGH: Security concerns requiring attention
  • CRITICAL: Immediate security threat

3. Incident Response Procedures

3.1 Incident Classification

CRITICAL:

  • Unauthorized access to user data
  • OAuth token compromise
  • Database breach
  • Active attack in progress

HIGH:

  • Multiple failed authentication attempts from same source
  • Suspicious API usage patterns
  • Rate limit violations indicating potential attack
  • Security configuration errors

WARNING:

  • Single failed authentication attempt
  • Minor permission violations
  • Non-critical security warnings

INFO:

  • Normal security events
  • Routine operations
  • Successful security checks

3.2 Incident Response Steps

Step 1: Detection

  • Automated detection via security alerts
  • Manual review of security logs
  • User reports of suspicious activity
  • External security notifications

Step 2: Assessment

  • Determine incident severity
  • Identify affected systems and users
  • Assess potential impact
  • Classify incident type

Step 3: Containment

  • Isolate affected systems if necessary
  • Revoke compromised credentials
  • Block suspicious IP addresses
  • Disable affected user accounts if needed

Step 4: Investigation

  • Review security logs
  • Analyze attack patterns
  • Identify root cause
  • Document findings

Step 5: Remediation

  • Fix security vulnerabilities
  • Update security configurations
  • Rotate compromised secrets
  • Restore affected systems

Step 6: Recovery

  • Verify system security
  • Restore normal operations
  • Monitor for recurrence
  • User notification if required

Step 7: Post-Incident

  • Document incident details
  • Update security procedures
  • Conduct lessons learned review
  • Update security measures

3.3 Communication Procedures

Internal Communication:

  • Immediate notification to security team for CRITICAL incidents
  • Email alerts for HIGH/CRITICAL incidents
  • Status updates during incident response
  • Post-incident report

External Communication:

  • User notification if data breach occurred
  • Regulatory notification if required (GDPR)
  • Public disclosure if necessary

4. Secret Rotation Procedures

4.1 OAuth Client Credentials

Rotation Frequency: As needed (when compromised or periodically)

Procedure:

  1. Generate new OAuth client ID and secret in Google Cloud Console
  2. Update environment variables:
    • GOOGLE_CLIENT_ID (Web)
    • GOOGLE_IOS_CLIENT_ID (iOS, if mobile app is used)
    • GOOGLE_ANDROID_CLIENT_ID (Android, if mobile app is used)
    • GOOGLE_CLIENT_SECRET
  3. Restart application services
  4. Users will need to reconnect Google Calendar (OAuth flow)
  5. Old credentials can be disabled in Google Cloud Console

Files:

  • Environment variables: .env (production)
  • Configuration: backend/src/auth/google-oauth.service.ts

4.2 Encryption Key

Rotation Frequency: Annually or when compromised

Procedure:

  1. Generate new encryption key:
    node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
  2. Decrypt existing data with old key
  3. Encrypt data with new key
  4. Update environment variable: ENCRYPTION_KEY
  5. Restart application services
  6. Verify data decryption works
  7. Archive old key securely (for data recovery if needed)

Files:

  • Environment variable: ENCRYPTION_KEY
  • Service: backend/src/common/encryption.service.ts

Important: The old key must be retained so that existing data can still be decrypted; a migration script may be needed to re-encrypt it under the new key.

4.3 JWT Secret

Rotation Frequency: Annually or when compromised

Procedure:

  1. Generate new JWT secret (minimum 32 characters)
  2. Update environment variable: JWT_SECRET
  3. Restart application services
  4. All users will need to re-authenticate (tokens invalidated)
  5. Verify authentication works

Files:

  • Environment variable: JWT_SECRET
  • Strategy: backend/src/auth/jwt.strategy.ts

4.4 Database Credentials

Rotation Frequency: Quarterly or when compromised

Procedure:

  1. Create new database user with new password
  2. Update environment variables:
    • DATABASE_URL or individual credentials
  3. Test connection with new credentials
  4. Update application configuration
  5. Restart application services
  6. Verify database operations
  7. Disable old database user

Files:

  • Environment variable: DATABASE_URL
  • Configuration: Database connection settings

4.5 Other Secrets

SMTP Credentials:

  • Rotation: As needed
  • Update: OVH_SMTP_USER, OVH_SMTP_PASSWORD

Cloudflare R2 Credentials:

  • Rotation: As needed
  • Update: R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY

5. Audit Procedures

5.1 Security Audit Schedule

Daily:

  • Review security alerts
  • Check for failed authentication attempts
  • Monitor rate limit violations
  • Review error logs

Weekly:

  • Review security event summary
  • Check for suspicious patterns
  • Review user access patterns
  • Verify backup procedures

Monthly:

  • Comprehensive security log review
  • User access review
  • Permission audit
  • Configuration review

Quarterly:

  • Full security assessment
  • Policy review
  • Procedure updates
  • Training review

5.2 Audit Checklist

Authentication and Authorization:

  • Review failed authentication attempts
  • Verify user access controls
  • Check permission assignments
  • Review OAuth token usage

Data Protection:

  • Verify encryption of sensitive data
  • Check token storage security
  • Review data retention policies
  • Verify data deletion procedures

API Security:

  • Review SMTP email sending usage
  • Check scope validation
  • Verify error handling
  • Review rate limiting

Infrastructure:

  • Verify HTTPS/TLS configuration
  • Check security headers
  • Review CORS configuration
  • Verify environment variable security

Monitoring:

  • Review security alerts
  • Check logging completeness
  • Verify alert thresholds
  • Review incident response

5.3 Audit Documentation

Audit Report Contents:

  • Date and scope of audit
  • Findings and observations
  • Security incidents during period
  • Recommendations
  • Action items and timelines

Audit Report Retention:

  • Quarterly reports: 2 years
  • Annual reports: 5 years
  • Incident reports: Permanent

6. Backup and Recovery Procedures

6.1 Database Backups

Backup Frequency:

  • Daily automated backups
  • Weekly full backups
  • Monthly archive backups

Backup Storage:

  • Encrypted backups
  • Off-site storage
  • Multiple backup copies
  • Retention: 30 days (daily), 90 days (weekly), 1 year (monthly)

Recovery Testing:

  • Monthly recovery test
  • Verify backup integrity
  • Test recovery procedures
  • Document recovery time

6.2 Configuration Backups

Backed Up Configuration:

  • Environment variables (encrypted)
  • Application configuration
  • Security settings
  • OAuth client configurations

Backup Storage:

  • Secure configuration repository
  • Encrypted storage
  • Access control
  • Version control

6.3 Recovery Procedures

Database Recovery:

  1. Identify backup to restore
  2. Verify backup integrity
  3. Restore database from backup
  4. Verify data integrity
  5. Restart application services
  6. Test application functionality

Configuration Recovery:

  1. Identify configuration version
  2. Restore from secure repository
  3. Update environment variables
  4. Restart application services
  5. Verify configuration

7. Email Sending Operational Procedures

7.1 SMTP Email Sending Monitoring

Daily Checks:

  • Monitor SMTP email sending success rate
  • Check for SMTP configuration errors
  • Review email delivery time
  • Verify SMTP connection health

Weekly Review:

  • Review email sending success rate
  • Check for users with email sending issues
  • Verify SMTP configuration effectiveness
  • Review error patterns

7.2 Email Sending Metrics

Metrics to Monitor:

  • Email sending success rate
  • SMTP error rate
  • Email delivery time
  • Failed email attempts

Alert Thresholds:

  • WARNING: Success rate < 95%
  • HIGH: Success rate < 90%
  • CRITICAL: Success rate < 80%

7.3 SMTP Configuration Procedures

SMTP Configuration:

  1. Verify SMTP credentials are configured
  2. Test SMTP connection
  3. Log SMTP configuration status
  4. Alert if SMTP unavailable

Before Each Email Send:

  1. Verify SMTP transporter is available
  2. Validate email content
  3. Proceed with email send via SMTP

8. Access Control Procedures

8.1 User Access Management

New User Onboarding:

  1. User registration with email verification
  2. Account activation required
  3. Default permissions assigned
  4. Security policies communicated

User Access Review:

  • Quarterly review of active users
  • Review of permission assignments
  • Verification of account status
  • Removal of inactive accounts

8.2 Administrative Access

Administrator Account Management:

  • Minimal number of admin accounts
  • Strong password requirements
  • Two-factor authentication (planned)
  • Regular access reviews

Administrative Action Logging:

  • All admin actions logged
  • Audit trail for sensitive operations
  • Regular review of admin logs
  • Alert on suspicious admin activity

9. Security Training and Awareness

9.1 Security Training

Topics Covered:

  • Security policies and procedures
  • Incident response procedures
  • Secure coding practices
  • Data protection requirements

Training Frequency:

  • Initial training for new team members
  • Annual refresher training
  • Updates when policies change
  • Incident-based training

9.2 Security Awareness

Regular Communications:

  • Security updates and alerts
  • Policy changes
  • Incident summaries (anonymized)
  • Best practices reminders

10. Compliance Monitoring

10.1 CASA Tier 2 Compliance

Monthly Checks:

  • Verify restricted scope usage
  • Review OAuth token security
  • Check scope validation
  • Review error handling

Quarterly Review:

  • Full compliance assessment
  • Policy compliance verification
  • Procedure effectiveness review
  • Update documentation as needed

10.2 GDPR Compliance

Regular Checks:

  • User data access controls
  • Data retention policies
  • User rights implementation
  • Privacy policy updates

11. Procedure Updates

11.1 Update Triggers

  • Security incidents
  • Policy changes
  • Technology changes
  • Compliance requirements
  • Best practice updates

11.2 Update Process

  1. Identify need for update
  2. Draft updated procedures
  3. Review by security team
  4. Approval process
  5. Communication to team
  6. Implementation
  7. Training if needed

Document Version: 1.0
Last Updated: 2025-01-26
Next Review: 2025-04-26