Create a secure commit policy document for handling cryptographic keys and PII data within a multi-tenant SaaS platform source repository

Existing Security Policy Bundle

Hosting & Architecture Context * Select hosting context On-premises US Federal On-premises State Government On-premises Private Sector AWS US-East-1 (FedRAMP High) AWS GovCloud (CJIS compliant) Azure Government Secret Google Cloud FedRAMP Authorized Multi-cloud Hybrid SaaS multi-tenant with C2M2 maturity 3+ Edge / OT integration

Data Classification Levels * Select data level Public (no restrictions) Internal Use Only (company proprietary) Confidential (PII, business sensitive) Restricted (PHI, financial records) Top Secret (Defense or IC data) Controlled Unclassified Information (CUI) PCI-DSS cardholder data ITAR technical data category VIII GDPR Art 9 special categories Mixed (multiple levels)

Primary Stakeholder Roles * Select policy steward CISO Security Council Product Security Engineering Customer Compliance Board Federal Agency Security Officer External SOC 2 auditor ISO 27001 certification team Internal DevSecOps guild Customer-facing Managed Security Service Provider Legal Privacy Officer (CPO) Joint vendor-customer governance

Key Vault & SCM Combinations *

Mandatory Policy Sections * Select required sections Mandatory code signing with FIPS-validated certs Dual-control review for cryptographic material commits Leaked-secret scanning with pre-receive hooks (TruffleHog/Gitleaks) Branch protection & signed-only merges 2FA hardware token requirement for elevated access Break-glass incident response SLA (≤ 1 hour) Customer-isolated tenant CI runners SBOM generation & vulnerability attestation PII tokenization enforcement in pipeline Audit log capture for 7-year retention

Tooling & Enforcement Stack

Reviewer Persona & SLA * Select reviewer profile Single senior security engineer (< 8 working hrs) Dual security + privacy officer review (< 24 hrs) Customer delegated review (< 48 business hrs) Automated scan + out-of-band spot audit Critical path team lead approval (< 4 hrs) Red-team challenge review (< 5 days) SOC 2 control owner sign-off (< 2 business days) External CREST penetration team (< 10 days)

Custom Acceptable Use Notes

Output Format & Template Language * Choose format ISO 27001 control annex style narrative Agile policy-as-code (OPA & Conftest) SOC 2 Type II control matrix spreadsheet NIST 800-53 concise control statement Markdown in repository SECURITY.md ready for ADR Confluence wiki page with approval table Miro-style flow diagram + PDF narrative Sphinx-generated HTML & searchable PDF