H33 is building its Information Security Management System on a foundation of SOC 2 Type II certification, post-quantum cryptography, and continuous compliance monitoring via Drata.
Documented information security policy, roles, responsibilities, and segregation of duties. Management direction is established through the Drata policy framework.
Inventory of all information assets, including 13 RDS instances, 56 S3 buckets, and compute infrastructure. Classification and labeling procedures are in place.
Identity and access management with IAM policies, MFA enforcement, 14-char password minimums, 90-day rotation, and role-based FHE permissions with time-bounded grants.
Supplier security requirements documented for AWS, Stripe, Twilio, and Auth1. Data processing agreements in place. Third-party risk assessments conducted.
Incident response plan with severity classification, escalation procedures, and SNS-based real-time alerting. 14 CIS benchmark alarms for automated detection.
Multi-AZ RDS deployment, automated daily backups with KMS encryption, point-in-time recovery, and disaster recovery procedures documented.
Post-quantum cryptographic controls: Kyber-1024 (ML-KEM) key encapsulation, Dilithium (ML-DSA) signatures, and AES-256-GCM symmetric encryption. All KMS keys are rotated automatically every year.
CloudTrail (2 multi-region trails, KMS-encrypted), VPC flow logs (5 VPCs), GuardDuty threat detection, AWS Config continuous recording, and application-level immutable audit logs.
VPC network segmentation, default security groups locked (no rules), TLS 1.2/1.3 on all connections, nginx rate limiting, and IAM Access Analyzer for continuous external access monitoring.
All databases KMS-encrypted at rest. All S3 buckets KMS-encrypted. EBS default encryption enabled. Field-level FHE encryption for sensitive data. Data masking and deletion capabilities (GDPR Right to be Forgotten).
Amazon Inspector enabled for EC2 and Lambda scanning. GuardDuty malware protection for EBS volumes. Dependency scanning in CI/CD pipeline.
GitLab branch protection with required merge request approvals. Code review process enforced. Separate development, staging, and production environments.
Continuous compliance monitoring with automated evidence collection. 114+ controls tested and passing. Real-time drift detection and remediation tracking.
Automated security posture assessment against CIS benchmarks. Findings are triaged and remediated. Integration with GuardDuty, Inspector, and Config provides a unified view.