Security Operations Schedule
Last Updated: 2026-02-04 Owner: Engineering Team
This document defines recurring security operations required for compliance and security posture maintenance.
Daily Operations
Automated (No Action Required)
- CloudWatch alarms monitor audit failures
- Rate limiting enforces request quotas
- CSRF protection validates state-changing requests
- File upload validation checks all uploads
Manual Review (If Alerts Fire)
- Check CloudWatch alarm notifications
- Review Sentry error reports for security-related errors
- Investigate any authentication anomalies
Weekly Operations
Every Monday
Audit Log Review (~15 minutes)
-- Check for unusual patterns
SELECT action, COUNT(*), DATE(created_at) as day
FROM audit_log
WHERE created_at > NOW() - INTERVAL '7 days'
GROUP BY action, DATE(created_at)
ORDER BY day DESC, COUNT(*) DESC;
-- Check failed actions
SELECT action, error_message, COUNT(*)
FROM audit_log
WHERE success = false
AND created_at > NOW() - INTERVAL '7 days'
GROUP BY action, error_message
ORDER BY COUNT(*) DESC
LIMIT 20;
Security Dashboard Review (~5 minutes)
- Log into AWS Console
- Navigate to CloudWatch > Dashboards > invapp-dev-security
- Review:
- Audit failure trends
- Authentication failure patterns
- Rate limit hit frequency
Every Friday
Dependency Security Check (~10 minutes)
# Check for known vulnerabilities
npm audit
# Review high/critical issues
npm audit --audit-level=high
Document any deferred updates in docs/production-blockers.md.
Monthly Operations
First Week of Month
Authentication & Authorization Review (~1 hour)
Checklist:
- Review new API routes added in past month
- Verify all routes use
createProtectedRoute()wrapper - Check for any hardcoded credentials in codebase
- Review Cognito user pool settings
# Search for potential hardcoded secrets
grep -r "password\|secret\|api_key\|apikey" --include="*.ts" --include="*.tsx" | grep -v node_modules | grep -v ".test."
Second Week of Month
Error Handling Review (~30 minutes)
- Review Sentry error trends
- Check for any new unhandled error patterns
- Verify error responses don't leak sensitive information
Third Week of Month
Test Coverage Review (~30 minutes)
# Run tests with coverage
npm run test:coverage
# Review coverage report
open coverage/lcov-report/index.html
- Verify critical paths still have coverage
- Add tests for any new security-sensitive code
- Review and update skipped tests
Fourth Week of Month
Compliance Control Verification (~1 hour)
HIPAA Controls:
- Audit logs are being written
- PHI flags are being set appropriately
- Access controls are enforced
- Session timeouts are working
FedRAMP Controls:
- MFA is required for all users
- Password policy is enforced
- Rate limiting is active
- CSRF protection is working
Quarterly Operations
Every Quarter (Jan, Apr, Jul, Oct)
Full Security Posture Review (~4 hours)
-
Infrastructure Review
- Review AWS IAM policies
- Check S3 bucket policies
- Verify RDS security groups
- Review Cognito settings
-
Code Security Review
- Run Semgrep security scan locally
- Review any security-related TODOs
- Check for outdated dependencies
- Review encryption implementations
-
Threat Model Update
- Review for new attack vectors
- Update threat model if architecture changed
- Document any new risks
-
Documentation Update
- Update security assessment document
- Review and update this operations schedule
- Update compliance controls documentation
Credential Rotation (~2 hours)
- Rotate database credentials
- Rotate API keys approaching expiry
- Rotate encryption keys if needed
- Update Secrets Manager values
- Verify application still functions after rotation
Incident Response Plan Review (~1 hour)
- Review incident response procedures
- Verify contact information is current
- Conduct tabletop exercise if time permits
Annual Operations
Every January
External Penetration Test (~1-2 weeks)
- Select vendor (if not already contracted)
- Define scope:
- Web application testing
- API security testing
- AWS infrastructure review
- Schedule test window
- Receive and review report
- Remediate critical/high findings
- Schedule re-test if needed
SOC 2 Audit Preparation (if pursuing)
- Gather evidence for controls
- Update policies and procedures
- Prepare access reviews
- Document change management
Every June
HIPAA Risk Assessment Update
- Review risk assessment document
- Update for any infrastructure changes
- Document new risks and mitigations
- Update BAA agreements if needed
Security Awareness Training
- Conduct security training for team
- Document training completion
- Update training materials
Escalation Procedures
Severity Levels
| Level | Description | Response Time |
|---|---|---|
| Critical | Active breach, data exposure | Immediate |
| High | Vulnerability being exploited | < 4 hours |
| Medium | Vulnerability discovered, no active exploit | < 24 hours |
| Low | Security improvement opportunity | < 1 week |
Escalation Contacts
- Primary: Engineering Lead
- Secondary: CTO/Founder
- External: AWS Support (for infrastructure)
Incident Response Steps
- Contain: Stop the immediate threat
- Assess: Determine scope and impact
- Notify: Alert stakeholders as needed
- Remediate: Fix the vulnerability
- Document: Create incident report
- Review: Update procedures to prevent recurrence
Review Log
| Date | Reviewer | Changes Made |
|---|---|---|
| 2026-02-04 | Claude | Initial document creation |
Quick Reference Commands
# Check audit health
curl -s http://localhost:3000/api/admin/audit-health | jq
# Run security scan
npx semgrep --config auto .
# Check for secrets in code
git secrets --scan
# Verify CSRF is working
curl -X POST http://localhost:3000/api/test \
-H "Content-Type: application/json" \
-d '{"test": true}'
# Should return 403
# Check file validation
# Upload should reject .exe files
# Test rate limiting
for i in {1..20}; do curl -s http://localhost:3000/api/rate-limited-endpoint; done
Schedule maintained by Engineering Team. Review quarterly.