Segregation of Duties Matrix
1. Purpose
Defines the SoD framework for Meridian Seven: which roles may perform which duties, where full segregation is not achievable at the organization's current size, and the compensating controls in place to mitigate the associated risk. Satisfies Trust Services Criteria CC5.1 and CC5.2.
2. Scope
All four personnel roles — CTO, CISO, Developer, and authorized contractors — across all 12 in-scope systems.
3. Organizational Context
Meridian Seven is a 4-person organization. Complete segregation is not achievable for every function. This document explicitly acknowledges those gaps and documents compensating controls that reduce associated risk to an acceptable level. Where full segregation exists, it is enforced by system-level controls, not policy alone.
4. Duty Assignment Matrix
| Duty | CTO | CISO | Developer | Compensating Control |
|---|---|---|---|---|
| Code development | Yes | No | Yes | PR review required before merge (GitHub CODEOWNERS + branch protection) |
| Code review / approval | Yes | Yes | Yes | Cannot approve own PRs (branch protection ruleset enforces required reviewer) |
| Production deployment | Automatic on merge | Automatic on merge | Automatic on merge | Deployment only after PR approval; no direct push to main |
| Infrastructure changes (GCP, Cloudflare) | Yes | Read-only | No | All changes logged; SOC 2 automation verifies configuration nightly |
| Secret management (Doppler — production) | Yes | Yes | Read-only | Doppler audit log captures all access; production config requires elevated role |
| User provisioning (Google Workspace) | Yes | Yes | No | Monthly access review; provisioning requires CISO or CTO |
| Security monitoring (CrowdStrike, GCP Cloud Monitoring) | Yes | Yes | Read-only | Automated alerts to #security-alerts; no analyst can silence alerts unilaterally |
| Incident response | Yes | Yes (Lead) | Assist | IRP requires post-incident review by uninvolved party |
| Policy authoring | Yes | Yes | No | PR required; CODEOWNERS enforces reviewer for policies/ directory |
| Backup management (Backblaze) | Yes | No | No | Automated lifecycle policies; retention verified by SOC 2 runner |
| Financial / billing | CTO only | No | No | Isolated from all technical access; separate login credentials |
| Access provisioning (all systems) | Yes | Yes | No | No self-provisioning; CISO or CTO approves all access requests |
| Risk acceptance (High / Critical) | Yes (approves) | Yes (recommends) | No | Dual-role: CISO recommends, CTO approves; neither can unilaterally accept High risk |
5. Access Level Summary by System
| System | CTO | CISO | Developer |
|---|---|---|---|
| GitHub (Meridian7-io) | Owner | Admin | Member |
| Google Workspace | Super Admin | Admin | User |
| Cloudflare | Admin | Read-only | No access |
| CrowdStrike | Admin | Admin | Read-only |
| 1Password | Owner | Admin | Member |
| Doppler | Owner | Admin | Developer (production: read-only) |
| GCP Cloud Monitoring | Admin | Admin | Read-only |
| Supabase | Admin | Admin | Developer (dev/staging only) |
| GCP (Cloud Run) | Owner | Editor | Viewer |
| Slack | Owner | Admin | Member |
| Backblaze | Admin | No access | No access |
6. Key Segregation Points
6.1 Code Development and Deployment
- A developer cannot merge their own code to main. Branch protection requires at least one approving review from a different user.
- CODEOWNERS assigns required reviewers for sensitive paths: policies/, procedures/, guides/, .github/workflows/, and infrastructure configuration.
- Deployment is fully automated on merge — no manual deployment step that could bypass the preceding approval.
6.2 Access Provisioning
- No user may request and approve their own access. All provisioning requires CISO or CTO approval.
- All access changes reviewed monthly and documented in the Monthly Access Review.
6.3 Secret Management
- Production secrets in Doppler require an elevated role. Developers have read-only access to production configs.
- All Doppler access is logged; logs collected as evidence by the SOC 2 automation framework.
6.4 Financial Controls
- Billing and financial access is restricted to the CTO, separated from all technical system access.
- No engineer or CISO has access to payment accounts or financial management tools.
7. Compensating Controls for Small-Team Gaps
| Gap | Compensating Control | Evidence Source |
|---|---|---|
| CTO and CISO both have admin access to most systems | Monthly access review; all privileged actions logged | Doppler, GitHub, and system audit logs |
| Only two people can approve a High-risk decision | Both must agree; disagreement escalates to CEO per Governance Policy §4.3 | Governance Policy |
| CTO could theoretically approve their own policy PR | CODEOWNERS requires @Meridian7-io/security-reviewers group; CTO is not sole member | .github/CODEOWNERS |
| Developers have member-level GitHub access | Cannot push to main; cannot approve own PRs; no production system access | GitHub ruleset 12837880 |
| Backblaze managed by CTO only | Automated lifecycle policies enforce retention without manual intervention; verified nightly | SOC 2 runner backblaze module |
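The controls in 6.1 and the third row of the table above both depend on one property of the CODEOWNERS file: for every sensitive path, the required reviewer must resolve to at least one person other than the PR author. The following script is an added example of how to check that property offline; it is not Meridian Seven's own SOC 2 tooling. The CODEOWNERS text, the team roster, and the account handles (`@cto-handle`, `@ciso-handle`) are constructed for illustration, and the pattern matching is a simplified version of GitHub's gitignore-style rules (directory prefixes and globs, last matching rule wins).

```python
"""Check that CODEOWNERS cannot leave the PR author as the only eligible reviewer.

Added example for this page, not Meridian Seven's tooling. The CODEOWNERS
content, team roster, and handles below are constructed; the matching logic is a
simplified model of GitHub's semantics (directory prefix or glob, last rule wins).
"""
import fnmatch

# Constructed CODEOWNERS file. The default rule names a single person, which is
# exactly the kind of entry this check is meant to catch.
CODEOWNERS = """
# default owner for anything not covered below
*                     @cto-handle
policies/             @Meridian7-io/security-reviewers
procedures/           @Meridian7-io/security-reviewers
guides/               @Meridian7-io/security-reviewers
.github/workflows/    @Meridian7-io/security-reviewers
infra/                @Meridian7-io/security-reviewers
"""

# Constructed roster: team name from Section 7, placeholder member handles.
TEAMS = {"@Meridian7-io/security-reviewers": {"@cto-handle", "@ciso-handle"}}


def parse_codeowners(text):
    """Return (pattern, owners) pairs in file order, comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _matches(pattern, path):
    """Simplified matcher: trailing '/' means directory prefix, else a glob."""
    p = pattern.lstrip("/")
    if p.endswith("/"):
        return path.startswith(p)
    basename = path.rsplit("/", 1)[-1]
    return fnmatch.fnmatch(path, p) or fnmatch.fnmatch(basename, p)


def owners_for(rules, path):
    """Owners of a path; the last matching rule wins, as on GitHub."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(pattern, path):
            owners = rule_owners
    return owners


def independent_reviewers(owners, author, teams=TEAMS):
    """People who can satisfy the code-owner rule without being the author."""
    people = set()
    for owner in owners:
        people |= teams.get(owner, {owner})  # expand teams, keep individuals
    people.discard(author)
    return people


def sod_violations(rules, paths, authors, teams=TEAMS):
    """(path, author) pairs where the author would be the only eligible owner."""
    findings = []
    for path in paths:
        owners = owners_for(rules, path)
        for author in authors:
            if not independent_reviewers(owners, author, teams):
                findings.append((path, author))
    return findings


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    checked = ["policies/sod-matrix.md", ".github/workflows/ci.yml", "src/app.py"]
    for finding in sod_violations(rules, checked, ["@cto-handle", "@ciso-handle"]):
        print("no independent code owner for", *finding)
```

The constructed file passes for every path under `policies/` and `.github/workflows/` because the team has two members, but fails for `src/app.py` when the CTO is the author, since the `*` default names one individual. That is the situation the "CTO could theoretically approve their own policy PR" row is guarding against; note that this check covers only the code-owner requirement, and the separate "one approving review from a different user" branch-protection rule still applies regardless of CODEOWNERS.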
8. Violations and Enforcement
- SoD violations (e.g., self-approved PRs, unauthorized access elevation) flagged during Monthly Access Reviews
- Violations resolved within 5 business days and reported to the CTO
- System-enforced controls (branch protection, CODEOWNERS, Doppler role restrictions) take precedence over policy — no override permitted without documented emergency justification reviewed post-action
9. Review Cadence
Reviewed quarterly alongside the access review. Updated whenever a role changes, a new system is added to scope, or an access level changes. CISO maintains this document.
10. Related Documents
- Access Control Policy
- Governance and Organization Policy
- Change Management Policy
- Incident Response Plan
- Information Security Policy
Meridian Seven — Confidential