SOC 2 Operations Runbook

1. Overview

Day-to-day procedures for maintaining SOC 2 Type II compliance. Evidence is tracked in GitHub Issues, stored in evidence/, and controlled documents live in policies/, procedures/, and guides/.

Systems Reference

System	Purpose	Access
Google Workspace Enterprise Standard	Identity, endpoint management, DLP, Vault, audit logs	admin.google.com
CrowdStrike Falcon Enterprise	NGAV, EDR, endpoint containment	falcon.crowdstrike.com
GCP Cloud Monitoring	Uptime checks, alert policies, notification channels, incident alerting	console.cloud.google.com
1Password Business	Credential management, breach monitoring	1password.com
GitHub	Code, change management, workflow tracking, evidence storage	github.com/Meridian7-io
Doppler	Application secrets management	doppler.com
Slack	Communication and alert routing	meridian-seven.slack.com
Cloudflare	WAF, DDoS, CDN, Zero Trust	dash.cloudflare.com
Supabase	Database, auth, audit_log	supabase.com
GCP Cloud Run	Web app and agent service hosting	console.cloud.google.com
Backblaze B2 + Cube Backup	Workspace backup and restore	cubebackup.com

On-Call

Role	Contact
Primary (CTO)	Notified via GCP Cloud Monitoring → Slack `#incidents`
Escalation Backup (CISO)	Notified via Slack DM if no ack in 15 min

2. Weekly Security Review

Frequency: Every Monday | Owner: CTO | SLA: Friday EOD

The weekly GitHub issue is auto-created by security-cadence.yml and pre-populated with real compliance data by weekly_review.py: compliance state from status.json, incident summary from GCP Cloud Monitoring, Dependabot alert counts, CrowdStrike detection summary, and workflow health.

Open the auto-populated GitHub issue for the current week.
Review pre-populated compliance state, incident summary, Dependabot alerts, CrowdStrike detections, and workflow health.
Investigate any flagged items (FAILs, open incidents, critical alerts).
Add follow-up issues for new findings.
Close issue with summary and linked follow-up issue numbers.

Evidence: Completed GitHub issue; automated artifacts in evidence/logs/<system>/YYYY/MM/.

3. Monthly Access Review

Frequency: 1st of each month | Owner: CISO | SLA: 5 business days

The monthly GitHub issue is auto-created by security-cadence.yml and pre-populated with access findings by access_review.py. The script pulls the live roster from Google Workspace, maps each user’s orgUnit to expected access via role-access-map.yaml, and cross-references against evidence artifacts to surface discrepancies directly in the issue.

Open the auto-populated monthly access review GitHub issue.
Review pre-populated access findings — stale accounts, over-provisioned access, and unrecognized tokens are flagged by the script.
Validate each finding: confirm whether it is a true positive or approved exception.
Remediate confirmed findings in the relevant system dashboard.
Run verify to confirm no access-related FAILs post-remediation.
Close issue with summary of findings and actions taken.

Evidence: Completed monthly review GitHub issue; automated access evidence in evidence/logs/.

4. Incident Response Operations

Trigger: GCP Cloud Monitoring alert, CrowdStrike detection, Cloudflare event, or manual discovery | Owner: CISO (triage), CTO (remediation)

Severity	Definition	Response Time
SEV-1	Active breach / system compromise / complete outage	15 minutes
SEV-2	Potential exposure / significant vulnerability / degraded service	1 hour
SEV-3	Security misconfiguration or moderate vulnerability	24 hours
SEV-4	Informational event / policy question	72 hours

GCP Cloud Monitoring fires alert policy, notification channel posts to #incidents with alert details.
Responder acknowledges in Slack #incidents thread.
Triage severity and begin investigation timeline; open GitHub Issue as incident record.
Contain: endpoint (CrowdStrike isolate), account (suspend in Google Workspace), credentials (rotate via Doppler/1Password), active attack (block via Cloudflare WAF).
Investigate with GCP Cloud Logging, CrowdStrike, Google admin logs, platform logs.
Remediate and recover services.
Resolve incident by closing the GitHub Issue.
Complete postmortem within 5 business days (SEV-1/2) via Slack modal for post-mortem capture.

Evidence: GCP Cloud Monitoring alert data (collected nightly to evidence/logs/gcp-monitoring/YYYY/MM/); incident-specific artifacts in evidence/incidents/YYYY/.

5. Onboarding

Trigger: New team member joining | Owner: CTO | SLA: First day of employment

Submit the New Employee Onboarding form in Linear Asks. This creates a Linear issue in the IT Ops team with the full provisioning checklist.
Follow the checklist in the resulting Linear issue step by step:
- Create Google Workspace account manually.
- Run the access-provision.yml workflow for automated provisioning (GitHub, Supabase, Doppler).
- Complete manual provisioning: GCP IAM, 1Password, Slack, Cloudflare (leadership only), Backblaze (leadership only).
- Send welcome email with device setup instructions.
Verify security requirements (MFA, CrowdStrike, device compliance).

Run verify to confirm new user appears correctly in system user lists:

doppler run -p m7-security -c prd -- python3 automation/scripts/runner.py --mode verify --systems google-workspace

Move Linear issue to Done when all checklist items are complete.

Evidence: Completed Linear issue (IT Ops team); access-provision.yml workflow run; nightly evidence collection captures new user in system user lists.

6. Offboarding

Trigger: Team member departure | Owner: CTO | SLA: 24 hours (1 hour for involuntary)

Submit the Employee Offboarding form in Linear Asks. This creates a Linear issue in the IT Ops team with the full deprovisioning checklist and SLA.
Follow the checklist in the resulting Linear issue step by step:
- Suspend Google Workspace account immediately (do NOT delete — 90-day data retention).
- Run the access-provision.yml workflow for automated deprovisioning (GitHub, Supabase, Doppler).
- Complete manual deprovisioning: GCP IAM, 1Password, Slack, Cloudflare, CrowdStrike, Backblaze.
- Rotate impacted Doppler secrets and shared credentials.
- Complete BYOD device offboarding.
Run verify to confirm departed user is absent from all system user lists.
Set issue due date to 90 days from suspension (for Google account deletion) and move to Waiting.
On due date: delete Google account and move issue to Done.

Evidence: Completed Linear issue (IT Ops team); access-provision.yml workflow run; evidence collection confirms user absent from all system user lists.

7. Vulnerability Management

Trigger: Dependabot alert, CrowdStrike finding, manual discovery | Owner: CTO

Severity	SLA
Critical	72 hours
High	7 days
Medium	30 days
Low	Next sprint

Create remediation issue from template; set severity and due date.
Implement fix via PR through standard change process.
Validate closure; attach evidence to evidence/vulnerabilities/YYYY/.
Close issue with verification notes.

8. Backup Restoration Test

Frequency: Quarterly | Owner: CTO

Create quarterly restoration-test issue.
Run Google Workspace restore test (Cube Backup).
Run Supabase PITR restore test (non-production target).
Verify evidence/log presence in evidence/logs/ for recent period.
Document RTO/RPO observations and remediation items.
Close issue with artifacts in evidence/restoration-tests/YYYY/QN/.

9. Vendor Register Review

Frequency: Quarterly (critical) / annually (standard) | Owner: CISO

Open guides/Vendor-Register.md.
Validate SOC 2 report status, risk tier, renewal dates, and data-handling changes.
Add/remove vendors as needed.
Store review artifacts in evidence/vendor-reviews/YYYY/.
Open follow-up issues for missing reports or unresolved risk findings.

10. Nightly Automated Processes

Review these during weekly security review. Failures must be triaged within 24 hours.

Process	Schedule (UTC)	Output
Evidence manifests	06:20 daily	`evidence/automation/manifests/YYYY/MM/DD/`
GitHub control snapshots	06:20 daily	`evidence/logs/github/YYYY/MM/`
GCP Cloud Monitoring evidence	06:30 daily	`evidence/logs/gcp-monitoring/YYYY/MM/`
Cloudflare evidence	06:40 daily	`evidence/logs/cloudflare/YYYY/MM/`
CrowdStrike evidence	06:50 daily	`evidence/logs/crowdstrike/YYYY/MM/`
Google Workspace evidence	07:00 daily	`evidence/logs/google-workspace/YYYY/MM/`
Supabase evidence	07:10 daily	`evidence/logs/supabase/YYYY/MM/`
External systems evidence	07:20 daily	`evidence/logs/<system>/YYYY/MM/`
Compliance verify (`system-verify.yml`)	05:00 nightly	`automation/reports/status.json`
Weekly issue scheduler + data population	Monday	GitHub Issues (pre-populated via `weekly_review.py`)
Monthly issue scheduler + access findings	1st of month	GitHub Issues (pre-populated via `access_review.py`)
Incident post-mortem remind (SEV-1/2)	Nightly	Slack modal prompt if open postmortem
Cube Backup	Nightly	Backblaze B2

11. Evidence Folder Structure

evidence/
  automation/manifests/YYYY/MM/DD/
  weekly-security-reviews/YYYY/
  monthly-access-reviews/YYYY/
  incidents/YYYY/
  vulnerabilities/YYYY/
  access/onboarding/YYYY/
  access/offboarding/YYYY/
  logs/github/YYYY/MM/
  logs/gcp-monitoring/YYYY/MM/
  logs/gcp-cloudrun/YYYY/MM/
  logs/cloudflare/YYYY/MM/
  logs/crowdstrike/YYYY/MM/
  logs/google-workspace/YYYY/MM/
  logs/supabase/YYYY/MM/
  logs/1password/YYYY/MM/
  logs/doppler/YYYY/MM/
  logs/slack/YYYY/MM/
  logs/backblaze/YYYY/MM/
  restoration-tests/YYYY/QN/
  vendor-reviews/YYYY/

12. Auditor Handoff Checklist

Provide read-only access to:

Repository (Meridian7-io/m7-security)
GitHub Issues and GitHub Project
evidence/ tree
Latest policy release artifacts
Vendor register and vendor evidence
Incident history and postmortems
Monthly access review evidence
Weekly security review evidence
Backup restoration test evidence

Appendix: Key SLAs

Activity	SLA
SEV-1 response	15 minutes
SEV-2 response	1 hour
Offboarding completion	24 hours (1 hour involuntary)
Critical vulnerability remediation	72 hours
Postmortem completion	5 business days
Monthly access review	5 business days
Weekly security review closure	Friday EOD

Meridian Seven — Confidential