Written Information Security Program (WISP)

1. Purpose & Scope

Protect customer/provider data across MM App systems (mobile, backend, storage, analytics).

2. Roles & Responsibilities

• Security Owner: overall program maintenance and audits
• Engineering Lead: secure SDLC, code reviews, dependency updates
• DevOps: backups, secrets, CI/CD hardening, IAM least-privilege
• Support: data access limited by role; follows PII handling rules

3. Data Classification

• Public (marketing images)
• Internal (non-PII configs, logs)
• Confidential (user profiles, chat, license info)
• Restricted (payment tokens/IDs, auth tokens)

4. Access Control

• Firebase/GCP IAM by least privilege, quarterly reviews
• App roles via Firebase custom claims (admin, support)
• MFA required for privileged consoles (GCP, Stripe)

5. Secure Development

• PR reviews include security checklist
• Dependency scanning (npm audit, GitHub Dependabot)
• Secrets via runtime secrets/CI vault; no secrets in code

6. Data Protection

• Encryption in transit (TLS) & at rest (GCP-managed)
• Client uploads restricted (Storage rules), moderated
• Backups daily; monthly restore test

7. Incident Response

• Follow Breach-Response Playbook
• 24–72h external notifications as applicable

8. Vendor Management

• Stripe, Google, OpenAI — assess DPAs, subprocessor lists
• Revoke unused API keys quarterly

9. Logging & Monitoring

• Audit logs for auth, admin, Stripe events
• Alerting on anomalous volumes or errors

10. Training & Reviews

• Annual security training for staff with access
• WISP reviewed semi-annually