Policies

This section contains LEF policies and procedures.

• A policy defines what we require (expectations, constraints, responsibilities).
• A procedure defines how we execute in a specific situation (incidents, vulnerabilities, recovery).

For step-by-step operational runbooks, see Infrastructure Operations.

Start here

Classify information

How to label, store, and share information safely.

Access control

How access is granted, reviewed, and revoked.

Incident response

What to do when you suspect a security incident.

ISO 27001 readiness

A planning view for structuring policies and evidence toward ISO 27001.

Compliance & alignment

Client/vendor questions and framework alignment.

Browse by domain

Area	Notes
Governance & ISMS	Policy governance and ISO 27001 readiness.
Risk management	Methodology, risk register, and Statement of Applicability (SoA).
Suppliers	Supplier security expectations and review approach.
Access	Authentication, authorization, reviews, and revocation.
Data	Classification, retention, deletion, and handling.
Operations	Incidents, vulnerabilities, and operational security procedures.
Continuity	Backups, recovery, and continuity planning.
People & legal	Confidentiality anchors and people-side policy gaps.

Policy library

Policy	Notes
Information classification	Classification levels and handling rules.
Access control	How access is granted, reviewed, and revoked.
Incident response	How we respond to and learn from security incidents.
Vulnerability management	How we track, prioritize, and remediate vulnerabilities.
Backup and recovery	Backup strategy and recovery responsibilities.
Data retention and deletion	Retention rules and secure deletion expectations.
Business continuity and disaster recovery	Continuity objectives, recovery strategy, and responsibilities.
NDA defaults	Default NDA positions and negotiation guardrails.