Beacon Test IT and Security Runbook

Effective Date: June 25, 2026
Document Owner: IT Operations

Account Access Requests

New application access must be requested through the Beacon Test access request queue. The request must include the employee name, department, manager approver, system name, requested role, and business justification. Managers must approve standard access requests before IT provisions the account. Standard requests should be completed within 2 business days after approval.

Privileged access requests require approval from both the manager and the Security Lead. Privileged access expires after 90 days unless the manager renews it. Shared user accounts are not allowed.

Password and MFA Requirements

All employees must use multi-factor authentication for email, document storage, source control, finance tools, and production systems. Passwords must be at least 12 characters long. Employees may not reuse passwords from personal accounts or other work systems.

Password reset requests should be sent to helpdesk@beacontest.example. If a user loses access to their MFA device, the Helpdesk must verify the user with a manager-confirmed callback before resetting MFA.

Device Loss Procedure

Lost or stolen laptops and mobile devices must be reported within 1 hour of discovery. Employees should notify security@beacontest.example and their manager. The IT team must remotely lock the device, revoke active sessions, rotate affected credentials, and document the incident in the security incident log. If customer data may have been exposed, the Security Lead must notify Legal within 4 hours.

Production Change Controls

Production changes require a change ticket, rollback plan, test evidence, and approval from the service owner. Normal production releases should be scheduled between 10:00 AM and 2:00 PM Pacific Time, Monday through Thursday.

Emergency changes may be approved by the Incident Commander during an active incident. Emergency changes must receive retrospective review within 2 business days.

Data Retention and Deletion

Support logs are retained for 180 days. Security audit logs are retained for 1 year. Customer-uploaded files marked for deletion should be removed from primary storage within 7 days and from backups according to the backup lifecycle. Requests for legal hold must be sent to legal@beacontest.example before any deletion job runs.