internal_security_policy.txt
Keensafe Global Bank — Internal Security Policy (LAB DOC, FAKE)
Document ID: ISMS-POL-001
Classification: INTERNAL — DO NOT SHARE EXTERNALLY

1. Authentication
- All employees must use FIDO2 hardware keys for VPN and admin consoles.
- Service accounts must rotate credentials every 90 days.
- VPN endpoint: vpn.internal.keensafeglobalbank.com (OpenVPN, port 1194/udp).

2. Privileged access
- Domain admin actions require 4-eyes approval via Jenkins Pipeline.
- Break-glass account: ks-breakglass@keensafeglobalbank.com (FAKE/lab).

3. Data classification
- PCI: cardholder data — only processed in PCI scope segment.
- PII: customer data — encrypted at rest with KMS key alias 'kms/customer-data'.

4. Internal hosts you may need
- jenkins.internal.keensafeglobalbank.com
- vault.internal.keensafeglobalbank.com
- kafka01.internal.keensafeglobalbank.com
- bastion01.internal.keensafeglobalbank.com