
Risk Assessment & Tabletop Exercise Policy

Document ID: PLCY-RSK-001
Version: 1.0
Effective Date: December 22, 2025
Last Review: December 22, 2025
Owner: Hop And Haul Team


CONFIDENTIAL

This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.

1. Purpose

This document establishes the framework for conducting risk assessments and tabletop exercises to identify, evaluate, and mitigate risks to Hop And Haul's operations, data, and infrastructure.


2. Scope

This policy applies to:

  • All Hop And Haul production systems and infrastructure
  • Third-party integrations and dependencies
  • Business processes and operational procedures
  • Personnel and organizational risks
  • Regulatory and compliance obligations

3. Risk Assessment Framework

3.1 Risk Categories

| Category | Description | Examples |
|----------|-------------|----------|
| Infrastructure | AWS, Cloudflare, network failures | Region outage, tunnel disruption |
| Application | Swift Vapor runtime, logic errors | Memory issues, API failures |
| Data | PostgreSQL, data integrity, loss | Corruption, breach, ransomware |
| Security | Authentication, authorization | JWT compromise, privilege escalation |
| Compliance | Regulatory, contractual | DOT violations, data privacy |
| Operational | Process, human error | Misconfiguration, deployment failure |
| Third-Party | Vendor, supply chain | Provider outage, API deprecation |

3.2 Risk Scoring Matrix

Likelihood Scale:

| Score | Likelihood | Frequency |
|-------|------------|-----------|
| 1 | Rare | Less than once per 5 years |
| 2 | Unlikely | Once per 2-5 years |
| 3 | Possible | Once per 1-2 years |
| 4 | Likely | Multiple times per year |
| 5 | Almost Certain | Monthly or more frequent |

Impact Scale:

| Score | Impact | Description |
|-------|--------|-------------|
| 1 | Negligible | Minor inconvenience, no data loss |
| 2 | Minor | Limited service degradation, <1 hour |
| 3 | Moderate | Partial outage, 1-4 hours, limited data impact |
| 4 | Major | Full outage, 4-24 hours, significant data impact |
| 5 | Critical | Extended outage, data breach, regulatory action |

Risk Rating (score = Likelihood × Impact):

| Rating | Score Range | Action Required |
|--------|-------------|-----------------|
| Critical | 20-25 | Immediate mitigation required |
| High | 12-19 | Mitigation within 30 days |
| Medium | 6-11 | Mitigation within 90 days |
| Low | 1-5 | Accept or monitor |

4. Risk Register

4.1 Infrastructure Risks

| ID | Risk | Likelihood | Impact | Rating | Mitigation | Owner |
|----|------|------------|--------|--------|------------|-------|
| INF-001 | AWS region failure | 2 | 5 | 10 (M) | Multi-region deployment, automated failover | Infrastructure |
| INF-002 | Cloudflare tunnel disruption | 2 | 4 | 8 (M) | Backup DNS, direct failover capability | Infrastructure |
| INF-003 | Database instance failure | 3 | 4 | 12 (H) | Multi-AZ, read replicas, automated failover | Infrastructure |
| INF-004 | S3 availability loss | 1 | 3 | 3 (L) | Cross-region replication | Infrastructure |
| INF-005 | Network partition | 2 | 4 | 8 (M) | Multi-AZ, health checks | Infrastructure |

4.2 Application Risks

| ID | Risk | Likelihood | Impact | Rating | Mitigation | Owner |
|----|------|------------|--------|--------|------------|-------|
| APP-001 | Memory safety issue | 1 | 4 | 4 (L) | Swift memory safety, code review | Development |
| APP-002 | API performance degradation | 3 | 3 | 9 (M) | Auto-scaling, caching, monitoring | Development |
| APP-003 | Deployment failure | 3 | 3 | 9 (M) | Blue-green deployment, rollback | DevOps |
| APP-004 | Configuration drift | 2 | 3 | 6 (M) | Infrastructure as code, drift detection | Infrastructure |
| APP-005 | Dependency vulnerability | 3 | 4 | 12 (H) | Dependency scanning, update policy | Security |

4.3 Security Risks

| ID | Risk | Likelihood | Impact | Rating | Mitigation | Owner |
|----|------|------------|--------|--------|------------|-------|
| SEC-001 | JWT key compromise | 2 | 5 | 10 (M) | Key rotation, HSM storage, monitoring | Security |
| SEC-002 | Privilege escalation | 2 | 5 | 10 (M) | Role-based access, audit logging | Security |
| SEC-003 | Cross-tenant data access | 1 | 5 | 5 (L) | Org-scoped queries, tenant isolation | Development |
| SEC-004 | DDoS attack | 3 | 3 | 9 (M) | Cloudflare protection, rate limiting | Infrastructure |
| SEC-005 | Credential stuffing | 4 | 3 | 12 (H) | Rate limiting, MFA, monitoring | Security |

4.4 Data Risks

| ID | Risk | Likelihood | Impact | Rating | Mitigation | Owner |
|----|------|------------|--------|--------|------------|-------|
| DAT-001 | Database corruption | 2 | 5 | 10 (M) | Point-in-time recovery, integrity checks | Infrastructure |
| DAT-002 | Accidental data deletion | 3 | 4 | 12 (H) | Soft deletes, backup retention, RBAC | Development |
| DAT-003 | Ransomware | 2 | 5 | 10 (M) | Immutable backups, network segmentation | Security |
| DAT-004 | Data exfiltration | 2 | 5 | 10 (M) | DLP, encryption, access controls | Security |
| DAT-005 | Backup failure | 2 | 4 | 8 (M) | Backup monitoring, restoration testing | Infrastructure |

4.5 Compliance Risks

| ID | Risk | Likelihood | Impact | Rating | Mitigation | Owner |
|----|------|------------|--------|--------|------------|-------|
| CMP-001 | DOT regulation violation | 2 | 4 | 8 (M) | Policy controls, driver state validation | Operations |
| CMP-002 | Data privacy breach | 2 | 5 | 10 (M) | Encryption, access controls, audit | Security |
| CMP-003 | Audit finding | 3 | 3 | 9 (M) | Continuous compliance, control testing | Compliance |
| CMP-004 | Contract breach | 2 | 4 | 8 (M) | SLA monitoring, incident response | Operations |
| CMP-005 | Records retention failure | 2 | 3 | 6 (M) | Automated retention, policy enforcement | Compliance |

4.6 Third-Party Risks

| ID | Risk | Likelihood | Impact | Rating | Mitigation | Owner |
|----|------|------------|--------|--------|------------|-------|
| TPR-001 | Cloudflare service outage | 1 | 5 | 5 (L) | Backup DNS, direct access capability | Infrastructure |
| TPR-002 | AWS service degradation | 2 | 4 | 8 (M) | Multi-region, service redundancy | Infrastructure |
| TPR-003 | Payment processor failure | 2 | 4 | 8 (M) | Backup processor, queue management | Operations |
| TPR-004 | Insurance API unavailable | 3 | 3 | 9 (M) | Caching, manual verification workflow | Operations |
| TPR-005 | Twilio outage | 2 | 3 | 6 (M) | Backup voice provider, SMS fallback | Operations |

5. Tabletop Exercise Program

5.1 Exercise Schedule

| Exercise Type | Frequency | Duration | Participants |
|---------------|-----------|----------|--------------|
| Security incident | Quarterly | 2 hours | Security, Infrastructure, Operations |
| Infrastructure failure | Quarterly | 2 hours | Infrastructure, Operations, Development |
| Data breach | Bi-annually | 4 hours | All departments + Legal |
| Business continuity | Annually | Full day | Executive team + All departments |
| Compliance scenario | Annually | 2 hours | Compliance, Legal, Operations |

5.2 Exercise Scenarios

Scenario Library

| ID | Scenario | Category | Complexity |
|----|----------|----------|------------|
| TTX-001 | AWS us-east-1 complete outage | Infrastructure | High |
| TTX-002 | Cloudflare Zero Trust compromise | Security | High |
| TTX-003 | PostgreSQL data corruption | Data | Medium |
| TTX-004 | JWT signing key leaked | Security | High |
| TTX-005 | Ransomware attack | Security | Critical |
| TTX-006 | Insider threat - data exfiltration | Security | High |
| TTX-007 | Third-party API breach | Third-Party | Medium |
| TTX-008 | DOT audit with deficiencies | Compliance | Medium |
| TTX-009 | Driver safety incident cascade | Operational | Medium |
| TTX-010 | Multi-tenant data exposure | Security | Critical |

5.3 Scenario: AWS Region Failure (TTX-001)

Scenario Brief:

At 2:00 PM EST on a Tuesday, AWS reports a major outage affecting us-east-1. All EC2, RDS, and S3 services in the region are unavailable. The outage is expected to last 4-6 hours. Hop And Haul has active drivers on the road and pending transactions.

Inject Timeline:

| Time | Inject | Expected Response |
|------|--------|-------------------|
| T+0 | AWS status page shows us-east-1 degraded | Monitoring alerts trigger |
| T+5m | Customer reports API errors | Incident declared |
| T+15m | AWS confirms extended outage | DR plan activated |
| T+30m | Social media complaints increasing | Communications plan activated |
| T+1h | Competitor offers driver incentives | Business decision required |
| T+2h | Driver stranded mid-route | Safety protocol activation |
| T+4h | AWS begins recovery | Failback planning |

Discussion Questions:

  1. How quickly can we detect the outage versus relying on AWS status?
  2. What is our communication plan for drivers mid-transaction?
  3. How do we handle the data synchronization during failback?
  4. What manual processes can we activate for critical operations?

5.4 Scenario: JWT Signing Key Compromise (TTX-004)

Scenario Brief:

Security monitoring detects unusual token patterns suggesting the JWT signing key may have been compromised. An attacker could be forging authentication tokens to access any account.

Inject Timeline:

| Time | Inject | Expected Response |
|------|--------|-------------------|
| T+0 | Anomaly detected: token from unknown IP | Security alert |
| T+5m | Second anomalous token detected | Investigation initiated |
| T+15m | Pattern suggests key compromise | Incident escalation |
| T+30m | Confirm: forged tokens in use | Key rotation decision |
| T+45m | Key rotated, all sessions invalidated | Mass user logout |
| T+1h | User complaints spike | Communications response |
| T+2h | Forensics identifies leak source | Remediation planning |

Discussion Questions:

  1. What is our threshold for declaring a key compromise?
  2. How do we balance security (rotate now) vs. user experience (mass logout)?
  3. How do we communicate with users about forced re-authentication?
  4. What forensic data do we need to preserve?

5.5 Scenario: Multi-Tenant Data Exposure (TTX-010)

Scenario Brief:

A customer reports seeing another organization's data in their dashboard. Investigation reveals a code deployment introduced a bug that bypassed org_id filtering in certain queries.

Inject Timeline:

| Time | Inject | Expected Response |
|------|--------|-------------------|
| T+0 | Customer support ticket: "seeing wrong data" | Triage |
| T+10m | Confirmed: cross-tenant data visible | Severity escalation |
| T+20m | Bug identified in recent deployment | Rollback decision |
| T+30m | Scope assessment: 50 orgs potentially affected | Breach notification assessment |
| T+1h | Rollback complete, access restored | Forensic analysis |
| T+2h | Full exposure scope determined | Legal consultation |
| T+24h | Notification decision required | Customer communication |

Discussion Questions:

  1. At what point does this become a reportable breach?
  2. How do we determine the full scope of data exposure?
  3. What is our communication strategy with affected tenants?
  4. How do we prevent similar bugs from reaching production?

6. Exercise Execution

6.1 Pre-Exercise Preparation

| Task | Owner | Timeline |
|------|-------|----------|
| Select scenario | Security Director | T-4 weeks |
| Customize injects | Exercise facilitator | T-3 weeks |
| Identify participants | Department leads | T-2 weeks |
| Schedule exercise | Operations | T-2 weeks |
| Prepare materials | Exercise facilitator | T-1 week |
| Brief participants (no spoilers) | Exercise facilitator | T-1 day |

6.2 Exercise Roles

| Role | Responsibilities |
|------|------------------|
| Facilitator | Runs exercise, delivers injects, manages time |
| Scribe | Documents responses, decisions, action items |
| Participants | Respond to scenario, make decisions |
| Observer | Notes process effectiveness, gaps |
| Subject Matter Expert | Provides technical clarification |

6.3 Exercise Ground Rules

  1. No "out of game" discussions during exercise
  2. Make decisions with information available at that inject
  3. Assume normal staffing levels
  4. Document assumptions explicitly
  5. No judgment - focus on learning
  6. Phones silenced unless playing a role

6.4 Post-Exercise Activities

| Activity | Timeline | Owner |
|----------|----------|-------|
| Hot wash (immediate debrief) | End of exercise | Facilitator |
| Detailed report | T+1 week | Scribe |
| Action item assignment | T+1 week | Security Director |
| Gap remediation | T+30-90 days | Action owners |
| Follow-up exercise (if needed) | T+6 months | Security Director |

7. Exercise Documentation

7.1 Exercise Report Template

TABLETOP EXERCISE REPORT

Exercise ID: TTX-YYYY-MM-###
Date: [Date]
Scenario: [Scenario ID and Title]
Duration: [Actual duration]
Facilitator: [Name]

PARTICIPANTS
- [Name, Role, Department]
- ...

SCENARIO SUMMARY
[Brief description of scenario and objectives]

TIMELINE OF RESPONSES
| Time | Inject | Response | Decision Made |
|------|--------|----------|---------------|

KEY DECISIONS
1. [Decision and rationale]
2. ...

GAPS IDENTIFIED
| Gap | Severity | Recommendation |
|-----|----------|----------------|

ACTION ITEMS
| Item | Owner | Due Date | Status |
|------|-------|----------|--------|

LESSONS LEARNED
1. [Lesson]
2. ...

RECOMMENDATIONS FOR NEXT EXERCISE
[Suggestions for future exercises]

SIGN-OFF
Facilitator: _____________ Date: _______
Security Director: _____________ Date: _______

8. Risk Assessment Process

8.1 Annual Risk Assessment

| Phase | Activities | Timeline |
|-------|------------|----------|
| Planning | Define scope, gather documentation | Q1 Week 1-2 |
| Identification | Threat modeling, vulnerability assessment | Q1 Week 3-6 |
| Analysis | Likelihood and impact scoring | Q1 Week 7-8 |
| Evaluation | Risk prioritization, treatment decisions | Q1 Week 9-10 |
| Treatment | Mitigation planning, resource allocation | Q1 Week 11-12 |
| Review | Board presentation, approval | Q1 Week 13 |

8.2 Continuous Risk Monitoring

| Activity | Frequency | Owner |
|----------|-----------|-------|
| Threat intelligence review | Weekly | Security |
| Vulnerability scanning | Weekly | Security |
| Risk register update | Monthly | Security Director |
| Control effectiveness review | Quarterly | Compliance |
| Third-party risk review | Quarterly | Security |

8.3 Risk Treatment Options

| Option | When to Use | Example |
|--------|-------------|---------|
| Mitigate | Risk exceeds tolerance, controls available | Implement MFA |
| Transfer | Risk can be shared, insurance available | Cyber insurance |
| Accept | Risk within tolerance, cost exceeds benefit | Low-impact vendor risk |
| Avoid | Risk unacceptable, activity not essential | Discontinue feature |

9. Infrastructure-Specific Assessments

9.1 Zero Trust Architecture Review

| Control | Assessment Criteria | Frequency |
|---------|---------------------|-----------|
| Cloudflare Tunnel | No public ports, tunnel health | Monthly |
| Identity verification | JWT validation, role enforcement | Quarterly |
| Device trust | Device posture (if applicable) | Quarterly |
| Network segmentation | Tunnel isolation, VPC rules | Quarterly |
| Access logging | Complete audit trail | Monthly |

9.2 Swift Vapor Application Security

| Assessment | Criteria | Frequency |
|------------|----------|-----------|
| Dependency audit | Known vulnerabilities, updates | Monthly |
| Memory safety review | No unsafe code blocks | Per release |
| API security testing | OWASP Top 10 | Quarterly |
| Authentication flow | JWT handling, expiration | Quarterly |
| Multi-tenant isolation | Org_id enforcement | Quarterly |

9.3 PostgreSQL Security Assessment

| Assessment | Criteria | Frequency |
|------------|----------|-----------|
| Access controls | No direct access, app-only | Monthly |
| Encryption | At-rest and in-transit | Quarterly |
| Backup integrity | Restoration testing | Monthly |
| Query logging | Audit trail completeness | Monthly |
| Tenant isolation | Org_id constraints, RLS | Quarterly |
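As an added example that is not part of this policy or the Hop And Haul code base, the PostgreSQL row-level security setup below shows what the "Org_id constraints, RLS" control looks like in practice and how it backstops an application-layer org_id filter bypass of the kind described in TTX-010; the table name, role name and session setting are assumptions.

```sql
-- Added example: database-enforced tenant isolation with row-level security.
-- Table, role and setting names are hypothetical.
CREATE TABLE loads (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    details text
);

-- The application connects as a dedicated role that does not own the table.
-- Table owners and superusers bypass RLS unless it is FORCEd, so the app
-- role must never be the owner (also satisfies "No direct access, app-only").
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON loads TO app_user;

ALTER TABLE loads ENABLE ROW LEVEL SECURITY;
ALTER TABLE loads FORCE ROW LEVEL SECURITY;

-- Rows are visible and writable only for the tenant set on the session.
-- current_setting(..., true) returns NULL when the setting is absent, so the
-- comparison is NULL and every row is hidden: the policy fails closed.
CREATE POLICY tenant_isolation ON loads
    FOR ALL TO app_user
    USING (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Per request, the application (connected as app_user) pins the tenant.
-- set_config with is_local = true is transaction-scoped, so a pooled
-- connection cannot carry one tenant's org_id into the next request.
BEGIN;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);
-- A query that omits its WHERE org_id = ... filter (the TTX-010 bug)
-- still returns only the pinned tenant's rows.
SELECT id, details FROM loads;
COMMIT;

-- Quarterly assessment query: tenant tables where RLS is not both enabled
-- and forced. An empty result is the passing condition.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relkind = 'r'
  AND relnamespace = 'public'::regnamespace
  AND NOT (relrowsecurity AND relforcerowsecurity);
```

A deployment that bypasses the application's org_id filter then exposes nothing new, and the assessment query gives the review a concrete pass/fail check rather than a judgment call.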

10. Metrics and Reporting

10.1 Key Risk Indicators

| Metric | Target | Frequency |
|--------|--------|-----------|
| Critical risks open | 0 | Monthly |
| High risks open > 30 days | 0 | Monthly |
| Tabletop exercises completed | 4/year | Quarterly |
| Action items closed on time | > 90% | Quarterly |
| Risk register currency | < 30 days | Monthly |

10.2 Board Reporting

| Report | Content | Frequency |
|--------|---------|-----------|
| Risk summary | Top 10 risks, trend, treatment status | Quarterly |
| Exercise summary | Exercises completed, key findings | Quarterly |
| Annual assessment | Full risk register, year-over-year | Annual |

11. Document References

| Document | Relevance |
|----------|-----------|
| PLCY-DRP-001 Disaster Recovery Plan | Recovery procedures tested in exercises |
| PLCY-INC-001 Incident Response | Incident handling procedures |
| PLCY-SEC-001 Security Controls | Control effectiveness |
| PLCY-AUD-001 Audit Trail Specs | Audit requirements |

12. Revision History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | December 22, 2025 | Security Director | Initial release |

CONFIDENTIAL - Internal Use Only - Hop And Haul Policy Documentation