Diffstat (limited to 'genesishosting/security')
-rw-r--r-- genesishosting/security/incident-response.md 25
-rw-r--r-- genesishosting/security/logging-monitoring.md 24
-rw-r--r-- genesishosting/security/security-encryption-standards.md 23
-rw-r--r-- genesishosting/security/security-policy.md 23
4 files changed, 95 insertions, 0 deletions
diff --git a/genesishosting/security/incident-response.md b/genesishosting/security/incident-response.md
new file mode 100644
index 0000000..29f7ce5
--- /dev/null
+++ b/genesishosting/security/incident-response.md
@@ -0,0 +1,25 @@
+# Incident Response Policy
+
+This document defines how we detect, respond to, and report security incidents.
+
+## Response Workflow
+
+1. Detection via monitoring, alert, or client report
+2. Triage severity and affected systems
+3. Contain and isolate threat (e.g., suspend access)
+4. Notify stakeholders if client-impacting
+5. Perform root cause analysis
+6. Patch, re-secure, and document the event
+
+## Timelines
+
+- Initial triage: within 2 hours
+- Client notification (if impacted): within 24 hours
+- Final report delivered internally within 72 hours
+
+## Tools Used
+
+- Fail2Ban
+- Genesis Shield alerting
+- Zabbix/Prometheus incident flags
+- Manual log reviews (forensic-level)
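Review bot: The Timelines list does not say what each clock starts from, and step 2 of Response Workflow asks for severity triage without defining any severity levels. Suggest wording such as "Initial triage: within 2 hours of detection" and adding a short severity scale that the notification and report deadlines can key off. There is also no evidence-preservation step between step 3 (contain) and step 6 (patch, re-secure), although Tools Used lists forensic-level log reviews; logs and system state should be captured before remediation changes them.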
diff --git a/genesishosting/security/logging-monitoring.md b/genesishosting/security/logging-monitoring.md
new file mode 100644
index 0000000..c305627
--- /dev/null
+++ b/genesishosting/security/logging-monitoring.md
@@ -0,0 +1,24 @@
+# Logging & Monitoring Policy
+
+We collect and monitor system activity to detect threats, enforce accountability, and assist in incident resolution.
+
+## Log Types
+
+- SSH login attempts
+- WHMCS access logs
+- AzuraCast and TeamTalk server logs
+- PostgreSQL query and connection logs
+- Fail2Ban logs (ban/unban events)
+
+## Monitoring Tools
+
+- Prometheus for metrics
+- Grafana dashboards for visual alerts
+- Genesis Shield (Telegram + Mastodon alerting)
+- Manual log review every 7 days
+
+## Retention
+
+- General logs: 30 days
+- Security-related logs: 90 days minimum
+- Logs archived to encrypted ZFS volume
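Review bot: Retention distinguishes "General logs: 30 days" from "Security-related logs: 90 days minimum", but Log Types does not say which of the five listed sources fall into which class. Mark each entry with its class so the retention period for, say, SSH login attempts or Fail2Ban logs is unambiguous. "Manual log review every 7 days" also needs a named owner, and the document should say where logs are collected before being archived to the encrypted ZFS volume, since security-policy.md in this same commit promises centralized log collection.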
diff --git a/genesishosting/security/security-encryption-standards.md b/genesishosting/security/security-encryption-standards.md
new file mode 100644
index 0000000..6d9139c
--- /dev/null
+++ b/genesishosting/security/security-encryption-standards.md
@@ -0,0 +1,23 @@
+# Encryption Standards
+
+Encryption is applied to all data in transit and at rest across Genesis Hosting Technologies infrastructure.
+
+## In Transit
+
+- HTTPS via TLS 1.3 (minimum TLS 1.2 for legacy fallback)
+- SFTP for all file transfers
+- SSH for all administrative access
+- rclone with TLS for object storage replication
+
+## At Rest
+
+- ZFS encryption on backup pools
+- PostgreSQL encryption at the database or filesystem level
+- WHMCS and DirectAdmin credentials hashed and salted
+- Backups encrypted with AES-256 before remote transfer
+
+## Key Management
+
+- SSH keys rotated every 6 months
+- Let's Encrypt certs auto-renew every 90 days
+- Master encryption keys stored offline and version-controlled
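Review bot: In Key Management, "Master encryption keys stored offline and version-controlled" reads as if key material is kept in a version control repository, which conflicts with offline storage unless the repository itself is offline. State what is versioned (key identifiers and rotation history, or the keys themselves) and where it lives. "Let's Encrypt certs auto-renew every 90 days" should give the renewal point relative to expiry: if 90 days is the certificate lifetime, renewal has to run before that. Under At Rest, "hashed and salted" and "AES-256" name no hashing algorithm or cipher mode, and "at the database or filesystem level" leaves the PostgreSQL choice undecided.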
diff --git a/genesishosting/security/security-policy.md b/genesishosting/security/security-policy.md
new file mode 100644
index 0000000..7ed282f
--- /dev/null
+++ b/genesishosting/security/security-policy.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+Genesis Hosting Technologies enforces strict security practices across all infrastructure and services to protect client data and maintain service integrity.
+
+## Core Principles
+
+- Least privilege for all users and services
+- Regular audits and patching
+- Encrypted communication and storage
+- Real-time monitoring and alerting
+
+## Enforcement Areas
+
+- 2FA required for all admin portals
+- SSH access limited to key-based logins
+- Centralized log collection and review
+- All critical assets monitored via Genesis Shield
+
+## Review Cycle
+
+- Policies reviewed quarterly
+- Logs retained for 30–90 days depending on system
+- Incidents reviewed post-mortem with improvements logged
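Review bot: Under Review Cycle, "Logs retained for 30–90 days depending on system" is a retention statement rather than a review item, and it does not match logging-monitoring.md in this commit, which sets "Security-related logs: 90 days minimum" (a floor, not a 30 to 90 day range). Replace the line with a pointer to logging-monitoring.md so retention is defined in one place. "Policies reviewed quarterly" would also benefit from naming who performs the review and where the outcome is recorded.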