1. Introduction
At Node.Monster, security is a top priority. This Information Security Policy outlines our approach to safeguarding sensitive data, validator operations, and infrastructure from potential threats. This policy applies to all employees, contractors, and stakeholders involved in our node operations and validator services.
2. Access Control & Authentication
2.1 Role-Based Access Control (RBAC)
- Access to systems is granted based on job responsibilities and is restricted to the minimum required privileges.
- Administrative and privileged accounts are limited to essential personnel only.
2.2 Multi-Factor Authentication (MFA)
- All access to administrative systems and key management services requires MFA.
- MFA is enforced across all internal and external tools, including cloud providers.
2.3 Least Privilege Principle
- Users and automated processes are granted only the minimum permissions necessary to perform their functions.
- Regular audits ensure that no permissions are granted beyond operational requirements.
3. Secure Key Management
3.1 Cryptographic Security
- All private keys are secured using Multi-Party Computation (MPC) to eliminate single points of failure.
- Keys used for signing are stored in cold storage hardware wallets to prevent unauthorized access.
- Automated key rotation policies are enforced to mitigate key exposure risks.
3.2 Secure Storage & Access Control
- All cryptographic keys are stored in FIPS 140-2 compliant secure hardware modules.
- Secure logging and auditing track every access and operation involving private keys.