Pre-SOC 2 policy review (#5991)

* Update security-policies.md

1. Background checks do not actually need to be done before the first day but rather before access to the Fleet automatic update environment is granted.
2. Added note about board meetings.
3. Added a note about Fleeties spreadsheet being required

* Update security-policies.md

Added risk mitigation timeline

* Update security-policies.md

quarterly reviews of risk register

* Update security-policies.md

Added whistleblower link
Guillaume Ross 2022-06-01 10:16:53 -04:00 committed by GitHub
parent 2a5996c5bf
commit 00ff5326f9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -379,7 +379,10 @@ Fleet policy requires that:
10. Fleet will publish job descriptions for available positions and conduct interviews to assess a candidate's technical skills as well as soft skills prior to hiring.
11. Background checks of an employee or contractor must be performed by operations and/or the hiring team prior to the the new employee or contractor being granted access to the Fleet automatic updater environment.
12. A list of employees and contractors will be maintained, including their titles and managers, and made available to everyone internally.
13. An [anonymous](https://docs.google.com/forms/d/e/1FAIpQLSdv2abLfCUUSxFCrSwh4Ou5yF80c4V2K_POoYbHt3EU1IY-sQ/viewform?vc=0&c=0&w=1&flr=0&fbzx=4276110450338060288) form to report unethical behaviour will be provided to employees.
## Incident response policy
*Created from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates). [CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/). Based on the SANS incident response process.*
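Review bot: item 11 contains a doubled word, "prior to the the new employee or contractor"; drop one "the". The same item names the system the "Fleet automatic updater environment" while the commit message calls it the "Fleet automatic update environment"; pick one name so the control maps to a single, identifiable system when an auditor asks which access the check gates. Since the policy now ties the background check to that one environment rather than to the start date, item 11 would also benefit from stating how completion of the check is evidenced (who records it, and where) so that each access grant can be traced back to a completed check.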
@ -714,6 +717,22 @@ Fleet policy requires:
3. strategies shall be developed to mitigate or accept the risks identified in the risk assessment process.
4. The risk register is monitored on a quarterly basis to assess compliance with above policy as well as to document newly discovered or created risks.
### Acceptable Risk Levels
Risks that are either low impact or low probability, are generally considered acceptable.
All other risks must be individually reviewed and managed.
### Risk corrective action timelines
| Risk Level | Corrective action timeline |
| ---------- | ------------------- |
| Low | Best effort |
| Medium | 120 days |
| High | 30 days |
## Secure software development and product security policy
*Created from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates). [CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/)*
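Review bot: the corrective action table assigns timelines by Low/Medium/High, but the "Acceptable Risk Levels" paragraph classifies risks by impact and probability without saying how those two dimensions map onto the three levels; add the mapping (or a reference to where the risk register defines it) so the 30-day and 120-day clocks are unambiguous. Item 4's quarterly monitoring cadence is longer than the 30-day High timeline, so a High risk could pass its deadline between two reviews; suggest recording the corrective action due date in the register when the risk is entered so it is tracked independently of the quarterly review. Minor: item 3 starts lowercase ("strategies shall be developed") while item 4 starts uppercase, item 4 reads "compliance with above policy" (missing "the"), and "Risks that are either low impact or low probability, are generally considered acceptable" has a stray comma before "are".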