diff --git a/handbook/security-policies.md b/handbook/security-policies.md index 8a7cb8532f..902cb95795 100644 --- a/handbook/security-policies.md +++ b/handbook/security-policies.md @@ -379,7 +379,10 @@ Fleet policy requires that: 10. Fleet will publish job descriptions for available positions and conduct interviews to assess a candidate's technical skills as well as soft skills prior to hiring. 11. Background checks of an employee or contractor must be performed by operations and/or the hiring team prior to the the new employee or contractor being granted access to the Fleet automatic updater environment. - + +12. A list of employees and contractors will be maintained, including their titles and managers, and made available to everyone internally. + +13. An [anonymous](https://docs.google.com/forms/d/e/1FAIpQLSdv2abLfCUUSxFCrSwh4Ou5yF80c4V2K_POoYbHt3EU1IY-sQ/viewform?vc=0&c=0&w=1&flr=0&fbzx=4276110450338060288) form to report unethical behaviour will be provided to employees. ## Incident response policy *Created from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates). [CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/). Based on the SANS incident response process.* 
@@ -714,6 +717,22 @@ Fleet policy requires: 3. strategies shall be developed to mitigate or accept the risks identified in the risk assessment process. +4. The risk register is monitored on a quarterly basis to assess compliance with above policy as well as to document newly discovered or created risks. + +### Acceptable Risk Levels + +Risks that are either low impact or low probability, are generally considered acceptable. + +All other risks must be individually reviewed and managed. + +### Risk corrective action timelines + +| Risk Level | Corrective action timeline | +| ---------- | ------------------- | +| Low | Best effort | +| Medium | 120 days | +| High | 30 days | + ## Secure software development and product security policy *Created from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates). [CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/)*
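Review bot: In the first hunk, item 13 labels the reporting form "anonymous", but nothing in the change records who receives the submissions or confirms that the form does not require sign-in or collect the respondent's email; add a sentence stating who reads the reports and that sign-in and email collection are disabled, so the anonymity claim is verifiable rather than assumed. The link also carries session-looking query parameters (`vc=0&c=0&w=1&flr=0&fbzx=...`); trimming it to the base `/viewform` URL keeps the handbook link stable if those values change. While touching this section, the surrounding context line 11 still reads "prior to the the new employee", which is worth fixing in the same change.

Review bot: In the second hunk, the "Acceptable Risk Levels" rule and the corrective-action table use different vocabularies: the rule speaks of "low impact or low probability", while the table is keyed on Low / Medium / High risk levels, and nothing added here says how impact and probability map to those levels. Add a reference to the rating scale used in the risk register (or a one-line definition) so that "Low" in the table unambiguously means the case the rule calls acceptable; otherwise a high-impact, low-probability risk could be read as both "generally acceptable" and "High, 30 days". Minor wording: "Risks that are either low impact or low probability, are generally considered acceptable." has a stray comma before "are", item 4 should read "compliance with the above policy", and the two new headings mix title case ("Acceptable Risk Levels") with the sentence case used elsewhere ("Risk corrective action timelines").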