From 00ff5326f9fe2360d22f5ddc17e7c2454c2c31df Mon Sep 17 00:00:00 2001 From: Guillaume Ross Date: Wed, 1 Jun 2022 10:16:53 -0400 Subject: [PATCH] Pre-SOC 2 policy review (#5991) * Update security-policies.md 1. Background checks do not actually need to be done before the first day but rather before access to the Fleet automatic update environment is granted. 2. Added note about board meetings. 3. Added a note about Fleeties spreadsheet being required * Update security-policies.md Added risk mitigation timeline * Update security-policies.md quarterly reviews of risk register * Update security-policies.md Added whistleblower link --- handbook/security-policies.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/handbook/security-policies.md b/handbook/security-policies.md index 8a7cb8532f..902cb95795 100644 --- a/handbook/security-policies.md +++ b/handbook/security-policies.md @@ -379,7 +379,10 @@ Fleet policy requires that: 10. Fleet will publish job descriptions for available positions and conduct interviews to assess a candidate's technical skills as well as soft skills prior to hiring. 11. Background checks of an employee or contractor must be performed by operations and/or the hiring team prior to the the new employee or contractor being granted access to the Fleet automatic updater environment. - + +12. A list of employees and contractors will be maintained, including their titles and managers, and made available to everyone internally. + +13. An [anonymous](https://docs.google.com/forms/d/e/1FAIpQLSdv2abLfCUUSxFCrSwh4Ou5yF80c4V2K_POoYbHt3EU1IY-sQ/viewform?vc=0&c=0&w=1&flr=0&fbzx=4276110450338060288) form to report unethical behaviour will be provided to employees. ## Incident response policy *Created from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates). [CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/). Based on the SANS incident response process.* 
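Review bot: the new item 13 labels the Google Form "anonymous", but nothing in the hunk states how anonymity is guaranteed (the form must not require sign-in or collect respondent e-mail addresses), and the pasted URL carries per-session query parameters (`?vc=0&c=0&w=1&flr=0&fbzx=4276110450338060288`) that do not belong in a policy document; suggest trimming the link to the bare `viewform` URL and adding one sentence stating that the form is configured not to collect identifying information, so the "anonymous" claim is verifiable. The new item 12 also names no owner for the employee and contractor list, while the neighbouring item 11 assigns its control to "operations and/or the hiring team"; stating who maintains the list and how often it is reviewed would make it auditable. Minor: the unchanged context in item 11 still reads "prior to the the new employee", which could be fixed while this file is being touched.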
@@ -714,6 +717,22 @@ Fleet policy requires: 3. strategies shall be developed to mitigate or accept the risks identified in the risk assessment process. +4. The risk register is monitored on a quarterly basis to assess compliance with above policy as well as to document newly discovered or created risks. + +### Acceptable Risk Levels + +Risks that are either low impact or low probability, are generally considered acceptable. + +All other risks must be individually reviewed and managed. + +### Risk corrective action timelines + +| Risk Level | Corrective action timeline | +| ---------- | ------------------- | +| Low | Best effort | +| Medium | 120 days | +| High | 30 days | + ## Secure software development and product security policy *Created from [JupiterOne/security-policy-templates](https://github.com/JupiterOne/security-policy-templates). [CC BY-SA 4 license](https://creativecommons.org/licenses/by-sa/4.0/)*
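Review bot: the "Acceptable Risk Levels" paragraph and the corrective action table use different vocabularies and do not line up. The paragraph accepts any risk that is "either low impact or low probability", which as written also accepts a high-impact, low-probability risk; confirm that is intended, or change it to require both. The table then uses Low/Medium/High levels that are never defined in terms of impact and probability, and assigns Low a "Best effort" corrective action even though the paragraph just declared such risks acceptable; suggest defining the three levels explicitly (e.g. as a combination of impact and probability) and clarifying whether "Best effort" means accepted with no action or tracked but unscheduled. Smaller points: item 4 should read "with the above policy" and, like item 12 in the earlier hunk, names no owner for the quarterly review; "Risks that are either low impact or low probability, are generally" has a stray comma before "are".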