Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 08:58:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 76

Update security-policies.md (#11606)

Browse source 
Update security policy with an SLA around customer notification. Removed
several steps where Head of Security was the owner of the action item.

.
This commit is contained in:
Zay Hanlon 2023-05-10 11:27:41 -04:00 committed by GitHub
parent 152fb9e9b2
commit 1abe24d1a4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
handbook/business-operations/security-policies.md
View file

@ -415,9 +415,9 @@ The Security Incident Response Team (SIRT) is responsible for
Current members of the Fleet SIRT:
* Head of Security
* CTO
* CEO
* VP of Customer Success
#### Incident Management Process
Fleet's incident response classifies security-related events into the following categories:
@ -472,23 +472,23 @@ Incidents of a severity/impact rating higher than **MINOR** shall trigger the re
1. Immediately upon observation, Fleet members report suspected and known
Events, Precursors, Indications, and Incidents in one of the following ways:
1. Direct report to management, the Head of Security, CTO, CEO, or
1. Direct report to management, CTO, CEO, or
other
2. Email
3. Phone call
4. Slack
2. The individual receiving the report facilitates the collection of additional
information about the incident, as needed, and notifies the Head of Security
information about the incident, as needed, and notifies the CTO
(if not already done).
3. The Head of Security determines if the issue is an Event, Precursor,
3. The CTO determines if the issue is an Event, Precursor,
Indication, or Incident.
1. If the issue is an event, indication, or precursor, the Head of Security
1. If the issue is an event, indication, or precursor, the CTO
forwards it to the appropriate resource for resolution.
1. Non-Technical Event (minor infringement): the Head of Security of the
1. Non-Technical Event (minor infringement): the CTO of the
designee creates an appropriate issue in GitHub and further investigates
the incident as needed.
2. Technical Event: Assign the issue to a technical resource for
@ -496,7 +496,7 @@ Incidents of a severity/impact rating higher than **MINOR** shall trigger the re
technical resource in the event of a lack of resource or expertise in
the area.
2. If the issue is a security incident, the Head of Security activates the
2. If the issue is a security incident, the CTO activates the
Security Incident Response Team (SIRT) and notifies senior leadership by
email.
@ -627,7 +627,14 @@ been corrected.
phase.
6. Apprise Senior Management of progress.
7. Continue to notify affected Customers and Partners with relevant updates
as needed.
as needed. Fleets incident response policy is to report significant cyber
incidents within 24 hours.
- Reporting Timeline 24 hours after determining a cyber incident has occurred.
- Definitions Significant cyber incidents are defined as an incident or group
of incidents that are likely to result in demonstrable harm to Fleet or Fleets
customers.
- Reporting Mechanism Reports to be provided to customers via email
correspondence and Slack.
8. Move to Phase V, Follow-up.
#### V - Post-Incident Analysis (Technical and Non-Technical)
@ -682,7 +689,7 @@ Fleet Device Management is committed to conducting business in compliance with a
| Role | Responsibilities |
| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Board of directors | Oversight over risk and internal control for information security, privacy, and compliance<br/> Consults with executive leadership and head of security to understand Fleet's security mission and risks and provides guidance to bring them into alignment |
| Board of directors | Oversight over risk and internal control for information security, privacy, and compliance<br/> Consults with executive leadership to understand Fleet's security mission and risks and provides guidance to bring them into alignment |
| Executive leadership | Approves capital expenditures for information security<br/> Oversight over the execution of the information security risk management program<br/> Communication path to Fleet's board of directors. Meets with the board regularly, including at least one official meeting a year<br/> Aligns information security policy and posture based on Fleet's mission, strategic objectives, and risk appetite |
CTO | Oversight over information security in the software development process<br/> Responsible for the design, development, implementation, operation, maintenance and monitoring of development and commercial cloud hosting security controls<br/> Responsible for oversight over policy development <br/>Responsible for implementing risk management in the development process |
| Head of security | Oversight over the implementation of information security controls for infrastructure and IT processes<br/> Responsible for the design, development, implementation, operation, maintenance, and monitoring of IT security controls<br/> Communicate information security risks to executive leadership<br/> Report information security risks annually to Fleet's leadership and gains approvals to bring risks to acceptable levels<br/> Coordinate the development and maintenance of information security policies and standards<br/> Work with applicable executive leadership to establish an information security framework and awareness program<br/> Serve as liaison to the board of directors, law enforcement and legal department.<br/> Oversight over identity management and access control processes |