From 6dddfbb5641e849146ced2c0c7dc36c5cd980f41 Mon Sep 17 00:00:00 2001 From: Guillaume Ross Date: Mon, 30 May 2022 13:06:16 -0400 Subject: [PATCH] Update security-policies.md (#5964) 1. Background checks do not actually need to be done before the first day but rather before access to the Fleet automatic update environment is granted. 2. Added note about board meetings. 3. Added a note about Fleeties spreadsheet being required --- handbook/security-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handbook/security-policies.md b/handbook/security-policies.md index cdf8d7932c..8a7cb8532f 100644 --- a/handbook/security-policies.md +++ b/handbook/security-policies.md @@ -378,7 +378,7 @@ Fleet policy requires that: 10. Fleet will publish job descriptions for available positions and conduct interviews to assess a candidate's technical skills as well as soft skills prior to hiring. -11. Background checks of an employee or contractor must be performed by operations and/or the hiring team prior to the start date of employment. +11. Background checks of an employee or contractor must be performed by operations and/or the hiring team prior to the the new employee or contractor being granted access to the Fleet automatic updater environment. ## Incident response policy 
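Review bot: The added item 11 has a doubled article, "prior to the the new employee or contractor", which should read "prior to the new employee or contractor being granted access". On the substance of the change, the old wording gave the control a fixed, auditable deadline (the start date); the new wording gates it on access to one named environment, so it is worth stating who verifies that the background check has completed before that access is provisioned, otherwise the policy no longer has a checkable point in time for auditors. Also, the hunk calls it the "Fleet automatic updater environment" while the commit message calls it the "Fleet automatic update environment"; use one name consistently.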
@@ -670,7 +670,7 @@ Fleet Device Management is committed to conducting business in compliance with a | Role | Responsibilities | | ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Board of directors | Oversight over risk and internal control for information security, privacy, and compliance
Consults with executive leadership and head of security to understand Fleet's security mission and risks and provides guidance to bring them into alignment | -| Executive leadership | Approves capital expenditures for information security
Oversight over the execution of the information security risk management program
Communication path to Fleet's board of directors
Aligns information security policy and posture based on Fleet's mission, strategic objectives, and risk appetite | +| Executive leadership | Approves capital expenditures for information security
Oversight over the execution of the information security risk management program
Communication path to Fleet's board of directors. Meets with the board regularly, including at least once official meeting a year.
Aligns information security policy and posture based on Fleet's mission, strategic objectives, and risk appetite | CTO | Oversight over information security in the software development process
Responsible for the design, development, implementation, operation, maintenance and monitoring of development and commercial cloud hosting security controls
Responsible for oversight over policy development
Responsible for implementing risk management in the development process | | Head of security | Oversight over the implementation of information security controls for infrastructure and IT processes
Responsible for the design, development, implementation, operation, maintenance, and monitoring of IT security controls
Communicate information security risks to executive leadership
Report information security risks annually to Fleet's leadership and gains approvals to bring risks to acceptable levels
Coordinate the development and maintenance of information security policies and standards
Work with applicable executive leadership to establish an information security framework and awareness program
Serve as liaison to the board of directors, law enforcement and legal department.
Oversight over identity management and access control processes | | System owners | Manage the confidentiality, integrity, and availability of the information systems for which they are responsible in compliance with Fleet policies on information security and privacy.
Approve of technical access and change requests for non-standard access |
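Review bot: In the Executive leadership row, the added sentence "Meets with the board regularly, including at least once official meeting a year." should read "at least one official meeting a year". Separately, the commit message lists a third change, "Added a note about Fleeties spreadsheet being required", but the diffstat reports 2 insertions and 2 deletions and neither hunk mentions a spreadsheet; either trim the commit message or add the missing change before merging.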