diff --git a/SECURITY.md b/SECURITY.md index 71310b3d..bd238ca5 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,13 +1,60 @@ # General Bots Security Policy -## Supported Versions +## Overview + +Request your free IT security evaluation +• Reduce the risk of IT problems +• Plan for problems and deal with them when they happen +• Keep working if something does go wrong +• Protect company, client and employee data +• Keep valuable company information, such as plans and designs, secret +• Meet our legal obligations under the General Data Protection Regulation and other laws +• Meet our professional obligations towards our clients and customers + +This IT security policy helps us: + +• Rodrigo Rodriguez is the director with overall responsibility for IT security strategy. +• Dário Vieira has day-to-day operational responsibility for implementing this policy. +• Microsoft is the IT partner organisation we use to help with our planning and support. +• Microsoft is the data protection officer to advise on data protection laws and best practices +Review process + +We will review this policy yearly. +In the meantime, if you have any questions, suggestions +or feedback, please contact security@pragmatismo.io + + +We will only classify information which is necessary for the completion of our duties. We will also limit +access to personal data to only those that need it for processing. We classify information into different +categories so that we can ensure that it is protected properly and that we allocate security resources +appropriately: +• Unclassified. This is information that can be made public without any implications for the company, +such as information that is already in the public domain. +• Employee confidential. This includes information such as medical records, pay and so on. +• Company confidential. Such as contracts, source code, business plans, passwords for critical IT +systems, client contact records, accounts etc. +• Client confidential. 
This includes personally identifiable information such as name or address, +passwords to client systems, client business plans, new product information, market sensitive +information etc. + + +Employees joining and leaving + +We will provide training to new staff and support for existing staff to implement this policy. This includes: +• An initial introduction to IT security, covering the risks, basic security measures, company policies +and where to get help +• Each employee will complete the National Archives ‘Responsible for Information’ training course +(approximately 75 minutes) +• Training on how to use company systems and security software properly +• On request, a security health check on their computer, tablet or phone +When people leave a project or leave the company, we will promptly revoke their access privileges to + +The company will ensure the data protection office is given all appropriate resources to carry out their +tasks and maintain their expert knowledge. +The Data Protection Officer reports directly to the highest level of management and must not carry out +any other tasks that could result in a conflict of interest. -Use this section to tell people about which versions of your project are -currently being supported with security updates. -| Version | Supported | -| ------- | ------------------ | -| 2.x.x | x | ## Reporting a Vulnerability
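Review bot: The "Employees joining and leaving" paragraph in this hunk ends mid-sentence ("When people leave a project or leave the company, we will promptly revoke their access privileges to") and then jumps to the Data Protection Officer text, so the offboarding commitment never says which systems or accounts are revoked; complete that sentence (or list the systems) before merging. Two further points in the same hunk: the line "This IT security policy helps us:" introduces nothing, since the bullet list it should precede ("Reduce the risk of IT problems", "Plan for problems ...") sits above it under the stray line "Request your free IT security evaluation", and the roles list that actually follows it needs its own heading; and the sections "Review process", "Employees joining and leaving" and the information classification block are plain text while the file otherwise uses `##` headings, so they will not render as sections. Also worth reconciling: Microsoft is named both as the IT partner organisation and as the data protection officer, while the closing paragraph states the DPO "must not carry out any other tasks that could result in a conflict of interest". Finally, the "Supported Versions" table was removed without a replacement, so the policy no longer states which versions receive security updates; either keep the table or add a sentence under "## Reporting a Vulnerability".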