Merge branch 'master' of https://github.com/GeneralBots/BotServer

2022-01-23 19:35:25 -03:00 · 2022-01-23 19:35:25 -03:00 · f11e1f9270
commit f11e1f9270
parent 97f5f154c0 72c63d6e70
1 changed files with 53 additions and 6 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,13 +1,60 @@
 # General Bots Security Policy
-## Supported Versions
+## Overview
 Request your free IT security evaluation
 • Reduce the risk of IT problems
 • Plan for problems and deal with them when they happen
 • Keep working if something does go wrong
 • Protect company, client and employee data
 • Keep valuable company information, such as plans and designs, secret
 • Meet our legal obligations under the General Data Protection Regulation and other laws
 • Meet our professional obligations towards our clients and customers
 This IT security policy helps us:
 • Rodrigo Rodriguez is the director with overall responsibility for IT security strategy.
 • Dário Vieira has day-to-day operational responsibility for implementing this policy.
 • Microsoft is the IT partner organisation we use to help with our planning and support.
 • Microsoft  is the data protection officer to advise on data protection laws and best practices
 Review process
 We will review this policy yearly.
 In the meantime, if you have any questions, suggestions
 or feedback, please contact security@pragmatismo.io
 We will only classify information which is necessary for the completion of our duties. We will also limit
 access to personal data to only those that need it for processing. We classify information into different
 categories so that we can ensure that it is protected properly and that we allocate security resources
 appropriately:
 • Unclassified. This is information that can be made public without any implications for the company,
 such as information that is already in the public domain.
 • Employee confidential. This includes information such as medical records, pay and so on.
 • Company confidential. Such as contracts, source code, business plans, passwords for critical IT
 systems, client contact records, accounts etc.
 • Client confidential. This includes personally identifiable information such as name or address,
 passwords to client systems, client business plans, new product information, market sensitive
 information etc.
 Employees joining and leaving
 We will provide training to new staff and support for existing staff to implement this policy. This includes:
 • An initial introduction to IT security, covering the risks, basic security measures, company policies
 and where to get help
 • Each employee will complete the National Archives ‘Responsible for Information’ training course
 (approximately 75 minutes)
 • Training on how to use company systems and security software properly
 • On request, a security health check on their computer, tablet or phone
 When people leave a project or leave the company, we will promptly revoke their access privileges to
 The company will ensure the data protection office is given all appropriate resources to carry out their
 tasks and maintain their expert knowledge.
 The Data Protection Officer reports directly to the highest level of management and must not carry out
 any other tasks that could result in a conflict of interest.
 Use this section to tell people about which versions of your project are
 currently being supported with security updates.
 | Version | Supported          |
 | ------- | ------------------ |
 | 2.x.x   | x                  |
 ## Reporting a Vulnerability