Merge branch 'master' of https://github.com/GeneralBots/BotServer
commit f11e1f9270
1 changed file with 53 additions and 6 deletions
SECURITY.md (59 changes)
@ -1,13 +1,60 @@
# General Bots Security Policy

## Supported Versions
## Overview

Request your free IT security evaluation
• Reduce the risk of IT problems
• Plan for problems and deal with them when they happen
• Keep working if something does go wrong
• Protect company, client and employee data
• Keep valuable company information, such as plans and designs, secret
• Meet our legal obligations under the General Data Protection Regulation and other laws
• Meet our professional obligations towards our clients and customers

This IT security policy helps us:

• Rodrigo Rodriguez is the director with overall responsibility for IT security strategy.
• Dário Vieira has day-to-day operational responsibility for implementing this policy.
• Microsoft is the IT partner organisation we use to help with our planning and support.
• Microsoft is the data protection officer to advise on data protection laws and best practices
Review process

We will review this policy yearly.
In the meantime, if you have any questions, suggestions
or feedback, please contact security@pragmatismo.io


We will only classify information which is necessary for the completion of our duties. We will also limit
access to personal data to only those that need it for processing. We classify information into different
categories so that we can ensure that it is protected properly and that we allocate security resources
appropriately:
• Unclassified. This is information that can be made public without any implications for the company,
such as information that is already in the public domain.
• Employee confidential. This includes information such as medical records, pay and so on.
• Company confidential. Such as contracts, source code, business plans, passwords for critical IT
systems, client contact records, accounts etc.
• Client confidential. This includes personally identifiable information such as name or address,
passwords to client systems, client business plans, new product information, market sensitive
information etc.


Employees joining and leaving

We will provide training to new staff and support for existing staff to implement this policy. This includes:
• An initial introduction to IT security, covering the risks, basic security measures, company policies
and where to get help
• Each employee will complete the National Archives ‘Responsible for Information’ training course
(approximately 75 minutes)
• Training on how to use company systems and security software properly
• On request, a security health check on their computer, tablet or phone
When people leave a project or leave the company, we will promptly revoke their access privileges to

The company will ensure the data protection office is given all appropriate resources to carry out their
tasks and maintain their expert knowledge.
The Data Protection Officer reports directly to the highest level of management and must not carry out
any other tasks that could result in a conflict of interest.

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported |
| ------- | ------------------ |
| 2.x.x | x |

## Reporting a Vulnerability

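Review bot: the "## Reporting a Vulnerability" heading at the end of the hunk has no body, and the only contact address (security@pragmatismo.io) is placed under "Review process" where it reads as a feedback channel for the policy text rather than a disclosure channel; move the address under the reporting heading and state what a reporter should include and when to expect an acknowledgement, otherwise the file does not tell a finder how to report anything. Three further problems in the same hunk: the sentence "When people leave a project or leave the company, we will promptly revoke their access privileges to" stops before naming what access is revoked; "Microsoft is the data protection officer" is hard to reconcile with the later rule that the Data Protection Officer "must not carry out any other tasks that could result in a conflict of interest" when the same organisation is also "the IT partner organisation we use to help with our planning and support", and the text alternates between "data protection office" and "Data Protection Officer"; and the Supported Versions table marks 2.x.x with a bare "x", which is ambiguous between a cross and a tick, while the template placeholder "Use this section to tell people about which versions of your project are currently being supported with security updates." is still present and the "## Supported Versions" heading sits at the top of the file, separated from its table by the whole Overview. Also, "This IT security policy helps us:" introduces the list of responsible people, while the bullets it was evidently written for appear above it.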