-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2 from FortAwesome/sec-n-priv
Initial Pass at Significant Policies
- Loading branch information
Showing
7 changed files
with
489 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # ACCESS CONTROL POLICY | ||
|
|
||
| ## Classification Level | ||
| Publicly available | ||
|
|
||
| ## Review Information | ||
|
|
||
| __Mandatory Review Period__ | ||
|
|
||
| Yearly | ||
|
|
||
| __Date of Last Review__ | ||
|
|
||
| October 25, 2022 | ||
|
|
||
| ## Introduction | ||
|
|
||
| An access control policy helps employees and external parties understand who is allowed to access what client and user data | ||
| and under what circumstances and conditions they can access that data. | ||
|
|
||
| ### Goal Statement | ||
|
|
||
| At present, we are a small company (literally everyone in the company knows everyone else on a first name basis). The | ||
| unfortunate reality is that, no matter how much we may know, like, or trust an individual we know personally, they have the | ||
| capacity to take harmful actions. Beyond that, there is risk that an employee's identity (from a system perspective) may be | ||
| compromised allowing an attacker the same level of access as an employee. In general, we mitigate these kinds of risks by | ||
| collecting as little data as possible so that, even in the event of a breach, nothing of value would be lost. However, we do | ||
| offer a service whose value is in its availability and providing too much access to everyone could result in a loss of that | ||
| availability to our clients. To that end we need some basic guidelines indicating who should have access to what, and how, | ||
| when, and why that access should change. | ||
|
|
||
| ### Background Statement | ||
|
|
||
| We, at Fonticons, Inc., know our culture but it is entirely reasonable for others planning to use our technology to desire | ||
| to understand our goals and commitments around security and privacy. Some of our policies have been de facto in nature, e.g., | ||
| you simply can't get access to something because so-and-so wouldn't give it to you. While this is arguably effective for a | ||
| company of our size, having a de jure policy that others can consider is appropriate for the space in which we work. | ||
|
|
||
| ## Definitions | ||
|
|
||
| ### Terms | ||
|
|
||
| * The word "we" shall mean Fonticons, Inc., all Fonticons, Inc. employees and any individuals contracting with Fonticons, Inc. to complete work. | ||
| * The word Fonticons will be synonymous with Fonticons, Inc. for the purposes of this policy. | ||
| * Employee shall mean an individual directly employed by Fonticons, and all contractors, consultants, temporary employees, or business partners. | ||
| * Fonticons products/services refers to any and all paid or free products and/or services offered by Fonticons. | ||
| * Client shall mean a person or entity who installs or configures part or all of Fonticons product/service for use on a website or product not owned or otherwise controlled by Fonticons. | ||
| * Fonticons system shall mean any computers, communication systems, platforms, and any other information technology systems used by Fonticons, to provide the Font Awesome product and service. | ||
| * Font Awesome product shall mean the icons, their digital representation, and associated icon functionality present in code. | ||
| * Font Awesome service shall mean the technologies that make the Font Awesome product available to clients, users, and site users. | ||
|
|
||
| ## Policy | ||
|
|
||
| 1. This policy applies to all employees. | ||
| 1. This policy applies to all Fonticons systems. | ||
| 1. All Fonticons systems must implement or otherwise leverage an authentication and authorization scheme that can limit access based on authentication information. | ||
| 1. To facilitate this policy Fonticons must maintain a valid, up-to-date inventory of their systems as part of their asset inventory. | ||
| 1. Authorization level must be commensurate with the role and/or business related activities, e.g., an icon designer does not typically require admin access to the logging database. | ||
| 1. Any employee or pro clients accessing Fonticons systems (with the exception of the free and or public aspects of the system) must be authenticated to said system and only be able to access those items to which they have appropriate authorization. | ||
| 1. System access must not be granted to any employee without appropriate approval from a manager or the head of security. | ||
| 1. System access must be granted only on a need-to-know basis. | ||
| 1. Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. | ||
|
|
||
| ## Procedures | ||
|
|
||
| 1. An employee that detects any violation of this policy must report the issue to their supervisor, the head of security, or the CTO. | ||
| 1. Intentionally or maliciously violating this policy is a serious offense and grounds for termination of employment. | ||
| 1. Any system not in compliance with this policy must have compliance activities identified and prioritized. | ||
| 1. Prioritization of compliance must be documented and produced upon request. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # BUG REPORT/BOUNTY POLICY | ||
|
|
||
| ## Classification Level | ||
| Publicly available | ||
|
|
||
| ## Review Information | ||
|
|
||
| __Mandatory Review Period__ | ||
|
|
||
| Yearly | ||
|
|
||
| __Date of Last Review__ | ||
|
|
||
| October 25, 2022 | ||
|
|
||
| ## Introduction | ||
|
|
||
| A bug report/bounty policy clearly lays out how to make and how we address bug reports. | ||
|
|
||
| ### Goal Statement | ||
|
|
||
| We've always tried to be as community oriented as we practically can be. We always appreciate a valid bug report but, our | ||
| general policy is that we don't offer monetary or other rewards for bug reports. | ||
|
|
||
| ### Background Statement | ||
|
|
||
| Obviously we don't want to turn away assistance from people willing to take the time to find issues with our product or | ||
| configurations. The current reality is, as a small, private company it isn't practical for us to pay bug bounties. We get a | ||
| lot of reports that are valid but are either low risk or something we just don't have the people available to address immediately as | ||
| we are trying to continue to improve and expand the product. All that being said, if your goal is to help us improve the | ||
| offering we don't want to turn that help away. | ||
|
|
||
| ## Policy | ||
|
|
||
| 1. All bugs involving the open source aspects of our code should be submitted to the GitHub repository where the bug was found. | ||
| 1. All bugs involving networking, configurations, our website, etc., should be submitted to help@fontawesome.com. | ||
| 1. We do not offer monetary or other (swag) rewards for bug submissions. | ||
| 1. We will collect security bug reports and: | ||
| 1. If the issue was previously unknown AND | ||
| 1. Is determined by our head of security to have high enough risk, WE MAY | ||
| 1. Praise the work of the reporter on Twitter (if the reporter consents to having us release their Twitter handle and finding) and WE WILL | ||
| 1. Communicate the results of our investigation into the bug report with: | ||
| 1. The original reporter (if the reporter consents to having us release their Twitter handle and finding) AND | ||
| 1. Identify our plan and timeframe to mitigate the issue | ||
| 1. All determinations of risk are at the final discretion of the head of security. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| # CHANGE MANAGEMENT POLICY | ||
|
|
||
| ## Classification Level | ||
| Publicly available | ||
|
|
||
| ## Review Information | ||
|
|
||
| __Mandatory Review Period__ | ||
|
|
||
| Yearly | ||
|
|
||
| __Date of Last Review__ | ||
|
|
||
| October 25, 2022 | ||
|
|
||
| ## Introduction | ||
|
|
||
| A change management policy helps employees and external parties understand the processes by which we change our software and | ||
| systems. Specifically, it helps us and them reason about when, how, and why things might change that may have an impact on | ||
| functionality. | ||
|
|
||
| ### Goal Statement | ||
|
|
||
| At present, we are a small company (literally everyone in the company knows everyone else on a first name basis). Any change | ||
| is easily vetted with all internal stakeholders and subject matter experts. However, it is easy, especially within a group | ||
| that is very comfortable with one another, to grow complacent in our rigor around validating the impact of a change. To that | ||
| end, there is some benefit in formalizing aspects of change management or, at minimum, capturing what commonly occurs. When | ||
| contemplating or initiating change we should always apply due diligence in the consideration of client needs while balancing | ||
| our needs as well. | ||
|
|
||
| ### Background Statement | ||
|
|
||
| We, at Fonticons Inc., know our culture but it is entirely reasonable for others planning to use our technology to desire to | ||
| understand how and why are software and services might change. This is especially true as some of our changes may not be | ||
| backward compatible or may have unforeseen impacts (since our software is open source and thus can and is often leveraged in | ||
| ways that we do not expect). | ||
|
|
||
| ## Definitions | ||
|
|
||
| ### Terms | ||
|
|
||
| * The word "we" shall mean Fonticons Inc., all Fonticons employees, and any individuals contracting with Fonticons to complete work. | ||
| * The word Fonticons will be synonymous with Fonticons, Inc. for the purposes of this policy. | ||
| * Employee shall mean an individual directly employed by Fonticons and all contractors, consultants, temporary employees, or business partners. | ||
| * User shall mean any individual who is not an employee. | ||
| * Fonticons products/services refers to any and all paid or free products and/or services offered by Fonticons. | ||
| * Product shall mean, specifically, the icons, their digital representation, and associated icon functionality present in code. | ||
| * Service shall mean, specifically, the technologies that make the Fonticons product available to clients, users, and site users. | ||
| * Client shall mean a person or entity who installs or configures part or all of Fonticons product/service for use on a website or product not owned or otherwise controlled by Fonticons. | ||
| * Fonticons system shall mean any computers, communication systems, platforms, and any other information technology systems used by Fonticons to provide the Fonticons products/services. | ||
|
|
||
| ## Policy | ||
|
|
||
| 1. This policy applies to changes that directly impact clients. Like-for-like functional changes such as those associated with operations or security follow a different policy. | ||
| 1. All employees may suggest, request, or initiate a change to the Font Awesome product or service. | ||
| 1. Any user with access to GitHub may suggest or request a change to the Font Awesome product or service. | ||
| 1. All changes must either be classified as technical or design changes. | ||
| 1. Technical changes are changes to the Font Awesome service or the aspects of the Font Awesome product that are not direct visual representations of icons and their metadata. | ||
| 1. Design changes are changes to direct visual representations of icons and their metadata. | ||
| 1. Technical changes must be approved by the head of development. | ||
| 1. Design changes must be approved by the head of design. | ||
| 1. The head of development and head of design should take special care to consider the impact on clients and users within the bounds of expected usage. | ||
| 1. To facilitate this policy Fonticons must maintain an up-to-date expected usage statement. | ||
| 1. The head of development and head of design should consult with the CTO or other department heads (e.g., head of security or head of operations) if the proposed change is significant or otherwise has special significance in another department. | ||
| 1. All changes must ultimately be tracked in our project management software unless they are an emergency fix. In those instances, the fact that the fix was an emergency must be recorded in code management. | ||
| 1. We will attempt to release standard changes every 6-8 weeks. | ||
| 1. The head of development and CTO may choose to release an emergency or maintenance fix at any cadence they deem necessary for the stability of the product or service. | ||
|
|
||
| ## Procedures | ||
|
|
||
| 1. An employee that detects any violation of this policy must report the issue to their supervisor, the head of development, the head of design, the head of security, or the CTO. | ||
| 1. Intentionally or maliciously violating this policy is a serious offense and grounds for termination of employment. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # INCIDENT RESPONSE POLICY | ||
|
|
||
| ## Classification Level | ||
| Publicly available | ||
|
|
||
| ## Review Information | ||
|
|
||
| __Mandatory Review Period__ | ||
|
|
||
| Yearly | ||
|
|
||
| __Date of Last Review__ | ||
|
|
||
| October 25, 2022 | ||
|
|
||
| ## Introduction | ||
|
|
||
| An incident response policy clearly defines the roles, responsibilities, and expectations around investigations and actions | ||
| associated with a cybersecurity incident, such as a data breach or other attack. | ||
|
|
||
| ### Goal Statement | ||
|
|
||
| As regards cybersecurity incidents, our focus is on restoring functionality while doing whatever is practical to maintain | ||
| any available information about the attack. However, given the generally very low risk nature of our solution, we will | ||
| typically prioritize restoring functionality and maintaining client commitments first. | ||
|
|
||
| ### Background Statement | ||
|
|
||
| We, at Fonticons Inc., know our culture but it is entirely reasonable for others planning to use our technology to desire to | ||
| understand how we deal with issues, especially those that might result in a loss of or degradation of service. | ||
|
|
||
| ## Definitions | ||
|
|
||
| ### Terms | ||
|
|
||
| * The word "we" shall mean Fonticons Inc., all Fonticons employees, and any individuals contracting with Fonticons to complete work. | ||
| * The word Fonticons will be synonymous with Fonticons, Inc. for the purposes of this policy. | ||
| * Employee shall mean an individual directly employed by Fonticons and all contractors, consultants, temporary employees, or business partners. | ||
| * Fonticons products/services refers to any and all paid or free products and/or services offered by Fonticons. | ||
| * Product shall mean, specifically, the icons, their digital representation, and associated icon functionality present in code. | ||
| * Service shall mean, specifically, the technologies that make the Fonticons product available to clients, users, and site users. | ||
| * Client shall mean a person or entity who installs or configures part or all of Fonticons product/service for use on a website or product not owned or otherwise controlled by Fonticons. | ||
| * Incident shall mean any event, whether electronic, physical, or social that adversely impacts the confidentiality, integrity, or availability of Fonticons systems or data. | ||
| * Fonticons system shall mean any computers, communication systems, platforms, and any other information technology systems used by Fonticons to provide the Font Awesome product and service. | ||
| * Fonticons data shall mean data in any format collected, developed, maintained or managed by or on behalf of Fonticons Inc. | ||
|
|
||
| ## Policy | ||
|
|
||
| 1. All critical systems must have some level of automated monitoring and alerting. | ||
| 1. At least one employee must always be "on call" to respond to alerts 24 hours a day 7 days a week. | ||
| 1. The on call person must either have access to their computer or a device that is configured to recieve alerts from our automated systems. | ||
| 1. All employees are responsible for monitoring potential incidents generally. | ||
| 1. The support lead or an assigned delegate monitors help desk tickets for potential incidents between 9 AM and 5 PM Eastern Time, Monday through Friday. | ||
| 1. Any employee who detects an incident or potential incident must immediately report it to our internal reporting tool. | ||
| 1. Incidents must be investigated immediately. | ||
| 1. If the incident causes an outage or serious degredation of service, it must be addressed immediately. | ||
| 1. If it is unclear if an incident causes serious degredation of service, validate with head of ops, head of development, or the CTO. | ||
| 1. Incidents not causing an outage or serious degregation of service may be addressed during normal business hours. | ||
| 1. Any employee can begin addressing an incident after reporting. | ||
| 1. During an active incident, all employees should consider the incident their top priority and should coordinate with the team to determine what actions they are expected to take to remedy the issue. | ||
| 1. Upon detection of an incident impacting clients a discussion will occur internally and an appropriate employee will make an initial, official statement via Twitter. | ||
| 1. System outages must be updated on our status indicator page once we have definitively determined a degregation or service outage. | ||
| 1. Other department heads or employees will update official communication as necessary. | ||
| 1. If an incident results in the loss of client data, we will also communicate that information directly to clients via their existing contact information. | ||
|
|
||
| ## Procedures | ||
|
|
||
| 1. An employee that detects any violation of this policy must report the issue to their supervisor, the head of development (Rob Madole), the head of security (Alex Poiry), or the CTO (Travis Chase). | ||
| 1. Intentionally or maliciously violating this policy is a serious offense and is grouds for termination of employment. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.