[pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
pre-commit-ci[bot] authored and openprivacy committed Oct 4, 2023
1 parent 295d444 commit c71f86e
Showing 3 changed files with 8 additions and 8 deletions.
4 changes: 2 additions & 2 deletions common-practices-tools/security/README.md
Expand Up @@ -21,7 +21,7 @@ Additionally, your laptop should lock (require a password to resume) on screen c

A password manager enables you to have unique, strong passwords for every service that you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more. Choose a password manager that encrypts locally (in your browser, so you don't have to trust the provider to keep their data safe) and that has iPhone and Android apps that will auto-sync with the manager. At CivicActions, we currently recommend LastPass as it is the most full-featured, but we are keeping a close eye on other solutions.

The password manager itself must be protected by a strong _memorized secret_ (this may be the only password you have to remember) as defined in the [Password Policy](../../company-policies/security/#password-policy)
The password manager itself must be protected by a strong _memorized secret_ (this may be the only password you have to remember) as defined in the [Password Policy](../../company-policies/security.md#password-policy)

### LastPass
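Review bot: the link fix on the `_memorized secret_` line (`../../company-policies/security/#password-policy` to `../../company-policies/security.md#password-policy`) changes how the target resolves, not just its spelling: the old form relied on the site serving `security/` as a directory index, the new form points at the source file and depends on the site generator rewriting `.md` links to rendered pages. Since the same commit moves the other cross-document links to the `.md` form, confirm the docs build resolves `security.md#password-policy` and that the `password-policy` slug still matches the `## Password Policy` heading in that file; the fragment itself was left unchanged, so only the path was corrected.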

Expand All @@ -47,7 +47,7 @@ Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication

If you lose your second factor (say a Yubikey or your phone) you may not be able to unlock the service any more. For this reason it is crucially important that you have a [backup second factor](#multi-factor-redundancy-and-mfa-backup-codes) for each MFA-enabled service.

CivicActions requires MFA for access to your password manager, the CivicActions Google Workspace, GitHub, Gitlab and for any *privileged account* access.
CivicActions requires MFA for access to your password manager, the CivicActions Google Workspace, GitHub, Gitlab and for any _privileged account_ access.

### Multi-Factor Authenticators (MFA)
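Review bot: the only change in this hunk is the emphasis marker on `_privileged account_` (previously `*privileged account*`), which is purely stylistic and matches the `_memorized secret_` and `_passphrase_` convention used elsewhere in this commit. Nothing functional to check; if the hook is going to keep normalizing emphasis, the marker setting should live in the repo's committed remark config so editors stop producing `*` markers for the bot to rewrite. While here, the unchanged context line above links to `#multi-factor-redundancy-and-mfa-backup-codes`; it is worth confirming that same-file anchor still exists after the link fixer has run, since that is the lock-out recovery path the paragraph depends on.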

6 changes: 3 additions & 3 deletions company-policies/security.md
Expand Up @@ -115,7 +115,7 @@ If a system is believed to be compromised, either through theft, loss, remote ac

## Password Policy

Strong passwords provide the basis for secure authentication to many systems and services.
Strong passwords provide the basis for secure authentication to many systems and services.

To qualify as a strong password, it must be at least 16 characters long with multiple character types and no repetitions. A longer _passphrase_ consisting of several words in an order that make sense only to you can work well as a _memorized secret_.
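Review bot: this hunk only strips trailing whitespace from the "Strong passwords provide the basis..." line, which is harmless here because a blank line follows it. General caveat for a trailing-whitespace hook on Markdown: two trailing spaces are a hard line break, so the fixer can silently change rendering anywhere the spaces were intentional. If a hard break is ever wanted in these policy documents, use a backslash line break or a blank line so the hook cannot remove it.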

Expand All @@ -126,13 +126,13 @@ All passwords at CivicActions must follow this policy, including passwords used
- Accounts on any CivicActions or client site or service.
- Accounts on 3rd party vendor sites.

CivicActions requires that you employ a unique, strong password for every service that you log into. For this reason, CivicActions requires use of a [Password Manager](../common-practices-tools/security#password-management-tools).
CivicActions requires that you employ a unique, strong password for every service that you log into. For this reason, CivicActions requires use of a [Password Manager](../common-practices-tools/security/README.md#password-management-tools).

Please see the [Security Awareness and Tools](../common-practices-tools/security/README.md) document for details on these subjects and more.

### Mitigation

If you suspect a password has been compromised (for example, it was accidentally typed into an unencrypted chat session), [report the incident](../common-practices-tools/security/incidents/#reporting-an-incident) immediately - the Security Team will provide support. It is usually good practice to change the password yourself if possible.
If you suspect a password has been compromised (for example, it was accidentally typed into an unencrypted chat session), [report the incident](../common-practices-tools/security/incidents.md#reporting-an-incident) immediately - the Security Team will provide support. It is usually good practice to change the password yourself if possible.

Check warning on line 135 in company-policies/security.md (GitHub Actions / remark-lint-suggestions):

    135:1-135:269  warning  Hard to read sentence (confidence: 5/7)  readability  retext-readability

- This includes the case when a client sends a name/password pair in the clear in an email.
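Review bot: the two link fixes here (`security#password-management-tools` to `security/README.md#password-management-tools`, and `incidents/#reporting-an-incident` to `incidents.md#reporting-an-incident`) are the right targets, but the remark-lint annotation on line 135 still stands after this change: the "If you suspect a password has been compromised..." sentence is a 269-character run joined by a dash. Suggest splitting it, e.g. "...report the incident immediately. The Security Team will provide support, and it is usually good practice to change the password yourself if possible." The trailing bullet "This includes the case when a client sends a name/password pair in the clear in an email." also hangs alone below the paragraph; it reads better folded into the sentence or as a short list with a lead-in.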

6 changes: 3 additions & 3 deletions practice-areas/engineering/security-compliance.md
Expand Up @@ -10,7 +10,7 @@ All engineers understand and abide by the [CivicActions Employee/Contractor Secu

In particular:

- We practice [Server & Site Security](../../company-policies/security.md#server-and-site-security)
- We practice [Server & Site Security](#server-and-site-security)
- using only sanitized databases
- taking care to not install restricted access files on development or personal instances outside the project defined security accreditation boundary
- and scrubbing unneeded data from our development systems
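Review bot: the link on the "We practice [Server & Site Security]" bullet was changed from `../../company-policies/security.md#server-and-site-security` to the bare `#server-and-site-security`, which now resolves within practice-areas/engineering/security-compliance.md rather than in the company security policy. Only the top of this file is visible in the hunk, so it is not shown here whether security-compliance.md has its own "Server and Site Security" heading; if it does not, the auto-fixer has introduced a broken anchor rather than fixed one, and the link should point back at the policy document, consistent with the "abide by the CivicActions Employee/Contractor Security policy" sentence that precedes the list.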
Expand Down Expand Up @@ -55,8 +55,8 @@ There are some instructions at <https://support.google.com/accounts/answer/18583

- If a service allows individual accounts, use only individual accounts and not shared credentials.
- Prefer services that allow individual accounts, services that allow MFA and secure password policies.
- If a service only allows a single account, have a shared LastPass master account that ideally only 2-3 trusted people have access to. From there share passwords out on an "as needed" basis only, including to individual day-to-day LastPass accounts for the 2-3 trusted people.
- If the LastPass master account is a paid account it also allows sharing credentials in a way that makes the password harder for the person who you shared it with to recover/view/share (but still allow them to log in with it).
- If a service only allows a single account, have a shared LastPass account that ideally only 2-3 trusted people have access to. From there share passwords out on an "as needed" basis only, including to individual day-to-day LastPass accounts for the 2-3 trusted people.
- If the shared LastPass account is a paid account it also allows sharing credentials in a way that makes the password harder for the person who you shared it with to recover/view/share (but still allow them to log in with it).
- Shared account passwords should rotate to ensure that only those users needing access continue to have access, revoking individual accounts particularly when people leave.

### Private keys
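Review bot: the wording change from "LastPass master account" to "shared LastPass account" is fine, but since these bullets are being touched, they should state that the shared LastPass account itself must have MFA enabled: the README hunk in this same commit says MFA is required for access to your password manager, and this account holds every single-account service credential. The "paid account ... makes the password harder for the person who you shared it with to recover/view/share" bullet should also not be read as a security boundary; the bullet itself says only "harder", and anyone who can log in with a shared password can still capture it from the login form. The rotation bullet that follows is the real control, and it should trigger on every departure from the 2-3 person group rather than on a schedule.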

0 comments on commit c71f86e
