From c71f86e2727044d8737fb55c0a8e3f67fdde8a75 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 3 Oct 2023 21:42:14 +0000 Subject: [PATCH] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- common-practices-tools/security/README.md | 4 ++-- company-policies/security.md | 6 +++--- practice-areas/engineering/security-compliance.md | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/common-practices-tools/security/README.md b/common-practices-tools/security/README.md index b58b2ed4bb..ca26da23c8 100644 --- a/common-practices-tools/security/README.md +++ b/common-practices-tools/security/README.md @@ -21,7 +21,7 @@ Additionally, your laptop should lock (require a password to resume) on screen c A password manager enables you to have unique, strong passwords for every service that you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more. Choose a password manager that encrypts locally (in your browser, so you don't have to trust the provider to keep their data safe) and that has iPhone and Android apps that will auto-sync with the manager. At CivicActions, we currently recommend LastPass as it is the most full-featured, but we are keeping a close eye on other solutions. -The password manager itself must be protected by a strong _memorized secret_ (this may be the only password you have to remember) as defined in the [Password Policy](../../company-policies/security/#password-policy) +The password manager itself must be protected by a strong _memorized secret_ (this may be the only password you have to remember) as defined in the [Password Policy](../../company-policies/security.md#password-policy) ### LastPass 
@@ -47,7 +47,7 @@ Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication If you lose your second factor (say a Yubikey or your phone) you may not be able to unlock the service any more. For this reason it is crucially important that you have a [backup second factor](#multi-factor-redundancy-and-mfa-backup-codes) for each MFA-enabled service. -CivicActions requires MFA for access to your password manager, the CivicActions Google Workspace, GitHub, Gitlab and for any *privileged account* access. +CivicActions requires MFA for access to your password manager, the CivicActions Google Workspace, GitHub, Gitlab and for any _privileged account_ access. ### Multi-Factor Authenticators (MFA) diff --git a/company-policies/security.md b/company-policies/security.md index a31f5987c6..cb2c0ed7e9 100644 --- a/company-policies/security.md +++ b/company-policies/security.md @@ -115,7 +115,7 @@ If a system is believed to be compromised, either through theft, loss, remote ac ## Password Policy -Strong passwords provide the basis for secure authentication to many systems and services. +Strong passwords provide the basis for secure authentication to many systems and services. To qualify as a strong password, it must be at least 16 characters long with multiple character types and no repetitions. A longer _passphrase_ consisting of several words in an order that make sense only to you can work well as a _memorized secret_. 
@@ -126,13 +126,13 @@ All passwords at CivicActions must follow this policy, including passwords used - Accounts on any CivicActions or client site or service. - Accounts on 3rd party vendor sites. -CivicActions requires that you employ a unique, strong password for every service that you log into. For this reason, CivicActions requires use of a [Password Manager](../common-practices-tools/security#password-management-tools). +CivicActions requires that you employ a unique, strong password for every service that you log into. For this reason, CivicActions requires use of a [Password Manager](../common-practices-tools/security/README.md#password-management-tools). Please see the [Security Awareness and Tools](../common-practices-tools/security/README.md) document for details on these subjects and more. ### Mitigation -If you suspect a password has been compromised (for example, it was accidentally typed into an unencrypted chat session), [report the incident](../common-practices-tools/security/incidents/#reporting-an-incident) immediately - the Security Team will provide support. It is usually good practice to change the password yourself if possible. +If you suspect a password has been compromised (for example, it was accidentally typed into an unencrypted chat session), [report the incident](../common-practices-tools/security/incidents.md#reporting-an-incident) immediately - the Security Team will provide support. It is usually good practice to change the password yourself if possible. - This includes the case when a client sends a name/password pair in the clear in an email. diff --git a/practice-areas/engineering/security-compliance.md b/practice-areas/engineering/security-compliance.md index cfd0c9947c..5426f718d7 100644 --- a/practice-areas/engineering/security-compliance.md +++ b/practice-areas/engineering/security-compliance.md 
@@ -10,7 +10,7 @@ All engineers understand and abide by the [CivicActions Employee/Contractor Secu In particular: -- We practice [Server & Site Security](../../company-policies/security.md#server-and-site-security) +- We practice [Server & Site Security](#server-and-site-security) - using only sanitized databases - taking care to not install restricted access files on development or personal instances outside the project defined security accreditation boundary - and scrubbing unneeded data from our development systems @@ -55,8 +55,8 @@ There are some instructions at
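Review bot: in the first README.md hunk (@@ -21), the Password Policy link target changes from the directory form `../../company-policies/security/#password-policy` to the file form `../../company-policies/security.md#password-policy`; the two forms resolve differently depending on whether the page is read on GitHub or on the generated site, so check the rendered page before merging. The same patch moves the links in all three files toward the `.md` form, which at least makes them consistent.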
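Review bot: the `*privileged account*` to `_privileged account_` change in the MFA hunk (@@ -47) is purely cosmetic and matches the `_memorized secret_` underscore emphasis used in the surrounding hunks; no rendering difference, safe to merge.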
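Review bot: in the security.md Mitigation hunk (@@ -126) the incident-reporting link is rewritten from `incidents/#reporting-an-incident` to `incidents.md#reporting-an-incident`, while in the same hunk `security#password-management-tools` becomes `security/README.md#password-management-tools`. The trailing slash in the original suggests `incidents/` may be a directory with its own README, as `security/` is; confirm that `common-practices-tools/security/incidents.md` actually exists, because this is the link staff follow to report a compromised password and a 404 there delays incident response.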
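Review bot: the security-compliance.md hunk (@@ -10) is not a formatting fix: the Server & Site Security link changes from `../../company-policies/security.md#server-and-site-security` to the same-page anchor `#server-and-site-security`, so it now points at a heading in security-compliance.md instead of the company policy. Verify that such a heading exists in this file; if the intent is to reference the policy document, keep the original target, i.e. `- We practice [Server & Site Security](../../company-policies/security.md#server-and-site-security)`.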