DRY on password management; move eng sec policy to eng sec page #1298

Merged
merged 7 commits into from
Oct 9, 2023

openprivacy
Member

@openprivacy openprivacy commented Oct 3, 2023

@openprivacy openprivacy force-pushed the fen-passwords branch 3 times, most recently from 4c47cfc to c71f86e Compare October 4, 2023 00:04
@openprivacy openprivacy marked this pull request as ready for review October 4, 2023 00:09
@openprivacy openprivacy requested review from a team as code owners October 4, 2023 00:09
@openprivacy
Member Author

Password Policy is more cleanly separated from Password Management, and SSH and Server management policies have been moved into Engineering > Security and Compliance -- this latter page needs some Engineering attention.

@openprivacy openprivacy self-assigned this Oct 4, 2023
@openprivacy
Member Author

openprivacy commented Oct 4, 2023

https://guidebook.civicactions.com/en/latest/practice-areas/engineering/security-compliance/ needs work, and this PR makes it even more unwieldy; the next step will be to create a branch/PR to clean up this page.

[update] see #1299

@openprivacy
Member Author

Overview of Security Policy section changes:

  1. Password managers and two-factor authentication
    • unique text integrated into common-practices-tools/security/README.md -- duplicate text removed
  2. Some password exceptions
    • removed (if you want this, consider a move to practice-areas/engineering/security-compliance.md)
  3. Private keys
    • moved to practice-areas/engineering/security-compliance.md
  4. Server and site security
    • moved to practice-areas/engineering/security-compliance.md

The removal of sections that are only of interest to engineers should not require that everyone re-read/re-sign acceptance of the policy.

This was basically a tightening and clean-up of duplicated text. Next step will be to go over the practice-areas/engineering/security-compliance.md doc, tighten it up and ensure it contains policies that are general to all our engineers and devops teams. Tia.

@openprivacy openprivacy merged commit a4ff078 into master Oct 9, 2023
8 of 9 checks passed
@openprivacy openprivacy deleted the fen-passwords branch October 9, 2023 21:23
openprivacy added a commit that referenced this pull request Oct 11, 2023
* after #1298, basic cleanup (first pass) of Eng Security page

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* add confidential information link

* Remove app passwords section

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* removed a lot and reorganized - stage one

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* removed external developer section

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
4 participants