Group incident response/disclosure policies together
Reorder pages so that we have the following pages in order:
* incident response policy
* incident response process
* incident disclosure policy
awly committed Aug 31, 2023
1 parent af87440 commit 07c9c1b
Showing 9 changed files with 15 additions and 15 deletions.
6 changes: 3 additions & 3 deletions access-control/index.md
Expand Up @@ -3,7 +3,7 @@ title: Access control policy
slug: access-control
policy: true
faq: false
weight: 7
weight: 9
---

Tailscale limits access control based on job requirements, following the principle of least privilege.
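Review bot: The "weight: 7" to "weight: 9" change in this front matter is one of seven renumberings made only to make room for the two incident pages, so moving two pages costs edits to nine files. Consider spacing the weights (for example in steps of 10) so that a future reorder touches only the pages that actually move, and so that a duplicate weight is less likely when someone renumbers by hand.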
Expand All @@ -18,9 +18,9 @@ This policy applies throughout the entire lifecycle of employee, contractor, or

Where possible, access policies are enforced by technical measures.

Tailscale should implement monitoring on its systems where possible, to record logon attempts and failures, successful logons and date and time of logon and logoff. Activities performed as administrator are logged where it is feasible to do so.
Tailscale should implement monitoring on its systems where possible, to record logon attempts and failures, successful logons and date and time of logon and logoff. Activities performed as administrator are logged where it is feasible to do so.

Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks.
Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks.

Where possible, more than one person must have full rights to any critical piece of infrastructure serving or storing production services or customer data.

2 changes: 1 addition & 1 deletion bcp-dr/index.md
Expand Up @@ -3,7 +3,7 @@ title: BCP/DR policy
slug: bcp-dr
policy: true
faq: false
weight: 6
weight: 8
---

### Context
4 changes: 2 additions & 2 deletions change-management/index.md
Expand Up @@ -3,7 +3,7 @@ title: Change management policy
slug: change-management
policy: true
faq: false
weight: 9
weight: 11
---

To avoid potential security incidents, Tailscale requires change management controls to ensure only authorized changes are made to its environment and processes.
Expand Down Expand Up @@ -42,4 +42,4 @@ Tailscale may also make changes to customer environments without the customer in

Security policies must have a change log to allow auditing of past changes, including when and by whom these changes were made. Tailscale stores these security policies in GitHub and uses git to track changes.

Tailscale will review and evaluate its security policies, adapt them as needed due to changing risks, and validate if the implemented information security continuity controls are sufficient on a quarterly basis.
Tailscale will review and evaluate its security policies, adapt them as needed due to changing risks, and validate if the implemented information security continuity controls are sufficient on a quarterly basis.
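Review bot: The last line of this hunk is replaced with text that reads the same, which points to a trailing-whitespace or end-of-file newline fix, not a policy change. The paragraph just above says git is the change log used to audit these policies, so a whitespace-only edit to the quarterly-review sentence will show up in blame as a change to that commitment; a separate formatting commit would keep that audit trail clean. The same final-line pattern appears in the data-retention-deletion, password and patch-management files, which together with access-control accounts for 6 of the 15 changed lines.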
4 changes: 2 additions & 2 deletions data-retention-deletion/index.md
Expand Up @@ -3,7 +3,7 @@ title: Data retention and deletion policy
slug: data-retention-deletion
policy: true
faq: false
weight: 12
weight: 14
---

Tailscale must retain certain kinds of data for a minimum amount of time, to comply with legal requirements. At the same time, Tailscale wants to avoid retaining any identifiable data for longer than is necessary, in case of a breach.
Expand Down Expand Up @@ -217,4 +217,4 @@ Tailscale must delete customer data in accordance with the commitments, if any,

### Deletion method

Data may be destroyed by overwriting on disk, deleting a cloud resource, encrypting and destroying the key, resetting a device, and/or physical destruction.
Data may be destroyed by overwriting on disk, deleting a cloud resource, encrypting and destroying the key, resetting a device, and/or physical destruction.
2 changes: 1 addition & 1 deletion incident-disclosure/index.md
Expand Up @@ -3,7 +3,7 @@ title: Incident disclosure and notification policy
slug: incident-disclosure
policy: true
faq: false
weight: 13
weight: 7
---

This policy specifies when and how we notify users about security incidents.
2 changes: 1 addition & 1 deletion incident-response-process/index.md
Expand Up @@ -3,7 +3,7 @@ title: Incident response process
slug: incident-response-process
policy: true
faq: false
weight: 14
weight: 6
---

### Incident response
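Review bot: "weight: 6" here and "weight: 7" on incident-disclosure give the process-then-disclosure order from the commit message, but the incident response policy page that should come first is not among the changed files. Confirm that its weight is below 6 and that no other page shares it, and consider saying so in the commit message, since the stated three-page order cannot be verified from this diff alone.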
4 changes: 2 additions & 2 deletions password/index.md
Expand Up @@ -3,7 +3,7 @@ title: Password policy
slug: password
policy: true
faq: false
weight: 8
weight: 10
---

To avoid potential security incidents, Tailscale requires employees to follow password requirements.
Expand Down Expand Up @@ -62,4 +62,4 @@ End user devices must use passwords to encrypt their disks and unlock the device

Access to third party applications must use SSO where possible, MFA where possible, and enforce MFA where possible.

An individual’s password for their password management vault must be unique. These do not need to be randomly generated.
An individual’s password for their password management vault must be unique. These do not need to be randomly generated.
4 changes: 2 additions & 2 deletions patch-management/index.md
Expand Up @@ -3,7 +3,7 @@ title: Patch management policy
slug: patch-management
policy: true
faq: false
weight: 11
weight: 13
---

To avoid potential security incidents, Tailscale regularly reviews potential vulnerabilities in its environment and applies relevant patches.
Expand Down Expand Up @@ -38,4 +38,4 @@ Tailscale should patch security vulnerabilities as soon as possible. The expecte

Where a patch is not yet available, or cannot be applied, Tailscale should put in place mitigations as appropriate to prevent a vulnerability from being exploited. Tailscale should also put in place mitigations if a vulnerability is known to be actively exploited in the wild.

Mitigations can include: removing functionality, limiting who can access a service, or taking down a service.
Mitigations can include: removing functionality, limiting who can access a service, or taking down a service.
2 changes: 1 addition & 1 deletion testing/index.md
Expand Up @@ -3,7 +3,7 @@ title: Testing policy
slug: testing
policy: true
faq: false
weight: 10
weight: 12
---

To avoid potential security incidents, Tailscale requires testing of its software to ensure that it functions as expected.
