From 0b6b9c5a5032bf4333ecfed1608813359154877e Mon Sep 17 00:00:00 2001
From: Maya Kaczorowski <15946341+mayakacz@users.noreply.github.com>
Date: Wed, 12 Jul 2023 14:19:25 -0700
Subject: [PATCH] update policies on 2023/07/12 (#10)
---
README.md | 2 +-
change-management/index.md | 2 +-
information-classification/index.md | 3 ---
overview.md | 2 +-
personnel/index.md | 2 +-
5 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 153f289..eddbb86 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ _Since these are our internal policies, some links to internal documents or reso
This repository is the source of truth for the policies available at https://tailscale.com/security-policies/.
-These policies were last reviewed on 2023-04-03.
+These policies were last reviewed on 2023-07-12.
### FAQ
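Review bot: the "last reviewed" date on the `+` line moves from 2023-04-03 to 2023-07-12, but neither this line nor the commit message says which policies were re-read or who signed off, so the date alone does not make the review auditable. Suggest pointing the README line at the review record (for example the PR that carries the review), e.g. `These policies were last reviewed on 2023-07-12 (see #10).`, or listing the reviewed policies in the commit body.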
diff --git a/change-management/index.md b/change-management/index.md
index f9e023d..e81c431 100644
--- a/change-management/index.md
+++ b/change-management/index.md
@@ -14,7 +14,7 @@ To avoid potential security incidents, Tailscale requires change management cont
Changes to code in Tailscale’s environment made by an employee or contractor must be tested and approved by another employee prior to being merged and rolled out.
-Tailscale uses branch protection rules on GitHub to require a second review prior to merging code.
+Tailscale uses branch protection rules on GitHub to require changes be made through a pull request with a second review prior to merging code.
Exceptionally, employees can push changes without a second review where they are required to mitigate an incident. Changes pushed without prior approval are tagged and audited after the fact, within 2 business days.
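Review bot: the new `+` line reads "require changes be made through a pull request"; it should be "require that changes be made through a pull request". More importantly, the unchanged exception paragraph that follows still talks only about pushing "without a second review", while the control now also mandates a pull request; state explicitly whether the incident exception permits bypassing the pull-request requirement (a direct push to the protected branch) as well as the review, since that is exactly the push the tag-and-audit-within-2-business-days rule needs to catch.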
diff --git a/information-classification/index.md b/information-classification/index.md
index c4c89e2..a6fbd54 100644
--- a/information-classification/index.md
+++ b/information-classification/index.md
@@ -39,7 +39,6 @@ Tailscale classifies assets into three risk categories: **Low Risk**, **Medium R
-
- Data: protection is mandated by confidentiality agreements, labor codes, specific laws and regulations (e.g. PCI DSS, HIPAA, GDPR), or data is subject to breach reporting requirements, or disclosure would have a significant adverse impact on Tailscale (e.g., user accounts database).
- Hardware and software systems: compromise would have a significant adverse impact on Tailscale (e.g. the login.tailscale.com control plane service).
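Review bot: the removed line in this hunk is a blank line inside what the hunk header shows to be the asset-classification table, and the same blank line is removed in the two hunks that follow for the Medium Risk and Low Risk rows. In Markdown a blank line inside a table cell can be what makes the following `- Data:` / `- Hardware and software systems:` items render as a list, so please check the rendered page at https://tailscale.com/security-policies/ after merging to confirm the three rows still display as bullet lists rather than collapsing into one run of text.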
@@ -52,7 +51,6 @@ Tailscale classifies assets into three risk categories: **Low Risk**, **Medium R
|
-
- Data: not generally available to the public, and disclosure would have some adverse impact on Tailscale (e.g. internal engineering documentation).
- Hardware and software systems: compromise would have some adverse impact on Tailscale (e.g. cloud VM running production monitoring system).
@@ -65,7 +63,6 @@ Tailscale classifies assets into three risk categories: **Low Risk**, **Medium R
|
-
- Data: publicly available, or disclosure would have no adverse operational or financial impact on Tailscale (e.g. tailscale.com website source code). May still have some limited reputational impact.
- Hardware and software systems: compromise would have no adverse impact on Tailscale (e.g. testbed cloud VM with no user data or privileged access).
diff --git a/overview.md b/overview.md
index f567591..6e3efcd 100644
--- a/overview.md
+++ b/overview.md
@@ -1,5 +1,5 @@
### Security policy ownership
-All security policies are owned by the Chief Operating Officer (COO). The Security Review Team (members in Engineering, Product and Operations) are responsible for reviewing the policies.
+All security policies are owned by the Chief Operating Officer (COO). The Security Review Team (members in Security, Engineering, and Operations) are responsible for reviewing the policies.
The Chief Operating Officer and the Security Review Team are responsible for implementing the processes and controls laid out in the security policies, and pulling in other employees as needed.
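Review bot: the `+` line drops Product from the Security Review Team and adds Security, but the unchanged line after it still makes this same team jointly responsible with the COO for implementing every policy in the set. Confirm the membership change is intentional rather than a wording cleanup, and that any other policy page or internal roster that names the team's composition is updated in this same change so the published policies do not describe two different teams.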
diff --git a/personnel/index.md b/personnel/index.md
index 57ad07d..efcf747 100644
--- a/personnel/index.md
+++ b/personnel/index.md
@@ -15,4 +15,4 @@ As part of its hiring process, Tailscale does not perform criminal background ch
All employees must complete Tailscale’s information security awareness training as part of their initial onboarding and thereafter, while still under contract, on an annual basis.
### Performance Reviews
-All full time employees must complete a biannual Performance Review, the results of which are signed and dated by both the employee and their manager, and uploaded to the employee’s personnel files in the HR system.
\ No newline at end of file
+All full time employees must complete an annual Performance Review, the results of which are signed and dated by both the employee and their manager, and uploaded to the employee’s personnel files in the HR system.
\ No newline at end of file
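Review bot: the change from "biannual" to "annual" on the `+` line removes a genuinely ambiguous word (biannual is read both as twice a year and as every second year), and it now matches the "on an annual basis" cadence of the awareness-training line above, so the wording is an improvement. Since the file is being edited anyway, also add the missing trailing newline that both the `-` and `+` lines still lack.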