Github/comply
1
0
Fork 0
mirror of https://github.com/strongdm/comply synced 2024-07-02 23:14:22 +00:00
Code Issues Projects Releases Wiki Activity

automated asset refresh (via Makefile)

Browse Source
This commit is contained in:
Justin McCarthy 2018-05-18 16:31:30 -07:00
parent 5acf683e04
commit eb00183724
No known key found for this signature in database
GPG Key ID: 900437410E142A48
4 changed files with 488 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
internal/theme/themes_bindata.go
View File

File diff suppressed because one or more lines are too long

90
themes/comply-soc2/policies/availability.md
View File

@ -9,4 +9,92 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for proper controls to protect the availability of the organizations information systems.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
# Background
a. The intent of this policy is to minimize the amount of unexpected or unplanned downtime (also known as outages) of information systems under the organizations control. This policy prescribes specific measures for the organization that will increase system redundancy, introduce failover mechanisms, and implement monitoring such that outages are prevented as much as possible. Where they cannot be prevented, outages will be quickly detected and remediated.
a. Within this policy, an availability is defined as a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
# References
a. Risk Assessment Policy
# Policy
a. Information systems must be consistently available to conduct and support business operations.
a. Information systems must have a defined availability classification, with appropriate controls enabled and incorporated into development and production processes based on this classification.
a. System and network failures must be reported promptly to the organizations lead for Information Technology (IT) or designated IT operations manager.
a. Users must be notified of scheduled outages (e.g., system maintenance) that require periods of downtime. This notification must specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
a. Prior to production use, each new or significantly modified application must have a completed risk assessment that includes availability risks. Risk assessments must be completed in accordance with the Risk Assessment Policy (reference (a)).
a. Capacity management and load balancing techniques must be used, as deemed necessary, to help minimize the risk and impact of system failures.
a. Information systems must have an appropriate data backup plan that ensures:
i. All sensitive data can be restored within a reasonable time period.
i. Full backups of critical resources are performed on at least a weekly basis.
i. Incremental backups for critical resources are performed on at least a daily basis.
i. Backups and associated media are maintained for a minimum of thirty (30) days and retained for at least one (1) year, or in accordance with legal and regulatory requirements.
i. Backups are stored off-site with multiple points of redundancy and protected using encryption and key management.
i. Tests of backup data must be conducted once per quarter. Tests of configurations must be conducted twice per year.
a. Information systems must have an appropriate redundancy and failover plan that meets the following criteria:
i. Network infrastructure that supports critical resources must have system-level redundancy (including but not limited to a secondary power supply, backup disk-array, and secondary computing system). Critical core components (including but not limited to routers, switches, and other devices linked to Service Level Agreements (SLAs)) must have an actively maintained spare. SLAs must require parts replacement within twenty-four (24) hours.
i. Servers that support critical resources must have redundant power supplies and network interface cards. All servers must have an actively maintained spare. SLAs must require parts replacement within twenty-four (24) hours.
i. Servers classified as high availability must use disk mirroring.
a. Information systems must have an appropriate business continuity plan that meets the following criteria:
i. Recovery time and data loss limits are defined in Table 3.
i. Recovery time requirements and data loss limits must be adhered to with specific documentation in the plan.
i. Company and/or external critical resources, personnel, and necessary corrective actions must be specifically identified.
i. Specific responsibilities and tasks for responding to emergencies and resuming business operations must be included in the plan.
i. All applicable legal and regulatory requirements must be satisfied.
+-------------------+------------------+---------------+-------------------+------------------+
|**Availability** | **Availability** | **Scheduled** | **Recovery Time** | **Data Loss or** |
|**Classification** | **Requirements** | **Outage** | **Requirements** | **Impact Loss** |
+===================+==================+===============+===================+==================+
| High | High to | 30 minutes | 1 hour | Minimal |
| | Continuous | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| | | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| Medium | Standard | 2 hours | 4 hours | Some data loss |
| | Availability | | | is tolerated if |
| | | | | it results in |
| | | | | quicker |
| | | | | restoration |
+-------------------+------------------+---------------+-------------------+------------------+
| | | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| Low | Limited | 4 hours | Next | Some data loss |
| | Availability | | business day | is tolerated if |
| | | | | it results in |
| | | | | quicker |
| | | | | restoration |
+-------------------+------------------+---------------+-------------------+------------------+
Table 3: Recovery Time and Data Loss Limits

276
themes/comply-soc2/policies/classification.md
View File

@ -7,5 +7,279 @@ majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Appendices
Appendix A: Handling of Classified Information
Appendix B: Form - Confidentiality Statement
# Purpose and Scope
a. This data classification policy defines the requirements to ensure that information within the organization is protected at an appropriate level.
a. This document applies to the entire scope of the organizations information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.
a. This policy applies to all individuals and systems that have access to information kept by the organization.
# Background
a. This policy defines the high level objectives and implementation instructions for the organizations data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within the organization. Confidentiality and non-disclosure agreements maintained by the organization must reference this policy.
# References
a. Risk Assessment Policy
a. Security Incident Management Policy
# Policy
a. If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
a. If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.
a. When classifying information, the level of confidentiality is determined by:
i. The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (reference (a)).
i. Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
i. Legal, regulatory and contractual obligations.
+-------------------+------------------+---------------------------+---------------------------+
|**Confidentiality**| **Label** | **Classification** | **Access** |
| **Level** | | **Criteria** | **Restrictions** |
+===================+==================+===========================+============================+
| Public | For Public | Making the information | Information is available |
| | Release | public will not harm | to the public. |
| | | the organization in | |
| | | any way. | |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Internal Use | Internal Use | Unauthorized access | Information is available |
| | | may cause minor damage | to all employees and |
| | | and/or inconvenience | authorized third parties. |
| | | to the organization. |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Restricted | Restricted | Unauthorized access to | Information is available |
| | | information may cause | to a specific group of |
| | | considerable damage to | employees and authhorized |
| | | the business and/or | third parties. |
| | | the organization's | |
| | | reputation. | |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Confidential |Confidential | Unauthorized access to | Information is available |
| | | information may cause | only to specific indivi- |
| | | catastrophic damage to | duals in the |
| | | business and/or the | organization. |
| | | organization's reputation.| |
+-------------------+------------------+---------------------------+---------------------------+
Table 3: Information Confidentiality Levels
 
d. Information must be classified based on confidentiality levels as defined in Table 3.
e. Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.
f. Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.
g. Information classified as “Internal Use” must be accompanied by a list of authorized persons only if individuals outside the organization will have access to the document.
h. Information and information system owners must review the confidentiality level of their information assets every five years and assess whether the confidentiality level should be changed. Wherever possible, confidentiality levels should be lowered.
a. For cloud-based software services provided to customers, system owners under the companys control must also review the confidentiality level of their information systems after service agreement changes or after a customers formal notification. Where allowed by service agreements, confidentiality levels should be lowered.
a. Information must be labeled according to the following:
i. Paper documents: the confidentiality level is indicated on the top and bottom of each document page; it is also indicated on the front of the cover or envelope carrying such a document as well as on the filing folder in which the document is stored. If a document is not labeled, its default classification is Internal Use.
i. Electronic documents: the confidentiality level is indicated on the top and bottom of each document page. If a document is not labeled, its default classification is Internal Use.
i. Information systems: the confidentiality level in applications and databases must be indicated on the system access screen, as well as on the screen when displaying such information.
i. Electronic mail: the confidentiality level is indicated in the first line of the email body. If it is not labeled, its default classification is “Internal Use”.
i. Electronic storage media (disks, memory cards, etc.): the confidentiality level must be indicated on the top surface of the media. If it is not labeled, its default classification is “Internal Use”.
i. Information transmitted orally: the confidentiality level should be mentioned before discussing information during face-to-face communication, by telephone, or any other means of oral communication.
a. All persons accessing classified information must follow the guidelines listed in Appendix A, “Handling of Classified Information.”
a. All persons accessing classified information must complete and submit a Confidentiality Statement to their immediate supervisor or company point-of-contact. A sample Confidentiality Statement is in Appendix B.
a. Incidents related to the improper handling of classified information must be reported in accordance with the Security Incident Management Policy (reference (b)).
\pagebreak
# Appendix A: Handling of Classified Information
Information and information systems must be handled according to the following guidelines*:
a. Paper Documents
i. Internal Use
1. Only authorized persons may have access.
1. If sent outside the organization, the document must be sent as registered mail.
1. Documents may only be kept in rooms without public access.
1. Documents must be removed expeditiously from printers and fax machines.
i. Restricted
1. The document must be stored in a locked cabinet.
1. Documents may be transferred within and outside the organization only in a closed envelope.
1. If sent outside the organization, the document must be mailed with a return receipt service.
1. Documents must immediately be removed from printers and fax machines.
1. Only the document owner may copy the document.
1. Only the document owner may destroy the document.
i. Confidential
1. The document must be stored in a safe.
1. The document may be transferred within and outside the organization only by a trustworthy person in a closed and sealed envelope.
1. Faxing the document is not permitted.
1. The document may be printed only if the authorized person is standing next to the printer.
a. Electronic Documents
i. Internal Use
1. Only authorized persons may have access.
1. When documents are exchanged via unencrypted file sharing services such as FTP, they must be password protected.
1. Access to the information system where the document is stored must be protected by a strong password.
1. The screen on which the document is displayed must be automatically locked after 10 minutes of inactivity.
i. Restricted
1. Only persons with authorization for this document may access the part of the information system where this document is stored.
1. When documents are exchanged via file sharing services of any type, they must be encrypted.
1. Only the document owner may erase the document.
i. Confidential
1. The document must be stored in encrypted form.
1. The document may be stored only on servers which are controlled by the organization.
1. The document may only be shared via file sharing services that are encrypted such as HTTPS and SSH. Further, the document must be encrypted and protected with a string password when transferred.
a. Information Systems
i. Internal Use
1. Only authorized persons may have access.
1. Access to the information system must be protected by a strong password.
1. The screen must be automatically locked after 10 minutes of inactivity.
1. The information system may be only located in rooms with controlled physical access.
i. Restricted
1. Users must log out of the information system if they have temporarily or permanently left the workplace.
1. Data must be erased only with an algorithm that ensures secure deletion.
i. Confidential
1. Access to the information system must be controlled through multi-factor authentication (MFA).
1. The information system may only be installed on servers controlled by the organization.
1. The information system may only be located in rooms with controlled physical access and identity control of people accessing the room.
a. Electronic Mail
i. Internal Use
1. Only authorized persons may have access.
1. The sender must carefully check the recipient.
1. All rules stated under “information systems” apply.
i. Restricted
1. Email must be encrypted if sent outside the organization.
i. Confidential
1. Email must be encrypted.
a. Electronic Storage Media
i. Internal Use
1. Only authorized persons may have access.
1. Media or files must be password protected.
1. If sent outside the organization, the medium must be sent as registered mail.
1. The medium may only be kept in rooms with controlled physical access.
i. Restricted
1. Media and files must be encrypted.
1. Media must be stored in a locked cabinet.
1. If sent outside the organization, the medium must be mailed with a return receipt service.
1. Only the medium owner may erase or destroy the medium.
i. Confidential
1. Media must be stored in a safe.
1. Media may be transferred within and outside the organization only by a trustworthy person and in a closed and sealed envelope.
a. Information Transmitted Orally
i. Internal Use
1. Only authorized persons may have access to information.
1. Unauthorized persons must not be present in the room when the information is communicated.
i. Restricted
1. The room must be sound-proof.
1. The conversation must not be recorded.
i. Confidential
1. Conversation conducted through electronic means must be encrypted.
1. No transcript of the conversation may be kept.
In this document, controls are implemented cumulatively, meaning that controls for any confidentiality level imply the implementation of controls defined for lower confidentiality levels - if stricted controls are prescribed for a higher confidentiality level, then only such controls are implemented.
# Coming Soon

73
themes/comply-soc2/policies/encryption.md
View File

@ -7,5 +7,76 @@ majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Purpose and Scope
a. This policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, authenticity and nonrepudiation of information.
a. This policy applies to all systems, equipment, facilities and information within the scope of the organizations information security program.
a. All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on behalf of the organization having to do with cryptographic systems, algorithms, or keying material are subject to this policy and must comply with it.
# Background
a. This policy defines the high level objectives and implementation instructions for the organizations use of cryptographic algorithms and keys. It is vital that the organization adopt a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security, while also promoting interoperability. This document defines the specific algorithms approved for use, requirements for key management and protection, and requirements for using cryptography in cloud environments.
# Policy
a. The organization must protect individual systems or information by means of cryptographic controls as defined in Table 3:
\pagebreak
+---------------------+-------------------+----------------+--------------+
| **Name of System/** | **Cryptographic** | **Encryption** | **Key Size** |
| **Type of** | **Tool** | **Algorithm** | |
| **Information** | | | |
+=====================+===================+================+==============+
| Public Key | OpenSSL | AES-256 | 256-bit key |
| Infrastructure for | | | |
| Authentication | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Data Encryption | OpenSSL | AES-256 | 256-bit key |
| Keys | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Virtual Private | OpenSSL and | AES-256 | 256-bit key |
| Network (VPN) | OpenVPN | | |
| keys | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Website SSL | OpenSSL, CERT | AES-256 | 256-bit key |
| Certificate | | | |
+---------------------+-------------------+----------------+--------------+
Table 3: Cryptographic Controls
 
b. Except where otherwise stated, keys must be managed by their owners.
c. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
d. When required, customers of the organizations cloud-based software or platform offering must be able to obtain information regarding:
i. The cryptographic tools used to protect their information.
i. Any capabilities that are available to allow cloud service customers to apply their own cryptographic solutions.
i. The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers data.
a. The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by the Company conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.
a. All key management must be performed using software that automatically manages access control, secure storage, backup and rotation of keys. Specifically:
i. The key management service must provide key access to specifically-designated users, with the ability to encrypt/decrypt information and generate data encryption keys.
i. The key management service must provide key administration access to specifically-designated users, with the ability to create, schedule delete, enable/disable rotation, and set usage policies for keys.
i. The key management service must store and backup keys for the entirety of their operational lifetime.
i. The key management service must rotate keys at least once every 12 months.
# Coming Soon