Github/comply
1
0
Fork 0
mirror of https://github.com/strongdm/comply synced 2025-12-14 18:24:05 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: Github:v1.1.21
Branches Tags
Github:master Github:v2-update Github:feature/windows Github:feautre/windows
Github:v1.6.0 Github:v1.5.2 Github:v1.5.1 Github:v1.5.0 Github:v1.5.0-dev Github:v1.4.5 Github:v1.4.3 Github:v1.4.2 Github:v1.4.1 Github:v1.4.0 Github:v1.3.7 Github:v1.3.6 Github:v1.3.5 Github:v1.3.4 Github:v1.3.3 Github:v1.3.2 Github:v1.3.1 Github:v1.3.0 Github:v1.2.6 Github:v1.2.5 Github:v1.2.4 Github:v1.2.3 Github:v1.2.2 Github:v1.2.1 Github:v1.2.0 Github:v1.1.27 Github:v1.1.26 Github:v1.1.25 Github:v1.1.24 Github:v1.1.23 Github:v1.1.22 Github:v1.1.21 Github:v1.1.20 Github:v1.1.19 Github:v1.1.18 Github:v1.1.17 Github:v1.1.16 Github:v1.1.15 Github:v1.1.14 Github:v1.1.13 Github:v1.1.12 Github:v1.1.11 Github:v1.1.10 Github:v1.1.9 Github:v1.1.8 Github:v1.1.7 Github:v1.1.6 Github:v1.1.5 Github:v1.1.4 Github:v1.1.3 Github:v1.1.2 Github:v1.1.1 Github:v1.1.0 Github:v1.0.14 Github:v1.0.13 Github:v1.0.12 Github:v1.0.11 Github:v1.0.10 Github:v1.0.9 Github:v1.0.8 Github:v1.0.7 Github:v1.0.6-1-g90a5079 Github:v1.0.6 Github:v0.0.3-1-g1c90341-3-gd1fdd37 Github:v0.0.3-1-g1c90341 Github:v0.0.5 Github:v0.0.3 Github:v0.0.3-dev Github:v0.0.4 Github:v0.0.1 Github:v0.0.2
...
compare: Github:v1.1.25
Branches Tags
Github:master Github:v2-update Github:feature/windows Github:feautre/windows
Github:v1.6.0 Github:v1.5.2 Github:v1.5.1 Github:v1.5.0 Github:v1.5.0-dev Github:v1.4.5 Github:v1.4.3 Github:v1.4.2 Github:v1.4.1 Github:v1.4.0 Github:v1.3.7 Github:v1.3.6 Github:v1.3.5 Github:v1.3.4 Github:v1.3.3 Github:v1.3.2 Github:v1.3.1 Github:v1.3.0 Github:v1.2.6 Github:v1.2.5 Github:v1.2.4 Github:v1.2.3 Github:v1.2.2 Github:v1.2.1 Github:v1.2.0 Github:v1.1.27 Github:v1.1.26 Github:v1.1.25 Github:v1.1.24 Github:v1.1.23 Github:v1.1.22 Github:v1.1.21 Github:v1.1.20 Github:v1.1.19 Github:v1.1.18 Github:v1.1.17 Github:v1.1.16 Github:v1.1.15 Github:v1.1.14 Github:v1.1.13 Github:v1.1.12 Github:v1.1.11 Github:v1.1.10 Github:v1.1.9 Github:v1.1.8 Github:v1.1.7 Github:v1.1.6 Github:v1.1.5 Github:v1.1.4 Github:v1.1.3 Github:v1.1.2 Github:v1.1.1 Github:v1.1.0 Github:v1.0.14 Github:v1.0.13 Github:v1.0.12 Github:v1.0.11 Github:v1.0.10 Github:v1.0.9 Github:v1.0.8 Github:v1.0.7 Github:v1.0.6-1-g90a5079 Github:v1.0.6 Github:v0.0.3-1-g1c90341-3-gd1fdd37 Github:v0.0.3-1-g1c90341 Github:v0.0.5 Github:v0.0.3 Github:v0.0.3-dev Github:v0.0.4 Github:v0.0.1 Github:v0.0.2

28 Commits
v1.1.21 ... v1.1.25

Author SHA1 Message Date
Justin McCarthy
bef531973f increment patch for release (via Makefile) 2018-05-18 16:48:36 -07:00
Justin McCarthy
a025ea5e39 automated asset refresh (via Makefile) 2018-05-18 16:48:28 -07:00
Justin McCarthy
cee7553319 invoke update in tap dir 2018-05-18 16:48:25 -07:00
Justin McCarthy
4c55c371af increment patch for release (via Makefile) 2018-05-18 16:44:29 -07:00
Justin McCarthy
af4fb6e0d2 automated asset refresh (via Makefile) 2018-05-18 16:44:21 -07:00
Justin McCarthy
0e1eed80c9 capture sha 2018-05-18 16:44:16 -07:00
Justin McCarthy
deeb8c1695 capture sha 2018-05-18 16:44:16 -07:00
Manisha Singh
2a4486315e Merge branch 'master' of github.com:strongdm/comply 2018-05-18 16:41:22 -07:00
Manisha Singh
df159a5f0d Initial commit of Risk 2018-05-18 16:41:18 -07:00
Justin McCarthy
f8a742556d increment patch for release (via Makefile) 2018-05-18 16:31:38 -07:00
Justin McCarthy
eb00183724 automated asset refresh (via Makefile) 2018-05-18 16:31:30 -07:00
Manisha Singh
5acf683e04 Initial commit of Availability 2018-05-18 16:09:48 -07:00
Manisha Singh
491bd00b20 Updated Table 3 2018-05-18 16:02:38 -07:00
Manisha Singh
a642c812e3 Initial commit of Encryption 2018-05-18 15:42:35 -07:00
Manisha Singh
69d036b00b Merge branch 'master' of github.com:strongdm/comply 2018-05-18 14:48:11 -07:00
Manisha Singh
736dfc539c Initial commit of Data Classification 2018-05-18 14:48:08 -07:00
Justin McCarthy
f5b28a1bac introduce procedure command 2018-05-18 14:42:55 -07:00
Justin McCarthy
80c8978034 increment patch for release (via Makefile) 2018-05-18 12:35:15 -07:00
Justin McCarthy
592852ad38 automated asset refresh (via Makefile) 2018-05-18 12:35:06 -07:00
Manisha Singh
179477b4ef Merge branch 'master' of github.com:strongdm/comply 2018-05-18 12:33:51 -07:00
Manisha Singh
46fd0e6987 Initial commit of Vendor 2018-05-18 12:33:48 -07:00
Justin McCarthy
9a357f7bd6 workstation procedure example 2018-05-18 12:33:08 -07:00
Justin McCarthy
378a27542f Merge branch 'master' of github.com:strongdm/comply 2018-05-18 12:21:00 -07:00
Justin McCarthy
1b010e0d04 Procedure examples 2018-05-18 12:20:53 -07:00
Manisha Singh
1eebcaeee1 Initial commit of Development 2018-05-18 12:11:48 -07:00
Manisha Singh
6973675228 Initial commit of Removable Media 2018-05-18 11:56:09 -07:00
Manisha Singh
5e82aa0cfe Merge branch 'master' of github.com:strongdm/comply 2018-05-18 11:47:03 -07:00
Manisha Singh
ed8d8a9404 Initial commit of Remote Access 2018-05-18 11:46:58 -07:00
28 changed files with 2124 additions and 99 deletions
Expand all files Collapse all files

8
Makefile
View File

@@ -78,6 +78,9 @@ release-env:
ifndef GH_LOGIN
$(error GH_LOGIN must be set to a valid GitHub token)
endif
ifndef COMPLY_TAPDIR
$(error COMPLY_TAPDIR must be set to the path of the comply homebrew tap repo)
endif
release: release-env dist release-deps
$(eval VERSION := $(shell git describe --tags --always --dirty="-dev"))
@@ -105,8 +108,9 @@ release: release-env dist release-deps
--file dist/comply-$(VERSION)-linux-amd64.tgz
@echo "Update homebrew formula with the following: "
@echo "version $(VERSION)"
@curl -L https://github.com/strongdm/comply/archive/$(VERSION).tar.gz |shasum -a 256
$(eval SHA := $(shell curl -s -L https://github.com/strongdm/comply/archive/$(VERSION).tar.gz |shasum -a 256|cut -d" " -f1))
@echo "version $(VERSION) sha $(SHA)"
cd $$COMPLY_TAPDIR && ./update.sh $(VERSION) $(SHA)
patch-release: release-env push-assets patch release
$(eval VERSION := $(shell git describe --tags --always --dirty="-dev"))

15
README.md
View File

@@ -58,12 +58,13 @@ USAGE:
comply [global options] command [command options] [arguments...]
COMMANDS:
init initialize a new compliance repository (interactive)
build, b generate a static website summarizing the compliance program
scheduler create tickets based on procedure schedule
serve live updating version of the build command
sync sync ticket status to local cache
todo list declared vs satisfied compliance controls
help, h Shows a list of commands or help for one command
init initialize a new compliance repository (interactive)
build, b generate a static website summarizing the compliance program
procedure, proc create ticket by procedure ID
scheduler create tickets based on procedure schedule
serve live updating version of the build command
sync sync ticket status to local cache
todo list declared vs satisfied compliance controls
help, h Shows a list of commands or help for one command
```

2
VERSION
View File

@@ -1 +1 @@
1.1.21
1.1.25

90
example/policies/availability.md
View File

@@ -9,4 +9,92 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for proper controls to protect the availability of the organizations information systems.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
# Background
a. The intent of this policy is to minimize the amount of unexpected or unplanned downtime (also known as outages) of information systems under the organizations control. This policy prescribes specific measures for the organization that will increase system redundancy, introduce failover mechanisms, and implement monitoring such that outages are prevented as much as possible. Where they cannot be prevented, outages will be quickly detected and remediated.
a. Within this policy, an availability is defined as a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
# References
a. Risk Assessment Policy
# Policy
a. Information systems must be consistently available to conduct and support business operations.
a. Information systems must have a defined availability classification, with appropriate controls enabled and incorporated into development and production processes based on this classification.
a. System and network failures must be reported promptly to the organizations lead for Information Technology (IT) or designated IT operations manager.
a. Users must be notified of scheduled outages (e.g., system maintenance) that require periods of downtime. This notification must specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
a. Prior to production use, each new or significantly modified application must have a completed risk assessment that includes availability risks. Risk assessments must be completed in accordance with the Risk Assessment Policy (reference (a)).
a. Capacity management and load balancing techniques must be used, as deemed necessary, to help minimize the risk and impact of system failures.
a. Information systems must have an appropriate data backup plan that ensures:
i. All sensitive data can be restored within a reasonable time period.
i. Full backups of critical resources are performed on at least a weekly basis.
i. Incremental backups for critical resources are performed on at least a daily basis.
i. Backups and associated media are maintained for a minimum of thirty (30) days and retained for at least one (1) year, or in accordance with legal and regulatory requirements.
i. Backups are stored off-site with multiple points of redundancy and protected using encryption and key management.
i. Tests of backup data must be conducted once per quarter. Tests of configurations must be conducted twice per year.
a. Information systems must have an appropriate redundancy and failover plan that meets the following criteria:
i. Network infrastructure that supports critical resources must have system-level redundancy (including but not limited to a secondary power supply, backup disk-array, and secondary computing system). Critical core components (including but not limited to routers, switches, and other devices linked to Service Level Agreements (SLAs)) must have an actively maintained spare. SLAs must require parts replacement within twenty-four (24) hours.
i. Servers that support critical resources must have redundant power supplies and network interface cards. All servers must have an actively maintained spare. SLAs must require parts replacement within twenty-four (24) hours.
i. Servers classified as high availability must use disk mirroring.
a. Information systems must have an appropriate business continuity plan that meets the following criteria:
i. Recovery time and data loss limits are defined in Table 3.
i. Recovery time requirements and data loss limits must be adhered to with specific documentation in the plan.
i. Company and/or external critical resources, personnel, and necessary corrective actions must be specifically identified.
i. Specific responsibilities and tasks for responding to emergencies and resuming business operations must be included in the plan.
i. All applicable legal and regulatory requirements must be satisfied.
+-------------------+------------------+---------------+-------------------+------------------+
|**Availability** | **Availability** | **Scheduled** | **Recovery Time** | **Data Loss or** |
|**Classification** | **Requirements** | **Outage** | **Requirements** | **Impact Loss** |
+===================+==================+===============+===================+==================+
| High | High to | 30 minutes | 1 hour | Minimal |
| | Continuous | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| | | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| Medium | Standard | 2 hours | 4 hours | Some data loss |
| | Availability | | | is tolerated if |
| | | | | it results in |
| | | | | quicker |
| | | | | restoration |
+-------------------+------------------+---------------+-------------------+------------------+
| | | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| Low | Limited | 4 hours | Next | Some data loss |
| | Availability | | business day | is tolerated if |
| | | | | it results in |
| | | | | quicker |
| | | | | restoration |
+-------------------+------------------+---------------+-------------------+------------------+
Table 3: Recovery Time and Data Loss Limits

276
example/policies/classification.md
View File

@@ -7,5 +7,279 @@ majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Appendices
Appendix A: Handling of Classified Information
Appendix B: Form - Confidentiality Statement
# Purpose and Scope
a. This data classification policy defines the requirements to ensure that information within the organization is protected at an appropriate level.
a. This document applies to the entire scope of the organizations information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.
a. This policy applies to all individuals and systems that have access to information kept by the organization.
# Background
a. This policy defines the high level objectives and implementation instructions for the organizations data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within the organization. Confidentiality and non-disclosure agreements maintained by the organization must reference this policy.
# References
a. Risk Assessment Policy
a. Security Incident Management Policy
# Policy
a. If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
a. If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.
a. When classifying information, the level of confidentiality is determined by:
i. The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (reference (a)).
i. Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
i. Legal, regulatory and contractual obligations.
+-------------------+------------------+---------------------------+---------------------------+
|**Confidentiality**| **Label** | **Classification** | **Access** |
| **Level** | | **Criteria** | **Restrictions** |
+===================+==================+===========================+============================+
| Public | For Public | Making the information | Information is available |
| | Release | public will not harm | to the public. |
| | | the organization in | |
| | | any way. | |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Internal Use | Internal Use | Unauthorized access | Information is available |
| | | may cause minor damage | to all employees and |
| | | and/or inconvenience | authorized third parties. |
| | | to the organization. |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Restricted | Restricted | Unauthorized access to | Information is available |
| | | information may cause | to a specific group of |
| | | considerable damage to | employees and authhorized |
| | | the business and/or | third parties. |
| | | the organization's | |
| | | reputation. | |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Confidential |Confidential | Unauthorized access to | Information is available |
| | | information may cause | only to specific indivi- |
| | | catastrophic damage to | duals in the |
| | | business and/or the | organization. |
| | | organization's reputation.| |
+-------------------+------------------+---------------------------+---------------------------+
Table 3: Information Confidentiality Levels
 
d. Information must be classified based on confidentiality levels as defined in Table 3.
e. Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.
f. Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.
g. Information classified as “Internal Use” must be accompanied by a list of authorized persons only if individuals outside the organization will have access to the document.
h. Information and information system owners must review the confidentiality level of their information assets every five years and assess whether the confidentiality level should be changed. Wherever possible, confidentiality levels should be lowered.
a. For cloud-based software services provided to customers, system owners under the companys control must also review the confidentiality level of their information systems after service agreement changes or after a customers formal notification. Where allowed by service agreements, confidentiality levels should be lowered.
a. Information must be labeled according to the following:
i. Paper documents: the confidentiality level is indicated on the top and bottom of each document page; it is also indicated on the front of the cover or envelope carrying such a document as well as on the filing folder in which the document is stored. If a document is not labeled, its default classification is Internal Use.
i. Electronic documents: the confidentiality level is indicated on the top and bottom of each document page. If a document is not labeled, its default classification is Internal Use.
i. Information systems: the confidentiality level in applications and databases must be indicated on the system access screen, as well as on the screen when displaying such information.
i. Electronic mail: the confidentiality level is indicated in the first line of the email body. If it is not labeled, its default classification is “Internal Use”.
i. Electronic storage media (disks, memory cards, etc.): the confidentiality level must be indicated on the top surface of the media. If it is not labeled, its default classification is “Internal Use”.
i. Information transmitted orally: the confidentiality level should be mentioned before discussing information during face-to-face communication, by telephone, or any other means of oral communication.
a. All persons accessing classified information must follow the guidelines listed in Appendix A, “Handling of Classified Information.”
a. All persons accessing classified information must complete and submit a Confidentiality Statement to their immediate supervisor or company point-of-contact. A sample Confidentiality Statement is in Appendix B.
a. Incidents related to the improper handling of classified information must be reported in accordance with the Security Incident Management Policy (reference (b)).
\pagebreak
# Appendix A: Handling of Classified Information
Information and information systems must be handled according to the following guidelines*:
a. Paper Documents
i. Internal Use
1. Only authorized persons may have access.
1. If sent outside the organization, the document must be sent as registered mail.
1. Documents may only be kept in rooms without public access.
1. Documents must be removed expeditiously from printers and fax machines.
i. Restricted
1. The document must be stored in a locked cabinet.
1. Documents may be transferred within and outside the organization only in a closed envelope.
1. If sent outside the organization, the document must be mailed with a return receipt service.
1. Documents must immediately be removed from printers and fax machines.
1. Only the document owner may copy the document.
1. Only the document owner may destroy the document.
i. Confidential
1. The document must be stored in a safe.
1. The document may be transferred within and outside the organization only by a trustworthy person in a closed and sealed envelope.
1. Faxing the document is not permitted.
1. The document may be printed only if the authorized person is standing next to the printer.
a. Electronic Documents
i. Internal Use
1. Only authorized persons may have access.
1. When documents are exchanged via unencrypted file sharing services such as FTP, they must be password protected.
1. Access to the information system where the document is stored must be protected by a strong password.
1. The screen on which the document is displayed must be automatically locked after 10 minutes of inactivity.
i. Restricted
1. Only persons with authorization for this document may access the part of the information system where this document is stored.
1. When documents are exchanged via file sharing services of any type, they must be encrypted.
1. Only the document owner may erase the document.
i. Confidential
1. The document must be stored in encrypted form.
1. The document may be stored only on servers which are controlled by the organization.
1. The document may only be shared via file sharing services that are encrypted such as HTTPS and SSH. Further, the document must be encrypted and protected with a string password when transferred.
a. Information Systems
i. Internal Use
1. Only authorized persons may have access.
1. Access to the information system must be protected by a strong password.
1. The screen must be automatically locked after 10 minutes of inactivity.
1. The information system may be only located in rooms with controlled physical access.
i. Restricted
1. Users must log out of the information system if they have temporarily or permanently left the workplace.
1. Data must be erased only with an algorithm that ensures secure deletion.
i. Confidential
1. Access to the information system must be controlled through multi-factor authentication (MFA).
1. The information system may only be installed on servers controlled by the organization.
1. The information system may only be located in rooms with controlled physical access and identity control of people accessing the room.
a. Electronic Mail
i. Internal Use
1. Only authorized persons may have access.
1. The sender must carefully check the recipient.
1. All rules stated under “information systems” apply.
i. Restricted
1. Email must be encrypted if sent outside the organization.
i. Confidential
1. Email must be encrypted.
a. Electronic Storage Media
i. Internal Use
1. Only authorized persons may have access.
1. Media or files must be password protected.
1. If sent outside the organization, the medium must be sent as registered mail.
1. The medium may only be kept in rooms with controlled physical access.
i. Restricted
1. Media and files must be encrypted.
1. Media must be stored in a locked cabinet.
1. If sent outside the organization, the medium must be mailed with a return receipt service.
1. Only the medium owner may erase or destroy the medium.
i. Confidential
1. Media must be stored in a safe.
1. Media may be transferred within and outside the organization only by a trustworthy person and in a closed and sealed envelope.
a. Information Transmitted Orally
i. Internal Use
1. Only authorized persons may have access to information.
1. Unauthorized persons must not be present in the room when the information is communicated.
i. Restricted
1. The room must be sound-proof.
1. The conversation must not be recorded.
i. Confidential
1. Conversation conducted through electronic means must be encrypted.
1. No transcript of the conversation may be kept.
In this document, controls are implemented cumulatively, meaning that controls for any confidentiality level imply the implementation of controls defined for lower confidentiality levels - if stricted controls are prescribed for a higher confidentiality level, then only such controls are implemented.
# Coming Soon

186
example/policies/development.md
View File

@@ -8,4 +8,188 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for establishing and maintaining baseline protection standards for company software, network devices, servers, and desktops.
a. This policy applies to all users performing software development, system administration, and management of these activities within the organization. This typically includes employees and contractors, as well as any relevant external parties involved in these activities (hereinafter referred to as “users”). This policy must be made readily available to all users.
a. This policy also applies to enterprise-wide systems and applications developed by the organization or on behalf of the organization for production implementation.
# Background
a. The intent of this policy is to ensure a well-defined, secure and consistent process for managing the entire lifecycle of software and information systems, from initial requirements analysis until system decommission. The policy defines the procedure, roles, and responsibilities, for each stage of the software development lifecycle.
a. Within this policy, the software development lifecycle consists of requirements analysis, architecture and design, development, testing, deployment/implementation, operations/maintenance, and decommission. These processes may be followed in any form; in a waterfall model, it may be appropriate to follow the process linearly, while in an agile development model, the process can be repeated in an iterative fashion.
# References
a. Risk Assessment Policy
# Policy
a. The organizations Software Development Life Cycle (SDLC) includes the following phases:
i. Requirements Analysis
i. Architecture and Design
i. Testing
i. Deployment/Implementation
i. Operations/Maintenance
i. Decommission
a. During all phases of the SDLC where a system is not in production, the system must not have live data sets that contain information identifying actual people or corporate entities, actual financial data such as account numbers, security codes, routing information, or any other financially identifying data. Information that would be considered sensitive must never be used outside of production environments.
a. The following activities must be completed and/or considered during the requirements analysis phase:
i. Analyze business requirements.
i. Perform a risk assessment. More information on risk assessments is discussed in the Risk Assessment Policy (reference (a)).
i. Discuss aspects of security (e.g., confidentiality, integrity, availability) and how they might apply to this requirement.
i. Review regulatory requirements and the organizations policies, standards, procedures and guidelines.
i. Review future business goals.
i. Review current business and information technology operations.
i. Incorporate program management items, including:
1. Analysis of current system users/customers.
1. Understand customer-partner interface requirements (e.g., business-level, network).
1. Discuss project timeframe.
i. Develop and prioritize security solution requirements.
i. Assess cost and budget constraints for security solutions, including development and operations.
i. Approve security requirements and budget.
i. Make “buy vs. build” decisions for security services based on the information above.
a. The following must be completed/considered during the architecture and design phase:
i. Educate development teams on how to create a secure system.
i. Develop and/or refine infrastructure security architecture.
i. List technical and non-technical security controls.
i. Perform architecture walkthrough.
i. Create a system-level security design.
i. Create high-level non-technical and integrated technical security designs.
i. Perform a cost/benefit analysis for design components.
i. Document the detailed technical security design.
i. Perform a design review, which must include, at a minimum, technical reviews of application and infrastructure, as well as a review of high-level processes.
i. Describe detailed security processes and procedures, including: segregation of duties and segregation of development, testing and production environments.
i. Design initial end-user training and awareness programs.
i. Design a general security test plan.
i. Update the organizations policies, standards, and procedures, if appropriate.
i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
i. Design and establish separate development and test environments.
a. The following must be completed and/or considered during the development phase:
i. Set up a secure development environment (e.g., servers, storage).
i. Train infrastructure teams on installation and configuration of applicable software, if required.
i. Develop code for application-level security components.
i. Install, configure and integrate the test infrastructure.
i. Set up security-related vulnerability tracking processes.
i. Develop a detailed security test plan for current and future versions (i.e., regression testing).
i. Conduct unit testing and integration testing.
a. The following must be completed and/or considered during the testing phase:
i. Perform a code and configuration review through both static and dynamic analysis of code to identify vulnerabilities.
i. Test configuration procedures.
i. Perform system tests.
i. Conduct performance and load tests with security controls enabled.
i. Perform usability testing of application security controls.
i. Conduct independent vulnerability assessments of the system, including the infrastructure and application.
a. The following must be completed and/or considered during the deployment phase:
i. Conduct pilot deployment of the infrastructure, application and other relevant components.
i. Conduct transition between pilot and full-scale deployment.
i. Perform integrity checking on system files to ensure authenticity.
i. Deploy training and awareness programs to train administrative personnel and users in the systems security functions.
i. Require participation of at least two developers in order to conduct full-scale deployment to the production environment.
a. The following must be completed and/or considered during the operations/maintenance phase:
i. Several security tasks and activities must be routinely performed to operate and administer the system, including but not limited to:
1. Administering users and access.
1. Tuning performance.
1. Performing backups according to requirements defined in the System Availability Policy
1. Performing system maintenance (i.e., testing and applying security updates and patches).
1. Conducting training and awareness.
1. Conducting periodic system vulnerability assessments.
1. Conducting annual risk assessments.
i. Operational systems must:
1. Be reviewed to ensure that the security controls, both automated and manual, are functioning correctly and effectively.
1. Have logs that are periodically reviewed to evaluate the security of the system and validate audit controls.
1. Implement ongoing monitoring of systems and users to ensure detection of security violations and unauthorized changes.
1. Validate the effectiveness of the implemented security controls through security training as required by the Procedure For Executing Incident Response.
1. Have a software application and/or hardware patching process that is performed regularly in order to eliminate software bug and security problems being introduced into the organizations technology environment. Patches and updates must be applied within ninety (90) days of release to provide for adequate testing and propagation of software updates. Emergency, critical, break-fix, and zero-day vulnerability patch releases must be applied as quickly as possible.
a. The following must be completed and/or considered during the decommission phase:
i. Conduct unit testing and integration testing on the system after component removal.
i. Conduct operational transition for component removal/replacement.
i. Determine data retention requirements for application software and systems data.
i. Document the detailed technical security design.
i. Update the organizations policies, standards and procedures, if appropriate.
i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.

73
example/policies/encryption.md
View File

@@ -7,5 +7,76 @@ majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Purpose and Scope
a. This policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, authenticity and nonrepudiation of information.
a. This policy applies to all systems, equipment, facilities and information within the scope of the organizations information security program.
a. All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on behalf of the organization having to do with cryptographic systems, algorithms, or keying material are subject to this policy and must comply with it.
# Background
a. This policy defines the high level objectives and implementation instructions for the organizations use of cryptographic algorithms and keys. It is vital that the organization adopt a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security, while also promoting interoperability. This document defines the specific algorithms approved for use, requirements for key management and protection, and requirements for using cryptography in cloud environments.
# Policy
a. The organization must protect individual systems or information by means of cryptographic controls as defined in Table 3:
\pagebreak
+---------------------+-------------------+----------------+--------------+
| **Name of System/** | **Cryptographic** | **Encryption** | **Key Size** |
| **Type of** | **Tool** | **Algorithm** | |
| **Information** | | | |
+=====================+===================+================+==============+
| Public Key | OpenSSL | AES-256 | 256-bit key |
| Infrastructure for | | | |
| Authentication | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Data Encryption | OpenSSL | AES-256 | 256-bit key |
| Keys | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Virtual Private | OpenSSL and | AES-256 | 256-bit key |
| Network (VPN) | OpenVPN | | |
| keys | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Website SSL | OpenSSL, CERT | AES-256 | 256-bit key |
| Certificate | | | |
+---------------------+-------------------+----------------+--------------+
Table 3: Cryptographic Controls
 
b. Except where otherwise stated, keys must be managed by their owners.
c. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
d. When required, customers of the organizations cloud-based software or platform offering must be able to obtain information regarding:
i. The cryptographic tools used to protect their information.
i. Any capabilities that are available to allow cloud service customers to apply their own cryptographic solutions.
i. The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers data.
a. The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by the Company conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.
a. All key management must be performed using software that automatically manages access control, secure storage, backup and rotation of keys. Specifically:
i. The key management service must provide key access to specifically-designated users, with the ability to encrypt/decrypt information and generate data encryption keys.
i. The key management service must provide key administration access to specifically-designated users, with the ability to create, schedule delete, enable/disable rotation, and set usage policies for keys.
i. The key management service must store and backup keys for the entirety of their operational lifetime.
i. The key management service must rotate keys at least once every 12 months.
# Coming Soon

131
example/policies/media.md
View File

@@ -8,4 +8,133 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. This removable media, cloud storage and Bring Your Own Device (BYOD) policy defines the objectives, requirements and implementing instructions for storing data on removable media, in cloud environments, and on personally-owned devices, regardless of data classification level.
a. This policy applies to all information and data within the organizations information security program, as well as all removable media, cloud systems and personally-owned devices either owned or controlled by the organization.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
# Background
a. This policy defines the procedures for safely using removable media, cloud storage and personally-owned devices to limit data loss or exposure. Such forms of storage must be strictly controlled because of the sensitive data that can be stored on them. Because each of these storage types are inherently ephemeral or portable in nature, it is possible for the organization to lose the ability to oversee or control the information stored on them if strict security standards are not followed.
a. This document consists of three sections pertaining to removable media, cloud storage, and personally-owned devices. Each section contains requirements and implementing instructions for the registration, management, maintenance, and disposition of each type of storage.
a. Within this policy, the term sensitive information refers to information that is classified as RESTRICTED or CONFIDENTIAL in accordance with the Data Classification Policy (reference (a)).
# References
a. Data Classification Policy
a. Asset Inventory
a. Security Incident Response Policy
a. Encryption Policy
# Policy
a. *Removable Media*
i. All removable media in active use and containing data pertinent to the organization must be registered in the organizations Asset Inventory (reference (b)).
i. All removable media listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization.
1. To re-inventory an item, the owner of the removable media must check in the item with the organizations Information Security Manager (ISM).
1. The ISM must treat any removable media that cannot be located as lost, and a security incident report must be logged in accordance with the Security Incident Response Policy (reference (c)).
i. The owner of the removable media must conduct all appropriate maintenance on the item at intervals appropriate to the type of media, such as cleaning, formatting, labeling, etc.
i. The owner of the removable media, where practical, must ensure that an alternate or backup copy of the information located on the device exists.
i. Removable media must be stored in a safe place that has a reduced risk of fire or flooding damage.
i. If the storage item contains sensitive information, removable media must:
1. Be stored in a locked cabinet or drawer.
1. Store only encrypted data that is securely enciphered in accordance with the Encryption Policy (reference (d)).
i. All data on removable media devices must be erased, or the device must be destroyed, before it is reused or disposed of.
i. When removable media devices are disposed, the device owner must inform the ISM so that it can be removed from reference (b).
a. *Cloud Storage*
i. All cloud storage systems in active use and containing data pertinent to the organization must be registered in reference (b). Registration may be accomplished by manual or automated means.
i. All cloud storage systems listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization. To re-inventory an item, the owner of the removable media must check in the item with the organizations Information Security Manager (ISM). Re-inventory may be accomplished by manual or automated means.
i. The owner of the cloud storage system must conduct all appropriate maintenance on the system at regular intervals to include system configuration, access control, performance monitoring, etc.
i. Data on cloud storage systems must be replicated to at least one other physical location. Depending on the cloud storage provider, this replication may be automatically configured.
i. The organization must only use cloud storage providers that can demonstrate, either through security accreditation, demonstration, tour, or other means that their facilities are secured, both physically and electronically, using best practices.
i. If the cloud storage system contains sensitive information, that information must be encrypted in accordance with reference (d).
i. Data must be erased from from cloud storage systems using a technology and process that is approved by the ISM.
i. When use of a cloud storage system is discontinued, the system owner must inform the ISM so that it can be removed from reference (b).
a. *Personally-owned Devices*
i. Organizational data that is stored, transferred or processed on personally-owned devices remains under the organizations ownership, and the organization retains the right to control such data even though it is not the owner of the device.
i. The ISM is responsible for conducting overall management of personally-owned devices, to include:
1. Installation and maintenance of Mobile Device Management (MDM) software that can effectively manage, control and wipe data under the organizations control from personally-owned devices.
1. Maintain a list of job titles and/or persons authorized to use personally-owned devices for the organizations business, as well as the applications and databases that may be accessed from such devices.
1. Maintain a list of applications prohibited from use on personally-owned devices, and ensuring that device users are aware of these restrictions.
i. Personally-identifiable information (PII) may not be stored, processed or accessed at any time on a personally-owned device.
i. The following acceptable use requirements must be observed by users of personally-owned devices:
1. All organizational data must be backed up at regular intervals.
1. MDM and endpoint protection software must be installed on the device at all times.
1. Sensitive information stored on the device must be encrypted in accordance with reference (d).
1. The device must be secured using a password, pin, unlock pattern, fingerprint or equivalent security mechanism.
1. The device must only connect to secure and encrypted wireless networks.
1. When using the device outside of the organizations premises, it must not be left unattended, and if possible, physically secured.
1. When using the device in public areas, the owner must take measures to ensure that the data cannot be read or accessed by unauthorized persons.
1. Patches and updates must be installed regularly.
1. Classified information must be protected in accordance with reference (a).
1. The device owner must install the ISM before the device is disposed of, sold, or provided to a third party for servicing.
1. It is prohibited to:
a. Allow device access for anyone except its owner.
a. Store illegal materials on the device.
a. Install unlicensed software.
a. Locally-store passwords.
a. Transfer organizational data to other devices which have not been approved by the organization.
i. The organization must reserve the right to view, edit, and/or delete any organizational information that is stored, processed or transferred on the device.
i. The organization must reserve the right to perform full deletion of all of its data on the device if it considers that necessary for the protection of company-related data, without the consent of the device owner.
i. The organization will not pay the employees (the owners of BYOD) any fee for using the device for work purposes.
i. The organization will pay for any new software that needs to be installed for company use.
i. All security breaches related to personally-owned devices must be reported immediately to the ISM.

48
example/policies/remote.md
View File

@@ -10,4 +10,50 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for connecting to the organizations systems and networks from remote hosts, including personally-owned devices, in order to minimize data loss/exposure.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily accessible to all users.
# Background
a. The intent of this policy is to minimize the organizations exposure to damages which may result from the unauthorized remote use of resources, including but not limited to: the loss of sensitive, company confidential data and intellectual property; damage to the organizations public image; damage to the organizations internal systems; and fines and/or other financial liabilities incurred as a result of such losses.
a. Within this policy, the following definitions apply:
i. *Mobile computing equipment:* includes portable computers, mobile phones, smart phones, memory cards and other mobile equipment used for storage, processing and transfer of data.
i. *Remote host:* is defined as an information system, node or network that is not under direct control of the organization.
i. *Telework:* the act of using mobile computing equipment and remote hosts to perform work outside the organizations physical premises. Teleworking does not include the use of mobile phones.
# Policy
a. *Security Requirements for Remote Hosts and Mobile Computing Equipment*
i. Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organizations premises.
i. When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to the organizations systems or work with the organizations data.
i. Remote hosts must be updated and patched for the latest security updates on at least a monthly basis.
i. Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
i. Persons using mobile computing equipment off-premises are responsible for regular backups of organizational data that resides on the the device.
i. Access to the organizations systems must be done through an encrypted and authenticated VPN connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with VPN credentials from the organizations information technology team. VPN keys must be rotated at least twice per year. Revocation of VPN keys must be included in the Offboarding Policy.
i. Information stored on mobile computing equipment must be encrypted using hard drive full disk encryption.
a. *Security Requirements for Telework*
i. Employees must be specifically authorized for telework in writing from their hiring manager .
i. Only devices assigned owner is permitted to use remote nodes and mobile computing equipment. Unauthorized users (such as others living or working at the location where telework is performed) are not permitted to use such devices.
i. Devices must be authorized using certificates
i. Users performing telework are responsible for the appropriate configuration of the local network used for connecting to the Internet at their telework location.
i. Users performing telework must protect the organizations intellectual property rights, either for software or other materials that are present on remote nodes and mobile computing equipment.

128
example/policies/risk.md
View File

@@ -8,4 +8,130 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within the organization, and to define the acceptable level of risk as set by the organizations leadership.
a. Risk assessment and risk treatment are applied to the entire scope of the organizations information security program, and to all assets which are used within the organization or which could have an impact on information security within it.
a. This policy applies to all employees of the organization who take part in risk assessment and risk treatment.
# Background
a. A key element of the organizations information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes for the organization to identify information security risks. The process consists of four parts: identification of the organizations assets, as well as the threats and vulnerabilities that apply; assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized, identification of treatment for each unacceptable risk, and evaluation of the residual risk after treatment.
# References
a. Risk Assessment Report Template
# Policy
a. *Risk Assessment*
i. The risk assessment process includes the identification of threats and vulnerabilities having to do with company assets.
i. The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in the organization. Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.
i. The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities. A sample risk assessment table is provided as part of the Risk Assessment Report Template (reference (a)).
i. For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.
i. Once risk owners are identified, they must assess:
1. Consequences for each combination of threats and vulnerabilities for an individual asset if such a risk materializes.
1. Likelihood of occurrence of such a risk (i.e. the probability that a threat will exploit the vulnerability of the respective asset).
1. Criteria for determining consequence and likelihood are defined in Tables 3 and 4.
i. The risk level is calculated by adding the consequence score and the likelihood score.
+-----------------+-----------------+--------------------------------------------------------------+
| **Consequence** | **Consequence** | **Description** |
| **Level** | **Score** | |
+=================+=================+==============================================================+
| Low | 0 | Loss of confidentiality, integrity, or availability will not |
| | | affect the organization's cash flow, legal, or contractual |
| | | obligations, or reputation. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| Moderate | 1 | Loss of confidentiality, integrity, or availability may incur|
| | | financial cost and has low or moderate impact on the |
| | | organization's legal or contractual obligations and/or |
| | | reputation. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| High | 2 | Loss of confidentiality, integrity, or availability will have|
| | | immediate and or/considerable impact on the organization's |
| | | cash flow, operations, legal and contractual obligations,and/|
| | | or reputation. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
Table 3: Description of Consequence Levels and Criteria
+-----------------+-----------------+--------------------------------------------------------------+
| **Likelihood** | **Likelihood** | **Description** |
| **Level** | **Score** | |
+=================+=================+==============================================================+
| Low | 0 | Either existing security controls are strong and have so far |
| | | provided an adequate level of protection, or the probability |
| | | of the risk being realized is extremely low. No new incidents|
| | | are expected in the future. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| Moderate | 1 | Either existing security controls have most provided an |
| | | adequate level of protection or the probability of the risk |
| | | being realized is moderate. Some minor incidents may have |
| | | occured. New incidents are possible, but not highly likely. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| High | 2 | Either existing security controls are not in place or |
| | | ineffective; there is a high probability of the risk being |
| | | realized. Incidents have a high likelihood of occuring in the|
| | | future. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
Table 4: Description of Likelihood Levels and Criteria
 
b. *Risk Acceptance Criteria*
i. Risk values 0 through 2 are considered to be acceptable risks.
i. Risk values 3 and 4 are considered to be unacceptable risks. Unacceptable risks must be treated.
c. *Risk Treatment*
i. Risk treatment is implemented through the Risk Treatment Table. All risks from the Risk Assessment Table must be copied to the Risk Treatment Table for disposition, along with treatment options and residual risk. A sample Risk Treatment Table is provided in reference (a).
i. As part of this risk treatment process, the CEO and/or other company managers shall determine objectives for mitigating or treating risks. All unacceptable risks must be treated. For continuous improvement purposes, company managers may also opt to treat other risks for company assets, even if their risk score is deemed to be acceptable.
i. Treatment options for risks include the following options:
1. Selection or development of security control(s).
1. Transferring the risks to a third party; for example, by purchasing an insurance policy or signing a contract with suppliers or partners.
1. Avoiding the risk by discontinuing the business activity that causes such risk.
1. Accepting the risk; this option is permitted only if the selection of other risk treatment options would cost more than the potential impact of the risk being realized.
i. After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values after the planned controls are implemented.
a. *Regular Reviews of Risk Assessment and Risk Treatment*
i. The Risk Assessment Table and Risk Treatment Table must be updated when newly identified risks are identified. At a minimum, this update and review shall be conducted once per year. It is highly recommended that the Risk Assessment and Risk Treatment Table be updated when significant changes occur to the organization, technology, business objectives, or business environment.
a. *Reporting*
i. The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a Risk Assessment Report.

38
example/policies/vendor.md
View File

@@ -8,4 +8,40 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. This policy defines the rules for relationships with the organizations Information Technology (IT) vendors and partners.
a. This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of the organizations technology and sensitive information, or who are within the scope of the organizations information security program.
a. This policy applies to all employees and contractors that are responsible for the management and oversight of IT vendors and partners of the organization.
# Background
a. The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines requirements for effective management and oversight of such suppliers and partners from an information security perspective. The policy prescribes minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.
# References
a. Information Security Policy
a. Security Incident Response Policy
# Policy
a. IT vendors are prohibited from accessing the organizations information security assets until a contract containing security controls is agreed to and signed by the appropriate parties.
a. All IT vendors must comply with the security policies defined and derived from the Information Security Policy (reference (a)).
a. All security incidents by IT vendors or partners must be documented in accordance with the organizations Security Incident Response Policy (reference (b)) and immediately forwarded to the Information Security Manager (ISM).
a. The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT vendors. As terms are updated, and as new ones are entered into, the organization must implement any changes or controls needed to ensure it remains in compliance.
a. Before entering into a contract and gaining access to the parent organizations information systems, IT vendors must undergo a risk assessment.
i. Security risks related to IT vendors and partners must be identified during the risk assessment process.
i. The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, to include sub-suppliers.
a. IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. The organization strictly adheres to all applicable legal, regulatory and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally-Identifiable Information (PII).
a. The organization may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.

8
example/procedures/offboarding.md
View File

@@ -2,4 +2,10 @@ id: "offboard"
name: "Offboard User"
---
# Coming Soon
Resolve this ticket by executing the following steps:
- [ ] Immediately suspend user in SSO
- [ ] Append HR termination request e-mail to this ticket
- [ ] Look up manually-provisioned applications for this role or user
- [ ] Validate access revocation in each
- [ ] Append confirmation or revocation to this ticket

9
example/procedures/onboarding.md
View File

@@ -2,4 +2,11 @@ id: "onboard"
name: "Onboard New User"
---
# Coming Soon
Resolve this ticket by executing the following steps:
- [ ] Append HR add request e-mail to this ticket
- [ ] Proactively validate role assignment with manager (see HR request e-mail)
- [ ] Add user to default group for the specified role
- [ ] Provision any manually-provisioned applications by role
- [ ] Append manual provisioning confirmation to this ticket
- [ ] Proactively confirm with new user that they can access all provisioned systems

13
example/procedures/patch.md
View File

@@ -1,6 +1,15 @@
id: "patch"
name: "Apply OS patches"
cron: "0 0 1 * * *"
cron: "0 0 0 15 * *"
---
# Coming Soon
# OS Patch Procedure
Resolve this ticket by executing the following steps:
- [ ] Pull the latest scripts from the Ops repository
- [ ] Execute `ENV=staging patch-all.sh`
- [ ] Inspect output
- [ ] Errors? Investigate and resolve
- [ ] Execute `ENV=production patch-all.sh`
- [ ] Attach log output to this ticket

38
example/procedures/workstation.md
View File

@@ -1,6 +1,40 @@
id: "workstation"
name: "Collect Workstation Details"
cron: "0 0 * * * *"
cron: "0 0 0 15 4 *"
---
# Coming Soon
Resolve this ticket by executing the following steps:
- [ ] Send the communications below
- [ ] For any email replies, attach content to this ticket
- [ ] Validate responses are received from each
```
To: Desktop support
Subject: Annual workstation inventory
Please attach the current workstation inventory to the following ticket: [REPLACE WITH URL TO THIS TICKET]
The workstation inventory shall include the following fields:
* Serial number
* Custodian
* Full disk encryption status
* Malware protection status
```
```
To: Outsourced Call Center IT
Subject: Annual workstation inventory
As part of our ongoing compliance efforts and per our services agreement, we require a current inventory of workstations in use in the service of our account.
Please respond to this message with the current inventory.
The workstation inventory shall include the following fields:
* Serial number
* Custodian
* Full disk encryption status
* Malware protection status
```

122
internal/theme/themes_bindata.go
View File

@@ -137,7 +137,7 @@ func complyBlankReadmeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-blank/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-blank/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -157,7 +157,7 @@ func complyBlankTodoMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-blank/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-blank/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -277,7 +277,7 @@ func complyBlankTemplatesDefaultLatex() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-blank/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-blank/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -297,7 +297,7 @@ func complyBlankTemplatesIndexAce() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-blank/templates/index.ace", size: 7596, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-blank/templates/index.ace", size: 7596, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -317,7 +317,7 @@ func complySoc2ReadmeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -337,7 +337,7 @@ func complySoc2TodoMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -357,7 +357,7 @@ func complySoc2NarrativesReadmeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/narratives/README.md", size: 96, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/narratives/README.md", size: 96, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -377,7 +377,7 @@ func complySoc2NarrativesControlMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/narratives/control.md", size: 387, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/narratives/control.md", size: 387, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -397,7 +397,7 @@ func complySoc2NarrativesOrganizationalMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/narratives/organizational.md", size: 2378, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/narratives/organizational.md", size: 2378, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -417,7 +417,7 @@ func complySoc2NarrativesProductsMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/narratives/products.md", size: 232, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/narratives/products.md", size: 232, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -437,7 +437,7 @@ func complySoc2NarrativesSecurityMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/narratives/security.md", size: 327, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/narratives/security.md", size: 327, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -457,7 +457,7 @@ func complySoc2NarrativesSystemMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/narratives/system.md", size: 257, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/narratives/system.md", size: 257, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -477,7 +477,7 @@ func complySoc2PoliciesReadmeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/README.md", size: 71, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/README.md", size: 71, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -497,7 +497,7 @@ func complySoc2PoliciesAccessMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/access.md", size: 200, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/access.md", size: 200, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -517,12 +517,12 @@ func complySoc2PoliciesApplicationMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/application.md", size: 8377, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/application.md", size: 8377, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesAvailabilityMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x2c\x8b\xc1\xaa\xc2\x30\x10\x45\xf7\xf9\x8a\x0b\x6f\x9d\xf2\xe2\x4a\xb3\x2b\x59\xe9\xaa\x58\x7f\x60\x4c\xa3\x8c\x24\x33\xd0\xa4\x85\xfe\xbd\xb4\xb8\xba\x97\xc3\x39\x42\x25\x79\xf4\x2b\x71\xa6\x27\x67\x6e\x1b\x06\xcd\x1c\x37\x43\x71\x56\xd9\x8a\x47\x3f\x98\x4a\x8d\xeb\x8b\x53\xf5\x06\x78\x8c\x61\x1f\xc0\xa2\x77\x9d\xfb\xdd\x10\x2e\x9d\x33\x85\x3e\x3a\xdf\xd3\xca\x95\x55\x0e\xdb\x62\xa2\x96\x3c\x6e\x8b\xc0\xe1\xf4\xef\xce\x47\x10\xb5\x94\x24\xcd\xe3\x2a\xdc\x98\x32\x26\x8d\xcb\x4e\x8c\xb5\xd6\x98\x3f\x04\x2d\x2c\x6f\x8c\xaa\xf2\x0d\x00\x00\xff\xff\xcb\x6e\xaa\x43\xa4\x00\x00\x00")
var _complySoc2PoliciesAvailabilityMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x58\x41\x6f\x5b\xb9\x11\xbe\xeb\x57\x0c\xb0\x17\x2b\x6b\xab\x71\x92\x43\x6b\xa0\x07\xaf\x8b\xa2\x2e\xbc\xdb\x20\x76\xb1\xe7\x11\xdf\x48\x8f\x35\x1f\xf9\xc2\x21\xad\xbc\x20\x87\xfc\x8d\x02\xed\x9f\xcb\x2f\x29\x66\xc8\x27\x3d\x59\x72\x92\x5d\x6c\xb1\x7b\x58\x5d\x6c\x51\xe4\x70\xf8\xcd\x37\xdf\x0c\xe9\xb1\xa3\x0b\xb8\x7c\x40\xeb\x70\x69\x9d\x4d\x03\xbc\x0e\xce\x9a\x61\x86\x26\x06\x3f\x74\x17\x70\xf9\x7a\xc6\x98\x2c\xaf\x2c\xf1\xc5\x0c\xe0\xee\xf6\x4a\xfe\x00\x9c\xc1\xe5\xf9\xe2\xbc\xfe\x7b\x75\xf5\xa7\xc5\xf9\xac\xc3\x7f\x85\xf8\x86\x1e\x2c\xdb\xe0\x75\xf6\x19\x34\x98\xe8\x02\xfe\x9e\x3d\x9c\xc3\x8b\xe7\xe7\x7f\xd4\x05\x26\x74\x1d\xf9\x74\x01\xd7\xde\x26\x8b\x0e\x9a\x60\xb2\x8c\xcc\xce\xce\xce\x66\xb3\x6f\xe0\x75\x8e\x7d\x60\x02\xf4\x0d\xdc\x9a\xd0\xd3\x6c\x86\x0b\xb8\x6b\x09\xfa\xfa\x4b\x58\x41\x6a\x2d\x43\xaf\xfe\x82\x65\x48\x01\x1a\x5a\x59\x4f\x10\xe9\x6d\xb6\x91\xc4\x20\xc3\x2a\x44\xe8\x63\xe8\x29\x82\x09\x3e\xc5\xe0\x74\x6a\x1f\x43\x22\x93\x20\xb5\x04\x38\x05\x40\x0d\x13\x84\xb8\x46\x6f\xdf\x63\xb2\xc1\x7f\xfa\xf8\x6f\x06\xeb\x57\x21\x76\xfa\x1d\x78\xe0\x44\x1d\x2f\xaa\x57\x3b\x37\xb0\xef\x9d\x25\xdd\x00\x9d\x83\xcc\x14\x59\x2c\x1e\x59\x0c\x1b\x9b\x5a\xeb\x0f\x36\xab\x06\xd3\xd0\x5b\x83\xce\x0d\x60\xbd\x71\xb9\x21\x06\xea\x7a\x17\x06\x22\x56\x58\xf4\x30\x68\x52\x88\x7c\x0a\xc8\xb0\x21\xe7\xe4\x2f\xfa\x01\xe8\x5d\xa2\xe8\xd1\x41\x8f\x31\xa9\x3f\x2d\x26\x41\x9d\xc0\xfa\x14\x74\x2d\x9a\xa4\x2e\x6c\xfd\x11\xa3\x53\x3f\x2b\x5a\x8e\x1a\x58\x0e\x07\x6e\xc2\x49\x4b\x91\xac\xc7\x55\xa2\x08\x91\x56\x14\x23\x35\x7a\x70\x86\x4f\x1f\xff\xa3\x47\xff\xf4\xf1\xbf\xf3\x7d\x80\xba\xcc\x09\x96\x04\x1d\x36\x12\x27\x6c\xac\x1b\x46\xfc\x1d\xed\xe1\xb6\x10\x22\x7c\x87\xe6\x7e\x1d\x43\xf6\xcd\x96\x01\xd6\x27\xf2\xe9\x38\x01\x3a\xeb\x6d\x67\xdf\x53\x09\x6b\x17\x72\x99\x98\x3d\xbd\xeb\xc9\x24\x6a\x20\x44\xc8\xbe\x77\xe8\x3d\x35\xd0\x84\x8d\x4f\xb6\x23\x38\x41\xc7\x01\xee\x7d\xd8\x78\xf1\x3f\xe4\x84\x6b\xe2\xf9\x53\xa1\xcb\xbe\xa1\x78\x9c\x26\x15\xb5\xfd\x53\xf7\x91\xd8\x44\xbb\x24\x06\xee\xc9\xd8\x95\x35\xd0\x11\x72\x8e\x54\x08\x7a\x80\xae\x06\x6c\x63\x9d\x93\xf0\x47\x42\xa6\xba\x39\x44\x6a\xb2\x6f\xd0\x9b\xe1\x54\xa0\x88\xa1\xc9\x86\x60\x85\xd6\x85\x07\x8a\xd0\x91\x69\xd1\x5b\xee\x84\x15\x12\xd1\xae\x77\x9a\x09\xd0\x05\x6f\x53\x88\xd6\xaf\x81\xb3\x69\xcb\x16\xf5\xa4\x80\x91\xc4\xcb\x07\xf2\x02\x12\x32\x74\x32\x05\xe5\x04\xcc\x76\xe9\x68\x01\x3f\x4a\xc0\xc5\xd3\x01\x0c\x7a\x1f\x34\x8e\xdb\x35\xa7\x5b\x53\xea\xf5\x92\xe0\x6d\xb6\xe6\xde\x0d\xd0\x50\x2a\xd0\x8b\x3b\x92\x95\x8d\xc5\x44\x4d\x49\x9e\x1f\xc7\x24\xd8\x82\x25\x6e\xef\x67\xa4\xe5\x9a\xd8\xea\x18\x82\x69\x51\x88\x4f\xd1\x72\xb2\xe6\x71\x8c\x42\x3c\x1a\x32\xeb\x61\xd3\x5a\xd3\x96\xb3\x3f\x5a\x30\x4e\x32\xe8\xc5\x73\x34\x86\x98\x0b\xef\x31\xa7\x36\x44\xfb\x9e\x1a\x20\x9f\xac\x66\xd3\xa6\x25\x4f\x02\xb6\x27\x6a\xf4\x24\xdf\xc0\x1b\xc9\x00\xf2\x86\x58\xcf\xf5\xc6\xf2\x3d\x5c\x32\x13\xb3\x82\x5f\x65\x55\xa4\xad\xfe\x87\x0b\xb8\x3e\xe2\xe7\x98\x20\x26\x78\xb6\x2c\x4c\x7f\x9c\x20\x26\xf8\x26\x9b\xa4\x70\x72\xee\xfb\x10\x13\x2c\x33\x5b\x4f\xcc\x20\x3a\xa7\x06\xab\x38\x3d\xb9\x45\x8b\x0f\x04\xb8\x03\x76\x0a\xb8\x71\xc8\x2c\x24\xd5\x75\xa7\x45\x26\xb0\x17\x15\x8d\x12\xbb\x9d\x90\x92\x17\xaf\x9a\xaa\x1d\x26\xc4\x3e\x44\x09\x6e\x91\x99\x86\x1e\xc8\x85\x5e\x01\x90\x19\xbd\x92\x55\x7d\xe9\x63\x50\x8c\x19\x96\x28\x48\x87\xca\x81\xfd\xad\xcb\x19\x6e\x0b\xf1\xc5\x82\xa7\xb4\x09\xf1\x5e\xe9\xae\xc9\x33\xc2\x15\x49\x70\x20\xdd\xa3\xeb\x05\xb3\x14\x8e\x27\xa8\x23\x6c\x34\xe7\xa6\xd0\xdc\x91\x69\x7d\x70\x61\x3d\xc0\xc9\xf5\xdd\x5c\x38\xd1\x10\xdb\xb5\xd7\xc3\x5c\xdf\x4d\x70\x85\x0e\x3d\xae\x29\x16\xdf\xfe\xa9\x0a\x3f\x7a\xe1\x43\xb2\x2b\x2b\xc7\x59\x01\x9b\x96\x9a\x2c\xe0\x8c\x89\x71\x42\x8b\xf5\xe2\x74\xcc\xe3\x0e\x55\xc8\xd0\x1b\x9a\x97\x5c\xac\x65\x0b\x7a\x8a\x36\x34\x5a\x37\x46\x81\xaa\x72\x52\xec\x17\x6c\xca\xa6\x45\x4e\x8a\x3c\x4b\xa9\x55\x94\x54\xd2\x6a\x1d\x3b\xdc\xed\x14\xb6\x62\xd8\xe4\x58\x43\x2c\xcb\xd0\x27\x6b\x6c\xaf\x47\xae\xcb\x24\x37\x28\x3e\x58\x23\x08\x73\xee\xfa\x22\x4e\xe2\x91\x1e\xff\x75\xb4\xa2\x5e\x61\x1a\xda\xcc\xb2\x05\x9a\x16\x3c\x6d\xd4\x82\x5d\x7b\x75\x5b\xb9\xdc\x85\xa6\x60\xa4\xb5\x72\x7a\x96\x4a\x49\x13\x44\xb2\xc4\x89\x28\x49\x84\xbb\x24\x52\x94\xb6\xe5\x70\x8f\xb2\x32\x95\x6b\xda\xed\x56\x4c\xd3\x69\x34\x6a\xbd\xe4\x77\x88\x22\xa1\x54\xa8\x2d\x38\x1d\x4f\x58\x38\x89\x63\x5e\xc3\x09\xce\xe7\xe5\xd4\x57\xd8\xa3\x91\x5d\x0b\x15\xb6\xfc\x76\x01\x1b\x58\xa2\x43\x6f\x44\x65\x93\x90\xca\xbe\xcd\x13\x9a\x66\x16\xa5\x44\x11\x34\x11\x42\xf0\x24\x59\x80\x71\x38\x15\x10\x5b\x72\xfd\x7e\x09\x2b\x08\x14\x19\x97\x82\x2d\xbc\x2a\x91\x19\x33\xe0\xe9\x34\x9f\x82\xea\xf7\xd2\xb7\xc1\x84\xb0\x44\x73\x9f\x7b\x90\x52\x58\x80\x25\xaf\xf5\xe8\x62\xa6\x2d\x9a\x5d\xc0\xa5\x73\xc0\xe4\xd9\x26\xfb\x50\x17\x55\x81\x8c\xc4\x29\x48\xb9\xaf\x3d\x0c\x4a\x29\xe7\xe0\x8b\x44\x09\xfb\x0a\x87\x17\x5b\x5b\x7f\xcd\x52\x14\x74\x4b\x25\xb6\x89\x36\x49\x7f\x23\xa6\x42\x8e\x66\x2c\x41\x14\xe5\x20\x45\x10\x30\x49\xb2\x72\x02\x84\x0d\x91\x94\x92\x25\xb2\xe5\x9d\xd1\x6b\x29\x8d\x82\x3e\xee\x6c\x4b\x66\xff\x44\xe3\x0d\xda\x43\xdb\xdf\x55\x7b\x9a\x18\xcc\xc1\x68\xd1\x02\xad\x5e\x6a\x4d\x33\x0a\x55\x3c\x65\x4f\x2c\x81\xcb\x5d\x6d\x4c\x62\x1a\xe0\xe4\xe5\xf3\x39\x34\x38\x70\x2d\x7d\xd3\xe9\xe3\xf6\xc1\x13\x9c\x9c\xcf\x61\x20\x8c\xa7\xa5\x78\x1d\xf0\xd3\xd1\x1a\x5d\xb5\xb1\xce\x0e\x53\x88\xc3\x5e\x93\x7b\xc4\xed\x48\x50\x63\x14\x56\xab\x33\xb6\xa9\xda\xea\xb2\x4b\xb6\x77\x04\x7d\xb0\x92\x20\x61\x35\xe9\x28\x46\x95\xae\x05\x5b\x8a\xca\x1a\xc8\x9b\x38\x94\xc4\x97\x9f\xef\x69\xca\xfb\xdd\xce\x77\xc4\xc5\x5c\x25\x96\xf2\x65\x52\xcd\x44\x1e\x14\x7a\xa3\x91\x80\xb7\x19\x63\xa2\x38\x59\x68\x82\x5f\xd9\x75\xde\xea\xec\xc1\xda\xb4\xb1\x75\xb1\xa0\xf5\x73\x98\xff\xe8\xa8\xdb\xae\x69\x97\x05\x1d\x51\x62\xcd\xbd\x55\x70\x2e\x6c\x04\x01\xe1\x13\x45\x8b\xbb\xd4\xf8\xa1\xd6\x21\xeb\x57\x11\x39\xc5\x6c\x52\xd6\xe6\x08\xd3\x58\x93\xf9\x18\x0d\x77\x8e\x15\x5f\xcf\x9c\x94\xc8\xa9\x5b\x27\x45\xdf\x64\xdb\x65\x4e\xa2\xf8\xe0\x6c\x67\x53\xed\xad\x81\x49\xf0\xc0\x38\x40\x1f\x36\x14\x75\x37\x37\x9c\x6e\x51\xb7\x7c\x7f\x86\x31\xe2\x50\x34\x7d\x37\x5d\x14\x30\x27\xed\xfe\x74\xeb\xf9\x02\xae\x46\x07\x4d\x88\x45\x22\x83\x57\xd5\xfc\xbc\x13\x31\xe4\x44\x72\xeb\xe0\x8d\x4d\xa6\xa5\xda\x69\x86\xd4\x92\x94\x4d\xa9\x16\x0c\xce\xfa\xfb\x32\xfd\xb6\x16\x90\x1b\x3d\xea\xe5\x3a\x52\xbd\x99\x9d\xdc\xde\x5c\xf2\x7c\xfe\x28\x5a\x46\xd4\x46\xea\xc4\x2e\xbf\xb8\xc7\x48\x0b\x90\xe9\x65\xf2\xb6\x52\xa2\xe0\x1c\xa9\x77\x68\x8a\x0c\x8f\x97\xaa\x0d\xf9\x34\x9c\xad\x42\x8e\x70\xf2\xe2\xd5\x1c\xda\x90\xe3\x24\x4d\xc4\x27\x29\xdc\xd3\x80\x7d\x3e\x5e\x63\x88\xd2\x14\x77\x5b\xef\x62\x7e\x4b\x87\x44\x71\x85\x86\xc0\x60\x6c\x78\x94\xd0\xb2\xd7\xaf\x78\xcc\xb1\xab\x2a\x1d\x74\x6b\xd7\xed\x7e\xf5\xd4\xdd\x32\x93\xd2\x07\x3a\x1b\xa3\xde\x13\xbe\xaa\x85\xdc\x4f\xb0\x6d\x23\x2a\x2d\xa2\xf5\x59\xac\xff\xd4\xe4\x7a\x43\x46\x92\x72\x28\x95\x44\xf0\x55\x2d\x71\x81\xb9\xd0\xb0\xc8\xdb\xd8\xba\x5a\x0f\x77\x5a\x78\x5e\x2e\xe0\x09\x1b\x7b\x0f\x02\x47\x0d\x8e\x62\x83\x8d\xdc\x72\x94\xb7\xe5\x72\x3c\x5e\xd7\xc6\x17\x8a\x82\x43\xbd\xb7\xcb\xc9\x76\x68\x5f\x85\xae\x97\xdb\x37\xfa\xe6\x0f\x21\xee\x2e\xe1\x87\xbc\x3a\x15\x11\xe3\xe0\x3d\xb9\xd3\x4a\xa0\xda\x07\x48\x2a\x46\x52\x72\x28\x47\xa6\x42\x38\xfa\x52\x5e\x05\x1a\xb9\x8e\x48\x48\x27\xe1\x1e\x9d\x8d\xc4\xbd\xdc\x1f\x34\xbc\x23\x49\x13\xf2\x7d\xa9\x8f\xe5\x67\x4d\xef\x14\x80\x3a\x8a\x6b\xf2\x66\x9c\xa7\x8d\x5e\x49\xfd\x83\x4b\xc5\xd6\x97\xda\x85\x35\xc7\x91\x10\xda\xd7\xf6\x4e\x02\xf3\xc5\xfa\xb5\x3b\x62\x7d\x6a\x92\x43\x7d\x7b\x76\xf8\x39\x32\xf6\x78\xe8\x6b\x97\xcd\x3e\x3c\x7b\x36\x7d\xf9\x7a\xf6\x0c\x00\x3e\xc0\xc1\xa0\x0c\xdd\x8e\xbd\x7c\xfd\xbe\x65\xd7\x9d\xed\xa8\x8e\xfd\x45\x28\x75\x23\x94\x0a\x51\x86\xc4\xfe\xd5\xde\x6d\x66\xbb\x78\x77\xf0\x3a\xf4\x0f\xbd\x21\xa8\x07\xc7\xa6\xe8\xd8\x75\xe9\x00\x65\x07\x1d\x9a\x7d\xfb\xe7\xc3\xcf\x91\xb1\xc7\x43\x5f\xbb\x6c\xf6\x01\xfe\x26\x42\xb1\xf7\xa9\x63\x29\x4c\x87\x5e\x3e\x97\xde\x27\x27\xe2\xf2\xfd\x5c\x65\x68\x7f\xd9\xf7\xd2\x1c\xa1\x9b\x0c\xcd\x3e\xc0\xe1\xe7\x03\x5c\x15\xdd\x08\x99\xb7\x43\x8f\xa7\x1c\x5b\x76\x38\xf4\xff\xe7\xcf\x57\x3a\xf2\xdb\xf5\xff\x7b\x6a\x6c\xee\xf6\x1d\xb9\x4d\x28\xfd\x42\x33\x19\x7a\x51\xca\xca\xf6\xfb\xab\xbd\xef\x75\x59\xe8\x68\xa2\xaa\x4f\xc7\x77\xef\xb1\xf9\xeb\xf1\xd1\xe7\x3d\x47\xf5\x71\x61\xf5\xb4\xfd\x2f\x0e\x3d\x61\x3f\xa9\xee\xb9\xa4\x2f\x45\x9f\xf1\xff\x67\xda\xd7\xc7\x30\x9a\x24\xc5\x2f\x6c\xbf\xdc\xc8\x4a\x71\xaa\xf6\x7f\xe7\xff\x97\xfc\xbf\x09\x9b\x03\x47\x6e\x6a\x9f\x3b\x19\x7a\xf5\x88\xff\x3f\xd0\xbb\xf4\x78\xd9\x2f\xc9\xff\x6d\xdd\x6d\x70\x18\xc7\x7e\xe7\xff\xe7\xed\xff\x0a\xfc\x9f\xd5\xae\xf3\x02\xf6\xda\x01\xed\x73\x76\xcd\xc0\x4d\xe9\x2f\x67\xff\x0b\x00\x00\xff\xff\x9b\xb5\x75\x45\x6b\x1b\x00\x00")
func complySoc2PoliciesAvailabilityMdBytes() ([]byte, error) {
return bindataRead(
@@ -537,7 +537,7 @@ func complySoc2PoliciesAvailabilityMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/availability.md", size: 164, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/availability.md", size: 7019, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -557,12 +557,12 @@ func complySoc2PoliciesChangeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/change.md", size: 2793, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/change.md", size: 2793, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesClassificationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8b\x31\xaa\xc3\x30\x10\x05\xfb\x3d\xc5\x83\x5f\xeb\x13\xa7\x8a\xd5\xca\x4d\x52\x99\x38\x17\x58\x64\x39\x6c\x90\x76\xc1\x92\x03\xbe\x7d\xb0\xab\x81\x61\x46\xb9\x24\x8f\x81\x1b\x23\x64\xae\x55\x16\x89\xdc\xc4\x14\xa3\x65\x89\x3b\x71\x5c\x4d\xf7\xe2\x31\x84\x91\x2a\x37\xa9\x8b\xa4\xea\x09\x78\x4d\xe1\x00\xe0\x10\x42\xff\xdf\x53\xe1\x8f\xad\xcf\xf4\x95\x2a\xa6\x67\xe2\x30\x73\x4b\x1e\x8f\x4d\xd1\xe1\x7a\xe9\x6e\xe7\x10\xad\x94\xa4\xcd\xe3\xae\xd2\x84\x33\x66\x8b\xdb\x61\xc8\x39\x47\xf4\x87\x60\x45\xf4\x8d\xc9\x4c\x7f\x01\x00\x00\xff\xff\x86\x01\x62\xfa\xa1\x00\x00\x00")
var _complySoc2PoliciesClassificationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x5b\xcb\x8e\x1b\x37\x97\xde\x17\xfe\x87\x38\x40\x80\x19\xbb\xa3\xd6\xc4\x33\x9b\x49\x07\x59\x74\x9c\x18\xe9\x41\x3c\x31\xdc\x1d\xcc\x66\x36\x14\xeb\x94\x8a\x69\x16\x59\x21\x59\x92\x2b\xe8\x85\x5f\x63\x80\xe4\xe5\xfc\x24\x83\x73\xc8\xba\x49\x25\xb5\xd4\xb6\xff\x6c\xd2\x1b\xc3\xc5\xdb\xb9\x7c\xe7\x4a\xca\x88\x0a\xaf\xe0\x7b\x11\x04\xbc\xd4\xc2\x7b\x55\x28\x29\x82\xb2\x06\xde\x58\xad\x64\x9b\x09\xe9\xac\x69\xab\x2b\xf8\xfe\xe5\x9b\xcc\x8b\xa0\x7c\xa1\xd0\x5f\x65\x00\x77\xb7\x2f\xe9\x1f\x80\x4b\x78\xf9\xf2\xeb\xe5\xd7\x59\x25\x7e\xb5\xee\x2d\x6e\x94\x57\xd6\xf0\x94\x4b\xc8\x45\xc0\x2b\xf8\xaf\xc6\xc0\x0b\xf8\xf7\xaf\x5e\xfc\x27\x2f\x90\xb6\xaa\xd0\x84\x2b\xb8\x31\x2a\x28\xa1\x21\xb7\xb2\xa1\x2f\xd9\xe5\xe5\x65\xf6\x05\x5c\xd7\x35\x9a\x5c\x49\xf4\x90\x65\xe9\x3f\xef\xe0\xfa\x0a\x7e\x14\x26\xd7\xca\xac\xc1\x16\x3d\xb9\x98\xc3\x8d\x29\xac\xab\x98\xec\xd1\xfc\xef\xae\xe0\x95\x75\x15\x91\x67\x4d\xa1\x72\x34\x74\x96\x0a\x2d\xdc\x06\x11\x90\xcf\xcb\xbe\x80\x37\x8d\xab\xad\x47\x10\x26\x87\x5b\x69\x6b\xcc\x32\xb1\x84\xbb\x52\x79\x22\x5e\x80\x9c\x8a\xa5\x66\xb1\x40\x8e\x85\x32\xe8\x21\x94\x08\x0e\x7f\x6b\x94\xe3\x0d\x3d\x04\x0b\x68\x7c\xe3\x10\x42\x29\x02\xa8\x81\x34\xd8\xaa\x50\x2a\xc3\x4b\xac\x5b\x0b\xa3\x7e\x8f\xdf\x95\x87\xda\xd9\x80\x32\x60\x0e\x22\x80\x30\x20\xea\xda\xd9\xda\x29\x11\x10\x34\x6e\x50\x2f\x47\x54\x25\x61\xd1\x24\xad\x90\x8f\xa4\x3d\x89\x3f\x87\xe0\x89\x07\x12\xd0\xee\x39\x1f\xde\xff\x9f\x9f\xd0\xe3\x51\x36\x8e\xe4\x51\x3b\xbb\x76\xa2\x5a\xc2\x0d\x11\x2c\x75\x93\xa3\x07\xa1\x35\x84\xb6\x46\x4f\x7b\x8d\x96\x2d\xc0\xe1\x5a\xb8\x5c\xa3\x8f\x43\xc1\x03\x0d\x2e\xc0\x37\xb2\x04\xe1\xa1\x16\x35\x3a\xb0\x0e\x50\xa3\x0c\xce\x1a\x25\x7b\xa2\xfd\x22\x92\x1d\xa5\xe9\x59\xea\x24\xe6\x95\xf0\x48\x63\x26\x87\x7b\x63\xb7\x1a\xf3\x35\x51\x3f\xa1\x37\x0a\xd4\x83\xb1\x01\xb6\x4e\x85\x80\x66\x24\x96\xa4\x98\x91\x50\x88\x03\x65\x72\xb5\x51\x79\x23\x74\x3c\xcb\xb7\x3e\x60\xe5\xe3\x5e\xa5\xd8\x20\x08\x29\x89\x93\x60\x27\x67\xdd\x63\x1d\x60\xd5\xee\x09\x71\x49\x90\xf9\x4e\xc8\xfb\xb5\xb3\x8d\xc9\xf7\x8e\x1f\xe3\xa2\x54\xeb\x32\x6a\x0f\xec\xea\x57\x94\x41\x6d\x30\x52\xa1\xaa\x5a\x33\x5e\x12\x00\x8c\x0f\xae\x91\x51\x22\x85\x75\xf3\xaa\x9b\x43\xa3\x97\x25\x56\x98\x48\xe8\x55\x37\x37\x93\xe9\x20\x09\x7b\xd8\xa2\xd6\xac\x27\x67\x25\xe6\x8d\xc3\xe1\xd0\xe9\xa2\x05\x68\xb1\x42\x36\x38\xa2\xba\x1c\x59\x1f\x1f\x71\x00\xd0\xcb\x3d\x83\xa3\xd5\xc6\x9a\xcb\x5c\x79\xa9\x2d\x5b\x87\x58\x3b\x4c\x26\x53\x09\x65\x82\x50\x06\xf3\x39\x89\x43\xd5\xf8\x00\x0e\x0b\x74\x68\x24\x99\x55\x2f\x6d\x56\xc6\xdb\x6e\xc4\xb3\x32\xde\x2a\x7f\x0f\xd7\xde\xa3\xf7\x6c\x24\xc9\x8d\xd1\xd0\x6d\x87\xf7\x1b\x23\x99\x3a\x78\x2d\x8c\x58\xe3\x64\xde\x17\xe3\x15\x37\x45\x2f\x11\xcc\x27\xf8\x50\x1e\x1c\x4a\x54\x1b\xcc\xa1\x70\xb6\x02\xdb\x04\xaf\x72\xdc\x23\x7f\xc1\x5f\x6a\x74\x9e\x3c\x40\x69\xbb\x65\x11\x22\xe3\x2d\x99\xcf\x74\x5c\x0b\x8a\x4c\x91\xc0\x69\x5d\x2e\x88\x6f\x12\x76\x74\x37\x8d\x46\x52\x1e\x7a\xe9\xd4\x8a\xe9\x9a\x08\x05\xee\x86\x03\x43\x89\x0e\x57\x2d\x6c\x95\xd6\xb0\x42\x69\xab\x44\xe1\xd6\x90\x89\x16\xbb\x44\x2c\x3f\x15\xdb\x03\x60\xc8\xa7\x91\x4f\x70\x81\xce\x5b\x35\x9e\xec\xc3\x83\xad\xd1\x75\x3e\x80\x2c\x43\x05\xb2\xda\x67\xb8\x5c\x2f\x17\x20\x1b\x1f\x6c\x85\x2e\xc2\x8c\xbc\xae\xb3\x1b\x95\x63\x0e\x52\xdb\x26\x07\x8f\x6e\x43\xe1\xe1\xf9\x62\x4f\x8a\xbb\x08\x1e\xe1\x7d\xc2\x38\x3b\xab\x89\x5b\x63\xf9\xaf\x10\x2a\x91\xe3\x21\xd9\xfb\x1a\x65\xbf\xb9\xef\x04\xe8\x90\xbe\x93\x79\x0f\x94\x27\x12\x07\x9c\xb3\x44\x2c\x29\x04\x34\xae\x85\x9e\x84\x8d\x28\xf7\xff\x29\xb1\x67\xa0\x25\x43\x9b\xd0\x47\x27\x25\x6f\x52\x80\xdc\xb1\x30\x8a\x0b\x18\xd0\x55\xc9\x8c\xae\x32\x8e\xb4\x2a\xa2\x61\x23\x74\x83\x33\xea\x5e\x00\xf9\xdd\x9c\x24\xac\xaa\x5a\xc8\xe0\x21\x6e\xca\x8a\xcf\x1b\x47\x44\x30\x87\x64\x55\x62\xb0\x2a\x76\x1d\xde\x2f\xe1\xb5\x75\x53\xf9\x5b\xb3\x3b\xd9\x47\xe2\x0a\xa6\x2c\xb9\x8b\x79\x2b\x85\x67\x83\x99\x3f\x13\xcf\x9f\x2f\x7b\x26\x6e\xd1\x78\xc5\x28\x89\xce\x44\x3a\x15\x94\x8c\xac\x1f\x65\xab\xf3\xc3\x48\x3e\x84\x0e\x95\x42\xcb\x46\x0b\x0a\xb5\xe4\xf4\x50\x4c\x61\x00\x2a\x60\x75\x84\xf3\x81\xa4\x9f\x48\x89\x1c\x0c\x69\x3b\xeb\x12\x61\xd6\x04\x27\x64\x68\x04\x39\x7d\xad\xd6\x11\x29\x4b\xc8\xb2\xec\xcb\xcb\xfd\xbf\x99\x6f\x73\xd3\x4e\x1a\xcb\x1e\x2e\x2e\x76\x3c\xef\xc5\xc5\x03\x5c\x5c\xfc\x44\x5e\xfc\xe2\x02\xd2\xdf\x03\xc0\xc5\xc5\x34\xdb\xeb\x07\x79\xec\x9a\x43\xe2\xb0\xa0\x1b\xcb\x1e\xf8\xdf\x8b\x8b\x9f\x08\x86\x69\xfc\x01\xf6\xfe\x1e\x78\xd2\x4b\xa7\x02\x3a\x25\xa6\xfb\x10\x3d\x6f\xd1\x07\xa7\x62\xbc\x1b\x8f\x3e\x64\x5f\x7e\xbb\xff\x37\xf3\x6d\x6e\xda\x29\x63\xdf\x7e\x99\x3d\xc0\x9b\x66\xa5\x95\x9c\xd2\xf4\xca\xba\xe9\xf7\x07\x78\x2d\xee\x3b\x0c\x8c\xf1\xc1\x63\x37\x53\x97\x28\x36\x42\x69\xb1\xd2\x18\x59\xcf\x66\x44\x02\x0f\xf0\x16\x35\x0a\x8f\xe3\x4f\x75\x3c\x92\xbd\x33\x65\x35\xa5\x70\x55\x37\x96\xb2\xba\x38\x65\x39\xa7\x87\x7d\xa1\xef\x7d\xda\xcf\x35\xcd\xe1\xe9\xfb\x5b\x9d\x7e\x90\x30\x2d\x6c\x45\xbb\x3c\x69\xfa\x30\xf6\x4f\xb0\x89\x53\x39\x38\x42\xe5\x5f\xcd\xc1\x8d\x09\xe8\x8c\xd0\xf0\x4b\x07\x9f\x99\x6f\x0f\xf0\x8b\x11\x4d\x28\xad\x53\xbf\x53\xcc\x8d\x69\xed\x30\xfd\x20\x62\x4f\x17\x51\x25\x5a\x90\xa2\xf1\x08\x95\x32\x96\xa2\x73\x25\xd6\x08\x1d\x5c\x29\xdf\xc6\xaa\xd6\xb6\xc5\x94\xe7\xf6\x5b\x9d\x03\xa4\xfc\xdf\x38\xef\x97\xd6\x6c\xd0\x28\x0e\x06\xdd\xd8\xc0\x5e\x28\x95\xcb\x39\xab\x50\xe8\x97\x4f\x41\x6c\xb2\xaf\x69\xe2\x9a\xc6\xfe\x86\xe5\x29\x1c\x74\x6e\x1c\xf3\x81\xa4\xbd\x6f\xf3\xb0\x0c\x16\x3e\x1d\x2c\x27\x49\x74\x0f\xd1\x5e\xcb\xa2\xcf\xda\x80\x8a\xb6\x9a\x12\x86\xf3\xbc\xa8\xb4\x86\x92\x5c\xc7\x94\x25\xd0\x77\x1c\x4c\x01\x4f\x9c\x76\xac\x9e\xe9\xa6\xfb\xcc\x38\x59\xc0\x30\x36\x41\xfa\x44\xc9\x4f\x8e\x03\xff\xea\x8f\x4c\x7f\xca\x01\x0e\xeb\x26\x8c\x8d\xe8\xd8\xf4\xd9\xb1\xbf\x6d\xee\x14\x0e\xc6\xf9\x5d\x3a\x76\xe6\xd3\x53\x6d\x6e\xac\x8e\x4f\x62\x7e\xd6\xe8\x96\x0e\xee\x2d\x30\xf6\x63\x2e\xcf\x33\x3f\x11\x84\x0f\xce\xd6\xa5\x92\xbb\xe6\x17\x3b\x3b\xa9\xaa\xd8\x51\xc7\xc9\x07\xec\x9a\xde\xb0\xd7\xc3\x5c\x7c\x38\xff\x80\x1d\xd3\x1b\x19\xcb\x5f\x0c\xa8\xec\x8e\x35\xff\x1f\x57\x13\x54\xec\xb6\x6f\x38\xdd\xf7\x59\xf6\x2f\x66\xe5\xeb\x6f\xb2\x2c\x5f\x4e\xa6\x77\x85\xf3\xa8\x67\xd0\xd7\x5f\xbb\x75\x6a\x6c\x43\x51\x35\x3e\xaa\x08\x13\x11\xcb\x2c\xc3\xe9\xce\xdc\x2b\x1b\x77\x2c\xb9\x7b\x17\x8b\x78\x0f\xbe\xb4\x8d\xce\x21\x38\x86\x18\x81\x8e\x4b\x64\xbb\xa5\x62\x6f\xf6\xe0\xd8\xf6\x8b\xfd\x59\xcf\x7d\xd6\x1c\x7f\x6b\xfa\x26\x2b\x45\x86\xd4\x89\xed\x2a\x6e\xee\x9e\x88\x8d\x55\x39\x15\x03\x8d\x31\x48\xb6\x24\x1c\x37\x4d\xf3\xd8\xb3\x03\x69\x3d\x97\xf0\xc5\x94\xfa\x91\x3c\x84\x87\x0f\xef\xff\x18\x82\xe3\x87\xf7\x7f\x82\x75\xf4\x6d\x2c\x6b\xfa\xda\x09\x53\x48\x69\xab\x5a\x18\x15\xbb\x62\x02\xb4\xf2\xdc\x41\x19\x19\x76\x6c\xf2\x30\xfc\xb7\xa5\x92\xe5\x5e\xb1\x12\xbb\x1d\xc9\xf8\x52\xcb\xc9\x88\x0a\x3d\x1d\xfe\xab\x5d\x41\xd1\x18\xd9\xb7\x32\xba\xed\xb6\xa5\x8d\xad\xd1\x58\xff\xae\xcb\xc0\x61\x34\x79\x91\x9d\xae\xf6\x32\xcb\xd6\x8f\xb0\x3d\x4e\x55\x9f\xca\x22\x3b\x12\x55\x4c\xfa\xb9\x07\x7b\x4f\x5c\x4f\xed\x34\x77\x69\x52\xd7\x84\x5e\x66\x59\x79\x0e\xd0\x52\x07\x72\xa3\x70\x1b\xbb\xa4\xb3\xd8\x8a\x7d\x08\x35\xed\x59\x0b\xef\x31\x78\xc0\x0d\xba\x16\x0a\xb5\x41\x68\x51\xb8\x94\x2c\x70\x57\x01\xb6\x25\x72\x57\xe8\xf0\xce\x09\xe8\x64\x62\xa5\x30\x6b\xcc\xb9\x55\xe4\x68\x53\xa8\xad\xf7\x6a\xa5\x71\x71\xc8\xd4\x86\xc5\x64\x19\x0e\xf3\xd8\x6b\xa2\x8a\x97\x9b\x69\x97\xd1\x56\xbd\x2d\xc2\x56\x38\xec\x7b\x6b\x43\xcf\x2d\xd8\xbe\xad\xe5\x17\x3b\xa2\x69\x4c\xde\x93\x4e\xba\x6c\xb9\x55\xcd\x5d\x10\xab\xa3\xe0\x84\xf6\xf6\x89\xd2\xeb\xba\xf5\xa2\x08\xb3\x2d\xb5\x28\x0e\x46\x73\x9c\x22\x7a\x4a\x99\x0e\xde\x89\x4b\xeb\xbe\xd3\x91\x44\x47\xc5\x8a\xdd\x46\xe0\xed\xed\xeb\xcf\x15\xe6\x9c\x37\xe4\xd6\x79\x8c\xbe\xd6\xb1\xf7\x48\x28\x2c\x2c\x1d\xad\xcc\x7a\xe8\xd1\xbd\xe1\x1b\x93\xfe\x8e\xe4\xea\x88\x9c\xb8\xcf\x9f\x13\x33\x43\x83\x2b\xd8\x9a\x01\xb5\xb2\x21\xd8\x8a\x44\xc9\x6d\xad\xfe\xa2\xa8\x16\x6b\xfc\x86\x3b\xca\x3e\x6a\x63\x6f\x87\xc2\x59\x13\xba\x4e\x9a\xb4\x9b\x74\x7f\x63\x36\xa8\x6d\x8d\x20\x85\x73\xdc\x90\x8c\x57\x3c\xa3\x2b\xa8\xa1\xbb\xda\xed\xa4\xf8\x8a\xa0\xb0\x9a\x80\x31\xf1\x4c\xfd\x2a\xe5\xc1\x07\x4b\xd2\x83\x9b\x62\xbc\x5d\xba\xdc\x49\xa2\x5b\xf0\xdd\x52\x8e\x85\x68\x74\xd8\xbd\xcf\x50\x7e\x52\x02\x0f\x7d\xb9\x1f\x66\x2e\x9d\x3e\x87\x40\x3f\x07\xed\x37\xfb\xd8\x3f\x4a\xba\x39\x72\x99\xd6\x03\x71\x8f\xbb\x64\xc1\xc9\x37\x7a\xe9\x10\xa7\x8d\xf2\x6e\x1e\x8f\x90\x7f\x32\x90\x2b\x5f\x6b\x31\x60\x60\x12\x01\x88\xfa\x19\xf1\x57\x42\xe9\x93\x25\xaf\x3a\xf8\x38\x1f\x40\x2b\xd3\xb7\xab\x91\xb6\x81\x95\xcd\x5b\x96\xb8\x3a\x57\xd2\xfb\x01\xe8\x20\xc1\x04\x4a\x4a\x2e\x2b\xcc\x95\x80\x67\xb9\xf2\xf7\x7e\x01\x15\x56\xd6\x51\x5a\xeb\x72\xbf\x00\x0c\x72\xf9\xfc\x18\x57\x07\xc5\x4e\xa0\xf2\x8d\x2b\x84\xec\x79\xe3\x83\x3e\x0f\x5b\x63\x28\x05\x27\x8c\xaf\x54\x60\x62\x9c\xd0\xba\x3d\xc6\xc0\xe0\xe3\x08\xd7\xca\xf2\x85\x02\x16\xd6\x21\xa1\x40\x36\xde\xef\x5c\x4d\x74\xed\x72\xe2\xec\x32\xd8\x4b\xe6\x50\xda\xaa\x6a\x4c\x7f\x0d\xb3\x6a\x21\xa0\xc6\xba\xb4\x06\x17\xec\xaf\x4d\x9b\x6e\x43\x2a\x14\x31\xff\x20\xd2\xa6\xeb\x12\x4b\x62\x09\xd7\x5a\xf7\xb9\x40\x04\x2e\x9d\x78\xe0\x96\x8a\x55\x10\xdd\x2c\xf3\xb9\x6e\x54\x8e\x9a\xef\x65\x29\xc5\x88\x68\x1b\xde\x15\x2c\x48\x98\x8f\x3f\x2d\x58\x7e\x78\xff\x67\xf6\x34\x5a\x28\x36\x6a\x0c\xf1\x91\x81\x6f\x56\x95\x0a\x20\x0e\x3f\x4b\x48\x91\x82\x82\x61\xc5\x10\x09\x08\xbe\xa9\x29\x4c\x79\xcb\x9e\x39\x05\x5b\xa8\xad\x32\xe1\xd2\x16\x97\x14\x71\x85\x0c\x4b\xb8\x06\x2f\xe8\xb0\x23\xbb\xb3\xdd\x0d\xfc\x7f\xd7\xc5\xb0\x78\x29\x4a\xe5\x49\xbc\x1f\x49\xf1\x4a\x55\xb5\xb3\x14\x9f\xc6\xf7\xbf\xc7\xb8\x5d\x21\x55\x38\xd6\x25\x41\xcf\xdd\xa3\x9d\x70\x15\x3b\xb9\x0c\x5a\x3d\x7f\x1e\xb1\xf0\x8f\xec\x7f\xc9\xf9\xae\x1c\x8a\x7b\xc8\x86\xb7\x22\x27\x3f\x0f\x79\x3c\xeb\x1b\x3c\x67\x7f\x7f\x79\x30\x84\x8f\xa0\x75\x71\xc5\x62\x8c\xa1\xfc\xfb\x2e\xf2\xec\xd8\xe4\x60\xb0\xd1\xe7\xd3\xdf\x8b\x25\xfc\x4c\xd9\xed\x4c\xd6\x4b\xe5\xf4\x28\x8f\x5d\xf6\x6b\xc6\x8b\x6f\x0a\xf0\x24\xb6\xe3\x37\xd0\x7d\x9c\xea\x98\xf3\x29\x7e\x3b\x5c\x93\x4d\x38\xcc\xd9\x61\x2f\x27\x84\xf5\x7c\x30\x29\x9c\x84\xaf\x30\x3e\x8e\x50\x06\x9c\xb5\x95\x67\xa5\xda\x26\x74\x97\x19\x1d\xa9\x07\xb6\xe9\x01\x52\xd9\x0d\xe6\x80\xef\x6a\xcc\x55\x50\xb6\xf1\xba\x8d\x57\xca\xb5\x53\x24\xa7\x18\xce\x0a\xf1\x0e\x2a\x21\x4b\x92\xf0\x10\x27\x87\x42\x6a\x72\xcc\xdd\x2c\x9f\x9c\x69\x30\x10\x41\x5b\x79\x8f\x39\x48\xb1\x52\x06\xc3\x31\x56\x57\x18\xbd\x66\x81\x8e\x56\xa7\x97\x0e\x7c\x85\x7b\xa8\xea\x88\x25\x0a\x1d\x23\xb5\xa5\x94\xba\x4b\x9f\xa6\xe7\x3c\x51\x5d\xa4\x9b\x44\x08\x08\x70\x18\x1a\x67\xe2\x5d\x7c\x1d\xba\x0c\xf6\xa8\xd0\x7b\x57\x12\x75\xd8\x29\xe0\x24\x91\x8f\x61\x3a\xa1\x2e\x16\x98\xdc\xf5\xb1\x75\xbb\x5b\x64\x9d\xb8\x34\x27\x6d\xda\xd9\xd5\x6a\xfa\x96\x24\xdb\x47\xff\xa3\x3a\xf7\xa2\xd8\x11\xcc\x74\xc9\x47\x28\x9b\x8b\xd6\xe0\x1a\x1f\xb6\xd6\x85\xb2\xed\x5e\x5d\x8c\x41\xc0\x1e\x1f\x85\x3e\x88\x87\x57\xe2\x5d\x77\xcf\xb8\x9b\x4b\xd6\xe8\x62\xd4\x7e\x9c\xfe\xa8\xc1\xbc\xaf\x93\x69\xbb\x3d\x87\x12\x13\x6f\x61\xd8\x95\x19\x7c\x17\xfa\x4b\xc6\xa8\xff\x18\x08\x46\x09\xd1\xe0\xc6\x3e\x9d\x0b\x1b\x2f\xe2\x07\x0f\x7d\x96\x0e\x54\x7e\xe2\xbb\x54\xe3\xc2\x46\x09\x68\x0c\x1a\xe9\xda\x9a\xaf\xeb\x95\x46\xf0\xa5\xe0\x5c\xa3\xaf\x52\xbb\x47\x67\xaf\xee\xde\xb0\xe5\xb4\x3d\x08\x6a\xe1\xfd\xd6\xba\x7c\x78\x5c\x37\x3d\xfc\x7a\xd2\x1b\x98\xa9\xfe\xb7\x5c\x28\xce\x57\x2e\xc3\x29\xfd\xcb\x3d\x46\x03\x21\xd9\xac\xfb\xb3\xf7\x15\x97\x92\x6a\x7b\xa8\x30\x4a\x89\xf6\xe8\x04\xd1\x04\x4b\x84\x49\x4a\xdc\x3a\x17\x16\xcb\xdd\x17\x5f\x41\xa5\x4c\x13\xba\x47\x7a\xe9\x25\x4d\xfb\xa8\xa7\x64\x6d\xf5\xfd\x1e\xf6\x29\x49\x75\x51\x02\xf1\x3d\xd8\xf8\xb1\x21\xe9\xb1\x6f\x01\x61\xff\x9e\xe7\x11\xd1\x8d\x77\x18\xaa\xbe\xf3\x30\x30\xaf\x77\x5b\x70\x0a\x19\xda\x1a\x77\xf4\xde\x23\xe6\x74\x0f\x84\x4e\x78\x3c\xc5\xff\x9c\xe1\x79\x46\xc0\xb5\xae\x7a\xdc\x82\xd3\x4a\x36\x60\x7e\x9c\xe9\x36\xe4\x91\x23\x4a\x48\x2a\xa9\xa9\xa2\xe7\x9f\xc9\x3d\x72\x40\x17\xba\x49\x8e\x47\xe5\xca\xfd\x3d\x56\x42\x4f\x7f\x67\x62\x3f\xde\xdd\xbd\xb9\x8d\xef\x64\x6f\x7f\x5c\xc2\xab\xc6\x51\xfe\x7e\x20\x5e\x0d\xcb\x69\xc1\x60\x25\x29\x80\x11\x2a\x47\x76\x12\x8b\xcc\x91\x13\xde\xef\xab\xdc\xc6\xe4\xec\x33\x79\xa2\x47\x9d\xc1\x47\xda\xfb\xc7\x1b\xf3\x68\xcf\x39\xf2\x22\x88\x58\xcd\xda\xf6\x25\xf5\x90\xa1\x8d\xe1\x53\x97\xad\x27\x0a\xa6\x92\x38\xec\x2d\x7e\xf1\x7d\x17\x54\xdb\x35\x05\xc5\x23\xa6\x1f\x83\x4f\x12\x75\xc0\xaa\xb6\x4e\x38\x45\xa0\x76\x1c\xd0\x84\x41\x13\x88\x4a\x2c\x02\xef\xb1\xb5\xee\xbe\xd6\x62\x2f\x7d\x11\x41\x0c\x68\x72\xe9\x42\x41\xb7\x09\x41\x06\x84\x5e\x5b\xa7\x42\x59\x4d\xbb\xfa\xfc\xaa\x19\x21\x47\x8d\x23\xbb\x38\x66\xc8\x27\xeb\x7e\x24\xc2\x50\x3a\xdb\xac\x4b\xa8\x1a\x1d\x14\x55\xbc\x81\x6a\xda\x26\x94\xb4\x7f\xaa\xd2\x9f\xbd\x7e\x75\xfd\xfc\x64\xed\x75\x16\xaa\x8c\x0f\x82\xcf\x18\x79\x81\x73\x6d\xff\x91\x33\xce\x45\x48\xac\x94\x58\x76\xa1\xed\xbb\xbb\x7c\x65\x60\xa9\xd6\x1c\xaa\x60\xbe\x32\xb0\xb6\xda\x4b\x25\x5e\x0b\xa5\x3f\x93\xed\xb2\x99\x21\x37\xa2\x63\xb5\x2d\x1c\x16\x0d\xd9\x97\x2c\x51\xde\xa7\x27\x9a\x52\xd5\x6a\x2f\x2d\xa5\x52\x3e\xbe\xa7\xf5\x81\x25\x12\xfb\xd9\x1f\xde\xff\x31\x53\x17\x7e\x78\xff\x27\xf7\xdb\x1e\x0f\xaf\x3f\x70\xcf\x6a\xdf\x15\xaa\x47\x72\xff\x13\xc0\x7a\x60\xeb\x3d\x79\xdf\xa6\x5e\xd6\x6b\x4a\xfa\x3f\x93\xe0\x79\x6f\xb2\x6b\x0a\x25\xfe\xe4\xc4\xeb\xb4\x0a\x88\xaa\x95\xa6\x3a\xaf\x5c\xbd\x1b\xad\x3b\x5a\xaf\x7e\x8c\x37\x8c\x5c\x73\xa5\x34\x61\xfb\x40\xde\x11\xa7\x9f\x5b\x8d\x3e\x49\x46\xe7\xd7\x88\x7d\x52\x94\x76\xda\x4d\x89\xac\x9b\x54\x67\x71\xd6\x09\x28\x3d\xcc\xf4\x7e\x39\x96\xe6\x7e\x86\x3a\x2c\xf6\x77\x1e\xab\xc5\x76\xf2\x8c\xbb\x51\xb3\xf4\x67\x6e\x96\x7e\x32\xeb\xd9\xf9\x91\xc9\x54\x0c\x93\x27\x1b\xfd\x06\x24\x41\x2a\x05\x39\xf3\x40\x86\x44\xea\x94\x13\x98\x53\xda\xb4\xe3\xf0\x95\x1f\x75\x51\x7b\x38\x1e\x6f\x9b\xf0\x6e\xbd\xbe\x6c\x63\xf2\xcb\xda\x59\x5b\xec\xdb\x17\xbf\xcb\x73\x7e\xd4\xef\x4b\xf4\x39\x94\xd6\xe5\xe3\xf3\x0e\xc2\xe3\xe5\x78\x0f\x69\x4d\xde\x70\x46\xd5\x05\xd5\xd1\xef\x86\x62\x73\xf8\x11\x13\xfb\x6f\x1b\x71\x23\x1d\x01\xbd\xbf\xc5\x1a\xd3\x29\x7a\x47\xb0\xcc\xb2\x1b\x33\x2d\x4d\x16\x9d\x3b\x88\xe5\x47\xff\xeb\x1c\x32\xce\xa6\x6a\xb4\x08\x6a\x83\xba\x5d\x30\x35\x31\xca\x89\x30\xac\x29\x52\x3b\xfb\xc0\x2d\x47\x55\x27\x1b\xdb\xf9\xd5\x4f\x7c\xc5\x1f\xb7\xe8\x1e\x43\xd0\x56\x7c\xb3\x78\xe8\x02\xf2\x92\x63\x48\xf7\xc4\x6e\x42\xf6\xe8\x17\x21\x4c\x51\x7c\xf7\x7e\x60\x27\xf6\x1f\xc9\x7c\x38\xbf\x3f\x24\x81\x65\xf6\x8f\x2c\xcb\xb2\xff\x0f\x00\x00\xff\xff\x20\x25\x48\x59\x28\x38\x00\x00")
func complySoc2PoliciesClassificationMdBytes() ([]byte, error) {
return bindataRead(
@@ -577,7 +577,7 @@ func complySoc2PoliciesClassificationMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/classification.md", size: 161, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/classification.md", size: 14376, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -597,7 +597,7 @@ func complySoc2PoliciesConductMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/conduct.md", size: 4492, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/conduct.md", size: 4492, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -617,7 +617,7 @@ func complySoc2PoliciesConfidentialityMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/confidentiality.md", size: 3653, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/confidentiality.md", size: 3653, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -637,7 +637,7 @@ func complySoc2PoliciesContinuityMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/continuity.md", size: 5043, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/continuity.md", size: 5043, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -657,7 +657,7 @@ func complySoc2PoliciesCyberMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/cyber.md", size: 4805, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/cyber.md", size: 4805, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -677,12 +677,12 @@ func complySoc2PoliciesDatacenterMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/datacenter.md", size: 3014, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/datacenter.md", size: 3014, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesDevelopmentMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8d\x31\x8a\xc3\x30\x10\x45\x7b\x9d\xe2\xc3\xd6\x5a\xd6\x5b\x19\xb5\x72\xb3\x8b\x0b\x13\xe5\x02\x42\x1e\x87\x09\xd2\x4c\xb0\x64\x07\xdf\x3e\xd8\xd5\x87\xcf\x7b\x3c\x89\x85\x1c\x82\x2e\xed\x1d\x57\xc2\x40\x3b\x65\x7d\x15\x92\x86\x91\x17\x4a\x47\xca\x84\x49\x33\xa7\xc3\xc4\xb4\xaa\x1c\xc5\x21\x0c\xa3\x9f\x4c\x8d\x8d\xeb\xc2\x54\x9d\x01\xee\xc1\x9f\x03\x58\x78\xdf\x7f\x77\xa6\xc4\xa7\xae\x37\xda\xb9\xb2\xca\x85\x58\xcc\xb1\x91\xc3\xff\x26\xe8\xf0\xfb\xd3\xf5\x97\x90\xb4\x9c\x39\x87\x3f\xe1\xc6\x31\x63\xd6\xb4\x9d\x8f\xb1\xd6\x1a\xf3\x05\xaf\x85\xe5\x81\xa0\x2a\x9f\x00\x00\x00\xff\xff\x38\xd7\x26\x45\xae\x00\x00\x00")
var _complySoc2PoliciesDevelopmentMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x5a\xcf\x92\xdc\xb6\xf1\xbe\xef\x53\x74\xd5\xef\xb2\x5b\x35\x33\x6b\xfd\x4e\x8e\x72\x92\x77\x9d\x8a\x52\x76\x65\x4b\x92\x93\x33\x06\x68\x92\xf0\x82\x00\x0d\x80\x33\xa6\x4e\x7a\x8d\x54\xc5\x2f\xa7\x27\x49\x75\x03\x20\x41\xce\xac\x2d\x57\x7c\x88\x2f\x9a\x9d\x01\x81\x46\xf7\xf7\x7d\xfd\x87\xb6\xa2\xc7\xd7\xf0\xde\x35\xf1\x2c\x3c\xc2\x23\x9e\xd0\xb8\xa1\x47\x1b\xe1\x3b\xdd\xa0\x9c\xa4\x41\x78\x72\x46\xcb\xe9\x46\x48\xef\xec\xd4\xbf\x86\xf7\x8f\xdf\x3d\x3c\xdd\x04\x11\x75\x68\x34\x86\xd7\x37\x00\x1f\xde\x3f\xd0\x3f\x00\x7b\x78\x78\xf8\xfa\xf0\xea\xa6\x17\x3f\x3a\xff\x0e\x4f\x3a\x68\x67\x79\xc9\x1e\x94\x88\xf8\x1a\xfe\x36\x5a\x78\x05\xff\xff\xd5\xab\xaf\xf9\x01\xe9\x7a\x3a\xee\x35\xbc\xb5\x3a\x6a\x61\x40\x39\x39\xd2\x37\x37\xfb\xfd\xfe\xe6\xe6\xff\xe0\x69\xf4\x83\x0b\x08\xc2\x2a\x78\x2f\xdd\x80\x37\x37\xe2\x00\x1f\x3a\x84\x21\xff\xe2\x1a\x88\x9d\x0e\x30\xb0\x9d\xa0\x03\x44\x07\x0a\x1b\x6d\x11\x3c\xfe\x34\x6a\x8f\xb4\x61\x80\xc6\x79\xc0\x10\xc5\xd1\xe8\xd0\x69\xdb\xf2\x9e\xbd\xd0\x36\x0a\x6d\xe9\xef\xa3\x08\x68\xe8\xb1\xc1\xbb\x88\x32\x6a\x67\x21\x44\x61\x95\xf0\x2a\x3d\x2e\x5d\x3f\x08\x3b\x41\xc8\x2e\xdb\x81\xc5\x78\x76\xfe\x19\x14\x9e\xb4\xc4\xb0\x83\x80\xfe\x84\x3e\xec\x78\x77\x85\xe1\x39\xba\x21\x1c\xb2\xd5\x8b\x99\x62\x18\x8c\x46\xb6\x55\x18\x03\x63\x40\x1f\x60\x40\xdf\x38\xdf\x93\x2d\xe5\x04\xda\xb8\x04\x65\x07\x61\x0a\x11\x7b\x10\xaa\xd7\x56\x87\xe8\x05\xd9\xb8\xcb\x17\xb1\xa2\xe5\x9b\x26\x8f\x20\x39\x4d\x46\x7d\xd2\x91\xce\x39\xeb\xd8\x69\x4b\xdf\x83\xf3\xad\xb0\xfa\x23\x3f\x9b\x8d\x8a\xd3\xa0\xa5\x30\x66\x02\x6d\xa5\x19\x15\x06\xc0\x7e\x30\x6e\x42\x0c\xbc\xbb\x74\x36\x7a\x21\xa3\xe3\x9b\x05\x38\xa3\x31\xf4\x2f\x39\xc3\xa3\xc1\x93\xb0\x11\xf0\xe7\x88\xde\x0a\x03\x83\xf0\x7c\xa8\xb6\x27\x67\x4e\xa8\x20\x9d\xbc\xb6\xe8\xb6\x43\x8f\xda\x8a\x26\xa2\x07\x8f\x0d\x7a\x8f\x8a\xfd\x11\xe0\xf3\xa7\x7f\xb3\x47\x3e\x7f\xfa\xe5\x6e\xed\xb7\x7e\x0c\x11\x8e\x08\xbd\x50\x14\x5e\xa1\xb4\x99\x40\x9c\x84\x36\xe2\x68\x70\xe5\xce\x2b\x4e\x37\xc1\xd5\x9e\x47\x1b\xd1\x0f\x5e\x07\xdc\x9f\xb5\xc2\xec\xde\x74\x63\x5e\x26\xd9\x49\xa1\x04\x01\x15\x1c\xa7\x0b\x1f\x82\xf3\xe0\x2c\x1c\xb1\x13\xa6\xc9\xce\x5f\x2f\x20\xe8\x0c\xde\xa9\x31\x61\x4a\xf7\x83\xe1\x48\xa5\x10\x10\xcc\xbf\x11\xf2\xb9\xf5\x6e\xb4\x6a\xc6\xb7\xb6\x71\x0e\xe6\x16\xde\x68\xc3\xe8\x11\x04\xc7\x61\x9f\xc0\xae\x08\x7b\x92\xbf\x4e\x01\x0b\x3a\xf0\x0e\x83\x77\x12\x43\x02\x30\xa3\x84\xf0\x45\x36\xa2\x8d\xda\x23\x98\x99\xea\xae\x59\x70\x47\x9b\x68\x4b\x70\x4c\x77\xc8\xbe\xd9\x41\xe3\x5d\x0f\x3a\xd3\x75\x45\x30\x61\x85\x99\x82\x0e\x30\xda\xa8\x4d\x01\xab\x42\x22\xb9\x0e\x21\xc3\x0d\xcb\x55\x92\xd9\x81\x4d\x61\x1b\xd5\x48\x8c\xf2\xce\x60\xa6\x8f\xc7\x30\xd0\x3d\x8e\xda\x30\x66\x76\x89\xc3\x42\x76\xc4\xcb\x16\x8b\xb3\xaf\x91\x65\xb9\x56\xc2\xc1\x3f\x0b\x01\x66\x5f\xee\xbe\xe0\xd9\xe2\xc7\x40\x47\x5d\xbd\xec\x0e\x84\x97\x9d\x26\xbd\x28\xbe\x57\x18\x74\x6b\x77\x6b\xea\x46\x0c\x51\xdb\x96\xbe\x25\x62\xd1\x97\xf7\x6b\x20\xec\xc0\x0d\x98\x28\x1d\xee\x59\x97\xd0\x0a\x2b\xb1\x48\xc9\xc6\x8d\x01\x4b\x64\x31\x40\x2f\x26\x62\x45\xe3\x8c\x71\xe7\x44\x38\xa2\x26\x85\xef\xcf\xfc\x07\x9c\x45\x44\xdf\x10\x39\x7a\xa7\xd0\xec\x40\xc7\xf2\x94\x18\x06\xef\x06\xaf\x45\x64\x02\xa5\x4d\x96\xb0\x84\x00\xa4\x8a\xc2\x9b\x69\x07\xe7\x4e\x1b\x4c\xdb\x83\x68\xe9\x73\xed\xb7\xbc\x75\xfd\xa8\x14\x44\x0d\xf0\x38\xa0\x88\xc5\x32\xd0\x91\x6f\x7a\x42\x68\x44\xe8\x0a\x0b\xde\x91\x0a\xa0\x95\x18\x38\x64\xef\x74\x78\x86\x37\x74\xbf\xc0\xbb\xe7\x4c\x44\x59\x21\x7f\xca\x54\xa9\xc9\xf6\xf9\xd3\xbf\xc2\xcb\x29\x0d\x1e\x38\xaa\xb7\x94\xc4\xee\x16\xb1\x23\x83\xd3\xb5\x89\x1b\x43\x27\x02\x25\x36\xce\x50\xfa\x00\xef\xea\xb8\xbf\xc9\x71\x9f\x7f\x7d\xb3\x0d\xff\x23\x87\x7f\xfe\xfd\x43\x0a\xfc\xfc\xf7\xe3\x12\xff\xb7\xab\xf8\xcf\x2b\xfe\xbe\xc0\xe0\xfb\x05\x06\xd5\x06\x0b\x12\xd8\x05\x8f\xa3\xe7\x74\x66\x4c\x36\xbd\xf0\x82\x6e\x09\x67\xd2\x59\x10\x85\x8e\x3a\x80\x75\x91\xc2\xb0\x28\x52\x66\x42\x5a\xc0\x0a\x4b\x4b\x3a\x71\x22\x71\x38\x21\xa5\x6e\x01\x01\x23\x39\x4a\x44\x4e\x06\x42\xdb\x95\x3c\x68\x45\x6a\xd2\x4c\x6c\x88\x8c\x23\x65\x01\x74\x03\x89\x0a\xa5\x4d\x3f\x38\x4f\xf0\xa2\x45\x89\xc9\x79\x51\xa3\xe9\x72\x9c\xf9\xf9\x90\x51\x76\x9c\x57\xa4\x74\xa3\x8d\x60\xc7\xfe\xc8\xd9\x94\xa5\x4d\xc7\x09\xa4\x53\xf4\xb8\x77\x23\x79\xb5\xb6\x61\x47\x47\x11\xea\x5d\xec\xd0\x2f\x3b\x53\x56\xab\xac\xa3\x73\x0e\xf0\xb6\xb2\x9d\x2f\x75\x76\xa3\x51\x84\x54\x66\xbc\x42\x4a\x46\x01\x6d\xd0\x8c\xd2\xe4\x14\x3c\xa1\xa7\x25\x63\x40\x05\x6e\x8c\xb4\x8e\x7c\x5d\x69\x3b\xda\x93\xf6\xce\x32\x56\x0e\x33\x40\x17\x6c\x55\x09\xb0\xa4\x32\x2a\x2a\x0c\x12\x37\x84\x55\xf7\xec\xae\xd9\x02\x95\x42\x4b\xe1\xb9\x2e\xb5\x1c\xf0\x05\xaa\x8c\xce\x8f\x08\xc7\x31\x90\xb6\x86\xd5\x53\x87\x79\xd9\x53\x2a\x34\x40\x80\x27\x8e\x89\x99\x63\x07\xf8\xde\x79\x5c\x45\xd6\xd9\xed\xa2\x40\x20\x52\x3a\xc8\x31\x84\x39\xb9\xbf\xc0\x56\xb8\xf5\x85\xd4\x70\x2b\xee\xee\x16\x1b\x1e\xd3\x06\x20\xc2\x80\x32\x09\xec\x1c\xe4\x5b\x3c\xb4\x87\x1d\x39\xa2\x49\xa1\x13\x46\xc7\x69\xc7\x39\xb1\xf5\xfc\x31\xe7\x7c\xca\x0c\xd3\x1d\xf3\xae\x4b\xa2\x35\x41\xaf\xdb\x2e\x72\x02\x9f\x48\xcf\x58\xf2\x2b\x3f\x1c\x2a\x62\x9f\x34\x9e\xc1\x63\x3b\x1a\x11\x9d\x9f\xb6\x4e\x56\x17\xb9\x9c\xe5\x85\xf3\x07\xa3\x78\x2e\x0f\x77\x4b\x0a\x4b\x0f\xb6\xa3\x56\x5c\x4d\x86\x8b\xf3\x9a\x91\xb5\x62\x8e\x51\xeb\x84\xb9\x5c\x25\x47\xef\xc9\x8f\xf3\xb2\x6d\x46\x8e\x28\x3b\xeb\x8c\x6b\xa7\x2a\x71\x2c\xdb\xbc\xb5\x0b\xed\x06\xef\x5a\x2f\xfa\xba\x48\xd4\x29\x9b\x27\x09\xd4\xb6\xcd\x18\xa2\xff\x5e\x1d\x66\x95\xa3\xa8\x14\x43\xb2\x3e\x70\x6d\x75\x2f\xc7\x10\x5d\x9f\xaa\xac\xea\xb9\x1f\xac\x42\xcf\x4e\x81\xb2\x62\x4f\xd5\xa0\x45\xcf\xc1\xf3\x8d\x90\x1b\x28\xe7\x58\x97\x6b\xee\x0d\x49\xf6\x5c\x58\xdf\xad\xf7\x2f\xa0\x19\xbc\xfb\x11\x65\x84\xa8\x7b\x6c\xbc\xe8\xb1\xc2\x55\x92\x7c\x76\xd7\xe0\xb5\xf3\x3a\xea\x8f\xb8\x60\x2b\x38\x33\xb2\xff\xae\x53\x23\x21\x18\xa4\x0b\x91\xb7\x38\x8e\xaa\x45\xd6\x3c\xaa\xb7\x75\x69\x24\x2e\xb6\xab\x7d\xb9\xca\x89\xb4\xc9\xb5\xf8\xbc\xa1\xac\x7b\xaa\x0c\xbb\xc0\x5e\x3a\x7a\x79\xe2\x7b\xf1\x8c\x54\x1a\x1f\xc7\x09\x4e\xe1\x00\xc7\x51\x1b\xf5\xf9\xd3\x2f\x54\x1b\xa4\x4e\x6b\x63\x1a\x7a\x6e\x4a\xb8\xb1\x51\xe0\x12\x4f\x6b\x08\x89\xa3\x3b\xe1\x35\x99\xba\xd0\xa6\xfb\xeb\xa2\xf4\x42\xed\xb3\x95\xa5\x6f\xd5\x28\x09\x87\xb5\x5f\x22\x8a\x3e\x90\x51\xcc\x5b\x07\xd2\x53\x81\x40\x89\x2a\x55\xb1\x09\x6e\x57\xe3\x4a\x22\xe9\x53\x87\xa7\x6d\xe3\x45\x88\x7e\x4c\x26\xcc\x77\xaf\x0d\x5b\xf6\xf8\x4e\x87\x98\x78\x43\xed\x0e\x1b\x6c\x9d\xdd\x2f\xdf\x54\x69\xc6\x46\xef\xcc\x35\xcd\xac\xaf\x7c\x16\xe6\x39\x76\xde\x8d\x6d\xb7\xac\x7c\x98\x6f\xc2\x57\x48\x88\x5e\xb6\x4e\x2e\xba\x58\xde\xe9\xb6\xcb\x4b\xd7\x36\x25\xde\x93\xf0\x71\x01\x75\xc5\xd8\xb4\xe3\x55\x7d\x27\x1c\xdf\x1f\xd1\x62\xa3\xe3\x92\x35\x08\x26\x39\x52\x14\x61\x67\xd7\x1c\x78\xcc\x4d\x38\x87\x58\x61\x14\xda\xfc\xda\xc1\xd7\xce\xcd\xbb\x7b\xd6\x32\x2e\x1b\x65\x97\x50\x95\x8b\xae\x1d\x88\x08\x02\xa8\x91\xed\xc7\x7e\x57\xed\x9e\x9e\x61\xe9\xa9\x9a\xb0\x22\x7f\x55\xb4\xd7\x9d\x68\x7e\x8e\x1e\xab\x5c\x39\x97\xc8\x35\x90\x82\xf4\xfa\x58\xdd\x6c\xbe\xcf\x52\x50\x27\xf5\x28\x8a\x5e\xeb\x24\x04\x6c\x3d\xb6\x39\x39\x36\xa0\x46\xce\xe6\xf4\xc0\xf6\x97\x2b\xf5\x7f\xd9\xf8\x6a\xbd\x00\xb5\x8d\xe4\xbe\xd2\x66\xa1\x55\x7b\xd2\x5d\x60\x09\x2a\xdb\x08\x2a\x71\x39\x35\x64\x7d\x5f\x5f\x92\x36\x10\xd0\xa2\x45\x5f\xc7\x8c\x0c\x81\xc1\x88\x2a\x6c\x3f\x0c\x8a\x6b\xff\x2f\xce\x75\x17\xde\x69\xea\x26\xe2\x42\x4c\x59\x18\x0a\xa6\x32\xdd\x7b\x1d\x75\x4b\xa7\x7a\x0c\x5a\x51\x29\xf8\xeb\xc1\x86\xd3\x68\xe8\x26\xa5\x17\xbc\xbc\xaa\x55\xcb\x78\x07\x02\x0e\xc2\x6f\x25\x87\x13\x3a\x5d\xff\xb7\xaa\xb4\xdf\x59\x9a\xd5\x67\x6c\x94\xef\x3d\x46\x18\x87\x45\xd5\xea\xa5\x95\x15\x25\x0b\xce\xd3\xa3\x10\x9d\x17\x2d\x56\xf5\xd2\x07\x9f\x6b\xee\xda\x29\xb3\x88\x6a\x1b\xa2\x30\x66\xf1\x1e\xd7\x4e\xed\xe8\x67\x34\x66\xf7\x1e\x0d\x56\xe3\x2b\x3d\x77\xb5\xea\x52\x69\xa9\xd4\x66\xa9\xa8\x22\xb3\x15\xb3\x6b\xf2\xf1\x36\xd9\xb2\x9b\x6d\xc0\xb5\x86\xb1\xcf\x38\x0e\xeb\xdb\x1c\xb6\x5e\x2b\xa7\xec\x3d\x1a\xd6\xbe\x1a\x03\x13\x91\x41\x3e\x73\xc3\x76\x8d\xe4\x39\x5b\x5c\x61\xf9\xcc\x80\x34\xd3\xcb\xe5\x0d\x99\x98\x2b\x33\x0a\x01\xa7\xd3\x5b\x7d\xc0\xc3\x8e\x0a\x44\x8f\xdc\x6f\x15\x1a\x57\x71\x79\x70\x96\xc8\x0c\xa3\xd5\x71\xc5\xf2\x72\xdf\xea\xb1\x3f\x00\x6b\xe5\x84\x0d\xce\x6a\xc5\x57\x78\x05\x01\x59\x1d\x73\xb2\x82\xa3\x8b\x3c\x44\x89\x5a\x26\x7a\x4e\x56\xf4\xfc\xb9\x2a\xfc\x68\xa7\xe8\xe6\xee\xe9\x82\x82\xb0\x6a\x72\x37\x07\x2e\xfa\x70\x99\x1f\x72\x29\x49\x77\x09\x97\x9e\xcc\x63\x50\x6a\x7a\xd9\x36\xe3\x44\xe2\x6d\x1a\x63\x5e\x26\x69\x40\x4b\xb8\x56\x97\x07\x8d\x61\x06\x4b\xf6\xdb\x26\xab\x5c\x4b\xf8\x5b\x7b\xb4\x55\x38\xa0\x25\x2f\x6c\x10\x58\xf7\x44\x65\x16\xc5\x57\xab\x8b\xc1\x5c\x74\xd5\xb4\xdd\x0c\x18\xff\x10\x09\x2a\x53\x85\x2d\x32\x66\xaf\x6a\xe3\x62\xbd\x2e\x1b\x7c\x91\x53\x37\x32\x9c\xba\xe9\x79\xc8\x7b\x8d\xf0\xe5\x88\xe8\x05\x37\xcc\x3c\x0d\x8d\x67\x44\x9b\x4f\x4d\xdc\x32\x66\x1f\xa4\x30\xb5\xb1\x97\x11\x9b\x5b\x3c\x90\x1d\x26\x7a\xcf\xd3\x47\x68\xb4\xc1\xd5\x00\x74\x8c\x1d\x61\x53\xea\x38\x1d\x36\x13\x96\xdf\xca\x95\xdc\x1a\xb2\xa6\xd6\xe3\xf4\x13\x12\xfc\x82\xb3\x16\x53\xe5\x95\x26\xf3\xb9\xc7\x4d\x66\x70\x5e\x9c\x81\xd3\x8c\x56\x6e\x4a\xfb\x3c\x30\x4a\x73\x70\xa9\x87\x45\x83\x23\x18\x14\x54\x83\x9e\xdd\x3c\x54\x4e\xdb\x3b\xaf\x28\xbf\x3b\x8a\x2f\x3b\xf3\xaa\xbf\x52\x3f\x8b\x2f\x54\x10\x7f\x00\x8e\xae\x8f\x20\x2f\xb3\xda\x69\x53\x54\x88\xf0\x9c\xe7\xe6\x97\x03\x8e\x34\xab\x41\x33\x15\x66\xa7\x39\x7f\x3a\x2a\x93\x21\x87\x80\x5c\x70\x95\x44\xc7\x31\x0d\xa5\x8c\xee\x35\x57\xc1\x6e\xd3\xb0\xce\x1b\xd0\xea\x14\xb4\x64\x0e\x65\x86\x75\x13\xf9\x61\x64\x58\x54\x32\xb3\xfe\xfd\x69\x79\x0d\x73\x14\xf2\x79\x1c\xd2\x3c\xca\x27\x36\xbb\x75\xa3\x96\x87\xef\x05\x21\xef\x13\x50\xdf\x54\xd3\x89\x32\x09\x79\xe9\x8c\x32\x77\xab\xdc\x9d\xf3\x4e\x9d\x4d\x78\x9c\xc1\xcb\x8b\xcf\x47\xae\xda\x72\xa9\x2a\xa2\xec\x30\x6c\xba\xe5\xcc\x4b\x36\xfb\x2a\x19\x5e\x5c\x3e\xa0\xd7\x4e\x69\x59\x8c\x7b\x51\xf6\x5e\xdc\x41\x58\x4b\x45\xdd\x76\x74\x74\xb8\x9c\x72\x0a\x33\xbf\x78\x21\xc4\xac\xe3\xfa\x0d\xe6\xcc\x95\x30\x93\x79\xcf\x13\x3b\x06\xca\x56\xbe\x77\x29\xb3\x89\x31\xba\x5e\x64\xb4\x43\x2f\xc8\x96\x1d\x08\x8f\x33\x5d\xc9\x46\xe9\xbc\x47\x19\xcd\x94\x8a\xc7\xa6\x41\x02\x2f\x9a\x69\x7d\xab\xbf\xf2\x20\xd4\xb5\x79\xfc\x49\xbb\x14\xff\xf0\x74\x71\x65\xe0\x49\x98\xb1\xd4\x38\xb3\x75\xab\xdc\xc0\x87\x9d\x84\xd1\x5c\x74\x8b\x51\xe9\xb8\x6d\x37\xf3\xc1\xf3\x7c\x18\x9c\x6d\x1d\xb3\xd9\x59\x1d\x9d\xcf\x89\xac\x7e\x5f\x95\x20\xbf\xb8\x48\x61\x79\x85\x59\x0f\xd6\x4e\xda\x99\xfc\x4e\x8b\x1f\xb2\xa4\xa0\xce\xeb\x8f\xa8\x40\x76\xc2\xb6\xb8\x31\xe1\x1f\xc5\x4e\x7e\x61\x54\x3c\xc4\x42\x5a\xf2\x47\x31\xb2\x2e\xb1\xe6\xcc\x5c\xea\x8d\x45\x29\x66\x20\xce\x43\xb9\xf9\xad\xda\x53\x29\x19\xe0\x2f\xce\xc3\xb7\x3f\xa3\x4c\x43\xde\xb7\x56\x72\x0d\x02\xef\xd2\x0b\x21\xbc\x12\x1f\x51\xbd\xba\x5a\x67\x30\x12\xbb\x4e\x78\xc5\xbf\x31\x51\xaa\x9a\x31\x85\x54\x87\x4a\x9a\xd2\x38\xd0\xf3\xcb\xd0\x45\x96\x91\x94\xc7\x92\x27\xe6\x73\x8e\x63\x9b\xdb\xbe\xa5\x7d\x3c\x1a\x0a\xc8\x11\xd3\x6c\x3a\xb2\x4c\xb3\x3a\x64\xe1\xbe\xe8\xaf\xaa\x29\x5e\xad\xe4\xf0\x94\x18\x9d\xc2\x94\x99\x5e\x04\x35\xbd\xc2\x54\xe5\xa5\xae\xd5\x16\xe3\x04\xb7\x7f\xfa\xea\x0e\x94\x98\xf2\xbb\x2a\x4a\x34\x5c\xbe\x0d\xde\x9d\x74\xa9\xe4\x15\xfe\x94\xe0\xb9\x6e\x47\x07\xb1\xb4\xad\xf3\xfd\xf2\xb1\x07\xf8\xb6\x47\xdf\xa2\x95\xd3\x0e\xa4\xd7\x91\x60\xbf\x83\xa3\x47\xf1\xbc\x6f\xf4\xcf\xa9\x1d\xfc\x88\xde\xed\x95\x98\x36\x52\xc1\xfe\x2e\xd6\x5c\xde\x40\x04\xf8\x69\xd4\xf2\x99\x28\x48\xbd\x66\x08\xfa\x68\xbe\x6c\x22\xf5\x5b\xf5\xd0\xf2\x92\xe4\xa5\x8a\xe8\x4b\x2a\xf6\x32\x35\x2b\xd4\xe5\xb7\xd5\x73\x0d\x04\x1e\x7b\x77\x12\xe6\xb2\x14\x72\x95\xba\x55\x65\x51\xf9\x9f\x08\x56\x4f\xdf\x7b\x1c\x8c\x90\x9b\xe1\xf4\x23\x46\xa4\x04\x91\x5f\xbf\x78\x8c\x54\xe9\x6c\xe6\x96\xdb\xf6\x6c\xfd\xfe\xb6\xe8\x03\xbf\xf2\xf8\xef\xa7\x3b\xbf\x73\x4c\xf0\x3f\x32\x25\xf8\x4f\x00\x00\x00\xff\xff\xbe\x37\xed\x94\xe5\x22\x00\x00")
func complySoc2PoliciesDevelopmentMdBytes() ([]byte, error) {
return bindataRead(
@@ -697,7 +697,7 @@ func complySoc2PoliciesDevelopmentMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/development.md", size: 174, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/development.md", size: 8933, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -717,12 +717,12 @@ func complySoc2PoliciesDisasterMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/disaster.md", size: 10315, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/disaster.md", size: 10315, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesEncryptionMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8b\xc1\xca\xc2\x30\x10\x06\xef\xfb\x14\x1f\xfc\xe7\xfc\x58\x4f\x36\xd7\xd0\x83\x9e\x8a\xf5\x05\x42\x1a\x65\xa5\xbb\x2b\x4d\x2a\xe4\xed\xa5\x3d\x0d\x0c\x33\x1a\x25\x7b\x0c\x9a\xd6\xf6\xa9\x6c\x8a\xd1\x16\x4e\x8d\x62\x5a\x4d\x9b\x78\x0c\x23\x95\x58\xb9\x3c\x39\x17\x4f\xc0\x63\x0a\x3b\x00\x87\x10\xfa\xff\x9e\x24\xbe\x6d\xbd\xe7\x2f\x17\x36\x3d\x12\x87\x39\xd6\xec\x71\xdb\x14\x1d\xce\xa7\xee\x72\x0c\xc9\x44\xb2\x56\x8f\xab\x72\xe5\xb8\x60\xb6\xb4\xed\x86\x9c\x73\x44\x7f\x08\x26\xac\x2f\x4c\x66\xfa\x0b\x00\x00\xff\xff\xd5\x3c\x94\xf4\x97\x00\x00\x00")
var _complySoc2PoliciesEncryptionMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x58\xcd\x8e\x1c\xb7\xf1\xbf\xf7\x53\x14\x60\xe0\x8f\x7f\x56\x33\xa3\x48\x81\x8d\x78\x83\x1c\x94\xcd\x1e\x14\x07\xca\xc2\xbb\x91\x2f\xb9\x54\x93\x35\xdd\xe5\x65\x93\x1d\x92\x3d\xe3\x16\x74\xf0\x6b\xf8\xf5\xfc\x24\x41\x15\xbb\xe7\x7b\x01\x59\xf2\x61\xfb\x32\x33\x35\x64\xb1\x3e\x7e\x55\xac\x5f\x7b\xec\xe8\x1a\x6e\xbd\x89\x63\x9f\x39\x78\xb8\x0b\x8e\xcd\x58\xa1\x89\xc1\x8f\xdd\x35\xdc\xde\x55\x09\x33\xa7\x35\x53\xba\xae\x00\x1e\xee\x6f\xe4\x03\x60\x09\x37\x37\xdf\xae\xbe\xad\x3a\xfc\x31\xc4\xef\x69\xc3\x89\x83\xd7\x25\x4b\xb0\x98\xe9\x1a\xfe\x31\x78\x78\x05\xaf\xff\xf8\xea\xcf\xba\xc1\x84\xae\x23\x9f\xaf\xe1\xad\xe7\xcc\xe8\xc0\x06\x33\x88\xa4\x5a\x2e\x97\xd5\x57\x70\x37\xc4\x3e\x24\x02\xf4\x16\xee\x4d\xe8\xa9\xaa\x70\x05\x0f\x2d\x27\xe8\xd5\x28\xb0\xb4\x66\x4f\x09\x42\x6c\xd0\xf3\x07\x14\x83\xd1\x41\xa4\xff\x0e\x1c\x49\x54\x25\x58\x87\x08\xb9\x25\x18\x12\x41\x58\x83\xfa\x15\x9a\x88\x7d\xcb\x06\x4c\xf0\x39\x06\x97\x16\x80\x09\xb6\xe4\x9c\x7c\xca\xea\x33\x15\xc7\xfb\x1e\x69\x4c\x0b\x60\x0f\x21\x5a\x8a\x90\x03\xf4\x31\x64\x32\x59\x37\x9b\xe0\xd7\x6c\xc9\x8b\x53\x9c\x47\x59\x98\xa9\x89\xfa\x15\x87\xdc\xca\x3f\x86\xf3\xa8\x9e\xf9\xe0\x23\xf5\x83\x65\xb5\x5e\x4c\x64\xbf\x0e\xb1\xd3\x9f\xab\x33\x97\xb1\xef\x1d\x53\x92\x23\xd1\x39\x48\x63\xca\xd4\xa5\x05\x88\xbd\xbd\x98\xbb\x80\x35\x1a\x76\x9c\x65\x95\x1c\x70\xa0\x0e\xb6\x9c\x5b\xf6\x6a\x64\x92\x88\xca\x71\xf2\xe3\x30\x80\xbf\xfe\xfc\x4b\x3a\xda\x94\xc8\x0c\x62\xbc\xf8\xd8\x44\xec\x8a\x51\x6f\x9c\x03\xea\x7a\x17\x46\xa2\xb4\x28\x91\x44\x93\x43\x4c\x0b\xe8\x31\xe6\x65\xe6\xae\xe4\x2e\x53\xd7\x87\x88\x71\x84\x6d\x88\x8f\x24\x0b\x12\xc5\x0d\x1b\x12\x8d\x1b\xb6\x2a\xd2\x95\xad\xe4\x7b\xd2\x6a\xa1\x1e\x21\xe4\x96\xa2\x7a\xdb\x53\x14\x93\x54\x07\x04\x0f\x35\xb5\xe8\xd6\x97\x1c\x80\x16\x37\xec\x1b\xd9\x64\x83\xba\x7c\x92\xbd\x5d\xd0\xd0\x35\x21\x72\x6e\xe5\x7b\x88\x92\x55\xd9\xd7\x61\xa6\x28\x78\xc4\x48\x90\x86\xfa\x47\xcd\x6b\x80\x7c\x98\x06\x6f\xa1\x1b\x52\x16\x10\xf7\x6e\x2c\xa7\x70\x5e\x55\xd5\x57\xf0\x37\x34\x8f\x4d\x0c\x83\xb7\x4f\x02\x56\x4c\x6e\xb9\x69\xc1\xd1\x86\x1c\x04\x3d\x83\x37\x73\xc6\xba\xde\x29\xf4\x8a\x3b\xec\x53\x8e\x83\x91\xef\x7b\x38\x9f\x65\xec\x22\xbe\xf7\x0e\xaa\x62\x81\xed\x0a\xde\x66\xe0\x04\x1b\xce\xe8\x20\xb7\x98\xcf\x03\x88\x36\xf4\x19\x10\x52\x46\x6f\x31\x5a\x41\x5d\x0c\x68\x5a\x09\xc3\xe5\x0a\x02\x69\x10\x29\x29\x28\x35\x45\x86\x7c\x96\xd4\x1d\x16\x09\xf9\x34\x44\x02\xf2\x76\x99\xc3\x92\xbc\xdd\x61\x6b\x01\xdb\x96\x1d\x01\xba\xa4\xb5\xd4\x85\x2c\xa9\x90\xc2\x89\xa1\xa7\x88\xb5\x40\x7a\x9c\xa2\x39\x37\x8a\xa3\x78\xa6\x9e\x0c\xaf\x4f\x9c\x16\xbb\x37\x64\x35\x6c\x43\xa2\xc5\x79\x61\x3f\xd2\x08\x1d\x7a\x6c\x54\xa6\x61\x9a\x6a\x99\x83\x2f\xb0\x3c\xdb\x33\x24\x31\xee\x20\x10\xa3\xb8\x69\x5c\x18\x2c\x90\xdf\x70\x0c\x5e\x17\x2b\x1c\xa6\x06\x5a\xa0\x70\x12\x68\x85\xd0\xdc\x3a\xd8\x5b\xde\xb0\x1d\x70\x57\xd6\x02\xca\xc3\x4a\xac\x47\xe8\x08\x7d\x7a\xba\x91\x49\xff\x2a\x41\x91\xc2\x87\x07\xac\x1d\xc1\x9f\xae\xa1\xaa\xfe\xd3\x63\x43\x75\x24\x7c\x84\xaa\x7a\xb1\xbc\xf4\x5c\x92\x9e\xc9\x4e\x04\x2f\xaa\x8f\x70\x75\xf5\x0e\x3b\x45\xdf\xbd\xda\xfd\xf2\xea\x0a\x44\x7a\x73\x68\xe2\x24\xdb\xdf\x2c\x93\xe0\x3b\x1a\xe1\x9e\x3f\x90\xfc\x54\x5d\x0f\xa3\xf6\xa5\xab\x2b\x98\x1f\x95\x86\xe0\x0e\x44\x2a\x7b\x33\x27\x5a\xfe\xf8\x08\x47\x4f\xd1\xf5\x76\x1f\xbc\x69\xf3\xc9\xb2\xcb\xb2\x33\x5d\x2f\xfe\x7a\xe9\xb9\x24\x3d\x93\x9d\x08\x24\x5e\x77\x43\xed\xd8\x80\x78\x7e\x78\xe4\xbf\x7a\xf2\xf7\xf7\xff\x3c\x94\xbd\xb9\xbd\x5f\xbe\xfe\xfa\x9b\xbd\xe0\xf5\xd7\xdf\x2c\x6b\xce\x8a\x5a\xf5\xf1\xad\x5f\x47\x2c\xfd\x41\x4a\x4b\xd0\xf9\x99\x3e\x7e\x84\x37\xf3\xdd\x54\xd0\xf6\x25\xf1\xfa\x5d\xf1\x75\xe9\x79\x0e\x76\xfd\x1d\x33\x1e\x8e\x4a\xf0\x05\x79\xfc\x8e\xc6\xf4\x1c\x7d\x7c\xae\xb1\x7f\xcf\x31\x4b\xa7\xbc\x8b\xbc\xc1\x4c\xa7\xb1\x97\xb6\xfd\xc9\xb1\x7f\x47\x59\xaf\xac\xff\x7f\x7f\xf7\xee\x0f\x7b\xf3\x45\xd7\xfb\xbb\x77\xbf\xc5\xc7\x8f\x7a\xc5\x3e\xc7\x78\x5d\x7a\x9e\x83\x5d\x3f\x50\x9d\x38\x13\x1c\x16\xcc\x3e\x8f\x0b\xb8\xb9\xfd\xfe\x01\x3e\x31\x8f\x37\x14\xb3\x4c\x00\x33\x1e\x3e\xdb\x47\xf8\x5d\x9d\xac\x76\xb7\xf0\xd1\x85\x08\x37\xf3\x9d\x5d\x55\xff\xe7\xeb\xd4\xff\xa5\xaa\xea\x15\xdc\xfe\x64\xa8\xcf\xb0\x6d\x29\x52\x19\x7f\xb7\x9c\x48\x46\xb1\x4c\x76\x51\xf0\xa5\x63\x43\x4d\xd3\xdc\xa2\x83\x72\x6e\x89\x23\x84\xad\xa7\x28\x63\x87\x59\x9d\x1c\x76\xb4\x6f\x9a\x38\xc8\x02\x36\x28\xe3\x25\xb8\x90\x64\x88\x6f\xd1\x37\x32\xa2\x80\xa5\xdd\xcc\x29\xda\x85\x75\xe8\x6c\xac\x03\x55\x1f\x59\x42\x8c\xc6\x50\x4a\xf3\xe8\x01\x1d\xc9\x76\x4e\x5d\x19\xd7\x23\x6d\x64\x9e\x1a\xbc\x30\x9e\x10\xf9\x03\x59\x9d\x51\xa5\x32\x6b\x34\x8f\xa2\x6d\xe8\x8b\x5d\x32\x72\x42\xa4\x66\x70\x18\xa1\xc6\xc4\xe2\x82\x5d\xc1\x0f\x2d\xf9\x79\xfa\xb2\x0b\x30\x43\xca\xa1\x93\xa1\xf2\x29\xda\xa2\x23\xd8\xb2\xc6\x44\x16\x52\x58\xe7\xad\x8c\xf0\x21\x42\xef\x30\x2b\x7b\x08\xeb\x35\x45\x1d\xf2\xa7\x50\x68\x6a\x72\x80\x50\x67\x64\x7f\x34\x6d\x45\x6a\x30\x5a\xf6\xcd\x75\xa5\x7c\x95\xcb\x00\x77\x3c\x78\xe5\x20\x19\x1c\xe4\xc0\x63\x16\xc8\xf1\x84\xc8\x4d\x2a\xde\xf8\x11\x0c\xf6\x65\xa0\x55\x26\x27\x23\xb8\xd8\x89\x1b\x64\x37\xdb\x83\xce\x85\xed\x34\x52\xce\x6c\x69\xef\xbf\x2c\x90\x94\xec\xd3\x7e\x4a\x71\x82\x1b\x94\x30\xac\x8e\x6c\x2f\xac\x34\x8f\x73\x00\x4d\x18\x7c\x8e\x62\x45\xc1\x5b\x7e\xc2\x3f\x31\x6f\xf6\x31\xe5\x50\x82\x9a\x23\xfa\xb4\xa6\xf8\x94\x95\xbf\xfe\xfc\x8b\x10\x7f\x5c\xed\x66\xdf\x89\xa3\x1c\xd3\x75\x37\x2e\x77\x63\x3a\xed\x2f\xd3\x39\x41\x4d\xd8\x50\x9c\xc6\x59\x34\x26\x44\x8b\xde\x50\x21\x5c\x62\xae\xc3\x6d\x3a\x76\x67\x94\x29\xbf\xd1\xe9\x3d\xc4\x52\x42\x13\xb8\x94\x53\x4c\x11\x60\x2f\x94\xc3\xb4\x62\x54\x4c\x3b\x7a\x59\x02\x2a\xd7\xc1\xea\xf0\x6a\x57\x6b\x7c\x50\x8b\xe6\x40\x6c\x38\x38\xad\x03\x3f\x4e\x56\xec\xcf\x11\xaa\xc6\xde\xb8\xc1\x2a\x8d\x11\x02\x9c\x5f\xd2\x4f\xf2\x01\x51\x6a\x8b\x0b\x9f\x2b\x71\x39\x70\x5b\x95\x97\x7a\x86\x9b\xd0\xf5\xa2\xdc\x04\x05\x92\xa6\x5d\x19\x91\x9f\xdf\x74\xcc\x04\xad\xd0\xbb\x7f\xaf\xee\x57\x67\x67\xed\xa9\xcb\xcc\xb1\x87\x04\x06\xfd\xce\x93\x89\xb8\x1d\x2b\xae\x85\xbe\xa2\x22\x43\x46\xca\x5a\x18\x8f\x14\x7b\x5f\xde\xc9\xa4\xfd\x3b\x80\x13\xfe\xb4\x6b\x31\x25\x9e\x5a\xf4\x12\x82\x5d\x35\x16\xb8\x0f\x39\x48\x61\x18\x49\xff\xb4\x3d\x9d\x34\x94\x45\x21\x87\xa4\x80\xc3\x86\x16\xda\x36\x86\xbe\x50\xb2\x90\x77\xef\x4b\x0a\xab\xbd\x9f\xe8\x9f\x68\xd4\x82\x9d\x20\x7f\x62\xdf\x8c\xd2\x99\x79\x6d\xd8\x96\x35\xd3\xe1\x02\xf0\x03\x4d\x4b\x4b\x89\x1b\x2f\xbd\xb7\x00\x65\xb1\x47\xde\xc4\x49\x0b\xb1\xd5\x04\xbe\xb4\xa4\x9f\x47\x6d\x44\xcc\x6d\xc8\x53\x14\xac\x48\x3d\x1c\xa6\x5b\x6d\xff\x1c\x6b\x6d\xc7\x9e\x53\x8e\xd3\x19\x5f\x62\xbc\x89\x84\x99\x16\x90\x4c\x4b\x76\x70\x04\x96\x1c\x89\x80\xbc\x74\xa3\x97\x96\x93\x76\xa5\x39\xe6\x05\x47\x89\x32\x0c\x09\x1b\x2a\xef\x36\x66\xa4\xfc\x16\x87\x4a\x27\x99\x2f\x84\xf9\x32\x98\xdf\x70\x48\x9d\x46\xda\xf5\x2a\x69\x73\x3d\xc5\x19\xa0\x8e\xd7\x94\xb9\xa3\x4f\x3d\x4b\x8d\xa7\x72\x02\x66\x70\x84\x29\x43\x90\x4e\x42\x1b\x8a\x23\xbc\x7a\x0d\x5d\xf0\xb9\x15\xe3\xab\xff\x05\x00\x00\xff\xff\x69\xcf\x17\x8d\x05\x15\x00\x00")
func complySoc2PoliciesEncryptionMdBytes() ([]byte, error) {
return bindataRead(
@@ -737,7 +737,7 @@ func complySoc2PoliciesEncryptionMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/encryption.md", size: 151, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/encryption.md", size: 5381, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -757,7 +757,7 @@ func complySoc2PoliciesIncidentMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/incident.md", size: 8552, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/incident.md", size: 8552, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -777,7 +777,7 @@ func complySoc2PoliciesInformationMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/information.md", size: 5359, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/information.md", size: 5359, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -797,12 +797,12 @@ func complySoc2PoliciesLogMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/log.md", size: 4307, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/log.md", size: 4307, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesMediaMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8b\xc1\x4a\xc6\x30\x10\x06\xef\x79\x8a\x0f\x3c\x47\xac\x07\x95\x5c\x73\x52\x28\x94\xd6\x17\x58\x93\xb5\xec\x4f\xb2\x0b\x4d\x5a\xe8\xdb\xff\xb4\xa7\x81\x61\x46\xa9\x72\xc0\xcc\xd5\x0e\xfa\x2b\x8c\x91\xb3\x10\x48\x33\x62\xb1\x3d\x63\xe9\xb6\xd1\xca\x98\xac\x48\x3a\x1d\xa5\xcd\xf4\xac\x01\x63\x9c\x5c\xa3\x2e\xed\x5f\xb8\x05\x07\xfc\x2e\xf1\x02\xe0\x11\xe3\xc7\xeb\xa7\xab\xf4\xb0\x6d\xe6\x43\x9a\x98\xde\x89\x47\xa6\xce\x01\x3f\xbb\x62\xc0\xfb\xdb\xf0\x75\x0f\xc9\x6a\x65\xed\x01\xdf\x2a\x5d\xa8\x20\x5b\xda\x2f\xe3\xbc\xf7\xce\xbd\x20\x5a\x15\x5d\xb1\x98\xe9\x33\x00\x00\xff\xff\xac\xf1\x27\xb5\xaf\x00\x00\x00")
var _complySoc2PoliciesMediaMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x5a\xcd\x6e\x1c\x47\x92\xbe\xf3\x29\x02\xf0\x85\x32\x9a\xdc\xf5\x1e\x76\x17\xba\x59\xa4\x06\xe8\x81\x69\x09\x24\x01\xc3\xc7\xe8\xac\xa8\xae\x30\xb3\x32\xcb\x99\x59\xdd\x6a\x9f\xfc\x1a\x03\xcc\xbc\x9c\x9f\x64\x10\x91\x59\x7f\xfd\x43\x49\x83\x19\xc0\x3a\x48\x54\x77\x65\xc6\xff\x17\x5f\x44\xd1\x61\x4b\x6f\xe1\x91\x5a\xbf\xc3\x8d\x25\x78\xa0\x8a\x11\xd0\x55\x70\x67\x7d\x5f\xc1\x53\xf2\x01\xb7\x04\x1f\xbd\x65\x73\xb8\x42\x13\xbc\x3b\xb4\x6f\xe1\xe1\xee\xe3\x55\xc4\xc4\xb1\x66\x8a\x6f\xaf\x00\x9e\x9f\xee\xe4\x1f\x80\x1b\xb8\xbb\xfb\xdf\xdb\xff\xbb\x6a\xf1\x17\x1f\x1e\x69\xc7\x91\xbd\xd3\x47\x6e\xa0\xc2\x44\x6f\xe1\xaf\xbd\x83\xef\xe0\x7f\xfe\xfb\xbb\xff\xd7\x03\xc6\xb7\x2d\xb9\xf4\x16\xd6\x8e\x13\xa3\x85\xca\x9b\x5e\x3e\xb9\xba\xb9\xb9\xb9\xba\xfa\x06\x3e\xf6\xa1\xf3\x91\x54\xab\x27\xe3\x3b\xba\xba\xc2\x5b\x78\x6e\x38\x42\x18\x15\x6f\x45\xf1\x15\x18\xd5\x3a\x16\xad\xe5\xc4\xbb\xc0\x6e\x0b\x3f\xfb\x3e\xc0\x87\xbd\x83\x7b\xda\xb1\x21\xb8\x7e\xf7\xf3\x87\xfb\x37\xd0\xa9\x59\x50\x51\xcd\x8e\x22\xa4\x86\xc0\x6f\x7e\x21\x93\x78\x47\x71\x05\x81\x7e\xed\x39\x90\x28\x13\xf5\x32\x6e\x3b\xab\xff\x95\x3b\xd9\xc5\x14\x7a\x93\xc4\x3e\xa8\x7d\x50\xb1\xf2\x45\x85\x09\xc1\xbb\x53\xed\xd8\x15\x05\xc9\xed\x38\x78\xa7\x17\xaf\xf4\x66\xef\xa0\xa3\x10\xbd\x43\x6b\x0f\x37\x7e\xef\xa8\x82\x4a\x75\x55\x3d\xb6\x18\x2a\x4b\x31\x82\xaf\xf3\xf5\xc6\x62\x8c\x5c\xb3\x41\x91\x0f\x96\x76\x64\x6f\x27\xc7\x14\xc3\xb0\xeb\x2c\x8b\x61\x1e\xd0\x5a\x60\x57\xfb\xd0\xe6\x13\x22\x54\x6f\xda\x73\x6a\xd8\x65\xdb\xc3\x16\x1d\xff\xa6\x0f\xfc\xf1\xfb\xdf\xe2\xe2\x40\x24\xd3\x07\x4e\x07\xe8\x82\xdf\x06\x6c\x57\x80\x11\xf6\x64\xad\xfc\x2b\xb7\x5f\x0a\xc6\x21\x26\x6a\xb3\xff\x2e\x99\x08\xc4\xa9\xa1\x00\xf9\x43\x1f\xc0\x78\x97\x82\xb7\x96\x2a\xd8\x1c\x4e\x74\xfb\xac\xa1\x7d\xa4\xa0\xbe\x5a\x18\x50\x14\xb9\x60\x70\xb9\x30\x1d\x3a\x36\xa2\x21\xb0\x33\xb6\xaf\x44\xb9\xb6\xb3\xfe\x40\x94\x6d\x50\xd5\xd0\x24\x1f\xe2\xd2\x05\xee\x00\xf4\x29\x51\x70\x68\xa1\xc3\x90\x54\x9f\x06\x93\x64\x38\x01\xbb\xe4\xf5\x2c\x9a\xa4\x2a\x2c\x1c\x33\xd7\xf3\x75\xdb\xe1\xba\xa1\x40\xec\xb0\x4e\x14\x20\x50\x4d\x21\x50\xa5\x86\x47\xf8\xe3\xf7\xbf\xab\xe9\x7f\xfc\xfe\x8f\x37\x4b\x07\xb5\x7d\x4c\xb0\x21\x68\xb1\x22\x08\x84\x15\xdb\x03\xe0\x0e\xd9\x6a\xc4\xe6\x7e\xbb\x95\xa2\x7b\x87\xe6\x65\x1b\x7c\xef\xaa\x13\x5f\xcf\xab\xa5\x0b\xde\x50\xd5\x07\x2a\x15\x80\x35\xd9\x03\xf4\x51\xca\xe0\x4b\xaa\xf3\x62\x42\x24\x0f\x96\x5b\x4e\x39\x47\xad\x97\xd4\x0f\x40\x9f\x3a\x1f\xfb\x40\xb7\x00\x4f\xbd\x69\x44\x66\xab\x71\x1e\xee\x1c\xcc\x8c\x29\xb0\x49\xf6\xb0\x70\x26\x19\xec\x23\xc9\xe3\xa2\x7a\x24\x17\x59\x0a\x3d\x8b\xc8\x91\x42\x97\x4f\x7b\xf1\xa9\xd7\x24\x69\x6f\xe1\x5d\x39\x49\x68\x9a\x72\x3c\xd2\x28\x33\x1d\x3a\x49\x8d\x20\x31\x96\xd8\x38\x91\x4b\x5d\x43\x2d\x05\xb4\xa2\x76\xe7\x43\x52\x3f\xb0\x03\x87\xa9\x0f\xb4\x02\x4e\xa0\x2e\x8d\x91\xe5\x1b\xf1\xde\x49\xa8\xc5\x09\x82\x7c\xf2\x05\x6e\xd8\x4a\xf5\x25\x0f\x7e\x47\x21\x12\xcd\xea\x44\x9f\x58\xe4\xfa\xc2\x02\xe0\xba\x78\x64\xaa\xe2\x98\xd0\x55\x18\xaa\xac\xb9\xf3\x09\x6a\x6f\xad\xdf\x53\x35\xab\xae\x01\x8a\x45\x4e\xe4\x98\x62\xb6\x3e\x90\xb8\xaf\x20\x5f\x47\x21\x21\x3b\x89\x78\xf2\x9f\x89\xf9\xea\xd5\xa0\xdf\xc2\x7b\x71\x70\xb9\x39\x17\x0b\xbb\xf8\xb5\x30\x2c\xbe\x08\xb4\xe5\x98\x82\x3a\x63\x05\x2d\x3a\xdc\xea\x01\xf9\x99\x5d\x22\x87\xce\x14\x6d\x2a\x8e\x9d\x97\x4c\xf0\x4e\xac\xd3\x18\x4b\x48\x67\x69\x95\x3d\xf2\xd3\x80\x1b\x63\x29\xac\x54\x56\xa2\xd0\xce\xb2\x69\x1e\x06\x2d\x4f\x4d\xe6\xf9\xa7\x9a\x6a\x1c\x47\x0c\xa7\x4a\x6a\xf7\xf1\xfd\xd3\xf3\xe3\xfa\xee\xf9\xfd\xbd\x04\xf6\xee\xc3\x8f\x7f\x59\xdf\xbf\xff\xf1\x79\xfd\xfd\x0f\x92\x36\x68\x8c\x0f\x95\x68\x9d\xc1\x43\x04\xdf\x4b\xde\xde\x2d\x1b\x41\x6e\xd4\x70\xad\x92\x49\x1e\xbf\xc6\x37\x6f\xb4\xa4\x1f\x87\x8f\xa2\x9a\x73\xf9\xb4\x7e\xfd\x7d\x8c\x94\x60\xed\x76\xe4\x92\x0f\xf9\xb3\xa7\x21\x79\xd6\xce\x70\x25\x79\xf1\x48\xb1\xf3\x2e\xd2\xfc\xe4\x7b\x67\xc2\xa1\x5b\xdc\xf7\xcd\xfc\xfb\x6f\x8f\xe8\xc6\xb7\x57\xca\x03\xf8\x16\xbe\x3f\xed\x22\xd9\x76\x75\x6c\x5f\x38\x40\xc9\x8b\xb1\xd3\x4a\x02\xb2\x13\x6d\x92\x3f\xad\xa1\x01\x11\x72\x46\x90\x54\xc5\xa5\x6e\x77\x64\xf2\xc2\x89\x1b\x75\xe2\x2b\x7a\x5a\xb9\x5d\xef\x5e\x9c\x9a\xc9\xbf\xe1\x72\x33\xe7\xca\x44\xf8\xb5\xc7\x90\x28\xd8\x03\x6c\x30\xb2\xe6\x09\x39\xc1\xb7\x92\x22\x9a\x25\x31\xb1\xb5\xf3\xa6\x35\xd4\x7c\xc1\xb1\xa3\xc6\x08\xe5\xcf\x77\xb7\xf0\xec\xe7\x52\x0f\x80\x0e\x38\x51\x9b\xb3\x56\x2a\x2f\x0c\x77\x1c\x1b\xa3\x4a\x9b\x86\xcc\xcb\xe0\x2c\x39\x38\x65\xde\x89\xeb\xd6\xb3\xf4\x1e\xb3\xe4\x41\xcb\x2e\xc0\xf5\xfa\xe9\xe1\xcd\x91\x6a\x0d\xc1\xfa\xe9\x21\x0b\x4a\x81\x30\x69\xff\x3c\xd6\x63\x00\x65\x81\xa7\x0d\x81\xf5\x06\x53\xae\x16\xeb\x63\xca\xf5\x8b\x13\xa6\xf1\x90\x96\x81\x04\x72\x47\xdf\x5b\xbf\xdd\xe6\xd8\x9c\x2b\xa3\xcf\x66\xf5\x22\x11\xcc\x3c\x11\x9e\xbf\xcc\x91\xde\x55\xbd\x49\xda\x61\xb1\xeb\x82\xef\x02\x63\xa2\x39\x14\x15\xa4\xce\x6e\x96\xd0\xbb\x44\x61\x87\x36\x2e\x0e\x94\xfc\x1e\xd0\xa9\x20\x6c\x94\x4e\x88\x02\x27\x84\x52\x15\x2b\xc8\xb1\x48\xfa\xb3\xc5\x0d\x59\xfd\x89\x92\xf9\x72\xcd\x57\xb0\x97\x5e\x06\x9d\x50\x1d\x21\x44\xab\x6c\xcb\x3c\x3f\xd1\x01\x5a\x25\x3c\x49\x9b\xd1\x06\xcd\x4b\xdf\x81\xf1\xdd\x61\xb8\x75\x0e\x7b\x43\xf4\x8a\xa9\x19\xf4\x81\x3e\x49\x5f\x99\x14\x7b\x3c\xe7\xc1\xa9\x27\x4b\x0c\x95\x66\x40\x67\xd1\x14\x45\x1a\xa1\x5f\x10\xa8\xea\x0d\x55\x10\x38\xbe\x88\xfc\x9a\x83\xaa\x55\x5b\xef\xab\x8c\x16\xad\x80\x39\x8c\xb2\xd6\x85\x09\x94\x46\xae\xce\x1f\xbb\xce\x59\x44\x5f\x9d\x8d\xf0\xdb\x45\x6e\xbf\x5b\x2a\x6b\xbd\x79\xa1\x0a\x0c\x6e\xd8\x51\x12\x85\xaa\x80\x7b\x0a\xcb\x82\x90\x41\x4b\xb2\x40\xa8\x43\xc6\x4f\xaa\x66\xc4\x44\x70\x40\xd2\x94\xf2\xf7\xdc\x35\x03\x92\x9d\xcb\xe8\x13\x04\x5e\x64\x70\x75\x0c\x65\x17\xe6\x95\x91\x8b\x0d\x21\xa0\x80\x91\xaa\x15\x94\x1e\x5b\x02\x38\x7c\x5b\x51\x4c\xc1\x1f\xe4\x81\x0d\xd5\x62\x4d\xc6\xaf\x40\x7d\xcc\xa4\x3e\x77\x5a\xf9\xb9\x9e\x14\xf8\xa9\xa1\xcb\x92\x85\x9a\x0c\xa7\x56\x73\xa1\x39\x75\x55\x74\x8e\x8e\x7e\x29\x88\x12\xfd\x08\x9e\x85\xcd\xe9\xe5\x54\x41\x1d\x7c\xbb\x04\xe7\xdc\xd7\xbf\x5d\x8c\xba\xcb\x6e\xb4\x64\xac\x03\x63\xff\xcf\xf4\xa4\xa5\x6a\xf0\x38\xa3\x30\xd0\xe2\x41\x0e\x48\xb0\xdb\xce\x72\x6c\xf2\x70\xd0\xa2\xeb\x33\xc5\xc4\x3e\xf9\x56\xcb\xab\x25\x74\x52\x4f\x9f\x37\xe3\xcf\xd1\xb2\xfe\x64\x6d\x0a\x1e\xe7\xba\xfc\x0b\x7e\xbf\x04\xb0\xe7\x62\xf0\xd5\xfd\xa1\x1c\x43\x69\x71\xdb\xde\x62\x98\x75\x0a\x65\x99\x3a\xb2\x0e\x8f\x19\xef\x6a\xde\xf6\x03\x0d\x46\x63\x28\xc6\x21\x18\x2b\x49\x52\x75\x87\xdc\xdf\x7a\xc7\x79\x7d\x71\xd4\x28\xee\x0b\x38\x9c\x4f\xa1\x29\x55\x3a\xcb\x19\xde\x65\x94\x4c\x60\x09\x63\x02\xef\x08\xbc\x4e\xf6\x5d\x73\x88\xd2\x46\x72\x17\xd0\xb8\xdf\x53\x47\x4e\x81\xb9\x18\xb7\x14\xd1\x05\xbf\xe3\x8a\xc2\x2a\x33\xee\x41\xc2\xbc\x1a\xb2\xef\xcb\xb8\x3e\x18\xab\x03\xcc\x3c\x08\x27\x95\xa7\x28\x2b\x95\x7b\x5e\x60\x9c\x66\xc1\x8a\x5a\xef\xb4\x08\x69\x35\xec\x28\x52\x13\x7c\xbf\x6d\x26\xd6\x81\xc6\x04\xaa\x38\x15\x2f\x4f\x67\xf4\xbf\xc9\xf7\x41\x21\x33\xfb\x41\xb3\x24\x0b\x48\x0d\x71\x80\x1a\x8d\x0c\x76\x5c\xd0\x2e\xa3\xbc\x60\xa8\x4f\xcd\xe8\x35\x99\xd5\x5d\x05\x64\xc9\xa4\xe0\x5d\xfe\x68\x55\xe6\xec\x0d\xc5\x34\xf4\x69\x9a\x65\xe0\xfa\x95\xbc\xfb\x5c\x97\xcb\xc5\x3c\xab\x96\xb1\x07\x8c\xcd\xe9\x4c\xef\x59\x34\x99\xa3\x14\x5a\x36\x91\x0c\xc6\xfa\xd7\xf9\xc4\xca\xa6\x21\x24\x32\x8d\xf3\xd6\x6f\xb3\x07\x74\xdf\x10\xe3\xd8\x14\xb5\x5c\x76\xd3\xa6\x64\xfd\xf4\x30\xeb\xef\xda\x5b\xca\xc8\x8f\xe7\x1d\x21\x43\x2e\x47\x71\x07\xbb\x7e\x68\x32\xe5\xbb\x7f\x6b\x93\xf9\x78\x3c\xf4\xe6\x4d\x64\x9c\xfa\xcd\x87\x59\xa2\xa2\x3d\x6a\xfe\x4a\x28\x56\x90\x02\xba\x58\x56\x3e\x3e\x0c\xee\xa0\x57\xf7\x87\xa2\x9b\xc6\xba\x77\x15\x9d\x6e\x19\x14\x18\xd5\xd4\xd8\x70\x97\x39\xf5\x49\xc7\x0a\x94\xd3\x45\x51\x98\xb7\x8d\xf6\xb5\x01\xd5\x95\x80\xaa\xba\xb4\x23\x29\x65\xad\x8f\xdc\x0a\x84\xb9\x9f\xe0\x78\x56\x6c\x59\xa6\xe2\x56\x2d\x73\xa5\xde\xe3\x4e\xa4\x60\xa3\xa2\xc4\x8e\x82\x40\xe4\x34\xcd\xcb\x7d\x97\xb7\xa6\x13\x1e\x2e\xf9\xd9\xda\xc5\x84\xd6\x4e\x6b\xd0\x05\xce\xd6\xf0\xe0\x37\x6c\x69\xd8\x14\x3f\x4c\xd2\xae\x1f\xee\x1f\xde\x40\xf4\x75\xda\xe3\xd0\xf0\x24\xfc\x54\xd7\x79\x65\x6c\x0f\x45\xb9\xd5\xe8\x1b\xb9\x7f\xcf\x5d\x59\x32\xbd\x12\x81\xe1\x80\x26\xd0\xc5\x0d\xc9\xc2\x90\x07\xd1\x1b\x33\xc9\xe4\xa8\xde\xf8\xc5\x6f\x20\x71\xb2\x79\x57\xf9\x5f\x92\x22\x7a\x55\x14\xb0\x6c\x7c\xe0\xdf\x32\x42\x4b\x51\x5c\xcc\x97\x73\xbb\x28\xd5\x71\x23\x55\x49\x71\xb9\xf7\xd4\xe5\x54\x37\x82\x73\x1c\x37\xcb\x1b\x8c\xc3\x06\x74\x6a\xa3\x39\x5b\xd5\xc8\x9c\x36\x5f\x68\xd8\x42\x42\x17\x7c\xc3\x1b\x4e\xc3\x4d\x5a\xe2\xaf\x2d\xd0\x15\x3c\x85\xa6\xe8\x96\x4a\x34\x2a\x3c\x32\x2f\x8a\x25\x9a\xa8\x31\x1d\x97\x7b\x81\xf2\xc2\x4c\xe4\x4d\x89\x3a\x2b\x62\x9d\x14\xb9\xe6\xb2\xd7\x9b\x90\xf2\xfa\xe3\x7a\xfd\x46\x2d\x2e\x53\xeb\x50\xbb\xb3\x62\x0d\x93\x2b\xca\xe4\x9b\xb8\xa5\xcc\xb0\x2e\x58\xb1\xac\x96\xbc\xab\x53\x88\x34\x86\xba\xbc\x5d\xec\x55\xef\xd9\xae\x6c\xc0\x5c\xbf\x89\x14\x0a\x4a\x8e\xab\xf1\x4b\xde\x5a\x16\x8b\xb0\x47\x7f\x06\x98\x86\xab\x65\xe6\xa3\x0a\xfa\xee\x2c\x27\x39\x0a\xeb\xfd\x43\x89\x44\xd5\x79\x76\xd2\xb4\x7c\x2a\xcb\xbe\xb1\xaa\x86\x8b\x39\x57\xe9\xc9\xbc\x88\x99\x27\x89\xbf\x8e\xae\x7f\x3a\xbb\x82\x5b\x6c\x42\x8f\x67\x96\xaf\xee\x66\xb3\xf5\xc5\xd1\x55\xa5\x71\x8f\x8d\xab\xc3\x18\xf7\x3e\x48\xdc\xd9\xad\xa0\x77\x32\x07\x42\x87\x49\x06\xe6\x15\xd4\xec\xb6\x14\xba\x20\x6e\xf0\x01\x24\x6a\x3b\xb4\x82\x32\x23\xaf\x68\xc9\x34\xe8\x38\xb6\xaf\xcb\x56\x36\x63\xbc\x73\x64\x14\x95\xb3\x22\xc5\xd1\x83\x79\x7b\x0e\xa4\xef\x8f\x1c\xa5\xbd\x0f\x2f\x47\xae\x2b\x8d\x32\x57\xc7\x34\x64\xf5\x29\x72\x45\xe7\x58\xbb\xc2\x41\x17\xa8\xe5\x28\xf5\xc5\x65\xd7\x32\xec\x69\xa8\x4e\xd0\x3b\xb1\xd5\x55\x92\xfa\xba\xb4\xad\xc7\x6d\xf7\x6a\x4e\x6c\x8a\xe3\xbe\x44\x21\x76\xd0\xf5\x1b\xcb\x46\x2a\x16\xe3\x7c\x42\xc8\x8b\x24\x7c\x91\xd1\x00\xa3\xbe\x90\x38\x1a\x4d\xf4\x1e\x7d\x75\x36\xee\x93\x02\xe1\xb2\x18\xa5\x3e\xdc\x0c\x29\x0b\x78\x2e\x75\xfb\x88\xc9\x34\xe5\x65\x50\xdf\x55\x98\x66\x23\xf2\x94\xb5\xa5\x16\xec\x61\x79\xf8\x6e\xda\xf9\x9e\xa3\x57\xa5\x22\x3e\x9b\x90\x78\x39\x21\x17\xac\x45\xb5\x19\x69\x4b\x99\xcb\xe7\x1e\x8d\xf3\xa9\x7c\x05\xd1\xdb\x3c\xe0\x17\x32\x9c\xe9\xbc\x30\xf0\x50\xe9\x4b\xad\x43\x7e\xcf\x43\x61\xc7\x86\xdd\x76\xa9\xc5\x3a\xbf\xd3\x98\xd0\x39\xf9\x19\x9a\xc8\x1f\x54\x44\xf1\xfb\xb1\x9a\xf3\x48\x22\x77\xa2\x3b\xc8\xb8\x40\x9f\x04\xcf\x80\x53\x21\x25\xb7\xe3\xf9\xe3\x8b\xf2\xca\x84\xad\xa5\x2d\x0a\x2b\x48\x14\x58\xe6\xa0\x45\xa9\xdf\x9e\xc8\x2f\xed\x5f\x2a\x92\x0d\x39\xb1\x7c\x00\x9f\xd3\x87\x7f\xf0\x9a\xa4\x37\x8a\x22\x63\x4d\xc7\xd3\x07\x9f\x0b\x31\x3b\x0b\x96\xc9\x17\xf6\x3f\x74\xd8\x7d\xc3\xa6\x81\x06\x77\x54\x4a\x86\xdc\x09\x95\x3d\xb3\xd7\xbd\x38\xd1\x04\x52\x80\x5f\xd2\xb3\x1d\xd3\x7e\x05\x32\x99\xac\x06\x32\x50\x91\xa5\x44\xda\x70\x8e\xf4\x3c\xf7\x7e\xe2\x6c\xe3\x5a\x30\xd0\x33\x9e\xfe\x3a\x1d\xcb\x08\x0a\x75\x6f\x6d\xd6\xae\xbc\x86\x91\x08\xf9\x5a\xd3\x60\x58\x4f\xcd\xd3\xb6\x56\xea\x2d\x44\x71\x1a\xd8\x1c\x89\x96\x18\x0e\x23\x81\x99\xf5\x17\x5f\x83\x8c\xf0\xe8\x0e\x37\x81\x2c\x0e\xdb\xb5\x95\x56\x96\xef\xd3\xb0\xa6\x88\x85\x56\x1e\xef\x9a\x5e\xb1\x6e\xcf\xd6\x6a\x18\x3b\xcc\x91\x9b\xde\x17\x5f\x8f\x00\xa5\x2d\x37\xff\xd2\x81\x78\xbf\xa6\x4c\x6f\x4f\x20\x4e\x3e\x14\x80\x86\x2e\xff\xd6\xc3\xf1\x46\xe1\x44\xb0\x08\x2d\xe5\x03\x8e\xf6\x47\xf4\xd4\x11\x55\x8a\x84\x0b\x6c\xca\xc4\x5a\xbd\x21\x7c\x60\xb9\x0d\x1c\xfb\xcf\x26\x10\x2a\xd0\x0d\x0e\xcb\xf1\x3a\xcf\x19\x67\x8b\x00\x1f\x14\xbf\x5a\xdd\xd1\x24\x21\xc5\x65\x07\x96\x87\xb3\x7f\x06\x00\x00\xff\xff\xae\x5e\x22\x54\x73\x22\x00\x00")
func complySoc2PoliciesMediaMdBytes() ([]byte, error) {
return bindataRead(
@@ -817,7 +817,7 @@ func complySoc2PoliciesMediaMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/media.md", size: 175, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/media.md", size: 8819, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -837,7 +837,7 @@ func complySoc2PoliciesOfficeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/office.md", size: 3927, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/office.md", size: 3927, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -857,7 +857,7 @@ func complySoc2PoliciesPasswordMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/password.md", size: 1796, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/password.md", size: 1796, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -877,7 +877,7 @@ func complySoc2PoliciesPolicyMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/policy.md", size: 892, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/policy.md", size: 892, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -897,7 +897,7 @@ func complySoc2PoliciesPrivacyMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/privacy.md", size: 346, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/privacy.md", size: 346, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -917,12 +917,12 @@ func complySoc2PoliciesProcessingMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/processing.md", size: 210, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/processing.md", size: 210, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesRemoteMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x4c\xcb\x31\x8a\xc3\x30\x10\x85\xe1\x5e\xa7\x78\xb0\xb5\x96\xb5\x8b\xdd\x45\x9d\x11\x29\x92\xca\xd8\xb9\x80\x90\x27\x61\x82\x67\x06\x2c\x39\xe0\xdb\x07\xbb\x72\xf5\x7e\x1e\x7c\x9a\x84\x02\x06\x12\xab\x84\x2e\x67\x2a\x05\xbd\xcd\x9c\x37\x97\xf2\x62\xba\x49\xc0\x70\xe9\x7a\x57\x52\xe5\xf2\x60\x2a\xc1\x01\xf7\x31\xee\x03\x78\xc4\xf8\xfb\xdd\x9c\xba\x3d\xf5\x9f\x93\xf4\xb2\x65\xa0\x37\x17\x36\x3d\xa8\xc7\x94\x2a\x05\xdc\x56\x45\x83\xf6\xa7\xf9\x3f\x40\x36\x11\xd2\x1a\x70\x55\xae\x9c\x66\x4c\x96\xd7\xfd\x71\xde\x7b\xe7\xbe\x10\x4d\x58\x9f\x18\xcd\xf4\x13\x00\x00\xff\xff\x4e\x47\x83\x97\xb4\x00\x00\x00")
var _complySoc2PoliciesRemoteMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x94\x57\xcd\x72\xdc\xc8\x0d\xbe\xcf\x53\xa0\x2a\x17\x5b\x35\x9a\x8d\xf7\x90\xa4\xb4\x27\x47\x71\x55\x9c\xaa\x64\x55\xb2\x37\x7b\xee\x69\x82\x43\x44\xcd\x06\x83\x06\x35\xa6\x4f\x7e\x8d\x54\x25\x2f\xe7\x27\x49\x01\x4d\x72\x46\x96\x64\x25\xa7\xf9\x61\xff\x7c\xc0\xf7\xe1\x03\x98\x43\x8f\x57\x70\x8b\x3d\x2b\xc2\xdb\x18\xb1\x14\xb8\xe1\x44\x71\xda\x84\x28\x9c\xa7\xfe\x0a\x6e\xdf\xbd\xbd\xd9\x94\xa0\x54\x5a\xc2\x72\xb5\x01\xf8\xf8\xe1\xda\x3e\x00\x2e\xe1\xfa\xfa\x77\xbb\x37\x67\xdf\x7f\x3c\xfb\xfe\xfb\x4d\x1f\xfe\xc1\x72\x8b\xf7\x54\x88\xb3\x6f\xbd\x84\x26\x28\x5e\xc1\x5f\xc6\x0c\x6f\xe0\xc7\xdf\xbe\xf9\x83\x6f\x88\xdc\xf7\x98\xf5\x0a\xde\x67\x52\x0a\x09\x1a\x8e\xa3\xfd\xb3\xb9\xbc\xbc\xdc\x6c\x7e\x03\x37\xa3\x0c\x5c\x10\x42\x6e\xe0\x43\xe4\x01\x37\x9b\xb0\x83\x8f\x1d\xc2\x30\x3f\xe1\x16\xb4\xa3\x02\x83\xc3\x07\x2a\xa0\x0c\x0d\xb6\x94\x11\x04\xff\x39\x92\xa0\x1d\x58\xa0\x65\x81\xc8\x39\x63\x54\xca\x07\x5b\xa5\x1d\x02\xcb\x21\x64\xfa\x1c\x94\x38\x7f\xfd\xf2\xaf\x02\x65\x2a\x8a\x7d\xf1\x1b\x33\xea\x91\xe5\xae\x40\x2b\xdc\x83\xd4\x74\x75\x5c\xb4\x6c\x81\x72\x4c\x63\x63\x27\x0d\x28\x85\x73\x48\x69\xba\xe4\x63\xc6\x06\x1a\xbc\xa7\x88\xbe\x06\x58\x1a\x14\xbb\xac\xa7\x4c\x3d\x7d\x46\x4b\x44\x80\xc4\xa5\xfc\x80\x9f\x06\x2e\xa3\xe0\x6e\x0e\xea\x14\x45\x18\x86\x44\xe8\xa1\x84\x94\x60\x2c\x28\xc5\x22\xa5\xdc\xb2\xf4\x0e\x76\x05\x7a\x24\xed\x28\x3f\x0a\x66\x3e\x50\xa7\x81\xa2\x61\x9b\x01\x63\x01\xec\x87\xc4\x13\x62\x8d\x31\x72\x56\x09\x51\x59\xca\x16\x42\x81\x23\xa6\x64\x9f\x21\x4f\x80\x9f\x14\x25\x87\x04\x43\x10\x75\x3c\x5d\x50\x23\x0d\x81\xb2\xb2\xef\x0d\x51\x1d\xc2\x83\xc4\x9d\xe3\xf4\x0b\x38\x25\x6c\x60\x3f\x3d\x82\x09\xaf\x3a\x14\xa4\x1c\x5a\x45\x01\xc1\x16\x45\xb0\xf1\xc0\x0b\x7c\xfd\xf2\x6f\x0f\xfd\xeb\x97\xff\xbc\x7e\x98\xa0\x7e\x2c\x0a\x7b\x84\x3e\x34\x46\x73\x68\x28\x4d\x10\x5c\xc8\xb4\x4f\xf8\x20\x71\x3b\x13\xd2\x1f\x43\xbc\x3b\x08\x8f\xb9\x59\x15\x44\x59\x31\xeb\xd3\x02\x5a\xd9\x7a\x52\x23\x0b\x71\x2e\xb5\xd0\x87\x03\x16\x38\x76\x14\x3b\xe8\xc3\x04\x82\x65\x4c\x5a\x35\x63\xdb\xc7\x1c\x46\xed\x58\xe8\x33\x36\x8b\x88\xc6\xaa\x5c\xc1\xc2\xa3\xcc\x5a\x59\xf4\xb4\x1f\x15\x32\x2b\x24\xea\x49\x3d\x17\x57\x7e\x8e\x69\xc6\x36\x15\xcc\x85\x94\xee\x71\x6b\x54\x0c\x46\x54\xe4\xdc\x52\x83\xb9\xd6\x90\x09\xac\xb2\xa0\x98\x12\x46\x1d\x8d\x42\xe1\x01\x45\xa7\x9f\x66\xc4\xcf\x16\xc0\x30\xee\x13\x45\x20\x5b\xf4\xe2\x62\xbb\xc2\x15\x32\xb3\xff\x93\x5f\x6c\xc5\xe7\x42\xf8\x81\x05\x58\x3b\x14\xfb\x2b\xe4\x68\xf0\x12\x85\x3d\x25\x72\x3d\x51\x8e\xa3\xf3\x6d\x82\x5b\x12\x67\x21\x8e\xb1\xf3\x78\xb1\xd4\xe2\xf8\x75\x11\xf9\x4a\xd4\xd6\x01\xb5\x9c\x12\x1f\x2d\x6b\x5e\xf2\x64\xc0\x8a\x97\xcf\x74\xb5\x71\x8b\xa1\x1d\x5c\xfc\x95\xf7\x94\xd0\xb3\x35\x7a\xf1\x9b\x2f\x0c\xee\x3c\x17\xa7\xba\x18\x58\x34\xec\xd7\x75\x68\x05\xd1\xd7\x9d\x43\xc7\xd9\x48\x2a\x7d\x10\x5d\x7f\xf5\xd8\xb3\x4c\x10\x83\x34\x55\xf6\x35\xd4\x79\xcf\x7a\x87\x91\xdd\xb8\xfd\x14\x65\x09\x07\xdc\x1a\x19\x2e\xd5\x7c\xf0\x7d\x2a\x21\x97\x16\xc5\x42\x37\xf6\x76\x27\xe8\xb7\x27\xd3\x31\xac\x65\xb6\xb6\x9a\xb1\xfc\x84\x21\x6c\x21\x73\x63\x4c\x2d\xee\x55\x8b\x96\x8a\x6b\x6a\xcc\x66\x47\x0d\x09\x46\x5d\x2a\xb3\x56\xc0\x37\xee\x71\x42\xf0\x11\x13\xda\x39\x57\x17\xbe\xca\xea\x9d\x5b\x18\x1d\x7c\xff\x6c\x62\x3d\xae\x73\xc7\x34\x09\x0d\x28\x06\x17\x1c\x16\x8f\x5a\xa8\x79\xa6\xc2\x86\x6e\x2a\xe6\x5b\x30\x08\xf6\x64\x32\x80\x05\x87\x93\xcd\x58\xe3\x99\xc9\xab\x75\x56\x6b\xea\x01\x65\x5e\xfb\x73\x67\x33\x1d\x5d\x7c\xc0\x38\x0a\xe9\x04\xb7\xdf\xf6\x86\x39\xd3\x7f\x76\xb0\x86\x7e\x56\xcd\xf5\x1a\xdc\xbb\x25\xb8\x8b\x35\x3b\xd7\x61\xf4\xdc\x2f\x7e\x84\x9f\x50\x22\x19\xdf\xc7\x0e\xf3\xf7\xf2\x63\x42\x4e\x21\x62\x63\x54\xb9\x42\x28\xc3\x98\xcf\xdc\xb2\x0c\x21\x62\xa9\xb5\x10\x0a\xdc\x63\x47\x31\x99\xee\xe6\x0a\xad\xcf\xb7\xd0\xb1\x62\x02\x61\xee\x5d\x93\xe8\x17\xf9\xd9\x65\xeb\xce\x80\x82\x39\x22\x44\xcc\x55\xd4\x27\xa9\x8e\x79\x10\x56\x8c\x66\x33\x41\x30\x94\x17\x58\x59\xc8\x58\xe3\xff\xd5\xa2\xac\x5a\x78\x40\xb6\x5d\xf1\x7c\xf0\xdb\xb9\xa3\x79\xd6\x34\xdc\xa1\xd5\x10\xce\x42\x3d\x53\x34\xd7\xb6\x56\xfb\x29\xbc\xc2\xdd\x61\x07\x0d\x95\x21\x85\xc9\xf2\x56\x9f\x96\x28\x88\xf9\x35\xc4\x90\x4d\x11\xfb\xda\x0f\xac\xd7\x3c\x30\xde\xda\xa5\x0b\x50\x7b\x7e\x26\x15\xd8\xa3\x61\x73\x06\x6a\x4b\xb3\x09\xe1\xc5\xf1\x80\xa5\xaa\xd8\x5b\xdf\x93\x2b\x1f\x16\xf2\xed\x79\x76\x16\xb5\x8c\x83\x4d\x45\x8d\x67\x6b\x08\x1a\xbb\xd9\x27\xdc\xed\x83\x62\x51\x28\x8b\x5e\xeb\xda\x62\x51\x07\x85\x84\xa1\x28\x04\xe8\x39\x6b\x97\x26\xd8\x87\x42\xe5\x7b\xb7\x75\xe1\x1e\x01\x73\x33\x30\x65\x85\x99\x75\x77\x0d\x6e\xf5\x68\xd9\xaf\xe9\xed\x43\xf2\x5f\xc5\xd2\x89\xf2\x1a\x28\x17\x0d\xae\x47\x43\xb9\x22\x56\xef\xaf\x4a\xfd\xb9\x1a\x6e\xe6\x1c\xbf\x68\x0e\xdc\xb6\x97\x8b\x98\x4c\x78\x66\xfd\x03\xe7\xda\xbb\x2d\x03\x82\x87\x31\x05\x81\x7d\x88\x77\xe3\xe0\x6d\xef\x3c\xc1\x4b\x97\x73\xc5\x08\x9a\x62\xcb\xa2\x87\x13\xbb\x27\x60\xf3\x88\xfb\x12\xa9\x0b\x2f\x0d\x67\x3b\x47\x78\x3c\x74\xe6\xb2\x98\xa3\x4c\xc3\xc2\x94\x89\xca\x5a\x6d\xf4\x4c\xfc\xfd\xe6\x6f\xeb\x58\xc9\xb9\xea\xa1\x1f\x93\xd2\x65\xeb\x53\xd5\xf9\x72\x5b\x80\xd9\x7a\x4c\xb3\x83\xb7\xeb\x60\x57\xc7\xd4\xb3\x1a\xaa\x83\xcc\x0a\x67\x10\xae\xa3\xb4\xd9\x8a\x9d\xef\x77\x0a\xce\x0d\xbf\x9c\x46\x8d\x27\xfa\xf3\xa9\x9a\x14\x63\x97\x39\xf1\x61\x02\xc5\xd0\xef\xfc\x98\x3b\x9c\x4e\x17\x09\xeb\xc2\x6e\x15\x98\x1e\xad\x48\x06\x14\x98\x30\x88\xe9\xea\x9e\xe7\x38\xb8\x7d\xbc\x7f\x76\x63\xb7\x32\x83\xf3\x73\xdb\xee\x39\x88\x4f\x35\xd5\x84\x77\xb0\x72\xf2\xfe\xbc\x75\x29\x4b\xad\xe8\xef\x88\x66\xf5\xd8\x95\x8d\xaa\xb3\x2e\x48\x03\x8d\xd0\x3d\x42\x3b\xa6\x64\x0e\x71\xb7\x2c\xaa\xad\xec\xfb\xc6\xbf\x34\x96\x93\xab\xbf\x5b\x27\xe4\xe5\xce\x32\x60\xa4\x76\x9e\xa4\xcf\x5c\xc5\xab\x75\xde\x6f\x51\x1f\x85\x1c\xf5\xc2\x08\x09\x74\x95\xda\x3e\xe4\x70\x40\x81\x93\x28\x7f\xce\x69\x9a\x95\xea\x5c\x85\x52\xe8\x60\x1c\xdb\x5b\x84\x78\x83\x40\xe9\x49\xeb\x0c\xe8\xed\x6d\xd6\x87\x75\xf8\x97\x3c\x76\x07\xbf\x9c\xdb\x5f\x55\xda\xab\xa5\x99\xb8\xfd\x17\x48\x74\x6f\x9b\x66\x33\xf3\x71\x44\xe7\x59\x73\xa6\xf9\x68\xe3\xf9\x59\x88\x65\x69\xe2\xd8\xbc\xf6\xca\x35\xcf\x7d\x84\xd3\xaf\x99\x5f\x83\x4e\x01\xff\xa9\xfe\xb1\x26\xf5\x01\x3c\xbb\x3c\xa2\xa8\x67\x59\xb1\xac\xbb\x7e\x71\xe4\xf3\xad\xfe\xe6\xb6\x80\x79\xca\x38\x7c\x44\x19\x6c\xd8\x15\x0a\x8a\x75\x32\x3e\x8c\xb2\x8a\x76\x89\x2e\xad\xf3\xd1\x3a\x9e\x3d\x7e\x3b\x7c\xef\xe3\x2d\xea\x9c\x16\x3a\x23\x7b\xc9\xd0\xee\x7f\x00\xea\x01\xcf\x9e\xfb\xfc\x1c\xfd\x68\x54\x07\xa1\x43\x67\xef\x9a\x48\x75\x86\xb6\x11\x72\xb1\xeb\x75\xb2\xee\x83\xa2\xb8\x0d\xb8\x1b\xda\xb3\x41\xb0\xb8\xcd\xe6\xff\x4b\x31\x9b\xff\x06\x00\x00\xff\xff\xfd\x98\xef\x1a\x17\x10\x00\x00")
func complySoc2PoliciesRemoteMdBytes() ([]byte, error) {
return bindataRead(
@@ -937,7 +937,7 @@ func complySoc2PoliciesRemoteMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/remote.md", size: 180, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/remote.md", size: 4119, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -957,12 +957,12 @@ func complySoc2PoliciesRetentionMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/retention.md", size: 6811, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/retention.md", size: 6811, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesRiskMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8d\x41\x0a\xc2\x30\x10\x45\xf7\x73\x8a\x0f\xae\x23\xd6\x95\x66\x57\xb2\xaa\xab\xd2\x7a\x81\x90\x46\x19\x6d\x66\xa0\x93\x0a\xbd\xbd\xb4\xab\x0f\x9f\xf7\x78\x12\x4b\xf6\x18\xd8\xbe\x68\xcd\xb2\x59\xc9\x52\xd1\xeb\xcc\x69\xa3\x98\x16\x95\xad\x78\x0c\x5d\xdb\x93\xc5\xca\xf6\xe2\x6c\x9e\x80\xe7\x18\xf6\x01\x1c\x42\xb8\x9f\x1b\x2a\xf1\xa3\xcb\x90\x7f\x6c\xac\x72\x20\x0e\x53\xac\xd9\xe3\xb1\x0a\x1a\x5c\x2f\xcd\xed\x10\x92\x96\xbd\xe1\xd1\x09\x57\x8e\x33\x26\x4d\xeb\xfe\x90\x73\x8e\xe8\x84\xa0\x85\xe5\x8d\x51\x55\xfe\x01\x00\x00\xff\xff\x7a\xe5\x35\x49\x9e\x00\x00\x00")
var _complySoc2PoliciesRiskMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x5a\xcd\x92\x1b\xb7\x11\xbe\xf3\x29\xba\x2a\x55\x89\xbc\xa6\xc6\x96\xed\x43\xb2\xaa\x1c\x36\x8a\x53\x51\x4a\xb1\x5d\xab\xcd\x03\x80\x98\x1e\x0e\x2c\x0c\x30\x46\x63\xc8\xa5\x4b\x87\xbc\x46\x5e\x2f\x4f\x92\xea\x06\xe6\x97\xdc\x15\xe9\xad\x52\x2e\xcb\x8b\xad\x59\x00\xfd\xf7\xe1\xeb\x06\x1a\x4e\x35\x78\x0d\xb7\x86\x3e\xc0\x0d\x11\x12\x35\xe8\x22\xfc\xe4\xad\xd1\x87\x95\xd2\xc1\xbb\x43\x73\x0d\xb7\x6f\x6f\x7e\x5a\x91\x8a\x86\x2a\x83\x74\xbd\x02\xb8\x7b\xff\x86\xff\x03\xf0\x12\xde\xbc\xf9\x53\xf1\x6a\xd5\xa8\x9f\x7d\xb8\xc5\x9d\x21\xe3\x9d\x0c\x79\x09\xa5\x8a\x78\x0d\xff\xe8\x1c\xbc\x82\x6f\xbe\x7e\xf5\x47\x99\xa0\x7d\xc3\x32\xae\xe1\xad\x33\xd1\x28\x0b\xa5\xd7\x1d\x7f\x59\xbd\x7c\xf9\x72\xb5\xfa\x1d\xfc\xd4\x85\xd6\x13\x82\x72\x25\xbc\xd7\xbe\xc5\xd5\x4a\x15\x70\x57\x23\xb4\xf9\x2f\xbe\x82\x58\x1b\x82\x56\xd4\x04\x43\x10\x3d\x94\x58\x19\x87\x10\x6b\x84\x06\x63\xed\x4b\x6f\xfd\xf6\x00\x95\x0f\xf2\x4d\x8d\xd6\xf1\xc2\x31\xa0\x8a\xf2\x2f\x5f\x81\x71\x95\x0f\x8d\x8a\xc6\x3b\x20\xd4\x5d\x30\xf1\x00\xc1\xd0\x07\x82\xbd\x89\xb5\x71\xb2\x82\x0f\x5b\xe5\xcc\xaf\x32\x6c\x9d\x16\x99\x49\x55\x5a\x63\x1b\xd5\xc6\x22\x58\xdc\xa1\xe5\x95\x79\x11\x50\x04\x84\x11\x36\x87\xa3\x65\xfe\xfb\xef\xff\x10\x58\x54\x25\x06\xaa\x4d\x5b\x88\xa5\xb7\x69\xce\x4c\x5d\x59\x67\xd4\x59\x05\x04\xd5\xb6\xd6\xa0\x28\xc1\xcb\xa2\x8b\x26\x20\x10\x3b\x2c\x39\xe8\x84\xa8\x93\x86\xb6\xc1\x6f\x83\x6a\x06\x93\x94\xb5\x22\x3e\x12\xec\x6b\xa3\x6b\x91\xd6\x11\x96\x0f\x39\x03\x7c\xc8\x23\xb5\xef\x6c\x09\xb5\xda\x71\xf4\xc0\x34\xad\xd2\x11\xbc\x3b\x2d\x37\xaf\x66\x62\x91\x03\x3c\x46\x34\xd9\x46\xbd\x36\xd8\xb4\xd6\x1f\x10\xe9\x94\x61\xb0\xaf\x3d\x44\xf5\x01\xa1\x55\x21\x82\x71\xbd\xd3\x1f\x71\x60\xc1\x38\xfb\x8b\xd2\x1f\xb6\xc1\x77\xae\x14\xf9\x37\xf0\x01\x0f\x80\x16\x7b\x54\x5c\xec\x41\x06\xa2\x82\xda\x5b\x43\xd1\x68\x11\x4b\x07\x8a\xc8\xc3\x35\xdb\x14\xbc\xd2\x35\x1b\x25\xda\x34\xca\xa9\xad\x48\x9b\x1b\x9f\x20\x45\x22\x3f\xe0\x2f\x9d\x09\x32\x88\x64\xc1\x36\x78\x8d\x6c\xda\x00\xec\x99\x2f\xa2\x07\x53\x32\x14\xaa\xc3\x23\xa8\xce\xbb\x29\x2d\x05\xda\x3b\x32\x14\xc5\xb9\x95\xef\x82\xf8\x91\xae\xfb\x85\x8c\xce\x41\x7e\xc0\x23\x09\x2a\x6b\x46\xf9\x1e\x05\x3a\x32\x2e\xd6\xec\xec\xa4\xf4\xae\xb3\x0e\x83\xda\x18\x6b\xa2\x84\xb5\x56\x51\x62\x7c\x78\x3d\x8d\x53\x96\x60\xcd\x07\xb4\xa6\xf6\xbe\x94\xc9\xac\x1e\xfe\xd2\xa1\xd3\x08\x2f\x58\xfd\x2f\xfa\x81\x8f\x89\xd8\xa0\x71\x5b\x08\xa8\xac\xf9\x15\xcb\xf5\x29\x63\x86\xdd\xc4\x9e\x44\x8e\x4c\xe7\x26\x7b\x98\x45\xa5\x3d\x81\x3b\x65\xbb\x99\x13\x02\x92\x29\x3b\x65\x33\xd4\xaa\x88\x61\x01\xae\x5b\xac\x30\xb0\xce\x34\xee\xe9\x09\xc1\xde\x62\xeb\x43\x84\x3b\x46\xb6\x8a\x28\xb4\x97\x38\x97\x47\x5f\x2d\x86\x5f\xad\x84\x39\x4d\x8a\xdb\x12\xde\x7d\x1c\x8d\xd3\xb6\x2b\x33\x70\x4e\x05\xef\x61\x6f\xd5\x6a\xc7\xee\x62\x3e\xf3\xb2\x2f\x99\xa5\x5b\xe5\x0e\x39\xba\xc5\x4c\x81\xca\x04\x8a\x40\x11\x5b\xc8\x6c\xb0\x54\x29\x31\xf2\x80\xc4\x29\xa3\x8c\x14\x32\xa3\xaa\xc7\xf6\xd5\x6b\x16\xe3\x63\x8d\x01\xf6\x3e\x94\x8c\xb5\x25\x45\x35\xea\x00\xaa\xaa\x50\x47\x59\x4d\x7b\x57\x25\xe9\xca\x9a\x78\x58\x83\x71\x11\xb7\x41\xfe\x57\xb9\xf2\x2b\x1f\x40\xed\x94\xb1\xc9\x03\x87\x65\x0e\x38\xc1\x71\x85\x84\x23\x92\x48\xca\x9e\x1e\x32\x17\xfb\x1e\x5a\xd5\x62\x60\x2a\x44\x8b\x3a\x06\xef\x8c\x66\x64\x31\xaf\x32\x9b\xa5\x40\xd0\x9a\x93\xa2\xda\x28\x42\x5a\xcf\x64\x46\xd4\xb5\x4b\x29\x8b\xf7\x7c\xcb\xeb\xca\x88\xa0\x28\x86\x4e\xc7\x2e\x60\x86\xe3\x7d\xc4\xe0\x94\xfd\xca\x77\x91\x7c\x17\x34\x96\x40\x18\x76\x46\xe3\x82\x23\x0a\xf8\x5b\x0f\x6d\xf1\x16\xcf\x07\xbf\x77\x18\xa0\xe9\x28\xc2\x66\xc4\x09\x96\xf3\x18\x3b\xbc\xef\x43\x7c\x1c\xcb\xc7\xa0\xa4\x88\xbc\x36\x2a\xe6\x74\x31\x91\xce\x0b\x3f\x3c\xaf\x57\x88\xc9\x13\x4b\x76\xa8\x3a\x82\x95\x6c\xcc\x02\xbe\x1f\x96\x94\x68\x6c\xf0\x48\x68\xd3\xd9\x68\x5a\x3b\x50\x44\x76\x9c\xb0\xaf\x7c\xf9\xe4\xc4\x85\x7a\x9c\x1e\x48\x35\xad\x3d\xc6\x7a\x62\x0b\xa6\xef\xe0\x77\xa6\xc4\x92\x19\x50\x52\x51\x86\xf6\x27\xf6\x3e\xbc\x08\x3d\x57\xc0\x0b\xf5\xc5\x17\x63\x1c\x86\xe0\xf5\x54\xf4\x70\xec\x46\x62\x48\x43\x24\x95\xe7\xaa\x27\xf6\xd3\x92\xc9\xb2\xf5\x54\xc3\x5b\xae\x34\x3b\xa1\xb1\x51\xe4\x8f\xac\xc5\xb8\x0e\x49\xee\x1f\xe5\xac\x79\xf6\x21\x29\x90\x5c\x70\x9d\xa6\xf2\xef\x55\x01\x6f\x46\xae\xa6\x91\x56\xb5\x6f\x36\xc6\x9d\x45\x44\x3c\x87\x2b\x87\x41\xb5\x6c\x81\xa9\x80\x3a\x8e\x7a\x9f\x3a\x23\x06\x23\xdc\x4e\x05\xcc\x54\x78\x37\x66\x0f\x5f\x81\xd7\xba\x0b\xc9\xb7\x7e\xbe\xc4\x0b\x53\x60\x21\xce\x68\x83\xdf\xf4\x44\x90\x32\x53\x0f\x92\xbd\xe1\xe2\xe3\xbe\xb5\xde\x24\x5e\x99\xaa\x7b\x98\x24\x83\x16\x75\x34\xbb\xec\xee\x3e\x82\xbd\x4f\x82\x11\x65\xc5\xb6\x12\x23\x86\xc6\x38\x66\xdb\x69\x62\x63\x5f\x4c\xf3\x5e\xc0\x5c\x06\xc8\x4e\xb8\x63\x88\x11\x7c\x2b\xc3\xbe\x2b\x64\xf5\xa3\x8c\x90\x6a\x4e\x43\xa0\x95\xd5\x9d\x15\x4c\x6f\x0e\xa0\xca\x52\xa8\x3d\xb1\xe2\x20\x90\xb4\x0f\x38\xc0\x64\x22\x5a\xfe\x50\xac\x56\x5f\xbe\x5c\xfe\xce\xf9\x72\xd1\xef\xcb\xd5\x47\xb8\xba\x9a\x60\xe6\xea\x0a\x4e\x7f\xf9\x2b\x92\x0e\xa6\x65\x04\x5d\x5d\xc1\x45\xbf\x8f\x20\x52\xde\xb1\x77\x86\xb9\xfc\xe5\x3d\x1b\x3a\xf9\xf2\xa4\xdf\xc7\xd5\x97\x7f\x5e\xfe\xce\xf9\x72\xd1\x8f\xfd\xf5\xce\xef\x17\xe6\x7d\x7d\x64\xf0\x3b\x4f\x52\xcc\x3d\x96\x05\x97\x19\x50\xa0\xee\x7c\xcc\x8e\x58\x1d\xfb\xe3\xd4\x97\x49\xca\x9d\x26\xcb\x3f\x30\x08\xa9\x86\xca\xfa\xfd\x1a\x2c\x6e\x95\x15\x89\xda\xbb\x18\x94\x8e\xbc\xaf\x1f\x70\xf9\x99\x82\xfd\xc6\x9a\x6d\x9f\x51\x7d\x80\x80\x6d\x17\x73\xa2\x3e\x27\x58\x9f\x07\xdc\xe7\x58\xf2\xa4\xdf\x47\x80\xcf\x65\xcb\x3f\x7d\x89\x81\xd3\xd5\x20\xfa\xd5\x91\x32\xbf\x05\x78\xb9\x9e\xea\xc2\x45\xc0\xab\x8c\x53\x4e\x1b\x65\x41\x7b\x4a\x27\xbc\x5a\x11\x58\xbf\x67\x01\x4d\xaf\xeb\x78\x02\x65\x88\x3e\xea\xf4\x73\x81\x37\x87\xb9\x60\x7b\x09\xed\x09\x38\xfb\x6a\x33\x4f\x3f\x53\xc8\x45\x68\x3e\x9a\xfe\x8c\xee\xcb\x6d\xf9\xbb\xd9\xd6\x73\xd1\xdf\x1c\x29\xf3\x9b\x69\xb5\x56\x3b\xbc\x08\xdd\xa6\x69\xb0\xe4\xaa\x54\x80\xed\xc3\x57\x72\x44\x67\x4c\x4b\xa9\x39\x03\xf5\x02\x90\x4f\x43\xf7\x84\xb5\x7d\xcb\x5b\x28\x11\x6c\x42\x79\x3e\x8c\x9f\x82\xf9\x9a\x61\x7e\x2e\xba\x2f\xa5\xeb\xf9\xf4\x67\x74\x5f\x6a\xcb\x4a\xca\x47\xf8\xf6\x1a\x26\x65\x14\x03\x79\x52\x67\x81\xd4\x47\xa9\x26\xef\x0b\xd6\xcf\x58\x03\x8e\x45\x3b\x17\x64\xa7\xbf\x3c\xd7\x80\x97\xd4\x80\xdf\x1b\xb9\x2f\xc1\x7b\x43\x91\xeb\xff\xe1\x4e\x45\x76\xb0\xb7\xe9\x64\x47\x31\x78\xb7\xcd\xe9\x73\x87\x40\x1e\x2a\x15\x2e\xab\x01\xc7\x63\xaf\x03\x55\xe2\x2f\x1d\xf3\xd6\x70\x01\xde\x06\x1f\xf9\x70\xe4\x9d\x90\xe3\xf2\xbc\xf5\xa4\x54\x5c\x8d\x77\x4f\xf3\xeb\x3e\x3e\x05\xe1\x7d\x0c\xd8\xa0\x3d\x70\x51\x50\xc0\x0f\x1e\x1c\xee\xb9\xd2\x10\xea\xa6\x73\xc9\x8a\xbd\x84\xf7\x7c\xbe\x4b\x47\x31\x96\x58\x75\xb1\x0b\xf8\x5c\x68\xfe\xff\x0a\xcd\x4f\xa3\x5b\xe0\xdc\x70\x6d\x38\xc5\xe7\xc4\x15\xe7\xc6\xff\x11\x44\x9f\x02\xf4\x14\x94\x4f\x42\xf7\x31\xa2\xfb\xaa\xb6\x80\xf7\xbe\x41\x68\x8c\xf3\x61\x04\xb4\x14\xd2\x62\xf5\x05\x85\xa6\x5c\x8f\x60\x59\xc0\x0f\xd3\xbd\x21\xa0\x6f\x3d\x91\xd9\x58\x5c\xc3\xa6\x8b\x72\x32\xac\xcd\xb6\xe6\xed\xc4\xcc\x7c\x28\x9e\xd1\xfd\x9b\x6c\x39\xa7\xd0\x3c\x8f\xbb\x39\x24\xc6\x41\x6b\x95\xe6\x2a\x70\x98\x7e\x6e\x8d\xe9\x50\x0e\xef\x66\x87\xaf\x19\xb2\x01\x73\xfb\x8a\x15\x7c\x08\xd1\x09\x94\x4f\x03\x76\x0f\xe9\x02\xde\x0e\x80\x4b\x1d\xc3\x24\xdb\x1e\x5f\xe0\xb1\xd0\xc4\xbd\xe7\x5a\x77\x36\x45\x4f\x67\x3d\xe3\xf9\x52\x5b\x72\x69\xf9\xdd\x51\x69\x39\xb9\x85\x3d\x59\x59\xfe\xde\x6d\xa8\x7d\xbd\x5a\x6d\x86\x66\x57\x6a\xbc\x71\x29\xda\x8f\x1a\xbb\x5e\x32\x62\xa7\x6c\x87\x04\x5f\x43\xac\x83\xef\xb6\x35\x7c\x23\xdb\xa0\x3f\x1a\xa5\x4e\xf8\x66\xd6\x86\x4f\xcd\xce\x93\xcb\xe4\xbb\xd4\xd3\x4b\x1c\xf5\x01\xa9\x80\x7f\x1d\x7d\x1b\xee\xe1\xa5\xf3\x27\x0d\x14\xdd\x9b\x73\xd7\x37\x03\x17\x46\x8c\x4d\x47\x43\x7c\x90\x4b\xdd\x66\x16\x9c\x8d\x1a\x1a\x06\xc3\x0a\xe9\xf6\xb7\x80\x1b\x6b\xb3\xdc\x2a\xf8\xe6\x64\x67\x21\x45\xa3\x57\x4b\xfb\x76\xf2\x3e\xe0\xd4\xa2\xe9\x4a\xda\x50\xeb\xc9\xe4\x57\x0d\x96\xeb\x41\x69\x85\x4c\x5e\x48\xb4\xc3\x5d\xc6\xbc\xf3\x39\xe9\x8a\x9c\x5c\x7e\xda\x14\x31\x0e\x66\x7d\x8e\x31\x2c\x37\xd3\x76\x89\xa1\xe5\x5b\x87\xdc\xcd\x92\xd6\x03\xbc\xf9\xfe\xc7\xfe\x4a\x25\x35\x04\xfb\x3e\x65\x6a\xa6\x07\x02\xaa\x95\xb5\xc3\x3d\x3b\x82\xdf\xfc\x9c\x58\x2e\x35\x17\x1a\x13\xe5\xd0\xea\xb6\x92\xbd\x59\x8a\xe4\xd9\x14\x64\xf6\xf1\x71\xf0\x8f\x02\x2d\x9d\x19\x26\x63\xe3\x3a\xdf\x49\x20\x83\xdf\xa5\x87\x03\xf9\x8d\x0a\xad\x8f\x55\x93\x26\xa5\x25\xcf\x0e\x95\xb0\x48\x93\x21\xd9\x91\x23\xeb\xc3\xa2\xf3\xba\x06\xdc\xa1\x03\x23\x24\x6c\xd2\xb8\x7c\x79\x6f\x08\x4a\xc4\xe6\x04\xf0\x27\xad\xbc\xa3\x20\xb2\x88\x24\xac\xef\x62\x4a\x49\xeb\xad\xf5\x7b\xf1\x4a\x1a\x37\xef\xeb\xbc\x97\x9e\x66\x2e\x79\x4a\xde\xd0\xbe\xed\x5b\xf6\xcb\xec\xf4\x82\x16\x0d\x90\xbb\xa0\x1c\x55\x18\x42\xdf\x87\x48\xe2\xa3\x97\x46\x8b\x09\xa5\x84\xff\xf0\x3a\x35\x8c\xee\x05\x4f\x6b\xd8\x1c\xd8\x95\xba\x56\x64\xe4\x84\x02\xc6\x51\x17\x84\x20\xf2\x3b\x09\x1f\x80\xcc\x56\x5a\x29\x6a\xb8\x98\x48\xd8\xa5\x4e\x1e\x90\x04\xe2\x41\xbc\xba\xc3\x40\x73\xad\x6e\x76\xde\x94\x53\x8d\x58\x62\x69\x28\x87\xb5\xff\xcb\xa6\x23\xe3\x90\x08\x14\x83\x68\x68\x11\x69\xd5\x11\x52\x6a\x28\xc9\x4e\x98\xaf\x2d\x91\x98\x2e\xfe\x3a\x41\x3b\x39\x57\xf6\x05\xc3\x33\xf2\xce\xf7\xce\x1e\x72\x7c\x81\x46\x3f\x57\x13\x60\x9c\xd8\x8b\x7b\x79\x69\x23\x97\x9f\x0d\x83\x21\xd6\x2a\x1d\x4e\x5a\x1f\xd3\xd5\xd4\x70\x4f\xf4\xe0\x31\x69\xb2\x05\xe5\x05\x43\x96\x2e\xfe\x5c\x4a\x5c\x8f\x8b\xa4\x6e\x22\xd5\xa2\x01\x52\x34\x0d\xd7\xc7\x51\x9a\xc6\xfb\xc7\xba\x5a\x99\x7a\xf3\x73\x09\xd6\xd5\x2a\xe7\xb0\x9c\xd7\x35\x13\x56\x2c\xf2\x6b\x08\xdc\x76\x56\x05\xb8\xc5\x9d\xc1\xbd\xdc\xc1\x2d\x99\x8f\x25\x3d\x44\xbc\x77\x0f\x32\xe5\xf1\xac\x05\x85\x76\x6d\x99\x7a\xc3\x35\x3a\xb6\x8e\x23\x35\x34\x43\x33\x8e\xe7\x1d\xd2\x02\x6e\x22\x28\x2e\xce\x4d\xd3\x35\xeb\x14\xf6\xb4\x4c\xe6\x4f\xb6\x21\xb3\x94\x90\xb4\x2b\x3b\x9d\x70\xc0\xd0\xc6\x00\x07\x54\xa1\x80\xb7\x92\x22\x72\xcd\x1d\x30\xbd\x9a\x2b\x25\x53\xa8\x78\x92\xfd\x1f\xb4\x66\x69\x88\xec\x9a\xca\x68\xe5\x22\xe8\x5a\xb9\x2d\x52\xaa\xb3\xfa\x5c\x31\x7f\xe9\x36\xbe\x4c\x58\x8f\xdb\x61\xa4\x55\x39\xd7\x0f\xdf\xd1\xed\x4c\xf0\x2e\xbf\x83\x49\xd1\x6b\x7d\x60\x54\x2d\x5e\xb1\x20\x75\x36\x3d\x3a\xfa\xf4\x7b\xad\xd4\xbf\x67\x97\x51\xb7\x49\xf0\x8a\xd9\x95\xb4\x1e\x9d\xd9\xbf\xc7\xe8\xdf\x0f\x9c\xee\xbc\x17\xab\xd5\xff\x02\x00\x00\xff\xff\x01\x6b\x63\xbb\xf6\x28\x00\x00")
func complySoc2PoliciesRiskMdBytes() ([]byte, error) {
return bindataRead(
@@ -977,12 +977,12 @@ func complySoc2PoliciesRiskMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/risk.md", size: 158, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/risk.md", size: 10486, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2PoliciesVendorMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8d\xc1\xaa\x83\x30\x10\x45\xf7\xf9\x8a\x0b\x6f\x9d\x47\x75\xd5\x66\x9b\x55\x0b\x82\xd4\xe2\x7e\x88\x53\x99\x62\x66\xc0\xc4\x82\x7f\x5f\x74\x75\xe1\x72\x0e\x47\x29\x73\xc0\xc8\x3a\xd9\x8a\x8e\x94\x66\xce\xac\x15\xbd\x2d\x92\x76\x47\x69\x35\xdd\x73\xc0\xd8\xf5\xae\x50\x95\xf2\x16\x2e\xc1\x01\xaf\x21\x1e\x03\x78\xc4\x78\xfb\x6f\x5d\xa6\x8f\xad\x4f\xfe\x4a\x11\xd3\x13\xf1\x98\xa8\x72\xc0\x63\x53\x34\x68\x2f\xcd\xf5\x14\x92\xe5\x23\x11\x70\x57\xa9\x42\x0b\x26\x4b\xdb\xf1\x38\xef\xbd\x73\x7f\x88\x96\x45\x67\x0c\x66\xfa\x0b\x00\x00\xff\xff\x8a\x18\x1b\xc5\x9f\x00\x00\x00")
var _complySoc2PoliciesVendorMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x8c\x56\xcd\x6e\x1b\x47\x0c\xbe\xeb\x29\x08\xe4\x62\x03\xb2\xd0\xe4\xd4\xfa\xe6\xe4\xa4\x22\x01\x8c\x58\xc8\x9d\x9a\xa1\x76\xd9\xcc\xce\x6c\xc9\x59\x19\xdb\x53\x5f\xa3\xaf\xd7\x27\x29\x38\xb3\x2b\xad\x63\xc9\xe9\xc9\xf2\xce\x0f\x3f\x7e\xfc\xf8\x71\x22\x76\x74\x0f\xdf\x28\xfa\x24\xf0\x05\x23\x36\xd4\x51\xcc\xf0\x98\x02\xbb\x71\x85\x4e\x52\x1c\xbb\x7b\xf8\xf6\xe5\x71\xa5\x98\x59\x0f\x4c\x7a\xbf\x02\xd8\x3d\x7d\xb2\x3f\x00\x77\xf0\xe9\xd3\x6f\x9b\x0f\xab\x0e\xff\x48\xf2\x95\x8e\xac\x9c\x62\xd9\x72\x07\x1e\x33\xdd\xc3\xef\x43\x84\xf7\xf0\xe1\x97\xf7\xbf\x96\x03\x2e\x75\x16\xe2\x1e\xb6\x91\x33\x63\x00\x9f\xdc\x60\x5f\x56\x77\x77\x77\xab\xd5\x3b\x78\x1c\xa4\x4f\x4a\x80\xd1\xc3\x93\x4b\x3d\xad\x56\xb8\x81\x5d\xcb\x0a\x7d\x81\x05\x9e\x0e\x1c\x49\x21\xb7\x04\x32\x04\x52\x38\x24\x01\xa1\x80\xd9\x82\xb7\xdc\x2b\x3c\x73\x6e\xcb\x86\x24\x0d\x46\xfe\xab\x2c\xfd\xfb\xf7\x3f\x0a\xdb\x78\x48\xd2\x95\xff\x61\x47\xae\x8d\x29\xa4\x66\x84\x9b\xed\xee\x16\x8e\x85\x09\x2d\xb1\x7b\x94\x1c\x49\x74\x03\xaf\x00\x60\xdf\x07\x36\x00\x09\x30\x04\xd8\xee\x2e\x1e\x84\xe7\x36\x41\x8b\x47\x2a\x38\x70\xcf\x81\xf3\x68\x67\xb8\xeb\xd1\xe5\xf2\xd5\xa5\x78\x60\x4f\xd1\x98\xe0\x3c\xae\x81\x63\xa6\x46\xca\x4f\xbb\x0b\x8f\xc8\x61\x3e\x9a\x0e\x97\x33\xca\xe7\x2c\xec\x8c\x52\x54\xce\x7c\x24\xe0\x73\xaa\x6b\x48\x52\x00\xa1\x50\x21\x87\x63\xb9\x4c\x8d\xe1\xab\x37\x2f\x2e\x00\x25\x37\x18\x30\xe8\x25\x35\x82\xdd\xe6\x67\xb4\x50\xd7\x87\x34\x12\x55\x56\x5c\x8a\x59\xd0\x65\x63\x29\xb7\x98\x0b\x10\x21\xed\x53\x54\xde\x07\x2a\x35\x34\x10\xdd\x59\x86\x76\x2e\x1d\x49\x94\x9b\x36\x1b\xc8\x6b\x4c\x5f\xc0\x6f\x65\x7b\x07\x1f\xd1\x7d\x6f\x24\x0d\xd1\x4f\x68\xa9\x5c\x68\xf0\x4e\xf9\x5c\x38\x0c\xac\xd0\x72\xd3\x06\x13\x5b\x4f\xd1\x2a\x04\x69\x62\x6c\x71\x8e\xb3\x9e\x12\x1b\x30\x5c\xd2\xa0\x6d\xd9\xee\x40\x87\x42\xce\x2b\x6d\x5d\xd2\x35\x08\xfd\x39\xb0\x14\x0e\xaa\xb6\xe9\x70\x20\x57\x4a\xfa\x16\x3b\x3a\xb8\xf6\x4a\x20\x38\x48\xea\x00\xe3\x95\x8a\x92\x68\x5f\x03\x54\x8e\x26\x40\xbd\x90\x3a\xe1\x3d\x29\x74\x1c\xb9\x1b\x3a\xd0\x8c\xd1\xa3\x78\x05\x9c\x4a\x01\xdd\xa0\x19\x3a\xa2\xfc\x76\x90\x72\xb2\x4f\x1c\xb3\xa9\xdc\x85\xc1\x73\x6c\xce\xcb\x2e\xe0\xa0\xa4\x6b\x10\xd6\xef\x80\xaa\xa4\x5a\x08\x58\x83\x92\x1c\xd9\x11\x04\x3a\x52\x00\x6c\x84\x68\x5a\xb1\x14\x39\xba\xd2\x41\x0b\x6a\x36\x56\xfa\xaf\x74\x20\xa1\xe8\x48\x4b\xe9\x97\x6d\xff\x34\x07\x9d\x7c\xce\xd6\x4f\xdf\xb6\xf3\x7d\x5f\xab\x38\xe9\xb4\xeb\xdd\x72\xff\x52\x8a\x42\xd6\x14\x2d\xef\x39\x93\x9f\x58\x70\x8e\x54\x2d\xc3\xff\xdf\x58\x96\x74\x56\x18\x62\xe6\x00\x80\x27\x65\x95\x1f\xc8\xf1\x25\x5f\xb6\x98\x82\x9a\x54\x0b\x25\xbe\xf4\x9d\xf5\x3f\x37\x91\x3c\xec\xc7\xea\x3b\x7d\x2f\xa9\x17\xc6\x4c\x45\x0d\x4c\x5a\x3b\xf7\xe1\xa5\x73\x95\x2a\xba\xd4\xf5\x61\x3c\x9b\xe7\x59\x21\x96\xb8\xf5\x76\xd5\xa8\x2f\x81\x3c\x09\x1f\xe7\x84\x6d\xfb\x1b\x1c\xc3\x8d\xcc\xf5\x80\x1b\xbc\xbd\x9d\x5c\xf5\x61\xd9\x88\x73\x25\xd5\xb0\x2f\xa0\x25\x39\xeb\xb8\xc0\xdc\xd3\x69\x6a\x90\x09\xc0\xd8\x4e\xe2\xd1\x2e\xbf\x6e\xfc\x3f\xad\xf0\x0b\x8c\xfb\xdb\xdb\x2a\xaf\xae\x23\x6f\xec\x85\xd1\x5a\xf1\x19\xc5\x57\xaa\xaf\x26\x5c\xe7\xa8\xc0\xcd\xf6\xe9\xcb\xed\x69\x7a\xfc\x60\x30\x25\x0f\xf4\x2d\x09\xcd\x97\x65\x92\xae\x58\x99\xb9\xd3\xd3\xa4\xf9\xcf\x45\xf3\x0f\x27\xcd\xc3\xcd\xd3\xe7\x07\xbd\x05\x4b\x5d\x4a\xf2\x39\xd5\x9c\xcf\x84\x6d\xe0\x41\xa7\xdb\x4c\x9a\x43\x6f\x83\xd8\x4f\x03\x45\x21\xd2\x33\x24\xf3\x19\x5b\x5c\xde\xb3\x7e\xed\x83\x05\x26\x77\x7d\x98\x2d\x67\x04\xd7\x62\x6c\xa8\x54\xe5\xa4\xc1\x48\x34\xb1\x42\x51\x07\x21\xe0\x0c\x42\x1d\x72\x34\xa9\x57\x59\xb1\x95\x67\xa2\xe3\x23\x1d\xd2\x1c\xdc\x54\x5d\xb2\x58\x08\xde\x90\x36\x93\xe2\x6b\x27\xcd\x24\xf5\x28\xc5\x8b\xdf\x6c\xa8\x51\x33\x75\xba\x7e\x25\xef\x21\x7a\x92\xc6\x22\xfd\x60\x32\x06\xcb\x1e\x27\xbc\xf0\x01\xdb\xa2\xd5\xd1\x6b\x6a\xd7\x86\xcf\x2c\xc9\x3a\xc7\x0f\x4c\x1e\xfc\x20\x73\xeb\xff\x10\xc9\x8c\xc2\xf2\xd9\x40\x09\x38\x47\xdd\x5d\xd8\x59\xb9\xaf\x97\x5e\x80\xb3\xcc\xb8\x0e\xd8\xae\x1b\x22\xbb\xfa\xe5\xfc\x26\x58\x5b\xcd\x9f\x29\x04\xfb\x7b\x3d\xa9\x3a\x38\x4a\x79\x39\xea\xba\x46\x30\x97\x26\xd0\x61\x7f\x77\x1a\x2b\x53\x05\xdf\x24\x63\x12\x41\x19\xf3\xcb\x4a\x95\x09\x69\x9d\x7a\xf2\xcc\x4c\xae\x48\x53\xf1\x40\xcd\x50\x7a\xab\xea\xd4\xb3\xda\x2b\xd0\x97\xb9\x66\x25\xa1\x30\x5e\x68\x23\xcd\xc2\x2e\x87\x71\x6a\xa5\xd3\xdb\xa3\x3c\x45\x1c\xda\xbb\x22\x50\x83\x61\x0d\x42\xcd\x10\x30\x27\x19\x5f\x3c\x47\xea\xd4\x5e\x8c\x5b\xa1\x06\xc5\xcf\xd5\x73\x29\x04\x1b\x8c\xf6\x80\x9a\x2a\xc7\xb1\xa9\x10\xb3\x60\xd4\x8e\xd5\x5e\xbc\x15\xe6\xfc\xee\xf2\x98\xb1\x4e\x63\x54\x78\x24\x51\x4b\x3d\x8c\x77\xdb\x49\x21\x05\xd7\xd2\x3b\x6e\x1e\xb7\xdb\xeb\x56\x81\x56\x95\x64\x6f\x62\xcb\x6e\xf0\x9c\xaf\xd2\x7f\xee\xc0\x73\xcf\x55\x7b\x58\x30\xf2\xca\xd5\x5f\x48\xe4\xe7\x7c\xa5\x7d\xe0\xa6\xbe\x73\x36\xab\xff\x02\x00\x00\xff\xff\x5f\xf9\x43\x4e\x43\x0c\x00\x00")
func complySoc2PoliciesVendorMdBytes() ([]byte, error) {
return bindataRead(
@@ -997,7 +997,7 @@ func complySoc2PoliciesVendorMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/vendor.md", size: 159, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/vendor.md", size: 3139, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -1017,7 +1017,7 @@ func complySoc2PoliciesWorkstationMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/policies/workstation.md", size: 1791, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/policies/workstation.md", size: 1791, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -1037,12 +1037,12 @@ func complySoc2ProceduresReadmeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/procedures/README.md", size: 92, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/procedures/README.md", size: 92, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2ProceduresOffboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\xca\x4f\x4b\x4b\xca\x4f\x2c\x4a\x51\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\xf2\x87\x0a\x28\x84\x16\xa7\x16\x29\x71\xe9\xea\xea\x72\x71\x29\x2b\x38\xe7\xe7\x66\xe6\xa5\x2b\x04\xe7\xe7\xe7\x01\x02\x00\x00\xff\xff\x79\xa2\x7a\x63\x37\x00\x00\x00")
var _complySoc2ProceduresOffboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x54\x8e\xb1\x6e\x2a\x31\x10\x45\xfb\xfd\x8a\xab\xed\xf7\x07\xe8\x5e\xf7\x22\x45\x42\x02\x25\x4d\x94\x62\xf0\xce\x86\x11\xb6\xc7\x99\x19\x93\xf0\xf7\x11\xb0\x05\x94\xf6\x9c\x73\x75\x64\xde\x60\xd4\x65\x39\x28\xd9\x3c\x0e\x95\x0a\x6f\x30\x6e\xd7\x0f\xbc\x39\xdb\x38\x4c\xd3\x34\x0c\x3b\x76\xcd\x67\x46\x1c\xc5\x11\x92\x4e\x1c\x38\x5c\xc0\xbf\x9c\x7a\x48\xfd\x42\x1c\x19\x8b\xe6\xac\x3f\xd7\x97\x07\x37\xdf\x0c\xc3\x84\x0f\x7c\xe2\xa5\x14\x9e\x85\x82\xf3\x05\xde\xbd\x71\x9d\xd1\x9d\x0d\x52\xb1\xdf\x6f\x57\xea\x5f\xbb\x1d\xfe\xef\x10\x6c\x45\x2a\x85\x68\x85\xf1\x77\x67\x0f\xf0\x54\x48\x32\x42\x1f\x13\x56\xf3\x55\xf5\x84\xde\x50\xa8\x76\xca\xf9\x32\x35\xd3\xb3\xb8\x68\xe5\x19\xd4\x5a\x96\x74\x1b\x73\x2c\x6a\x77\xdf\x34\x33\xd4\x6e\x19\xeb\xca\x3b\x65\x99\x29\x18\x94\x12\xbb\xc3\xf8\xac\x77\xef\xda\xc9\x94\x8e\xcf\xa1\x49\xeb\x22\x56\xee\x84\xda\x23\xff\x5c\xf9\x17\x00\x00\xff\xff\xdb\xfb\x69\xca\x66\x01\x00\x00")
func complySoc2ProceduresOffboardingMdBytes() ([]byte, error) {
return bindataRead(
@@ -1057,12 +1057,12 @@ func complySoc2ProceduresOffboardingMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/procedures/offboarding.md", size: 55, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/procedures/offboarding.md", size: 358, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2ProceduresOnboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\xca\xcf\x4b\xca\x4f\x2c\x4a\x51\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\xf2\x87\xf0\x15\xfc\x52\xcb\x15\x42\x8b\x53\x8b\x94\xb8\x74\x75\x75\xb9\xb8\x94\x15\x9c\xf3\x73\x33\xf3\xd2\x15\x82\xf3\xf3\xf3\x00\x01\x00\x00\xff\xff\x25\x8d\x3b\x1b\x39\x00\x00\x00")
var _complySoc2ProceduresOnboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x84\x90\xb1\x6e\xeb\x30\x0c\x45\x77\x7f\xc5\x85\xa7\xf7\x06\xff\x40\xb6\x6e\x9d\xda\x22\x40\xa7\xa2\x03\x23\xd1\x36\x51\x59\x52\x45\xda\xae\xff\xbe\x90\x93\xb4\xc9\xd4\x91\x82\x0e\xcf\xe5\x15\x7f\x40\x9b\xe2\x29\x51\xf1\x6d\x13\x69\xe2\x03\xda\xe7\xf3\x8c\x27\x5e\xf1\xaa\x5c\xda\xa6\xeb\xba\xa6\x39\xb2\xa6\xb0\x30\x6c\x14\x85\x89\xfb\x60\xc3\x69\x03\x7f\xb1\x9b\x4d\xe2\x00\x1b\x19\x7d\x0a\x21\xad\x75\x52\xe3\xac\x87\xa6\xe9\xf0\x86\x77\x3c\xe4\xcc\xd1\xe3\xf1\x08\xf2\x1e\x85\x3f\x67\x56\x03\x77\x13\x49\x80\xa5\xdb\xa5\x17\xe2\xa5\x24\x72\x26\x0b\x87\x0d\x0b\x05\xf1\x64\x8c\x92\x02\x83\x54\x65\x88\x13\x47\xc3\x2a\x36\x62\xa2\x48\x03\x17\xfc\x53\xe6\x6a\xb8\xdf\xfe\xff\x9a\xc0\x7b\xcc\xca\xa5\xda\x3c\xf7\x34\x07\xc3\x50\xd2\x9c\xd1\xa7\xb2\x67\xd7\xcc\x4e\x7a\x61\xbf\x6b\x7e\x63\x2c\xa2\x92\x22\x28\x6e\x55\x35\x53\x08\x5b\x97\xaf\xcf\xec\x41\x39\x07\x71\x64\x92\xa2\xd6\x46\x76\x1a\x00\xee\x4e\x3f\xa3\xf8\x01\x6b\x47\x2e\xc5\x5e\xca\xb4\xa3\x7f\xb7\x70\xf9\x7d\x3e\x3a\xf2\x7a\x39\x67\x24\xab\xf1\x37\x38\x8a\x20\xe7\x58\x15\x14\x6e\x4c\xec\xa1\x9b\x1a\x4f\xfa\x1d\x00\x00\xff\xff\x15\x19\xab\x13\xef\x01\x00\x00")
func complySoc2ProceduresOnboardingMdBytes() ([]byte, error) {
return bindataRead(
@@ -1077,12 +1077,12 @@ func complySoc2ProceduresOnboardingMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/procedures/onboarding.md", size: 57, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/procedures/onboarding.md", size: 495, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2ProceduresPatchMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\x2a\x48\x2c\x49\xce\x50\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\x72\x2c\x28\xc8\xa9\x54\xf0\x0f\x56\x00\x0b\xa7\x16\x2b\x71\x25\x17\xe5\xe7\x59\x29\x28\x19\x28\x18\x28\x18\x2a\x68\x81\xa0\x12\x97\xae\xae\x2e\x17\x97\xb2\x82\x73\x7e\x6e\x66\x5e\xba\x42\x70\x7e\x7e\x1e\x20\x00\x00\xff\xff\xc9\x3a\x76\x1b\x4b\x00\x00\x00")
var _complySoc2ProceduresPatchMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x6c\x90\x31\x4b\x03\x41\x10\x85\xfb\xfd\x15\x8f\xb3\x0b\x9c\x68\x61\x73\x20\x92\x22\x45\x1a\x13\x14\x6c\x44\xc8\xba\x37\xb9\x5b\xdc\xec\x2c\x33\xb3\xd1\xfc\x7b\xb9\xf3\x0a\x8b\x30\xd5\x3c\xbe\x79\x8f\x37\xb1\xef\xd0\x14\x6f\x61\x6c\x5c\xf6\x27\xea\xd0\xac\x4b\x49\x17\xec\x5e\x31\xcb\xa4\x8d\x0b\xc2\xb9\x43\x73\x87\x69\xee\x1f\xb0\xc2\xaa\x71\x6d\xdb\x3a\x77\x33\x71\xfb\x89\xc3\x5e\x38\x50\x5f\x85\x9c\x7b\x21\xe5\x74\x26\xd8\x18\x15\x16\xc3\x17\x19\x3e\x2f\xa0\x1f\x0a\xd5\x62\x1e\x60\x23\xe1\xc8\x29\xf1\xf7\xb4\xa9\x51\xd1\xce\xb9\x16\xef\xf8\xc0\xbe\xa6\x34\x03\xc9\x1b\xa9\x41\x83\xc4\x62\x8a\xa3\xf0\x69\xd6\x77\x45\x21\x54\x58\xa3\xb1\x5c\x96\xab\xcd\xec\x4d\x38\x6c\x9e\xdf\x1e\xd5\xfc\x30\x19\xcf\x05\x5a\x9f\xd2\xad\x8e\x87\x05\xdc\x66\x2d\x14\x0c\x5c\xad\x54\x73\x00\xb0\x38\x88\xb0\xe8\x13\xb6\xf9\x4c\x6a\x71\xf0\x46\xf0\xb9\x87\xfc\x95\xb9\x96\x53\x84\xfb\x1a\x2c\x72\xbe\x1a\xb5\x36\xf3\x61\x44\xe2\x61\x49\x83\xf1\xff\x9f\xfc\x06\x00\x00\xff\xff\xb4\x3f\x07\x6a\x7c\x01\x00\x00")
func complySoc2ProceduresPatchMdBytes() ([]byte, error) {
return bindataRead(
@@ -1097,12 +1097,12 @@ func complySoc2ProceduresPatchMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/procedures/patch.md", size: 75, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/procedures/patch.md", size: 380, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
var _complySoc2ProceduresWorkstationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\x2a\xcf\x2f\xca\x2e\x2e\x49\x2c\xc9\xcc\xcf\x53\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\x72\xce\xcf\xc9\x49\x4d\x2e\x51\x08\x47\xc8\x29\xb8\xa4\x96\x24\x66\xe6\x14\x2b\x71\x25\x17\xe5\xe7\x59\x29\x28\x19\x28\x18\x28\x68\x41\xa0\x12\x97\xae\xae\x2e\x17\x97\xb2\x82\x73\x7e\x6e\x66\x5e\xba\x42\x70\x7e\x7e\x1e\x20\x00\x00\xff\xff\x20\xf0\xa9\x34\x5c\x00\x00\x00")
var _complySoc2ProceduresWorkstationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xd4\x92\x41\x4f\x1b\x31\x10\x85\xef\xfe\x15\x4f\x39\x22\x82\x5a\xa9\xbd\xec\x0d\x05\x10\x51\xa9\x40\x64\x5b\x0e\x08\x09\xc7\x3b\x9b\xb8\xf1\xce\x6c\x3d\xe3\xa4\xf9\xf7\xd5\x86\x10\xd2\xaa\x95\x7a\xad\xf6\xb0\x1a\x7b\xec\xf7\xfc\xbd\x89\x4d\x85\xd1\x46\xf2\x4a\xcd\x5b\x14\x1e\x39\xf6\x1d\x55\x18\x4d\x24\x25\x0a\x86\x87\xb7\x3d\x5c\x90\xf9\x98\x74\xe4\x42\x16\xae\x30\x7a\x87\xe1\x7b\xff\x11\x1f\x70\x32\x72\xe3\xf1\xd8\xb9\x7b\x52\x49\x6b\x82\x2d\xa3\xc2\x62\x58\x91\x61\xbe\x05\xfd\xa0\x50\x2c\xf2\x02\xb6\x24\xb4\x92\x92\x6c\x86\x4a\x8d\x7a\xad\x9c\x1b\xe3\x11\x4f\x98\x11\x37\xbb\x86\x20\x5d\x57\x38\x86\x9d\xac\x62\x4e\x49\x36\xfb\x9e\x2b\xc9\xf0\xbc\x05\x75\x3e\x26\x64\xea\x53\x24\x3d\x85\x37\xf3\x61\x89\x20\x6c\xc4\x06\x93\x63\x07\xfb\xa3\x5f\x7d\x8a\x8d\x37\x42\x26\xed\x85\x95\x14\x3e\x0f\x55\xa0\xb8\xa6\x06\x6d\x96\x0e\xe4\xc3\xd2\x39\xf7\xfc\xfc\xec\x6a\xa9\x70\x41\xba\x32\xe9\xa1\xa5\xef\x25\x9b\x9b\x95\xf9\x37\x0a\x56\xe1\x9c\xb9\xf8\x84\x23\x74\x88\xbc\x26\x36\xc9\x5b\xe7\xee\x12\x79\xa5\x57\x57\xbb\x27\x95\x9c\x07\x67\x7f\x3c\xf0\xe2\xf7\x18\xcc\x8b\xf1\x0a\x8f\xf7\x97\x77\x37\xe7\x93\x4b\x3c\x4c\xeb\x6b\x7c\xb9\xbf\x41\x7d\x8b\xfa\x7a\x3a\x43\x3d\x9d\x7c\xba\xac\x9f\x9c\xab\x97\xf4\x97\x5b\x75\xe9\x53\x42\xe4\x90\x4a\x43\xbf\x09\xb4\x91\x52\xa3\x95\x03\x80\x13\xcc\x28\x47\x9f\xc0\xa5\x9b\x53\xde\xaf\x4d\x8a\x9a\x34\xd1\xf3\xbe\xbe\x2a\x29\xa1\x89\xba\x02\x71\xc8\xdb\x7e\x27\x36\x88\x16\xdd\x77\x7c\xf6\x69\x33\x10\xed\xb3\x18\x85\xe3\xfd\x01\xe7\x1b\xd4\xdb\x62\x2a\x25\x07\x6a\x30\x19\x1c\x4e\x88\x8d\x32\xa6\xf5\xbf\xe2\x3d\x57\xf4\x3e\x1b\xa4\x85\x94\x0c\xe1\x85\x0c\x6f\x0a\xd2\xf5\x29\x7a\x0e\x04\x6a\x5b\xc9\xa6\xf0\xdc\xa0\xa7\xbc\x6b\x53\xca\xeb\x18\x86\xd4\x17\x99\xa8\x23\xb6\x53\x6c\x86\xfc\xbf\x97\x98\x09\xfe\x90\xd1\x1b\x41\x69\x8f\x2d\x28\x22\xa3\x28\x0d\xbf\x81\xe6\xfe\xc2\x57\x1b\x3e\x04\x29\x6c\x67\x87\xf8\x5f\xe6\xac\x39\x4c\x63\x47\xaa\x7e\x41\xd8\x44\xfb\x75\x28\x0e\x82\x67\xff\x4d\x9c\x3f\x03\x00\x00\xff\xff\x89\xd2\xee\x65\x39\x04\x00\x00")
func complySoc2ProceduresWorkstationMdBytes() ([]byte, error) {
return bindataRead(
@@ -1117,7 +1117,7 @@ func complySoc2ProceduresWorkstationMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/procedures/workstation.md", size: 92, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/procedures/workstation.md", size: 1081, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -1137,7 +1137,7 @@ func complySoc2StandardsReadmeMd() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/standards/README.md", size: 282, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/standards/README.md", size: 282, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -1157,7 +1157,7 @@ func complySoc2StandardsTsc2017Yml() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/standards/TSC-2017.yml", size: 16305, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/standards/TSC-2017.yml", size: 16305, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -1177,7 +1177,7 @@ func complySoc2TemplatesDefaultLatex() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}
@@ -1197,7 +1197,7 @@ func complySoc2TemplatesIndexAce() (*asset, error) {
return nil, err
}
info := bindataFileInfo{name: "comply-soc2/templates/index.ace", size: 7596, mode: os.FileMode(420), modTime: time.Unix(1526668702, 0)}
info := bindataFileInfo{name: "comply-soc2/templates/index.ace", size: 7596, mode: os.FileMode(420), modTime: time.Unix(1526687307, 0)}
a := &asset{bytes: bytes, info: info}
return a, nil
}

90
themes/comply-soc2/policies/availability.md
View File

@@ -9,4 +9,92 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for proper controls to protect the availability of the organizations information systems.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
# Background
a. The intent of this policy is to minimize the amount of unexpected or unplanned downtime (also known as outages) of information systems under the organizations control. This policy prescribes specific measures for the organization that will increase system redundancy, introduce failover mechanisms, and implement monitoring such that outages are prevented as much as possible. Where they cannot be prevented, outages will be quickly detected and remediated.
a. Within this policy, an availability is defined as a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
# References
a. Risk Assessment Policy
# Policy
a. Information systems must be consistently available to conduct and support business operations.
a. Information systems must have a defined availability classification, with appropriate controls enabled and incorporated into development and production processes based on this classification.
a. System and network failures must be reported promptly to the organizations lead for Information Technology (IT) or designated IT operations manager.
a. Users must be notified of scheduled outages (e.g., system maintenance) that require periods of downtime. This notification must specify the date and time of the system maintenance, expected duration, and anticipated system or service resumption time.
a. Prior to production use, each new or significantly modified application must have a completed risk assessment that includes availability risks. Risk assessments must be completed in accordance with the Risk Assessment Policy (reference (a)).
a. Capacity management and load balancing techniques must be used, as deemed necessary, to help minimize the risk and impact of system failures.
a. Information systems must have an appropriate data backup plan that ensures:
i. All sensitive data can be restored within a reasonable time period.
i. Full backups of critical resources are performed on at least a weekly basis.
i. Incremental backups for critical resources are performed on at least a daily basis.
i. Backups and associated media are maintained for a minimum of thirty (30) days and retained for at least one (1) year, or in accordance with legal and regulatory requirements.
i. Backups are stored off-site with multiple points of redundancy and protected using encryption and key management.
i. Tests of backup data must be conducted once per quarter. Tests of configurations must be conducted twice per year.
a. Information systems must have an appropriate redundancy and failover plan that meets the following criteria:
i. Network infrastructure that supports critical resources must have system-level redundancy (including but not limited to a secondary power supply, backup disk-array, and secondary computing system). Critical core components (including but not limited to routers, switches, and other devices linked to Service Level Agreements (SLAs)) must have an actively maintained spare. SLAs must require parts replacement within twenty-four (24) hours.
i. Servers that support critical resources must have redundant power supplies and network interface cards. All servers must have an actively maintained spare. SLAs must require parts replacement within twenty-four (24) hours.
i. Servers classified as high availability must use disk mirroring.
a. Information systems must have an appropriate business continuity plan that meets the following criteria:
i. Recovery time and data loss limits are defined in Table 3.
i. Recovery time requirements and data loss limits must be adhered to with specific documentation in the plan.
i. Company and/or external critical resources, personnel, and necessary corrective actions must be specifically identified.
i. Specific responsibilities and tasks for responding to emergencies and resuming business operations must be included in the plan.
i. All applicable legal and regulatory requirements must be satisfied.
+-------------------+------------------+---------------+-------------------+------------------+
|**Availability** | **Availability** | **Scheduled** | **Recovery Time** | **Data Loss or** |
|**Classification** | **Requirements** | **Outage** | **Requirements** | **Impact Loss** |
+===================+==================+===============+===================+==================+
| High | High to | 30 minutes | 1 hour | Minimal |
| | Continuous | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| | | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| Medium | Standard | 2 hours | 4 hours | Some data loss |
| | Availability | | | is tolerated if |
| | | | | it results in |
| | | | | quicker |
| | | | | restoration |
+-------------------+------------------+---------------+-------------------+------------------+
| | | | | |
+-------------------+------------------+---------------+-------------------+------------------+
| Low | Limited | 4 hours | Next | Some data loss |
| | Availability | | business day | is tolerated if |
| | | | | it results in |
| | | | | quicker |
| | | | | restoration |
+-------------------+------------------+---------------+-------------------+------------------+
Table 3: Recovery Time and Data Loss Limits

276
themes/comply-soc2/policies/classification.md
View File

@@ -7,5 +7,279 @@ majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Appendices
Appendix A: Handling of Classified Information
Appendix B: Form - Confidentiality Statement
# Purpose and Scope
a. This data classification policy defines the requirements to ensure that information within the organization is protected at an appropriate level.
a. This document applies to the entire scope of the organizations information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written.
a. This policy applies to all individuals and systems that have access to information kept by the organization.
# Background
a. This policy defines the high level objectives and implementation instructions for the organizations data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within the organization. Confidentiality and non-disclosure agreements maintained by the organization must reference this policy.
# References
a. Risk Assessment Policy
a. Security Incident Management Policy
# Policy
a. If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
a. If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.
a. When classifying information, the level of confidentiality is determined by:
i. The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (reference (a)).
i. Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
i. Legal, regulatory and contractual obligations.
+-------------------+------------------+---------------------------+---------------------------+
|**Confidentiality**| **Label** | **Classification** | **Access** |
| **Level** | | **Criteria** | **Restrictions** |
+===================+==================+===========================+============================+
| Public | For Public | Making the information | Information is available |
| | Release | public will not harm | to the public. |
| | | the organization in | |
| | | any way. | |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Internal Use | Internal Use | Unauthorized access | Information is available |
| | | may cause minor damage | to all employees and |
| | | and/or inconvenience | authorized third parties. |
| | | to the organization. |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Restricted | Restricted | Unauthorized access to | Information is available |
| | | information may cause | to a specific group of |
| | | considerable damage to | employees and authhorized |
| | | the business and/or | third parties. |
| | | the organization's | |
| | | reputation. | |
+-------------------+------------------+---------------------------+---------------------------+
| | | | |
+-------------------+------------------+---------------------------+---------------------------+
| Confidential |Confidential | Unauthorized access to | Information is available |
| | | information may cause | only to specific indivi- |
| | | catastrophic damage to | duals in the |
| | | business and/or the | organization. |
| | | organization's reputation.| |
+-------------------+------------------+---------------------------+---------------------------+
Table 3: Information Confidentiality Levels
 
d. Information must be classified based on confidentiality levels as defined in Table 3.
e. Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.
f. Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.
g. Information classified as “Internal Use” must be accompanied by a list of authorized persons only if individuals outside the organization will have access to the document.
h. Information and information system owners must review the confidentiality level of their information assets every five years and assess whether the confidentiality level should be changed. Wherever possible, confidentiality levels should be lowered.
a. For cloud-based software services provided to customers, system owners under the companys control must also review the confidentiality level of their information systems after service agreement changes or after a customers formal notification. Where allowed by service agreements, confidentiality levels should be lowered.
a. Information must be labeled according to the following:
i. Paper documents: the confidentiality level is indicated on the top and bottom of each document page; it is also indicated on the front of the cover or envelope carrying such a document as well as on the filing folder in which the document is stored. If a document is not labeled, its default classification is Internal Use.
i. Electronic documents: the confidentiality level is indicated on the top and bottom of each document page. If a document is not labeled, its default classification is Internal Use.
i. Information systems: the confidentiality level in applications and databases must be indicated on the system access screen, as well as on the screen when displaying such information.
i. Electronic mail: the confidentiality level is indicated in the first line of the email body. If it is not labeled, its default classification is “Internal Use”.
i. Electronic storage media (disks, memory cards, etc.): the confidentiality level must be indicated on the top surface of the media. If it is not labeled, its default classification is “Internal Use”.
i. Information transmitted orally: the confidentiality level should be mentioned before discussing information during face-to-face communication, by telephone, or any other means of oral communication.
a. All persons accessing classified information must follow the guidelines listed in Appendix A, “Handling of Classified Information.”
a. All persons accessing classified information must complete and submit a Confidentiality Statement to their immediate supervisor or company point-of-contact. A sample Confidentiality Statement is in Appendix B.
a. Incidents related to the improper handling of classified information must be reported in accordance with the Security Incident Management Policy (reference (b)).
\pagebreak
# Appendix A: Handling of Classified Information
Information and information systems must be handled according to the following guidelines*:
a. Paper Documents
i. Internal Use
1. Only authorized persons may have access.
1. If sent outside the organization, the document must be sent as registered mail.
1. Documents may only be kept in rooms without public access.
1. Documents must be removed expeditiously from printers and fax machines.
i. Restricted
1. The document must be stored in a locked cabinet.
1. Documents may be transferred within and outside the organization only in a closed envelope.
1. If sent outside the organization, the document must be mailed with a return receipt service.
1. Documents must immediately be removed from printers and fax machines.
1. Only the document owner may copy the document.
1. Only the document owner may destroy the document.
i. Confidential
1. The document must be stored in a safe.
1. The document may be transferred within and outside the organization only by a trustworthy person in a closed and sealed envelope.
1. Faxing the document is not permitted.
1. The document may be printed only if the authorized person is standing next to the printer.
a. Electronic Documents
i. Internal Use
1. Only authorized persons may have access.
1. When documents are exchanged via unencrypted file sharing services such as FTP, they must be password protected.
1. Access to the information system where the document is stored must be protected by a strong password.
1. The screen on which the document is displayed must be automatically locked after 10 minutes of inactivity.
i. Restricted
1. Only persons with authorization for this document may access the part of the information system where this document is stored.
1. When documents are exchanged via file sharing services of any type, they must be encrypted.
1. Only the document owner may erase the document.
i. Confidential
1. The document must be stored in encrypted form.
1. The document may be stored only on servers which are controlled by the organization.
1. The document may only be shared via file sharing services that are encrypted such as HTTPS and SSH. Further, the document must be encrypted and protected with a string password when transferred.
a. Information Systems
i. Internal Use
1. Only authorized persons may have access.
1. Access to the information system must be protected by a strong password.
1. The screen must be automatically locked after 10 minutes of inactivity.
1. The information system may be only located in rooms with controlled physical access.
i. Restricted
1. Users must log out of the information system if they have temporarily or permanently left the workplace.
1. Data must be erased only with an algorithm that ensures secure deletion.
i. Confidential
1. Access to the information system must be controlled through multi-factor authentication (MFA).
1. The information system may only be installed on servers controlled by the organization.
1. The information system may only be located in rooms with controlled physical access and identity control of people accessing the room.
a. Electronic Mail
i. Internal Use
1. Only authorized persons may have access.
1. The sender must carefully check the recipient.
1. All rules stated under “information systems” apply.
i. Restricted
1. Email must be encrypted if sent outside the organization.
i. Confidential
1. Email must be encrypted.
a. Electronic Storage Media
i. Internal Use
1. Only authorized persons may have access.
1. Media or files must be password protected.
1. If sent outside the organization, the medium must be sent as registered mail.
1. The medium may only be kept in rooms with controlled physical access.
i. Restricted
1. Media and files must be encrypted.
1. Media must be stored in a locked cabinet.
1. If sent outside the organization, the medium must be mailed with a return receipt service.
1. Only the medium owner may erase or destroy the medium.
i. Confidential
1. Media must be stored in a safe.
1. Media may be transferred within and outside the organization only by a trustworthy person and in a closed and sealed envelope.
a. Information Transmitted Orally
i. Internal Use
1. Only authorized persons may have access to information.
1. Unauthorized persons must not be present in the room when the information is communicated.
i. Restricted
1. The room must be sound-proof.
1. The conversation must not be recorded.
i. Confidential
1. Conversation conducted through electronic means must be encrypted.
1. No transcript of the conversation may be kept.
In this document, controls are implemented cumulatively, meaning that controls for any confidentiality level imply the implementation of controls defined for lower confidentiality levels - if stricted controls are prescribed for a higher confidentiality level, then only such controls are implemented.
# Coming Soon

186
themes/comply-soc2/policies/development.md
View File

@@ -8,4 +8,188 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for establishing and maintaining baseline protection standards for company software, network devices, servers, and desktops.
a. This policy applies to all users performing software development, system administration, and management of these activities within the organization. This typically includes employees and contractors, as well as any relevant external parties involved in these activities (hereinafter referred to as “users”). This policy must be made readily available to all users.
a. This policy also applies to enterprise-wide systems and applications developed by the organization or on behalf of the organization for production implementation.
# Background
a. The intent of this policy is to ensure a well-defined, secure and consistent process for managing the entire lifecycle of software and information systems, from initial requirements analysis until system decommission. The policy defines the procedure, roles, and responsibilities, for each stage of the software development lifecycle.
a. Within this policy, the software development lifecycle consists of requirements analysis, architecture and design, development, testing, deployment/implementation, operations/maintenance, and decommission. These processes may be followed in any form; in a waterfall model, it may be appropriate to follow the process linearly, while in an agile development model, the process can be repeated in an iterative fashion.
# References
a. Risk Assessment Policy
# Policy
a. The organizations Software Development Life Cycle (SDLC) includes the following phases:
i. Requirements Analysis
i. Architecture and Design
i. Testing
i. Deployment/Implementation
i. Operations/Maintenance
i. Decommission
a. During all phases of the SDLC where a system is not in production, the system must not have live data sets that contain information identifying actual people or corporate entities, actual financial data such as account numbers, security codes, routing information, or any other financially identifying data. Information that would be considered sensitive must never be used outside of production environments.
a. The following activities must be completed and/or considered during the requirements analysis phase:
i. Analyze business requirements.
i. Perform a risk assessment. More information on risk assessments is discussed in the Risk Assessment Policy (reference (a)).
i. Discuss aspects of security (e.g., confidentiality, integrity, availability) and how they might apply to this requirement.
i. Review regulatory requirements and the organizations policies, standards, procedures and guidelines.
i. Review future business goals.
i. Review current business and information technology operations.
i. Incorporate program management items, including:
1. Analysis of current system users/customers.
1. Understand customer-partner interface requirements (e.g., business-level, network).
1. Discuss project timeframe.
i. Develop and prioritize security solution requirements.
i. Assess cost and budget constraints for security solutions, including development and operations.
i. Approve security requirements and budget.
i. Make “buy vs. build” decisions for security services based on the information above.
a. The following must be completed/considered during the architecture and design phase:
i. Educate development teams on how to create a secure system.
i. Develop and/or refine infrastructure security architecture.
i. List technical and non-technical security controls.
i. Perform architecture walkthrough.
i. Create a system-level security design.
i. Create high-level non-technical and integrated technical security designs.
i. Perform a cost/benefit analysis for design components.
i. Document the detailed technical security design.
i. Perform a design review, which must include, at a minimum, technical reviews of application and infrastructure, as well as a review of high-level processes.
i. Describe detailed security processes and procedures, including: segregation of duties and segregation of development, testing and production environments.
i. Design initial end-user training and awareness programs.
i. Design a general security test plan.
i. Update the organizations policies, standards, and procedures, if appropriate.
i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
i. Design and establish separate development and test environments.
a. The following must be completed and/or considered during the development phase:
i. Set up a secure development environment (e.g., servers, storage).
i. Train infrastructure teams on installation and configuration of applicable software, if required.
i. Develop code for application-level security components.
i. Install, configure and integrate the test infrastructure.
i. Set up security-related vulnerability tracking processes.
i. Develop a detailed security test plan for current and future versions (i.e., regression testing).
i. Conduct unit testing and integration testing.
a. The following must be completed and/or considered during the testing phase:
i. Perform a code and configuration review through both static and dynamic analysis of code to identify vulnerabilities.
i. Test configuration procedures.
i. Perform system tests.
i. Conduct performance and load tests with security controls enabled.
i. Perform usability testing of application security controls.
i. Conduct independent vulnerability assessments of the system, including the infrastructure and application.
a. The following must be completed and/or considered during the deployment phase:
i. Conduct pilot deployment of the infrastructure, application and other relevant components.
i. Conduct transition between pilot and full-scale deployment.
i. Perform integrity checking on system files to ensure authenticity.
i. Deploy training and awareness programs to train administrative personnel and users in the systems security functions.
i. Require participation of at least two developers in order to conduct full-scale deployment to the production environment.
a. The following must be completed and/or considered during the operations/maintenance phase:
i. Several security tasks and activities must be routinely performed to operate and administer the system, including but not limited to:
1. Administering users and access.
1. Tuning performance.
1. Performing backups according to requirements defined in the System Availability Policy
1. Performing system maintenance (i.e., testing and applying security updates and patches).
1. Conducting training and awareness.
1. Conducting periodic system vulnerability assessments.
1. Conducting annual risk assessments.
i. Operational systems must:
1. Be reviewed to ensure that the security controls, both automated and manual, are functioning correctly and effectively.
1. Have logs that are periodically reviewed to evaluate the security of the system and validate audit controls.
1. Implement ongoing monitoring of systems and users to ensure detection of security violations and unauthorized changes.
1. Validate the effectiveness of the implemented security controls through security training as required by the Procedure For Executing Incident Response.
1. Have a software application and/or hardware patching process that is performed regularly in order to eliminate software bug and security problems being introduced into the organizations technology environment. Patches and updates must be applied within ninety (90) days of release to provide for adequate testing and propagation of software updates. Emergency, critical, break-fix, and zero-day vulnerability patch releases must be applied as quickly as possible.
a. The following must be completed and/or considered during the decommission phase:
i. Conduct unit testing and integration testing on the system after component removal.
i. Conduct operational transition for component removal/replacement.
i. Determine data retention requirements for application software and systems data.
i. Document the detailed technical security design.
i. Update the organizations policies, standards and procedures, if appropriate.
i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.

73
themes/comply-soc2/policies/encryption.md
View File

@@ -7,5 +7,76 @@ majorRevisions:
- date: Jun 1 2018
comment: Initial document
---
# Purpose and Scope
a. This policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, authenticity and nonrepudiation of information.
a. This policy applies to all systems, equipment, facilities and information within the scope of the organizations information security program.
a. All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on behalf of the organization having to do with cryptographic systems, algorithms, or keying material are subject to this policy and must comply with it.
# Background
a. This policy defines the high level objectives and implementation instructions for the organizations use of cryptographic algorithms and keys. It is vital that the organization adopt a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security, while also promoting interoperability. This document defines the specific algorithms approved for use, requirements for key management and protection, and requirements for using cryptography in cloud environments.
# Policy
a. The organization must protect individual systems or information by means of cryptographic controls as defined in Table 3:
\pagebreak
+---------------------+-------------------+----------------+--------------+
| **Name of System/** | **Cryptographic** | **Encryption** | **Key Size** |
| **Type of** | **Tool** | **Algorithm** | |
| **Information** | | | |
+=====================+===================+================+==============+
| Public Key | OpenSSL | AES-256 | 256-bit key |
| Infrastructure for | | | |
| Authentication | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Data Encryption | OpenSSL | AES-256 | 256-bit key |
| Keys | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Virtual Private | OpenSSL and | AES-256 | 256-bit key |
| Network (VPN) | OpenVPN | | |
| keys | | | |
+---------------------+-------------------+----------------+--------------+
| | | | |
+---------------------+-------------------+----------------+--------------+
| Website SSL | OpenSSL, CERT | AES-256 | 256-bit key |
| Certificate | | | |
+---------------------+-------------------+----------------+--------------+
Table 3: Cryptographic Controls
 
b. Except where otherwise stated, keys must be managed by their owners.
c. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
d. When required, customers of the organizations cloud-based software or platform offering must be able to obtain information regarding:
i. The cryptographic tools used to protect their information.
i. Any capabilities that are available to allow cloud service customers to apply their own cryptographic solutions.
i. The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers data.
a. The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by the Company conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.
a. All key management must be performed using software that automatically manages access control, secure storage, backup and rotation of keys. Specifically:
i. The key management service must provide key access to specifically-designated users, with the ability to encrypt/decrypt information and generate data encryption keys.
i. The key management service must provide key administration access to specifically-designated users, with the ability to create, schedule delete, enable/disable rotation, and set usage policies for keys.
i. The key management service must store and backup keys for the entirety of their operational lifetime.
i. The key management service must rotate keys at least once every 12 months.
# Coming Soon

131
themes/comply-soc2/policies/media.md
View File

@@ -8,4 +8,133 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. This removable media, cloud storage and Bring Your Own Device (BYOD) policy defines the objectives, requirements and implementing instructions for storing data on removable media, in cloud environments, and on personally-owned devices, regardless of data classification level.
a. This policy applies to all information and data within the organizations information security program, as well as all removable media, cloud systems and personally-owned devices either owned or controlled by the organization.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
# Background
a. This policy defines the procedures for safely using removable media, cloud storage and personally-owned devices to limit data loss or exposure. Such forms of storage must be strictly controlled because of the sensitive data that can be stored on them. Because each of these storage types are inherently ephemeral or portable in nature, it is possible for the organization to lose the ability to oversee or control the information stored on them if strict security standards are not followed.
a. This document consists of three sections pertaining to removable media, cloud storage, and personally-owned devices. Each section contains requirements and implementing instructions for the registration, management, maintenance, and disposition of each type of storage.
a. Within this policy, the term sensitive information refers to information that is classified as RESTRICTED or CONFIDENTIAL in accordance with the Data Classification Policy (reference (a)).
# References
a. Data Classification Policy
a. Asset Inventory
a. Security Incident Response Policy
a. Encryption Policy
# Policy
a. *Removable Media*
i. All removable media in active use and containing data pertinent to the organization must be registered in the organizations Asset Inventory (reference (b)).
i. All removable media listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization.
1. To re-inventory an item, the owner of the removable media must check in the item with the organizations Information Security Manager (ISM).
1. The ISM must treat any removable media that cannot be located as lost, and a security incident report must be logged in accordance with the Security Incident Response Policy (reference (c)).
i. The owner of the removable media must conduct all appropriate maintenance on the item at intervals appropriate to the type of media, such as cleaning, formatting, labeling, etc.
i. The owner of the removable media, where practical, must ensure that an alternate or backup copy of the information located on the device exists.
i. Removable media must be stored in a safe place that has a reduced risk of fire or flooding damage.
i. If the storage item contains sensitive information, removable media must:
1. Be stored in a locked cabinet or drawer.
1. Store only encrypted data that is securely enciphered in accordance with the Encryption Policy (reference (d)).
i. All data on removable media devices must be erased, or the device must be destroyed, before it is reused or disposed of.
i. When removable media devices are disposed, the device owner must inform the ISM so that it can be removed from reference (b).
a. *Cloud Storage*
i. All cloud storage systems in active use and containing data pertinent to the organization must be registered in reference (b). Registration may be accomplished by manual or automated means.
i. All cloud storage systems listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization. To re-inventory an item, the owner of the removable media must check in the item with the organizations Information Security Manager (ISM). Re-inventory may be accomplished by manual or automated means.
i. The owner of the cloud storage system must conduct all appropriate maintenance on the system at regular intervals to include system configuration, access control, performance monitoring, etc.
i. Data on cloud storage systems must be replicated to at least one other physical location. Depending on the cloud storage provider, this replication may be automatically configured.
i. The organization must only use cloud storage providers that can demonstrate, either through security accreditation, demonstration, tour, or other means that their facilities are secured, both physically and electronically, using best practices.
i. If the cloud storage system contains sensitive information, that information must be encrypted in accordance with reference (d).
i. Data must be erased from from cloud storage systems using a technology and process that is approved by the ISM.
i. When use of a cloud storage system is discontinued, the system owner must inform the ISM so that it can be removed from reference (b).
a. *Personally-owned Devices*
i. Organizational data that is stored, transferred or processed on personally-owned devices remains under the organizations ownership, and the organization retains the right to control such data even though it is not the owner of the device.
i. The ISM is responsible for conducting overall management of personally-owned devices, to include:
1. Installation and maintenance of Mobile Device Management (MDM) software that can effectively manage, control and wipe data under the organizations control from personally-owned devices.
1. Maintain a list of job titles and/or persons authorized to use personally-owned devices for the organizations business, as well as the applications and databases that may be accessed from such devices.
1. Maintain a list of applications prohibited from use on personally-owned devices, and ensuring that device users are aware of these restrictions.
i. Personally-identifiable information (PII) may not be stored, processed or accessed at any time on a personally-owned device.
i. The following acceptable use requirements must be observed by users of personally-owned devices:
1. All organizational data must be backed up at regular intervals.
1. MDM and endpoint protection software must be installed on the device at all times.
1. Sensitive information stored on the device must be encrypted in accordance with reference (d).
1. The device must be secured using a password, pin, unlock pattern, fingerprint or equivalent security mechanism.
1. The device must only connect to secure and encrypted wireless networks.
1. When using the device outside of the organizations premises, it must not be left unattended, and if possible, physically secured.
1. When using the device in public areas, the owner must take measures to ensure that the data cannot be read or accessed by unauthorized persons.
1. Patches and updates must be installed regularly.
1. Classified information must be protected in accordance with reference (a).
1. The device owner must install the ISM before the device is disposed of, sold, or provided to a third party for servicing.
1. It is prohibited to:
a. Allow device access for anyone except its owner.
a. Store illegal materials on the device.
a. Install unlicensed software.
a. Locally-store passwords.
a. Transfer organizational data to other devices which have not been approved by the organization.
i. The organization must reserve the right to view, edit, and/or delete any organizational information that is stored, processed or transferred on the device.
i. The organization must reserve the right to perform full deletion of all of its data on the device if it considers that necessary for the protection of company-related data, without the consent of the device owner.
i. The organization will not pay the employees (the owners of BYOD) any fee for using the device for work purposes.
i. The organization will pay for any new software that needs to be installed for company use.
i. All security breaches related to personally-owned devices must be reported immediately to the ISM.

48
themes/comply-soc2/policies/remote.md
View File

@@ -10,4 +10,50 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define requirements for connecting to the organizations systems and networks from remote hosts, including personally-owned devices, in order to minimize data loss/exposure.
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily accessible to all users.
# Background
a. The intent of this policy is to minimize the organizations exposure to damages which may result from the unauthorized remote use of resources, including but not limited to: the loss of sensitive, company confidential data and intellectual property; damage to the organizations public image; damage to the organizations internal systems; and fines and/or other financial liabilities incurred as a result of such losses.
a. Within this policy, the following definitions apply:
i. *Mobile computing equipment:* includes portable computers, mobile phones, smart phones, memory cards and other mobile equipment used for storage, processing and transfer of data.
i. *Remote host:* is defined as an information system, node or network that is not under direct control of the organization.
i. *Telework:* the act of using mobile computing equipment and remote hosts to perform work outside the organizations physical premises. Teleworking does not include the use of mobile phones.
# Policy
a. *Security Requirements for Remote Hosts and Mobile Computing Equipment*
i. Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organizations premises.
i. When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to the organizations systems or work with the organizations data.
i. Remote hosts must be updated and patched for the latest security updates on at least a monthly basis.
i. Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
i. Persons using mobile computing equipment off-premises are responsible for regular backups of organizational data that resides on the the device.
i. Access to the organizations systems must be done through an encrypted and authenticated VPN connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with VPN credentials from the organizations information technology team. VPN keys must be rotated at least twice per year. Revocation of VPN keys must be included in the Offboarding Policy.
i. Information stored on mobile computing equipment must be encrypted using hard drive full disk encryption.
a. *Security Requirements for Telework*
i. Employees must be specifically authorized for telework in writing from their hiring manager .
i. Only devices assigned owner is permitted to use remote nodes and mobile computing equipment. Unauthorized users (such as others living or working at the location where telework is performed) are not permitted to use such devices.
i. Devices must be authorized using certificates
i. Users performing telework are responsible for the appropriate configuration of the local network used for connecting to the Internet at their telework location.
i. Users performing telework must protect the organizations intellectual property rights, either for software or other materials that are present on remote nodes and mobile computing equipment.

128
themes/comply-soc2/policies/risk.md
View File

@@ -8,4 +8,130 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. The purpose of this policy is to define the methodology for the assessment and treatment of information security risks within the organization, and to define the acceptable level of risk as set by the organizations leadership.
a. Risk assessment and risk treatment are applied to the entire scope of the organizations information security program, and to all assets which are used within the organization or which could have an impact on information security within it.
a. This policy applies to all employees of the organization who take part in risk assessment and risk treatment.
# Background
a. A key element of the organizations information security program is a holistic and systematic approach to risk management. This policy defines the requirements and processes for the organization to identify information security risks. The process consists of four parts: identification of the organizations assets, as well as the threats and vulnerabilities that apply; assessment of the likelihood and consequence (risk) of the threats and vulnerabilities being realized, identification of treatment for each unacceptable risk, and evaluation of the residual risk after treatment.
# References
a. Risk Assessment Report Template
# Policy
a. *Risk Assessment*
i. The risk assessment process includes the identification of threats and vulnerabilities having to do with company assets.
i. The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets which may affect the confidentiality, integrity, and/or availability of information in the organization. Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.
i. The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities. A sample risk assessment table is provided as part of the Risk Assessment Report Template (reference (a)).
i. For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.
i. Once risk owners are identified, they must assess:
1. Consequences for each combination of threats and vulnerabilities for an individual asset if such a risk materializes.
1. Likelihood of occurrence of such a risk (i.e. the probability that a threat will exploit the vulnerability of the respective asset).
1. Criteria for determining consequence and likelihood are defined in Tables 3 and 4.
i. The risk level is calculated by adding the consequence score and the likelihood score.
+-----------------+-----------------+--------------------------------------------------------------+
| **Consequence** | **Consequence** | **Description** |
| **Level** | **Score** | |
+=================+=================+==============================================================+
| Low | 0 | Loss of confidentiality, integrity, or availability will not |
| | | affect the organization's cash flow, legal, or contractual |
| | | obligations, or reputation. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| Moderate | 1 | Loss of confidentiality, integrity, or availability may incur|
| | | financial cost and has low or moderate impact on the |
| | | organization's legal or contractual obligations and/or |
| | | reputation. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| High | 2 | Loss of confidentiality, integrity, or availability will have|
| | | immediate and or/considerable impact on the organization's |
| | | cash flow, operations, legal and contractual obligations,and/|
| | | or reputation. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
Table 3: Description of Consequence Levels and Criteria
+-----------------+-----------------+--------------------------------------------------------------+
| **Likelihood** | **Likelihood** | **Description** |
| **Level** | **Score** | |
+=================+=================+==============================================================+
| Low | 0 | Either existing security controls are strong and have so far |
| | | provided an adequate level of protection, or the probability |
| | | of the risk being realized is extremely low. No new incidents|
| | | are expected in the future. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| Moderate | 1 | Either existing security controls have most provided an |
| | | adequate level of protection or the probability of the risk |
| | | being realized is moderate. Some minor incidents may have |
| | | occured. New incidents are possible, but not highly likely. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
| High | 2 | Either existing security controls are not in place or |
| | | ineffective; there is a high probability of the risk being |
| | | realized. Incidents have a high likelihood of occuring in the|
| | | future. |
+-----------------+-----------------+--------------------------------------------------------------+
| | | |
+-----------------+-----------------+--------------------------------------------------------------+
Table 4: Description of Likelihood Levels and Criteria
 
b. *Risk Acceptance Criteria*
i. Risk values 0 through 2 are considered to be acceptable risks.
i. Risk values 3 and 4 are considered to be unacceptable risks. Unacceptable risks must be treated.
c. *Risk Treatment*
i. Risk treatment is implemented through the Risk Treatment Table. All risks from the Risk Assessment Table must be copied to the Risk Treatment Table for disposition, along with treatment options and residual risk. A sample Risk Treatment Table is provided in reference (a).
i. As part of this risk treatment process, the CEO and/or other company managers shall determine objectives for mitigating or treating risks. All unacceptable risks must be treated. For continuous improvement purposes, company managers may also opt to treat other risks for company assets, even if their risk score is deemed to be acceptable.
i. Treatment options for risks include the following options:
1. Selection or development of security control(s).
1. Transferring the risks to a third party; for example, by purchasing an insurance policy or signing a contract with suppliers or partners.
1. Avoiding the risk by discontinuing the business activity that causes such risk.
1. Accepting the risk; this option is permitted only if the selection of other risk treatment options would cost more than the potential impact of the risk being realized.
i. After selecting a treatment option, the risk owner should estimate the new consequence and likelihood values after the planned controls are implemented.
a. *Regular Reviews of Risk Assessment and Risk Treatment*
i. The Risk Assessment Table and Risk Treatment Table must be updated when newly identified risks are identified. At a minimum, this update and review shall be conducted once per year. It is highly recommended that the Risk Assessment and Risk Treatment Table be updated when significant changes occur to the organization, technology, business objectives, or business environment.
a. *Reporting*
i. The results of risk assessment and risk treatment, and all subsequent reviews, shall be documented in a Risk Assessment Report.

38
themes/comply-soc2/policies/vendor.md
View File

@@ -8,4 +8,40 @@ majorRevisions:
comment: Initial document
---
# Coming Soon
# Purpose and Scope
a. This policy defines the rules for relationships with the organizations Information Technology (IT) vendors and partners.
a. This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of the organizations technology and sensitive information, or who are within the scope of the organizations information security program.
a. This policy applies to all employees and contractors that are responsible for the management and oversight of IT vendors and partners of the organization.
# Background
a. The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines requirements for effective management and oversight of such suppliers and partners from an information security perspective. The policy prescribes minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.
# References
a. Information Security Policy
a. Security Incident Response Policy
# Policy
a. IT vendors are prohibited from accessing the organizations information security assets until a contract containing security controls is agreed to and signed by the appropriate parties.
a. All IT vendors must comply with the security policies defined and derived from the Information Security Policy (reference (a)).
a. All security incidents by IT vendors or partners must be documented in accordance with the organizations Security Incident Response Policy (reference (b)) and immediately forwarded to the Information Security Manager (ISM).
a. The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT vendors. As terms are updated, and as new ones are entered into, the organization must implement any changes or controls needed to ensure it remains in compliance.
a. Before entering into a contract and gaining access to the parent organizations information systems, IT vendors must undergo a risk assessment.
i. Security risks related to IT vendors and partners must be identified during the risk assessment process.
i. The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, to include sub-suppliers.
a. IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. The organization strictly adheres to all applicable legal, regulatory and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally-Identifiable Information (PII).
a. The organization may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.

8
themes/comply-soc2/procedures/offboarding.md
View File

@@ -2,4 +2,10 @@ id: "offboard"
name: "Offboard User"
---
# Coming Soon
Resolve this ticket by executing the following steps:
- [ ] Immediately suspend user in SSO
- [ ] Append HR termination request e-mail to this ticket
- [ ] Look up manually-provisioned applications for this role or user
- [ ] Validate access revocation in each
- [ ] Append confirmation or revocation to this ticket

9
themes/comply-soc2/procedures/onboarding.md
View File

@@ -2,4 +2,11 @@ id: "onboard"
name: "Onboard New User"
---
# Coming Soon
Resolve this ticket by executing the following steps:
- [ ] Append HR add request e-mail to this ticket
- [ ] Proactively validate role assignment with manager (see HR request e-mail)
- [ ] Add user to default group for the specified role
- [ ] Provision any manually-provisioned applications by role
- [ ] Append manual provisioning confirmation to this ticket
- [ ] Proactively confirm with new user that they can access all provisioned systems

13
themes/comply-soc2/procedures/patch.md
View File

@@ -1,6 +1,15 @@
id: "patch"
name: "Apply OS patches"
cron: "0 0 1 * * *"
cron: "0 0 0 15 * *"
---
# Coming Soon
# OS Patch Procedure
Resolve this ticket by executing the following steps:
- [ ] Pull the latest scripts from the Ops repository
- [ ] Execute `ENV=staging patch-all.sh`
- [ ] Inspect output
- [ ] Errors? Investigate and resolve
- [ ] Execute `ENV=production patch-all.sh`
- [ ] Attach log output to this ticket

38
themes/comply-soc2/procedures/workstation.md
View File

@@ -1,6 +1,40 @@
id: "workstation"
name: "Collect Workstation Details"
cron: "0 0 * * * *"
cron: "0 0 0 15 4 *"
---
# Coming Soon
Resolve this ticket by executing the following steps:
- [ ] Send the communications below
- [ ] For any email replies, attach content to this ticket
- [ ] Validate responses are received from each
```
To: Desktop support
Subject: Annual workstation inventory
Please attach the current workstation inventory to the following ticket: [REPLACE WITH URL TO THIS TICKET]
The workstation inventory shall include the following fields:
* Serial number
* Custodian
* Full disk encryption status
* Malware protection status
```
```
To: Outsourced Call Center IT
Subject: Annual workstation inventory
As part of our ongoing compliance efforts and per our services agreement, we require a current inventory of workstations in use in the service of our account.
Please respond to this message with the current inventory.
The workstation inventory shall include the following fields:
* Serial number
* Custodian
* Full disk encryption status
* Malware protection status
```