This repository has been archived by the owner on Apr 23, 2024. It is now read-only.
━━━━━━━━━━━━━━
OUR POLICIES
Corwin Brust
━━━━━━━━━━━━━━
Table of Contents
─────────────────
1. Information Security Disclosure: Risk, Control, and Measurement Documentation
1 Information Security Disclosure: Risk, Control, and Measurement Documentation
═══════════════════════════════════════════════════════════════════════════════
We treat this documentation set as a statement of intents ("outward
commitments"), coupled with ongoing empirical measurement of the
practical effects of our project.
Doing this requires carefully gathering and maintaining verifiable and
accessible versions of certain information, sometimes including
detailed or "verbatim" records (e.g. notes, recordings, etc.) of our
internal or other communications and of routine (or unusual) work.
Just as with the maintenance work underlying any complex
inter-networked tool-set (FOSS or otherwise), these "requests" (and
any similarly intended requirements) can feel cumbersome. They often
seem to arrive (and particularly frustrate us) just as we reach the
most interesting points in the SDLC. Moreover, they increase our
overall risk in case of a serious incident involving loss or theft of
information that Fosshost has not classified as appropriate for
dissemination.
To mitigate potential harm in case of such an incident we have
established certain guidelines:
‣ We do not store information we don't need or expect to need.
‣ We prioritize and normalize removing information we do not need as
part of daily operation.
‣ Where possible for confidential information (or otherwise where
necessary) we mask data.
‣ We undertake to publicly disclose the general types of information
we are regularly storing.
However:
‣ We collect and retain certain information as a part of our everyday
operation.
‣ We are generally free to measure and use this information as needed.
‣ Rules within Our Policies must help us classify and safeguard
information.
‣ Risks and Controls allow us to measure the actual safety of
information in our charge.
‣ The information kept for measurement purposes can expose us to
additional risk.
‣ We (generally) identify risks and select and measure controls at our
discretion.
More specifically, this means that:
At our sole and absolute discretion (except and always according to
due process of law and the will of our regulators, community,
volunteers, etc.), we may (and sometimes must, for example where Our
Policies require it) identify and measure certain risks and
controls.
At times, these measurements may influence, include, or be
accompanied by (e.g. link to) outcomes, which we may document in a
way that includes or references the names (etc.) of our tenants or
volunteers (for example and especially our directors and officers)
and other sensitive or potentially sensitive information, and we may
incorporate some or all of this into the extracts we create from
Our Policies.
As with any information we possess, should we become aware, through
use of this information, of misconduct (for example violations of our
terms of service, of any volunteering or sponsorship agreements, of
Our Policies by someone who has accepted and affirmed them, of our
articles, etc.), then we may (and in some cases must) act on that
information.