#205 baseline permissions (#209)

Author: iw-ezequiel

practices/security-repository.md

@@ -8,11 +8,15 @@ This guide lays out security best practice for Github repositories. This set of
 * The guidelines in this page are a necessary, but not a sufficient, condition for code overall being secure.
 
 ## Access controls
-* All users must have MFA enabled, and this should be enforced at the organisation level.
+### Organisation-level settings
+* All users must have MFA enabled.
+* Baseline visibility for private repositories must be "no permission".
+* Ability to change repository view from private to public must be reserved to admins only.
+
+### Repository-specific settings
 * In line with the [Service Manual](https://service-manual.nhs.uk/service-standard/12-make-new-source-code-open), new repositories should be public by default, unless there is good reason not to - this avoids costly rework to secure private information further down the line.
 * Private repositories must disable forking.
 * There must be no outside collaborators in private repositories.
-* Ability to change repository view from private to public must be reserved to admins only, and this should be enforced at the organisation level.
 
 ## Code security
 * Enable, at a minimum, [Dependabot](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/) alerts for vulnerabilities and respond to them appropriately.