Security Policy Updates #254

@reynoldsalec

Lando

  • Policy of forcing partners to not give us "real" websites
  • Switch off of Qbox.
  • Audit of current data. Think about ways we can change data collection to get better data/reduce footprint.
  • Eliminate email storage on our systems (allow providers the opportunity to store)
  • Separation of partner data storage/make it easier to send them exclusive stream of data.
  • Making it clear that our dependencies (particularly those interfacing with integration partners like P.sh/Pantheon/etc.) have separate privacy policies. Make the liability distinct.
  • Security scanning of Docker images/using official Docker images.
  • Dependency scanning -> way to keep more up-to-speed.

Tandem

  • Limiting usage of public unprotected networks. Promote cell phone?
  • VPN
  • Rotating SSH keys/passwords.
  • Go through training checklist.
  • Review compliance with individual team members.
  • Initial project audit for sensitive data.
  • Response if someone's computer is compromised/off-boarding a user.
