-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
update issue template for onboarding compliance team member
- Loading branch information
Showing
2 changed files
with
48 additions
and
37 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,7 +15,7 @@ assignees: '' | |
| - A: | ||
| - [ ] A: System Owner creates this issue | ||
| - B: | ||
| - [ ] B.1: System owner emails [email protected] and [email protected] with their authorization | ||
| - [ ] B.1: System owner emails <[email protected]> and <[email protected]> with their authorization | ||
| - [ ] B.2: An operator adds a link to the Google Group conversation that includes the authorizing email. | ||
| - **Please only use first names.** | ||
|
|
||
|
|
@@ -54,18 +54,18 @@ These items help us fulfill security and compliance requirements (including for | |
|
|
||
| For the three trainings list at the top, your onboarding buddy will create a separate ticket to track the trainings once scheduling has been finished. This will help consolidate trainings for multiple new members to the team and prevent them from blocking progress on this onboarding ticket. Once the trainings are scheduled, they can be marked as complete here. | ||
|
|
||
| * [ ] Coordinate with your onboarding buddy to go through Contingency Planning training within 60 days (and annually after that). This will cover the following document, which you should also review before or after training: | ||
| * [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). | ||
| * [ ] Coordinate with your onboarding buddy to go through [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: | ||
| * [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). | ||
| * [ ] Coordinate with your onboarding buddy to go through [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: | ||
| * [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). | ||
| * [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. | ||
| * [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). | ||
| * [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). | ||
| * [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). | ||
| * [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. | ||
| * [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a *.docx* file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) | ||
| - [ ] Coordinate with the compliance team to go through Contingency Planning training within 60 days (and annually after that). This will cover the following document, which you should also review before or after training: | ||
| - [ ] Read the [Contingency Plan](https://cloud.gov/docs/ops/contingency-plan/). | ||
| - [ ] Coordinate with the compliance team to go through [Incident Response Training](https://docs.google.com/presentation/d/1AZjQE8zBzMRWZIFUuJPkJLted1ykGtALrLPoPRx5Vls/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following document, which you should also review before or after training: | ||
| - [ ] Read the [Incident Response Guide](https://cloud.gov/docs/ops/security-ir/). | ||
| - [ ] Coordinate with the compliance team to go through [nonpublic information training](https://docs.google.com/presentation/d/1uB4MlGCu8ZYUxjKVZKwicQ95MvLxaT4Mh93y6w79GPw/edit#slide=id.p) within 60 days of joining the team (and annually after that). This will cover the following documents, which you should also review before or after training: | ||
| - [ ] Review the [cloud.gov open source policy guidance about protecting sensitive information](https://github.com/18F/open-source-policy/blob/master/practice.md#protecting-sensitive-information). | ||
| - [ ] Read our [sharing secret keys](https://cloud.gov/docs/ops/secrets/#sharing-secret-keys) policy. | ||
| - [ ] Review the [TTS requirements for password management](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/password-requirements/). | ||
| - [ ] Read the [Continuous Monitoring Strategy](https://cloud.gov/docs/ops/continuous-monitoring/), particularly the [cloud.gov team responsibilities](https://cloud.gov/docs/ops/continuous-monitoring/#cloud-gov-team). | ||
| - [ ] Read the [Configuration Management Plan](https://cloud.gov/docs/ops/configuration-management/). | ||
| - [ ] Read the [cloud.gov Security Policies and Procedures](https://github.com/cloud-gov/cg-compliance-docs). These documents explain the high-level policies and procedures we must comply with while running cloud.gov, sorted into security control "families" They explain that we follow GSA IT security policy, and they provide a summary of the procedures in our System Security Plan. | ||
| - [ ] Review the System Security Plan (the latest version lives on [Google Drive](https://drive.google.com/drive/u/0/folders/0B6fPl5s12igNX3JwR2xFZVpmek0); look for "cloud.gov System Security Plan (SSP)" as a _.docx_ file). Of particular note for onboarding: Section 9 (System Description) and Section 10 (System Environment) | ||
|
|
||
| ### Getting to know cloud.gov | ||
|
|
||
|
|
@@ -87,23 +87,33 @@ very quickly, so your onboarding buddy will walk through this list with you at a | |
|
|
||
| Your onboarding buddy will add you to these Slack channels: | ||
|
|
||
| - [ ] `#cloud-gov` - bots post announcements here | ||
| - [ ] `#cg-billing` - private business development channel (if applicable) | ||
| - [ ] `#cg-incidents` - private channel for incident response | ||
| - [ ] `#cg-priv-all` - private channel for in-team discussion | ||
| - [ ] `#cg-priv-gov` (Federal employees only) - may contain discussion of contracting-related or other private, federal-employee-only comms | ||
| - [ ] `#cg-aws-security` - channel for alerts posted by automation about possible AWS security issues | ||
|
|
||
| You can add yourself to these channels: | ||
|
|
||
| - [ ] `#cg-ask-aws` - channel to communicate with representations from AWS | ||
| - [ ] `#cg-business` - business development (if applicable) | ||
| - [ ] `#cg-compliance` - compliance-related information and discussion | ||
| - [ ] `#cg-offtopic` - off-topic team sharing | ||
| - [ ] `#cg-platform` - platform operations | ||
| - [ ] `#cg-platform-news` - bots post platform alerts | ||
| - [ ] `#cg-general` - program-level information and discusion | ||
| - [ ] `#cg-support` - support requests and assistance within TTS | ||
| - [ ] `#cg-incidents` - private channel for incident response | ||
| - [ ] `#cg-priv-all` - private channel for in-team discussion | ||
| - [ ] `#cg-priv-gov` (Federal employees only) - may contain discussion of contracting-related or other private, federal-employee-only comms | ||
|
|
||
| Once you're added to these channels, you probably want to mute these channels until you're on support rotation: | ||
| You probably want to mute these channels: | ||
|
|
||
| - [ ] `#cg-support` - support requests and assistance within TTS | ||
| - [ ] `#cg-platform-news` - platform alerts | ||
| - [ ] `#cloud-gov` - bots post announcements here | ||
|
|
||
| You might also be interested in these channels: | ||
|
|
||
| - [ ] `#g-security-compliance` - Channel for the Security & Compliance guild | ||
| - [ ] `#dev` - general chat for all TTS engineers | ||
|
|
||
| ## Compliance-role specific items | ||
|
|
||
|
|
@@ -112,8 +122,8 @@ Please let your onboarding buddy know and they will help you request [local admi | |
|
|
||
| ### Other tooling and access for compliance | ||
|
|
||
| - [ ] New person: Request Microsoft Office, per [TTS handbook instructions](https://handbook.tts.gsa.gov/tools/office/) | ||
| - [ ] Compliance lead: Request access to cloud.gov's FedRAMP repository in max.gov by email to [email protected]. | ||
| - [ ] New person: Request Microsoft Office, per [TTS handbook instructions](https://handbook.tts.gsa.gov/tools/office/) | ||
| - [ ] **Compliance lead only**: Request access to cloud.gov's FedRAMP repository in max.gov by email to <[email protected]>. | ||
|
|
||
| ### Cloud Operations account management | ||
|
|
||
|
|
@@ -124,24 +134,25 @@ Before starting this section, you must complete: | |
|
|
||
| AWS user names should be identical across accounts so that permissions can be correctly managed by Terraform. | ||
|
|
||
| * [ ] Create [AWS Accounts](https://cloud.gov/docs/ops/aws-onboarding/) via the AWS web console (not Terraform) and provide one-time credentials - these will be setup with read-only/auditor permissions, and once the 3 mandatory cloud.gov trainings are complete they will be added to the [audit input file](https://github.com/cloud-gov/cg-compliance/blob/master/audit/inputs.yml): | ||
| * [ ] AWS Commercial accounts | ||
| * [ ] AWS GovCloud accounts | ||
| * [ ] Add them to Nessus Manager via the GUI | ||
| * [ ] [Make them an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) of the platform. | ||
| * [ ] Add them to the [`platform-ops`](https://github.com/orgs/cloud-gov/teams/platform-ops) team in GitHub. | ||
| * [ ] Add them as an admin on the cg-django-uaa [docs](https://readthedocs.org/projects/cg-django-uaa/) | ||
| * [ ] Add them to [the cloud.gov team Google Group](https://groups.google.com/a/gsa.gov/forum/?hl=en#!forum/cloud-gov) so they can participate in team-wide internal communication. | ||
| * [ ] Add them to [our dockerhub org](https://hub.docker.com/orgs/cloudgov) and ensure we're not over our license count | ||
| * [ ] Business Unit Only - Add them to the [cloud.gov inquiries Google Group](https://groups.google.com/a/gsa.gov/forum/#!forum/cloud-gov-inquiries) so they can keep apprised of prospective new clients. | ||
| - [ ] Create [AWS Accounts](https://cloud.gov/docs/ops/aws-onboarding/) via the AWS web console (not Terraform) and provide one-time credentials - these will be setup with read-only/auditor permissions, and once the 3 mandatory cloud.gov trainings are complete they will be added to the [audit input file](https://github.com/cloud-gov/cg-compliance/blob/master/audit/inputs.yml): | ||
| - [ ] AWS Commercial accounts | ||
| - [ ] AWS GovCloud accounts | ||
| - [ ] Add them to Nessus Manager via the GUI | ||
| - [ ] [Make them an admin](https://cloud.gov/docs/ops/managing-users/#managing-admins) of the platform. | ||
| - [ ] Add them to the [`platform-ops`](https://github.com/orgs/cloud-gov/teams/platform-ops) team in GitHub. | ||
| - [ ] Add them to [the cloud.gov team Google Group](https://groups.google.com/a/gsa.gov/forum/?hl=en#!forum/cloud-gov) so they can participate in team-wide internal communication. | ||
| - [ ] Add them to the `cloud-gov-assurance-team` Google Group for meeting invites and communications | ||
| - [ ] Add them to [our dockerhub org](https://hub.docker.com/orgs/cloudgov) and ensure we're not over our license count | ||
| - [ ] **If necessary:** Add them as an admin on the cg-django-uaa [docs](https://readthedocs.org/projects/cg-django-uaa/) | ||
| - [ ] Business Unit Only - Add them to the [cloud.gov inquiries Google Group](https://groups.google.com/a/gsa.gov/forum/#!forum/cloud-gov-inquiries) so they can keep apprised of prospective new clients. | ||
|
|
||
| Your onboarding buddy will create a separate ticket tied to this one to track the AWS accounts being granted full admin access. | ||
|
|
||
| ### Additional compliance setup/review | ||
|
|
||
| * [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/master/README.md) | ||
| * [ ] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue | ||
| * [ ] Set GPG signing set up for GitHub (instructions [here](https://docs.google.com/document/d/11UDxvfkhncyLEs-NUCniw2u54j4uQBqsR2SBiLYPUZc/edit)) | ||
| - [ ] Install `caulking` git leak prevention by following the [README](https://github.com/cloud-gov/caulking/blob/master/README.md) | ||
| - [ ] Verify `caulking` by running `make audit` and pasting a screenshot as a comment on this GitHub issue | ||
| - [ ] Set GPG signing set up for GitHub (instructions [here](https://docs.google.com/document/d/11UDxvfkhncyLEs-NUCniw2u54j4uQBqsR2SBiLYPUZc/edit)) | ||
|
|
||
| ### Install a development environment for cloud.gov | ||
|
|
||
|
|
@@ -177,6 +188,6 @@ Your onboarding buddy will create a separate ticket tied to this one to track th | |
|
|
||
| These are items that are only necessary for someone stepping into a compliance role, but you can still subscribe to the alerts and mailing lists if you're interested: | ||
|
|
||
| - [ ] Subscribe to US-CERT alerts: https://us-cert.cisa.gov/mailing-lists-and-feeds | ||
| - [ ] Subscribe to FedRAMP mailing lists: https://public.govdelivery.com/accounts/USGSA/subscriber/topics?qsp=USGSA_2224 | ||
| - [ ] Read Compliance Lead documents at root of the [Google Drive Security and Compliance](https://drive.google.com/drive/u/0/folders/1_vAXZsdVFYssR1DRCaavBCoDE_uxQCI5) folder | ||
| - [ ] Subscribe to CISA alerts/updates: <https://www.cisa.gov/about/contact-us/subscribe-updates-cisa> | ||
| - [ ] Subscribe to FedRAMP mailing lists: <https://public.govdelivery.com/accounts/USGSA/subscriber/topics?qsp=USGSA_2224> | ||
| - [ ] **Compliance Lead only**: Read Compliance Lead documents at root of the [Google Drive Security and Compliance](https://drive.google.com/drive/u/0/folders/1_vAXZsdVFYssR1DRCaavBCoDE_uxQCI5) folder | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters