Adding Security Requirments (#12)

Adding security requirements doc
esdc-edsc · Jun 7, 2019 · 4a10d49 · 4a10d49
1 parent 7355cd3
commit 4a10d49
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/Guides/Security.md b/Guides/Security.md
@@ -0,0 +1,25 @@
+# Security Requirements
+
+ESDC IT Security has a few requirements to working on project outside the network (in the Cloud).
+If you are working on a project in this space you must be following the requirements listed below.
+
+## Two Factor Authentication (2FA)
+
+For all accounts that are given access to code hosted publicly, their account **must** be enabled with 2FA. 
+This requires a project to be hosted under a group, where the group can have this setting enforced.
+Users with 2FA enabled will require an access token to authenticate from git.  
+https://help.github.com/en/articles/securing-your-account-with-two-factor-authentication-2fa
+
+## Gated Approvals
+
+Merge request or pull request approvals are **required** when modifying code. 
+When changing the "source of truth" aka *master* branch, there must be some kind of approval by someone who did not change the code.
+This is is also just good practice and should be done even inside the network.  
+https://help.github.com/en/articles/enabling-required-status-checks
+
+**Note:** Under the open GoC license or Crown Copyright you can not accept pull requests from citizens. You can only accept pull requests from GoC employees (from any department).
+
+## Verified Commits
+
+When pushing code to public git repositories, the commit **must** be signed by a GPG key created on the computer you are committing code from and registered with against your user. 
+https://help.github.com/en/articles/managing-commit-signature-verification
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ ESDC has a few other organization groups on diffrent platforms where teams can a
 
 We have a number of starter projects that will help you start developing in GitHub or other Git Platforms.
 
+* [Security Requirements](/Guides/Security.md) - These will help you keep your code safe, and are just good practices to have.
 * [ESDC Templates](https://gccode.ssc-spc.gc.ca/iitb-dgiit/esdc-templates) (internal) - Guides for writing standard files all Git repos expect to have.
 * [ESDC Development Setup](https://github.com/esdc-edsc/esdc-development-setup) - Making sure you can connect to External Git repos. It also has some Git tricks.