G-Cubed Github usage policy
This document establishes a framework that ensures the secure distribution of models and software to clients via GitHub, safeguarding against unauthorised access, data breaches, and other security risks.
This policy applies to all employees, contractors, and third parties involved in the development, maintenance, and distribution of G-Cubed models and related software through GitHub.
GitHub Repository Access
- Use GitHub Teams to manage access to repositories by clients and MSG staff that are working with the client.
- Before adding a username to a team, require the new team member to prove ownership of the GitHub account with that username, so that a mistyped or mistaken username does not result in unauthorised access.
- Apply the principle of least privilege, ensuring MSG and client users have only the access necessary for their role.
- Perform a complete audit of a GitHub Team’s memberships and permissions whenever a change is made to that team.
Authentication
- Require two-factor authentication (2FA) for all MSG staff accounts with access to the organisation’s GitHub repositories. Clients require GitHub accounts to access resources distributed by McKibbin Software Group. The authentication of client accounts is the responsibility of the client. GitHub provides advice on ensuring account security.
- Use strong, unique passwords for GitHub accounts and rotate passwords regularly.
- For automated processes, utilise personal access tokens (PATs) with limited scopes instead of username/password authentication.
Repository Configuration
- Enable branch protection rules to prevent unauthorised changes to critical branches.
- Require pull-request reviews before merging changes into critical branches.
- Enforce signed commits to verify the identity of commit authors.
- Enable Dependabot alerts for dependency vulnerabilities.
Data Sensitivity and Classification
- Classify data and software according to sensitivity levels (e.g., Public, Internal, Confidential).
- Restrict access to Confidential data repositories to authorised personnel only.
- Do not store sensitive information, such as credentials or API keys, in repositories.
- It is the responsibility of clients to ensure that their own policies with regard to confidential/private data are adhered to. For example, some clients require repositories to be configured to prevent users from being able to push model changes that they have made to git repositories that are hosted outside of the client infrastructure.
Encryption
- Use encrypted transport (HTTPS or SSH) for all data transmission. GitHub enforces this for all repository access.
Monitoring and Logging
- Enable GitHub’s audit log functionality to track repository access and changes.
- Monitor GitHub access logs for suspicious activity and unauthorised access to repositories.
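As an added example (not part of this policy or of GitHub's own tooling), the following Python script applies the two monitoring rules above to audit-log entries: it reports the access and configuration changes the policy cares about, and flags any such change made by an account outside the approved MSG staff list. The entry field names and action names follow GitHub's audit-log export but are assumptions of this example; the sample entries are constructed.

```python
"""Flag policy-relevant GitHub audit-log events and unapproved actors."""
import json

# Actions the policy says must be reviewed (team membership, repo visibility,
# branch protection, 2FA, deletion). The names follow GitHub's audit-log
# naming scheme; treat the exact set as an assumption of this example.
REVIEW_ACTIONS = {
    "team.add_member": "team membership changed",
    "team.remove_member": "team membership changed",
    "repo.access": "repository visibility changed",
    "protected_branch.destroy": "branch protection removed",
    "org.disable_two_factor_requirement": "2FA requirement disabled",
    "repo.destroy": "repository deleted",
}


def audit_events(entries, approved_admins):
    """Return one finding dict per entry whose action is in REVIEW_ACTIONS.

    approved_admins: usernames permitted to change access or settings (the
    verified MSG staff from the access section of the policy). A reviewable
    action by any other account is additionally flagged as unapproved.
    """
    findings = []
    for e in entries:
        action = e.get("action", "")
        if action not in REVIEW_ACTIONS:
            continue  # routine traffic such as clones is not reported
        actor = e.get("actor", "<unknown>")
        reason = REVIEW_ACTIONS[action]
        if actor not in approved_admins:
            reason += " by unapproved actor"
        # Keep whichever target fields the entry carries for the reviewer.
        target = " ".join(e[k] for k in ("repo", "team", "org", "user") if e.get(k))
        findings.append({"when": e.get("created_at", ""), "actor": actor,
                         "reason": reason, "target": target})
    return findings


# Constructed sample entries in the export shape (not real log data).
SAMPLE_LOG = json.loads("""[
 {"action":"team.add_member","actor":"msg-admin","user":"client-dev1","team":"client-a","created_at":"2024-05-01T09:00:00Z"},
 {"action":"repo.access","actor":"client-dev1","repo":"example-org/model-repo","created_at":"2024-05-01T09:05:00Z"},
 {"action":"git.clone","actor":"client-dev1","repo":"example-org/model-repo","created_at":"2024-05-01T09:06:00Z"}
]""")

if __name__ == "__main__":
    for f in audit_events(SAMPLE_LOG, {"msg-admin"}):
        print(f["when"], f["actor"], f["reason"], f["target"])
```

Running the script on the sample data reports the team addition by the approved admin and flags the visibility change by the client account; the clone is ignored.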
Backups
- Maintain off-platform backups of all GitHub repositories.
- Store backups in a secure, encrypted location separate from GitHub.
Incident Response
- Use the following incident response plan for addressing security breaches.
- Regularly train employees on incident response procedures.
- Immediately revoke access for compromised accounts and investigate suspicious activities.
- Identification:
  - Monitor GitHub audit logs and alerts for unusual activity.
  - Notify the MSG CTO immediately upon detection of a suspected breach.
- Containment:
  - Revoke access for compromised accounts.
  - Temporarily disable affected repositories if necessary to prevent further unauthorised access.
  - Update permissions and reset personal access tokens.
- Investigation:
  - Analyse audit logs and repository changes to determine the scope and impact of the breach.
  - Identify the root cause and any affected systems or data.
- Eradication:
  - Remove malicious actors, code, or scripts from the affected repositories.
  - Patch vulnerabilities and strengthen security configurations.
- Recovery:
  - Restore repositories from backups if required.
  - Verify the integrity of software and data.
  - Gradually re-enable access and normal operations.
- Post-Incident Review:
  - Document findings and actions taken.
  - Update policies and training to prevent future incidents.
  - Share a summary of the incident and its resolution with relevant stakeholders.
Security Procedures
Onboarding and Offboarding
- During onboarding, ensure new team members are added to the appropriate GitHub Teams and are familiar with this policy.
- During offboarding, immediately revoke access to GitHub accounts and confirm the removal of PATs and SSH keys.
Code Review and Quality Assurance
- Require code to undergo peer review before merging into main branches.
- Conduct weekly security reviews of repositories to identify and mitigate vulnerabilities.
- Use code analysis tools to detect insecure code.
Vulnerability Management
- Respond to GitHub Dependabot alerts within 7 days.
- Patch known vulnerabilities in dependencies and frameworks used within the software within 7 days.
Third-Party Integrations
- Evaluate the security of third-party tools and integrations before use.
- Limit scopes and permissions of third-party integrations to the minimum necessary.
Enforcement and Compliance
- Non-compliance with these policies may result in disciplinary action, including termination of access.
Review and Updates
This policy is reviewed at least annually, and as needed in response to emerging security threats or organisational changes.