Update baseline.yaml - NEW - OSPS-DO-16 #119
Conversation
added suggestion for criteria OSPS-DO-16 which covers project roles & responsibilities Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
|
Not 100% convinced this is a "docs", but open to alternate landing suggestions |
baseline.yaml
Outdated
| Projects need to document the Roles and | ||
| Responsibilities of the project to provide for | ||
| Seperation of Duties, Dual Control, and other | ||
| requirements. |
There was a problem hiding this comment.
How does this differ from OSPS-DO-11?
The project documentation MUST have a policy that code contributors are reviewed prior to granting escalated permissions to sensitive resources.
There was a problem hiding this comment.
do-11 is about access review of those that get the commit-bit, this is broader, "document whom can do what" within the project
|
It feels like there is probably a "governance" section waiting to happen. I'd nominate OSPS-DO-01, OSPS-DO-02, OSPS-DO-06, OSPS-DO-11 for inclusion, or it could be combined with the LE- line if desired. |
SecurityCRob
added
documentation
Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
...yeah, I was thinking that today too. What does the rest of the group think? |
|
I'm in favor of creating a Governance category, as proposed. |
|
A general comment on this PR: there are a lot of capital letters in places I don't expect. Maybe that's something for Eddie to include in the style guide (#112) |
Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
added suggestion for criteria OSPS-DO-16 which covers project roles & responsibilities