From 4ea81ab462bd068482bb44209545ba7fc6a975b7 Mon Sep 17 00:00:00 2001 From: Mayara Ferreira Santos Date: Thu, 24 Aug 2023 16:07:16 +0000 Subject: [PATCH] GITBOOK-870: Security policy update / added new policies and directed them to Internal Handbook --- SUMMARY.md | 18 +- .../data-retention-and-disposal.md | 15 ++ .../internal-controls-policy.md | 13 ++ .../security-policy/network-security.md | 16 ++ .../security-policy/secure-data-transfer.md | 13 ++ .../security-policy/secure-development.md | 19 ++ .../vulnerability-and-patch-management.md | 9 + .../vulnerability-management-process.md | 13 +- .../security/security-policy.md | 168 ++++++++++++------ .../security-policy/access-control.md | 4 +- .../security-policy/assets-management.md | 4 + .../authentication-and-password-policies.md | 8 +- .../security-policy/awareness-and-training.md | 4 + ...siness-continuity-and-disaster-recovery.md | 69 ++----- .../cryptography-and-key-management.md | 4 + .../README.md | 30 ++-- .../security/security-policy/remote-work.md | 12 +- .../security-policy/supplier-relationship.md | 2 + 18 files changed, 267 insertions(+), 154 deletions(-) create mode 100644 departments-and-operations/security/security-policy/data-classification-and-management/data-retention-and-disposal.md create mode 100644 departments-and-operations/security/security-policy/internal-controls-policy.md create mode 100644 departments-and-operations/security/security-policy/network-security.md create mode 100644 departments-and-operations/security/security-policy/secure-data-transfer.md create mode 100644 departments-and-operations/security/security-policy/secure-development.md create mode 100644 departments-and-operations/security/security-policy/vulnerability-and-patch-management.md diff --git a/SUMMARY.md b/SUMMARY.md index 22be83a..9f0de68 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -150,24 +150,30 @@ * [🔐 Security](departments-operations/security/README.md) * [Roles and Responsibilities](departments-operations/security/roles-and-responsibilities.md) * [Security Policy](departments-operations/security/security-policy.md) + * [Internal Controls Policy](departments-and-operations/security/security-policy/internal-controls-policy.md) * [Assets Management](departments-operations/security/security-policy/assets-management.md) - * [Data Classification and Management](departments-operations/security/security-policy/data-classification-and-management/README.md) - * [Google docs data classification](departments-operations/security/security-policy/data-classification-and-management/google-docs-data-classification.md) - * [Remote work](departments-operations/security/security-policy/remote-work.md) - * [Cryptography and Key management](departments-operations/security/security-policy/cryptography-and-key-management.md) * [Authentication and Password policies](departments-operations/security/security-policy/authentication-and-password-policies.md) * [Access Control](departments-operations/security/security-policy/access-control.md) + * [Network Security](departments-and-operations/security/security-policy/network-security.md) + * [Remote work](departments-operations/security/security-policy/remote-work.md) + * [Cryptography and Key management](departments-operations/security/security-policy/cryptography-and-key-management.md) + * [Data Classification and Management](departments-operations/security/security-policy/data-classification-and-management/README.md) + * [Google docs data classification](departments-operations/security/security-policy/data-classification-and-management/google-docs-data-classification.md) + * [Data Retention and Disposal](departments-and-operations/security/security-policy/data-classification-and-management/data-retention-and-disposal.md) + * [Secure Data 
Transfer](departments-and-operations/security/security-policy/secure-data-transfer.md) + * [Secure Development](departments-and-operations/security/security-policy/secure-development.md) * [Changes Management](departments-operations/security/security-policy/changes-management/README.md) * [Rocket.Chat code](departments-operations/security/security-policy/changes-management/rocket.chat-code/README.md) * [Delegation letter](departments-operations/security/security-policy/changes-management/rocket.chat-code/delegation-letter.md) - * [Supplier Relationship](departments-operations/security/security-policy/supplier-relationship.md) + * [Vulnerability and Patch Management](departments-and-operations/security/security-policy/vulnerability-and-patch-management.md) * [Business Continuity and Disaster Recovery](departments-operations/security/security-policy/business-continuity-and-disaster-recovery.md) + * [Supplier Relationship](departments-operations/security/security-policy/supplier-relationship.md) * [Awareness and Training](departments-operations/security/security-policy/awareness-and-training.md) * [Playbooks](departments-operations/security/playbooks/README.md) * [Vulnerability Management Process](departments-operations/security/playbooks/vulnerability-management-process.md) + * [Vulnerability Reports & Disclosure](departments-operations/security/playbooks/vulnerability-reports-and-disclosure.md) * [Security Logs ingestion and review](departments-operations/security/playbooks/security-logs-ingestion-and-review.md) * [Alerts and Incident Management](departments-operations/security/playbooks/alerts-and-incident-management.md) - * [Vulnerability Reports & Disclosure](departments-operations/security/playbooks/vulnerability-reports-and-disclosure.md) * [Pentest](departments-operations/security/playbooks/pentest.md) * [Tasks & Project Management](departments-operations/security/playbooks/tasks-and-project-management.md) * [Code 
Analysis](departments-operations/security/playbooks/code-analysis.md) diff --git a/departments-and-operations/security/security-policy/data-classification-and-management/data-retention-and-disposal.md b/departments-and-operations/security/security-policy/data-classification-and-management/data-retention-and-disposal.md new file mode 100644 index 0000000..e626d97 --- /dev/null +++ b/departments-and-operations/security/security-policy/data-classification-and-management/data-retention-and-disposal.md @@ -0,0 +1,15 @@ +--- +description: This policy applies to all employees and contractors. +--- + +# Data Retention and Disposal + +## Purpose + +The purpose of this Data Retention Policy is to establish guidelines for the appropriate management of data throughout its lifecycle. This policy aims to ensure compliance with relevant regulations and protect the privacy and security of data. + +## Policy + +[Data retention and disposal policy](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/data-classification-and-management/data-retention-and-disposal) is available to all employees and contractors within our internal handbook[.](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/data-classification-and-management/data-retention-and-disposal) + +## diff --git a/departments-and-operations/security/security-policy/internal-controls-policy.md b/departments-and-operations/security/security-policy/internal-controls-policy.md new file mode 100644 index 0000000..9c2b708 --- /dev/null +++ b/departments-and-operations/security/security-policy/internal-controls-policy.md 
@@ -0,0 +1,13 @@ +--- +description: This policy applies to all employees and contractors. +--- + +# Internal Controls Policy + +## Purpose + +The objective of our internal control policy is to establish and maintain effective information security controls that safeguard the confidentiality, integrity, and availability of Rocket.Chat’s assets and operations. + +## Policy + +[Internal Controls policy](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/internal-controls-policy) is available to all employees and contractors within our internal handbook. diff --git a/departments-and-operations/security/security-policy/network-security.md b/departments-and-operations/security/security-policy/network-security.md new file mode 100644 index 0000000..25acea7 --- /dev/null +++ b/departments-and-operations/security/security-policy/network-security.md @@ -0,0 +1,16 @@ +--- +description: Applicable to all employees and contractors. +--- + +# Network Security + +## Purpose + +The purpose of the network security policy is to establish guidelines and responsibilities to ensure the security and integrity of the organization's network infrastructure and data. It aims to protect sensitive information, prevent unauthorized access, mitigate security risks, and maintain compliance with relevant regulations. + +## Policy + +[Network security policy](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/network-security) is available to all employees and contractors within our internal handbook. + + + diff --git a/departments-and-operations/security/security-policy/secure-data-transfer.md b/departments-and-operations/security/security-policy/secure-data-transfer.md new file mode 100644 index 0000000..978c429 --- /dev/null +++ b/departments-and-operations/security/security-policy/secure-data-transfer.md 
@@ -0,0 +1,13 @@ +--- +description: This policy applies to all employees and contractors. +--- + +# Secure Data Transfer + +## Purpose + +The purpose of Secure Data transfer policy is to establish guidelines and procedures for the secure transfer of sensitive data, both externally and internationally. It aims to protect the confidentiality, integrity, and availability of the organization's information assets during data transfers, while ensuring compliance with applicable laws, regulations, and contractual obligations. + +## Policy + +[Secure Data Transfer policy](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/secure-data-transfer) diff --git a/departments-and-operations/security/security-policy/secure-development.md b/departments-and-operations/security/security-policy/secure-development.md new file mode 100644 index 0000000..a715dcd --- /dev/null +++ b/departments-and-operations/security/security-policy/secure-development.md @@ -0,0 +1,19 @@ +--- +description: >- + This policy applies to employees, contractors, and third-party vendors engaged + in software development activities within Rocket.Chat. +--- + +# Secure Development + +## Purpose + +The purpose of the secure development policy is to ensure that our software development processes prioritize security and incorporate robust security measures at every stage. This policy aims to protect our software applications, sensitive data, and customer information from unauthorized access, data breaches, and other security threats. By following this policy, we aim to deliver secure and reliable software solutions to our clients, comply with relevant regulations, and maintain the trust of our customers. + +## Policy + +[Secure Development Policy](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/secure-development) + +\ + + 
diff --git a/departments-and-operations/security/security-policy/vulnerability-and-patch-management.md b/departments-and-operations/security/security-policy/vulnerability-and-patch-management.md new file mode 100644 index 0000000..002873b --- /dev/null +++ b/departments-and-operations/security/security-policy/vulnerability-and-patch-management.md @@ -0,0 +1,9 @@ +# Vulnerability and Patch Management + +## Purpose + +The policy outlines the procedures for detecting, assessing vulnerabilities, and applying patches in software applications and infrastructure components used by our company. The primary objective is to enhance security by proactively identifying vulnerabilities and addressing them in a timely manner. + +## Policy + +Available at this [link](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/vulnerability-and-patch-management). diff --git a/departments-operations/security/playbooks/vulnerability-management-process.md b/departments-operations/security/playbooks/vulnerability-management-process.md index af377b8..25c196f 100644 --- a/departments-operations/security/playbooks/vulnerability-management-process.md +++ b/departments-operations/security/playbooks/vulnerability-management-process.md @@ -76,18 +76,7 @@ QA: QA Engineers are responsible for testing if the solution has fixed the vulne -| Week | Frontend | Backend | -| ----------- | ----------------- | ---------------- | -| 14-Nov-2022 | Tiago Evangelista | Luciano Pierdona | -| 21-Nov-2022 | Tiago Evangelista | Luciano Pierdona | -| 28-Nov-2022 | Tiago Evangelista | David Alen | -| 5-Dec-2022 | Tiago Evangelista | David Alen | -| 12-Dec-2022 | Yash Rajpal | David Alen | -| 19-Dec-2022 | Julia Forresti | David Alen | -| 26-Dec-2022 | Holidays | Holidays | -| 2-Jan-2023 | Pedro Rorato | Matheus Barbosa | -| 9-Jan-2023 | Pedro Rorato | Matheus Barbosa | -| 22-Feb-2023 | Gabriel Henriques | Rafael Tapia | +
WeekFrontendBackend
14-Nov-2022Tiago EvangelistaLuciano Pierdona
21-Nov-2022Tiago EvangelistaLuciano Pierdona
28-Nov-2022Tiago EvangelistaDavid Alen
5-Dec-2022Tiago EvangelistaDavid Alen
12-Dec-2022Yash RajpalDavid Alen
19-Dec-2022Julia ForrestiDavid Alen
26-Dec-2022HolidaysHolidays
2-Jan-2023Pedro RoratoMatheus Barbosa
9-Jan-2023Pedro RoratoMatheus Barbosa
22-Feb-2023Gabriel HenriquesRafael Tapia
\ diff --git a/departments-operations/security/security-policy.md b/departments-operations/security/security-policy.md index 73c77ab..fa75065 100644 --- a/departments-operations/security/security-policy.md +++ b/departments-operations/security/security-policy.md @@ -1,6 +1,8 @@ # Security Policy -We have created a general information security policy and specific policies for related topics and are working to put them in place. These policies are necessary to set up secure processes and demonstrate our compliance with industry standards towards our customers. You can also find the annual acknowledgment forms here. +## Introduction and general guidelines + +We have created a general information security policy and specific policies for related topics and are continuously working to put them in place. These policies are necessary to set up secure processes and demonstrate our compliance with industry standards towards our customers. You can also find the annual acknowledgment forms here. In case of any questions, contact the security team. More information on [this page](https://rocket.chat/handbook/departments/security/) 
@@ -8,10 +10,17 @@ Do you want a short summary? You can find a [security one-pager here!](https://d ## Mandatory Acknowledgment & Secure Configuration -Because we all must follow our security policies, we have set up GoogleForms that you can fill out and submit. Use the following three checklists to set yourself up securely: +Because we all must follow our security policies, we have set up a Zoho Sign term that must be filled out and signed by all Rocketeers. + +* [Policy Acknowledgment,](https://sign.zoho.com/signform?form\_link=234b4d535f495623d7afa605b2c4f12ecea8c219fde51f54332f67b4dacec1104dff6619576027ca9bb31be732284cc8fa4601fcd081cf3d616fb616760bf4d69625a87df702dd0b) an acknowledgment of our current policies. Mandatory to complete all employees and contractors. + +And to set yourself up securely, please follow the guidelines and fill out the form provided in the link below:: -* [Policy Acknowledgment](https://docs.google.com/forms/d/e/1FAIpQLSe5NwjKNXQl9gQPhgF93iB2clFPY2tiYVIE3PKEL\_ZaswTkkw/viewform?usp=sf\_link), an acknowledgment of our current policies. Mandatory to complete annually by all employees -* [Security configuration](https://docs.google.com/forms/d/e/1FAIpQLSffmdQUSHaE2WWX6UHo8BAqT6VM0ijBPxyWwJCkmgeRvSpvkA/viewform?usp=sf\_link) a checklist to set up a basic secure configuration of your tools. Mandatory to complete annually by all employees. +* [Security configuration](https://docs.google.com/forms/d/e/1FAIpQLSffmdQUSHaE2WWX6UHo8BAqT6VM0ijBPxyWwJCkmgeRvSpvkA/viewform?usp=sf\_link) a checklist to set up a basic secure configuration of your tools. Mandatory to complete all employees and contractors. + +{% hint style="info" %} +If you have already signed it during the onboarding training, no need to sign again. +{% endhint %} ## Overall Security Policy 
@@ -23,6 +32,8 @@ Rocket.Chat places a great emphasis on protecting its information. Such informat At Rocket.Chat, we aim to ensure at all times that the information we manage is appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. +### Objectives + Our objectives are: * We will meet all applicable requirements in properly protecting our information, including laws, regulations, industry standards, and contractual commitments 
@@ -39,11 +50,11 @@ This information security policy provides management direction and support for i Everyone handling Rocket.Chat information has the responsibility to keep the information safe, no matter where the information is located. This includes our staff members, contractors, students, etc., but also our suppliers (e.g. those that provide us with our tools to work) and other recipients of that information. -To determine the appropriate levels of security measures applied to information systems, a process of risk assessment is carried out to identify the probability and impact of security failures. - +To determine the appropriate levels of security measures applied to information systems, a process of risk assessment is carried out to identify the probability and impact of security failures.\ +\ To manage information security within the organisation an information security oversight committee is established, chaired by Rocket.Chat´s Security Lead and consisting of senior members of our relevant teams. The objective of this committee is to ensure that there is clear direction and visible management support for security initiatives. This oversight group shall promote security through appropriate commitment and adequate resourcing. -An information security working party, comprising management representatives from all relevant parts of the organisation, shall devise and coordinate the implementation of information security controls. The responsibility for ensuring the protection of information systems and ensuring that specific security processes are carried out shall lie with the head of the department managing that information system. +An information security working party, comprising management representatives from all relevant parts of the organization, shall devise and coordinate the implementation of information security controls. 
The responsibility for ensuring the protection of information systems and ensuring that specific security processes are carried out shall lie with the head of the department managing that information system. Specialist advice on information security is available throughout the organization. Any member of the organization can contact his manager or Rocket.Chat´s Security Lead directly. @@ -51,6 +62,23 @@ Rocket.Chat will establish and maintain appropriate contacts with other organiza Violations of our policies will be handled in accordance with the severity of the violation and applicable rules and regulations, including up to termination of the contract for severe violations. +### Organization + +We maintain a [RASCI-chart](https://docs.google.com/spreadsheets/d/1XHI3Ks2mywKaxK1lGteT7U5olNkaegyHrnsF7tBGjF4/edit?usp=sharing) that contains the responsibilities around information security. Conflicts of interest in these responsibilities must be avoided and tasks that create these conflicts be assigned to different persons. Where this is not possible, compensating controls (e.g. four-eyes principle) should be considered. + +Current conflicting roles identified: + +* None + +The company maintains relevant contacts with authorities and agencies, those relevant for Rocket.Chat being mostly: + +* Data protection agencies - outlined at [Breach Notification: Contact With Authorities](http://127.0.0.1:5000/s/-M7iRWz196Rdn-5pW5QY/privacy-and-security/data-privacy-compliance/breach-notification-contact-with-authorities "mention") +* NIST +* ISO +* Open Source Community + +In project management, the project leads are responsible to ensure security is properly addressed in a project. + ### Review This policy is reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, our other policies or contractual obligations. We will inform relevant parties about the updates. 
@@ -61,53 +89,53 @@ The implementation of the information security policy shall be reviewed independ The following are sub-policies related to specific areas and supplement the general policy. -## Organization +### Personnel Security -We maintain a [RASCI-chart](https://docs.google.com/spreadsheets/d/1XHI3Ks2mywKaxK1lGteT7U5olNkaegyHrnsF7tBGjF4/edit?usp=sharing) that contains the responsibilities around information security. Conflicts of interest in these responsibilities must be avoided and tasks that create these conflicts be assigned to different persons. Where this is not possible, compensating controls (e.g. four-eyes principle) should be considered. +All personnel are screened before entering a position and subject to Terms of employment, including a duty of confidentiality. The screening process is in relation to the applicable laws and regulations as well as the requirements of the position. All personnel are subject to contractual terms that describe their duties. The Information Security Team ensures that all personnel are aware of Rocket.Chat´s Security policies. -Current conflicting roles identified: +The details of these processes are implemented and the records kept by the People Team. -* The roles of data protection officer and security lead are currently taken by one person and cases of conflict of interest will be raised to the management team to resolve. +### Internal Controls Policy -The company maintains relevant contacts with authorities and agencies, those relevant for Rocket.Chat being mostly: +This internal controls policy is to establish and maintain effective information security controls that safeguard the confidentiality, integrity, and availability of Rocket.Chat’s assets and operations. -* Data protection agencies -* NIST -* ISO -* Open Source Community +It is everyone’s responsibility to familiarize yourselves with the company’s internal controls and comply with its requirements. 
See [Internal Controls](../../departments-and-operations/security/security-policy/internal-controls-policy.md) policy for details. -In project management, the project leads are responsible to ensure security is properly addressed in a project. +### Asset Management and Acceptable Use -## Personnel Security +An asset is something of value for Rocket.Chat such as, but not limited to, information itself, a device, intellectual property. -All personnel is screened before entering a position and subject to a Terms of employment, including a duty of confidentiality. The screening process is in relation to the applicable laws and regulations as well as the requirements of the position. All personnel is subject to contractual terms that describe their duties. The Information Security Team ensures that all personnel is aware of Rocket.Chat´s Security policies. Personnel that is leaving Rocket.Chat must certify that all assets have been returned to the company and then will be de-registered from the user directories. +[Asset Management policy](https://handbook.rocket.chat/departments-and-operations/security/security-policy/assets-management) cover important security aspects and guidelines that help rocketeers to protect and avoid any misuse of company owned assets. -The details of these processes are implemented and the records kept by the Human Resources Team. +The lists of assets can be found [here.](https://docs.google.com/spreadsheets/d/1Nh8T3FP7QGR35jAdbd9j6HQnnirQDNcnC7X9Dg-Kdvo/edit?usp=sharing) -## Asset Management +### Authentication and Password Policy -An asset is something of value for Rocket.Chat such as, but not limited to, information itself, a device, intellectual property. +Authentication is the process of verifying the identity of a user or system entity. It is a security mechanism that helps to ensure that only authorized individuals or systems are granted access to a particular resource, such as a system, network, or application. 
-[This policy](security-policy/assets-management.md) cover important security aspects and guidelines that help rocketeers to protect and avoid any misuse of company owned assets. +Here you can find our detailed [Authentication](security-policy/authentication-and-password-policies.md#authentication) and [Password policy](security-policy/authentication-and-password-policies.md#password-policy) -The lists of assets can be found [here.](https://docs.google.com/spreadsheets/d/1Nh8T3FP7QGR35jAdbd9j6HQnnirQDNcnC7X9Dg-Kdvo/edit?usp=sharing) +### Access Control Policy -## Data Classification & Lifecycle Policy +Access to sensitive or internal systems is critical for the security and confidentiality of Rocket.Chat. -Refer to [Data Classification and Management](security-policy/data-classification-and-management/) Session +Refer to this [link](https://handbook.rocket.chat/departments-and-operations/security/security-policy/access-control) to access policy and procedure. -## Physical Security, incl. Homeoffice +### Network Security Policy -### Porto Alegre +This document applies to all individuals and entities who have authorized access to the organization's resources for work-related purposes. -* Read the rules that are pinned in the office -* Join the Rocket.chat channel to be informed about news +Please refer to this [link](../../departments-and-operations/security/security-policy/network-security.md) . -### Homeoffice / Remote Work +### Homeoffice / Remote Work Policy -Refer to [Remote work policy](security-policy/remote-work.md) +Rocket.Chat primarily is a remote and global company and this policy outlines the security guidelines, clear screen and security requirements for remote workers to follow. -## Cryptography and Key management +Refer to [Remote work policy](security-policy/remote-work.md). + +Porto Alegre’ office building is available for those in that location. It does not contain or house critical assets or operations. 
To have access to it, please contact Patricia Ferreira for guidance. Make sure the rules pinned in the office are followed. + +### Cryptography and Key management Cryptography is the practice of securing information by transforming it into an unreadable format, which can only be understood by those who have the key to unlock it. Cryptography is used in various applications, such as secure communication, digital signatures, and data protection. 
@@ -115,13 +143,32 @@ Key management is the practice of protecting and managing the cryptographic keys For detailed information and guidelines refer to [Cryptography and Key management](security-policy/cryptography-and-key-management.md) session -## Authentication and Password Policy +### Data Classification & Lifecycle Policy -Authentication is the process of verifying the identity of a user or system entity. It is a security mechanism that helps to ensure that only authorized individuals or systems are granted access to a particular resource, such as a system, network, or application. +To ensure data is classified and handled appropriately and securely throughout its lifecycle, check the policies below: -Here you can find our detailed [Authentication](security-policy/authentication-and-password-policies.md#authentication) and [Password policy](security-policy/authentication-and-password-policies.md#password-policy) +[Data Classification and Management](security-policy/data-classification-and-management/) + +[Data Retention and Disposal](../../departments-and-operations/security/security-policy/data-classification-and-management/data-retention-and-disposal.md) + +[Secure Data Transfer](../../departments-and-operations/security/security-policy/secure-data-transfer.md) + +### Accessing Customer Data + +For access to customer data, you must adhere to the following: + +You may only access customer data if + +* The customer specifically requests it (e.g. support request) _or_ +* When it is necessary for us to fulfill our contractual obligations (e.g. to act proactively to prevent an instance from failing) + +Access is strictly limited to the data needed to fulfill the request. You may not access data of other customers. No customer data may be extracted unless this is strictly requested by the customer. All data extracted must be stored safely and deleted when it is no longer necessary. 
+ +You must terminate the session immediately after the reason for your access has been resolved. -## Secure Development & Change Management +You must as soon as possible inform the customer of the outcome of your access. + +### Secure Development & Change Management Secure engineering basic principles: 
@@ -134,20 +181,17 @@ Features or changes involving components that could affect overall system securi Changes to assets should only occur when a change is necessary. All changes must be controlled. All changes related to source code must occur through the authorized version control system (e.g. GitHub). In case a change is urgent, the change control process may be shortened by decision of management, in order to mitigate potential damages to the organization. -## Accessing Customer Data - -For access to customer data, you must adhere to the following: +Please consult our [Secure Development policy](../../departments-and-operations/security/security-policy/secure-development.md) and [Change Management session](security-policy/changes-management/). -You may only access customer data if +### Vulnerability and Patch Management -* The customer specifically requests it (e.g. support request) _or_ -* When it is necessary for us to fulfill our contractual obligations (e.g. to act proactively to prevent an instance from failing) +This policy applies to all software applications and infrastructure components utilized by our company, including those hosted on SaaS platforms, AWS (Amazon Web Services), and OVH bare metals. -Access is strictly limited to the data needed to fulfill the request. You may not access data of other customers. No customer data may be extracted unless this is strictly requested by the customer. All data extracted must be stored safely and deleted when it is no longer necessary. +Software administrators, SRE and security teams must be aware of this policy and their roles in having it implemented. -You must terminate the session immediately after the reason for your access has been resolved. You must as soon as possible inform the customer of the outcome of your access. +Details available in this [link](../../departments-and-operations/security/security-policy/vulnerability-and-patch-management.md) . 
-## Incident Management +### Incident Management An incident is any event that has the potential to affect the confidentiality, integrity or availability of Rocket.Chat information, in any format, or IT systems in which this information is held. Violations of laws, policies, contractual obligations or also external requests should also be considered as incidents in this sense. 
@@ -162,26 +206,40 @@ Examples of incidents include: The Rocket.Chat's incident response plan is an internal Document that can be found here: [Incident Response Plan](https://docs.google.com/document/d/17yZJ9oP3OJl3oWYTSNKNeXy54OEr7dn3ldpDKi52Ksc/edit#heading=h.wytzxqmvrwlq) -## Business Continuity and Disaster Recovery +In addition to that we also have in place an Incident Communication protocol available in this link. + +### Business Continuity and Disaster Recovery -Refer to [Business Continuity and Disaster Recovery](security-policy/business-continuity-and-disaster-recovery.md) +The purpose of this policy is to outline the components and steps necessary to ensure the continuity of Rocket.Chat operations in the event of a disaster or disruptive event. -## Procurement +Please check the [Business Continuity and Disaster Recovery](security-policy/business-continuity-and-disaster-recovery.md) page. -All Systems procured must comply with defined information security requirements. Those requirements are defined before a procurement decision is made. +### Procurement -## Supplier Relationship +Before a procurement decision is made on behalf of Rocket.Chat, please check our internal Procurement [page](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/procurement/procurement-at-rocket.chat/procurement-policy). Within it there are all the tips you shall be aware of and also the Financial, Security and Privacy requirements. +In addition to that, it is recommended that you check if the system or solution you are interested in meets the recommendations outlined in our Information Security Requirements guide. \ +### Supplier Relationship -Refer to the new page [Supplier Relationship](https://handbook.rocket.chat/departments-operations/security/security-policy/supplier-relationship). +This policy applies to the security and compliance of supplier relationships. 
+Please refer to [Supplier Relationship](https://handbook.rocket.chat/departments-operations/security/security-policy/supplier-relationship) page. +## Security Awareness and Training + +Please refer to [Awareness and Training session](security-policy/awareness-and-training.md) ## Auditing -The Information Security Team will audit the design and implementation of these policies on a regular basis, with a focus on risks identified in the risk management process. Where a potential conflict of interest takes place, the audit will be delegated to another individual with such conflict or other compensating controls be taken. +The design and implementation of these policies will be audited on a regular basis, with a focus on risks identified in the risk management process. Where a potential conflict of interest takes place, the audit will be delegated to another individual with such conflict or other compensating controls be taken. -## Security Awareness and Training +## Compliance and Enforcement -Please refer to [Awareness and Training session](security-policy/awareness-and-training.md) +Rocket.Chat will conduct periodic reviews and audits to ensure compliance with this policy. These reviews may include code inspections, security assessments, and process evaluations. Monitoring may also involve the use of automated tools or manual checks. + +Any suspected or observed non-compliance with this policy should be promptly reported to the policy owner, GRC team or through the designated reporting channels. + +Non-compliance with this policy may result in disciplinary actions, including but not limited to verbal or written warnings, suspension, termination of employment or engagement, and legal actions as deemed necessary. + +\ diff --git a/departments-operations/security/security-policy/access-control.md b/departments-operations/security/security-policy/access-control.md index 0529069..ad16320 100644 --- a/departments-operations/security/security-policy/access-control.md 
+++ b/departments-operations/security/security-policy/access-control.md @@ -1,7 +1,7 @@ --- description: >- This session establish guidelines for requesting access to sensitive or - internal systems within the organization + internal systems within the organization. This policy applies to all. --- # Access Control @@ -69,5 +69,3 @@ Roles and responsibilities \ For Tier 2 and 3 applications, the review of access and privileges shall be done annually by the asset owners or designated person. - - diff --git a/departments-operations/security/security-policy/assets-management.md b/departments-operations/security/security-policy/assets-management.md index 9d4fca9..2347e51 100644 --- a/departments-operations/security/security-policy/assets-management.md +++ b/departments-operations/security/security-policy/assets-management.md @@ -1,3 +1,7 @@ +--- +description: This policy applies to all employees and contractors. +--- + # Assets Management ## Asset Management diff --git a/departments-operations/security/security-policy/authentication-and-password-policies.md b/departments-operations/security/security-policy/authentication-and-password-policies.md index 2e01f7d..bdaf8ab 100644 --- a/departments-operations/security/security-policy/authentication-and-password-policies.md +++ b/departments-operations/security/security-policy/authentication-and-password-policies.md @@ -1,3 +1,7 @@ +--- +description: This policy applies to all employees and contractors. +--- + # Authentication and Password policies ## Authentication Policy 
@@ -20,8 +24,6 @@ In terms of authentication methods, you should always opt for using SSO/SAML aut For systems that do not support Google Sign Up or SSO/SAML, follow the following Password Policy while creating a password to access the service or account. - - ## Password Policy While creating passwords to access company assets we recommend the employees to use Password Wallets, preferred [Zoho Vault](https://vault.zoho.com/app#/login) (using your rocket.chat email to access Zoho). @@ -32,8 +34,6 @@ Remember also to change your password periodically. In the case of a password le Systems that allow password policy enforcement will be configured to expire password after 90 days and only accept passwords that comply with the Password Creation Rule below: - - ### Password Creation Rules * Passwords must be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters. diff --git a/departments-operations/security/security-policy/awareness-and-training.md b/departments-operations/security/security-policy/awareness-and-training.md index 396cded..20d69e4 100644 --- a/departments-operations/security/security-policy/awareness-and-training.md +++ b/departments-operations/security/security-policy/awareness-and-training.md @@ -1,3 +1,7 @@ +--- +description: This policy applies to all employees and contractors. +--- + # Awareness and Training Awareness means putting someone´s attention on security challenges. Training means giving people the right level of security skills for their job. diff --git a/departments-operations/security/security-policy/business-continuity-and-disaster-recovery.md b/departments-operations/security/security-policy/business-continuity-and-disaster-recovery.md index 63a4c4a..6201c50 100644 --- a/departments-operations/security/security-policy/business-continuity-and-disaster-recovery.md +++ b/departments-operations/security/security-policy/business-continuity-and-disaster-recovery.md 
@@ -1,61 +1,28 @@ +--- +description: This policy applies to all employees and contractors. +--- + # Business Continuity and Disaster Recovery ## Purpose -The purpose of this plan is to ensure the continuity of Rocket.Chat operations in the event of a disaster or disruptive event. The plan outlines the steps to be taken to minimize the impact of the event on Rocket.Chat operations, ensure the safety of personnel, and enable the timely recovery of critical business functions. - -## Scope - -This plan applies to all Rocket.Chat operations and systems, including but not limited to, servers, databases, network infrastructure, and personnel. - -## Disaster Recovery Team - -The Disaster Recovery Team will be responsible for implementing this plan. The team will consist of key personnel from Security, Operations, Management, and the owners of the system affected. The team will be responsible for: - -* Activating the plan in the event of a disaster or disruptive event. -* Assessing the impact of the event on Rocket.Chat operations and systems. -* Initiating recovery operations to restore critical business functions. -* Coordinating with external agencies and vendors as needed. - -## Disaster prevention: - -Disaster prevention is everyone´s responsibility. This means that every employee must actively prevent disasters from occurring and report potential risks of a disaster to management. Most controls to prevent disasters are taken on a system level by the respective system administrator and will be performed against a system specific control catalog (e.g. backup configuration). Since many of our systems rely on third party providers, following our policies for third parties is critical. Disaster Prevention controls include: - -* **Preventing vendor lock-ins** -* **Trusted partners**\ - We should always choose partners that provide an adequate level of security (e.g. 
SaaS providers with high reputation) -* **Storing data offsite and off-client** -* **Backup and Recovery**\ - Regular backups will be taken of all critical data and systems. The backups will be stored offsite in a secure location. The recovery process will be tested regularly to ensure its effectiveness. -* **Redundancy**\ - Redundant systems and infrastructure will be implemented to ensure continuity of operations in the event of a system failure. -* **High Availability**\ - Critical systems will be designed for high availability to minimize downtime. -* **Cloud Services**\ - Cloud services will be used to provide redundancy and disaster recovery capabilities. -* **Emergency Communications**\ - Emergency communication protocols will be established to enable communication with employees, customers, and vendors in the event of a disaster. - -## Business Impact Analysis - -A Business Impact Analysis will be conducted to identify critical business functions, dependencies, and recovery time objectives (RTO) and recovery point objectives (RPO) for each function. - -Rocket.Chat maintains a list of all systems, including a rating of their criticality on our business processes. This criticality is mostly based on tolerable downtime. The criticality ratings are defined in specific DR documents. Criticality ratings to a system may be adjusted on a case-by-case basis where the circumstances justify the adjustment. Rocket.Chat also runs a risk management program to identify and manage risks, including risks of a disaster occurency. - -You can find the asset list [here](https://docs.google.com/spreadsheets/d/1Fmei\_-OGpXvUwsHzd8K87ke-CgCLOGpzerrPEQo9e0Q). - -## Risk Assessment - -A Risk Assessment will be conducted to identify potential hazards and threats to Rocket.Chat operations and systems. The assessment will include a review of physical security, environmental risks, and cyber threats. 
- +The purpose of our policy is to outline the components and steps necessary to ensure the continuity of Rocket.Chat operations in the event of a disaster or disruptive event. +## Business Continuity -## Disaster Recovery: +The components and steps necessary for ensuring continuity of Rocket.Chat services are the following: -In case of a disaster, we will form an incident response team consisting of the respective members of our management team, security and other individuals, depending on the type of disaster. The members of the team will communicate using Rocket.Chat - or where this is not possible - email or phone. We will inform all affected employees via the Rocket.Chat channel "important" or others where relevant. In case the disaster has taken down the rocket.chat servers, we will notify via email or - where warranted - contact you via the phone numbers you have given us during on-boarding. The incident response team will also ensure that affected customers are informed via the proper methods. +* Risk Assessment +* Business Impact Analysis +* Business Continuity Plan +* Backup Policy +* Disaster Recovery Planning +* Disaster Recovery Team +* Disaster prevention +* Disaster Recovery Response +* Testing -Refer to the the [Incident Response Plan](https://docs.google.com/document/d/17yZJ9oP3OJl3oWYTSNKNeXy54OEr7dn3ldpDKi52Ksc/edit#heading=h.wytzxqmvrwlq) +## Policy -## Testing: +For details, check our [Business Continuity and Disaster Recovery policy](https://app.gitbook.com/o/-M41dOPtnjO7qK6KCyrt/s/-M7iRWz196Rdn-5pW5QY/\~/changes/1876/security/security-policies/security-policy/business-continuity-and-disaster-recovery) in the internal handbook -Annually, we test our business continuity and disaster recovery capabilities. The scope and method of testing are related to our risk management process and decided by management. The results of these tests are shared in the company and may lead to updates to this policy. 
diff --git a/departments-operations/security/security-policy/cryptography-and-key-management.md b/departments-operations/security/security-policy/cryptography-and-key-management.md index 6f0db07..99b28f5 100644 --- a/departments-operations/security/security-policy/cryptography-and-key-management.md +++ b/departments-operations/security/security-policy/cryptography-and-key-management.md @@ -1,3 +1,7 @@ +--- +description: This policy applies to all employees and contractors. +--- + # Cryptography and Key management Cryptographic requirements are adressed in the other parts of the subpolicies and must follow the general principles as described by [OWASP](https://www.owasp.org/index.php/Guide\_to\_Cryptography) Cryptography in our products will be described in the product documentation. diff --git a/departments-operations/security/security-policy/data-classification-and-management/README.md b/departments-operations/security/security-policy/data-classification-and-management/README.md index ad175ad..3a50b8e 100644 --- a/departments-operations/security/security-policy/data-classification-and-management/README.md +++ b/departments-operations/security/security-policy/data-classification-and-management/README.md 
@@ -1,23 +1,22 @@ --- -description: >- - Purpose: Ensure that data is classified and handled appropriately and securely - throughout its lifecycle, reducing the risk of data breaches, protecting - sensitive data, and ensuring compliance. +description: This policy applies to all employees and contractors. --- # Data Classification and Management +## Purpose +Ensure that data is classified and handled appropriately and securely throughout its lifecycle, reducing the risk of data breaches, protecting sensitive data, and ensuring compliance. -Scope: This data classification policy applies to all data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). +## Scope + +This data classification policy applies to all data and to all user-developed data sets and systems that may access these data, regardless of the environment where the data reside (including cloud systems, servers, personal computers, mobile devices, etc.). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, CD, etc.) or the form they may take (text, graphics, video, voice, etc.)\ \ Note: Your private opinion, e.g. what you share on social media under your personal name, is not in scope of this policy. You should always make clear if you are posting in the name of Rocket.Chat or privately, if the context leaves room for ambiguity. - - -### Types of data handled within our organization +## Types of data handled within our organization There are a variety of data types handled within Rocket.Chat, such as personal data, financial data, intellectual property, confidential data, etc. and for each system or repository within our [Asset Register](https://docs.google.com/spreadsheets/d/1Fmei\_-OGpXvUwsHzd8K87ke-CgCLOGpzerrPEQo9e0Q), data must be identified and classified according to the following types: 
@@ -34,12 +33,11 @@ There are a variety of data types handled within Rocket.Chat, such as personal d -### Data Classification and Handling +## Data Classification and Handling -#### For in-house and third-party applications - -All data stored within our applications (in-house and third-party) shall be classified based on its sensitivity level.\ +### For in-house and third-party applications +All data stored within our applications (in-house and third-party) shall be classified based on its sensitivity level. * Public data: This type of data is freely accessible to the public (i.e. all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. An example might be first and last names, job descriptions, or press releases. * Internal-only data: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc. @@ -52,9 +50,7 @@ The handling requirements for each category consist of access controls to ensure For Google Docs, refer to [Google docs data classification](google-docs-data-classification.md) session -#### - -#### User-developed data (Internal files and documents, email content, …) +### User-developed data (Internal files and documents, email content, …) As a Rocket.Chat employee or contractor, all data created, modified, received or otherwise processed in connection with Rocket.Chat, must be handled confidentially and protected according to the risk related to it. (Confidential Data). Your NDA includes more details on what is considered confidential and what not. We do not distinguish between various levels of confidentiality (like secret, top secret, super secret, ...). 
@@ -73,7 +69,7 @@ Note: Other handling and marking methods depending on tools and systems you use Please keep in mind that Data minimization is a critical component of our data management policy. We strive to collect and share only the minimum amount of data necessary to achieve our business objectives. We encourage all employees and stakeholders to exercise caution when sharing data and to consider the need for and appropriateness of data sharing before doing so. -### Documentation and Approval +## Documentation and Approval You can write and find documentation, procedures and guidelines in different sourcers across the organization, such as @@ -95,7 +91,7 @@ You can do it by clicking on **File -> Approvals** and then **Make a request** o If you don't want the file to be altered after sending the request, check the appropriate box. Remember that any change on the document will reset the approval and make it lost its integrity assurance. -### Deletion of data +## Deletion of data Once data is considered no longer necessary, it should be deleted. Keep in mind that we are required to keep certain data for a minimum or maximum amount of time (e.g. due to legal or regulatory requirements) - In such cases, we will ensure that appropriate measures are taken to secure the data and minimize the risk of harm to individuals. If you have any questions or concerns about the sharing of data, please send a request to privacy@rocket.chat for review and guidance. diff --git a/departments-operations/security/security-policy/remote-work.md b/departments-operations/security/security-policy/remote-work.md index 69a0d5b..30240dd 100644 --- a/departments-operations/security/security-policy/remote-work.md +++ b/departments-operations/security/security-policy/remote-work.md 
@@ -1,14 +1,16 @@ --- -description: Remote Work Security Policy for Rocket.Chat +description: >- + Remote Work Security Policy for Rocket.Chat - this policy applies all + employees and contractors. --- # Remote work -#### Purpose +## Purpose The purpose of this policy is to ensure that Rocket.Chat employees who work remotely maintain the confidentiality, integrity and availability of company assets, data and information. This policy outlines the security guidelines, clear screen and security requirements for remote workers to follow. -#### **Rules** +## **Rules** 1. Confidentiality: Remote workers must maintain the confidentiality of company data, information, and assets by following the company's data protection policies. This includes keeping passwords and sensitive information secure and not sharing it with unauthorized parties. 2. Theft of assets: Employees who work remotely must ensure that their work equipment and assets are secure and protected from theft. This includes using password-protected screensavers, locking their workstations when not in use, applying full encryption on the working device and reporting any loss or theft of assets immediately. @@ -22,9 +24,7 @@ The purpose of this policy is to ensure that Rocket.Chat employees who work remo By following these rules and guidelines, Rocket.Chat employees who work remotely can ensure the security of company assets, data and information, and protect the company from security breaches and data losses. - - -#### Additional information and recommendations +## Additional information and recommendations Here you can find guidelines on how to protect your home network: diff --git a/departments-operations/security/security-policy/supplier-relationship.md b/departments-operations/security/security-policy/supplier-relationship.md index 4d61231..28485d8 100644 --- a/departments-operations/security/security-policy/supplier-relationship.md 
+++ b/departments-operations/security/security-policy/supplier-relationship.md @@ -27,6 +27,8 @@ The questionnaire template can be found [here](https://docs.google.com/spreadshe Note: If you have questions whether the questionnaire should be sent to a vendor or not, please contact Compliance or Security teams. +The provision of SOC 2 Type II reports by the vendors may exclude the need of filling out the Vendor Risk Assessment Questionnaire. + #### Supplier compliance: Supplier compliance is assessed on a risk-based approach and against the requirements of our security policies. Suppliers must demonstrate the same level of compliance for their supply chain.
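Review bot: in the first security-policy.md hunk shown here (`-## Incident Management` / `+### Incident Management`), the heading demotion is applied inconsistently across the file: Incident Management, Business Continuity and Disaster Recovery, Procurement and Supplier Relationship become `###` in this and the following hunk, while Security Awareness and Training, Auditing and Compliance and Enforcement stay at `##`. Either keep all sibling policy sections at `##` or demote all of them, so the GitBook table of contents does not nest half the sections one level below the others.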
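Review bot: in the security-policy.md hunk at `@@ -162,26 +206,40 @@`, two new sentences refer to documents without linking them: `+In addition to that we also have in place an Incident Communication protocol available in this link.` contains no link, and `meets the recommendations outlined in our Information Security Requirements guide.` in the Procurement section has none either and is followed by a stray `\`; add the URLs or page names, and drop the lone `\` that also ends the hunk. The same Procurement rewrite replaces the former requirement `All Systems procured must comply with defined information security requirements` with `it is recommended that you check`; if the requirements are still mandatory, keep `must comply` so the policy does not read as optional. In the Auditing paragraph, `delegated to another individual with such conflict` is carried over from the old text and should read `without such conflict`.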
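Review bot: in the access-control.md frontmatter hunk, `+  internal systems within the organization. This policy applies to all.` stops short of saying whom it applies to; every other file in this patch uses `This policy applies to all employees and contractors.`, so complete the sentence the same way.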
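Review bot: in the business-continuity-and-disaster-recovery.md hunk, the new link `/\~/changes/1876/security/security-policies/security-policy/business-continuity-and-disaster-recovery` points at a GitBook change request, not at the published internal page, and will stop resolving once change 1876 is merged; link the merged page instead. The hunk also removes the entire public description of the plan (Disaster Recovery Team, prevention controls, Business Impact Analysis with RTO/RPO, the disaster response communication path and the annual testing commitment) and replaces it with a bare list of component names. If the details are meant to live in the internal handbook, consider keeping the one-line commitments (annual testing, offsite backups, notification via the `important` channel with email or phone fallback) in the public page so employees without internal access still see them. `The purpose of our policy` should also match the `this policy` wording used in the other files.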
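Review bot: in the data-classification-and-management/README.md hunk at `@@ -1,23 +1,22 @@`, `+## Purpose` is immediately followed by `+Ensure that data is classified and handled appropriately...` with no blank line, while `## Scope` below gets one; add the blank line so the heading and paragraph render separately. The next hunk has the same issue at `+### For in-house and third-party applications` followed directly by `+All data stored within our applications`.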
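Review bot: in the remote-work.md frontmatter hunk, `+  Remote Work Security Policy for Rocket.Chat - this policy applies all` is missing `to` (`this policy applies to all employees and contractors`). The description also restates the page title; the other files in this patch use the shorter `This policy applies to all employees and contractors.` form, which would keep the descriptions uniform.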
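Review bot: in the supplier-relationship.md hunk, `+The provision of SOC 2 Type II reports by the vendors may exclude the need of filling out the Vendor Risk Assessment Questionnaire.` waives the questionnaire on mere provision of a report; state that the report must be reviewed (audit period covering the current engagement, in-scope systems matching the service Rocket.Chat uses, noted exceptions and complementary user entity controls, bridge letter if the period has lapsed) and who in Security or Compliance approves the waiver, otherwise a stale or narrowly scoped report can bypass the assessment. Wording: `may remove the need to fill out`.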