Information classification policy
To understand its potential exposure from a security risk, issue or incident, Tailscale regularly catalogues and classifies its data and other in-scope assets, in order to apply risk-based controls.
Assets are anything that has value to the organization, including, but not limited to, customer data, production data, financial data, intellectual property, and any material non-public information.
Tailscale catalogues each asset with several pieces of information to help identify the asset's potential risk. The information collected is as follows:
- Description, i.e. what is the asset?
- Risk, i.e. what is the asset risk classification?
- Use, i.e. how is this asset used?
- Location, i.e. where is it stored, used, and backed up?
- Sharing, i.e. is it shared with any third parties, such as vendors? Which specific third parties?
Asset risk classification
Tailscale classifies assets into three risk categories: Low Risk, Medium Risk, and High Risk. Definitions are as follows:
When multiple classifications may apply, the highest applicable classification is used. For example, if a machine is low-risk by itself, but can be used to access high-risk data, its overall classification is also high-risk.
Tailscale should review the data it collects and processes, and update the data register, quarterly.