On This Page
Other policies
- Personnel policy
- Information classification policy
- Third party vendor review policy
- Incident disclosure and notification policy
- Incident response policy
- Incident response process
- BCP/DR policy
- Access control policy
- Password policy
- Change management policy
- Testing policy
- Patch management policy
- Data retention and deletion policy
Risk assessment policy
Tailscale reviews risks on a regular basis, to ensure proper mitigations are in place.
Scope
This policy covers any risk that could affect confidentiality, availability, and integrity of Tailscale’s key information assets and systems.
Risk assessments can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.
Risk assessment
The Security Review Team is responsible for completing periodic information security risk assessments for the purpose of determining areas of vulnerability, and to identify and initiate appropriate remediations.
A risk register should include:
- Identification of the risk
- What mitigations have been put in place
- Acceptance of the residual risk
The execution, development and implementation of remediation programs is the joint responsibility of the Security Review Team. Employees are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. Employees are further expected to work with the Security Review Team in the development and implementation of a remediation plan.
Schedule
Risks should be evaluated on an annual basis.