# Business Operations

#### In this section

- [Finance](#finance)
- [BizOps](#bizops)
- [Security](#security)

## Finance

#### Monthly accounting

Create a new issue for the current month and year named "Closing out YYYY-MM" using the [monthly accounting issue template](https://github.com/fleetdm/confidential/blob/main/.github/ISSUE_TEMPLATE/5-monthly-accounting.md) in GitHub and complete all of the tasks in the issue.

#### Commission payroll

- Update the [commission calculator](https://docs.google.com/spreadsheets/d/1vw6Q7kCC7-FdG5Fgx3ghgUdQiF2qwxk6njgK6z8_O9U/edit) with new revenue from any deals that are closed/won (have a subscription agreement signed by both parties) and have an **effective start date** within the previous month.
- Find detailed notes on this process in [Notes - Run commission payroll in Gusto](https://docs.google.com/document/d/1FQLpGxvHPW6X801HYYLPs5y8o943mmasQD3m9k_c0so/edit#).
- Contact Charlie Chance in Slack and let her know she can run the commission payroll. Use the off-cycle payroll option in Gusto. Be sure to classify the payment as "Commission" in the "other earnings" field and not the generic "Bonus."
- Once commission payroll has been run, update the [commission calculator](https://docs.google.com/spreadsheets/d/1vw6Q7kCC7-FdG5Fgx3ghgUdQiF2qwxk6njgK6z8_O9U/edit) to mark the commission as paid.

#### Annual reporting for capital credit line

- Within 60 days of the end of the year:
  - Provide Silicon Valley Bank (SVB) with our balance sheet and profit and loss statement (P&L, sometimes called a cashflow statement) for the past twelve months.
  - Provide SVB with our annual operating budgets and projections (on a quarterly basis) for the coming year.
- Deliver this as early as possible in case they have questions.

#### Quarterly Quickbooks Online (QBO) check

- Check to make sure [bookkeeping quirks](https://docs.google.com/spreadsheets/d/1nuUPMZb1z_lrbaQEcgjnxppnYv_GWOTTo4FMqLOlsWg/edit?usp=sharing) are all accounted for and resolved or in progress toward resolution.
- Check balance sheet and profit and loss statements (P&Ls) in QBO against the [monthly workbooks](https://drive.google.com/drive/folders/1ben-xJgL5MlMJhIl2OeQpDjbk-pF6eJM) in Google Drive.

#### Spending company money

As we continue to expand our company policies, we use [GitLab's open expense policy](https://about.gitlab.com/handbook/spending-company-money/) as a guide for company spending. In brief, this means that as a Fleet team member, you may:

* Spend company money like it is your own money.
* Be responsible for what you need to purchase or expense to do your job effectively.
* Feel free to make purchases __in the company's interest__ without asking for permission beforehand (when in doubt, do __inform__ your manager prior to purchase or as soon as possible after the purchase).

For more developed thoughts about __spending guidelines and limits__, please read [GitLab's open expense policy](https://about.gitlab.com/handbook/spending-company-money/).

#### Attending conferences or company travel

When attending a conference or traveling for Fleet, please make a post in [#help-brex](https://fleetdm.slack.com/archives/C0396TYH4EP) on Slack with the following information:

- The start and end dates for your trip.
- The price of your flight (feel free to optimize a direct flight if there is one that is less than double the price of the cheapest non-direct flight).
- The price of your hotel per night (dry cleaning is allowable if the stay is over 3 days).
- The price of the admission fees if attending a conference.
- $100 allowance per day for food and beverage **(please use your personal credit card for movies, mini bars, and entertainment, except when entertaining guests who contribute actively in code/community on a quarterly basis, or who are Salesforce contacts on an open, qualified opportunity with a budget of at least $160k+ ΔARR)**.
- Customer/Partner Facing Events:
  - Gala/Black Tie Events: Tuxedo or Gown Rental, $150-$225 USD per event is reimbursable. **(The event must be customer specific and the invitation must state black tie only)**.

The monthly limit on your Brex card will be increased temporarily as necessary to accommodate the increased spending associated with the conference. We highly recommend you order a physical Brex card if you do not have one before attending the conference.

#### Non-travel purchases that exceed a Brex cardholder's limit

For non-travel purchases that would require an increase in the Brex cardholder's limit, please make a post in [#g-business-operations](https://fleetdm.slack.com/archives/C047N5L6EGH) on Slack with the following information:

- The nature of the purchase (i.e., SaaS subscription and what it's used for).
- The cost of the purchase and whether it is a fixed or variable (i.e., use-based) cost.
- Whether it is a one-time purchase or a recurring purchase, and at what frequency the purchase will recur (annually, monthly, etc.).
- If there are more ideal options to pay for the purchase (e.g., bill.com, the Fleet AP Brex card, etc.), that method will be used instead.
  - In general, recurring purchases such as subscription services that will continually stretch the spend limit on a cardholder's Brex card should be paid through other means.
  - For one-time purchases where payment via credit card is the most convenient, the card limit will be temporarily increased to accommodate the purchase.

## BizOps

#### Zoom

We use [Zoom](https://zoom.us) for virtual meetings at Fleet, and it is important that every team member feels comfortable hosting, joining, and scheduling Zoom meetings.

By default, Zoom settings are the same for all Fleet team members, but you can change your personal settings on your [profile settings](https://zoom.us/profile/setting) page. Settings that have a lock icon next to them have been locked by an administrator and cannot be changed. Zoom administrators can change settings for all team members on the [account settings page](https://zoom.us/account/setting) or for individual accounts on the [user management page](https://zoom.us/account/user#/).

#### Gong

Capturing video from meetings with customers, prospects, and community members outside the company is an important part of building world-class sales and customer success teams and is a widespread practice across the industry. At Fleet, we use Gong to capture Zoom meetings and share them company-wide if a team member with a Gong license attends certain meetings, generally those with at least one person from outside of Fleet in attendance. While some other Fleeties may have a Gong seat if it becomes necessary in their work, the typical use case at Fleet is for employees on the company's sales, customer success, or customer support teams.

You should be notified anytime you join a recorded call with an audio message announcing "this meeting is being recorded" or "recording in progress." To stop a recording, the host of the call can press "Stop." If the call has external participants and is recorded, the call is stored in Gong for future use.

In order to use Gong, the Zoom call must be hosted by someone with a Fleet email address. You cannot use Gong to record calls hosted by external parties. To access a recording saved in Gong, visit [app.gong.io](https://app.gong.io) and sign in with SSO.

Everyone at Fleet has access, whether they have a Gong seat or not, and you can explore and search through any uploaded call transcripts unless someone marks them as private (though the best practice would be not to record any calls you don't want to be captured). If you ever make a mistake and need to delete something, you can delete the video in Gong or reach out to Nathan Holliday or Mike McNeil for help. They will delete it immediately without watching the video. Note that any recording stopped within 60 seconds of the start of the recording is not saved in Gong, and there will be no saved record of it.

Cloud recording in Zoom has to be turned on and unlocked company-wide for Gong to function properly. Because of this, there is a chance that some Gong recordings may still be saved in Zoom's cloud storage even if they aren't uploaded into Gong. To counter this, Nathan Holliday will periodically delete all recordings found in Zoom's storage without viewing them.

Most folks at Fleet should see no difference in their meetings if they aren't interfacing with external parties. If you have a Gong seat, or are scheduling a call with an attendee who has one, and do not wish for your Zoom call with an external party to be recorded, certain words and phrases in the Zoom call title will disable the Gong recording for the call. Some commonly used words that disable Gong are "1 on 1", "1:1", "confidential", "interview", "internal" and "no shadows". A complete list can be found [here](https://docs.google.com/document/d/1OOxLajvqf-on5I8viN7k6aCzqEWS2B24_mE47OefutE/edit?usp=sharing). If you need words added to the list of exclusionary words, please reach out to Nathan Holliday.

We have excluded anyone with an email domain from @cooley.com or @formationfinancial.com from Gong's recording feature. These are professional services firms working with Fleet on internal matters, and calls with them are considered internal.

Our goal in using Gong and recording calls is to capture insights from sales, customer, and community meetings and improve how we position and sell our product. We never intend to make anyone uncomfortable, and we hope you reach out to our DRI for Gong, Nathan Holliday, or Mike McNeil if you have questions or concerns.

If you need help using Gong, please check out Gong Academy at [https://academy.gong.io/](https://academy.gong.io/).

#### Slack

At Fleet, we do not send internal emails to each other. Instead, we prefer to use Slack to communicate with other folks who work at Fleet.

We use threads in Slack as much as possible. Threads help limit noise for other people following the channel and reduce notification overload.

We configure our [working hours in Slack](https://slack.com/help/articles/360025054173-Set-up-Slack-for-work-hours-) to make sure everyone knows when they can get in touch with others.

#### Zapier and DocuSign

We use Zapier to automate how completed DocuSign envelopes are formatted and stored. This process ensures we store signed documents in the correct folder and that filenames are formatted consistently.

When the final signature is added to an envelope in DocuSign, it is marked as completed and sent to Zapier, where it goes through these steps:

1. Zapier sends the following information about the DocuSign envelope to our Hydroplane webhook:
   - **`emailSubject`** - The subject of the envelope sent by DocuSign. Our DocuSign templates are configured to format the email subject as `[type of document] for [signer's name]`.
   - **`emailCsv`** - A comma-separated list of signers' email addresses.
2. The Hydroplane webhook matches the document type to the correct Google Drive folder, orders the list of signers, creates a timestamp, and sends that data back to Zapier as:
   - **`destinationFolderID`** - The slug for the Google Drive folder where we store this type of document.
   - **`emailCsv`** - A sorted list of signers' email addresses.
   - **`date`** - The date the document was completed in DocuSign, formatted YYYY-MM-DD.
3. Zapier uses this information to upload the file to the matched Google Drive folder, with the filename formatted as `[date] - [emailSubject] - [emailCsv].PDF`.
4. Once the file is uploaded, Zapier uses the Slack integration to post in the #peepops channel with the message:

   ```
   Now complete with all signatures: [email subject]
   link: drive.google.com/[destinationFolderID]
   ```

#### Salesforce

We consider Salesforce to be our Rolodex for customer information. During the onboarding process, you may need to add a license for the new hire. Here are the steps we take:

1. Go to "Your account."
2. View contracts -> pick current contract.
3. Add the number of licenses.
4. Sign the DocuSign sent to the email.
5. The order will be processed in ~30m.

## Security

#### In this section

- [Security policies](#security-policies)
- [Account recovery process](#account-recovery-process)
- [How we protect end-user devices](#how-we-protect-end-user-devices)
- [Hardware security keys](#hardware-security-keys)
- [GitHub security](#github-security)
- [Google Workspace security](#google-workspace-security)
- [Vulnerability management](#vulnerability-management)
- [Trust report](#trust-report)

## Security policies

Security policies are the foundation of our security program and guide team members in understanding the who, what, and why regarding security at Fleet.

For information about each of our security policies, see:

- [Information security policy, and acceptable use policy](./security-policies.md#information-security-policy-and-acceptable-use-policy)
- [Access control policy](./security-policies.md#access-control-policy)
- [Asset management policy](./security-policies.md#asset-management-policy)
- [Business continuity and disaster recovery policy](./security-policies.md#business-continuity-and-disaster-recovery-policy)
- [Data management policy](./security-policies.md#data-management-policy)
- [Encryption policy](./security-policies.md#encryption-policy)
- [Human resources security policy](./security-policies.md#human-resources-security-policy)
- [Incident response policy](./security-policies.md#incident-response-policy)
- [Operations security and change management policy](./security-policies.md#operations-security-and-change-management-policy)
- [Risk management policy](./security-policies.md#risk-management-policy)
- [Secure software development and product security policy](./security-policies.md#secure-software-development-and-product-security-policy)
- [Security policy management policy](./security-policies.md#security-policy-management-policy)
- [Third-party management policy](./security-policies.md#third-party-management-policy)

## Account recovery process

As an all-remote company, we do not have the luxury of seeing each other or being able to ask for help in person. Instead, we require live video confirmation of someone's identity before performing recovery, and this applies to all Fleet company accounts, from internal systems to SaaS accounts.

| Participant | Role |
| ----------- | ---- |
| Requester | Requests recovery for their own account |
| Recoverer | Person with access to perform the recovery who monitors *#help-login* |
| Identifier | Person that visually identifies the requester in a video call. The identifier can be the recoverer or a person the recoverer can recognize visually |

Here are the steps we take for the recovery process:

1. If the requester still has access to Slack, they ask for help in *#help-login*. If they do not have access to Slack, they can contact their manager or a teammate over the phone via voice or texting, and they will post in *#help-login* for the requester.
2. A recoverer acknowledges the request in *#help-login* using the "eyes" emoji 👀.
3. The recoverer identifies the requester through a live video call.
   * If the recoverer does not know the requester well enough to positively identify them visually, the recoverer can ask a colleague whom they recognize to act as the identifier. **All three must be live on a video call at the same time.**
   * For example, if the recoverer does not recognize Guillaume but can recognize Zach, they should ask Zach to identify Guillaume. Using the requester's manager or a direct teammate is recommended, as it increases the chances they frequently see each other on video.
4. If the recoverer recognizes the requester or has the identity confirmed by the person acting as the identifier, they can perform the recovery and update the thread in *#help-login*.
   * If the recoverer is not 100% satisfied with identification, they do **NOT** proceed and post to #g-security to engage the security team immediately.

## How we protect end-user devices

At Fleet, we believe that a good user experience empowers contributors. We follow the guiding principles below to secure our company-owned devices.

* Our devices should give contributors the freedom to work from anywhere.
* To allow maximum freedom in where and how we work, we assume that "safe" networks do not exist. Contributors should be able to work on a coffee shop's Wi-Fi as if it were their home or work network.
* To limit the impact on user experience, we do not dictate security configurations unless the security benefit is significant (only if it dramatically reduces the risk for the company, customers, or open source users).
* By using techniques such as Two-Factor Authentication (2FA), code reviews, and more, we can further empower contributors to work comfortably from anywhere, on any network.

### macOS devices

> *Find more information about the process of implementing security on the Fleet blog. The first [Tales from Fleet security: securing the startup](https://blog.fleetdm.com/tales-from-fleet-security-securing-the-startup-448ea590ea3a) article covers the process of securing our laptops.*

We use configuration profiles to standardize security settings for our Mac devices. We use the [CIS Benchmark for macOS 12](https://www.cisecurity.org/benchmark/apple_os) as our configuration baseline and adapt it to

* suit a remote team.
* balance the need for productivity and security.
* limit the impact on the daily use of our devices.

> *Note: Details of your Mac's configuration profile can be viewed anytime from the **Profiles** app under **System Preferences**.*

Our policy applies to Fleet-owned laptops purchased via Apple's DEP (Device Enrollment Program) and will retroactively be applied to every company-owned Mac. It consists of the settings below.

#### Enabling automatic updates

| # | Setting |
| --- | ------- |
| 1.1 | Ensure all Apple-provided software is current |
| 1.2 | Ensure auto-update is enabled |
| 1.4 | Ensure installation of app updates is enabled |
| 1.5 | Ensure system data files and security updates are downloaded automatically is enabled |
| 1.6 | Ensure install of macOS updates is enabled |

*Note: the setting numbers included in the tables throughout this section are the recommended numbers from the CIS Benchmark for macOS 12 document referenced above.*

**Why?**

Keeping software up-to-date helps to improve the resilience of our Mac fleet. Software updates include security updates that fix vulnerabilities that could otherwise be exploited. Browsers, for example, are often exposed to untrusted code, have a significant attack surface, and are frequently attacked.

macOS includes [malware protection tools](https://support.apple.com/en-ca/guide/security/sec469d47bd8/web) such as *XProtect*, an antivirus technology based on [YARA](https://github.com/VirusTotal/yara), and MRT (Malware Removal Tool), a tool built by Apple to remove common malware from systems that are infected.

By enabling these settings, we:

* Ensure the operating system is kept up to date.
* Ensure XProtect and MRT are as up-to-date as possible.
* Ensure that Safari is kept up to date.

This improves the resilience of our Mac fleet.

**User experience impacts**

* Updates are required, which can be disruptive. For this reason, we allow the user to **postpone the installation five times**.
* Critical security updates are automatically downloaded, which could result in bandwidth use on slow or expensive links. For this reason, we limit automatic downloads to critical security updates only, while feature updates, which are typically larger, are downloaded at the time of installation selected by the user.
* Enforced updates **do not** include significant macOS releases (e.g., 11➡️12). Those updates are tracked and enforced separately, as the impact can be more significant. We require installing the latest macOS version within three months of release or when known vulnerabilities remain unpatched on the older version.

#### Time and date

| # | Setting |
| ----- | ------- |
| 2.2.1 | Ensure "Set time and date automatically" is enabled |

**Why?**

An accurate time is important for two main reasons:

1. Authentication. Many authentication systems like [Kerberos](https://en.wikipedia.org/wiki/Kerberos_(protocol)) and [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) require the time between clients and servers to be [close](http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html). Keeping accurate time allows those protocols to prevent attacks that leverage old authentication sessions.
2. Logging. Performing troubleshooting or incident response is much easier when all the logs involved have close to perfectly synchronized timestamps.

**User experience impact**

* Minimal. Inability to set the wrong time. Time zones remain user-configurable.

#### Passwords

| # | Setting |
| ----- | ------- |
| 5.2.2 | Ensure minimum password length is configured (our minimum: eight characters) |
| 5.2.3 | Ensure complex password must contain alphabetic characters is configured |
| 5.8 | Ensure a password is required to wake the computer from sleep or screen saver is enabled |

**Why?**

This category of settings is unique because there are more settings that we do *not* configure than those we do.
We follow the CIS benchmark where it makes sense and, in this case, take guidance from [NIST SP800-63B - Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), especially [Appendix A - Strength of Memorized Secrets](https://pages.nist.gov/800-63-3/sp800-63b.html#appA).

* We do NOT enforce special complexity beyond requiring letters to be in the password. Length is the most important factor when determining a secure password; enforcing password expiration, special characters and other restrictive patterns is not as effective as previously believed and provides little benefit at the cost of hurting the user experience.
* We do NOT enforce exceptionally long passwords. As we use recent Macs with T2 chips or Apple Silicon, brute-force attacks against the hardware are [mitigated](https://www.apple.com/mideast/mac/docs/Apple_T2_Security_Chip_Overview.pdf).
* We DO require passwords to be a minimum of eight characters long with letters. Since we can't eliminate the risk of passwords being cracked remotely, this is a length reasonably hard to crack over the network and the minimum recommendation by SP800-63B.

**User experience impact**

* A password is required to boot and unlock a laptop. Touch ID and Apple Watch unlock are allowed, and we recommend using a longer password combined with Touch ID or Apple Watch to reduce password annoyances throughout the day.

#### Disabling various services

| # | Setting |
| ------ | ------- |
| 2.4.2 | Ensure internet sharing is disabled |
| 2.4.4 | Ensure printer sharing is disabled |
| 2.4.10 | Ensure content caching is disabled |
| 2.4.12 | Ensure media sharing is disabled |
| 6.1.4 | Ensure guest access to shared folders is disabled |

**Why?**

* Any service listening on a port expands the attack surface, especially when working on unsafe networks, to which we assume all laptops are connected.
* Laptops with tunnels connecting to internal systems (TLS tunnel, SSH tunnel, VPN) or multiple network interfaces could be turned into a bridge and exposed to an attack if internet sharing is enabled.
* Guest access to shared data could lead to accidental exposure of confidential work files.

**User experience impacts**

* The inability to use the computer as a server to share internet access, printers, content caching of macOS and iOS updates, and streaming iTunes media to devices on the local network.
* File shares require an account.

#### Encryption, Gatekeeper, and firewall

| # | Setting |
| ------- | ------- |
| 2.5.1.1 | Ensure FileVault is enabled |
| 2.5.2.1 | Ensure Gatekeeper is enabled |
| 2.5.2.2 | Ensure firewall is enabled |
| 2.5.2.3 | Ensure firewall Stealth Mode is enabled |
| 3.6 | Ensure firewall logging is enabled and configured |

**Why?**

* Using FileVault protects the data on our laptops, including confidential data and session material (browser cookies), SSH keys, and more. Using FileVault makes sure a lost laptop is a minor inconvenience and not an incident. We escrow the keys to be sure we can recover the data if needed.
* [Gatekeeper](https://support.apple.com/en-ca/HT202491) is a macOS feature that makes sure users can safely open software on their Mac. With Gatekeeper enabled, users may execute only trustworthy apps (signed by the software developer and/or checked for malicious software by Apple). This is a useful first line of defense to have.
* Using the firewall will make sure that we limit the exposure of our devices, while stealth mode makes them more challenging to discover.
* Firewall logging allows us to troubleshoot and investigate whether the firewall blocks applications or connections.

**User experience impacts**

* Due to FileVault's encryption process, a password is needed as soon as the laptop is turned on, instead of once it has booted.
* There is no performance impact, as macOS encrypts the system drive by default.
* With Gatekeeper enabled, unsigned or unnotarized (not checked for malware by Apple) applications require extra steps to execute.
* With the firewall enabled, unsigned applications cannot open a firewall port for inbound connections.

#### Screen saver and automatic locking

| # | Setting |
| ----- | ------- |
| 2.3.1 | Ensure an inactivity interval of 20 minutes or less for the screen saver is enabled |
| 6.1.2 | Ensure show password hint is disabled |
| 6.1.3 | Ensure guest account is disabled |
| NA | Prevent the use of automatic login |

**Why?**

* Fleet contributors are free to work from wherever they choose. Automatic login exposes sensitive company data and poses a critical security risk if a laptop is lost or stolen.
* Password hints can sometimes be easier to guess than the password itself. Since we support contributors remotely via MDM and do not require users to change passwords frequently, we eliminate the need for password hints and their associated risk.
* Since company laptops are issued primarily for work and tied to a single contributor's identity, guest accounts are not permitted.
* Automatic login would defeat the purpose of even requiring passwords to unlock computers.

**User experience impacts**

* Laptops lock after 20 minutes of inactivity. To voluntarily pause this, a [hot corner](https://support.apple.com/en-mo/guide/mac-help/mchlp3000/mac) can be configured to disable the screen saver. This is useful if you are, for example, watching an online meeting without moving the mouse and want to be sure the laptop will not lock.
* Forgotten passwords can be fixed via MDM instead of relying on potentially dangerous hints.
* Guest accounts are not available.

#### iCloud

We do not apply ultra-restrictive Data Loss Prevention style policies to our devices.
Instead, by using our company Google Drive, we make sure that the most critical company data never reaches our laptops, so it can remain secure while our laptops can remain productive.

| # | Setting |
| ------- | ------- |
| 2.6.1.4 | Ensure iCloud Drive Documents and Desktop sync is disabled |

**Why?**

* We do not use managed Apple IDs and allow contributors to use their own iCloud accounts. We disable iCloud Documents and Desktop sync to avoid accidentally copying data to iCloud, but we do allow iCloud Drive.

**User experience impact**

* iCloud remains permitted, but the Desktop and Documents folders will not be synchronized. Make sure you put your documents in our Google Drive, so you do not lose them if your laptop has an issue.

#### Miscellaneous security settings

| # | Setting |
| ----- | ------- |
| 2.5.6 | Ensure limit ad tracking is enabled |
| 2.10 | Ensure secure keyboard entry Terminal.app is enabled |
| 5.1.4 | Ensure library validation is enabled |
| 6.3 | Ensure automatic opening of safe files in Safari is disabled |

**Why?**

* Limiting ad tracking has privacy benefits and no downside.
* Protecting keyboard entry into Terminal.app could prevent malicious or non-malicious but inappropriate applications from receiving passwords.
* Library validation makes sure that an attacker can't trick applications into loading a software library in a different location, leaving it open to abuse.
* Safari opening files automatically can lead to negative scenarios where files are downloaded and automatically opened in another application. Though the setting relates to files deemed "safe," it includes PDFs and other file formats where malicious documents exploiting vulnerabilities have been seen before.

**User experience impact**

* There is minimal to no user experience impact for these settings.
  However, applications used to create custom keyboard macros will not receive keystrokes when Terminal.app is the active application window.

#### Enforce DNS-over-HTTPS (DoH)

| # | Setting |
| -- | ------- |
| NA | Enforce [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) |

**Why?**

* We assume that no network is "safe." Therefore, DNS queries could be exposed and leak private data. An attacker on the same wireless network could see DNS queries, determine who your employer is, or even intercept them and [respond with malicious answers](https://github.com/iphelix/dnschef). Using DoH protects the DNS queries from eavesdropping and tampering.
* We use Cloudflare's DoH servers with basic malware blocking. No censorship should be applied on these servers, except towards destinations known as malware-related.

**User experience impacts**

* Some misconfigured "captive portals," typically used in hotels and airports, might be unusable with DoH due to how they are configured. This can be worked around by using the hotspot on your phone, and if you have to use such a network for an extended period of time, there are usually workarounds that let you connect to it. Navigating to http://1.1.1.1 often resolves the issue.
* If you are trying to reach a site and believe it is being blocked accidentally, please submit it to Cloudflare. This should be extremely rare. If it is not, please let the security team know.
* If your ISP's DNS service goes down, you'll be able to continue working. 😎

*Note: If you are from another organization, reading this to help create your own configuration, remember that implementing DoH in an office environment where other network controls are in place has other downsides than it would for a remote company. **Disabling** DoH makes more sense in those cases so that network controls can retain visibility.
Please evaluate your situation before implementing any of our recommendations at your organization, especially DoH.*

#### Deploy osquery

| # | Setting |
| -- | ------- |
| NA | Deploy [osquery](https://osquery.io/) pointed to our dogfood instance |

**Why?**

We use osquery and Fleet to monitor our own devices. This is used for vulnerability detection, security posture tracking, and incident response when necessary.

#### Deploy Nudge

Keeping operating systems up to date is important to fix known vulnerabilities. This is why we enable automatic updates on macOS, but as that system is neither aggressive nor reliable enough, we also use Nudge to push individuals to update their systems before a deadline.

##### Deploying Nudge

Two packages from the Nudge [releases](https://github.com/macadmins/nudge/releases) must be deployed via MDM.

1. Nudge itself. This is the Nudge executable that displays prompts to update the system.
2. Nudge LaunchAgent. This is the package that contains the automated tasks that make Nudge check if the system is up to date and, if not, show the prompt.

If only Nudge is deployed, nothing will happen on the system, as it will never launch unless triggered manually. The main reason to only install Nudge would be to run it manually for testing purposes, or if some other tool were used to schedule running it. At Fleet, we use the standard LaunchAgent.

We do not bundle any configuration with the Nudge packages themselves.

##### Nudge configuration

Nudge supports multiple configuration modes, but the one we use is via a [profile](https://github.com/fleetdm/confidential/blob/main/mdm_profiles/nudge_configuration.mobileconfig). (Note: our MDM profiles are not public simply because a few of them contain secrets, such as Chrome organization identification strings. Our Nudge profile is extremely similar to the [sample one](https://github.com/macadmins/nudge/blob/main/Example%20Assets/com.github.macadmins.Nudge.mobileconfig).)
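Each macOS release means editing the same three per-release fields in that profile, and a wrong edit (a version that is not newer, or a deadline already in the past) quietly stops Nudge from nudging. The script below is an added example, not Fleet's profile or the Nudge project's code: it bumps `requiredMinimumOSVersion`, `requiredInstallationDate` and `aboutUpdateURLs` in a mobileconfig and refuses both of those mistakes. It assumes the payload layout of the public sample profile (a `com.github.macadmins.Nudge` payload holding an `osVersionRequirements` array, with `aboutUpdateURLs` as a list of `_language`/`aboutUpdateURL` pairs); the embedded profile and its URLs are constructed placeholders.

```python
"""Bump the per-release fields of a Nudge configuration profile (plist).

Added example, not Fleet's profile or the Nudge project's code. The payload
layout (PayloadType com.github.macadmins.Nudge, osVersionRequirements array,
aboutUpdateURLs as {_language, aboutUpdateURL} entries) is assumed from the
public sample profile; the sample values below are constructed placeholders.
"""
import plistlib
from datetime import datetime, timedelta

NUDGE_PAYLOAD_TYPE = "com.github.macadmins.Nudge"

# Constructed minimal profile with one stale requirement (all values made up).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.nudge.profile",   # placeholder identifier
    "PayloadContent": [{
        "PayloadType": NUDGE_PAYLOAD_TYPE,
        "PayloadIdentifier": "com.example.nudge.payload",  # placeholder identifier
        "osVersionRequirements": [{
            "requiredMinimumOSVersion": "13.0.1",
            "requiredInstallationDate": datetime(2023, 1, 15, 0, 0, 0),
            "aboutUpdateURLs": [
                {"_language": "en", "aboutUpdateURL": "https://support.apple.com/HT000000"},  # placeholder
            ],
        }],
    }],
})


def parse_version(version: str) -> tuple:
    """'13.1' -> (13, 1) so versions compare numerically ('13.10' > '13.9')."""
    return tuple(int(part) for part in version.split("."))


def bump_nudge_requirement(profile: bytes, new_version: str, install_date: datetime,
                           urls_by_language: dict, now: datetime) -> bytes:
    """Return a copy of the profile with the release-specific fields replaced.

    Refuses to move backwards (a lower or equal requiredMinimumOSVersion would
    silently stop nudging) and refuses a deadline that is not in the future.
    Dates are naive UTC, which is how plistlib reads and writes <date> values.
    """
    if install_date <= now:
        raise ValueError("requiredInstallationDate must be in the future")
    data = plistlib.loads(profile)
    payloads = [p for p in data.get("PayloadContent", [])
                if p.get("PayloadType") == NUDGE_PAYLOAD_TYPE]
    if len(payloads) != 1:
        raise ValueError("profile must contain exactly one Nudge payload")
    # Every targeted rule moves to the new release; a profile with per-major
    # rules would need to pick the matching entry instead.
    for req in payloads[0]["osVersionRequirements"]:
        current = req.get("requiredMinimumOSVersion", "0")
        if parse_version(new_version) <= parse_version(current):
            raise ValueError(f"{new_version} is not newer than enforced {current}")
        req["requiredMinimumOSVersion"] = new_version
        req["requiredInstallationDate"] = install_date
        # One entry per language; Nudge shows the one matching the user's locale.
        req["aboutUpdateURLs"] = [
            {"_language": lang, "aboutUpdateURL": url}
            for lang, url in sorted(urls_by_language.items())
        ]
    return plistlib.dumps(data)


def summarize(profile: bytes) -> dict:
    """Pull the enforced version, deadline and language list back out for review."""
    data = plistlib.loads(profile)
    payload = next(p for p in data["PayloadContent"]
                   if p["PayloadType"] == NUDGE_PAYLOAD_TYPE)
    req = payload["osVersionRequirements"][0]
    return {
        "version": req["requiredMinimumOSVersion"],
        "deadline": req["requiredInstallationDate"],
        "languages": [u["_language"] for u in req["aboutUpdateURLs"]],
    }


if __name__ == "__main__":
    now = datetime(2023, 2, 1)  # fixed "now" so the run is reproducible
    updated = bump_nudge_requirement(
        SAMPLE_PROFILE, "13.2", now + timedelta(days=14),
        {"en": "https://support.apple.com/HT000001",          # placeholder
         "fr": "https://support.apple.com/fr-fr/HT000001"},   # placeholder
        now)
    print(summarize(updated))
```

Run against a real profile, replace `SAMPLE_PROFILE` with the bytes of the exported mobileconfig and pass `datetime.utcnow()` as `now`.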
By joining a laptop to our MDM and deploying profiles, Nudge gets configured. When a new update is released, the following fields must be updated:

* `aboutUpdateURLs` in all languages, pointing to the Apple page with information about vulnerabilities fixed in each update. If an update fixed no vulnerabilities, we would typically not enforce it via Nudge, but this is extremely rare.
* `requiredMinimumOSVersion` must be set to the new version (ex: `13.1`).
* `requiredInstallationDate` must be set to a date in the future, based on the criticality of the vulnerabilities fixed by the update.

### Chrome configuration

We configure Chrome on company-owned devices with a basic policy.

| Setting |
| --------------------------------------------------------- |
| Enforce Chrome updates and Chrome restart within 48 hours |
| Block intrusive ads |
| uBlock Origin adblocker extension deployed |
| Password manager extension deployed |
| Chrome Endpoint Verification extension deployed |

**Why?**

* Browsers have a large attack surface, and their updates contain critical security fixes.

**User experience impact**

* Chrome must be restarted within 48 hours of patch installation. The automatic restart happens after 19:00 and before 6:00 if the computer is running, and tabs are restored (except for incognito tabs).
* Ads considered intrusive are blocked.
* uBlock Origin is enabled by default, and is 100% configurable, improving security and browsing performance.
* Endpoint Verification is used to make access decisions based on the security posture of the device. For example, an outdated Mac could be prevented from accessing Google Drive.

### Personal mobile devices

The use of personal devices is allowed for some applications, so long as the iOS or Android device's OS is kept up to date.
## Hardware security keys

If you do not already have a pair of hardware security keys, order [YubiKey 5C NFC security keys](https://www.yubico.com/ca/product/yubikey-5c-nfc-pack-of-2/) with your company card, or ask for help in [#help-login](https://fleetdm.com/handbook/security#slack-channels) to get one if you do not have a company card.

### Are they YubiKeys or security keys?

We use YubiKeys, a hardware security key brand that supports the FIDO U2F protocol. You can use both terms interchangeably at Fleet. We use YubiKeys because they support more authentication protocols than regular security keys.

### Who has to use security keys and why?

Security keys are **strongly recommended** for everyone and **required** for team members with elevated privilege access. Because they are the only type of Two-Factor Authentication (2FA) that protects credentials from phishing, we will make them **mandatory for everyone** soon. See the [Google Workspace security section](https://fleetdm.com/handbook/security#google-workspace-security-authentication) for more information on the security of different types of 2FA.

### Goals

Our goals with security keys are to:

1. eliminate the risk of credential phishing.
2. maintain the best user experience possible.
3. make sure team members can access systems as needed, and that recovery procedures exist in case of a lost key.
4. make sure recovery mechanisms are safe to prevent attackers from bypassing 2FA completely.

### Setting up security keys on Google

We recommend setting up **three** security keys on your Google account for redundancy purposes: two YubiKeys and your phone as the third key.

If you get a warning during this process about your keyboard not being identified, this is due to YubiKeys having a feature that can simulate a keyboard. Ignore the "Your keyboard cannot be identified" warning.

1. Set up your first YubiKey by following [Google's instructions](https://support.google.com/accounts/answer/6103523?hl=En). The instructions make you enroll the key by following [this link](https://myaccount.google.com/signinoptions/two-step-verification?flow=sk&opendialog=addsk). When it comes to naming your keys, that is a name only used so you can identify which key was registered. You can name them Key1 and Key2.
2. Repeat the process with your 2nd YubiKey.
3. Configure your phone as [a security key](https://support.google.com/accounts/answer/9289445).

### Optional: getting rid of keyboard warnings

1. Install YubiKey Manager. You can do this from the **Managed Software Center** on managed Macs. On other platforms, download it [from the official website](https://www.yubico.com/support/download/yubikey-manager/#h-downloads).
2. Open YubiKey Manager with one of your keys connected.
3. Go to the **Interfaces** tab.
4. Uncheck the **OTP** checkboxes under **USB** and click *Save Interfaces*.
5. Unplug your key and connect your 2nd one to repeat the process.

### Optional: setting up security keys on GitHub

1. Configure your two security keys to [access GitHub](https://github.com/settings/two_factor_authentication/configure).
2. If you use a Mac, feel free to add it as a security key on GitHub. This brings most of the advantages of the hardware security key but allows you to log in by simply touching Touch ID as your second factor.

### FAQ

1. Can I use my Fleet YubiKeys with personal accounts? **Answer**: We highly recommend that you do so. Facebook accounts, personal email, Twitter accounts, cryptocurrency trading sites, and many more support FIDO U2F authentication, the standard used by security keys. Fleet will **never ask for your keys back**. They are yours to use everywhere you can.
2. Can I use my phone as a security key? **Answer**: Yes. Google [provides instructions](https://support.google.com/accounts/answer/6103523?hl=En&co=GENIE.Platform%3DiOS&oco=1), and it works on Android devices as well as iPhones. When doing this, you will still need the YubiKey to access Google applications from your phone. Since it requires Bluetooth, this option is also less reliable than the USB-C security key.
3. Can I leave my YubiKey connected to my laptop? **Answer**: Yes, unless you are traveling. We use security keys to eliminate the ability of attackers to phish our credentials remotely, not as any type of local security improvement. That being said, keeping it separate from the laptop when traveling means they are unlikely to be lost or stolen simultaneously.
4. I've lost one of my keys, what do I do? **Answer**: Post in the `#g-security` channel ASAP so we can disable the key. If you find it later, no worries, just enroll it again!
5. I lost all of my keys, and I'm locked out! What do I do? **Answer**: Post in the `#help-login` channel, or contact your manager if you find yourself locked out of Slack. You will be provided a way to log back in and make your phone your security key until you receive new ones.
6. Can I use security keys to log in from any device? **Answer**: The keys we use, YubiKey 5C NFC, work over USB-C as well as NFC. They can be used on Mac/PC, Android, iPhone, and iPad Pro with a USB-C port. If some application or device does not support it, you can always browse to [g.co/sc](https://g.co/sc) from a device that supports security keys to generate a temporary code for the device that does not.
7. Will I need my YubiKey every time I want to check my email? **Answer**: No. Using them does not make sessions shorter. For example, if using the Gmail app on mobile, you'd need the keys to set up the app only.

## GitHub security

Since Fleet makes open source software, we need to host and collaborate on code. We do this using GitHub. This section covers our GitHub configuration. Like everything we do, we aim for the right level of security and productivity. Because our code is open source, we are much more concerned about its integrity than its confidentiality.
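Since integrity of the code is the concern, the two GitHub controls that matter most in this section are the branch-protection rule on `main` and the pinning of GitHub Actions to full commit hashes, and both can be checked mechanically. The following is an added example, not Fleet's tooling. `audit_branch_protection` compares a payload shaped like GitHub's REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection` with the rules this section sets for `main`; `unpinned_actions` lists `uses:` references in a workflow that are not pinned to a 40-hex commit SHA. The two payloads, the workflow, the SHA in it and both function names are constructed for the example.

```python
"""Audit a branch-protection payload and workflow action pins.

Added example for this section; not Fleet's tooling. The payload shape is
GitHub's REST API response for the branch-protection endpoint, but the
payloads below are constructed rather than fetched, and the SHA is made up.
"""
import re
from typing import List

# Constructed: what `main` looks like when it matches the branch-protection table.
COMPLIANT = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
        "bypass_pull_request_allowances": {"users": [], "teams": [], "apps": []},
    },
    "required_status_checks": {"strict": False, "contexts": ["lint"]},
    "enforce_admins": {"enabled": True},
    "required_linear_history": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed: a branch with several of the settings loosened.
WEAK = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "required_approving_review_count": 0,
        "bypass_pull_request_allowances": {"users": [{"login": "someone"}], "teams": [], "apps": []},
    },
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}


def audit_branch_protection(protection: dict) -> List[str]:
    """Return one finding per rule of this page's `main` policy that is not met."""
    findings: List[str] = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request not required before merging")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("fewer than one approval required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale approvals are kept when new commits are pushed")
        bypass = reviews.get("bypass_pull_request_allowances", {})
        if any(bypass.get(k) for k in ("users", "teams", "apps")):
            findings.append("some actors may bypass required pull requests")
    if "required_status_checks" not in protection:
        findings.append("status checks are not required")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators are exempt from the rules")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


# Constructed workflow; the 40-hex SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # placeholder SHA
      - uses: ./.github/actions/local-step
      - name: Run tests
        run: go test ./...
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def unpinned_actions(workflow_yaml: str) -> List[str]:
    """Return `uses:` references that are not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped; a tag such as
    @v3 is movable, so it is reported.
    """
    unpinned: List[str] = []
    for line in workflow_yaml.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    print("compliant:", audit_branch_protection(COMPLIANT))
    print("weak:", audit_branch_protection(WEAK))
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
```

Feeding the real JSON from the API into `audit_branch_protection` turns the table below into a repeatable check, which is useful since the repository settings UI will not tell you when a rule has drifted; the pin check is cheap enough to run on every workflow file in `.github/workflows/`.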
Since integrity is the priority, our configuration aims to protect what is in the code, but we spend no effort preventing "leaks" since almost everything is public anyway. If you are reading this from another organization that makes code that is not open source, we recommend checking out [this guide](https://oops.computer/posts/safer-github-setup/).

### Authentication

Authentication is the linchpin of security on Software-as-a-Service (SaaS) applications such as GitHub. It is also one of the few controls we have to secure SaaS apps in general.

GitHub authentication differs from many SaaS products in one crucial way: accounts are global. Developers can carry their accounts from company to company and use them for open source projects. There is no reason to require company-specific GitHub accounts, as our code is public, and if it were not, we would enforce Single Sign-On (SSO) to access our organization.

We enable *Require two-factor authentication* for everyone in the organization. We do not require Single Sign-On (SSO), as most of the software we work on is open source and accessible to external collaborators. If you can imagine, GitHub charges a [4x premium](https://sso.tax/) for this feature.

### Code security and analysis

| Code security and analysis feature | Setting | Note |
| ---------------------------------- | ------- | ---- |
| Dependency graph | Automatically enable for new private repositories + enabled on all | Default on all public repositories. |
| Dependabot alerts | Automatically enable for new repositories + enabled for all | We want to be alerted if any dependency is vulnerable. |
| Dependabot security updates | Automatically enable for new repositories | This automatically creates PRs to fix vulnerable dependencies when possible. |

### Member privileges

| Member privileges feature | Setting | Note |
| ------------------------- | ------- | ---- |
| Base permissions | Write | Admin is too powerful, as it allows reconfiguring the repositories themselves. Selecting *Write* provides the perfect balance! |
| Repository creation | None | We want to limit repository creation and eventually automate it with the [GitHub Terraform provider](https://github.com/integrations/terraform-provider-github). |
| Repository forking | ✅ | By default, we allow repository forking. |
| Pages creation | None | We do not use GitHub Pages, so we disable them to make certain people use our actual website or handbook, which are also in GitHub. |

#### Admin repository permissions

| Admin privileges feature | Setting | Note |
| ------------------------ | ------- | ---- |
| Allow members to change repository visibilities for this organization | 🚫 | Most of our repos are public, but for the few that are private, we want to require org admin privileges to make them public. |
| Allow members to delete or transfer repositories for this organization | 🚫 | We want to require org admin privileges to be able to delete or transfer any repository. |
| Allow repository administrators to delete issues for this organization | 🚫 | We want to require org admin privileges to be able to delete issues, which is something that is very rarely needed but could be, for example, if we received GitHub issue spam. |
| Allow members to see the comment author's profile name in private repositories | 🚫 | We barely use private repositories and do not need this. |
| Allow users with read access to create discussions | 🚫 | We do not currently use discussions and want people to use issues as much as possible. |
| Allow members to create teams | 🚫 | We automate the management of GitHub teams with the [GitHub Terraform provider](https://github.com/integrations/terraform-provider-github). |

### Team discussions

We do not use team discussions and therefore have disabled them. This is simply to avoid discussions located in too many places and is not security-related.

### Repository security

#### Branch protection

Branch protection is one of the most important settings to configure and the main reason we should not have members with administrative privileges on the repositories. Located in the Branches section of repository settings, we create a rule for **main** that applies:

| Setting | Value | Note |
| ------- | ----- | ---- |
| Require a pull request before merging | ✅ | We enforce code reviews, which require PRs. |
| Require approvals | 1️⃣ | We require approval from one person in the team. |
| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR and then change everything about it! |
| Require review from Code Owners | 🗓 | We are working towards enabling this as our team grows and allows for more flexibility. |
| Restrict who can dismiss pull request reviews | 🚫 | As we are a team working in multiple timezones, we want to allow dismissing reviews and getting another one. |
| Allow specified actors to bypass required pull requests | 🚫 | We do not want anyone pushing directly to main. |
| Require status checks to pass before merging | ✅ | Because of our [monorepo](https://en.wikipedia.org/wiki/Monorepo#:~:text=In%20version%20control%20systems%2C%20a,as%20a%20'shared%20codebase'.), it is hard to pick many checks that work for all types of PRs, but we still enable this. |
| Require conversation resolution before merging | 🚫 | Reviewers should not approve a pull request if they do not think it's ready for merging. |
| Require signed commits | 🗓 | We are working towards enabling this, manually keeping track of unverified commits. |
| Require linear history | 🚫 | We do not currently use or enforce practices to generate a linear history. |
| Include administrators | ✅ | We want these rules to apply to *everyone*. |
| Restrict who can push to matching branches | 🚫 | Anyone in our organization should be able to merge PRs that get reviewed, and nobody should be able to push directly. |
| Allow force pushes | 🚫 | We do not need this, so we do not allow it. |
| Allow deletions | 🚫 | We do not want ANYONE to be able to delete the *main* branch. |

### Scanning tools

Though not technically a part of GitHub itself, we feel like the security tools we use to scan our code, workflows, and GitHub configuration are part of our overall GitHub configuration.

#### SAST and configuration scanning

| Scanning tool | Purpose | Configuration |
| ------------- | ------- | ------------- |
| [OSSF Scorecard](https://github.com/ossf/scorecard) | Scan our GitHub repository for best practices and send problems to GitHub Security. | [scorecard-analysis.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/scorecards-analysis.yml) |
| [CodeQL](https://codeql.github.com/) | Discover vulnerabilities across our codebase, both in the backend and frontend code. | [codeql-analysis.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/codeql-analysis.yml) |
| [gosec](https://github.com/securego/gosec) | Scan Go code for common security mistakes. We use gosec as one of the linters (static analysis tools used to identify problems in code) run by [golangci-lint](https://github.com/golangci/golangci-lint). | [golangci-lint.yml](https://github.com/fleetdm/fleet/blob/main/.github/workflows/golangci-lint.yml) |

We are planning on adding [tfsec](https://github.com/aquasecurity/tfsec) to scan for configuration vulnerabilities in the Terraform code provided to deploy Fleet infrastructure in the cloud. Once we have full coverage from a static analysis point of view, we will evaluate dynamic analysis and fuzzing options.

#### Dependabot

As described in *Code security and analysis*, we use Dependabot for security updates to libraries. Our [dependabot.yml](https://github.com/fleetdm/fleet/blob/main/.github/dependabot.yml) only mentions GitHub Actions. Security updates to all other dependencies are still performed by Dependabot automatically, as enabled in the repository's security settings, even though those package managers are not listed explicitly in the configuration file. As GitHub Actions have no impact on the Fleet software itself, we are simply more aggressive in updating actions even if the update does not resolve a vulnerability.

### Actions configuration

We configure GitHub Actions to have *Read repository contents permission* by default. This is located in *organization/settings/actions*. As our code is open source, we allow all GitHub Actions but limit their default privileges so they do not create any additional risk. Additional permissions needed can be configured in the YAML file for each workflow. We pin actions to specific versions using a complete hash.

### Automation

We manage our GitHub configuration, creation of repositories, and team memberships manually. In the future, we will consider automating most of it using the [Terraform provider](https://github.com/integrations/terraform-provider-github) for GitHub. Our strategy for this will be similar to what [this blog post](https://oops.computer/posts/github_automation/) describes.

## Google Workspace security

Google Workspace is our collaboration tool and the source of truth for our user identities. A Google Workspace account gives access to email, calendar, files, and external applications integrated with Google Authentication or SAML. At the same time, third-party applications installed by users can access the same data.

We configure Google Workspace beyond the default settings to reduce the risk of malicious or vulnerable apps being used to steal data. Our current configuration balances security and productivity and is a starting point for any organization looking to improve the security of Google Workspace. As Google frequently adds new features, feel free to submit a PR to edit this file if you discover a new one we should use!

### Authentication

We cannot overstate the importance of securing authentication, especially in a platform that includes email and is used as a directory to log in to multiple applications.

#### 2-Step Verification

Google's name for Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is 2-Step Verification (2-SV). No matter what we call it, it is the most critical feature to protect user accounts on Google Workspace or any other system.
| 2FA authentication methods from least to most secure | Weaknesses |
| ---------------------------------------------------- | ---------- |
| No 2FA | Credential theft is easy, and passwords are often leaked or easy to guess. |
| SMS/Phone-based 2FA | Puts trust in the phone number itself, which attackers can hijack by [social engineering phone companies](https://www.vice.com/en/topic/sim-hijacking). |
| Time-based one-time password (TOTP - Google Authenticator type six digit codes) | Phishable as long as the attacker uses it within its short lifetime by intercepting the login form. |
| App-based push notifications | These are harder to phish than TOTP, but by sending a lot of prompts to a phone, a user might accidentally accept a nefarious notification. |
| Hardware security keys | [Most secure](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/) but requires extra hardware or a recent smartphone. Configure this as soon as you receive your Fleet YubiKeys. |

##### 2-Step Verification in Google Workspace

We apply the following settings to *Security/2-Step Verification* to all users as the minimum baseline.

| Setting name | Value |
| ------------ | ----- |
| Allow users to turn on 2-Step Verification | On |
| Enforcement | On |
| New user enrollment period | 1 week |
| Frequency: Allow user to trust the device | Off |
| Methods | Any except verification codes via text, phone call |

##### Hardware security keys

We strongly recommend using hardware security keys. Fleet configures privileged user accounts with a policy that enforces the use of hardware security keys. This prevents credential theft better than other methods of 2FA/2-SV.
See [hardware security keys](https://fleetdm.com/handbook/security#hardware-security-keys) for information about the model we use, why, and how to set them up.

#### Passwords

As we enforce the use of 2-SV, passwords are less critical to the security of our accounts. We base our settings on [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html). Enforcing 2FA is a much more valuable control than enforcing the expiration of passwords, which usually results in users changing only a small portion of the password and following predictable patterns.

We apply the following *Security/Password management* settings to all users as the minimum baseline.

| Setting name | Value |
| ------------ | ----- |
| Enforce strong password | Enabled |
| Length | 8-100 |
| Strength and length enforcement/enforce password policy at next sign-in | Enabled |
| Allow password reuse | Disabled |
| Expiration | Never expires |

We also configure [Password Alert](https://support.google.com/chrome/a/answer/9696707?visit_id=637806265550953415-394435698&rd=1#zippy=) to warn users of password re-use. See [How we protect end-user devices](https://fleetdm.com/handbook/security#how-we-protect-end-user-devices).

#### Account recovery

Self-service account recovery is a feature we do not need, as we have enough Google administrators to support Fleet employees. As we secure accounts beyond the security level of most personal email accounts, it would not be logical to trust those personal accounts for recovery.

We apply the following settings to *Security/Account Recovery* to all users as the minimum baseline.

| Setting name | Value |
| ------------ | ----- |
| Allow super admins to recover their account | Off |
| Allow users and non-super admins to recover their account | Off |

First, we make sure we have a handful of administrators. Then, by not requiring password expiration, the number of issues related to passwords is reduced. Lastly, we can support locked-out users manually as the volume of issues is minimal.

#### Less secure apps

Less secure apps use legacy protocols that do not support secure authentication methods. We disable them, and as they are becoming rare, we have not noticed any issues from this setting.

We apply the following *Security/Less Secure Apps* settings to all users as the minimum baseline.

| Setting name | Value |
| ------------ | ----- |
| Control user access to apps that use less secure sign-in technology and make accounts more vulnerable. | Disable access to less secure apps (Recommended) |

#### API access

Google Workspace makes it easy for users to add tools to their workflows while having these tools authenticate to their Google applications and data via OAuth. We mark all Google services as *restricted* but do allow the use of OAuth for simple authentication and the use of less dangerous privileges on Gmail and Drive. We then approve applications that require more privileges on a case-by-case basis.

This level of security allows users to authenticate to web applications with their Google accounts. This exposes little information beyond what they would provide in a form to create an account, and it protects confidential data while keeping everything managed.

> To get an application added to Fleet's Google Workspace security configuration, create an issue and assign it to the security team in [this repository](https://github.com/fleetdm/confidential/issues). You'll need to include the client ID as text (not a screenshot) in your issue. This is processed quickly (about 1-2 days) by the Head of Security. The Head of Security will research the permissions the app is requesting and determine approval for the app.
We mark every Google Service as *restricted* and recommend that anyone using Google Workspace mark at least the following as restricted in *Security/API Control/Google Services*:

* Google Drive
* Gmail
* Calendar (Invites include sensitive info such as external participants, attachments, links to meetings, etc.)
* Google Workspace Admin

When marked as *trusted*, applications that need access to data in our Google Workspace.

### Rules and alerts

Google provides many useful built-in alerts in *Security/Rules*. We enable most and tweak their severity levels as needed. When necessary, we visit the [Alert Center](https://admin.google.com/ac/ac) to investigate and close alerts.

We have also created the following custom alerts.

| Alert on | Created on | Purpose | Notification |
| -------- | ---------- | ------- | ------------ |
| Out of domain email forwarding | Login audit log, filtered by event | Attackers in control of an email account often configure forwarding to establish persistence. | Alert Center + Email |
| 2-Step Verification disable | Login audit log, filtered by event | Though we enforce 2-SV, if we accidentally allow removing it, we want to know as soon as someone does so. | Alert Center + Email |
| 2-Step Verification scratch codes generated | Admin audit log, filtered by event | Scratch codes can be used to bypass 2-SV. An attacker with elevated privileges could leverage this to log in as a user. | Alert Center + Email |
| Change allowed 2-Step Verification methods | Admin audit log, filtered by event | We want to detect accidental or malicious downgrades of the 2-SV configuration. | Alert Center + Email |
| Change 2-Step Verification start date | Admin audit log, filtered by event | We want to detect accidental or malicious "downgrades" of the 2-SV configuration. | Alert Center + Email |
| Alert deletion | Admin audit log, filtered by event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email |
| Alert criteria change | Admin audit log, filtered by event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email |
| Alert receivers change | Admin audit log, filtered by event | For alerts to be a reliable control, we need to alert on alerts being disabled or changed. | Alert Center + Email |
| Dangerous download warning | Chrome audit log, filtered by event | As we roll out more Chrome security features, we want to track the things getting blocked to evaluate the usefulness of the feature and potential false positives. | Alert Center |
| Malware transfer | Chrome audit log, filtered by event | As we roll out more Chrome security features, we want to track the things getting blocked to evaluate the usefulness of the feature and potential false positives. | Alert Center |
| Password reuse | Chrome audit log, filtered by event | As we roll out more Chrome security features, we want to track the things getting blocked to evaluate the usefulness of the feature and potential false positives. | Alert Center |

### Gmail

#### Email authentication

Email authentication makes it harder for other senders to pretend to be from Fleet. This improves trust in emails from fleetdm.com and makes it more difficult for anyone attempting to impersonate Fleet.
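The DMARC half of email authentication is a single DNS TXT record, and the difference between a record that merely monitors and one that actually protects the domain is a few tags. As an added example (not Fleet's DNS record and not Fleet's tooling), the following parses a DMARC record as defined by RFC 7489 and lists the ways a given record gives less protection than `p=reject`. The records and domains are constructed placeholders, and `parse_dmarc` and `assess_dmarc` are names chosen for this example.

```python
"""Parse a DMARC TXT record and flag weak or malformed policies.

Added example for this section; not Fleet's record or tooling. Records
below are constructed with placeholder domains. Tag semantics follow
RFC 7489 (v, p, sp, pct, rua, adkim, aspf).
"""
from typing import Dict, List

# Ordered from weakest to strongest so policies can be compared by index.
POLICIES = ("none", "quarantine", "reject")

# Constructed records for a placeholder domain.
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
MONITOR_ONLY = "v=DMARC1; p=none; pct=50"
BROKEN = "p=reject; v=DMARC1"  # v= must be the first tag


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; the record must start with v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings describing why the record protects less than p=reject (empty when strict)."""
    findings: List[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    policy = tags.get("p")
    if policy not in POLICIES:
        findings.append(f"p={policy!r} is not a valid policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine lets spoofed mail reach spam folders instead of rejecting it")
    # pct defaults to 100; anything lower applies the policy to a sample of mail only.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    # sp= overrides p= for subdomains; a weaker sp= leaves them exposed.
    sp = tags.get("sp")
    if sp in POLICIES and policy in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        findings.append(f"sp={sp} leaves subdomains weaker than the organizational domain")
    return findings


if __name__ == "__main__":
    for name, rec in (("strict", STRICT), ("monitor-only", MONITOR_ONLY), ("broken", BROKEN)):
        print(name, assess_dmarc(rec) or ["ok"])
```

A record is normally rolled out as `p=none` with `rua=` first so that the aggregate reports reveal every legitimate sender before moving to `quarantine` and then `reject`; the findings above are meant to show how far a record still is from that end state, not to fail a domain that is mid-rollout.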
We authenticate email with [DKIM](https://support.google.com/a/answer/174124?product_name=UnuFlow&hl=en&visit_id=637806265550953415-394435698&rd=1&src=supportwidget0&hl=en) and have a [DMARC](https://support.google.com/a/answer/2466580) policy to decide how our outgoing email should be defined. The DKIM configuration under *Apps/Google Workspace/Settings for Gmail/Authenticate Email* simply consists of generating the key, publishing it to DNS, then enabling the feature 48-hours later. [DMARC](https://support.google.com/a/answer/2466580) is configured separately at the DNS level once DKIM is enforced. #### Email security Google Workspace includes multiple options in *Apps/Google Workspace/Settings for Gmail/Safety* related to how it handles inbound email. As email is one of the main vectors used by attackers, we make certain we protect it as much as possible. Attachments are frequently used to send malware. We apply the following settings to block common tactics. | Category | Setting name | Value | Action | Note | | --------------------------- | --------------------------------------------------------------- | ------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------ | | Attachments | Protect against encrypted attachments from untrusted senders | Enabled | Quarantine | | | Attachments | Protect against attachments with scripts from untrusted senders | Enabled | Quarantine | | | Attachments | Protect against anomalous attachment types in emails | Enabled | Quarantine | | | Attachments | Whitelist (*Google's term for allow-list*) the following uncommon filetypes | Empty | | | | Attachments | Apply future recommended settings automatically | On | | | | IMAP View time protections | Enable IMAP link protection | On | | | | Links and external images | Identify links behind shortened URLs | On | | | | Links and external images | Scan linked images | On | | | | Links and external 
images | Show warning prompt for any click on links to untrusted domains | On | | | | Links and external images | Apply future recommended settings automatically | On | | | | Spoofing and authentication | Protect against domain spoofing based on similar domain names | On | Keep email in the inbox and show warning | | | Spoofing and authentication | Protect against spoofing of employee names | On | Keep email in the inbox and show warning | | | Spoofing and authentication | Protect against inbound emails spoofing your domain | On | Quarantine | | | Spoofing and authentication | Protect against any unauthenticated emails | On | Keep email in the inbox and show warning | | | Spoofing and authentication | Protect your Groups from inbound emails spoofing your domain | On | Quarantine | | | Spoofing and authentication | Apply future recommended settings automatically | On | | | | Manage quarantines | Notify periodically when messages are quarantine | On | | | We enable *Apply future recommended settings automatically* to make certain we are secure by default. We would prefer to adjust this after seeing emails quarantined accidentally rather than missing out on new security features for email security. #### End-user access We recommend using the Gmail web interface on computers and the Gmail app on mobile devices. The user interface on the official applications includes security information not visible in standard mail clients (e.g., Mail on macOS). We do allow a few of them at the moment for specific workflows. 
| Category | Setting name | Value | Note |
| --- | --- | --- | --- |
| POP and IMAP access | Enable IMAP access for all users | Restrict which mail clients users can use (OAuth mail clients only) | |
| | Clients | (450232826690-0rm6bs9d2fps9tifvk2oodh3tasd7vl7.apps.googleusercontent.com, 946018238758-bi6ni53dfoddlgn97pk3b8i7nphige40.apps.googleusercontent.com, 406964657835-aq8lmia8j95dhl1a2bvharmfk3t1hgqj.apps.googleusercontent.com) | Those are the iOS and macOS built-in clients as well as Thunderbird. We plan to eventually only allow iOS, to limit the data cached on Macs and PCs. |
| | Enable POP access for all users | Disabled | |
| Google Workspace Sync | Enable Google Workspace Sync for Microsoft Outlook for my users | Disabled | |
| Automatic forwarding | Allow users to automatically forward incoming email to another address | Enabled | We will eventually disable this in favor of custom routing rules for domains where we want to allow forwarding. There is no mechanism for allow-listing destination domains, so we rely on alerts when new forwarding rules are added. |
| Allow per-user outbound gateways | Allow users to send mail through an external SMTP server when configuring a "from" address hosted outside your email domain | Disabled | |
| Warn for external recipients | Highlight any external recipients in a conversation. Warn users before they reply to email messages with external recipients who aren't in their contacts. | Enabled | |

### Drive and Docs

We use Google Drive and related applications for internal and external collaboration.

#### Sharing settings

| Category | Setting name | Value | Note |
| --- | --- | --- | --- |
| Sharing options | Sharing outside of Fleet Device Management | On | |
| Sharing options | For files owned by users in Fleet Device Management, warn when sharing outside of Fleet Device Management | Enabled | |
| Sharing options | Allow users in Fleet Device Management to send invitations to non-Google accounts outside Fleet Device Management | Enabled | |
| Sharing options | When sharing outside of Fleet Device Management is allowed, users in Fleet Device Management can make files and published web content visible to anyone with the link | Enabled | |
| Sharing options | Access Checker | Recipients only, or Fleet Device Management | |
| Sharing options | Distributing content outside of Fleet Device Management | Only users in Fleet Device Management | This prevents external contributors from sharing with other external contributors. |
| Link sharing default | When users in Fleet Device Management create items, the default link sharing access will be: | Off | We want the owners of new files to make a conscious decision around sharing and to be secure by default. |
| Security update for files | Security update | Apply security update to all affected files | |
| Security update for files | Allow users to remove/apply the security update for files they own or manage | Enabled | We have very few files impacted by [updates to link sharing](https://support.google.com/a/answer/10685032?amp;visit_id=637807141073031168-526258799&rd=1&product_name=UnuFlow&p=update_drives&visit_id=637807141073031168-526258799&rd=2&src=supportwidget0). For some files meant to be public, we want users to be able to revert to the old URL that is more easily guessed. |

#### Features and applications

| Category | Setting name | Value | Note |
| --- | --- | --- | --- |
| Offline | Control offline access using device policies | Enabled | |
| Smart Compose | Allow users to see Smart Compose suggestions | Enabled | |
| Google Drive for desktop | Allow Google Drive for desktop in your organization | Off | To limit the amount of data stored on computers, we currently do not allow local sync. We may enable it in the future. |
| Drive | Drive | Do not allow Backup and Sync in your organization | |
| Drive SDK | Allow users to access Google Drive with the Drive SDK API | Enabled | The applications trusted for access to Drive are controlled but require this to work. |
| Add-Ons | Allow users to install Google Docs add-ons from add-ons store | Enabled | The applications trusted for access to Drive are controlled but require this to work. |
| Surface suggestions in Google Chrome | Surface suggestions in Google Chrome | Allow Google Drive file suggestions for signed-in users whenever a new search is performed or a new tab is opened (recommended) | |
| Creating new files on Drive | Allow users to create and upload any file | On | |
| Creating new files on Drive | Allow users to create new Docs, Sheets, Slides, Drawings and Forms files | On | |

## Vulnerability management

At Fleet, we handle software vulnerabilities no matter what their source is.

The process is simple:

1. A person or tool discovers a vulnerability and informs us.
2. Fleet determines if we must fix this vulnerability, and if not, documents why.
3. As long as it respects our remediation timelines and enough time remains for implementation and testing, Fleet fixes vulnerabilities in the next scheduled release. Otherwise, Fleet creates a special release to address the vulnerabilities.

### Timeline

Fleet commits to remediating vulnerabilities on Fleet according to the following:

| Severity | Triage | Mitigation | Remediation |
| --- | --- | --- | --- |
| Critical+ In-the-wild exploitation | 2 business hours | 1 business day | 3 business days (unless mitigation downgrades severity) |
| Critical | 4 business hours | 7 business days | 30 days |
| High | 2 business days | 14 days | 30 days |
| Medium | 1 week | 60 days | 60 days |
| Low | Best effort | Best effort | Best effort |
| Unspecified | 2 business days | N/A | N/A |

Refer to our commercial SLAs for more information on the definition of "business hours" and "business days."

Other resources present in the Fleet repo but not part of the Fleet product, like our website, are fixed on a case-by-case basis depending on the risk.

### Exceptions and extended timelines

We may not be able to fix all vulnerabilities or fix them as rapidly as we would like.
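To make the timeline table above concrete, here is an added Python example (not Fleet's handbook or Fleet tooling) that turns a report timestamp and a severity into absolute triage, mitigation and remediation deadlines, and applies the CVSSv3-to-severity mapping given in the next section. It assumes business hours are 09:00-17:00 Monday to Friday (the handbook defers the real definition to Fleet's commercial SLAs), and the report time `EXAMPLE_REPORT` is a constructed sample chosen so that the Friday-afternoon rollover into the next week is visible.

```python
"""Deadline calculator for the vulnerability timeline table above.

Added example, not Fleet tooling. ASSUMPTION: business hours are 09:00-17:00
Monday to Friday; the handbook defers the real definition to Fleet's
commercial SLAs. Clock times are naive local time.
"""
from datetime import datetime, timedelta

BUSINESS_OPEN, BUSINESS_CLOSE = 9, 17  # assumed working window (hours)

# Severity -> (triage, mitigation, remediation) as (amount, unit) or None
# for "Best effort"/"N/A". Units: bh = business hours, bd = business days,
# d = calendar days, w = calendar weeks. Values are those of the table above;
# the "unless mitigation downgrades severity" caveat is left to the analyst.
SLA = {
    "Critical+": ((2, "bh"), (1, "bd"), (3, "bd")),  # in-the-wild exploitation
    "Critical": ((4, "bh"), (7, "bd"), (30, "d")),
    "High": ((2, "bd"), (14, "d"), (30, "d")),
    "Medium": ((1, "w"), (60, "d"), (60, "d")),
    "Low": (None, None, None),
    "Unspecified": ((2, "bd"), None, None),
}

# Constructed sample: a report that arrives late on a Friday afternoon.
EXAMPLE_REPORT = datetime(2023, 3, 3, 16, 0)


def cvss_to_severity(score: float) -> str:
    """Map an external CVSSv3 score to a Fleet severity (table in the next
    section). "Critical+" is decided case by case, never from the score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSSv3 score out of range: {score}")
    if score == 0.0:
        return "None"
    for upper, name in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < upper:
            return name
    return "Critical"


def _at(t: datetime, hour: int) -> datetime:
    return t.replace(hour=hour, minute=0, second=0, microsecond=0)


def _next_open(t: datetime) -> datetime:
    """Advance t to the next instant inside the working window."""
    while True:
        if t.weekday() >= 5 or t.hour >= BUSINESS_CLOSE:
            t = _at(t + timedelta(days=1), BUSINESS_OPEN)  # tomorrow morning
        elif t.hour < BUSINESS_OPEN:
            t = _at(t, BUSINESS_OPEN)
        else:
            return t


def add_business_hours(start: datetime, hours: float) -> datetime:
    """Count only working hours, rolling over nights and weekends."""
    t = _next_open(start)
    remaining = timedelta(hours=hours)
    while True:
        left_today = _at(t, BUSINESS_CLOSE) - t
        if remaining <= left_today:
            return t + remaining
        remaining -= left_today
        t = _next_open(_at(t, BUSINESS_CLOSE))


def add_business_days(start: datetime, days: int) -> datetime:
    """Count whole weekdays, keeping the clock time of the report."""
    t = start
    while days > 0:
        t += timedelta(days=1)
        if t.weekday() < 5:
            days -= 1
    return t


def deadline(start: datetime, term):
    """Resolve one (amount, unit) term to an absolute deadline, or None."""
    if term is None:
        return None
    amount, unit = term
    return {
        "bh": lambda: add_business_hours(start, amount),
        "bd": lambda: add_business_days(start, amount),
        "d": lambda: start + timedelta(days=amount),
        "w": lambda: start + timedelta(weeks=amount),
    }[unit]()


def remediation_deadlines(severity: str, reported_at: datetime) -> dict:
    """Triage, mitigation and remediation deadlines for one report."""
    triage, mitigation, remediation = SLA[severity]
    return {
        "triage": deadline(reported_at, triage),
        "mitigation": deadline(reported_at, mitigation),
        "remediation": deadline(reported_at, remediation),
    }


if __name__ == "__main__":
    for sev in SLA:
        print(f"{sev:12s}", remediation_deadlines(sev, EXAMPLE_REPORT))
```

Run as a script, it prints the three deadlines for every severity. A "Critical+" report filed at 16:00 on a Friday gets a triage deadline of 10:00 the following Monday (one working hour on Friday plus one on Monday), while its calendar-day terms are unaffected by the weekend; that difference between business and calendar units is the part of the table most easily misread when deadlines are tracked by hand.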
A complex vulnerability reported to us that would require redesigning core parts of the Fleet architecture, for instance, would not be fixable in 3 business days.

We ask for vulnerabilities reported by researchers and prefer to perform coordinated disclosure with the researcher. In some cases, we may take up to 90 days to fix complex issues, in which case we ask that the vulnerability remain private.

For other vulnerabilities affecting Fleet or code used in Fleet, the Head of Security, CTO and CEO can accept the risk of patching them according to custom timelines, depending on the risk and possible temporary mitigations.

### Mapping of CVSSv3 scores to Fleet severity

Fleet adapts the severity assigned to vulnerabilities when needed. The features we use in a library, for example, can mean that some vulnerabilities in the library are unexploitable. In other cases, it might make the vulnerability easier to exploit. In those cases, Fleet would first categorize the vulnerability using publicly available information, then lower or increase the severity based on additional context.

When using externally provided CVSSv3 scores, Fleet maps them like this:

| CVSSv3 score | Fleet severity |
| --- | --- |
| 0.0 | None |
| 0.1-3.9 | Low |
| 4-6.9 | Medium |
| 7-8.9 | High |
| 9-10 | Critical |
| Determined on a case by case basis | Critical + in-the-wild-exploitation |

### Disclosure

Researchers who discover vulnerabilities in Fleet can disclose them as per the [Fleet repository security policy](https://github.com/fleetdm/fleet/security/policy).

If Fleet confirms the vulnerability:

1. Fleet's security team creates a private GitHub security advisory.
2. Fleet asks the researcher if they want credit or anonymity. If the researcher wishes to be credited, we invite them to the private advisory on GitHub.
3. We request a CVE through GitHub.
4. Developers address the issue in a private branch.
5. As we release the fix, we make the advisory public.

Example Fleet vulnerability advisory: [CVE-2022-23600](https://github.com/fleetdm/fleet/security/advisories/GHSA-ch68-7cf4-35vr)

### Vulnerabilities in dependencies

Fleet remediates vulnerabilities related to vulnerable dependencies, but we do not create security advisories on the Fleet repository unless we believe that the vulnerability could impact Fleet. In some situations where we think it is warranted, we mention the updates in release notes.

The best way of knowing what dependencies are required to use Fleet is to look at them directly [in the repository](https://github.com/fleetdm/fleet/blob/main/package.json).

We use [Dependabot](https://github.com/dependabot) to create pull requests to update vulnerable dependencies. You can find these PRs by filtering on the [*Dependabot*](https://github.com/fleetdm/fleet/pulls?q=is%3Apr+author%3Aapp%2Fdependabot+) author in the repository.

We make sure the fixes to vulnerable dependencies are also performed according to our remediation timeline. We fix as many dependencies as possible in a single release.

## Trust report

We publish a trust report that includes automated checking of controls, answers to frequently asked questions and more on [https://fleetdm.com/trust](https://fleetdm.com/trust).

## PeopleOps

#### In this section

- [CEO handbook](#ceo-handbook)
- [Directly responsible individuals](#directly-responsible-individuals)
- [Benefits](#benefits)
- [Payroll](#payroll)
- [Security](#security)
- [All the things](#all-the-things)
- [Hiring](#hiring)
- [Onboarding](#onboarding)
- [Taxes and compliance](#taxes-and-compliance)
- [Celebrations](#celebrations)
- [Departures](#departures)

### CEO handbook

[The CEO handbook](./ceo-handbook.md) details processes specific to Mike McNeil, CEO of Fleet.

### Directly responsible individuals

At Fleet, we use the concept of Directly Responsible Individuals (**DRI**s).
This person is singularly responsible for a given aspect of the open source project, the product, or the company. This person is accountable for accomplishing goals and making decisions about a particular element of Fleet.

DRIs help us collaborate efficiently: everyone knows exactly who is responsible for, and can make decisions about, the work they're doing. DRIs are listed in the [codeowners file](https://github.com/fleetdm/fleet/blob/main/CODEOWNERS).

> You can read more about directly responsible individuals in [GitLab's handbook](https://about.gitlab.com/handbook/people-group/directly-responsible-individuals/).

### Benefits

#### Coworking

Fleet will reimburse team members for coworking up to $100 USD per month. Please get prior approval from your manager; the reimbursement can then be used for drop-in coworking or go towards a coworking membership. Once approved, get started by reaching out to Charlie Chance via direct message in Slack. Coworking expenses must be [reimbursed](#reimbursements). Brex cards should not be used for coworking due to possible legal complexities.

#### Paid time off

What matters most is your results, which are driven by your focus, your availability to collaborate, and the time and consideration you put into your work. Fleet offers all team members unlimited time off. Whether you're sick, you want to take a trip, you are eager for some time to relax, or you need to get some chores done around the house, any reason is a good reason.

For team members working in jurisdictions that require certain mandatory sick leave or PTO policies, Fleet complies to the extent required by law.

#### Taking time off

When you take any time off, you should follow this process:

- Let your manager and team know as soon as possible (i.e., post a message in your team's Slack channel with when and how long).
- Find someone to cover anything that needs covering while you're out, and communicate what they need to take over as well as who to refer to for help (e.g., meetings, planned tasks, unfinished business, important Slack/email threads, anything where someone might be depending on you).
- Mark an all-day "Out of office" event in Google Calendar for the day(s) you're taking off.

If you can’t complete the above because you need to take the day off quickly due to an emergency, let your manager know and they will help you complete the handoff.

If you ever want to take a day off, and the only thing stopping you is internal (Fleetie-only) meetings, don’t stress. Consider, “Is this a meeting that I can reschedule to another day, or is this a meeting that can go on without me and not interfere with the company’s plans?” Talk to your manager if you’re unsure, but it is perfectly OK to reschedule internal meetings that can wait so that you can take a day off.

This process is the same for any days you take off, whether it's a holiday or you just need a break.

#### Holidays

At Fleet, we have team members with various employment classifications in many different countries worldwide. Fleet is a US company, but we think you should choose the days you want to work and what days you are on holiday, rather than being locked into any particular nation or culture's expectation about when to take time off.

When a team member joins Fleet, they pick one of the following holiday schedules:

- **Traditional**: This is based on the country where you work. Non-US team members should let their managers know the dates of national holidays.

**Or**

- **Freestyle**: You have no set schedule and start with no holidays. Then you add the days that are holidays to you.

Either way, it's up to you to make sure that your responsibilities are covered, and that your team knows you're out of the office.

#### New parent leave

Fleet gives new parents six weeks of paid leave.
After six weeks, if you don't feel ready to return yet, we'll set up a quick call to discuss and work together to come up with a plan to help you return to work gradually or when you're ready.

#### Compensation changes

Fleet evaluates compensation during annual workiversaries. Supervisors and managers will document compensation changes and the effective date in employee 1:1 docs and email confirmation to Charlie. Charlie will make sure that a copy of the compensation change is added to the [¶¶People Operations folder](https://drive.google.com/drive/folders/1NKZ0UTmLbOPOeAA-iaEote3_diqu8Cbw?usp=share_link) for record keeping. (For the foreseeable (pre-series B) future, comp changes will originate during Zach/Mike 1:1s in our agenda doc.)

Additional steps: Charlie will update the respective payroll platform (Gusto or Pilot) and update the [Equity spreadsheet](https://docs.google.com/spreadsheets/d/1_GJlqnWWIQBiZFOoyl9YbTr72bg5qdSSp4O3kuKm1Jc/edit?usp=sharing) (internal doc).

### Payroll

Many of these processes are automated, but it's vital to check Gusto and Pilot manually for accuracy.

- Salary employees are automated in Gusto and Pilot.
- Contractors are a manual process in Gusto and Pilot.

| Unique payrolls | Action | DRI |
|:--|:--|:--|
| Commissions | "Off-cycle" payroll | Nathan |
| Sign-on bonus | "Bonus" payroll | Charlie |
| Performance bonus | "Bonus" payroll | Charlie |
| Ramp | "Off-cycle" payroll | Nathan |
| Accelerations | "Off-cycle" payroll | Nathan |

Add the amount to be paid to the "Gross" line.

For Fleet's US contractors, running payroll is a manual process. The steps for doing this are highlighted in this loom, TODO.

1. Time tools
2. Time tracking
3. Review hours
4. Adjust time frame to match current payroll period (the 27th through 26th of the month)
5. Sync hours
6. Run contractor payroll

#### Reimbursements

We provide all of our team members with Brex cards for making purchases for the company. Fleet will reimburse team members who pay for work-related expenses with their personal funds.

Team members can request reimbursement through [Gusto](https://app.gusto.com/expenses) ([how to get reimbursed](https://support.gusto.com/article/209831449100000/Get-reimbursed-for-expenses-as-an-employee)) if they're in the US or [Pilot](https://pilot.co/) ([how to request a reimbursement](https://help.pilot.co/en/articles/4658204-how-to-request-a-reimbursement#:~:text=If%20you%20made%20a%20purchase,and%20click%20'Add%20new%20expense.)) if they are an international team member. When submitting an expense report, team members need to provide the receipt and a description of the expense. Operations will review the expense and reach out to the team member if they have any questions. The reimbursement will be added to the team member's next payroll when an expense is approved.

> Pilot handles reimbursements differently depending on whether the international team member is classified as an employee or a contractor. If the reimbursement is for a contractor, Operations will need to add the expense reimbursement to an upcoming recurring payment or schedule the reimbursement as an off-cycle payment. If the reimbursement is for an employee, no other action is needed; Pilot will add the reimbursement to the team member's next payroll.

#### Performance feedback

At Fleet, performance feedback is a continuous process. We give feedback (particularly negative) as soon as possible. Most feedback will happen during 1:1 meetings, if not sooner.

Founders evaluate and update compensation decisions yearly, shortly after the anniversary of a team member's start date.

### Security

At Fleet, we care about security. Here are a few resources about Fleet's security policies and best practices.

1. [Security Policies](https://fleetdm.com/handbook/security/security-policies#security-policies)
2. [Human Resources Security Policy](https://fleetdm.com/handbook/security/security-policies#human-resources-security-policy)
3. [Account recovery process](https://fleetdm.com/handbook/security#account-recovery-process)
4. [Personal mobile devices](https://fleetdm.com/handbook/security#personal-mobile-devices)
5. [Hardware security keys](https://fleetdm.com/handbook/security#hardware-security-keys)

### All the things

#### Key reviews

Every release cycle, each department leader prepares a [key review deck](https://about.gitlab.com/handbook/key-review/#purpose) and presents it to the CEO. In this deck, the department will highlight KPI metrics and progress of OKRs. The information for creating this deck is located in the ["🌈 Fleet" Google drive](https://drive.google.com/drive/folders/1lizTSi7YotG_zA7zJeHuOXTg_KF1Ji8k) using ["How to create key review"](https://docs.google.com/document/d/1PDwJL0HiCz-KbEGZMfldAYX_aLk5OVAU1MMSgMYYF2A/edit?usp=sharing) (internal doc).

#### Meetings

* At Fleet, meetings start whether you're there or not. Nevertheless, being even a few minutes late can make a big difference and slow your meeting counterparts down. When in doubt, show up a couple of minutes early.
* It's okay to spend the first minute or two of a meeting being present and making small talk. Since we are all remote, it's easy to miss out on hallway chatter and human connections that happen in [meatspace](https://www.dictionary.com/browse/meatspace). Use this time together during the first minute to say "Hi!" Then you can jump into the topics to be discussed.
* Turning on your camera allows for more complete and intuitive verbal and non-verbal communication. Feel free to leave your camera on or turn it off when joining meetings with new participants you might not be familiar with yet. Turn your camera on when you lead or cohost a meeting.
* In an all-remote company, “face time” matters. Remember: even if someone’s calendar is open, they have other work to do.
Limiting (or batching up) internal meetings can enable longer, uninterrupted stretches of deep work.

#### Internal meeting scheduling

Use the Google Calendar "[Find a meeting time](https://support.google.com/calendar/answer/37161?hl=en&co=GENIE.Platform%3DDesktop#zippy=%2Cfind-a-meeting-time)" feature to coordinate meetings with Fleet team members. Enter the `@fleetdm.com` emails for each participant into the "Meet with..." box in Google Calendar, and the calendar availability for each participant will appear in your view. Then, when you select a meeting time, those participants will automatically be invited, and a video conference will be attached to the invite.

Please prefer this strategy over negotiating meeting times via chat. This can save a lot of communication overhead, especially when scheduling with multiple participants.

It is important to [set your working hours](https://support.google.com/calendar/answer/7638168?hl=en&co=GENIE.Platform%3DDesktop) in Google Calendar and block out any personal time/events/PTO, so that team members do not inadvertently schedule a time when you are not available. Many team members use the free tier of [reclaim.ai](https://reclaim.ai/) to synchronize personal event times (without event details) into their work calendars. It is also common practice to block out time for focused work.

#### Modifying an event organized by someone else

To edit an event where someone else at Fleet is the organizer, you can first subscribe to their calendar in Google Calendar and then edit the event on their calendar. Your edits will automatically apply to all attendees.

> This works because every Fleetie grants edit access to everyone else at Fleet as part of onboarding.

#### External meeting scheduling

When scheduling external meetings, provide external participants with a [Calendly](https://calendly.com) link to schedule with the relevant internal participants. If you need a Calendly account, reach out to `@charlottechance` via Slack.
#### Scheduling a Zoom meeting

We use the Zoom add-on for Google Calendar to schedule Zoom meetings when we create calendar events. To add a Zoom meeting to a calendar event, click the "Add video conferencing" dropdown and select "Zoom Meeting." Google Calendar will automatically add the Zoom meeting details and instructions to join the event.

We configure our Zoom meetings to let participants join before the host starts the meeting. We do this to make sure meetings start on time, even if the host isn't there.

#### Slack channel prefixes

We have specific channels for various topics, but we also have more general channels for the teams at Fleet.

We use these prefixes to organize the Fleet Slack:

* ***g-***: for team/group channels *(Note: "g-" is short for "grupo")*.
* ***oooh-***: used to discuss and share interesting information about a topic.
* ***help-***: for asking for help on specific topics.
* ***at*** or ***fleet-at***: for customer channels.

#### Slack communications and best practices

In consideration of our team, Fleet avoids using global tags in channels (i.e., @here, @channel, etc.).

1. What about polls? Good question. Fleeties are asked to post their poll in the channel and @mention the teammates they would like to hear from.
2. Why does this matter? Great question! The Fleet [culture](https://fleetdm.com/handbook/company#culture) is pretty simple: think of others, and remember the company [Values](https://fleetdm.com/handbook/company#values).

### Hiring

#### Creating a new position

Every new position being created goes through this process before interviewing, accepting applicants, or extending offers.

1. Add the proposed position to ["Fleeties"](https://docs.google.com/spreadsheets/d/1OSLn-ZCbGSjPusHPiR5dwQhheH1K8-xqyZdsOe9y7qc/edit#gid=0) as a new row, with a blank start date. Be sure to include job title, manager, and department.
2. Add a job description to ["Roles."](https://docs.google.com/document/d/1wS5jFfrZtO4xMH-3U_S8pE59gNXOTR3rS1WWD8pkq9E/edit#heading=h.5z24knw25190) Include only "Responsibilities" and "Experience." (You will insert these into the existing job description template.)
3. Create a private "#hiring-xxxxxx-2022" Slack channel (where "xxxxxx" is the job title) and invite the CEO (Mike McNeil) and People Operations (Charlie Chance).
   - People Ops is the DRI for all `#hiring-xxxxx-2022` Slack channels.
4. In that channel, post a message proposing the position:
   - At-mention the CEO (@mikermcneil) and Charlie (@charlie).
   - Include a link to the job description in "Roles."
   - Include a link to the Fleeties document.
5. People Ops will:
   - Confirm the "Roles" document has the job description, consisting only of "Responsibilities" and "Experience," and that both look accurate, grammatically correct, and otherwise ready to post in a public job description.
   - Confirm the "Fleeties" document has a manager, job title, and department, and that the start date is not entered yet (so we can tell the position is proposed but not planned yet).
   - Using Pave, determine an anticipated salary and equity range, then add that research to "Compensation decisions" as a new heading.
   - Share a direct link to the new heading in "Compensation decisions" with the CEO.
6. The CEO will then:
   - Determine whether this fits into the budget and equity plan.
   - Decide whether Fleet will open this position at this time.
   - Set tentative compensation in the budget and equity plan.
   - Set a tentative start date in the Fleeties doc to indicate this position is now part of the hiring plan.
   - Reply in the `#hiring-xxxxx-2022` Slack channel, at-mentioning the original proposer, to let them know the new position is approved.

After getting CEO approval, create a position in Breezy.
#### Creating a new position in Breezy

> TODO: document how to post a job on fleetdm.com/apply using Breezy and manage the hiring process

#### Interviewing at Fleet

We're glad you're interested in joining the team! Here are some of the things you can anticipate throughout this process:

- We try to reply by email within one business day from the time when the application arrives.
- You may receive a rejection email (Bummer, consider applying again in the future).
- You may receive an invitation to "book with us."

If you've been invited to "book with us," you'll have a Zoom meeting with the hiring team to discuss the next steps.

#### Hiring a new team member

> Fleet is unable to hire team members in some countries. See [this internal document](https://docs.google.com/document/d/1jHHJqShIyvlVwzx1C-FB9GC74Di_Rfdgmhpai1SPC0g/edit) for the list.

1. **Manager:** At-mention People Operations in the `#hiring-xxxxx-2022` channel and indicate that you would like for Fleet to make an offer to the candidate. Include the candidate's name, personal email address, the timeframe for their start date, and the country where they will be working.
2. **People Ops:** People Operations will research compensation using [Pave](https://www.pave.com), making sure to adjust for the cost of living where the candidate will do the work. _If People Ops is unsure of their findings, ask for help from the CEO._ People Ops will then document this decision in the [compensation decisions document](https://docs.google.com/document/d/1NQ-IjcOTbyFluCWqsFLMfP4SvnopoXDcX0civ-STS5c/edit) for future reference.
3. **People Ops:** After you have determined compensation, make copies of these two templates and customize them for this candidate:
   - [Exit scenarios (template)](https://docs.google.com/spreadsheets/d/1k2TzsFYR0QxlD-KGPxuhuvvlJMrCvLPo2z8s8oGChT0/copy)
   - [Informal offer email (template)](https://docs.google.com/document/d/1zpNN2LWzAj-dVBC8iOg9jLurNlSe7XWKU69j7ntWtbY/copy)

   Change the name of the copied documents accordingly (e.g., "[candidate's name]'s copy of exit scenarios") and link to the exit scenarios spreadsheet from the offer email.
4. **People Ops:** Next, prepare the informal offer email. Post in the `#g-people` Slack channel and at-mention the CEO for assistance with determining the number of shares. You'll then need to add the following information to the template:
   - Candidate's name and email address
   - Candidate's start date
   - Candidate's compensation
   - Candidate's manager (the person they report to)
   - Equity offered to the candidate (specify the number of shares, and highlight it with a link to the candidate's exit scenarios spreadsheet)
   - Benefits (determined by the candidate's location)
5. **People Ops:** Prepare the exit scenarios spreadsheet. Enter the number of shares offered to the candidate, and the spreadsheet will update to reflect this.

   > **_Note:_** *Don't play with numbers in the exit scenarios spreadsheet. The revision history is visible to the candidate, and they might misunderstand.*
6. **People Ops:** Once both documents are complete, share the offer email draft, exit scenarios copy, and a link to the compensation decision with the CEO for approval by mentioning @mikermcneil in #g-people.
7. **CEO:** Confirm:
   - The compensation decision has been documented sufficiently and adjusted for the cost of living.
   - The equity plan and budget are up to date with the actual offer that is about to be sent.
   - The Fleeties doc now reflects the actual start date from the offer email, as well as the candidate's name, LinkedIn URL, and preferred pronoun.
   - It still makes business sense to make this offer by reviewing the budget and equity plan.

   The CEO will then reply in `#g-people` to indicate that the offer is approved.

   > **_Note:_** *When hiring an international employee, Pilot.co recommends starting the hiring process a month before the new employee's start date.*
8. **People Ops:** After obtaining CEO approval, confirm everything is correct one more time, then mention the CEO or CTO, who will send the offer email.
   - The offer email is copied directly from Google Drive into Gmail before being sent to the candidate.
   - When sending the offer, the CEO or CTO will edit the permissions of the exit scenarios sheet so it is accessible to the candidate.
   - People Ops is cc'd on the offer email but will not participate in the email thread until after the offer is accepted.

#### Hiring a new consultant

Consultant agreements are sent through [DocuSign](https://www.docusign.com/), using the "Consulting Agreement" template. To send a new consulting agreement, you'll need the new consultant's name, the term of the service, a summary of the services provided, and the consultant's fee.

There are some defaults that we use for these agreements:

- Term: one month
- Services rendered: [use this doc](https://docs.google.com/document/d/1b5SGgYEHqDmq5QF8p29WWN3it3XJh3xRT3zG0RdXARo/edit)
- Work will commence and complete by dates: Start date and end of term date
- Fee: Get from the contractor
- Hours: Default to 10 hr/week - 40 hr/week

Then hit send!

After all of the signatures are there, the completed document will automatically be uploaded to the appropriate Google Drive folder, and a Slack message will appear in the `#g-people` channel.

#### Updating a consultant's fee

- Direct message Charlie with rate change information.
- Charlie will post the information to `#g-people` and tag the CEO for approval.
- After CEO approval, Charlie will issue a new contractor agreement with the updated fee via DocuSign.
### Onboarding

#### Steps after an offer is accepted

1. Once an applicant accepts an offer in writing, People Ops replies to the candidate.
2. People Ops creates a [hiring issue](https://github.com/fleetdm/confidential/blob/main/.github/ISSUE_TEMPLATE/hiring.md) for the new team member in the [fleetdm/confidential](https://github.com/fleetdm/confidential/issues) repo. People Ops will use this issue to keep track of the hiring tasks for the new team member.
3. People Ops reaches out to the new team member via email to get any information they will need to prepare an agreement and add them to our payroll system.
   - **US team members**: People Ops will send the new team member's agreement through [DocuSign](https://www.docusign.com/). After it is signed and stored in the correct Google Drive folder, People Ops will invite the new team member to onboard in [Gusto](https://www.gusto.com/). If the new team member is a W-2 employee, People Ops will reach out to them and schedule an I-9 verification meeting.

     > *If we're hiring in a new state, we'll have to register for state taxes and unemployment. Gusto usually handles this process.*
   - **For international team members:** People Ops enters the new team member's information into [Pilot](https://pilot.co/) to kick off their hiring process. Pilot creates an agreement for the new team member, and People Ops reviews it to make sure everything looks correct. After People Ops confirms the information about the new hire, Pilot invites the new team member to enter the rest of their information and informs People Ops via email when a new Fleetie signs their agreement.
4. **As soon as we have a signed agreement with a new team member:** People Ops reaches out to the new team member to provide them with a [work device](#purchasing-a-company-issued-device) and a pair of [YubiKeys](./../security.md#hardware-security-keys). People Ops then requests a screenshot or link to the new Fleetie's preferred device and configuration.
   People Ops orders their device and YubiKeys using his Brex card and has them shipped directly to the new team member.

   >*If the new team member is in the US and requests a MacBook, it will be purchased using our Apple business account. For MacBooks purchased with this account, Apple will ship pre-configured and enrolled in our MDM.*

5. **Two weeks before their first day at Fleet:** People Ops creates a [Google Workspace account](https://admin.google.com/ac/users) for the new team member and invites them to join the [FleetDM](https://github.com/fleetdm) GitHub organization. When the new team member's work email is active, People Ops will send invitations to join Fleet's Slack and to create Fleet-managed 1Password and Zoom accounts with their Fleet email. People Ops sends the sign-in instructions to the new team member, accompanied by a brief explanation of the invitations sent.
6. **Before a new team member's first day:** People Ops creates an onboarding issue in the [fleetdm/confidential](https://github.com/fleetdm/confidential/issues) GitHub repo for the new team member. Before creating the issue, People Ops will go through it and comment on any steps that the new team member will not have to complete.

#### Team member onboarding

It's important that every team member at Fleet takes the time to get fully trained and onboarded.

When a new team member joins Fleet, we create an onboarding issue for them in the [fleetdm/confidential](https://github.com/fleetdm/confidential) repo using this [issue template](https://github.com/fleetdm/confidential/blob/main/.github/ISSUE_TEMPLATE/onboarding.md). We want to make sure that the new team member will be able to complete every task in their issue. To make sure the new team member is successful in their onboarding, we customize their issue by commenting on any tasks they won't need to complete.
We believe in taking onboarding and training seriously and that the onboarding template is an essential source of truth and a good use of time for every single new hire. If managers see a step that they don't feel is necessary, they should make a pull request to the [onboarding template](https://github.com/fleetdm/confidential/blob/main/.github/ISSUE_TEMPLATE/onboarding.md) and request a review from People operations.

#### Sightseeing tour

During their onboarding at Fleet, new team members are asked to schedule a sightseeing tour call with People operations. During this call, the new team member will participate in an interactive tour that includes:

- GitHub issues: the living bloodstream of the company.
- Kanban boards: the bulletin board of quests you can get and how you update status and let folks know things are done.
- Google Calendar: the future.
- Gmail: like any mailbox, full of junk mail, plus some important things, so it is important to check carefully.
- Salesforce: the Rolodex.
- Google Docs: the archives.
- Slack:
  - The "office" (#g-, #general).
  - The walkie talkies (DMs).
  - The watering hole (#oooh-, #random, #news, #help-).

#### Contributor experience training

During their first week at Fleet, new team members are asked to schedule a contributor experience training call with People operations. During this call, the new team member will share their screen, and People operations will:

- make sure emails will get seen and responded to quickly.
- make sure Slack messages will get seen and responded to quickly.
- make sure you know where your issues are tracked, which kanban board you use, and what the columns mean.
- make sure you can succeed with submitting a PR with the GitHub web editor, modifying docs or handbook, and working with Markdown.
- talk about Google calendar.
- give you a quick tour of the Fleet Google drive folder.
#### Onboarding a new advisor

Advisor agreements are sent through [DocuSign](https://www.docusign.com/), using the "Advisor Agreement" template. To send a new advisor agreement, you'll need the new advisor's name and the number of shares they are offered.

Once you send the agreement, add a new row to the [advisory board spreadsheet](https://docs.google.com/spreadsheets/d/15knBE2-PrQ1Ad-QcIk0mxCN-xFsATKK9hcifqrm0qFQ/edit#gid=1803674483) and enter the new advisor's information. Use this spreadsheet to track the advisor's progress through the onboarding process.

>**_Note:_** *Be sure to mark any columns that haven't been completed yet as "TODO".*

When you complete the agreement, make sure it is in the correct Google Drive folder, update the [advisory board spreadsheet](https://docs.google.com/spreadsheets/d/15knBE2-PrQ1Ad-QcIk0mxCN-xFsATKK9hcifqrm0qFQ/edit#gid=1803674483) to show that the agreement has been signed, and ask the new advisor to add us on [Linkedin](https://www.linkedin.com/company/71111416), [Crunchbase](https://www.crunchbase.com/organization/fleet-device-management), and [Angellist](https://angel.co/company/fleetdm).

#### Purchasing a company-issued device

Fleet provides laptops for team members to use while working at Fleet. As soon as an offer is accepted, `@charlottechance` will reach out to the new team member to start this process. `@charlottechance` will work with the new team member to get their laptop purchased and shipped to them.

Most of the team at Fleet uses 16" MacBook Pros, but team members are free to choose any laptop or operating system that works for them, as long as the price [is within reason](#spending-company-money).

When selecting your new laptop, we ask that you optimize your configuration to have a large hard drive and be available for delivery or pickup quickly, without waiting for customization.

New equipment for projects is requested in #help-business-operations; please tag `@charlottechance` in your post.
Include the device requested (specs), the reason for the request, and the timeline for when the device is needed.

When a device has been purchased, it's added to the [spreadsheet of company equipment](https://docs.google.com/spreadsheets/d/1hFlymLlRWIaWeVh14IRz03yE-ytBLfUaqVz0VVmmoGI/edit#gid=0) where we keep track of devices and equipment purchased by Fleet. When the team member receives their computer, they will complete the entry by adding a description, model, and serial number to the spreadsheet.

### Taxes and compliance

From time to time, you may get notices in the mail from the IRS and/or state agencies regarding your company's withholding and/or unemployment tax accounts. You can resolve many of these notices on your own by verifying and/or updating the settings in your Gusto account.

If the notice is regarding an upcoming change to your deposit schedule or unemployment tax rate, Charlie will make the change in Gusto. This includes:

- Updating your unemployment tax rate.
- Updating your federal deposit schedule.
- Updating your state deposit schedule.

**Important:** Agencies do not send notices to Gusto directly, so it's important that you read and take action before any listed deadlines or effective dates of requested changes.

**Notices you should report to Gusto**

If you can't resolve the notice on your own, are unsure what the notice is in reference to, or the tax notice has a missing payment or balance owed, follow the steps in "Report and upload a tax notice" in Gusto. In Gusto, click **How to review your notice** to help you understand what kind of notice you received and what additional action you can take to help speed up the time it takes to resolve the issue.

For more information about how Fleet and our accounting team work together, check out [Fleet - who does what](https://docs.google.com/spreadsheets/d/1FFOudmHmfVFIk-hdIWoPFsvMPmsjnRB8/edit#gid=829046836) (private doc).
#### State quarterly payroll and tax filings

Every quarter, payroll and tax filings are due for each state. Gusto can handle these automatically if third-party authorization (TPA) is enabled. Each state is unique, and Gusto has a library of [State registration and resources](https://support.gusto.com/hub/Employers-and-admins/Taxes-forms-and-compliance/State-registration-and-resources) available to review. You will need to grant third-party authorization (TPA) per state, and this should be checked quarterly before the filing due dates to ensure that Gusto can file on time.

#### CorpNet state registration process

In CorpNet, select "place an order for an existing business"; we'll need to have Foreign Registration and Payroll Tax Registration done.

- You can have CorpNet do this by emailing the account rep with the subject "Fleet Device Management: State - Foreign Registration and Payroll Tax Registration" (this takes about two weeks).
- You can do this between you and CorpNet by selecting "Foreign Qualification," placing the order, and emailing the confirmation to the rep for payroll registration (this is a short turnaround).
- You can do this on your own by visiting the state's "Secretary of State" website and checking that the company name is available. To register online, you'll need the EIN, business address, information about the owners and their percentages, the first date of business, sales within the state, and the business type (you usually get an approval email right away, within ~24-48 hrs).

For more information, check out [Fleet - who does what](https://docs.google.com/spreadsheets/d/1FFOudmHmfVFIk-hdIWoPFsvMPmsjnRB8/edit?usp=sharing&ouid=102440584423243016963&rtpof=true&sd=true).

#### Recruiting progress checkup

Weekly, Charlie looks in the [Fleeties spreadsheet](https://docs.google.com/spreadsheets/d/1OSLn-ZCbGSjPusHPiR5dwQhheH1K8-xqyZdsOe9y7qc/edit#gid=0) and reports on each open position:

- Is the position in [BreezyHR](https://app.breezy.hr/signin)?
- Is the position listed on fleetdm.com/jobs?
- What is the total # of applicants?
- What is the total # of interviews?

### Celebrations

#### Weekly updates

We like to celebrate our achievements weekly in `#general`.

- Every Thursday night, Charlie creates a thread in #help-manage requesting weekly updates, and managers will reply to the thread with their weekly updates.
- Friday afternoons, Charlie updates the KPIs in the [weekly updates spreadsheet](https://docs.google.com/spreadsheets/d/1Hso0LxqwrRVINCyW_n436bNHmoqhoLhC8bcbvLPOs9A/edit#gid=0), and Friday nights, Charlie will post the updates in #general.

Weekly update principles:

- Each department's update is 20-40 words or less.
- Err on the side of referring to items that are completely done and/or mentioning news that is potentially very exciting to folks throughout the company.

#### Workiversaries

We're happy you've ventured a trip around the sun with Fleet. Let's celebrate!

- Each Friday, if there are any upcoming workiversaries in the next seven days, People Operations posts about them in #g-people and tags @mikermcneil to let them know.

### Departures

#### Communicating departures

Although it's sad to see you go, Fleet understands that not everything is meant to be forever like open-source is. There are a few steps that we'll need to take to communicate your departure to the team.

1. Direct team: The CEO will reach out to the departing team member's direct reports in 1:1 calls.
2. Key stakeholders: The CEO will reach out to his direct reports about the departing team member's departure.
3. Announcement: Charlie will make an announcement during the "🌈 Weekly Update" post on Friday in the `#general` channel on Slack.

## Rituals

The following table lists the People group's rituals, frequency, and Directly Responsible Individual (DRI).
| Ritual | Frequency | Description | DRI |
|:-----------------------------|:-----------------------------|:----------------------------------------------------|-------------------|
| AP invoice monitoring | Daily | Look for new accounts payable invoices and make sure that Fleet's suppliers are paid. | Nathanael Holliday |
| Weekly update | Weekly | Updates from managers on what their departments accomplished for the week are logged in the cloud and disseminated in Slack. Update the ops KPIs in the ["🌈 Weekly updates" spreadsheet](https://docs.google.com/spreadsheets/d/1Hso0LxqwrRVINCyW_n436bNHmoqhoLhC8bcbvLPOs9A/edit#gid=0). | Charlie Chance |
| Hours update | Weekly | Screenshots of contractor hours as shown in Gusto are sent via Slack to each contractor's manager, with no further action necessary if everything appears normal. | Charlie Chance |
| Prepare Mike and Sid's 1:1 doc | Bi-weekly | Run through the document preparation GitHub issue for Mike's call with Sid. | Nathanael Holliday |
| OKR review | Every three weeks | Review the status of each OKR. | Mike Thomas |
| Brex reconciliation | Monthly | Make sure all company-issued credit card transactions include memos. | Nathanael Holliday |
| Monthly accounting | Monthly | Use the monthly accounting template in GitHub to go through the process of validating Fleet's books. | Nathanael Holliday |
| Commission payroll | Monthly | Use the [commission calculator](https://docs.google.com/spreadsheets/d/1vw6Q7kCC7-FdG5Fgx3ghgUdQiF2qwxk6njgK6z8_O9U/edit#gid=0) to determine the commission payroll to be run in Gusto. | Nathanael Holliday |
| US contractor payroll | Monthly | Sync contractor hours to payments in Gusto and run payroll for the month. | Charlie Chance |
| OKR planning | Quarterly | Plan for the next quarter's OKRs. | Mike Thomas |
| 550C update | Annually | File California 550C. | Charlie Chance |
| Workiversaries | Weekly/PRN | People Operations posts in #g-people and tags @mikermcneil about any upcoming workiversaries. | Charlie Chance |
| Investor and Advisor updates | PRN | People Operations tracks the last contact with investors and coordinates outreach with the CEO. | Charlie Chance |
| CEO inbox sweep | Daily unless OOO | Charlie does a morning sweep of the CEO's inbox to remove spam and grab action items. | Charlie Chance |
| Recruiting progress checkup | Weekly | Charlie looks in the [Fleeties spreadsheet](https://docs.google.com/spreadsheets/d/1OSLn-ZCbGSjPusHPiR5dwQhheH1K8-xqyZdsOe9y7qc/edit#gid=0) and reports on each open position. | Charlie Chance |
| Payroll | Monthly before payroll runs | Every month, Charlie audits the payroll platforms for accuracy. | Charlie Chance |
| Calendar audit | Daily | Daily, Charlie audits the CEO's calendar and sets notes for meetings. | Charlie Chance |
| TPA verifications | Quarterly | Every quarter before tax filing due dates, Charlie audits state accounts to ensure TPA is set up or renewed. | Charlie Chance |
| OKR table update | Quarterly | Every quarter after OKRs are finalized, Charlie adds the OKR doc file to the table on Product's page. | Charlie Chance |
| Revenue report | Weekly | At the start of every week, check the Salesforce reports for past due invoices, non-invoiced opportunities, and past due renewals. Report any findings to Mike McNeil and Alex Mitchell in the #help-sales channel and follow up with customers as necessary to resolve. | Nathanael Holliday |
| Capital credit reporting | Annually | Within 60 days of the new year, provide financial statements to SVB. | Nathanael Holliday |
| QBO check | Quarterly | The first month after the previous quarter has closed, make sure that QBO is accurate compared to Fleet's records. | Nathanael Holliday |
| BizOps key review | Every three weeks | Every release cycle, a key review deck is prepared and presented. | Nathanael Holliday |
| YubiKey adoption | Monthly | Track YubiKey adoption in Google Workspace and follow up with those that aren't using it. | Charlie Chance |
| MDM device enrollment | Quarterly | Provide an export of MDM-enrolled devices to the ops team. | Luke Heath |
| Access revalidation | Quarterly | Review critical access groups to make sure they contain only relevant people. | Charlie Chance |
| Security policy update | Annually | Update security policies and have them approved by the CEO. | Nathanael Holliday |
| Security notifications check | Daily | Check Slack, Google, Vanta, and Fleet dogfood for security-related notifications. | Nathanael Holliday |

## Slack channels

These groups maintain the following [Slack channels](https://fleetdm.com/handbook/company#group-slack-channels):

| Slack channel | [DRI](https://fleetdm.com/handbook/company#group-slack-channels) |
|:----------------------------|:--------------------------------------------------------------------|
| `#g-people` | Charlie Chance |
| `#help-onboarding` | Charlie Chance |
| `#g-business-operations` | Nathan Holliday |
| `#help-brex` | Nathan Holliday |
| `#help-ceo` | Charlie Chance |
| `#help-key-review-prep` | Charlie Chance |
| `#help-login` | Nathan Holliday |