In the course of its operations, Sourcegraph encounters risks which could affect the confidentiality, integrity, or availability of information it holds. This includes information stored for Sourcegraph’s internal functions as well as information stored in order to provide services to customers.
This policy specifies a risk management framework through which:
This is a high-level policy document that specifies what processes need to occur as part of this framework. For details of how these processes occur in practice, please refer to the accompanying Information Security Risk Management Process.
This policy applies to all information handled in the course of Sourcegraph’s business, whether for internal purposes, or as part of services provided to customers. This policy also applies regardless of the technology or medium used to process or store the information.
Risks unrelated to information security are not in scope for this policy; where this document mentions risk, it refers to information security risk alone unless explicitly stated otherwise. Risks in this context are used to identify high-level areas where a compromise of confidentiality, integrity, or availability might occur. This is distinct from vulnerabilities, which refer to specific technical weaknesses in Sourcegraph’s infrastructure and are covered by Sourcegraph’s Vulnerability Management Policy.
At a high level, the risk management framework at Sourcegraph can be summarized via the following diagram:
The various stages of this process are described in more detail below.
| Role | Responsibilities |
|---|---|
| Risk Owner | • Understand and approve Sourcegraph’s information security risk appetite<br>• Facilitate the remediation actions/treatment plan for a risk<br>• Sign off on risk assessments for individual risks<br>• Sign off on risk reports (see section Reporting and Review below for more details on risk reporting)<br>• Sign off on risk exceptions |
| Compliance Manager | • Oversee the development and continuous improvement of the risk management policy and related procedures<br>• Coordinate and offer advice on risk management |
| Security Team | • Responsible for the identification and assessment of information security risks<br>• Assist in the development of risk treatment plans<br>• Run the reporting and review processes of the risk management policy framework |
| Risk Manager | • Assist in the assessment of identified risks<br>• Assist in the development of risk treatment plans for specific risks where required<br>• Ensure that risk treatment plans and schedules are adhered to, or that extensions are requested where this is not possible |
| Sourcegraph Staff | • Assist in the identification of risks when required by the Security Team |