Create team documentation and training for "best practices in managing services for other communities" #302

Closed
5 tasks
choldgraf opened this issue Mar 12, 2021 · 1 comment
Labels
Enhancement An improvement to something or creating something new.

Comments

choldgraf commented Mar 12, 2021

Background

When we manage services for other communities we have a lot of power. For example, we may have visibility into sensitive information, usernames and emails, the work people are doing, etc. We need the ability to see these things in order to help debug. However, we need to give people confidence that we will not abuse this power through intentional or unintentional actions.

We should create something like a ten commandments of 2i2c SRE that ensures user safety and privacy. It could be rules and practices that we all agree to live by, and that we integrate into team practices and advertise to the world to give ourselves credibility.

An example of a commandment might be "Any information a user puts on a hub, stays on the hub." AKA, a 2i2c SRE person can never remove any user's data from the hub themselves, unless directly asked to do so.

@yuvipanda I am curious if you have seen anything like this in other SRE organizations, or have tips on what such a document would look like.

Steps to complete this goal

  • Agree whether this is a good idea or not
  • Investigate the Google CIS benchmarks as potential targets for our hub security and practices.
  • Determine some initial guidelines to focus on
  • Write up a draft for our documentation (or the team-compass, I think either would work)
  • Merge it in

choldgraf commented Jul 26, 2021

After a recent meeting with the Columbia security folks, they referred us to the Google Center for Internet Security benchmarks as a set of targets that the Columbia cloud policies adhere to. We should investigate this and understand if it's something we can build into our own practices. Added a list item to the top.
