intake process and prioritization

cncf · Nov 18, 2019 · 7b979b2 · 7b979b2
1 parent 7d4c9b0
commit 7b979b2
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/assessments/README.md b/assessments/README.md
@@ -37,4 +37,7 @@ Due to the nature and timeframe for the analysis, *this review is not meant to s
 
 The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the SIG.
 
-See [security assessment guide](guide) for more details.
+
+* If you interested in a security assessment for your project and you are willing to volunteer as [project lead](guide/project-lead.md) or you are a SIG-Security member and want to recommend a project to review, please [file an issue](https://github.com/cncf/sig-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name)
+
+See [security assessment guide](guide) for more details.  To understand how we prioritize reviews, see [intake process](./intake-process.md).
diff --git a/assessments/intake-process.md b/assessments/intake-process.md
@@ -0,0 +1,34 @@
+# Security Assessment Priorities & Pipeline Intake Process
+
+SIG-Security has a volunteer team of subject matter experts and industry professionals dedicated to helping SIG-Security members, the TOC, and the larger CNCF community maintain an understanding of the current state of security in the cloud native ecosystem and helping cloud native projects succeed. 
+
+The following process describes how projects are prioritized for security assessments.
+
+# Authority
+
+* The [Security Assessment Facilitator](../governance/roles.md#security-assessment-facilitator) maintains the Assessment queue
+* A named chair provides oversight for the Security Assessment initiative. 
+This chair can adjust queue, and is also responsible for conveying TOC 
+instructions, when needed. (Sarah Allen is the current named Chair for Security Assessments.)
+
+# Pre-conditions
+
+* The project is either a CNCF project OR an assertion that the project is cloud native (any objection must be resolved before an assessment would be considered)
+* The project has identified a project lead and has a written self-assessment
+
+# Intake priorities
+
+1. TOC requests SIG-Security review a specific project or adjust priorities
+   a. TOC request will not interrupt an ongoing assessment
+   b. TOC requests may jump the prioritized queue of projects waiting for an assessment
+2. Projects that have received a CNCF Security Audit will be reviewed within a year of audit.
+3. CNCF Projects that request a review (or invited by SIG members). Prioritized by 
+project majority (Graduated projects will be highest priority, then incubated projects, then sandbox.)
+4. Non-CNCF Projects that request a review (or invited by SIG members)
+
+## Updates and renewal
+
+The Security Assessment team will review assessed projects annually, 
+focusing primarily on any issues or concerns raised in previous assessments, 
+addressing new functionality that affects risk profile of the project, 
+and any issue that may have been flagged about the project.