Security Policies
Personnel policy
Reference Checks
As part of its hiring process, Netzilo does not perform criminal background checks, but does run a reference check on prospective employees, either before their hire date or within 30 days of it.
Security Awareness training
All employees must complete Netzilo’s information security awareness training during their initial onboarding and annually thereafter for as long as they remain under contract.
Performance Reviews
All full-time employees must complete an annual performance review. The results are signed and dated by both the employee and their manager and uploaded to the employee’s personnel file in the HR system.
Risk assessment policy
Netzilo reviews risks on a regular basis, to ensure proper mitigations are in place.
Scope
This policy covers any risk that could affect confidentiality, availability, and integrity of Netzilo’s key information assets and systems.
Risk assessments can be conducted on any information system, including applications, servers, and networks, and on any process or procedure by which these systems are administered or maintained.
Risk assessment
The Security Review Team is responsible for completing periodic information security risk assessments in order to determine areas of vulnerability and to identify and initiate appropriate remediations.
A risk register entry should include:
- Identification of the risk
- The mitigations that have been put in place
- Formal acceptance of the residual risk
The development, execution, and implementation of remediation programs is the joint responsibility of the Security Review Team and the employees accountable for the affected systems. Employees are expected to cooperate fully with any risk assessment conducted on systems for which they are accountable, and to work with the Security Review Team on developing and implementing the resulting remediation plan.
Schedule
Risks should be evaluated at least annually.
Information classification policy
To understand its potential exposure from a security risk, issue, or incident, Netzilo regularly catalogues and classifies its data and other in-scope assets so that it can apply risk-based controls.
Assets are anything that has value to the organization, including but not limited to, customer data, production data, financial data, intellectual property, and any material non-public information.
Asset cataloging
Netzilo records several pieces of information about each catalogued asset to help identify the risk it carries:
- Description, i.e. what is the asset?
- Risk, i.e. what is the asset’s risk classification?
- Use, i.e. how is this asset used?
- Location, i.e. where is it stored, used, and backed up?
- Sharing, i.e. is it shared with any third parties, such as vendors? Which specific third parties?
When new data is catalogued, or the use of existing data changes, the change must be specifically reviewed to verify that the collection and use of that data are consistent with Netzilo’s Privacy Policy.
Asset risk classification
Netzilo classifies assets into three risk categories: Low Risk, Medium Risk, and High Risk. Definitions are as follows:
When more than one classification could apply, the highest applicable classification is used. For example, a machine that is low-risk on its own but can be used to access high-risk data is classified as high-risk.
Schedule
Netzilo reviews the data it collects and processes, and updates the data register, quarterly.
Third party vendor review policy
Netzilo reviews vendor security practices before contracting and on a regular basis thereafter, to ensure vendors properly handle Netzilo’s customer data, confidential data, and other data.
Scope
This policy applies only to vendors and contractors that handle Netzilo’s data or its customers’ data.
Schedule
Vendors’ security practices are evaluated initially as part of contract review and then annually for as long as the vendor remains in use.
Contractors must read and acknowledge Netzilo’s security policies as part of their onboarding. Contractors must also complete Netzilo’s information security training during onboarding and annually thereafter for as long as they remain under contract.
Vendor assessment
As part of vendor evaluation and contracting, vendors’ security practices should be reviewed to ensure they sufficiently protect Netzilo’s and its customers’ data.
The requirements placed on a vendor may vary with the risk classification of the assets it handles (see the Information classification policy), for example sensitive data or access to production resources, and may change during a contract if the vendor’s scope or responsibilities change.
Netzilo will:
1- Ask the vendor for its SOC 2 Type II or Type I report for an overview of its current security practices. If no SOC 2 report exists, or the report provides insufficient information, Netzilo will ask the vendor to complete the VSAQ (Vendor Security Assessment Questionnaire).
2- Review the vendor’s responses against Netzilo’s own security policies to identify any gaps where the vendor’s practices are weaker.
3- For each notable gap, or where insufficient information is provided, Netzilo may ask the vendor to make a change or provide additional information, implement a mitigating control, or accept the risk. The decision and its rationale are documented in the risk register.
Netzilo documents the following information about each vendor so that it is readily available in the event of an incident:
- Vendor name, i.e. Which vendor?
- Vendor contact information, i.e. How do we contact the vendor? List different contacts for billing, support, and/or security where they apply.
- Type of data shared, i.e. What types of Netzilo data does the vendor collect or otherwise have access to?
- Terms of Service for services provided by the vendor
- Security report or questionnaire shared by the vendor