intake process and prioritization

assessments/README.md

@@ -2,39 +2,73 @@
 
 ## Goals
 
-The [security assessment process](guide) is designed to accelerate the adoption of cloud native technologies, based on the following goals and assumptions:
+The [security assessment process](guide) is designed to accelerate the adoption
+of cloud native technologies, based on the following goals and assumptions:
 
 ### 1) Reduce risk across the ecosystem
 
-The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways:
+The primary goal is to reduce the risk from malicious attacks and accidental
+breaches of privacy. This process supports that goal in two ways:
 
-   * Clear and consistent process for communication increases detection & reduces time to resolve known or suspected vulnerability issues
-   * A collaborative evaluation process increases domain expertise within each participating project.
+   * Clear and consistent process for communication increases detection &
+     reduces time to resolve known or suspected vulnerability issues
+   * A collaborative evaluation process increases domain expertise within each
+     participating project.
 
 ### 2) Accelerate adoption of cloud native technologies
 
-Security reviews are a necessary, time intensive process. Each company, organization and project must perform its own reviews to ensure that it meets its unique commitments to its own users and stakeholders.
-In open source, simply finding security-related information can be overwhelmingly difficult and a time consuming part of the security review. The CNCF security assessment, hereafter "security assessment," process is intended to enable improved discovery of security information & assist in streamlining internal and external security reviews in multiple ways:
+Security reviews are a necessary, time intensive process. Each company,
+organization and project must perform its own reviews to ensure that it meets
+its unique commitments to its own users and stakeholders. In open source, simply
+finding security-related information can be overwhelmingly difficult and a time
+consuming part of the security review. The CNCF security assessment, hereafter
+"security assessment," process is intended to enable improved discovery of
+security information & assist in streamlining internal and external security
+reviews in multiple ways:
 
    * Consistent documentation reduces review time
    * Established baseline of security-relevant information reduces Q&A
-   * Clear rubric for security profile enables organizations to align their risk profile with the project’s risk profile and effectively allocate resources (for review and needed project contribution)
+   * Clear rubric for security profile enables organizations to align their risk
+     profile with the project’s risk profile and effectively allocate resources
+     (for review and needed project contribution)
    * Structured metadata allows for navigation, grouping and cross-linking
 
-We expect that this process will raise awareness of how specific open source projects affect the security of a cloud native system; however, separate activities may be needed to achieve that purpose using materials generated by the assessements.
+We expect that this process will raise awareness of how specific open source
+projects affect the security of a cloud native system; however, separate
+activities may be needed to achieve that purpose using materials generated by
+the assessements.
 
 ## Outcome
 
 Each project's security assessment shall include a description of:
 1. the project's design goals with respect to security
 2. any aspects of design and configuration that could introduce risk
-3. known limitations, such as expectations or assumptions that aspects of security, whole or in part, are to be handled by upstream or downstream dependencies or complementary software
-4. next steps toward increasing security of the project itself and/or increasing the applications of the project toward a more secure cloud native ecosystem
+3. known limitations, such as expectations or assumptions that aspects of
+   security, whole or in part, are to be handled by upstream or downstream
+   dependencies or complementary software
+4. next steps toward increasing security of the project itself and/or increasing
+   the applications of the project toward a more secure cloud native ecosystem
 
-Due to the nature and timeframe for the analysis, *this review is not meant to subsume the need for a professional security audit of the code*.  Audits of implementation-specific vulnerabilities, improper deployment configuration, etc. are not in scope of a security assessment.  A security assessmet is intended to uncover design and configuration flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.
+Due to the nature and timeframe for the analysis, *this review is not meant to
+subsume the need for a professional security audit of the code*.  Audits of
+implementation-specific vulnerabilities, improper deployment configuration, etc.
+are not in scope of a security assessment.  A security assessmet is intended to
+uncover design and configuration flaws and to obtain a clear, comprehensive
+articulation of the project's design goals and aspirations while documenting the
+intended security properties enforced, fulfilled, or executed by said project.
 
 ## Process
 
-The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the SIG.
+The security assessment is a collaborative process for the benefit of the
+project and the community, where the primary content is generated by the
+[project lead](guide/project-lead.md) and revised based on feedback from
+[security reviewers](guide/security-reviewer.md) and other members of the SIG.
 
-See [security assessment guide](guide) for more details.
+
+* If you interested in a security assessment for your project and you are
+  willing to volunteer as [project lead](guide/project-lead.md) or you are a
+  SIG-Security member and want to recommend a project to review, please [file an
+  issue](https://github.com/cncf/sig-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name)
+
+See [security assessment guide](guide) for more details.  To understand how we
+prioritize reviews, see [intake process](./intake-process.md).

assessments/intake-process.md

@@ -0,0 +1,45 @@
+# Security Assessment Priorities & Pipeline Intake Process
+
+SIG-Security has a volunteer team of subject matter experts and industry
+professionals dedicated to helping SIG-Security members, the TOC, and the larger
+CNCF community maintain an understanding of the current state of security in the
+cloud native ecosystem and helping cloud native projects succeed.
+
+The following process describes how projects are prioritized for security
+assessments.
+
+# Authority
+
+* The [Security Assessment
+  Facilitator](../governance/roles.md#security-assessment-facilitator) maintains
+  the Assessment queue
+* A named chair provides oversight for the Security Assessment initiative. This
+  chair can adjust queue, and is also responsible for conveying TOC
+  instructions, when needed. (Sarah Allen is the current named Chair for
+  Security Assessments.)
+
+# Pre-conditions
+
+* The project is either a CNCF project OR an assertion that the project is cloud
+  native (any objection must be resolved before an assessment would be
+  considered)
+* The project has identified a project lead and has a written self-assessment
+
+# Intake priorities
+
+1. TOC requests SIG-Security review a specific project or adjust priorities a.
+   TOC request will not interrupt an ongoing assessment b. TOC requests may jump
+   the prioritized queue of projects waiting for an assessment
+2. Projects that have received a CNCF Security Audit will be reviewed within a
+   year of audit.
+3. CNCF Projects that request a review (or invited by SIG members). Prioritized
+   by project majority (Graduated projects will be highest priority, then
+   incubated projects, then sandbox.)
+4. Non-CNCF Projects that request a review (or invited by SIG members)
+
+## Updates and renewal
+
+The Security Assessment team will review assessed projects annually, focusing
+primarily on any issues or concerns raised in previous assessments, addressing
+new functionality that affects risk profile of the project, and any issue that
+may have been flagged about the project.