
[Improvement]: Improve the "Best practices for preventing data leaks in your organization" article (#39591)

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
This commit is contained in:
Sophie
2023-07-27 16:09:03 +02:00
committed by GitHub
parent f87035a89d
commit af8298c344
8 changed files with 34 additions and 7 deletions

@@ -197,6 +197,10 @@ After using either the BFG tool or `git filter-repo` to remove the sensitive dat
## Avoiding accidental commits in the future
{% ifversion fpt or ghec or ghes %}
Preventing contributors from making accidental commits can help you prevent sensitive information from being exposed. For more information see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
{% endif %}
There are a few simple tricks to avoid committing things you don't want committed:
- Use a visual program like [{% data variables.product.prodname_desktop %}](https://desktop.github.com/) or [gitk](https://git-scm.com/docs/gitk) to commit changes. Visual programs generally make it easier to see exactly which files will be added, deleted, and modified with each commit.
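Review bot: the added sentence is missing the comma in "For more information, see"; every other cross-reference this commit adds, and the surrounding docs, use the comma form. It would also help the reader to say in a short clause what the linked article covers (organization-level settings such as restricting repository creation and visibility changes, as the other hunks in this commit show), since the heading here is about individual contributors avoiding accidental commits and the link otherwise reads as unrelated.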

@@ -18,7 +18,7 @@ shortTitle: Prevent data leaks
As an organization owner, preventing exposure of private or sensitive data should be a top priority. Whether intentional or accidental, data leaks can cause substantial risk to the parties involved. While {% data variables.product.prodname_dotcom %} takes measures to help protect you against data leaks, you are also responsible for administering your organization to harden security.
There are several key components when it comes to defending against data leaks:
There are several key components when it comes to defending against data leaks:
- Taking a proactive approach towards prevention
- Early detection of possible leaks
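Review bot: the removed and added versions of "There are several key components when it comes to defending against data leaks:" read identically in this view, so the change is whitespace-only or otherwise invisible; confirm it is intentional rather than an editor re-save, because the same removed/added pairs with no visible difference appear in later hunks of this file.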
@@ -28,7 +28,7 @@ The best approach will depend on the type of organization you're managing. For e
## Secure accounts
Security best practices include:
Protect your organization's repositories and settings by implementing security best practices, including enabling 2FA and requiring it for all members, and establishing strong password guidelines.
{% ifversion ghec %}- Enabling secure authentication processes by using SAML and SCIM integrations, as well as 2FA authentication whenever possible. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)," "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)," and "[AUTOTITLE](/authentication/securing-your-account-with-two-factor-authentication-2fa)." {% endif %}
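Review bot: the replacement sentence ends in a period, but the next line is still a bullet in gerund form ("Enabling secure authentication processes by using SAML and SCIM integrations...") that was written to complete the removed lead-in "Security best practices include:"; with that colon gone the list dangles. Either keep a one-line lead-in ending in a colon above the bullets, or rewrite the remaining items as full sentences. The new sentence also states the 2FA recommendation that the very next bullet repeats, so the same point now appears twice in a row.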
@@ -67,13 +67,13 @@ No matter how well you tighten your organization to prevent data leaks, some may
{% ifversion fpt or ghec %}
There are two forms of {% data variables.product.prodname_secret_scanning %} available: **{% data variables.secret-scanning.partner_alerts_caps %}** and **{% data variables.secret-scanning.user_alerts_caps %}**.
- {% data variables.secret-scanning.partner_alerts_caps %}—These are enabled by default and automatically run on all public repositories and public npm packages.
- {% data variables.secret-scanning.partner_alerts_caps %}—These are enabled by default and automatically run on all public repositories and public npm packages.
- {% data variables.secret-scanning.user_alerts_caps %}—To get additional scanning capabilities for your organization, you need to enable {% data variables.secret-scanning.user_alerts %}.
When enabled, {% data variables.secret-scanning.user_alerts %} can be detected on the following types of repository:{% ifversion fpt %}
When enabled, {% data variables.secret-scanning.user_alerts %} can be detected on the following types of repository:{% ifversion fpt %}
- Public repositories owned by personal accounts on {% data variables.product.prodname_dotcom_the_website %}
- Public repositories owned by organizations
- Private and internal repositorites owned by organizations using {% data variables.product.prodname_ghe_cloud %}, when you have a license for {% data variables.product.prodname_GH_advanced_security %}{% elsif ghec %}
- Private and internal repositorites owned by organizations using {% data variables.product.prodname_ghe_cloud %}, when you have a license for {% data variables.product.prodname_GH_advanced_security %}{% elsif ghec %}
- Public repositories owned by organizations that use {% data variables.product.prodname_ghe_cloud %} (for free)
- Private and internal repositorites when you have a license for {% data variables.product.prodname_GH_advanced_security %}{% endif %}
{% endif %}
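Review bot: "repositorites" is misspelled in both the removed and the added versions of the line ("Private and internal repositorites owned by organizations...") and again in the unchanged line "Private and internal repositorites when you have a license..."; since these lines are being touched, fix all three to "repositories". As in the earlier hunk, the three removed/added pairs here show no visible text change.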
@@ -98,7 +98,7 @@ If a user pushes sensitive data, ask them to remove it by using the `git filter-
At the organization level, if you're unable to coordinate with the user who pushed the sensitive data to remove it, we recommend you contact [GitHub Support](https://support.github.com/contact) with the concerning commit SHA.
If you're unable to coordinate directly with the repository owner to remove data that you're confident you own, you can fill out a DMCA takedown notice form and tell GitHub Support. For more information, see [DMCA takedown notice](https://support.github.com/contact/dmca-takedown).
If you're unable to coordinate directly with the repository owner to remove data that you're confident you own, you can fill out a DMCA takedown notice form and tell GitHub Support. For more information, see [DMCA takedown notice](https://support.github.com/contact/dmca-takedown).
{% note %}

@@ -25,6 +25,10 @@ Organizations using {% data variables.product.prodname_ghe_cloud %} can also res
Enterprise owners can restrict the options you have available for your organization's repository creation policy. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation)."
{% endif %}
{% ifversion fpt or ghec or ghes %}
Organization owners can restrict the type of repositories members can create to private {% ifversion ghec or ghes %}or internal{% endif %} to help prevent sensitive information from being exposed. For more information, see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
{% endif %}
{% warning %}
**Warning**: This setting only restricts the visibility options available when repositories are created and does not restrict the ability to change repository visibility at a later time. For more information about restricting changes to existing repositories' visibilities, see "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization)."
@@ -34,7 +38,7 @@ Enterprise owners can restrict the options you have available for your organizat
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.member-privileges %}
1. Under "Repository creation", select one or more options.
1. Under "Repository creation", select one or more options. <br><br>
{% ifversion fpt or ghec %}
{% note %}
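Review bot: the `<br><br>` appended to "1. Under "Repository creation", select one or more options." is inline HTML used only for vertical spacing before the versioned `{% note %}` block; the rest of this patch relies on blank lines and Liquid blocks for layout, so prefer a blank line (or no extra spacing) over hard-coded line breaks, which render inconsistently and are easy to miss in later edits.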

@@ -20,6 +20,10 @@ You can restrict who has the ability to change the visibility of repositories in
You can restrict the ability to change repository visibility to organization owners only, or you can allow anyone with admin access to a repository to change visibility.
{% ifversion fpt or ghec or ghes %}
Restricting who has the ability to change the visibility of repositories in your organization helps prevent sensitive information from being exposed. For more information, see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
{% endif %}
{% warning %}
**Warning**: If enabled, this setting allows people with admin access to choose any visibility for an existing repository, even if you do not allow that type of repository to be created. For more information about restricting the visibility of repositories during creation, see "[AUTOTITLE](/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization)."

@@ -18,6 +18,10 @@ shortTitle: Set repo management policy
Owners can set permissions for deleting or transferring repositories in an organization.
{% ifversion fpt or ghec or ghes %}
Limiting the ability to delete or transfer repositories helps prevent sensitive information from being exposed. For more information, see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
{% endif %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.member-privileges %}

@@ -15,6 +15,8 @@ shortTitle: Upgrade to Corporate ToS
The Standard Terms of Service is an agreement between {% data variables.product.prodname_dotcom %} and you as an individual. To enter into an agreement with {% data variables.product.prodname_dotcom %} on behalf of an entity, such as a company, non-profit, or group, organization owners can upgrade to the Corporate Terms of Service.
You can upgrade to the Corporate Terms of Service instead of using the Standard Terms of Service to help prevent sensitive information from being exposed. For more information see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
1. Navigate to your organization's settings and scroll to the **Terms of Service** section.
1. Click **Read the Corporate Terms of Service**.
1. After you've read the Corporate Terms of Service, click **Sign corporate terms**.
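Review bot: the new sentence asserts that upgrading to the Corporate Terms of Service helps prevent sensitive information from being exposed, but nothing in the hunk explains how; the paragraph above it describes the Corporate ToS as a change of contracting party (entity instead of individual), not a security control. State the mechanism the linked article relies on, or soften this to a plain cross-reference. The sentence is also missing the comma in "For more information, see".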

@@ -44,6 +44,10 @@ After verifying ownership of your organization's domain, you can restrict email
{% ifversion ghec %}You can also verify custom domains used for {% data variables.product.prodname_pages %} to prevent domain takeovers when a custom domain remains configured but your {% data variables.product.prodname_pages %} site is either disabled or no longer uses the domain. For more information, see "[AUTOTITLE](/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages)."{% endif %}
{% ifversion fpt or ghec or ghes %}
If you confirm your organizations identity by verifying your domain and restricting email notifications to only verified email domains, you can help prevent sensitive information from being exposed. For more information see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
{% endif %}
{% ifversion ghec or ghes %}
## About domain approval
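Review bot: "your organizations identity" needs the possessive apostrophe ("your organization's identity"), and "For more information see" is missing its comma. The sentence would also read more directly if it led with the action: "Verifying your domain and restricting email notifications to verified email domains helps prevent sensitive information from being exposed."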

@@ -18,6 +18,11 @@ shortTitle: Manage the forking policy
---
An organization owner must allow forks of private{% ifversion ghae or ghes or ghec %} and internal{% endif %} repositories on the organization level before you can allow or disallow forks for a specific repository. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization)."
{% ifversion fpt or ghec or ghes %}
You can help prevent sensitive information from being exposed by disabling the ability to fork repositories in your organization. For more information, see "[AUTOTITLE](/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization)."
{% elsif ghae %}
{% endif %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
1. Under "Features", select **Allow forking**.
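Review bot: the `{% elsif ghae %}` branch is empty, since it is immediately followed by `{% endif %}`; drop it and keep just `{% ifversion fpt or ghec or ghes %} ... {% endif %}`. An empty branch adds nothing to the rendered output and suggests that ghae-specific text was intended here but never written.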