FociSolutions / github-foundations

A framework for managing your GitHub Enterprise account infrastructure.
MIT License

[Docs] Incorporate TBS feedback into Guardrails #76

Closed bzarboni1 closed 4 months ago

bzarboni1 commented 5 months ago

ISSUE

Upon request, the TBS client provided the following feedback regarding the current Guardrails:

“Use Pull Requests or Merge Requests to review and approve changes to the SCM configuration.”

This assumes you have an infrastructure-as-code approach to the management of your SCM. I would recommend changing that to something like “use documented processes to review and approve changes to the SCM configuration”, because you will still have folks who clickops things.

Also, there might be a place for Plan for Continuity - Canada.ca; especially for SaaS SCMs, you should have a third-party backup solution in place (e.g. daily S3 backups).

Additionally, some ITSG Control coverage is missing from the Guardrails docs for the controls:

AC-2(3), AC-2(4), AC-6(9), AC-8, AC-9, AC-9(3), AC-12, AC-16(2), AC-17(1), AC-17(2), AC-17(100), 
IA-2(11), IA-5(6), IA-5(7), IA-8, IA-8(100), IA-9, IA-9(1), IA-9(2), 
SC-8, SC-8(1), 
SI-10, SI-12, SI-4(5), SI-4(7)

After incorporating the above controls into the docs, the following will not be implemented / need to be added to the Risk register:

- AC-8, AC-9, AC-9(3), AC-12,
- AC-17(100),
- IA-9, IA-9(1), IA-9(2),
- SI-12