Technology Access Policy

From Wikimedia District of Columbia
Revision as of 18:36, 14 September 2014 by Kirill Lokshin (Kirill Lokshin moved page Internal:Technology access policy to Technology access policy: Adopted)

ARTICLE I – PURPOSE

1. Purpose. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources used by Wikimedia District of Columbia (the "Corporation").

ARTICLE II – EMAIL ADDRESSES

1. Definition. A "Corporation Email Address" shall refer to any email address associated with a domain name owned by the Corporation, with the exception of domain names which are held by the Corporation exclusively for the benefit and use of another organization pursuant to an agreement between the Corporation and said organization.

2. No Personal Use. A Corporation Email Address shall only be used for conducting the official business of the Corporation. Personal use of a Corporation Email Address is prohibited.

3. Assignment. The Secretary shall assign a Corporation Email Address to each Officer and Director of the Corporation, to each staff member of the Corporation, and to any contractor engaged by the Corporation whose specific duties require the use of a Corporation Email Address.

4. Revocation. A person who has been assigned a Corporation Email Address and who ceases to meet the criteria listed in Article II, Paragraph 3 of this Policy shall have his or her access to said Corporation Email Address revoked ninety (90) days after ceasing to meet such criteria, unless the President determines that said person remains involved in the Corporation's activities in a capacity which requires continued access to a Corporation Email Address.

ARTICLE III – PERSONALLY IDENTIFIABLE INFORMATION

1. Definitions. As used in this Policy, the following terms have the indicated meaning:

(a) "Personally Identifiable Information" ("PII") refers to any information about a specific individual, including (i) any information that can be used to distinguish or trace an individual's identity, whether alone or when combined with other personal or identifying information; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
(b) "Sensitive Personally Identifiable Information" ("Sensitive PII") refers to personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

2. Standards for Tools. Any tool used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall support industry-grade encryption and the restriction of access to individual persons.

3. Access. Individuals shall only be granted access to a Sensitive PII Tool on a need-to-know basis and with the approval of the President. Each account used to access a Sensitive PII Tool shall be assigned for the exclusive use of one person, and the sharing of such accounts shall be prohibited.

4. List of Tools. A list of Sensitive PII Tools shall be maintained by the President, or by an individual duly appointed by the President for this purpose. The list shall include the name of each Sensitive PII Tool, the location where said tool is installed or accessed, and a list of persons with access to said tool.

ARTICLE IV – SERVERS

1. Use. Any server leased or operated by the Corporation ("Corporation Server") shall only be used for purposes that further the interests of the Corporation, including technical projects which have been approved by the Corporation.

2. Shell Accounts. Shell access to any Corporation Server shall only be granted with the approval of the President. A list of active shell accounts shall be maintained by the President, or by an individual duly appointed by the President for this purpose.

3. Root Access. Root access for a shell account shall only be granted with the approval of the President.