Difference between revisions of "Technology access policy"

From Wikimedia District of Columbia
(Expanding policy draft to be about other technological tools)
(Amended)
 
(11 intermediate revisions by 2 users not shown)
− {{header title|title=Technology Access Policy|status=review}}
+ {{header title|title=Technology Access Policy|toc=yes}}

==ARTICLE I – PURPOSE==

− 1. <u>Purpose</u>. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources in use by Wikimedia District of Columbia ("Corporation").
+ 1. <u>Purpose</u>. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources used by Wikimedia District of Columbia (the "Corporation").

− ==ARTICLE II - EMAIL ADDRESSES==
+ ==ARTICLE II – EMAIL ADDRESSES==

− 1. <u>No Personal Use</u>. Email addresses issued by the Corporation on a domain name owned by the Corporation ("Corporation email addresses") shall only be used for conducting the official business of the Corporation. No personal use of Corporation email addresses is permitted.
+ 1. <u>Definition</u>. A "Corporation Email Address" shall refer to any email address associated with a domain name owned by the Corporation, with the exception of domain names which are held by the Corporation exclusively for the benefit and use of another organization pursuant to an agreement between the Corporation and said organization.

− 2. <u>Persons Assigned Email Addresses</u>. Officers and Directors of the Corporation, staff members, and contractors shall be assigned Corporation email addresses by the Secretary.
+ 2. <u>No Personal Use</u>. A Corporation Email Address shall only be used for conducting the official business of the Corporation. Personal use of a Corporation Email Address is prohibited.

− 3. <u>Revoking Email Addresses</u>. The Secretary shall revoke access to Corporation email addresses from any person who no longer satisfies the conditions of Article II, Paragraph 2, following a 90 day period, unless such person remains involved in the Corporation's activities in a different capacity.
+ 3. <u>Assignment</u>. The Secretary shall assign a Corporation Email Address to each Officer and Director of the Corporation, to each staff member of the Corporation, and to any contractor engaged by the Corporation whose specific duties require the use of a Corporation Email Address.

− ==ARTICLE III – ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION==
+ 4. <u>Continued Access</u>. No later than thirty (30) days after an individual who has been assigned a Corporation Email Address ceases to meet the criteria for access defined in Paragraph 3 of this Article, the President shall evaluate the individual's anticipated involvement in the Corporation's future activities and determine whether continued access to a Corporation Email Address should be granted. If such access is granted, it will be retained indefinitely unless revoked by the President.

− 1. <u>Definition</u>. Personally Identifiable Information ("PII") refers to information which can be used to distinguish or trace an individual’s identity, including, but not limited to, their name, social security number, biometric records, credit card information, date or place of birth, mother’s maiden name, or other information that either alone, or in combination with other personal or identifying information is linked or linkable to a specific individual.
+ ==ARTICLE III – PERSONALLY IDENTIFIABLE INFORMATION==
+ 1. <u>Definitions.</u> As used in this Policy, the following terms have the indicated meaning:
+ :(a) "Personally Identifiable Information" ("PII") refers to any information about a specific individual, including (i) any information that can be used to distinguish or trace an individual's identity, whether alone or when combined with other personal or identifying information; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
+ :(b) "Sensitive Personally Identifiable Information" ("Sensitive PII") refers to personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

− 2. <u>Standards</u>. No information technology tool may be used to collect or store PII on behalf of the Corporation unless such tool supports industry-grade encryption and the creation of user accounts for individual persons.
+ 2. <u>Standards for Tools</u>. Software platforms used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall adhere to the following standards:
+ : (a) <u>Individual Access</u>. Access shall be allocated to individual user accounts, not accounts shared among individuals. The President may make exceptions for specific tools if the President determines that no feasible alternative exists.
+ : (b) <u>HTTP Connection</u>. Web-based tools shall only be accessed over HTTPS. Tools that do not support access over HTTPS shall not be used by the Corporation.
+ : (c) <u>Two-Factor Authentication</u>. It is the policy of the Corporation to prefer tools that support two-factor authentication.
+ : (d) <u>Public-Key Authentication</u>. Accounts on Corporation servers shall only be accessed through public-key authentication.

− 3. <u>Assignment of Accounts</u>. Individuals shall be granted access to information technology tools used to store and collect PII ("PII Tools") on a need-to-know basis by the President of the Corporation. Each account shall be assigned for the exclusive use of one person, with no account sharing permitted.
+ 3. <u>Access</u>. Individuals shall only be granted access to a Sensitive PII Tool on a need-to-know basis and with the approval of the President, who shall report such approval to the Board. Shared accounts shall be prohibited.

− 4. <u>List of Tools</u>. A list of PII Tools shall be maintained and made available to the President of the Corporation and to the Board of Directors. This list shall include the names of PII Tools used, where they are installed or accessed, and a list of persons with access to such PII Tools.
+ ==ARTICLE IV – SERVERS==
+ 1. <u>Use</u>. Any server leased or operated by the Corporation ("Corporation Server") shall only be used for purposes that further the interests of the Corporation, including technical projects which have been approved by the Corporation.
+ 2. <u>Shell Accounts</u>. Shell access to any Corporation Server shall only be granted with the approval of the President, who shall report such approval to the Board.
+ 3. <u>Root Access</u>. Root access for a shell account shall only be granted with the approval of the President.
+ ==ARTICLE V – TERMINATION OF ACCESS==
+ 1. <u>Application</u>. Any person who has been granted access to an information technology resource pursuant to this Policy, and who ceases to meet the criteria for such access as defined in this Policy, shall have such access terminated as described in this Article.
+ 2. <u>Termination of Email Access</u>. The Secretary shall terminate, or cause to be terminated, access to any Corporation Email Address.
+ 3. <u>Termination of Sensitive PII Tool Access</u>. The President shall terminate, or cause to be terminated, access to any Sensitive PII Tool.
+ 4. <u>Termination of Server Access</u>. The President shall terminate, or cause to be terminated, access to any Corporation Server.
+ 5. <u>Termination of Website Access</u>. Wikimedia DC's public websites are intended to support activities conducted by Wikimedia DC staff and volunteers in furtherance of Wikimedia DC's charitable mission. Authorized Wikimedia DC staff or volunteers may immediately delete accounts, pages, and edits on any Wikimedia DC website that do not meet this criterion.

[[Category:Policies]]

Latest revision as of 17:31, 17 June 2018

ARTICLE I – PURPOSE

1. Purpose. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources used by Wikimedia District of Columbia (the "Corporation").

ARTICLE II – EMAIL ADDRESSES

1. Definition. A "Corporation Email Address" shall refer to any email address associated with a domain name owned by the Corporation, with the exception of domain names which are held by the Corporation exclusively for the benefit and use of another organization pursuant to an agreement between the Corporation and said organization.

2. No Personal Use. A Corporation Email Address shall only be used for conducting the official business of the Corporation. Personal use of a Corporation Email Address is prohibited.

3. Assignment. The Secretary shall assign a Corporation Email Address to each Officer and Director of the Corporation, to each staff member of the Corporation, and to any contractor engaged by the Corporation whose specific duties require the use of a Corporation Email Address.

4. Continued Access. No later than thirty (30) days after an individual who has been assigned a Corporation Email Address ceases to meet the criteria for access defined in Paragraph 3 of this Article, the President shall evaluate the individual's anticipated involvement in the Corporation's future activities and determine whether continued access to a Corporation Email Address should be granted. If such access is granted, it will be retained indefinitely unless revoked by the President.

ARTICLE III – PERSONALLY IDENTIFIABLE INFORMATION

1. Definitions. As used in this Policy, the following terms have the indicated meaning:

(a) "Personally Identifiable Information" ("PII") refers to any information about a specific individual, including (i) any information that can be used to distinguish or trace an individual's identity, whether alone or when combined with other personal or identifying information; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
(b) "Sensitive Personally Identifiable Information" ("Sensitive PII") refers to personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

2. Standards for Tools. Software platforms used by the Corporation to collect or store Sensitive PII ("Sensitive PII Tool") shall adhere to the following standards:

(a) Individual Access. Access shall be allocated to individual user accounts, not accounts shared among individuals. The President may make exceptions for specific tools if the President determines that no feasible alternative exists.
(b) HTTP Connection. Web-based tools shall only be accessed over HTTPS. Tools that do not support access over HTTPS shall not be used by the Corporation.
(c) Two-Factor Authentication. It is the policy of the Corporation to prefer tools that support two-factor authentication.
(d) Public-Key Authentication. Accounts on Corporation servers shall only be accessed through public-key authentication.

3. Access. Individuals shall only be granted access to a Sensitive PII Tool on a need-to-know basis and with the approval of the President, who shall report such approval to the Board. Shared accounts shall be prohibited.

ARTICLE IV – SERVERS

1. Use. Any server leased or operated by the Corporation ("Corporation Server") shall only be used for purposes that further the interests of the Corporation, including technical projects which have been approved by the Corporation.

2. Shell Accounts. Shell access to any Corporation Server shall only be granted with the approval of the President, who shall report such approval to the Board.

3. Root Access. Root access for a shell account shall only be granted with the approval of the President.

ARTICLE V – TERMINATION OF ACCESS

1. Application. Any person who has been granted access to an information technology resource pursuant to this Policy, and who ceases to meet the criteria for such access as defined in this Policy, shall have such access terminated as described in this Article.

2. Termination of Email Access. The Secretary shall terminate, or cause to be terminated, access to any Corporation Email Address.

3. Termination of Sensitive PII Tool Access. The President shall terminate, or cause to be terminated, access to any Sensitive PII Tool.

4. Termination of Server Access. The President shall terminate, or cause to be terminated, access to any Corporation Server.

5. Termination of Website Access. Wikimedia DC's public websites are intended to support activities conducted by Wikimedia DC staff and volunteers in furtherance of Wikimedia DC's charitable mission. Authorized Wikimedia DC staff or volunteers may immediately delete accounts, pages, and edits on any Wikimedia DC website that do not meet this criterion.