Difference between revisions of "Technology access policy"

From Wikimedia District of Columbia
(Server access)
(Working)
Line 1: Line 1:
{{header title|title=Technology Access Policy|status=review}}
+
{{header title|title=Technology Access Policy|status=review|toc=yes}}
  
 
==ARTICLE I – PURPOSE==
 
==ARTICLE I – PURPOSE==
1. <u>Purpose</u>. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources in use by Wikimedia District of Columbia ("Corporation").
+
1. <u>Purpose</u>. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources used by Wikimedia District of Columbia (the "Corporation").
  
==ARTICLE II - EMAIL ADDRESSES==
+
==ARTICLE II EMAIL ADDRESSES==
1. <u>No Personal Use</u>. Email addresses issued by the Corporation on a domain name owned by the Corporation ("Corporation email addresses") shall only be used for conducting the official business of the Corporation. No personal use of Corporation email addresses is permitted.
+
1. <u>Definition</u>. A "Corporation Email Address" shall refer to any email address associated with a domain name owned by the Corporation, with the exception of domain names which are held by the Corporation exclusively for the benefit and use of another organization pursuant to an agreement between the Corporation and said organization.
  
2. <u>Persons Assigned Email Addresses</u>. Officers and Directors of the Corporation, staff members, and contractors shall be assigned Corporation email addresses by the Secretary.
+
2. <u>No Personal Use</u>. A Corporation Email Address shall only be used for conducting the official business of the Corporation. Personal use of a Corporation Email Address is prohibited.
  
3. <u>Revoking Email Addresses</u>. The Secretary shall revoke access to Corporation email addresses from any person who no longer satisfies the conditions of Article II, Paragraph 2, following a 90 day period, unless such person remains involved in the Corporation's activities in a different capacity.
+
3. <u>Assignment</u>. The Secretary shall assign a Corporation Email Address to each Officer and Director of the Corporation, to each staff member of the Corporation, and to any contractor engaged by the Corporation whose specific duties require the use of a Corporation Email Address.
 +
 
 +
4. <u>Revocation</u>. A person who has been assigned a Corporation Email Address and who ceases to meet the criteria listed in Article II, Paragraph 2 of this Policy shall have his or her access to said Corporation Email Address revoked ninety (90) days after ceasing to meet such criteria, unless the President determines that said person remains involved in the Corporation's activities in a capacity which requires continued access to a Corporation Email Address.
  
 
==ARTICLE III – PERSONALLY IDENTIFIABLE INFORMATION==
 
==ARTICLE III – PERSONALLY IDENTIFIABLE INFORMATION==
 
 
1. <u>Definition</u>. Personally Identifiable Information ("PII") refers to information which can be used to distinguish or trace an individual’s identity, including, but not limited to, their name, social security number, biometric records, credit card information, date or place of birth, mother’s maiden name, or other information that either alone, or in combination with other personal or identifying information is linked or linkable to a specific individual.
 
1. <u>Definition</u>. Personally Identifiable Information ("PII") refers to information which can be used to distinguish or trace an individual’s identity, including, but not limited to, their name, social security number, biometric records, credit card information, date or place of birth, mother’s maiden name, or other information that either alone, or in combination with other personal or identifying information is linked or linkable to a specific individual.
  
2. <u>Standards</u>. No information technology tool may be used to collect or store PII on behalf of the Corporation unless such tool supports industry-grade encryption and the restriction of access to individual persons.
+
2. <u>Standards</u>. No information technology tool shall be used to collect or store PII on behalf of the Corporation unless such tool supports industry-grade encryption and the restriction of access to individual persons.
  
3. <u>Assignment of Accounts</u>. Individuals shall be granted access to information technology tools used to store and collect PII ("PII Tools") on a need-to-know basis by the President. Each account shall be assigned for the exclusive use of one person, with no account sharing permitted.  
+
3. <u>Assignment</u>. Individuals shall only be granted access to an information technology tool used to store and collect PII ("PII Tool") by the President on a need-to-know basis. Each account used to access a PII Tool shall be assigned for the exclusive use of one person, and the sharing of such accounts shall be prohibited.
  
4. <u>List of Tools</u>. A list of PII Tools shall be maintained and made available to the President and to the Board of Directors. This list shall include the names of PII Tools used, where they are installed or accessed, and a list of persons with access to such PII Tools.
+
4. <u>List of Tools</u>. A list of PII Tools shall be maintained by the Technology Infrastructure Committee. The list shall include the name of each PII Tool, the location where said PII Tool is installed or accessed, and a list of persons with access to said PII Tool.
  
==ARTICLE IV – SERVER==
+
==ARTICLE IV – SERVERS==
1. <u>Use of the Server</u>. Any server operated by the Corporation shall only be used for purposes that further the interests of the Corporation, including technical projects which have been approved by the Corporation.
+
1. <u>Use</u>. Any server leased or operated by the Corporation ("Corporation Server") shall only be used for purposes that further the interests of the Corporation, including technical projects which have been approved by the Corporation.
  
2. <u>Shell Accounts</u>. Shell access to any Corporation-operated server shall only be granted with the approval of the President. The President is advised to consult with the Chair of the Technical Infrastructure Committee on the approval of such shell accounts. A list of active shell accounts shall be maintained by the Technical Infrastructure Committee.
+
2. <u>Shell Accounts</u>. Shell access to any Corporation Server shall only be granted with the approval of the President, who shall consult with the Chair of the Technical Infrastructure Committee prior to approving the assignment of shell accounts. A list of active shell accounts shall be maintained by the Technical Infrastructure Committee.
  
3. <u>Root Access</u>. The granting of root access to any existing shell account shall only be done with the approval of the President.
+
3. <u>Root Access</u>. Root access for a shell account shall only be granted with the approval of the President.
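
Review bot: In the new Article II, Paragraph 4 (Revocation), the reference to "Article II, Paragraph 2" still follows the old numbering. After this change Paragraph 2 is "No Personal Use" and the eligibility criteria sit in Paragraph 3 (Assignment), so the reference should read "Article II, Paragraph 3". Separately, the new Article III, Paragraph 4 names the "Technology Infrastructure Committee" while Article IV, Paragraph 2 names the "Technical Infrastructure Committee"; use one name in both places.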

Revision as of 05:38, 24 July 2014

ARTICLE I – PURPOSE

1. Purpose. The purpose of the Technology Access Policy ("Policy") is to establish rules concerning access to information technology resources used by Wikimedia District of Columbia (the "Corporation").

ARTICLE II – EMAIL ADDRESSES

1. Definition. A "Corporation Email Address" shall refer to any email address associated with a domain name owned by the Corporation, with the exception of domain names which are held by the Corporation exclusively for the benefit and use of another organization pursuant to an agreement between the Corporation and said organization.

2. No Personal Use. A Corporation Email Address shall only be used for conducting the official business of the Corporation. Personal use of a Corporation Email Address is prohibited.

3. Assignment. The Secretary shall assign a Corporation Email Address to each Officer and Director of the Corporation, to each staff member of the Corporation, and to any contractor engaged by the Corporation whose specific duties require the use of a Corporation Email Address.

4. Revocation. A person who has been assigned a Corporation Email Address and who ceases to meet the criteria listed in Article II, Paragraph 2 of this Policy shall have his or her access to said Corporation Email Address revoked ninety (90) days after ceasing to meet such criteria, unless the President determines that said person remains involved in the Corporation's activities in a capacity which requires continued access to a Corporation Email Address.

ARTICLE III – PERSONALLY IDENTIFIABLE INFORMATION

1. Definition. Personally Identifiable Information ("PII") refers to information which can be used to distinguish or trace an individual’s identity, including, but not limited to, their name, social security number, biometric records, credit card information, date or place of birth, mother’s maiden name, or other information that either alone, or in combination with other personal or identifying information is linked or linkable to a specific individual.

2. Standards. No information technology tool shall be used to collect or store PII on behalf of the Corporation unless such tool supports industry-grade encryption and the restriction of access to individual persons.

3. Assignment. Individuals shall only be granted access to an information technology tool used to store and collect PII ("PII Tool") by the President on a need-to-know basis. Each account used to access a PII Tool shall be assigned for the exclusive use of one person, and the sharing of such accounts shall be prohibited.

4. List of Tools. A list of PII Tools shall be maintained by the Technology Infrastructure Committee. The list shall include the name of each PII Tool, the location where said PII Tool is installed or accessed, and a list of persons with access to said PII Tool.

ARTICLE IV – SERVERS

1. Use. Any server leased or operated by the Corporation ("Corporation Server") shall only be used for purposes that further the interests of the Corporation, including technical projects which have been approved by the Corporation.

2. Shell Accounts. Shell access to any Corporation Server shall only be granted with the approval of the President, who shall consult with the Chair of the Technical Infrastructure Committee prior to approving the assignment of shell accounts. A list of active shell accounts shall be maintained by the Technical Infrastructure Committee.

3. Root Access. Root access for a shell account shall only be granted with the approval of the President.