Access control approval guidelines

From Wikimedia UK
This policy was adopted by the Board on 9 February 2013. It is one of a series of WMUK IT Security Policies.

Introduction

The purpose of this policy is to ensure that access to WMUK computing resources is granted in a manner that balances the restrictions needed to prevent unauthorised access against the need to give authorised users unhindered access to the information assets they require.

Key Principles

  • Users who have access to online applications and systems must be allocated access rights and permissions to computer systems and data that:
    • are commensurate with the tasks they are expected to perform;
    • are tied to a unique login that is not shared with or disclosed to any other user;
    • are protected by an associated unique password that is requested at each new login.
  • User access rights will be reviewed at regular intervals by the Office and Development Manager to ensure that the rights allocated to each user are still appropriate.
  • System administration accounts must only be provided to users who are required to perform system administration tasks.

User Registration

Access is given through the establishment of a unique account in accordance with account request procedures. Exceptions to this policy include stand-alone personal computers, public access computers or related resources.

A signed request for access to WMUK systems must be completed and provided to the Office and Development Manager. It should include:

  • Name
  • Address
  • Telephone number
  • Requested access levels
  • Reasons why the access is required (with reference to the Caldicott principles)
  • Confirmation that the user has read and understood WMUK's IT Security Policy, Cardholder Data Security Policy and Data Breach Policy.

Users are expected to become familiar with and abide by organisational policies, standards and guidelines for appropriate and acceptable use of the networks and systems. All users will be given access to the information security expectations, knowledge and skills relevant to their role. Users are obliged to report instances of non-compliance.

Staff

Generally, for new members of staff the following access will be granted as standard:

  • Payroll
  • GoogleApps
  • Office Wiki
  • Office mailing list (including archive)
  • Direct Access to office

In addition, the following access may be granted based on the routine tasks the member of staff will perform:

  • PayPal - managed user account with limited permissions
  • Fundraising@ email client
  • SAGE Accounting system
  • CiviCRM (Permissions level limited to 'Editor' by default, but may be higher if required in line with job)

Trustees and volunteers

Generally, for new trustees the following access will be granted as standard:

  • GoogleApps
  • Office and Board Wikis
  • Office, Board and Exec mailing lists (including archives)

In addition, the following access may be granted based on the areas of WMUK that the trustee has oversight of, or that the volunteer routinely needs to access in a way that would be impractical to manage by making requests of staff members:

  • PayPal - managed user account with limited permissions
  • SAGE Accounting system
  • CiviCRM (Permissions level limited to 'Editor' by default, but may be higher if required)

Removing user access

  • When an employee leaves WMUK, their access to computer systems and data must be suspended at the close of business on their last working day. It is the responsibility of the Chief Executive to request the suspension of the access rights via the Office and Development Manager.
  • When a trustee leaves the WMUK board, their access must be suspended by the close of business on the next working day.
  • If any user is found to have breached the policies they signed on being granted access, they may be subject to disciplinary procedures. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).
  • If you are unsure of the implications of this policy or how it may apply to you, seek advice from the Office and Development Manager.

Definitions

  • Access is defined as the ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system.
  • Authorized Persons are defined as people who have established a need for access and received the necessary authorisation. Such persons must be members of the WMUK Board of Trustees, the volunteer community or staff.
  • Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.