Access control approval guidelines/Proposed revision June 2014

This page is still a draft and is not finalised. Feel free to edit it.

Introduction

This policy is to ensure access to WMUK systems and information is granted in a manner that carefully balances restrictions designed to prevent unauthorized access against the need to provide unhindered access to informational assets.

Key Principles

• Users who have access to different online applications and systems must be allocated access rights and permissions to computer systems and data that:

• Are commensurate with the tasks they are expected to perform.
• Have a unique login that is not shared with or disclosed to any other user.
• Have an associated unique password that is requested at each new login.

• User access rights will be reviewed at regular intervals as set out in the Annual security audit checklist to ensure that the appropriate rights are still allocated by the Office and Development Manager.
• System administration accounts must only be provided to users who are required to perform system administration tasks.

User Registration

Access is given through the establishment of a unique account in accordance with account request procedures. Exceptions to this policy include stand-alone personal computers, public access computers or related resources. [comment: not sure what the consequences of this exception are. Can the be a bit clearer please?] Mccapra (talk) 17:37, 17 May 2014 (BST)

Account request procedures

As part of a new member of staff and Trustee induction the Office and Development Manager will maintain a record for each member of staff which details

• The system or data to which they have access
• The date on which access was granted
• The reason for which access was granted

This document must be kept up to date by the Office and Development Manager, however all members of staff are expected to inform them of the set up and access to any new service or system where personal information is stored.

Users are expected to become familiar with and abide by organisational policies, standards and guidelines for appropriate and acceptable usage of the networks and systems. All users will have access to expectations, knowledge, and skills related to information security. Users are obligated to report instances of non-compliance.

Staff, including contractors

Generally, for new members of staff the following access will be granted as standard:

• GoogleApps account tied to the wikimedia.org.uk domain
• Office Wiki
• Office, Staff, and London staff mailing list (including archives)
• Direct Access to office as a keyholder and to secure key-safe

In addition the following access may be granted based on the routine tasks the member of staff will perform

• Paypal - managed user account with limited permissions
• OTRS account and specific address queues
• SAGE Accounting system
• CiviCRM (Permissions level limited to 'Editor' by default, but may be higher if required in line with job)
• Office Safe
• The data servers

Trustees

It is noted that trustees have an inherent right to access the data the charity holds as a part of their responsibilities, but that this should be balanced against proportionate use in the same way as any member of staff.

Generally, for new trustees the following access will be granted as standard:

• GoogleApps account tied to the wikimedia.org.uk domain
• Office and Board Wiki
• Board mailing list (including archives)

In addition the following access may be granted based on the routine tasks the trustee will perform:

• Paypal - managed user account with limited permissions
• ARC, Exec, and GovCom mailing lists (including archives)
• Bank accounts - with specific access for detailed bank mandate

Volunteers

It is noted that as far as possible volunteers will be able to access anonymised data sets for purposes of analysis or helping the charity improve. Where Volunteers must access personal information, for example, in order to coordinate events, this should be agreed and logged with a member of staff on a case by case basis and the data destroyed when the event has passed.

Removing user access

• When an employee leaves WMUK, their access to computer systems and data must be suspended within three working days to allow for handover. It is the responsibility of the Office and Development manager to manage and document the close down process.
• When a trustee leaves the WMUK board, their access must be suspended within three working days.
• If any user is found to have breached relevant policies signed on being granted access, they may be subject to disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).
• If you are unsure of the implications of this policy or how it may apply to you, seek advice from the CEO.

[comment : this looks ok from the point of view of steps to be taken by the office. It is possible however that as a result of an oversight or unforeseen circumstances staff or trustees might not have their access blocked in a timely manner. Would it be of any use to require staff, trustees and other volunteers accessing the WMUK systems to sign a declaration undertaking not to misuse or disclose data and not to make any attempt to access the systems after their employment/term of office has ended? Mccapra (talk) 17:44, 17 May 2014 (BST)]

Definitions

• Access is defined as the ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system.
• Authorized Persons are defined as people who have established a documented need and received the necessary authorization. Persons must be a member of the WMUK Board of Trustees, volunteer community, or staff members.
• Information Technology Resources are defined as computers, telecommunication equipment, networks, automated data processing, databases, the Internet, printing, management information systems, and related information, equipment, goods, and services.