Training Policy and Control List/Proposed revisions June 2014

From Wikimedia UK
Jump to navigation Jump to search
A newspaper This page is still a draft and is not finalised. Feel free to edit it.

Overview

Understanding the importance of computer security and members' of staff and volunteers' responsibilities and accountabilities for computer security are paramount to ensure the data Wikimedia holds remains secure.

This can be accomplished with a combination of general computer security awareness training and targeted, product specific, training. Awareness and training information needs to be upgraded and reinforced on at least an annual basis, and with specific updates to meet pressing changes in the organisational set up or to the legal framework affecting data protection and personal privacy.

The Wikimedia Security Training Policy applies equally to all individuals that use any Wikimedia UK Information Resources.

Training

Induction

  • All new users must sign the Training Policy and Control list wiki document, stating they have read and understand Wikimedia UK's requirements regarding computer security policies and procedures as part of the access control request process.
  • All new users must sit with the Office and Development Manger for a security check to ensure they have implemented appropriate encryption and remote access set requirements prior to, or at least within 30 days of, being granted access to any Wikimedia UK information resources.

Existing Staff and Volunteers

  • All users (employees, consultants, contractors, interns, etc.) must be provided with sufficient training and supporting reference materials (via the Wikimedia UK IT Security Policy documents) to allow them to properly protect Wikimedia information resources.
  • All users must cooperate with an annual computer security compliance audit and remedy any lapses in best practice or compliance identified.
  • Wikimedia UK will develop and maintain an internal communications process to be able to communicate new computer security program information, security bulletin information, and security items of interest to existing staff an volunteers in the form of a not less than annual update following the security audit.

Remedial Actions

  • If it is identified that an existing member of staff has failed to comply with the various polices pursuant to information security and data protection they will be offered in-house re-fresher training.
  • Repeated violation of Wikimedia UK's information security and data protection policies in the same manner may result in disciplinary action, which may result in termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers.
  • Basic training in information security and data protection from an external provider will be offered as a first step in any disciplinary process.
  • Additionally, individuals may be subject to loss of Wikimedia UK Information Resources access privileges, civil, and criminal prosecution

Control List

  • The training control list only viewable by staff members and Trustees via the office wiki. It may be shared with relevant committee members or other volunteers at the discretion of the Board to identify any training needs relevant to the work of such groups.