WMUK Security Standards
Establishing and meeting high security standards
Background
Prior to withdrawal from the 2012 Fundraiser, Wikimedia UK was working hard to ensure it fully met all the obligations of the Fundraiser Agreement.
Within this, Obligations 5(c) and 5(e) required: "Certification of compliance with applicable privacy laws provided to WMF" and "Technical capacity to process donations set up, and, if requested, donation infrastructure testing." It was identified that, while WMUK was compliant in practice, it lacked a set of written policies and procedures spelling out an operational commitment to the secure storage and processing of data, and describing how that commitment was established and supported through staff and volunteer training.
Katherine Bavage, as Fundraising Manager for WMUK, worked with User:ErrantX on this discrete piece of work to draw up draft policies that would meet the requirements of these obligations. Following withdrawal from the fundraiser, the policies remained in draft pending community input, after which they would require board review and approval.
Community Input
The aim of this page is to seek the talent and critique of our community in making these policies better - if necessary by hacking them apart, reformulating them and creating something entirely different.
The end result cannot undermine our compliance with applicable laws, or create risks the Board of Trustees deem unacceptable in their duty to promote and protect the Charity's interests. Within those limits, editors should be bold and critical: where an assumption in the drafts causes concern, it should be challenged so that it is either shown to be legally necessary or removed.
Wikimedia UK, and indeed the wider Wikimedia community, is fortunate to include many individuals with personal and professional expertise in IT, privacy law, policy and governance. In addition, members of the community without experience in these specific fields may wish to comment on how to balance the risks of meeting high standards of compliance and security against the need for a volunteer-led movement to remain flexible, creative and innovative in delivering its mission.
Process
The draft IT Security Policy contains links to the other draft policies. These are open for consultation until 23rd January 2013. The long consultation period reflects the Christmas holiday period which is about to begin, and allows the Fundraising Manager to respond to questions, research responses, and regularly remind the community to keep coming back to work on the drafts. It also leaves a week before submission to the Board to check compliance and make any further adjustments if required.
Following this, the policies will be revised in light of amendments suggested by the community and presented to the Board meeting on 9th/10th February for approval as Wikimedia UK's standing security policies, alongside requests for further work to audit and risk-assess the security of Wikimedia UK's set-up. These policies will likely evolve as we change as an organisation and as a movement, and ideally should be reviewed annually in line with a standard risk review process.
Call to action
Please visit IT Security Policy and the linked draft policies to participate in reviewing, editing and commenting.