IT Security Policy

From Wikimedia UK
Revision as of 13:17, 21 December 2012

Notice: This is a draft policy that has not yet been approved by the Board.

Process

Please:

  1. Feel free to edit the policy directly, with a comment on the talk page about any major edit
  2. Feel free to suggest edits on the talk page, with links to any further information if relevant

Introduction

Wikimedia UK (WMUK) relies heavily on an IT infrastructure in supporting the online Wikimedia movement and delivering its work programme. IT assets include physical devices, servers and both public and private data. To protect these assets, and to mitigate risk, WMUK has implemented a number of IT security policies and procedures, as outlined in this document.

Key Principles

  • This IT security policy applies to all staff members, contractors, visitors to the WMUK offices and Trustees when interacting with WMUK equipment or data.
  • WMUK is compliant with all applicable legislation, including:
      ◦ Data Protection Act 1998
      ◦ PCI DSS
      ◦ Anti-Spam legislation
  • In addition, WMUK has reviewed the ISO 27001 security guidelines and has written policies and procedures to meet these best practices. It is a long-term aim of the organisation to attain ISO 27001 compliance.

Wikimedia UK

WMUK operates in support of the Wikimedia movement in the UK, a global online group committed to creating open access knowledge (such as Wikipedia). The community supports openness and transparency in its interactions. Much of Wikimedia UK's work takes place online (including private collaboration), which represents a challenge to effective IT security.

WMUK is committed to striking a balance between transparency and the protection of private and sensitive information.

In particular WMUK:

  • Lacks a full IT department and relies on volunteer support and maintenance
  • Operates from a shared office environment
  • Encourages remote working (with software accessible over the internet)

The policies referred to below have been implemented to mitigate risk associated with these factors.

Commitment

In keeping with the Wikimedia commitment to openness and transparency, many of these policies are publicly available under CC-BY-SA. Some policies may not be publicly available for privacy and security reasons.

IT Security Controller

The IT Security Controller is responsible for maintaining WMUK's compliance with these policies and procedures. WMUK's IT Security Controller is the Chief Executive, who is also the named contact for Wikimedia UK as a data controller.

Policies

The following policies and records make up WMUK's IT Security Policy plan, and are publicly available:

The following policies and records are not available publicly:

  • Access Control List
  • Training Control List

This is to protect staff members or volunteers who can access sensitive information, and staff members and volunteers who have yet to receive key training, from being exploited or targeted in order to gain access to personally identifiable information and other key data.

Security Response

In response to a breach of these policies, please refer to the relevant policy for applicable remedial action.

Revisions

Revisions, suggestions and questions are encouraged. Please direct all queries c/o the Chief Executive via info@wikimedia.org.uk.