IT and Data Security Policies
1. Acceptable Use Policy
All individuals are expected to use IT resources responsibly. When working on ORCA projects, be thoughtful about the computers, software, and connected applications you use. Be careful to avoid:
- Unauthorized access to data or systems
- Sharing login credentials
- Visiting malicious or inappropriate websites
Everyone is responsible for protecting their login credentials and reporting any suspected security breaches immediately.
2. Data Protection and Privacy
We may at times handle sensitive and private information and data, and we must adhere to applicable data protection laws and regulations. This includes:
- Sensitive data should be encrypted when transmitted over networks and stored securely.
- Access to sensitive data should be restricted on a need-to-know basis.
- Personal data should not be shared with third parties without proper authorization.
If you suspect a data breach or security incident, promptly report to the VERSO Director the time it occurred, the data impacted, the actions taken, and whether the attack is still ongoing.
Definition: Confidential information includes any data, documents, or discussions that are not intended for public disclosure. This may include research findings, proprietary algorithms, sensitive personal information, or any other information deemed confidential by the program.
- Access to confidential information should be limited to authorized personnel only. Employees and volunteers should sign confidentiality agreements to ensure they understand their obligations regarding the protection of confidential information.
- Confidential information should be stored securely and accessed only on a need-to-know basis. When sharing confidential information, use encrypted channels and ensure recipients are authorized to receive it.
Data Security Measures
- All sensitive data should be encrypted both at rest and in transit to prevent unauthorized access or interception. Use industry-standard encryption algorithms and protocols to ensure data security.
- Implement access controls and user authentication mechanisms to restrict access to sensitive data based on user roles and permissions. Regularly review and update access controls to minimize the risk of unauthorized access.
- Regularly back up data to ensure its availability and integrity in case of accidental deletion, corruption, or other data loss events. Store backups securely and ensure they are accessible only to authorized personnel.
Data Privacy Compliance
- Ensure compliance with relevant data privacy regulations, such as the General Data Protection Regulation (GDPR) or the Family Educational Rights and Privacy Act (FERPA), when handling personal or sensitive data.
- Collect and retain only the minimum amount of data necessary to fulfill program objectives. Avoid collecting unnecessary or excessive data that could pose privacy risks to individuals.
- Obtain explicit consent from individuals before collecting, processing, or sharing their personal data. Clearly communicate the purpose of data collection and provide individuals with options to control their data.
3. Password Management
Passwords must meet minimum complexity requirements, including a mix of uppercase and lowercase letters, numbers, and special characters. Passwords should not be shared or stored in unsecured locations; we recommend using a password manager (Bitwarden is a free, open-source option).
Multi-factor authentication (MFA) should be used for accessing sensitive systems and data, including GitHub authentication.