IT Security Policy
Introduction
Wikimedia UK (WMUK) relies heavily on an IT infrastructure to support the online Wikimedia movement and deliver its work programme. IT assets include physical devices, servers and both public and private data. To protect these assets and to mitigate risk, WMUK has implemented a number of IT security policies and procedures, as outlined in this document.
Key Principles
- This IT security policy applies to all staff members, contractors, visitors to the WMUK offices and Trustees when interacting with WMUK equipment or data.
- WMUK complies with all applicable legislation, including:
  - Data Protection Act 1998
  - PCI DSS
  - Anti-Spam legislation
- In addition, WMUK has reviewed the ISO 27001 security guidelines and has written policies and procedures to meet these best practices. It is a long-term aim of the organisation to attain ISO 27001 compliance.
Wikimedia UK
WMUK operates in support of the Wikimedia movement in the UK. The Wikimedia movement is a global online community committed to creating open-access knowledge (such as Wikipedia), and it values openness and transparency in its interactions. Much of Wikimedia UK's work takes place online (including private collaboration), which presents a challenge to effective IT security.
WMUK is committed to striking a balance between transparency and the protection of private and sensitive information.
In particular WMUK:
- Lacks a full IT department and relies on technical contractors and volunteers for support and maintenance
- Operates from a shared office environment
- Encourages remote working (with software accessible over the internet)
The policies referred to below have been implemented to mitigate risk associated with these factors.
Commitment
In keeping with the Wikimedia commitment to openness and transparency, many of these policies are publicly available under CC-BY-SA. Some policies may not be publicly available for privacy and security reasons.
IT Security Controller
The IT Security Controller is responsible for maintaining WMUK's compliance with these policies and procedures. WMUK's IT Security Controller is the Chief Executive, who is also the named contact for Wikimedia UK as a data controller.
Policies
The following policies and records make up WMUK's IT Security Policy plan, and are publicly available:
- Access control approval guidelines
- Annual security audit checklist
- Data Breach Policy
- Finance Policy 2012
- Data Encryption Policy
- Remote Access Policy
- Clear Screen and Desk Policy
- PCI Compliance
- Cardholder Data Security Policy
- Training Policy and Control List
- Physical Security Policy
- Third Party Payment Processors
The following policies and records are not available publicly:
- Access Control List
- Training Control List
This is to protect staff members or volunteers who can access sensitive information, and staff members and volunteers who have yet to receive key training, to avoid either being exploited or targeted to gain access to personally identifiable information and other key data.
Security Response
In response to a breach of these policies, please refer to the relevant policy for applicable remedial action.
Revisions
Revisions, suggestions and questions are encouraged. Please direct all queries c/o the Chief Executive via firstname.lastname@example.org
- E-mails to this address are reviewed and responded to by volunteers from the user community. Please understand that neither Wikimedia UK nor the Wikimedia Foundation (who operate the global volunteer helpdesk) can guarantee confidential treatment of any sensitive information you include in your message.