I think

  1. The Secretary (or someone) should hold a master list for security, this is for security not for unconstrained access
  2. The master list should document to whom, the passwords have been given.
  3. Passwords should only be given to people who require them for their BrisLETS jobs. Access can be given and rescinded as needed.
  4. Roles that immediately require passwords are the CES Admin, Membership and Website Administrator – they should maintain the Master List.
  5. Passwords should be reasonably secure “(jnehsd7524gakk#4256” rather than “Peace64” and changed regularly.
  6. When there are personal passwords such as administration email passwords, individual passwords should only be held by individuals, this ensures accountability.

    As an example, all president@ emails need to be guaranteed to originate from the president and go to the president.

    These passwords can be modified from the CPanel master password, in an emergency

    Another example is the website, where people might need editor access in order to do certain jobs but they don’t need admin access to all systems. The admin can grant and remove access as needed as required by the task.

  7. When we share systems like “slack” it is important that we can all check that comments don’t “mysteriously” disappear.
    This requires ALL participants to have administrative access
    As normal if comments “need” to disappear then we need to recall that these are official records of a registered association and there must be records and no mystery.

    I have reasoned elsewhere that we are better off without slack
  8. Honestly, we aren’t guarding the crown jewels but it is important to be as secure as we can easily be and this is easy. The procedure is orientated around getting the work done rather than bureaucracy and it does ensure that when it comes time for us to hand over, the keys are all there hanging where they should be.

-roy-

next step

This needs to be documented as a procedure
put into action
and
In a timely manner, procedures should be approved by the MC and published as part of the association’s documentation

(updated oct 31)
(updated jan 29)
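Point 5 asks for passwords that look like the random string rather than “Peace64” and says nothing about how to produce or judge them. The following is an added example, not part of roy’s post or any BrisLETS procedure: it generates a password from the operating system’s cryptographic random source and estimates how much guessing effort a candidate password represents, so a password can be checked against a minimum before it goes on the master list. The character set, the 12-character minimum and the 60-bit threshold are assumptions chosen for illustration, not figures from the post.

```python
import math
import secrets
import string

# Assumed character set for generated passwords: letters, digits and a
# handful of symbols that survive being typed into most web forms.
ALPHABET = string.ascii_letters + string.digits + "#$%&*+-=?@_"


def generate_password(length: int = 20) -> str:
    """Return a random password of the given length drawn from ALPHABET.

    secrets.choice uses the OS CSPRNG, so the result is suitable for
    credentials (random.choice would not be).
    """
    if length < 12:
        raise ValueError("length must be at least 12")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def character_space(password: str) -> int:
    """Estimate the size of the pool the password's characters come from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming every character was chosen
    uniformly from the pool. Dictionary words such as "Peace" are far
    weaker than this bound suggests, so treat it as an optimistic figure."""
    space = character_space(password)
    return len(password) * math.log2(space) if space else 0.0


def meets_policy(password: str, min_length: int = 12, min_bits: float = 60.0) -> bool:
    """Assumed minimum standard for passwords on the master list."""
    return len(password) >= min_length and entropy_bits(password) >= min_bits


if __name__ == "__main__":
    for candidate in ("Peace64", "jnehsd7524gakk#4256", generate_password()):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"{'ok' if meets_policy(candidate) else 'too weak'}")
```

Run as a script it prints the two passwords from point 5 beside a freshly generated one, with their estimated bits and whether they pass the assumed minimum. The estimate is deliberately crude: it only measures length and the variety of characters, which is enough to reject short or single-class passwords but cannot tell a random string from a memorable phrase of the same shape.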