Information Security Policy

Virtual Region Information Security Policy

  • Introduction, Governing Law and Jurisdiction
  • Scope of this policy
  • General principles
  • Hard copy documents
  • Electronic data
  • Mobile devices
  • Cloud Storage Service Providers
  • Email
  • Data breach
  • Reporting to Chair or designated board member
  • Notification to the relevant Data Protection Regulator
  • Notification to data subject(s)
  • Delegation
  • Version

Introduction, Governing Law and Jurisdiction

The Virtual Region is organized and incorporated as a not for profit entity under the laws of the State of New Mexico, the United States of America. This Policy and all other policies of the Virtual Region, and any dispute or claim arising out of or in connection with this and other Virtual Region policies or their subject matter, shall be governed by and construed exclusively in accordance with the laws of the State of New Mexico, United States of America.

The Virtual Region, all Board members (who act as directors of the Virtual Region) and any other persons designated by the Board in terms of the Bylaws of the Virtual Region to undertake various services for the Virtual Region, agree that the courts of New Mexico, United States of America, shall have exclusive jurisdiction to adjudicate on and/or settle any dispute or claim arising out of or in connection with this and other VR policies, or their subject matter.

The sixth data protection principle under the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area, calls for organizations to employ appropriate technological and organizational measures for the security of personal data.

In this policy the Virtual Region (VR), in seeking to take reasonable efforts to comply with the GDPR, has set out the processes which are to be followed to keep data secure (organizational measures), and the technological measures which are to be adopted.

Scope of this policy

All are responsible for ensuring that if they deal with any personal data, it is kept securely and is not disclosed (either orally or in writing or accidentally) to any unauthorized third party.

This policy applies to everyone who processes personal data from or on behalf of the Virtual Region. This includes designated VR Board members, Committee Chairs and members, Subcommittee Chairs and members, service coordinators, Event hosts and co-hosts, translators, moderators, Newsletter Coordinators, Sponsor/Speaker Coordinators, Event Chairs and members, and other OA members giving service.

General principles

OA is an anonymous fellowship, and our 12th Tradition states that: “Anonymity is the spiritual foundation of all these Traditions, ever reminding us to place principles before personalities”. We hold information about other fellows in confidence. This policy upholds the 12th Tradition.

We will only use your personal data for the purposes for which we collected it as described above. Only authorized people are permitted to access your data, which is kept secure and confidential for the time period as described above, and then deleted/destroyed using secure methods.

Hard copy documents

When personal data is stored on paper (for example: a register of meeting attendees), it is to be kept in a secure place where unauthorized people cannot see it.

When not required, paper or files are to be kept in a locked drawer or filing cabinet.

Printouts are not to be left where unauthorized people could see them, like on a printer, or on the kitchen table.

Paper copies are to be securely shredded or burned when no longer required. Tearing or screwing up paper is not a secure means of disposal.

Electronic data

The computers and devices that are used to access the personal data of others are to have current software installed, as legacy software no longer receives security patches. Security updates are to be installed. Devices should always have anti-virus / anti-malware software installed, and kept updated.

Strong passwords are to be used to secure electronic devices and also the services used to access data (email, Dropbox, Microsoft, Google Workspace accounts, etc.). Passwords are not to be reused, shared, saved to file, or saved to non-secure password key chains or browsers. Ideally, password management software is to be used, and protected with a strong password. Guidance on choosing and using passwords can be found here.

If using a shared computer, password-protected services are to be closed down when work is finished. Files are not to be left open, and the screen is to be locked when away from it.

Home Wi-Fi is to be encrypted to the highest standard available (ideally WPA2). Suggestions for securing home Wi-Fi are:

  • Change your router admin username and password so that they are not the standard for your router.
  • Change the broadcast name for your Wi-Fi (the SSID) so that it does not describe the router.
  • Activate firewalls and turn off guest networks.
  • Keep firmware updated.
  • Unless your router is locked away, turn off WPS (the one-push button to connect to your router).

Open Wi-Fi networks are not to be used to access personal data.

You have explicitly consented to the transfer of your information, and you have been warned of the possible risks of the transfer.

Mobile devices

Particular care is to be taken to keep mobile devices secure: they are to be password protected, and ideally encrypted. Unencrypted USB devices are especially insecure as they are so easy to lose. Ideally devices are to have remote wiping agents installed so that they can be erased if stolen.

Cloud Storage Service Providers

The designated VR Board members, Committee and Subcommittee Chairs are all to make use of secure cloud storage service providers such as Dropbox (Basic) or Google Drive to save personal information. Two-step verification is to be activated, and a strong password used.

Documents are to be saved in the most suitably secure location, and multiple copies of the same documents not allowed to proliferate. Any document which contains personal data is to be saved using a filename with the suffix PD, for example: ‘Website Invoices (PD)’. The suffix PD stands for Personal Data.

Each VR Chair, Board Member, Committee Chair and Subcommittee Chair is responsible for managing access to their own Dropbox folder and/or Google Drive. These have been assigned by the region. Their responsibilities include ensuring that access is only granted to authorized fellows giving service, and also to outgoing VR Board members and other authorized fellows who are conducting a handover. Once a service fellow has completed their handover, they will be removed from shared folders, and synced copies of information will be removed from their personal device by those managing access. The admin of the region's Dropbox, Microsoft Essential, and Google Drive accounts is responsible for oversight and coordination of the deletion or transfer of data from all region email, Google Drive, Dropbox, and Microsoft Essential accounts when a change of service volunteers takes place or a request for deletion or removal is made.

Documents are to be deleted in line with the archiving and retention rules set out in the Virtual Region Privacy Policy.

Email

VR Board members and Committee and Subcommittee Chairs are to use Virtual Region email accounts. Committee members are to use an account from any one of the following five email service providers: Google, AOL, MSN (Microsoft), Yahoo or Bluehost, or another provider that may be identified and approved by VR. Email is not inherently secure. Most emails transmitted over the internet are sent in plain text, which makes them vulnerable to interception. Consideration is to be given to the nature of the information that is being sent via email.

It is strongly suggested that email addresses without the surnames of the OA service fellows be used wherever possible, at all levels of OA service in respect of the Virtual Region.

Email accounts are to be securely password protected, and security features not disabled.

Great care is to be taken when opening email attachments, in case they contain a virus, Trojan, spyware or other malware. It is now commonplace for ransomware attacks to be launched by ‘spoof’ emails which appear to come from a legitimate organization attaching an invoice or order form, which, if opened, installs malware which encrypts all data on the attacked device. A ransom is then charged for the decryption key. Under the GDPR, corruption of data is a data breach, and therefore a ransomware attack should be reported as such to the VR Chair or, where there is one, the designated board member responsible for the protection of privacy and of personal data, as per the policy below.

When sending emails to a list, the email is to be addressed in the ‘To’ field back to the sender, with the recipients listed in the ‘BCC’ (blind carbon copy) field. This means that email addresses are not shared across the whole list.

Documents containing personal data may be attached to emails, either sent or received. These must be saved securely. The emails with the attachments are also to be kept secure, and themselves deleted in accordance with the archiving and retention rules set out in the Privacy Policy.

Data breach

Reporting to VR Chair or designated board member responsible for compliance, where applicable

If there is a personal data breach, the GDPR requires that OA Virtual Region notify the Data Protection Regulator of the relevant country (such as, in the United Kingdom, the Information Commissioner's Office) without undue delay and not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. This might include loss of a USB stick with OA members’ contact details, or accidental email of contact details to anyone not authorized to receive them. Anyone handling personal data in connection with OA (designated VR Board members, Committee Chairs and members, Subcommittee Chairs and members, Event Chairs, hosts and co-hosts and other service coordinators and service fellows) is to notify the VR Chair [or Board member designated as the person responsible for the protection of privacy and of personal data] at privacy@oavirtualregion.org as soon as they become aware of a data breach. Anyone who has concerns about data privacy, or the risk of a breach, should notify the Chair or Co-Chair of their concerns at the aforementioned email address.

Notification to the relevant Data Protection Regulator

The Chair [or board member designated as the person responsible for the protection of privacy and of personal data] will consider whether the breach is likely to result in a risk to the rights and freedoms of data subjects. If such a risk is unlikely then the breach will not be reported to the relevant Data Protection Regulator of the country of the data subject, but will be recorded in a data breach template document. Remedial action will be identified, and a timetable for completion will be drawn up.

If there is a risk to data subjects, the Chair [or board member designated as the person responsible for the protection of privacy and of personal data] is to take reasonable efforts to notify the relevant Data Protection Regulator of the country of the data subject of the breach, describing:

  1. the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
  2. the name and contact details of the person from whom more information can be obtained. This may be the Chair [or designated board member responsible for the protection of privacy and of personal data] or it may be some other person assigned responsibility for handling the data breach,
  3. the likely consequences of the personal data breach,

The Chair [or designated board member responsible for the protection of privacy and of personal data] is to take reasonable efforts to provide the notification within 72 hours of being notified of the breach, unless this is not possible, in which case it will take place as soon as possible, and reasons will be given for the delay.

Where it is not possible to provide all of the above information at the same time, the information may be provided in phases without undue further delay. The Chair [or, where there is one, the designated board member responsible for the protection of privacy and of personal data] is to record the breach in a breach template document, stating the nature of the breach, when and how it was reported, when it was notified to the relevant Data Protection Regulator, its effects and the remedial action taken, and any response from that Regulator.

Notification to data subject(s)

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, and it is not possible to prevent this risk from materializing, the Board member [designated as the person responsible for the protection of privacy and of personal data] is to take reasonable efforts to inform the data subject(s) without undue delay. The following information will be communicated, using clear and plain language:

  1. The nature of the personal data breach,
  2. the name and contact details of the person from whom more information can be obtained. This may be the Chair [or the board member designated as the person responsible for the protection of privacy and of personal data] or it may be some other person assigned responsibility for handling the data breach,
  3. the likely consequences of the personal data breach,
  4. the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The notice is to be sent directly to the data subject, unless this would involve disproportionate effort, in which case it can be published on the Virtual Region website.

Delegation

The Chair [or, where there is one, the person designated as the board member responsible for the protection of privacy and of personal data] may delegate their responsibilities under this section to a named person, but will continue to hold ultimate responsibility for ensuring that any breach is properly recorded and (if relevant) notified.

Version

This Information Security Policy was prepared and submitted to the Virtual Region Board in 2021.