Confidentiality Policy: Systems Privileged Administrative Access

Purpose

Privileged administrative access to computer systems and services may be required for individuals to perform certain tasks delegated to them as a member of the Organization for Transformative Works (OTW) or one of its committees. This document describes the policy under which privileged administrative access to OTW systems and resources is granted to individuals.

 

Scope

This policy covers all OTW members and volunteers who are given privileged administrative access to computer systems and services maintained for OTW or any of its committees for the purposes of OTW organizational work.

 

Policy

 

Accounts

Where possible, privileged administrative access will be given to individual accounts rather than shared accounts so that actions may be traceable to individual account holders. Where this is not possible or feasible, shared administrative accounts may be created. If a shared account is used, the account’s authentication credentials (e.g. password) must be communicated in a secure fashion.

 

Limitation of Actions

Privileged administrative access, whether on an individual account or via a shared account, must only be used to perform necessary duties.

 

Authorization and Notification of Actions

Any action that is performed with the use of privileged administrative access must be authorized by the affected party or parties. After an action is performed with the use of privileged administrative access, the affected party or parties must be notified of the outcome of that action.

In some cases, the authorization to perform an action is implicit in the request from the originating party (e.g., creating a normal account for a new committee member) or in the specification of work to be performed (e.g., installing a software package and performing accompanying administrative tasks). In these cases explicit authorization is not required.

Requests to use your privileged administrative access to restore deleted data in the following cases shall be authorized by the appropriate parties:

  • Internal data restoration (internal wiki, committee backups, etc.) — Chair(s) of the committee overseeing the tool or assigned delegates
  • Internal/public data restoration as a result of emergencies or accidental deletion by sysadmins — Systems Chair(s)
  • Public service data restoration (AO3, Fanlore, etc.) outside of emergencies or accidental deletion by sysadmins — Legal Committee

 

Private Data

Any private data belonging to the OTW, its members, or volunteers that is encountered during the routine use of privileged administrative access must not be divulged to any other party without the consent of the owner of that data. Privileged administrative access must not be used with the intent to obtain access to private data that is not needed in order to complete necessary duties.

 

Granting Access

OTW members or volunteers will only be given privileged administrative access when approved by the OTW Board of Directors or the chair of the committee in which the privileges apply. The individual, relevant committee, and OTW Board of Directors will be notified of the change of account status or the granting of access to a shared account.

 

Modifying or Changing Access

An OTW member or volunteer with privileged administrative access may have this access modified on the approval of the OTW Board of Directors or the chair of the committee in which the privileges apply. The individual, the relevant committee, and the OTW Board of Directors will be notified of the change in access.

 

Terminating Access

When an individual leaves the OTW or a committee in which they have privileged administrative access, any relevant privileged administrative access granted to that individual will be revoked. In the case of a shared account, the account’s authentication credentials must be changed and communicated securely to any other individuals requiring them.

Privileged administrative access will also be revoked at the request of the individual account holder, the chair of the committee in which the privileges apply, or the OTW Board of Directors.

When privileged administrative access is revoked, the individual in question, the relevant committee, and the OTW Board of Directors will be notified.

 

 

Enforcement

Any OTW member or volunteer who is found to have intentionally used privileged administrative access in a manner not specified by this policy will have that access revoked and/or may be removed from committee or volunteer membership at the discretion of the Board. Disputes originating out of the enforcement of this policy will be resolved by the OTW Board of Directors or their designates.

 

Definitions

Privileged administrative access: access given to an individual that would allow that person to view or modify data or services that a normal account holder would not be able to.

 

Resources