Updated by Max Dana
ArtsPool’s intentions for publishing a Data Security Policy are not to impose restrictions that are contrary to the company’s established culture of openness, trust and integrity. ArtsPool is committed to protecting its members, employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Effective security is a team effort involving the participation and support of every ArtsPool employee, affiliate or member who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
The purpose of this policy is to detail the standards and practices for security of ArtsPool and member data. These rules are in place to protect employees, members, and ArtsPool. Failure to comply with this policy exposes ArtsPool, its employees, and its members to risks including identity theft, financial fraud, compromise of network systems and services, and legal issues.
This policy applies to the security of ArtsPool and member data including, but not limited to, passwords, documents, financial information, donor data, and employee data. All employees, contractors, consultants, temporary, and other workers at ArtsPool and its subsidiaries are responsible for exercising good judgment regarding appropriate use and adequate security of such data in accordance with ArtsPool’s policies and standards, and local laws and regulations. Exceptions to this policy are documented in the section entitled Exceptions below.
This policy applies to employees, contractors, consultants, temporaries, and other workers at ArtsPool, including all personnel affiliated with third parties and member personnel doing work on ArtsPool’s behalf. This policy applies to all equipment and information systems that are owned or leased by ArtsPool.
All devices used for ArtsPool work, including without limitation office computers, portable laptops, tablets, and mobile phones, must be secured against unauthorized access and theft. This includes automated screen locks, disk drive encryption, password-based access, and the highest level of access protection the device allows (e.g. biometric fingerprint access). For a guide to specific security measures, please refer to the relevant security article for your device in the ArtsPool Help Center and follow any instructions from ArtsPool’s technology lead.
All passwords for member and ArtsPool accounts must be stored in a secure password manager that uses at minimum 256-bit Advanced Encryption Standard (AES-256) encryption and two-factor authentication. Passwords stored in the password manager must only be shared with ArtsPool staff on an as-needed and as-authorized basis, and access to the full password repository must only be granted to the ArtsPool employees on ArtsPool’s Incident Response Team. Passwords are shared with password groups rather than with individual user accounts to facilitate permissions management.
Passwords should NEVER be sent to members or ArtsPool staff via email.
When generating passwords, ArtsPool staff must use a secure random password generator such as xkpasswd using the standard presets unless prevented by character limitations. The same password must not be used on multiple accounts. Particular attention should be paid to ensuring unique passwords for critical systems such as password repositories, email, and document storage.
Passwords should be changed as required by service providers as soon as possible after receiving notification. Changes are also required in the following situations:
- When there is a change to the Incident Response Team, change the password for the master password repository.
- When an ArtsPool employee leaves, any financial institution passwords to which they had access must be changed.
- When a member employee leaves who had access to the member’s password repository, the member password for the repository must be changed.
- If there is a credible and imminent reason to believe that any password has been or may be compromised, that password must be changed.
- When a password repository password (master or staff accounts) has not been changed in the last 6 months, it must be changed.
Two-factor authentication is a secondary password or code that provides an additional layer of security when accessing accounts. Whenever possible, ArtsPool staff should enable two-factor authentication on accounts to which they have access. This includes individual accounts to services used in day-to-day operations. Two-factor authentication is required for password repositories, payroll systems, email, accounting systems, and document storage (if available).
ArtsPool chooses third party services with a high level of consideration of their security protocols. Security protocols and functionality that are prioritized in this decision include:
- Compliance with the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA)
- Availability of two-factor authentication
- Encryption and/or obfuscation of personally identifiable information
- Permissions-based access
- Use of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates for secure web access
- Notification of unusual access or activity
Personally identifiable information
ArtsPool will never send over email or share in any non-permission-protected format any personally identifiable information of any individual, including, without limitation, Social Security numbers, birth dates, driver’s license numbers or images, passport numbers or images, mother’s maiden name, etc. ArtsPool is guided in its security practices for personally identifiable information by the U.S. General Services Administration’s Rules of Behavior for Handling Personally Identifiable Information. Personally identifiable information is never stored permanently on company or employee devices and all devices must be password protected and have automatic screen locks as described in the Equipment Security section above.
ArtsPool’s Technology Team and Operations Committee will verify compliance with this policy through various methods, including but not limited to business tool reports and internal and external audits.
Any exception to the policy must be approved by ArtsPool’s Technology Team and Operations Committee in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Definitions and terms
Definitions of technical terms contained herein can be found in the SANS Glossary located at https://www.sans.org/security-resources/glossary-of-terms/