Data Security Policy

Overview

ArtsPool is committed to protecting its members, employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. ArtsPool’s intentions for publishing a Data Security Policy are not to impose restrictions that are contrary to the company’s established culture of openness, trust, and integrity. 

Effective security is a team effort involving the participation and support of every ArtsPool employee, affiliate, or member who deals with information and/or information systems. It is the responsibility of every computer or device user to know these guidelines, and to conduct their activities accordingly.

Purpose

The purpose of this policy is to outline the general standards and practices for security of ArtsPool and member data. These rules are in place to protect employees, members, and ArtsPool. Failure to comply with this policy exposes ArtsPool, its employees, and its members to risks including identity theft, financial fraud, compromise of network systems and services, and legal issues. More detailed information for ArtsPool employees and members can be found in ArtsPool’s internal Data Security Guide and Data Security Guide for members respectively.

Scope

This policy applies to the security of ArtsPool and member data including, but not limited to, passwords, documents, financial information, donor data, and employee data. All employees, contractors, consultants, temporary, and other workers at ArtsPool and its subsidiaries are responsible for exercising good judgment regarding appropriate use and adequate security of such data in accordance with ArtsPool’s policies and standards, and local laws and regulations. Exceptions to this policy are documented in the section entitled Exceptions below.

This policy applies to employees, contractors, consultants, temporaries, and other workers at ArtsPool, including all personnel affiliated with third parties and member personnel doing work on ArtsPool’s behalf. This policy applies to all equipment and information systems that are owned or leased by ArtsPool. 

Equipment security

All devices used for ArtsPool work, including without limitation office computers, portable laptops, tablets, and mobile phones, must be secured against unauthorized access and theft. This includes automated screen locks, disk drive encryption, password-based access and highest level access permissions allowed by the device (e.g. biometric fingerprint access). For a guide to specific security measures, please refer to the relevant security articles in the ArtsPool Help Center and follow any instructions from ArtsPool’s Technology Team.

Screen locks on devices must automatically activate after a period of 10 minutes of inactivity, and users must lock the screen or log off when the device is unattended.

Every effort must be made to securely delete any information temporarily stored on any device instead of a network account. In no event should ArtsPool or ArtsPool’s members’ data be stored permanently on any device and instead should only be stored in approved network accounts.

Password security

All passwords for member and ArtsPool accounts must be stored in a secure password manager that uses at minimum 256 Advanced Encryption Standard encryption and two-factor authentication. Passwords stored in the password manager must only be shared with ArtsPool staff on an as-needed and as-authorized basis, and access to the full password manager must only be granted to the ArtsPool employees who serve as keymasters on ArtsPool’s Technology Team. Passwords are shared with password groups rather than with individual user accounts to facilitate permissions management.

Password generation

When generating passwords, ArtsPool staff must use a secure random password generator. The same password must not be used on multiple accounts. Particular attention should be paid to ensuring unique passwords for critical systems such password managers, email, and document storage.

Password changes

Passwords should be changed as required by service providers as soon as possible after receiving notification. Changes are also required in the following situations:

• When an ArtsPool employee leaves, any financial institution passwords to which they had access must be changed.
• When a member employee leaves who had access to the member’s password manager account, the member password for the account must be changed.
• If there is a credible and imminent reason to believe that any password has been or may be compromised, that password must be changed.
• Password manager password (for ArtsPool employee accounts) has not been changed in the last 12 months.

Two-factor authentication 

Two-factor authentication (2FA) is a secondary password or code that provides an additional layer of security when accessing accounts. Whenever possible, ArtsPool staff should enable 2FA on accounts to which they have access. This includes individual accounts to services used in day-to-day operations. 2FA is required for password managers, payroll systems, email, accounting systems, and document storage (if available).

Phone numbers should not be used as the second factor of authentication unless required by the system in question. If a phone number is required for 2FA, it is preferable to use an ArtsPool-issued phone number.

Access control

Access control for protected systems, including but not limited to password managers, the accounting system, document storage systems, and ArtsPool’s proprietary software systems, is managed by the ArtsPool employees who serve as keymasters on ArtsPool’s Technology Team. ArtsPool operates according to the principle of “least privilege” with respect to protected systems, which means that ArtsPool employees and member employees are only granted access to systems and data required to perform their work. Access beyond this scope must be requested in accordance with section entitled Exceptions below.

Application security

To ensure that web-based applications are secure, ArtsPool implements or requires strong security practices both for its proprietary applications and when adopting third-party systems. These practices include:

• Two-factor authentication.
• Encryption of and/or obfuscation of personally identifiable information at rest.
• Permissions-based access.
• Login timeouts.
• Logs of login activity and notification of unusual access or activity.
• Use of Secure Socket Layer (SSL)/Transport Layer Security(TLS) certificates for secure web access.
• Regular, redundant data backups.

In addition, on its proprietary systems, ArtsPool implements code linting tools to ensure code quality, as well as middleware tools to help mitigate potential attacks.

ArtsPool chooses third-party services with a high level of consideration of their security protocols. In addition to the above features, ArtsPool prioritizes systems that are compliant with the System and Organization Controls (SOC) standard created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).

Personally identifiable information

ArtsPool will never send over email or share in any non-permission-protected format any personally identifiable information of any individual, including, without limitation, Social Security numbers, birth dates, driver’s license numbers or images, passport numbers or images, mother’s maiden name, etc. ArtsPool is guided in its security practices for personally identifiable information by the U.S. General Services Administration’s Rules of Behavior for Handling Personally Identifiable Information. Personally identifiable information is never stored permanently on company or employee devices and all devices must be password protected and have automatic screen locks as described in the Equipment Security section above.

Social Security numbers and bank information

In particular, Social Security numbers and bank account information required for ArtsPool to conduct business on behalf of a member should be kept in a masked, encrypted, or password-protected format whenever possible and should only be stored in the system(s) used for processing that information. Unmasked Social Security numbers and bank information should not be permanently stored in ArtsPool’s document storage system and should be deleted from the document storage system once the information is input into the relevant processing system. If documents containing unmasked Social Security numbers must be retained in ArtsPool’s document storage system for compliance purposes, they must be stored in a permissioned folder that is audited annually, and such documents must be destroyed once the legally mandated retention period has elapsed. When transmitting or collecting documents containing unmasked Social Security numbers or bank information, ArtsPool employees must use a secure file transfer or digital signature system as determined by the ArtsPool Technology Team.

Security incidents

Security incidents identified by ArtsPool’s Incident Response Team will be managed in accordance with ArtsPool’s Technology Incident Response Plan.

Policy accountability

Measurement

ArtsPool employees and members are expected to hold themselves accountable to the standards and policies set forth by ArtsPool's management team. ArtsPool’s Technology Lead will conduct periodic quality control checks on this policy, but it is the responsibility of each individual to ensure that their actions align with the cooperative’s stated values, policies, and procedures 

Exceptions

Any exception to the policy must be approved by ArtsPool’s management team in advance. 

Gaps in accountability

Gaps in accountability with respect to this policy will be reviewed by the Technology Lead and/or management team depending on the severity. The Technology Team will provide initial feedback to any employees or members that are not aligned with the practices outlined in this policy and provide clear steps that can be taken for improvement. An employee found to have knowingly acted contrary to this policy may be subject to disciplinary action, up to and including termination of employment, but such determination will be made by the ArtsPool management team. 

Definitions and terms

Definitions of technical terms contained herein can be found in the SANS Glossary located at https://www.sans.org/security-resources/glossary-of-terms/.