
Data Privacy Policy for Chris Ballance

Overview

This document provides the minimum standards for the use of personal data belonging to Chris Ballance.

Purpose

The purpose of this policy is to provide guidance that limits the use of Chris Ballance's data. These rules are in place to protect the interests of Chris Ballance's privacy. Inappropriate use exposes Chris Ballance to risks including virus attacks, compromise of network systems and services, and legal issues.

Scope

This policy applies to any usage, transmission, or storage of data belonging to Chris Ballance.

Data Retention Policy

Data may not be retained for longer than 24 hours without explicit written permission from Chris Ballance, except as allowed by law.

Logging

Logging of activities related to Chris Ballance is not permitted except as allowed by law.

Authentication

Minimum password requirements

  • The Stanford Password Requirements have been adopted by Chris Ballance
  • Multi-factor authentication is required for all accounts
  • Maximum password age is three months

Email

Electronic mail is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks to Chris Ballance, thus it’s important for users to understand the appropriate use of electronic communications.

  • Only email providers which support TLS in transit will be permitted for use by Chris Ballance
  • All use of email must be consistent with Chris Ballance's policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
  • Chris Ballance's email account should be used primarily for Chris Ballance-related purposes; other communication is permitted on a limited basis, but non-Chris Ballance related commercial uses are prohibited.
  • All Chris Ballance data contained within an email message or an attachment must be secured according to the Data Protection Standard.
  • Email should be retained only if it qualifies as a Chris Ballance record. Email is a Chris Ballance record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
  • Email that is identified as a Chris Ballance record shall be retained according to Chris Ballance's Record Retention Schedule.
  • Chris Ballance's email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from Chris Ballance should report the matter to their supervisor immediately.
  • Chris Ballance is prohibited from automatically forwarding email to a third party email system. Individual messages which are forwarded by the user must not contain Chris Ballance's confidential or above information.
  • Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, MSN Hotmail, etc. to conduct Chris Ballance business, to create or memorialize any binding transactions, or to store or retain email on behalf of Chris Ballance. Such communications and transactions should be conducted through proper channels using Chris Ballance-approved documentation.
  • Using a reasonable amount of Chris Ballance's resources for personal emails is acceptable, but non-Chris Ballance related email shall be saved in a separate folder from Chris Ballance-related email. Sending chain letters or joke emails from a Chris Ballance email account is prohibited.
  • Chris Ballance may monitor his messages without prior notice. Chris Ballance is not obliged to monitor email messages.

Encryption

The use of encryption for Chris Ballance's data shall be limited to those algorithms that have received substantial public review, have been proven to work effectively, and are current as of 2016. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

The following algorithms are approved. No others shall be allowed for storage of Chris Ballance data.

  • Symmetrical Encryption
    • Rijndael-256
    • Twofish
    • RC6
  • Data hashing (verification only)
    • SHA2
    • SHA3
  • Password Hashing
    • bcrypt
    • Argon2
  • Key Exchange
    • RSA ( >= 2048 bits)
    • ECC ( >= 160 bits)
    • ElGamal ( >= 1024 bits)

Data retention

Data related to Chris Ballance shall be retained only for as long as absolutely necessary and should be purged as soon as reasonably possible. Specifically, the following:

  • The Social Security Number for Chris Ballance may not be stored by any entity except the United States Internal Revenue Service, Chris Ballance's banking institutions, and employers who need to report earnings to the IRS.
  • Date of Birth, Passport number, and Driver's license should never be stored except where explicitly permitted in writing by Chris Ballance.
  • Credit card and banking info should only be stored when explicitly allowed for recurring billing.

Clean desk policy

  • Keepers of Chris Ballance's data are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
  • Computer workstations must be locked when workspace is unoccupied.
  • Computer workstations must be shut completely down at the end of the work day.
  • Any Restricted or Sensitive information related to Chris Ballance must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.
  • File cabinets containing Restricted or Sensitive information related to Chris Ballance must be kept closed and locked when not in use or when not attended.
  • Keys used for access to Restricted or Sensitive information related to Chris Ballance must not be left at an unattended desk.
  • Laptops containing Chris Ballance's data must be either locked with a locking cable or locked away in a drawer.
  • Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
  • Printouts containing Restricted or Sensitive information related to Chris Ballance should be immediately removed from the printer.
  • Upon disposal, Restricted and/or Sensitive documents related to Chris Ballance should be shredded in the official shredder bins or placed in the locked confidential disposal bins.
  • Whiteboards containing Restricted and/or Sensitive information pertaining to Chris Ballance should be erased completely.
  • Lock away portable computing devices with Chris Ballance's data such as laptops and tablets.
  • Treat mass storage devices such as CDROM, DVD or USB drives containing information about Chris Ballance as sensitive and secure them in a locked drawer.

This document is subject to change without notice. The latest version shall be available at https://github.com/ballance/personal-data-privacy-policy/edit/master/README.md at all times.