This repository has been archived by the owner on Dec 16, 2019. It is now read-only.
10-acceptable-use-policy.Rmd
67 lines (49 loc) · 4.35 KB
# Acceptable use policy
## Scope
This acceptable use policy covers the use of the Analytical Platform and all associated software and applications.
This policy applies in addition to the [MoJ acceptable use policy](https://intranet.justice.gov.uk/guidance/security/it-computer-security/acceptable-use/).
## Who this policy applies to
This policy applies to all users of the Analytical Platform (excluding users of apps hosted by the platform).
## General principles
__All users will:__
* report any security incidents, including a loss of data, in line with the relevant MoJ, HMPPS or HMCTS procedures;
* report any breach of this acceptable use policy to the [Analytical Platform team](mailto:analytical_platform@digital.justice.gov.uk);
* follow all relevant information governance procedures;
* protect their login credentials appropriately;
* create secure passwords following best practice guidelines (see the [MoJ password standard](https://github.com/ministryofjustice/itpolicycontent/blob/master/content/security/framework/password-standard.md));
* ensure that two-factor authentication is enabled when accessing GitHub and the Analytical Platform (see the [MoJ security guidance on multi-factor authentication](https://ministryofjustice.github.io/security-guidance/standards/authentication/#multi-factor-authentication));
* sign out of the Analytical Platform when access is not required;
* understand they and MoJ have a legal responsibility to protect personal and sensitive information;
* understand that their use of the Analytical Platform may be monitored;
* ensure that all transfers of data onto and within the Analytical Platform are conducted safely and securely;
* not access the Analytical Platform from any non-MoJ IT system, such as a personal computer;
* not share their account or login credentials with any other person;
* not use the same login credentials for more than one system or purpose;
* not store any data on the Analytical Platform that is classified as SECRET or TOP SECRET;
* not move any data to the Analytical Platform without completing a data movement form;
* not attempt to access any data, apps or software on the Analytical Platform without the appropriate permission; and
* not use the Analytical Platform to undertake any illegal activity or any activity that could harm MoJ's reputation or compromise the security of data or IT systems.
__App admins and data source admins will:__
* ensure that app and data source users have the correct read/write permissions;
* ensure that app and data source users only have access to the minimum data required for them to perform their job; and
* regularly review access permissions for app and data source users, including when users join or leave MoJ, or move within MoJ.
## GitHub
In almost all cases, work must be stored in private repositories in the [MoJ Analytical Services](https://github.com/moj-analytical-services/) organisation. You may only store work in a public repository if you have:
* verified that the work contains __no__ sensitive information or secrets;
* obtained prior written permission from your line manager; and
* followed the guidance on [making source code open and reusable](https://www.gov.uk/service-manual/technology/making-source-code-open-and-reusable).
GitHub may be used to store:
* source code;
* reports and documentation; and
* small, non-sensitive data sets (on a temporary basis when alternatives such as S3 are not practical)
in accordance with the following restrictions.
__All users will:__
* not store any large data sets (> 1,000 records) in GitHub;
* not store any data, source code or documentation containing sensitive information in GitHub;
* not store any data, source code or documentation containing personal information in GitHub;
* not store any credentials or secrets, such as usernames, passwords, database connection strings or API keys in GitHub;
* provide access to private repositories on a need-to-know basis;
* store all MoJ work in the [MoJ Analytical Services](https://github.com/moj-analytical-services/) organisation;
* not store any work in public repositories without obtaining prior written permission from their line manager;
* verify that any work stored in public repositories does not contain any sensitive or personal information; and
* follow the guidance on [making source code open and reusable](https://www.gov.uk/service-manual/technology/making-source-code-open-and-reusable).