May 01, 2024
Fountain of Life Information Technology Policy
Introduction
This policy provides clear guidance on the responsibilities of FoL, its staff and volunteers. It defines guidance for acceptable use, security and data management. Anyone who uses any of the IT facilities provided by FoL should be aware of and have received a copy of this policy, or an abridged version for volunteers. This includes staff and volunteers.
FoL has overall responsibility for ensuring that online safety is an integral part of everyday practice. This will include ensuring that:
- Staff and their line managers receive the appropriate training, guidance, time and resources to effectively implement online safety policies and procedures.
- Clear and rigorous policies and procedures are applied to the use/non-use of personal ICT equipment by all individuals who come into contact with FoL. Such policies and procedures should include the personal use of work-related resources.
- This policy is implemented, monitored and reviewed regularly and any updates are shared with relevant individuals at the earliest opportunity.
- Allegations of misuse or known incidents are dealt with appropriately and promptly, in line with agreed procedures, and in liaison with other agencies where applicable.
- Effective online safeguarding support systems are in place, e.g. filtering controls, secure networks and virus protection.
FoL may log details of Internet activity, including sites visited, etc., in order to ensure compliance with this policy.
1 Acceptance of this policy
By using any of FoL’s IT systems, users accept that they will abide by this policy. Before using any system, users should be familiar with this document.
All new users to FoL IT systems will be given a basic induction on the safe and correct use of the systems depending on their previous experience and knowledge. As a minimum the following will be highlighted to them and a copy of this policy given to them:
- Usernames & Passwords are to be kept safe and not written down or shared with anyone. Passwords should be strong and not saved in browsers on shared, public or portable devices not owned and operated by FoL.
- IT usage may be monitored - this includes internet and emails.
- FoL devices and IT systems should only be used for church business.
- Personal devices used to conduct FoL business must conform to the minimum standards set out by this policy.
- Any devices (including personal) that have been used for FoL work and are stolen must be reported to the Senior Minister and Administrator as soon as the theft is noticed.
- All security software must be kept up to date.
- Where possible memory sticks and external drives should not be used - in the rare event memory sticks are used, they must be encrypted.
- If working outside FoL buildings, users should only connect to reputable Wi-Fi networks.
- Be alert to cyber threats particularly from phishing, email attachments, using open wi-fi networks, and poor protection of data through weak passwords, open browsers, lost devices, shared devices and lack of anti-virus software.
2 IT Systems & Device Usage
Passwords
2.1.1 Accounts must always be password-protected. Line managers must be advised and will instruct accordingly if password protection is not possible.
2.1.2 Passwords should be set to ‘strong’. First-time passwords (e.g. when a new user is registered) are temporary and must be changed as soon as possible by the user. Avoid using the same passwords for your home and work accounts.
2.1.3 Passwords should be changed at least annually or sooner if required, following the same requirement for ‘strong’ passwords.
A ‘strong’ password should consist of 8 or more characters and include at least one capital letter, number and special character.
2.1.4 Usernames & Passwords must not be shared with those who have no permission to use them; this includes the staff and other secure Wi-Fi network keys. Do not write passwords down in notebooks or on paper near a device or unsecured. Passwords must not be stored in standard files on a device such as a Word document.
2.1.5 All Wi-Fi networks are password gated and passwords are usually changed annually or sooner if needed.
3 Acceptable Use
Staff, their managers and volunteers should be able to use work based online technologies:
- To prepare appropriate resources including for children and young people
- For research and information purposes
- For study support.
All staff and volunteers will be subject to authorised use as agreed by their line manager. All staff should be provided with a copy of this Policy which they must sign off. Volunteers who have access to FoL’s IT Systems should be provided with a shorthand of this document to ensure basic information security. Authorised users should have their own individual password to access a filtered internet service provider. Users are not generally permitted to disclose their password to others, unless required to do so by law or where requested to do so by the Senior Minister or Safeguarding Officers. All computers and related equipment that can access personal data should be locked when unattended to prevent unauthorised access. The use of personal technologies is subject to the authorisation of line managers.
3.1 Internet access is primarily for church-related purposes. All existing laws and FoL policies apply to a user’s conduct on the Internet.
3.2 Do not waste FoL’s resources. Church employees may use their Internet facilities for non-business research or browsing during lunch and outside of work hours, provided that all other usage policies are adhered to.
3.3 Employees and volunteers will not use FoL’s Internet access facility to visit sites which are:
- Illegal under current law;
- Defamatory, threatening or intimidatory or which could be classed as harassment;
- Contain obscene, profane or abusive language;
- Contain pornographic material whether in writing, pictures, films or video clips;
- Contain offensive material regarding sex, race, religion or any disability or sexual orientation;
- Infringe third party rights or otherwise unlawful.
The following explicit prohibitions apply to computer and Internet usage:
- Harassment of any kind is prohibited.
- No abusive, profane, or offensive language is to be transmitted through the Church’s e-mail or internet system.
- Electronic media may not be used for any purpose that is illegal, against church policy, or contrary to FoL’s best interests.
- The display of any kind of obscene image or document on any FoL computing resource is prohibited.
- No user may use FoL’s facilities to deliberately propagate any virus, worm, Trojan horse, trapdoor, or back-door program code or knowingly disable or overload any computer system, network, or to circumvent any system intended to protect the privacy or security of another user.
- FoL’s Internet facilities and computing resources must not be used to knowingly violate the laws and regulations of the United Kingdom or any other nation, or the laws and regulations of any state, city, province or local jurisdiction in any material way.
- You must not download executable files, including freeware or shareware, from the internet unless authorised to do so.
3.4 FoL reserves the right to block access to any site.
3.5 The viewing of Live TV by anyone on any device connected to FoL’s Internet access facility must be covered by the user’s own licence(s) where required.
3.6 FoL staff agree to abide by the Acceptable Use Policy whilst their device is connected to the FoL network.
4 Software
4.1 Purchased software and software documentation may be copied only as specified by the vendor. No versions of any purchased software are permitted beyond the number the church has purchased.
4.2 Staff, Members and Volunteers of the Church may not purchase or write their own software for use in the Church without authorization. The downloading of any unauthorized software to church-owned hardware is also not permitted.
4.3 No user may use FoL facilities knowingly to download or distribute pirated software or data. Any software or files downloaded via the Internet may be used only in ways that are consistent with their licenses or copyrights.
5 File Storage
5.1 All electronic files should be stored in the user’s Google Drive.
5.2 Files should not be stored locally on a device or in another cloud platform/file server that is not operated by FoL.
5.3 All Personally Identifiable data must be stored in line with the guidance set out in the FoL Data Privacy and GDPR Policies.
6 Devices
FoL acknowledges that staff may use their own mobile device at/for work purposes. FoL will provide all staff with the equipment to fulfil their job role; in relation to IT this will include the use of a computer during working hours. In some cases, staff may choose to purchase/use their own laptop/additional screens/desktop, particularly if working remotely.
7 Minimum Device Requirements
In order to prevent unauthorized access, devices must be password protected and kept securely using the features of the device where available:
- The device must lock itself with a password or PIN if it is idle for five minutes.
- After five failed login attempts, the device will lock.
- Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network. Employees’ access to company data is limited based on user profiles defined by the System Administrator and automatically enforced.
The employee’s device may be remotely wiped if:
1) the device is lost,
2) the employee terminates his or her employment,
3) FoL detects a data or policy breach, a virus or similar threat to the security of the company’s data and technology infrastructure.
All devices require the following security measures to be in place:
- Anti-virus software is installed and up to date
- Anti-malware software is installed and up to date
- A device firewall is active and up to date
Any Operating System used must not be end-of-life (Windows 8.1 or older, macOS 11 or older).
8 Device Updates
8.1 FoL will ensure that FoL’s own devices are kept up to date with essential software updates (e.g. virus definitions, Windows updates, etc.).
8.2 Users are responsible for keeping their own devices up to date and should implement manufacturer and recommended updates within a reasonable timeframe so as not to allow their own devices to become vulnerable.
9 Lost or Stolen Devices
9.1 Lost or stolen devices which have been used for FoL work must be reported without delay. Passwords should be changed immediately. If this is not possible, their accounts will be temporarily blocked until this can happen.
10 Risks/Liabilities/Disclaimers
While FoL will take every precaution to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc.
10.1 FoL reserves the right to disconnect devices or disable services without notification.
10.2 Staff are personally liable for all costs associated with their personal device.
11 FoL owned Portable Equipment
11.1 FoL owns and manages a collection of IT equipment, including projectors, laptops and tablets for use in FoL ministries. Users are expected to take precautions to ensure that laptops are not stolen, lost, or damaged.
11.2 If devices are lost, stolen, or otherwise damaged such that they cannot be restored to normal working order, the employee may be responsible for the pro-rated cost of the device. In case of theft or loss, the user must report it to Church Leadership. Users are encouraged to check their home insurance policies regarding coverage. FoL will evaluate the circumstances of the theft or loss to determine if reimbursement to FoL should be waived.
12 FoL owned devices
Devices owned by FoL are to be used for church related work and may be used for limited personal use. Upon leaving employment or voluntary role at FoL, all equipment must be returned.
13 Reimbursement
13.1 FoL may reimburse employees for reasonable costs of mobile phones, and other devices needed to perform roles not provided by FoL such as home printers.
13.2 Plug in devices such as USB flash drives should be avoided unless sure they are trustworthy.
13.3 Use of a plug-in device to store data should be avoided as far as reasonably possible but if needed, must be fully encrypted.
14 Email Communication
14.1 Users are provided with a FoL email – it is not to be used for personal use. Work emails should not usually be linked to personal social media or other accounts unless approved by line managers.
14.2 All use of email must be consistent with FoL’s policies and procedures relating to acceptable use, ethical conduct, safety, compliance with applicable laws and proper business practices and must not be used to circulate spam messages.
14.3 As much as possible, personally identifiable data should not be sent via email; instead it should be submitted via electronic forms directly to the database where it is stored. Where it is necessary to send such data by email, the email must be deleted as soon as the data has been transferred to the database or file store.
14.4 Emails and communications with staff, including WhatsApp messages, should usually be made within working hours unless in an emergency.
14.5 Staff email accounts will be removed immediately following the last day of employment unless otherwise agreed by church leadership. Any data on drives which can be copied should be done before employment ends, or ownership moved over to another member of staff. Access after this will not be possible.
15 User Access Levels
15.1 Users will be given access to data and services based on their role as determined by the IT Director and will be reviewed on a regular basis to ensure it is in line with an individual’s job role.
15.2 Administrator Access
All FoL-owned devices will have local administrator access. There is a requirement for those who manage FoL-owned devices to have administrator access. Administrative accounts should not be used for day-to-day work such as accessing files and emails. Staff with administrator access should have two accounts: one for day-to-day work and an administrator account to be used only when necessary.
16 Network Security
16.1 The FoL network will be secured by a perimeter firewall to prevent attacks from outside the network. This firewall should be active and up to date at all times.
16.2 Access to the configuration of network devices is restricted to administrators and physical access to the network equipment is restricted.
17 IT Disaster Recovery and Data Backup Policy
17.1 FoL will ensure that onsite critical data and Google Workspace cloud data is backed up periodically and copies maintained at an off-site location. The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the church, falls entirely to the user.
- Copies of the back-up media, together with the back-up record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site.
- Regular tests of restoring data/software from the backup copies should be undertaken, to ensure that they can be relied upon for use in an emergency.
18 Disaster Recovery
Where an onsite system warrants a disaster recovery plan, FoL will put one in place within one calendar month and maintain/review it regularly.
Offsite data processors will have their disaster recovery plans/policies regularly reviewed.
This policy should be read alongside FoL’s Privacy Notices, Social Media and Communications Policy, Youth Communications Policy and any GDPR requirements of current Data Protection Laws. Deliberate failure to comply with this policy may lead to disciplinary action.
Appendix A: User Self Audit Form
Follow this checklist to ensure that you are compliant with FoL’s IT policy.
- Are the passwords I am using secure and known only to me? Are they easy for me to remember but hard for somebody else to guess?
- Is the device I am using compliant with FoL’s standards?
- Is it password protected? Is the password set to ‘strong’?
- Does it have all of the latest software updates?
- Does it have anti-virus, anti-malware and a firewall? For example, Windows Defender.
- Am I only using memory sticks where necessary and ensuring they are encrypted if they are being used?
- Do I know the limitations of using email communication?
- Am I making sure that I only store personal and FoL data in locations approved by FoL, such as ChurchSuite or Google Drive?
- Is my FoL email account set up with two factor identification?
- Am I storing FoL Data or passwords on public, shared or personal devices?
- Do I know what to do in the event my device is lost, stolen or breached?
Appendix B: Free Wi-Fi Terms of Use – For Guest Wi-Fi users
By accessing the wireless network, you acknowledge that you're of legal age, you have read and understood and agree to be bound by this agreement.
The wireless network service is provided by FoL and is completely at their discretion. Your access to the network may be blocked, suspended, or terminated at any time for any reason.
You agree not to use the wireless network for any purpose that is unlawful and take full responsibility for your acts.
The wireless network is provided "as is" without warranties of any kind, either expressed or implied.