Security Level Descriptions and Access
TCA’s data systems are described in the document below. As an organization with stakeholders spread geographically, we manage approximately 30 different online-based software systems to enable the day-to-day business of our organization. These systems are categorized as Level 1, 2, or 3 to reflect the sensitivity of the information stored in each location, where a Level 1 designation indicates the most sensitive data and, consequently, the most highly-protected data.
The TCA Google Administrator is responsible for tracking data access and providing data access based on the policy described below. The Google Administrator for 2020 is Paul Sakamoto (email@example.com).
Level 1 Data
Personally Identifiable Information (PII) that requires the highest level of security and limited access. This also includes any information deemed by the TCA board as private or classified. Examples include but are not limited to:
- Social Security Numbers
- Credit Card and payment information
- HR information:
  - Payroll and personal financial information
  - W9s and other tax information
- Un-approved meeting minutes
- Financial reports
- Organizational finance information
- Completed Contracts and Agreements
A list of systems that contain Level 1 information is available in the TCA Systems and Levels doc, updated by the Google Administrator. If you need access to this list, please contact the Google Administrator.
Approval Policy for access to Level 1 Data
Individuals with Level 1 access must be approved by the TCA Executive Committee. Executive Committee must notify the Google Administrator when an individual is approved for Level 1 access.
Individuals seeking Level 1 access may use the following form: TCA Confidentiality Agreement for Level 1 Data
Level 2 Data
Personal contact information, TCA brand and messaging services. Examples include but are not limited to:
- Phone numbers
- Email addresses
- Mailing addresses
- Administrative systems access:
  - Website, social media, non-public program information (contracts & agreements, confidential program information)
  - TCA meeting resources (GoToMeeting login, Zoom login)
Approval Policy for access to Level 2 Data
Committee chairs may approve Level 2 security access, and must notify the Google Administrator of these changes.
Individuals seeking Level 2 access may use the following form: TCA Confidentiality Agreement for Level 2 Data
Level 3 Data
Public Information: information that is accessible to the general public. No approval is necessary to access Level 3 data. Examples include but are not limited to:
- Program publicity information
- Approved meeting notes
- Website information
Information Retention and Deletion Policy
For the types of documents indicated below, TCA agrees to securely store records for the indicated amount of time. Hard-copy documents are to be stored with the financial documents maintained by the TCA Treasurer.
| TYPE OF DOCUMENT | RETENTION PERIOD |
|---|---|
| Program attendee registration info and agreements | |
| Board applications and agreements | |
| Personnel file records (medical records should be stored separately) | 4 years (after termination) |
| I-9 forms (stored separately from regular personnel files) | 3 years (after the date of hire or 1 year after termination) |
| Title VII records | |
| Payroll and tax records (name, address, SSN, wage rates, hours worked, weekly deductions, allowances, etc.) | |
| Meeting minutes (soft copy) | |
| Financial records (soft copy is OK) | |
Hard Copy Documentation
- When ready for deletion, all hard copy documentation will be securely destroyed (suggested methods below):
  - PII redacted and thrown away
Soft Copy Documents
- Soft copy documents and attachments will be electronically destroyed
- Non-essential email should be deleted annually.
- Essential email is defined as any messages or attachments necessary for archival use or future planning.
- Non-essential email is defined as any messages not deemed necessary for archival record keeping or future planning purposes.
Onboarding and Offboarding Process
When new volunteers or staff enter or depart the organization, the following protocol should be followed.
Email Address Use and Granting
TCA business must be conducted on an official TCA email address with the @taikocommunityalliance.org domain. Volunteers and board members are expected to regularly check their @taikocommunityalliance.org email addresses as the primary form of internal communication. @taikocommunityalliance.org email addresses may not be forwarded to personal email accounts.
Requesting an Email
Requests should be submitted via email to the Google Administrator with:
- First and Last Name
- Contact Phone Number
- Completed TCA Data Use Agreement
- Any email lists to be updated
- Level of security access and approval (Level 2 and Level 1 only)
  - Volunteer: Committee Chair submits the request
  - Board Member: Board Secretary submits the request
  - Staff: Supervising Board Member submits the request
The Google Administrator will:
- Store the TCA Data Use Agreement and update information on Salesforce
- Create an @taikocommunityalliance.org email address for the individual
- Add the new user to the appropriate Google list(s)
Email Lists (Google Groups)
- The Google Administrator will maintain a current list of Google Groups and members of each group. That list will be available to TCA Board Members and Committee Chairs.
- The Google Administrator will send Committee Chairs a copy of their list annually. Committee Chairs are expected to respond to Google Administrator to verify accuracy of the list.
- Committee Chairs are responsible at all times for notifying the Google Administrator of:
  - Changes in membership
  - If necessary, the committee chair may approve Level 2 security access
  - If necessary, the committee chair must have Level 1 security access approved by the TCA Executive Committee
- Committee Chairs will work with the Google Administrator to:
  - Create group aliases
  - Forward and manage committee email
  - Request new aliases
  - Delete or remove distribution lists
- Sunset and Renewal Process: Google Administrator will evaluate and update lists every two years (during non-NATC year).
Document and Information Sharing Policy
- Documents and information will be shared only within the TCA environment. Sharing is only allowed within populations of the same security level access.
- Level 1 information may only be shared with Level 1-approved individuals
- Level 2 information may only be shared with Level 2 or Level 1-approved individuals
- Level 3 information may be shared with anyone.
- Meeting notes and committee documents should be shared with the email distribution list instead of with individuals whenever possible.
Personnel Change Process
Committee chairs are responsible for notifying the Google Administrator by email of any changes in committee membership within 7 days of the personnel change, and should share the following information:
- Name of individual(s) involved.
- Reason for change.
- Email list(s) affected by the change.
- Google documents affected by the change.
- Change of ownership for documents.
Within 48 hours, the Google Administrator will make the following adjustments and confirm the completed changes via email.
- If an individual will no longer be a TCA Committee Member:
  - Change passwords to the individual’s @taikocommunityalliance.org accounts and documents.
  - Change password(s) to all Level 1 and Level 2 TCA assets the individual had access to.
- If the individual is changing Committees:
  - Update email list(s) affected by the change.
  - Make appropriate adjustments to Google document ownership.
Requests for access to TCA systems should be directed to the appropriate Committee Chairs as indicated in TCA Systems and Levels. See Section 1 for Data Access Approval Policy.
Password Best Practices
- Passwords should be changed every 90 days [alternatively, implement two-step authentication with direct phone authentication to a TCA-owned device]
- Passwords should contain more than 7 characters, including at least one capital letter, one number, and one special character.
TCA Information Security Requirements
For TCA partner(s): these requirements apply to third-party external users, for example organizations with partner agreements with TCA.