Accessing Sensitive Information Policy
Purpose
The purpose of the Sensitive Information Policy (The Policy) is to outline the principles and behaviours adopted by OpenSSL when accessing Sensitive Information.
OpenSSL has a responsibility to maintain security for all sensitive information under its control and to secure this information against intentional or unintentional loss of confidentiality or integrity, so as to avoid financial loss, reputational damage or adverse impacts on our customers, contractors and contributors.
Scope
The policy applies to all OpenSSL contributors, contractors and individuals who use OpenSSL information resources.
The Policy establishes who can decide on what is deemed sensitive information, who can authorise access to it, which persons or roles have access to it, what they can access, under what circumstances they can access it and how the sensitive information can be used.
Note: The Policy doesn’t cover how they physically access the sensitive information.
Principles
Definition
Sensitive Information is defined as any information classified by OpenSSL or by law as private and confidential. Sensitive Information shall not include records that by law must be made available to the general public.
The Sensitive Information Table (SIT) will include the types of information that are considered by OpenSSL to be sensitive. This list is not exhaustive and by default includes any information deemed sensitive under legislation, whether it is specifically listed or not.
Deciding what is Sensitive Information
- OpenSSL Board of Directors (BoD) will decide on what constitutes sensitive information on behalf of OpenSSL and maintain details of these in the SIT.
- The BoD or their designated representative will ensure that the SIT is regularly reviewed and maintained.
- For the purposes of The Policy, information that is deemed sensitive or requires restricted access under legislation is automatically considered to be part of the Sensitive Information Table in accordance with all legal obligations regardless of whether it appears in the SIT.
- The BoD can choose to make publicly available information normally considered sensitive (excluding information deemed sensitive under legislation) in order for OpenSSL to conduct business, e.g. program code. In that instance the information is considered non-sensitive.
Authorisation to access sensitive information
- The BoD will decide on who has access to sensitive information and what sensitive information they can access.
- The BoD will consider requests to access sensitive information solely based on whether a contractor, contributor or other individual requires access in order to perform the roles, tasks and duties assigned to them by OpenSSL, keeping in mind that protection of sensitive information is a critical business requirement; however, the ability to work effectively and appropriately access sensitive information is also important.
- Contractors, contributors or individuals will only be permitted to access sensitive information where they have either been given specific permission from the BoD or where the BoD has deemed their role to require access in order to perform their required tasks and duties.
- A list of roles and individuals with access to sensitive information, and what sensitive information they can access, will be maintained and regularly reviewed by the BoD or its designated representative, to ensure only those who need access have access. This list can be found in the Sensitive Information Access Table (SIAT).
- Where a role is listed in the SIAT, all persons performing this role are considered to have been granted authorization by the BoD to access the listed sensitive information, whilst they are performing this role.
- Where an individual has several roles, their authorized access will be an amalgamation of all the roles they perform. E.g. if you are a Developer and on the BoD, you would have the authorization to access everything covered by both the Developer and BoD roles.
- Where practical, access privileges will be differentiated by user, and individual user accounts will be used in preference to root accounts.
- OpenSSL will maintain controls that limit access to sensitive information which are adequate, relevant and not excessive.
- Exemptions: The BoD must authorise any exemptions regarding access to sensitive information, and this would only occur where there is a business need to be exempted from this policy (i.e. too costly, too complex, or adversely impacting other business requirements). A risk assessment must be conducted and reviewed by the BoD prior to any authorisation being provided.
Use of Sensitive Information
Sensitive Information can only be accessed and used for business purposes, i.e. in the performance of a person’s role, allocated task or duties as assigned to them by OpenSSL in the course of conducting OpenSSL business activities.
Breaches of The Policy
Where any OpenSSL contractor, contributor, or individual who uses OpenSSL information resources is found in violation of The Policy, they may be subject to disciplinary action, up to and including termination of any contractual arrangements.