Ellicott City Partnership (ECP) IT Infrastructure Security & Netiquette Best Practices v.2017.2 draft

Ellicott City Partnership (ECP) IT Infrastructure
Security & Netiquette Best Practices v.2017.2 draft


This document is a work in progress, intended to be revisited every January, and revised based upon the latest and best practices.  At the same time, all ECP passwords should be audited, inventoried and updated on a yearly basis, after personnel changes, and after any suspected breach of security.
… A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so …
At all times, the ECP must know all passwords and password holders, and be able to contact those password holders. Mechanisms must exist to change passwords on short notice (within an hour) and to pull offline any webpages that are compromised, offending or otherwise troublesome.
Google Webmaster Guidelines
Community Roles
(These rolls are not yet fully defined, included for further work.)
  • The ECP Executive Board is the ultimate authority.
    • Delegates authority to web admins and password holders, and shall remove such authority if necessary.  Arbitrates all disputes.
    • Takes necessary action to protect ECP webpages, passwords, branding, reputation, computer equipment, networks, other digital properties, staff and volunteers.
  • ECP committee members and other partners or associates of the ECP.
  • Webpage and social media admins, including Facebook, Twitter and WordPress.
  • All password holders, including techs (wifi, FTP), volunteer web editors and moderators.
  • Other IT and marketing volunteers, ECP fans, friends, volunteers, Old EC community, residents, shops, other stakeholders and the general public.

Signed Agreement for Trusted Webpage Admins, IT Techs and Password Holders
See Agreement below.

ECP IT Security

ECP Password Registry
  • One or more trustees appointed by the ECP Executive Board, bound by the signed agreement.
  • Securely maintain ECP passwords, possibly in a safe deposit box.
  • Keep track of who has access to what.
  • Audit and update all ECP passwords every January.

ECP Passwords
… An unfortunate side effect of using so many apps is that you inevitably end up with lots of passwords. Managing these effectively is something you should solve early … 
  • Comply with latest best practices according to the experts.
  • At least 10 characters, with at least one each of UPPER, lower, numb3r & $ymbol.
  • Avoid reusing parts of passwords (‘ecp’ or ‘mainstreet’).
  • Use multifactor authentication (2FA).
  • Use password manager software (eg, http://www.LastPass.com), biometric verification or new other tools.
  • Update passwords every year, after personnel changes, and after a suspected data breach.
  • Avoid sharing passwords — individuals should have their own passwords/accounts (Gmail).
  • Avoid ‘orphaning’ passwords — leaving them inaccessible.
  • Passwords to be known by at least 2 people, recorded in the password registry or in a safe deposit box or similar.
  • ECP must be able to contact all password holders 24/7.
  • Password Management Software

Facebook, Twitter & WordPress
  • Shared administrator?
  • Ellicott Townie?

ECP Facebook pages 
Should ECP have a shared Fb admin acct for pages, like Ellicott Townie (See Richard)?

Domains & Webhosting

Branding, Style 
  • ECP logos, slogans & other identifiers on ECP social media pages.
  • ECP social media pages link to each other.
  • ECP intellectual property.

Netiquette guidelines
  • Positive, friendly, inclusive, community-supporting tone.
  • Educated, honest, evidence based.
  • Sensitive to diverse populations & people with disabilities.
  • Spell-check, grammar-check, style-check, fact-check, vibe-check.
  • Follow general best practices, including Google webmaster guidelines.
  • Be open to emerging trends in best practices (revisit & revise every year).

ECP File-Sharing

File-Sharing, Collaboration, Data Storage & Archiving, Cloud Services

ECP Signed Agreement

Signed agreement with trusted web admins & password holders
  • Webpage admins agree to shut down web channels on short notice (within one hour / periodic “stress test”).
  • Webpage admins agree to follow ECP style guidelines, branding, tone, imagery, events and links, etc.  For example, ECP pages on Facebook might carry ECP logos and links to other pages and events.
  • Keep ECP Password Inventory current with latest logins.
  • Report security compromises, vandalism, impersonation, hacks and other hostile acts online to the ECP Executive Board.
  • Report to the ECP Board how to perform one’s job better, and how to protect ourselves from ‘black hat’ hackers and other hostile or dysfunctional players.
  • Trusted web admins and password holders agree to report any relevant suspicious activity to the ECP Executive Board. 

And …

Future dev: things not covered in this document
  • Roles.

Draft by Richard Ellsberry for the ECP, 2017.
Special thanks to Erika, Heather and Maureen for input on the earliest iteration.