update to EPP and Data Policy
kefortney committed Feb 21, 2024
1 parent fcca42f commit 1fe6e45
Showing 2 changed files with 21 additions and 77 deletions.
37 changes: 10 additions & 27 deletions Emergency_Preparedness_Plan.md
@@ -1,6 +1,6 @@
# Emergency Preparedness Plan

We have an emergency preparedness plan in place to address various scenarios that may impact ORCA's operations or impact ORCA members. Everyone should familiarize themselves with this plan and know their roles and responsibilities.
We must have an emergency preparedness plan in place to address various scenarios that may impact ORCA's operations or impact ORCA members. Everyone should familiarize themselves with this plan and know their roles and responsibilities.

Potential emergencies could include:
- Cybersecurity Breaches: Unauthorized access to sensitive data, systems, or networks, resulting in data theft, manipulation, or disruption of services.
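Review bot: The reworded opening at the top of this hunk, "We must have an emergency preparedness plan in place...", now reads as an obligation to write a plan rather than a statement that this document is the plan, which leaves the next sentence ("Everyone should familiarize themselves with this plan") without a clear referent. Consider "This document is ORCA's emergency preparedness plan for scenarios that may impact ORCA's operations or ORCA members."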
Expand All @@ -11,44 +11,27 @@ Potential emergencies could include:

If you encounter an emergency situation, follow these steps:

- **Assess the Situation**: Remain calm and assess the severity of the emergency.
- **Alert Others**: Notify nearby team members and evacuate the area if necessary.
- **Contact Authorities**: Call campus security or emergency services as appropriate.
- **Provide Details**: Provide clear and concise information about the emergency and your location.
- **Assess the Situation**: Remain calm and assess the severity of the emergency
- **Alert Others**: Notify nearby team members and evacuate the area if necessary
- **Contact Authorities**: Call campus security or emergency services as appropriate
- **Provide Details**: Provide clear and concise information about the emergency and your location

## Levels of Emergency
* TYPE 1 - A catastrophic emergency event involving complete loss services, or a physical the entire campus and surrounding community (Example: complete deletion of ORCA Organization on Github, flooding, major hurricane, etc.)
* TYPE 2 - A major emergency that impacts a sizable portion of ORCA, the campus and/or outside community (Examples: loss of a single repo, hacking of the social media account, potential data breach, active shooter, bomb threat, extended power outage, etc.)
* TYPE 3 - A one dimensional event that has a limited duration and impact to the campus community (Example: Closing of a buidling for safety reasons, important but not critical bug in a repo)
* TYPE 3 - A one dimensional event that has a limited duration and impact to the campus community (Example: Closing of a building for safety reasons, important but not critical bug in a repo)

## Initiation of a Emergency Status
Only authorized members, which is the VERSO Director and the Leads, should declare an emegergency unless there is an immediate danger to someone's physical safety (ALSO REACH OUT TO CAMPUS SECURITY OR 911 at that time). Anyone else should route emergencies through Leads.
Only authorized members, which is the VERSO Director and the Leads, should declare an emergency unless there is an immediate danger to someone's physical safety (ALSO REACH OUT TO CAMPUS SECURITY OR CALL 911 at that time). Anyone else should route emergencies through Leads. Because we are not a company with full-time employees, we will not have an on-call team. This will slow our responsiveness and require reaching out to team members to find who can help.

Remember, we only report it as an emergency if we can verify it is happening, if you cannot verify it please check with others before starting this process.

Remember, we only report it as an emergency if we can verify it is happening, if you cannot verify it please check with others.
1. Reporting Member posts an @here post in the #emergency channel in slack with the following information:
- Date and Time: Record the date and time when the emergency is declared to establish a timeline of events.
- Type of Emergency: Clearly specify the type of emergency, such as cybersecurity breach, natural disaster, infrastructure failure, etc., to provide context for responders and stakeholders.
- Severity Level: Assess and communicate the severity level of the emergency, ranging from minor incidents to critical crises, to guide response efforts and resource allocation.
- Description of the Situation: Provide a detailed description of the emergency, including the cause, impact, and any relevant information about affected systems, personnel, or assets.
2. On Call Member starts a Time Line document to record actions tacken
2. Reporting Member starts a Time Line document (this is a Google Drive or Microsoft Onedrive doc that can be shared with others) to record actions taken and the time stamps of important events
3. Reporting Member reaches out to the VERSO Director and determines who need to be contacted
4. A Slack Huddle is started for people to join to troubleshoot the problem
5. When a resolution is reached, a final @here in the emergency channel declaring the Emergency as resolves with the Date and Time and a Description of the solution that was executed.


## Cybersecurity and Data Protection

To ensure cybersecurity and data protection:

- **Use Secure Passwords**: Use strong, unique passwords for all accounts and systems.
- **Secure Devices**: Keep devices and software updated with the latest security patches.
- **Beware of Phishing**: Be cautious of emails or messages requesting sensitive information or login credentials.
- **Report Suspicious Activity**: Report any suspicious activity or security incidents to IT support immediately.

## Training and Awareness

All team members should receive training on safety and emergency procedures, including:

- **Orientation**: New members should receive orientation on safety procedures during onboarding.
- **Regular Training**: Provide ongoing training and reminders about safety protocols.
- **Emergency Drills**: Conduct periodic emergency drills to practice evacuation and response procedures.
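Review bot: The declaration rule under "Initiation of a Emergency Status" conflicts with step 1 of the procedure in this hunk: the paragraph says only the VERSO Director and the Leads should declare an emergency and everyone else routes through Leads, yet step 1 has the "Reporting Member" posting the @here declaration in #emergency before the Director is contacted in step 3. Either state that the Reporting Member in steps 1 to 5 is a Lead, or split step 1 into a report (anyone) and a declaration (Director or Lead). Smaller points: the heading should read "Initiation of an Emergency Status", step 3 "who needs to be contacted", step 5 "declaring the Emergency as resolved". The hunk also deletes the "Cybersecurity and Data Protection" and "Training and Awareness" sections outright; the IT policy file in this commit still covers credential hygiene and breach reporting, but nothing in either file now says that onboarding orientation or emergency drills happen. If that removal is intentional, the commit message should say so, and a cross-reference to IT_and_Data_Security_Policies.md would help readers find the reporting guidance that used to be here.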
61 changes: 11 additions & 50 deletions IT_and_Data_Security_Policies.md
Expand Up @@ -2,63 +2,22 @@
# IT and Data Security Policies

## 1. Acceptable Use Policy

### Purpose
Members of ORCA may have access, in the course of their duties, sensative and important information and technology that should be protected. The purpose of this policy is to ensure the secure and appropriate use of the ORCA's information technology resources.

### Guidelines
- All employees are expected to use company IT resources responsibly and for business purposes only.
- Prohibited activities include but are not limited to:
All individuals are expected to use IT resources responsibly. When working on ORCA projects be thoughtful about the computers, software and connected applications you may be using. Be careful of:
- Unauthorized access to data or systems
- Sharing login credentials
- Downloading or installing unauthorized software
- Visiting malicious or inappropriate websites
- Employees are responsible for protecting their login credentials and reporting any suspected security breaches immediately.

## 2. Data Protection and Privacy
Everyone is responsible for protecting their login credentials and reporting any suspected security breaches immediately.

### Purpose
This policy outlines procedures for the protection and privacy of sensitive company and customer information.

### Guidelines
- All employees must adhere to data protection laws and regulations applicable to their role and location.
## 2. Data Protection and Privacy
We may at time handle sensitive and private information and data, and we must adhere to applicable data protection laws and regulations. This includes:
- Sensitive data should be encrypted when transmitted over networks and stored securely.
- Access to sensitive data should be restricted on a need-to-know basis.
- Personal data should not be shared with third parties without proper authorization.
- Employees should report any data breaches or incidents promptly to the VERSO Director.

## 3. Password Management

### Purpose
This policy establishes guidelines for creating and managing secure passwords.

### Guidelines
- Passwords must meet minimum complexity requirements, including a mix of uppercase and lowercase letters, numbers, and special characters.
- Passwords should not be shared or stored in unsecured locations.
- Multi-factor authentication (MFA) should be used for accessing sensitive systems and data, including GitHub authentication.

## 4. Remote Work Security
If there is a suspected data breaches or incidents promptly report the time, data impacted, actions taken and if the attack is still going on to the VERSO Director.

### Purpose
This policy outlines security measures for employees working remotely or accessing company resources from external locations.

### Guidelines
- Remote access to company systems should be secured using VPNs and encrypted connections.
- Data stored on portable devices should be encrypted and backed up regularly.
- Employees should follow the same security practices when working remotely as they would on campus.

## 5. Bring Your Own Device (BYOD)

### Purpose
This policy establishes guidelines for the use of personal devices for work purposes.

### Guidelines
- Personal devices used for work should meet minimum security requirements, including antivirus software and encryption.
- Employees should not store sensitive company data on personal devices without proper authorization.
lable to employees for reference.

## 6. Confidentiality and data security policies
#### Protection of Confidential Information
### Protection of Confidential Information
**Definition**: Confidential information includes any data, documents, or discussions that are not intended for public disclosure. This may include research findings, proprietary algorithms, sensitive personal information, or any other information deemed confidential by the program.

- Access to confidential information should be limited to authorized personnel only. Employees and volunteers should sign confidentiality agreements to ensure they understand their obligations regarding the protection of confidential information.
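Review bot: Deleting the "Remote Work Security" and "Bring Your Own Device" sections wholesale leaves the policy with no device baseline at all, at the same moment the wording moves from "employees" using "company IT resources" to "all individuals" using their own computers for ORCA projects. Keep at least one line under Acceptable Use, e.g. "Devices used for ORCA work should have full-disk encryption enabled and receive security updates", since the deleted bullets on encrypting and backing up portable devices were the only such guidance. Wording in the added lines: "may have access, in the course of their duties, sensative" should be "may have access, in the course of their duties, to sensitive"; "We may at time handle" should be "at times"; and the new "Be careful of:" lead-in turns the former list of prohibited activities into things to watch out for, so "Unauthorized access to data or systems" and "Sharing login credentials" no longer read as forbidden; "Do not:" would keep the prohibition. The breach-reporting sentence should read "If there is a suspected data breach or incident, promptly report the time, the data impacted, the actions taken, and whether the attack is still ongoing to the VERSO Director."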
Expand All @@ -74,6 +33,8 @@ lable to employees for reference.
- Collect and retain only the minimum amount of data necessary to fulfill program objectives. Avoid collecting unnecessary or excessive data that could pose privacy risks to individuals.
- Obtain explicit consent from individuals before collecting, processing, or sharing their personal data. Clearly communicate the purpose of data collection and provide individuals with options to control their data.

#### Incident Response and Reporting
- Develop and maintain an incident response plan to address security incidents and data breaches promptly. Define roles and responsibilities, escalation procedures, and communication protocols for responding to incidents.
- Establish procedures for reporting security incidents and data breaches to program leadership, affected individuals, regulatory authorities, and other relevant stakeholders. Promptly investigate incidents and take appropriate corrective actions to mitigate risks.
## 3. Password Management

Passwords must meet minimum complexity requirements, including a mix of uppercase and lowercase letters, numbers, and special characters. Passwords should not be shared or stored in unsecured locations, we recommend using a password manager (bitwardent is an open source free option).

Multi-factor authentication (MFA) should be used for accessing sensitive systems and data, including GitHub authentication.

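Review bot: Section numbering is now out of order: "## 3. Password Management" is appended after the unchanged "## 6. Confidentiality and data security policies", so the file reads 1, 2, 6, 3; renumber Confidentiality to 3 and Password Management to 4, or drop the numbers. Also in this hunk: "bitwardent" should be "Bitwarden"; "#### Incident Response and Reporting" stays a level-4 heading while the sibling "Protection of Confidential Information" heading was raised to level 3 in the hunk above; and its first bullet ("Develop and maintain an incident response plan") can now point at Emergency_Preparedness_Plan.md, which this commit turns into that plan. On the password rule, consider stating a minimum length alongside the character-mix requirement, and for the MFA line note that a GitHub organization can require two-factor authentication for all its members in the organization's security settings, which turns "should be used" into something enforced rather than recommended.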