Web Site Security Policies

May 5th, 2019
 

Overview

The following statement explains the security measures that we take to ensure user privacy and general security of the AustinQuakers.org web site.

The term "secure" is never absolute, especially when applied to the Internet. All information on the Internet is necessarily public to some degree. Therefore no web site can be proclaimed completely "secure." We may establish security goals and implement prudent and reasonably effective protections.

Goals

As much as possible, we restrict access to personal or sensitive information that we do not wish to make public to everyone who uses the Internet. This includes names, addresses, and e-mail information, as well as Meeting minutes, documents and announcements of sole concern to Friends Meeting of Austin.

With this in mind, our security goals are as follows:

  1. Prohibit access to private data by unauthorized Internet users.
  2. Block the 'robot' programs which scour the Internet collecting e-mail and address information for marketing purposes.
  3. Apply security encryption (SSL / HTTPS) wherever possible
  4. Allow users to "opt out" of any email list or notification system.
  5. Allow users to choose whether or not to be listed in the directory
  6. Avoid any display of email, addresses, phone numbers or other personal information to anonymous users.
  7. Do not share any user data beyond the meeting or the yearly meeting (SCYM.org)
  8. Listing in the directory is limited by the user's choice. Any user can choose to be hidden from meeting directory listings and lookups.  Note however that it is not practical to restrict administrators from viewing these entries, they are therefore exempt from direcory listing restrictions.
  9. We use browser "cookies" to support necessary functionality such as sign-in. However, we never use them for tracking or data collection and do not share any information obtained from cookies with any other party. 
  10. We never send full sign-in credentials (user name and password) in an unencrypted email message.
  11. Sensitive pages such as unsubscribe and password reset pages are secured through use of a quickly expiring security token.
  12. Form transactions are protected using a highly secure security token.
  13. We apply industry standard techniques in our server and browser side scripting to foil well known security threats. 

Implementation notes

  1. Production web sites are protected with HTTPS (SSL) authentication.
  2. Feature authorizations are enforced by server side scripting (PHP), and are therefore generally safe from tampering.
  3. Industry standard techniques are employed to thwart "hacking" attempts such as cross site scripting, script injection, SQL parameter injection and denial of service attacks. 
  4. We e-mail login information to users on their request. Since these e-mail messages are not encrypted they are theoretically vulnerable to interception ay a third party.  Therefore, we mitigate this danger with a policy of never sending the username and password in the same email message.  Users who are registering or recovering a password are presented with a link that may be used to change the password.  These pages are protected with an expiring security token.
  5. Web site accounts are only issued to persons listed in the meeting directory database.  This listing is entered by an administrator on request.
  6. Cookies and scripting: Some users prefer to disable the 'cookies' and JavaScript or 'Active Scripting' features of the browser for security reasons. We are generally not able to support this choice.  As with most modern web based applications, our pages that have any behavior beyond simple display will not function without JavaScript.  Cookies are used for security purposes so it is not possible to sign-in without cookies enabled.