This policy applies to all individuals who have access to, use, manage, or otherwise interact with the SPCA’s website, including but not limited to employees, volunteers, contractors, and third-party service providers.
The purpose of the Website Security Policy is to ensure the secure operation of the SPCA’s website and protect the data collected through it, particularly in relation to online donations. The policy outlines the procedures and security controls to defend against potential cyber threats, such as DDoS attacks and phishing attempts.
- Secure Online Transactions
All online transactions will be conducted over secure, encrypted connections (HTTPS/SSL). Payment processing will be conducted using secure, trusted third-party payment processors that are PCI DSS compliant. SPCA does not store credit card details on its servers.
- Protection Against DDoS Attacks
Measures will be put in place to protect the website from DDoS attacks. These may include the use of website firewall services, traffic monitoring, and rate limiting.
- Protection Against Phishing and Other Malicious Activity
The website will be monitored for signs of phishing and other malicious activity. SPCA’s IT team or third-party service provider will employ intrusion detection systems and perform regular scans for vulnerabilities and malware.
- Data Protection
- Access Controls
Only authorized personnel will have administrative access to the website. Multi-factor authentication will be required. User access will be reviewed on a regular basis and promptly revoked when no longer required.
- Software Maintenance and Patching
The website will be kept up to date with the latest security patches and updates. Regular maintenance will be carried out to ensure all website software and plugins are current.
- Reporting of Security Incidents
Any suspected or confirmed security incidents related to the website should be reported to SPCA’s Incident Response Team immediately, as outlined in the SPCA Incident Response Plan.
This policy will be reviewed annually or whenever significant changes are made to the website or its surrounding infrastructure.