Levels of Protection Policy (draft)
Define 5 categories of data that require increasingly stringent protection mechanisms:
| Level | Description | Access allowed | Example | Mechanism |
| 0 | content intended to be freely viewable | world viewable, editing requires TWiki account | most everything, this is the default level | TWiki protection |
| 1 | content for a limited audience | viewing and editing requires TWiki account | work in progress, draft report, etc. | TWiki protection |
| 2 | might be copyrighted but not too sensitive | viewing and editing requires TWiki account | class data sets | TWiki protection |
| 3 | sensitive information | viewing and editing requires TWiki account | comments from candidate interviews | TWiki protection, separate web |
| 4 | very sensitive information | viewing requires special username and password | clinical trial data that we are contractually required to protect | pages served from outside TWiki, uses Apache and Linux access methods |
Levels 0, 1, and 2 are basically the same. The difference in levels of access is determined by the author of the topic. The author can use the DENYTOPICVIEW / ALLOWTOPICVIEW, DENYTOPICCHANGE / ALLOWTOPICCHANGE, and DENYTOPICRENAME / ALLOWTOPICRENAME variables to set access levels.
Note that using DENYTOPICVIEW / ALLOWTOPICVIEW to control viewing access is not too secure. All content is searchable within a web: a search will turn up view-restricted topics. That is why level 3 uses a separate web for its content.
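The caveat above suggests a simple audit: find topics that rely on ALLOWTOPICVIEW / DENYTOPICVIEW but still sit in an ordinary, searchable web. The sketch below is an added example, not part of the policy or of TWiki itself; the web names, topic names and group names are constructed, and the set of "separate" webs is an assumption you would supply for your own site.

```python
import re

# TWiki preference bullet: indent in multiples of three spaces,
# then "* Set NAME = value".
SETTING = re.compile(r"^(?:   )+\* +Set +(\w+) *= *(.*)$", re.M)
VIEW_VARS = {"ALLOWTOPICVIEW", "DENYTOPICVIEW"}


def view_restrictions(text):
    """Return the non-empty view-access settings found in one topic's text."""
    found = {}
    for name, value in SETTING.findall(text):
        value = value.strip()
        # Assumption: an empty value is treated as "no restriction set".
        if name in VIEW_VARS and value:
            found[name] = value
    return found


def audit(topics, separate_webs):
    """List Web.Topic names that are view-restricted but not in a separate web."""
    flagged = []
    for web, topic, text in topics:
        if web not in separate_webs and view_restrictions(text):
            flagged.append(f"{web}.{topic}")
    return flagged


# Constructed sample topics: (web, topic name, raw topic text).
SAMPLE_TOPICS = [
    ("Main", "DraftReport",
     "Work in progress.\n   * Set ALLOWTOPICCHANGE = Main.StaffGroup\n"),
    ("Main", "InterviewComments",
     "Notes.\n   * Set ALLOWTOPICVIEW = Main.HiringGroup\n"),
    ("Main", "OldNotes",
     "Archive.\n   * Set DENYTOPICVIEW = \n"),
    ("Hiring", "CandidateNotes",
     "Notes.\n   * Set ALLOWTOPICVIEW = Main.HiringGroup\n"),
]

if __name__ == "__main__":
    # "Hiring" stands in for the separate web that level 3 calls for.
    for name in audit(SAMPLE_TOPICS, separate_webs={"Hiring"}):
        print(f"{name}: view-restricted but in a searchable shared web")
```

Topics flagged this way are candidates for moving to the level 3 separate web.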
Never place on the web site data that contain patient identifiers of any kind.