Stake/Ward File Sharing Site

Use this forum to discuss issues that are not found in any of the other clerk and stake technology specialist forums.
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX
Contact:

#21

Post by RossEvans »

jdlessley wrote:Actually there is some policy on this regarding the confidentiality of records found in the CHI, book1, p 150-151. While it does not address e-mail specifically it does address the confidentiality and security of reports, records and membership information. E-mail, falling under storing this information electronically, would require to be password protected.

Protection of storage and encryption of transmission are two different things, although they are related. Arguably both are involved with email. But the concept of protected storage applies even more directly to some central repository, such as what macsense is talking about -- provided that the data involved comprises confidential records within the scope of those provisions. Not all content falls under that definition.

The technical issue is how to comply with such requirements when they do apply. Perhaps where this forum could add value is in recommending technical solutions that would help leaders conform.

There are decent solutions such as PGP, but they are a hassle for end-users to implement. A less ambitious solution might be using recent versions of WinZip. It includes 256-bit AES, which is probably good enough. Managing shared passwords can be complicated, but is workable for small groups such as bishoprics.

Security is mostly a problem of people following procedures, and noncompliance does not occur only in email or in complicated shared-file architectures. I often find unprotected files right on the clerk's office computer.
jdlessley
Community Moderators
Posts: 9860
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#22

Post by jdlessley »

I would love to hear someone provide a solution for this specific need. But with the restrictions the Church places on the confidentiality of records and records management I don't see a solution for electronic storage beyond the systems the Church curently provides in administrative computers and Church servers. As I read macasense's original post he included items the Church specifically addresses in the CHI as being identified as confidential. They do not need to be "highly confidential materials" as macsense described to require special handly and storage. Examples of confidential records, using the CHI definition, include reports and official forms.
macsense wrote:I don't see this as a place for confidential materials necessarily. Rather, a place for stake calendars, temple schedules, stake statistical reports, etc..
Stake calendars can contain confidential information. At least the LUWS stake web calendar requires a username and password for access. Additionally it is stored on a Church server. Stake statistical reports are one category of records, reports, that are mentioned in the CHI as being confidential. As such the policies and procedures identified in the CHI must be followed.

It is too difficult to make a list of those documents that could possibly end up being stored on a central file sharing site. Is there a chance that a confidential document would end up being stored on such a site and then become compromised? In my opinion the answer is yes. It is also my opinion that the Church does not want to take that risk.

I don't want to discourage looking into solutions, but I think that when a solution meets the needs of local leaders it is not enough to procede ahead in implementing a solution without taking it to the appropriate Church leaders and/or departments for approval. This is an area where the local leaders would not necessarily have all the legal and technical information necessary to make an informed decision.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
User avatar
marianomarini
Senior Member
Posts: 619
Joined: Sat Jan 19, 2008 3:13 am
Location: Vicenza. Italy

#23

Post by marianomarini »

As tech poeple we could be used to think in a limited world (real) instead of infinite (ideal).
Security is a real matter, we can't have 100% of efficency.
So. I wonder who can be so interested to know Sacrament Meeting attendance to spend time and money to crack a 128 bit key?
La vita è una lezione interminabile di umiltà (Anonimo).
Life is a endless lesson of humility (Anonimous).
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX
Contact:

#24

Post by RossEvans »

jdlessley wrote:I don't want to discourage looking into solutions, but I think that when a solution meets the needs of local leaders it is not enough to procede ahead in implementing a solution without taking it to the appropriate Church leaders and/or departments for approval. This is an area where the local leaders would not necessarily have all the legal and technical information necessary to make an informed decision.

It seems to me that the direction from CHQ on a plethora of technical issues has been the opposite: The general advice is not to submit every idea to Salt Lake for approval, but to rely on local priesthood leaders to interpret policy.

(BTW, the password-protection requirement from the CHI is actually less restrictive than some of the other unofficial interpretations of policy sometimes advanced here.)

Where CHQ can help most is in providing generalized technical resources for generalized needs: If the objective really is to keep all files on church-owned-and-operated servers, then CHQ ought to be providing such file servers for local leaders and members. The current offerings in LUWS are a start. But for local leadership use they are too limited and too constraining in terms of allowed file types. Why restrict this at all? There also is an obvious need for authenticated file folders specifically for leaders.

Staying within the letter of policy is important. But it is also important to support local leaders who are trying to magnify their callings.
jdlessley
Community Moderators
Posts: 9860
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#25

Post by jdlessley »

boomerbubba wrote:It seems to me that the direction from CHQ on a plethora of technical issues has been the opposite: The general advice is not to submit every idea to Salt Lake for approval, but to rely on local priesthood leaders to interpret policy.
Taking the solution to the Church for this situation is not the same as setting up broadband Internet connections, creating local networks, or anything similar. The issue here concerns whether setting up a site to store electronic documents would meet the security requirements for such documents. Even the December 13, 2004, policy letter on Authorized Church Web Sitesmay come into play.

The guidance in the Confidentiality of Records and Records Management sections in the CHI probably did not anticipate storing electronic documents outside the local administrative computer or its associated media as proposed in this thread. When reading the CHI, the only mention of electronic information is in regards to the administrative computer and media used with that computer. I would think that expanding the storage of electronic confidential records beyond the local unit administrative computer and media associated with that computer should be taken to Church headquarters. The CHI, Book 1, page 151, even counsels leaders to seek guidance from Church headquarters for direction regarding data protection in specific instances. I think setting up a files storage site would be a specific instance.

I am sure the security of confidential records is no small issue. Local leaders do not have the legal resources to make the decision for this situation. It would not hurt to contact the data privacy officer at Church headquarters at the following e-mail address: dataprivacyofficer@ldschurch.org.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX
Contact:

#26

Post by RossEvans »

jdlessley wrote: The issue here concerns whether setting up a site to store electronic documents would meet the security requirements for such documents. ...

I suggest that is one of the issues, which can be most easily "resolved" simply by saying no. The other issue is that of actually solving the problem for the local leaders. (No one thinks they are not authorized to see the data in question to magnify their callings. It's just a problem of how to disseminate it to them efficiently and securely.)

So in addition to contacting the privacy officer, the issue also could be taken up through channels to seek a technical solution to the leaders' needs. It may be that a general solution is already in the works. In the long run, given the LDS Accounts feature with authentication-by-calling going into place, and the economies of scale of data hosting, a centralized service would make a lot of sense.
jdlessley
Community Moderators
Posts: 9860
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#27

Post by jdlessley »

boomerbubba wrote:I suggest that is one of the issues, which can be most easily "resolved" simply by saying no.
To those asking the question it may seem that they (proper Church authority) may take the simple way out rather than actually investigating the issue. I doubt that the answer would be given without some sort of background for the reason - even if the reason is not given in the answer.
boomerbubba wrote:The other issue is that of actually solving the problem for the local leaders. (No one thinks they are not authorized to see the data in question to magnify their callings. It's just a problem of how to disseminate it to them efficiently and securely.)
Exactly. The solution mansense proposes involves creating an central file sharing site (generally a site not belonging to the Church). Part of the reason for contacting Church headquarters is to see if the solution he or others may be contemplating meets not only their needs but complies with guidance for securing confidential records and also the Authorized Church Websites letter. I suspect one of the reasons for getting a no answer would be that the Church would not have control of the security of any electronic documents stored at the site. That would be a concern because the content of those documents could potentially contain privacy information, confidential information, or information the Church does not want available to the general public (The contents of, or extracts of, the CHI is one example.).
boomerbubba wrote:So in addition to contacting the privacy officer, the issue also could be taken up through channels to seek a technical solution to the leaders' needs. It may be that a general solution is already in the works.
boomerbubba wrote:It seems to me that the direction from CHQ on a plethora of technical issues has been the opposite: The general advice is not to submit every idea to Salt Lake for approval, but to rely on local priesthood leaders to interpret policy.
From these two statements I am confused as to what you really want to say. Are you in support of taking technical issues, including possible solutions derived locally, to Church headquarters or are the solutions to be dealt with locally?
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX
Contact:

#28

Post by RossEvans »

jdlessley wrote:From these two statements I am confused as to what you really want to say. Are you in support of taking technical issues, including possible solutions derived locally, to Church headquarters or are the solutions to be dealt with locally?

I don't see that the two are mutually exclusive. I was just observing that when policy questions are raised in this forum, a common response from IT adminstrators is that policy is to be interpreted by local priesthood leaders.

There is nothing at all wrong with them asking headquarters for some official resolution to a particular question, and it's good to know that email resource is available to resolve privacy issues in particular. Not every IT policy issue is a privacy issue, however, and not every issue requires such a ruling from CHQ. Local priesthood leaders might consider themselves competent to decide some issues, despite your finding that they "would not necessarily have all the legal and technical information necessary to make an informed decision." It really is their call whether to ask, because they have the keys.

If I had to guess, I suspect that overall the policy constraints -- including the very restrictive warning not to upload to third-party sites data downloaded from church systems regardless of technical security -- are so severe that macsense likely will end up disappointed in what is allowable at a local level.

But if the matter ends there, purely as a matter of interpreting policy using status quo church technology, it will be very sad. Macsense has described a legitimate need of local priesthood leaders who are trying to magnify their callings. If he and his priesthood file leaders are taking the matter to CHQ, I hope it would be with a view toward finding a technical solution somehow. If the privacy officer says no to one idea, he is probably not the right person to ask for a novel technical solution to be developed that is allowable.
TuckerHST-p40
New Member
Posts: 3
Joined: Thu Dec 17, 2009 3:37 pm
Location: Holladay, UT USA

Google Sites

#29

Post by TuckerHST-p40 »

Google Docs are useful for collaboration, but if you want to do file sharing, Google Sites is, in some ways, better. Attached is a screen shot of a "file cabinet" page.

All you need to use sites is a domain name, and they're very cheap. The actual service (Google Apps) is free, and I think they allow up to 50 users. There's no programming involved, although you need just a smidge of tech knowledge to get it up and running and to administer ongoing.

-scott
Attachments
Sites.jpg
(66.24 KiB) Downloaded 94 times
Post Reply

Return to “General Clerk Discussions”