Pass Phrase Policy

1. Pass Phrase:
1. Pass phrases are so important, and complying with all the rules and regulations is so complex, that approved people must be helped in every possible way.
2. What others may call a password, in this document shall be known as a pass phrase.
3. What others may call login, in this document shall be known as sign-in.
4. What others may call users, in this document shall be known as approved people.
5. What others may call the system, in this document shall be known as the Bespoke Application Service.

2. Computing Devices
1. The desktop computer shall remain as a valid computing device, but it may be used by any passing stranger.
2. Laptops, tablets and smart phones are personal computing devices that are registered to be used by one approved person.
3. An approved person may have many computing devices, some may be personal and some may be desktops.

3. New Approved Person
1. A manager will identify a new person that they approve to become an approved person to share in their Bespoke Application Service.
2. As part of induction training, the manager helps the person to self-register using a very specific private internet address - the address identifies the owner of the Bespoke Application Service.
3. Self-registration should use the approved person's personal computing device so that the person and the computing device are both registered.
4. As part of the self registration procedure, the approved person will be shown their permanent pass phrase and their personal identifier (PIN).
5. After self-registration, the approved person may use the personal computing device to access business data as approved by their manager.
6. The manager may change the business data that the approved person may access at any time, including revoking the approved person's right to sign in.

4. Criminal Behaviour
1. In the same way that a new person may use the self-registration form, a criminal may use the same form.
2. The person's computing device and geolocation are detected and, where these do not match the owner's profile, the self-registration will be rejected.
3. If a criminal in a permitted geolocation and using an approved computing device does self-register, the criminal will have access to only the business data that they author. No data breach is involved when the criminal can only process their own authored data and cannot see any other business data.
4. The Owner of the Bespoke Application Service will be able to process the criminal's account and mark it as having all rights revoked - the criminal will then not be able to sign in.

5. Forgotten Pass Phrase
1. When a person forgets their pass phrase, needs a new pass phrase because the current pass phrase may be known to others, or needs to use a different or additional computing device, they tell their manager.
2. The manager will request a one-time pass-phrase for the approved person that has an expiry time of, say, 20 minutes - the manager tells the approved person to sign in with the one-time pass-phrase.
3. When the approved person signs in with the one-time pass-phrase within the expiry time set by their manager, they are shown their new pass-phrase and personal identifier (PIN). It is not possible to reuse the original pass-phrase or PIN - such data cannot be recreated.

6. Self-Register Again
1. When an approved person self-registers again, they are assigned a brand new account with a new pass-phrase and PIN, but with no rights to view any other business data.
2. The manager may merge the old and new accounts so the newly registered account takes on the rights of the old registered account.
3. The manager may revoke the new account and assign a one-time pass-phrase to the approved person. In all cases, the manager must take positive action to grant an approved person's account access rights to any business data.

7. Shared business data
1. Each approved person may view a list of approved people with the telephone number and email address. Communication facilities are provided for one approved person to message another approved person.
2. The manager of the Bespoke Application Service has the exclusive right to change approved person data. The manager may revoke all rights so the approved person cannot sign in. The manager may change business data access rights so the approved person can only process some business data.

8. Expiry Days
1. Approved people are approved for a limited number of days before they are assumed to have left and their account is automatically expired.
2. Where an approved person does not sign in and use the Bespoke Application Service for more than 32 days, then the account is expired. Each time the person signs in, the expiry date is reset as 32 days into the future.
3. The manager may change the expiry date for an approved person at any time, so if an account has expired, then the manager can reset the expiry date to enable the approved person to sign in.
4. The manager of a Bespoke Application Service may have their expiry time assigned as 128 days so they only need to sign in every three months to keep their account alive.
5. The manager may change the expiry date for an approved person to an old historic date so the account has expired and the approved person cannot sign in.

9. Data Deletion Policy
1. History cannot be changed and business data cannot be deleted. Business data can be hidden when it is no longer relevant, but hidden data may still be viewed and processed to make it shown again.
2. Business data cannot be deleted by overtyping with spaces or any other character. Before any business data is changed, a copy of the original data is stored in an archive that cannot be changed.
3. Business data is changed one field in one record at a time so every field value change can be encrypted and replicated to many physical locations.
4. The threat of fraud has been minimised by ensuring that fraudulent data changes can be viewed and recovered. Because a large number of encrypted copies of all business data are maintained in different physical locations, fraud may not be practical.
5. Double interconnected data chains of work done are maintained. For each person, the date, time and business data accessed and every field value change made is recorded. For each record, the person, date and time of each and every field value change is recorded.

Document Control.
1. Document Title: Pass Phrase Policy.
2. Description: Pass Phrase, policies and guidelines.
3. Keywords: Pass Phrase, policies and guidelines.
4. Privacy: Shared with approved people for the benefit of humanity.
5. Edition: 1.1.
6. Issued: 1 May 2019.