So our email policy is that we have to do all of our comms from an official account and that we can’t share them for security reasons. (So only the named Training Officer has the password for the Training Officer Account).
We are also told that all staff plus any number of Cadets should have Bader access (Sharepoint and SMS with limitations able to be put in by the OC).
But that means that absolutely everyone has access to the general account because they need that login to acces personal accounts, there is no control over who can read and send emails from that general account. Mine is managed by 1 CI but theoretically any of 14 Staff & 6 Cadet NCO’s have access and can send or read anything they like.
I still have no idea how we ended up with (or were allowed) the current system, as a shared username and password is anathema to anyone who knows even the slightest thing about IT security and regulation.
One general account for generic working by a large pool of people, linked to the 2-teir system used for access to cadet/staff records (SMS) for control purposes seems like a good balance between auditability, security and cost until the system is proven and adopted as a good way forward.
Remember; on initial launch there was an OC’s account and the general account only. Training and Adj were added later, then SNCO, civcom etc. and now the plan to move to personal accounts.
The notion that using GDPR regs to cut down risk, when the systems we have and the suggested usage of them creates far more risk, is pretty dumb.
We all know that HQAC read this board, even if they don’t post. So pointing out what might be the bleeding obvious to us is useful because, as most know/assume, those at HQAC haven’t been near running a sqn since Trenchard was a lad.
They want us to abide by the law? Give us a system that actually follows the law in the first place.
