Website Security Policy

This policy sets out the security requirements for all users who access the Oral History Society (OHS) website administration systems and connected third-party services. It exists to protect the organisation, its members, its data, and its reputation from unauthorised access, data breaches, and financial loss.

This policy applies to all individuals with administrative or editorial access to:

  • The OHS WordPress website (ohs.org.uk), including Administrator and Editor accounts
  • Cloudflare (DNS and security management)
  • Stripe (payment processing)
  • Any other connected service used in the operation of ohs.org.uk

This includes OHS staff, trustees, volunteers, and authorised external contractors.

The OHS website handles sensitive data including member information, payment details (processed via Stripe), and content of historical and cultural significance. A security breach could result in:

  • Exposure of personal data, placing OHS in breach of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, with potential regulatory action from the Information Commissioner’s Office (ICO)
  • Financial loss through unauthorised access to Stripe or fraudulent transactions
  • Reputational damage to an organisation trusted by researchers, community groups, and heritage bodies across the UK and internationally
  • Loss or corruption of irreplaceable content, including oral history resources and archival material
  • Operational disruption, taking the website offline or compromising its integrity

These risks are preventable through consistent application of basic security practices. This policy ensures those practices are followed by everyone with access.

All users with access to WordPress Admin or Editor accounts, Cloudflare, and Stripe must enable two-factor authentication (2FA) on their account.

2FA must be set up within 72 hours of being granted access to any service covered by this policy.

Users who have not enabled 2FA within the 72-hour window will have their access suspended until 2FA is confirmed as active. This is non-negotiable and applies to all users regardless of role or seniority.

Each user is individually responsible for:

  • Setting up 2FA on their own account(s)
  • Generating and securely storing backup/recovery codes
  • Keeping their 2FA method (authenticator app, hardware key, etc.) accessible and functional

Recommended 2FA methods include authenticator apps such as Google Authenticator, Microsoft Authenticator, or Authy. SMS-based 2FA is discouraged where a stronger option is available.

Backup codes must be stored securely (see Password Requirements). If a user loses access to their 2FA method and their backup codes, they must contact the website administrator to arrange a supervised account recovery.

Password Requirements

All passwords for OHS website services must be strong and unique. A strong password is typically at least 16 characters and includes a mix of upper and lower case letters, numbers, and special characters. Passphrases (a sequence of random words) are also acceptable provided they are sufficiently long.

Passwords must never be reused across services. Each OHS service account must have its own unique password.

Passwords and backup codes must be stored in an encrypted password manager (also known as a password vault). Recommended options include Bitwarden, 1Password, or KeePass.

Passwords and backup codes must never be stored in plain text. This includes, but is not limited to:

  • Microsoft Word documents
  • Microsoft Excel spreadsheets
  • Notepad or other text files
  • Sticky notes (physical or digital)
  • Email drafts or messages
  • Browser bookmarks or notes apps without encryption

Passwords must never be shared with other users. If another person requires access to a service, a separate account must be created for them.

Only @ohs.org.uk email addresses may be used to register for or access OHS website administration services, including WordPress, Cloudflare, and Stripe.

Personal email addresses (e.g. Gmail, Outlook, Yahoo) are not permitted for OHS service accounts.

The sole exception is authorised external contractors, who may use their professional business email address where an @ohs.org.uk address is not available. External contractor access must be approved in writing by the designated role (e.g. the Website Officer or Board Chair) and reviewed at the end of each contracted engagement.

When a user’s involvement with OHS ends (whether staff, volunteer, trustee, or contractor), their access to all services must be revoked promptly, and no later than 5 working days after their departure or the end of their engagement.

All users are responsible for:

  • Complying with this policy in full
  • Setting up and maintaining their own 2FA and backup codes
  • Using strong, unique passwords stored in an encrypted vault
  • Reporting any suspected security incident or unauthorised access immediately to the designated contact

The website administrator (or designated responsible person) is responsible for:

  • Granting and revoking access in line with this policy
  • Monitoring compliance with the 2FA requirement and suspending non-compliant accounts after 72 hours
  • Conducting periodic access reviews to ensure only active, authorised users retain access
  • Maintaining an up-to-date register of all users with access to each service

Breaches of This Policy

Failure to comply with this policy may result in immediate suspension of access. Repeated or serious non-compliance will be escalated to the OHS Board of Trustees for further action.

Any suspected or confirmed security breach must be reported immediately to the designated contact. OHS has a legal obligation under UK GDPR to report certain types of personal data breach to the ICO within 72 hours of becoming aware of it.

This policy will be reviewed annually, or sooner if a significant security incident occurs or if changes to OHS systems or legislation require it.

If a user loses access to their account and is able to reset their password through the standard self-service process (e.g. via a password reset email to their @ohs.org.uk address), they should do so and no further action is required beyond ensuring their new password meets the requirements in Password Requirements.

If a user loses access to their 2FA method but has their backup/recovery codes available, they should use these to regain access and immediately set up a replacement 2FA method.

If a user is unable to reset their password and has lost access to both their 2FA method and all backup/recovery codes, their account cannot be restored through self-service. In this situation:

  • The user must notify the website administrator (or designated responsible person) as soon as possible.
  • A security review will be carried out before any account recovery action is taken. This review will include verification of the user’s identity through a means independent of the compromised account (for example, confirmation by a known OHS contact in person or via video call, or verification against information held on file).
  • The website administrator will assess whether there is any indication of unauthorised access or suspicious activity on the account before restoring it.
  • Only once the security review is satisfactorily completed will the account be recovered, the password reset, and a new 2FA enrolment initiated under supervision.
  • A record of the recovery request and the outcome of the security review will be kept on file.

It is ultimately the individual user’s responsibility to maintain good password hygiene and security practices, including:

  • Keeping their password manager accessible and up to date
  • Storing backup/recovery codes securely but retrievably
  • Ensuring their 2FA method (authenticator app, hardware key, etc.) remains functional and accessible

OHS will make reasonable efforts to support users who lose access, but repeated account recovery requests resulting from poor security practices may be treated as a compliance issue under Breaches of This Policy.

The website administrator is not obligated to recover an account on an emergency or same-day basis. Recovery will be completed as promptly as is practical, but security will not be compromised for the sake of speed.

Working in Public Places and Remote Environments

Users who access OHS website services or sensitive data outside of a private, secure environment (for example, in cafés, libraries, co-working spaces, trains, or other public or shared locations) must take additional precautions to protect OHS data and accounts.

Screen privacy. Users must ensure their screen is not visible to others when working with OHS systems or sensitive data. This may include:

  • Positioning the screen away from passers-by and neighbouring seats
  • Using a privacy screen filter on laptops and mobile devices
  • Reducing the amount of sensitive information displayed on screen at any one time

Device security. Devices used to access OHS services must be locked whenever the user steps away, however briefly. This means:

  • Enabling automatic screen lock after a short period of inactivity (no more than 2 minutes is recommended)
  • Manually locking the device (e.g. Windows key + L, or closing the laptop lid) before leaving the workspace, even momentarily
  • Never leaving a device unattended and unlocked in a public or shared space

Logging out. Users must log out of all OHS service accounts (WordPress, Cloudflare, Stripe, and any other connected services) when they have finished their session. Accounts must not be left logged in on any device, including personal computers. Relying solely on closing the browser tab or window is not sufficient, as sessions may persist.

Public and shared networks. Users should exercise caution when connecting to public Wi-Fi networks (e.g. in cafés, hotels, or on public transport). Where possible, a VPN (virtual private network) should be used when accessing OHS services over an untrusted network. Users should avoid accessing Stripe or other payment-related services over public Wi-Fi unless a VPN is active.

Shared and public devices. Users must never log into OHS services on a shared, public, or borrowed device (for example, a library computer or a colleague’s personal laptop). OHS accounts should only be accessed from the user’s own device, secured in line with this policy.