Confluence SOP
SOP Name: GovStack Confluence Guidance
Version | Author / Editor | Date | Changes |
---|---|---|---|
v1 | Esther | Oct 26, 2022 |
INTRODUCTION
The GovStack initiative will use Confluence to create documents, collaborate, and document teamwork.
PURPOSE:
To standardize the process for knowledge management for the GovStack Initiative in a transparent way.
SCOPE OF APPLICABILITY
This procedure refers to documents that do not contain sensitive or confidential information. For documents with sensitive or confidential information, please read the information confidentiality section below.
RESPONSIBILITY
All members of the GovStack team can create and save documents for the use of other members.
DEFINITIONS
Confluence is a tool to create, store, and share information.
Create information: Create pages. Build how-to materials. Brainstorm ideas. Capture thoughts. Plan new projects.
Store information: Store resources. Organize pages. Easily find the information you need.
Share information: Share projects. Give and receive feedback. Collaborate across teams.
PROCEDURE:
Step | Process | Person Responsible |
---|---|---|
0 | Create a page on Confluence for GovStack workstream. Link to how to create Confluence page here. | PM/Team member |
1 | If there is a relevant page created, create a child page to document GovStack related information | PM/Team member |
2 | Insert template created in Confluence as required. Link to meeting note template here. More customized template on Confluence. | PM/Team member |
3 | Link page to relevant Jira ticket e.g., Building Block issue | PM/Team member |
4 | Update each page as required | PM/Team member |
5 | Create blog for announcement or publish accomplishment | Comms Lead/PM |
6 | Upload document created outside of Confluence but relevant to GovStack initiative. | All team members |
Note:
Contact the PM if unsure how to create a Confluence page and where to store documents.
INFORMATION CONFIDENTIALITY CLASSIFICATION AND TOOL USAGE
Version | Editors | Changes |
---|---|---|
0.8 | Nico Lück, Rachel Lawson, P.S. Ramkumar, Esther Ogunjimi, Moritz Fromageot, Ayush Shukla | |
PURPOSE OF THIS DOCUMENT
This document guides participants of the GovStack community in finding the appropriate place to store information. As a community driven by the principle of openness, we aim to make decisions and information as public as possible. However, to ensure that we do not create risks for the project, or for the partners supporting the project, we must consider the content/data we are handling and store it in locations that mitigate those risks. The overall way we work is to:
1. classify content/data and agree how each classification is handled
2. place reminders of what classification of content/data is appropriate on each platform, where possible
3. communicate to all members of the project team which platforms are available for use and what classification of content/data is appropriate in each.
PERSONAL DATA
Data relating to people must always be handled with the greatest care and always in accordance with the rules given by GDPR. The GovStack project details these rules in its Privacy Policy and they must always be followed before further considering what information to store where, as described in this document.
CLASSIFICATION OF INFORMATION
The protection needs of information consider the damage that may occur if confidentiality, integrity or availability is compromised. The person creating the information is responsible for selecting the appropriate classification. For this person to select the correct classification, the protection need is described in a detailed, abstract manner and example cases are given. Recurring meetings shall be categorized in advance so that information coming out of these meetings inherits the respective class. We also define the tools we use to handle information at each classification. There may be exceptions to these rules, especially at the Public classification. At the Normal / High classifications, usage of a particular tool other than that defined here should be cleared with your partner lead.
Protection Need | Potential damage to GovStack Initiative or partners (Def. see below) | Example cases (incl. meetings). Initially, it is up to the groups to decide the classification of information not yet listed here. However, in the long term, all groups in the category “normal” should consider moving into “non classified/public” | Tools we use in the GovStack project for this purpose |
---|---|---|---|
Non classified/ Public information | No damage expected | General; Governance Committee; Product Committee; Technical Committee; Specs documents, use case definition by working groups, including in-development versions; Country Engagement (for comms purposes or digital public goods) | Confluence Public Areas, Jira Public Areas, Slack, GitHub, Gitbook, Website, Social Media |
Normal | Damage impacts are limited and manageable. | General; Country Engagement Team; Founding partner meeting (closed Governance meeting); Communications and Events | Confluence Restricted Areas, Jira Restricted Areas, MS Teams direct Chat |
High | The damage effects can be considerable | Founding partner meeting (closed Strategic Governance meeting); Partnership Management (Donors); Country Engagement; Code of Conduct Team | GIZ MS Teams |
Very High | The damage effects can reach an existentially threatening, catastrophic extent | | No exchange of this information |
PROTECTION NEEDS IN DETAIL
“Normal” protection needs category
Violation of laws/regulations/contracts
Violations of regulations and laws with minor consequences
Minor breaches of contract with at most low contractual penalties
Impairment of the right to informational self-determination
It is a question of personal data, the processing of which may have adverse effects on the social standing or economic conditions of the person concerned.
Impairment of the physical integrity of a person
Impairment does not appear possible.
Impairment of the ability to perform tasks
The impairment would be assessed as tolerable by those concerned.
The maximum acceptable downtime is between 24 and 72 hours.
Negative internal or external effects
Low and/or only internal impairment of reputation/confidence is to be expected.
Financial consequences
The financial loss is acceptable to the organization.
“High” protection need category
Violation of laws/regulations/contracts
Violations of regulations and laws with substantial consequences
Major breaches of contract with high contractual penalties
Impairment of the right to informational self-determination
It is a question of personal data, the processing of which may have significant adverse effects on the social standing or economic conditions of the person concerned.
Impairment of the physical integrity of a person
Adverse effects on the personal integrity cannot be ruled out completely.
Impairment of the ability to perform tasks
The adverse effects would be assessed as intolerable by some of the individuals concerned.
The maximum acceptable downtime is between one and 24 hours.
Negative internal or external effects
Considerable impairment of reputation/confidence is to be expected.
Financial consequences
The financial loss is considerable, but does not threaten the existence of the organization.
“Very high” protection need category
Violation of laws/regulations/contracts
Fundamental violation of regulations and laws
Breaches of contract with ruinous damage liabilities
Impairment of the right to informational self-determination
Includes personal data, the processing of which entails a danger to life and limb or the personal freedom of the person concerned.
Impairment of the physical integrity of a person
Severe adverse effects on the personal integrity are possible.
Danger to life and limb
Impairment of the ability to perform tasks
The adverse effects would be assessed as unacceptable by all concerned.
The maximum acceptable downtime is less than one hour.
Negative internal or external effects
National adverse effects on the reputation or confidence are possible, which may even threaten its continued existence.
Financial consequences
The financial loss threatens the existence of the organization.
RECLASSIFYING INFORMATION
Of course, we couldn’t classify information without also recognizing that there will be occasions where it needs to be reclassified for a particular purpose.
An example of data needing reclassification might be photos taken at an event. By default, they are treated as “Normal” classification, meaning they are only stored on email, MS Teams or the private Confluence. If we want to publish them on the website, we need to reclassify them as “Public”.
The method to reclassify information is to agree this reclassification in a committee or working group meeting, record the agreement to reclassify the information in the meeting notes and then move the information where it is needed.
So, for the example of photos taken at an event, the Comms team must note in their meeting minutes that images x, y and z.jpg have been reclassified as public and may now be added to social media.