Updated Travis CI to run on the develop branch
jemrobinson committed Jun 8, 2021
1 parent 5391270 commit a88be19
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion .travis.yml
Expand Up @@ -129,7 +129,7 @@ jobs:
target_branch: autodocs
token: $GITHUB_TOKEN
on:
branch: master
branch: develop

allow_failures:
- env: ALLOWED_FAILURE=true
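Review bot: the deploy condition at `on: branch: develop` means every merge to develop now triggers a push to `target_branch: autodocs` using `$GITHUB_TOKEN`, so please confirm that develop is a protected branch before merging. If release documentation is still expected to be published from master, list both branches rather than replacing one with the other. The commit title speaks of running CI on develop, but this hunk only alters the deploy trigger, so check whether a branch filter elsewhere in the file needs the same change.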
6 changes: 3 additions & 3 deletions CODEOWNERS
Expand Up @@ -5,9 +5,9 @@
# No default rule set. We want to allow updates to documents with only usual peer review.

# Set owners for code used to deploy Safe Haven
# This is a protection to allow us to accept PRs from
# This is a protection to allow us to accept PRs from
# our early adopters but ensure strict review to start
# We only plan to require code owner review for
# master and other branches that may be deployed from.
# We only plan to require code owner review for
# main and other branches that may be deployed from.
# Note: /dir/ applies to directory and all subdirectories
/deployment/ @martintoreilly @jemrobinson @JimMadge
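Review bot: the comment now names `main` as the branch that requires code owner review, while the other files in this commit switch from master to `develop`; state which branch names actually carry the requirement so the comment matches the repository. CODEOWNERS only assigns reviewers, and the "require code owner review" behaviour comes from branch protection settings, so the `/deployment/` rule enforces nothing on a branch where that setting is off. The first pair of changed comment lines differs only in whitespace, which is worth noting in the commit message.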
2 changes: 1 addition & 1 deletion docs/conf.py
Expand Up @@ -47,7 +47,7 @@ def tag2version(tag):
html_context["display_github"] = True
html_context["github_user"] = "alan-turing-institute"
html_context["github_repo"] = "data-safe-haven"
html_context["github_version"] = "master/docs/"
html_context["github_version"] = "develop/docs/"

# -- Project information -----------------------------------------------------

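Review bot: `html_context["github_version"] = "develop/docs/"` hard-codes the branch, so documentation built from a tag or release will carry source links that point at develop, where the page may already have changed. The hunk context shows a `tag2version(tag)` helper, which suggests versioned builds exist; consider deriving this value from the ref being built and falling back to develop only when none is available.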
4 changes: 2 additions & 2 deletions docs/reference/checklists/DSPT.md
Expand Up @@ -30,7 +30,7 @@ Evidence Reference |Evidence text - Others (Category 3) |Tool tips - Others (Cat
1.4.4 |Is your organisation compliant with the national data opt-out policy? |Please provide your published compliance statement e.g. within a privacy notice and/or Published Data Release Register (https://digital.nhs.uk/services/national-data-opt-out-programme/compliance-with-the-national-data-opt-out). |Y |PD|[Data Subjects Request policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=11b7dab8a01047ee992508f16a95e566)|
1.5.2 |What actions have been taken following confidentiality and data protection monitoring/spot checks during the last year?|The spot checks should check that staff are doing what it says in your staff Confidentiality and Data Protection guidance and the response should include details of any actions, who has approved the actions and who is taking them forward. |Y |PD|[Data Protection Policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=5d4e868d975b4e849a43f7cd0e629f16) section 4.3 & 8|
1.6.1 |There is an approved procedure that sets out the organisation’s approach to data protection by design and by default, which includes pseudonymisation requirements. |The procedures should be approved by the board or equivalent and aim to ensure that only the minimum necessary personal data are processed, that pseudonymisation is used where possible and that processing is transparent allowing individuals to monitor what is being done with their data. |Y |PD|[Data Protection Policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=5d4e868d975b4e849a43f7cd0e629f16), 3.11 specifically|
1.6.2 |There are technical controls that prevent information from being inappropriately copied or downloaded. |Technical controls that can support data protection include access control, encryption, computer port control, pseudonymisation techniques etc. Provide details at high level. |P|TD |says 'at some tiers' in [security doc](https://github.com/alan-turing-institute/data-safe-haven/blob/master/docs/explanations/security_decisions/security-controls.md), needs to be more specific issue #891 |
1.6.2 |There are technical controls that prevent information from being inappropriately copied or downloaded. |Technical controls that can support data protection include access control, encryption, computer port control, pseudonymisation techniques etc. Provide details at high level. |P|TD |says 'at some tiers' in [security doc](../../explanations/security_decisions/security-controls.md), needs to be more specific issue #891 |
1.6.3 |There are physical controls that prevent unauthorised access to buildings and locations where personal data are stored or processed. |Physical controls that can support data protection include lockable doors, windows and cupboards, clear desk procedure, security badges, key coded locks to access secure areas, records libraries, etc. Provide details at high level. |N |PD |Policy to be drafted by IT - in progress (IC) |
1.6.5 |There is a staff procedure, agreed by the person with responsibility for data security, on carrying out a Data Protection Impact Assessment that follows relevant ICO guidance. |CO guidance available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ |Y |PD|[Data Protection Policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=5d4e868d975b4e849a43f7cd0e629f16) section 3.5|
1.6.6 |Is a Data Protection Impact Assessment carried out before high risk processing commences? |‘High risk processing’ encompasses: Automated processing; Large scale processing of special categories data - which includes health and genetic data; Systematic monitoring of a public area. If not relevant for your organisation tick to confirm. |? |PD|asking IC for more detail - checking with the DPAP/DPIA as well to see if it is spelled out in more detail in these documents|
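Review bot: in row 1.6.2 the relative link `../../explanations/security_decisions/security-controls.md` removes the branch pin, but it resolves only where the renderer rewrites `.md` paths relative to `docs/reference/checklists/`; check it in the built documentation as well as on GitHub. Since this table records compliance evidence, consider whether the evidence should instead point at a tagged version of the security document, so the referenced text cannot change after the assessment is recorded.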
Expand All @@ -46,7 +46,7 @@ Evidence Reference |Evidence text - Others (Category 3) |Tool tips - Others (Cat
4.1.2 |Does the organisation understand who has access to personal and confidential data through your systems, including any systems which do not support individual logins? |Each system may use its own user list(s) or use federated access. There may be systems where technically or operationally it is not possible to have individual logins but there are alternative methods of maintaining user lists. Where this occurs, it is understood and risk assessed by the organisation. |N |PD|We need to define a specific DSH policy for access - is this something for the team or for IC to do? |
4.2.1|When was the last audit of user accounts held? An audit of staff accounts from your organisation, to make sure there aren't any inappropriate access permissions.|Record the date when the last user audit was held. This should be completed annually as a minimum|N|PD|We need to define a specific DSH policy for access, is this something for the team or for IC to do?|
4.3.1 |All system administrators have signed an agreement which holds them accountable to the highest standards of use. |With great power comes great responsibility and all administrators should attest to that responsibility by being signatory to a agreement affirming the highest standard of use. If no systems select Yes. |?|PD|IC says that [Standards of use policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=fb1b75737e5b452e9f5327a4b8ac2add&from=0d1cf443-a273-4da6-b2fb-6dfbec2f76f2) that everyone signs should be enough. Do we agree? |
4.5.1 |Do you have a password policy giving staff advice on managing their passwords? |Password policy must cover (a) How to avoid choosing obvious passwords (b) Not to choose common passwords (c) No password reuse. (d) Where and how they may record passwords to store and retrieve them securely. (e) If password management software is allowed, and if so, which.(f) Which passwords they really must memorise and not record anywhere. |Y|PD|[password policy](https://github.com/alan-turing-institute/data-safe-haven/blob/master/docs/how_to_guides/user_guides/user-guide.md#closed_lock_with_key-set-a-password)|
4.5.1 |Do you have a password policy giving staff advice on managing their passwords? |Password policy must cover (a) How to avoid choosing obvious passwords (b) Not to choose common passwords (c) No password reuse. (d) Where and how they may record passwords to store and retrieve them securely. (e) If password management software is allowed, and if so, which.(f) Which passwords they really must memorise and not record anywhere. |Y|PD|[password policy](../../how_to_guides/user_guides/user-guide.md#closed_lock_with_key-set-a-password)|
5.1.2 |Provide summary details of process reviews held to identify and manage problem processes that cause security breaches. |Processes which have caused breaches or near misses, are reviewed to identify and improve processes which force staff to use workarounds which compromise data security. |Y |PD|Section 6 of [Data Breach & Security Incident Management Policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=6c4590be2c74466497f5239915717621)|
6.1.1 |A data security and protection breach reporting system is in place. |Confirmation that a functioning data security and protection breach reporting mechanism is in place including use of the DSP Toolkit incident reporting tool |Y |PD/TS|Section 6 of [Data Breach & Security Incident Management Policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=6c4590be2c74466497f5239915717621) and notes on issue #888|
6.1.4 |The person with overall responsibility for data security is notified of the action plan for all data security breaches. |If no breaches then please state "No breaches" |Y |PD|Section 6 of [Data Breach & Security Incident Management Policy](https://turingcomplete.topdesk.net/tas/public/ssp/content/detail/knowledgeitem?origin=sspTile&unid=6c4590be2c74466497f5239915717621) and notes on issue #888|
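Review bot: in row 4.5.1 the fragment `#closed_lock_with_key-set-a-password` is a heading slug generated from an emoji shortcode, which is specific to how GitHub renders the heading; another renderer may produce a different slug, and the link would then land at the top of the user guide. Check the link in the built documentation, or give the target heading an explicit, stable anchor and link to that.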