Acceptable Use¶
Objective¶
This page offers a practical guide for the everyday use of Cafh technology. It helps volunteers, staff, and trusted partners care for systems, teachings, records, and the member area in a steady and humane way.
Why this matters¶
Digital care is shaped by ordinary habits. A rushed click, a copied file, or a message sent without pause can create more trouble than a complex attack. Clear and friendly rules help people with different levels of technical experience work with confidence and care. That keeps the portal, member content, and shared records in healthier condition.
Risks this page helps reduce¶
- Phishing and malware
- Sensitive data stored in personal tools
- Public sharing of restricted material
- Tool sprawl with no review
- Admin rights used too widely
- Mistakes that go unreported
Expectations¶
These expectations are the daily baseline for Cafh work. They do not ask every member to think like a technician. They give simple habits that reduce risk across many roles and skill levels.
- Use organizational accounts only for approved activities.
- Use the Cafh password manager for shared or critical credentials.
- Use multi-factor authentication on every critical service.
- Install software only from trusted and approved sources.
- Avoid storing sensitive information in personal or unmanaged services.
- Report suspicious messages, malware, or accidental disclosures immediately.
Member area and teachings¶
This area needs extra care. It holds material shared for members and material tied to study and formation. The main risk is not only loss. The main risk is wrong sharing into spaces that do not fit the purpose of the content.
- Treat member-only content as restricted.
- Share books, teachings, and study material only through approved channels.
- Do not post member content in public tools or public social channels.
- Keep drafts and files in the approved storage location for that work.
Devices and accounts¶
Clear daily discipline on devices and accounts prevents many avoidable problems. The goal is not heavy control. The goal is fewer surprises, clearer ownership, and faster recovery.
- Shared devices must use named accounts in normal operations.
- Disable inactive accounts at once.
- Report lost devices and stolen devices the same day.
- Keep admin rights with the smallest practical group.
Personal devices used for Cafh work¶
Most Cafh members use their own phones and computers for Cafh work. This is a real part of how the organization operates. Cafh cannot require one product, one operating system, or one protection tool on every personal device. It can still define baseline practices for access to Cafh systems and data.
When a personal device is used for Cafh work:
- Keep the operating system, browser, and main apps current
- Use the built-in screen lock and encryption features supported by the device
- Keep Cafh work inside approved apps, storage, or browser sessions
- Avoid local copies of restricted files
- Use local copies only for a short and clear task
- Delete downloaded Cafh files after the task closes
- Keep Cafh work away from personal sharing apps and shared family accounts
- Avoid admin work from public or borrowed devices
- Report loss, theft, malware, or suspicious behavior the same day
These steps reduce risk even without full device management by Cafh.
Sample personal device self-check¶
| Member | Device used for Cafh work | Access type | Screen lock | Updates current | Restricted local files | Last self-check |
|---|---|---|---|---|---|---|
| Ana R. | Personal laptop | Admin and records | Yes | Yes | No | 2026-04-15 |
| Marta S. | Personal phone | Email and social media | Yes | Yes | No | 2026-04-18 |
| Luis M. | Personal laptop | Member support and data access | Yes | Yes | Temporary export only | 2026-04-20 |
New tools¶
New tools often seem small at the start. A small pilot can still create new copies of data, new admin paths, and new long term cost. This review gives Cafh a pause before that drift becomes normal work.
Review these points for each new tool:
- Data location and retention terms
- Access control and role support
- Export and recovery options
- Contract or cost implications
- Compatibility with existing policy commitments
No new tool should be used for Cafh work until the committee reviews it. This review can be brief for low-risk tools. It must be deeper for tools that hold member data, official content, or admin access.
Tool review checklist¶
The checklist gives the committee one shared lens. It keeps the decision from resting only on convenience or enthusiasm. It helps the group compare low-risk tools and high-risk tools with the same basic questions.
Before approval, the committee should confirm:
- What problem the tool solves
- Which team or members will use it
- Which Cafh data will enter the tool
- Whether the data is public, internal, or restricted
- Where the data is stored
- Who owns the account and billing
- Whether Cafh can control admins, MFA, and recovery
- Whether the tool supports export and deletion
- Whether the vendor gives a clear support path
- Whether the tool fits the incident and privacy rules of Cafh
High-risk tool triggers¶
Some tools need slower review and stronger records. The cases below touch data, identity, public voice, or the core service chain. That is why the committee should treat them with more care.
The review must be treated as high risk when a tool:
- Stores member data
- Stores internal committee records
- Stores teachings or member-only study material
- Controls official email, domains, DNS, or social channels
- Receives admin access to cloud or website systems
- Uses AI on Cafh content or member data
- Has no clear export path or exit path
Sample tool review register¶
| Tool | Purpose | Data used | Risk level | Cafh owner | Key checks | Decision | Review date |
|---|---|---|---|---|---|---|---|
| Zoom | Meetings and training | Internal meeting data | Medium | Committee chair | MFA, host roles, recording controls, support path | Approved | 2026-10-01 |
| Member records platform | Member records | Restricted member data | High | Membership owner | Export, deletion, access control, backups, privacy terms | Approved with review | 2026-07-01 |
| Design collaboration tool | Public content drafts | Public and internal draft content | Medium | Communications owner | Admin owner, file sharing, exit path | Approved | 2026-09-15 |
| New AI writing tool | Draft summaries and translations | Public text and draft internal notes | High | Committee delegate | Data handling, human review, export, AI use limits | Pending | 2026-05-15 |
Cybersecurity and safe use of AI awareness course¶
Cafh should keep one awareness course for members who use official systems, handle member data, publish content, or hold admin access. This course gives one shared base for daily digital care. It helps the committee reduce avoidable mistakes and build one common response language.
The course should be completed:
- Before giving admin, publishing, or recovery access
- During onboarding for members with digital duties
- Every 12 months as a refresher
- After a major incident or major policy change
Sample course outline¶
| Module | Main topics | Practical result |
|---|---|---|
| Daily account protection | passwords, password manager, MFA, recovery paths, device locking | Members know how to protect official access |
| Personal device safety | updates, screen lock, local copies, shared devices, same-day reporting | Members know how to lower device risk in a volunteer setting |
| Phishing and suspicious activity | fake login pages, malicious links, social engineering, unusual messages | Members know when to stop and report |
| Member data and privacy | restricted data, sharing rules, approved storage, exports, privacy duties | Members know what data needs extra care |
| Official channels and brand | official email, social channels, public voice, approval paths | Members know how to use official channels with care |
| Incident reporting and support | urgent cases, standard cases, abuse reports, evidence, escalation path | Members know what to report and what to record |
| Safe use of AI | allowed uses, restricted uses, human review, bias, member data, teachings | Members know how AI may assist and where it must stop |
Sample training register¶
| Member | Role | Access level | Course date | Refresher due | Notes |
|---|---|---|---|---|---|
| Ana R. | Committee member | Admin | 2026-04-15 | 2027-04-15 | Full course completed |
| Marta S. | Communications owner | Publisher | 2026-04-18 | 2027-04-18 | Needs vendor escalation module review |
| Luis M. | Membership support | Data access | 2026-04-20 | 2027-04-20 | Full course completed |
Response expectations¶
Users must report mistakes, security events, and policy exceptions at once. The digital contact records the event and starts containment. Fast reporting matters more than a perfect first explanation. Early notice gives Cafh time to reduce harm, preserve evidence, and call the right people.