East Bergholt Parish Council
Proposed EB PC Digital Service Ownership model
Introduction
As the world inexorably moves its business on-line so too must the Parish Council. To achieve this the
PC will increasingly find itself using multiple online “services” such as the website, the website’s
hosting environment, its domain name(s), our corporate email accounts, any online banking and
payment services, and possible social media presences it decides to have.
Such services can be termed the PC’s “digital assets” and they will be procured, owned and managed
through their respective “service accounts”, which can be termed the PC’s “digital identities”.
A service account is typically set up when a service is procured, at which point a login name and a
means of authentication, typically a password, is defined. Once these identities have been created
they quickly become critical to the organisation, and if they are hacked or lost, and the organisation
is locked out of the service, both major embarrassment and potential financial loss can be expected.
For this reason it is clear that the PC’s digital assets and digital identities need to be well protected.
Protection starts by having a consistent and well thought out “digital asset management policy” that
can be applied to all online services, particularly where digital assets relate to identity services (like
domain name or email) and money services (like PayPal or online bank accounts).
Policy Objectives
Most organisations with mature online presences have created such policies. They have found that a
starting point is to ensure that services and service accounts are not “owned” by individuals or
external (commercial) organisations, but instead by “abstracted corporate identities” that can then
be “managed” by suitably appointed personnel in the organisation. The importance of this is that the
organisation has a lifespan beyond any of the individuals or third-party contractors employed by it,
and any accounts therefore have to be owned by the organisation.
This is our starting point for a PC digital asset strategy and amounts to three expectations, that:
a. The PC will increasingly own multiple on-line services, each of which will require an owner, a
manager and be paid for via some sort of online subscription.
b. The PC can identify a small “trusted group” of personnel who can be safely given the
necessary master passwords which in turn will enable them to individually access the key
services via their accounts and passwords. The membership of this trusted group can be
expected to change over time.
c. The PC will not rely on keeping critical account information (i.e. logins and passwords) with
an individual but instead will make use of a modern online “password vault” that can be
made accessible to anyone in the trusted group. This approach greatly lessens the risk of the
loss or theft of critical account information from an individual’s care.
Implementing the Policy
1. The need for a Master Account – The first step in implementing this policy is to create an
abstracted “master account” for the PC that will act as an “owner” for the online services. This
account is the key to all PC assets and will need to be well protected. Almost all modern services use
Multi Factor Authentication (MFA) with email verification to authenticate users when they first
register and/or login, and so the master account must have an email associated with it.

2. The need for Service Independence – Because other PC services will depend on this account
it follows that the master account itself needs to be independent of any of the services used. For
example, if the PC took out a BT Broadband contract it will be offered a free email account which,
although tempting to use, should not be used as a master, because if the broadband contract were
terminated the email address would go as well!
3. Using a Google Account – A good solution commonly used is to take advantage of a free
Gmail “personal” account. This gives a perpetual account that can be well protected (e.g. by MFA),
accessible from anywhere via a browser, together with supporting services (like free Gdrive storage,
and federated social logins). Obviously the master account needs to be taken out in the name of the PC,
and an abstracted name (such as ebparishcouncil@gmail.com) can be used. It will then be the
“master” account for all other service accounts and so emails from these services will be directed
into that account’s inbox. Note that this account will NOT be used for normal PC correspondence; it
provides a service account email and is not intended to be used for public email correspondence.
4. Security on the Master Account – It is very important that the credentials to this account are
kept secure. They should be known only to a small number of PC personnel who will need to access this
account for service management. This typically would be the Parish Clerk, the Chair & Vice-Chair and
maybe a nominated councillor who might manage the “digital assets” on the PC’s behalf.
5. MFA or no MFA? – For security reasons Google always encourages users to implement Multi
Factor Authentication (MFA) on its accounts, typically a mobile phone number where SMS
verification messages can be sent. However that would make the account only accessible by the
owner of that particular mobile phone and goes against the idea of de-personalising PC accounts. It
will probably be better to turn off MFA and rely on a complex password that is regularly changed, or
if MFA is regarded as necessary, then use a second email address for verification messages (such as
the Parish Clerk’s PC email address). This will be an area for further discussion.
6. Avoiding Multiple Inboxes – To save the parish clerk from having to check multiple email
inboxes the Google account should have “email forwarding” set on to forward emails to the parish
clerk’s regular (public correspondence) email inbox.
7. Procuring Services – All new services the PC procures can now use this account as the
“account owner” and payment for these services can be made by the Parish Clerk using the PC’s credit card (or
a PayPal service, which would be just another service owned by this account). Where procuring a
service requires some technical support, (e.g.: subscription to a hosting company) the parish clerk
and the technical team can share the parish clerk’s screen via Zoom during the procurement
process, with the clerk being directed by the technical specialist.
8. Service Management – Different services will require managers suitably cognizant with the
service provided. Some services will be best managed by the Parish Clerk directly, e.g.: a PayPal
account. However most services will require technical knowledge to manage them, implying a
different person to the Parish Clerk, (see next point).
9. Service Accounts and Multiple Users – Some services will allow different users to be
specified and in this case this name can be designated for the service manager. However many
services assume the account owner is also the manager. This does not weaken the security in our
model, for in such a case the service owner (e.g. the Parish Clerk) will just give the individual
appointed as service manager the account owner’s login and password credentials for this service
alone. That individual does not get access to any other service beyond this one.

10. Password Management – All services will require their account to maintain a password, and these
should be relatively complex and regularly changed. This gives a problem in that lists of service
passwords will need to be kept up to date. The best way to do this is NOT on paper or in a private text
file accessible by a single individual, but online and thus potentially accessible to the group of
trusted people. Hence the need for a password vault, and to that end we have set up a free account
with Bitwarden.com, in the name of the master account ebparishcouncil@gmail.com. It follows that the
password for Bitwarden should only be shared among the trusted group.
Schematic for this Policy
This policy can be visually illustrated as follows:

Cllr. Rob Wombwell,
Digital Communications and Website Workgroup, EBPC,
23rd Sept 2022