COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM:
SCHRAG Inc.
Last Reviewed: February 2010
I. OBJECTIVE:
Our objective, in the development and implementation of this comprehensive written information security program (“WISP”), is to create effective administrative, technical and physical safeguards for the protection of personal information of residents of the Commonwealth of Massachusetts, and to comply with obligations under 201 CMR 17.00. The WISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information of residents of the Commonwealth of Massachusetts. For purposes of this WISP, “personal information” means a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:
a. Social Security number;
b. driver's license number or state-issued identification card number; or
c. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account;
provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
II. PURPOSE:
The purpose of the WISP is to:
a. ensure the security and confidentiality of personal information;
b. protect against any anticipated threats or hazards to the security or integrity of such information; and
c. protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
In formulating and implementing the WISP, our goal is to:
(1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;
(2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
(3) evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;
(4) design and implement a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and
(5) regularly monitor the effectiveness of those safeguards.
III. INVENTORY OF PERSONAL INFORMATION
Use of personal information within SCHRAG Inc. is limited to the following categories and circumstances:
Social Security Numbers
Social Security Numbers (SSNs) are used only for payroll and for payment of independent contractors. We do not use or maintain SSNs for any customers or vendors.
Driver’s License or other State-Issued Identification Card Numbers
We do not use or maintain any information regarding driver’s licenses or other state-issued identification cards for our employees, contractors, customers, or vendors.
Financial Account Numbers
We have access to our employees’ bank account numbers for the purpose of direct payroll deposit.
We accept payment from customers and other parties by check, and those checks include bank account numbers. Most checks are drawn on accounts belonging to corporations or other businesses, and not on accounts belonging to residents of Massachusetts.
We receive credit card payments from some customers. These payments are generally processed by a third-party vendor (Intuit) and for the most part we never have access to the credit card numbers. A small number of customers have given their credit card information to us to enable regular monthly billing without customer intervention.
Other than noted above, we do not use or maintain any financial account information for employees, contractors, customers, or vendors.
Indirect Access to Customers’ Personal Information
As the computer network administrator for our customers, we have indirect access to personal information stored in electronic form by our customers. It is our policy never to access this information without the knowledge and consent of our customers. Passwords to our customers’ networks are maintained only in encrypted form, both on our own systems and by our help desk and network operations center vendors.
IV. HANDLING OF PERSONAL INFORMATION
Paper Records
All paper records are kept in a building with limited physical access. In our opinion, the security of these paper records is reasonable considering the scope and volume of the information maintained. Paper records containing personal information are put through a cross-cut shredder before disposal.
Electronic Records
The use of personal information in electronic form is extremely limited, and we take reasonable precautions as described below to safeguard this information.
V. COMPLIANCE WITH 201 CMR 17.00:
201 CMR 17.00 includes a number of required elements for every WISP. This section addresses each requirement in order.
1. The President of SCHRAG Inc. (currently David Schrag) is hereby designated to maintain the WISP.
2. Reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of electronic, paper, or other records containing personal information include:
a. Internal risks: None, as there is only one employee of the company and that employee is authorized to review all company information in all forms. That employee is fully aware of the 201 CMR 17.00 requirements.
b. External risks:
i. Unauthorized physical access to paper or electronic records kept at our office.
ii. Unauthorized physical access to electronic records on our portable computer equipment.
iii. Unauthorized electronic access to our computer network via the Internet or a wireless network.
iv. Unauthorized electronic access to data stored in an on-line repository maintained by another vendor.
These external risks are mitigated through a combination of safeguards, including:
1. Limited physical access to the office.
2. A policy of closely watching portable equipment and password protection for any equipment left unattended.
3. A commercial-grade firewall between the Internet and all office equipment.
4. WPA encryption on the wireless network with a strong password. This password was last changed on February 10, 2010.
5. Strong passwords for all on-line accounts.
6. Additional password protection for financial files.
3. David Schrag is the only employee authorized to keep, access, and transport records containing personal information outside of business premises, and that information is safeguarded as described above.
4. Disciplinary measures are not applicable to our environment.
5. Employee termination is not applicable to our environment.
6. We employ service providers for payroll processing and credit card transaction processing. These service providers are nationally recognized and we are seeking assurance that they will comply with all state and federal regulations regarding data security. Any new contracts with service providers signed after March 1, 2010, will include specific reference to safeguarding personal information.
7. As noted above, we have imposed reasonable restrictions upon physical access to records containing personal information.
8. Regular monitoring of the WISP and the operations described within is automatic, given the nature of the business and the limited number of employees.
9. The WISP and the operations described within will be reviewed on an annual basis, in December of each year. It will also be reviewed if there is a material change in business practices.
10. Any incidents involving a breach of security will be documented and a post-incident review involving business practice changes will be conducted.
201 CMR 17.00 also specifically requires that the WISP include a description of the security system covering the company’s computers. Although some of these elements have already been described above, they are repeated here for ease of documenting compliance with the regulations.
1. The following password policies are in effect for our Windows 7 computers:
a. Standard Windows complexity requirements are enforced. The minimum password length is 8 characters.
b. Passwords expire every 90 days.
c. Accounts are locked out for 30 minutes after 5 unsuccessful login attempts.
2. Access control measures are not applicable in a single-employee environment.
3. Personal information is never sent across public networks without encryption, and our wireless network employs WPA encryption.
4. Account logon auditing has been enabled on the Windows 7 computers and the logs can be reviewed on demand. Our limited use of personal information on our computer system does not justify automated monitoring for unauthorized use or access.
5. No personal information should be stored on laptops or other portable devices, making encryption of these devices unnecessary.
6. We maintain a business-class firewall. We keep our computer system security patches up to date with Microsoft Update (scheduled to run automatically).
7. We use Microsoft Security Essentials to protect our computers from malware, and this software is automatically updated.
8. Employee education and training is not applicable in our environment.
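The password, lockout and audit settings listed in items 1 and 4 above are stated as facts, but the WISP also calls for regular testing of its safeguards (section VI). The following PowerShell script is an added example, not part of the SCHRAG Inc. WISP, showing how the Data Security Coordinator could verify those two items on the Windows 7 computers: it exports the local security policy with secedit, compares the [System Access] values against the thresholds the WISP states, and then summarizes the logon audit events that the WISP says are reviewed on demand. It assumes an elevated PowerShell prompt on the machine being checked; the expected values are taken from the WISP, while the 7-day review window and the output format are assumptions of this example.

```powershell
# Added compliance check (not part of the SCHRAG Inc. WISP). Read-only: it changes no settings.
# Assumptions: run from an elevated PowerShell prompt on the Windows 7 computer; expected
# values below come from the WISP; the 7-day event window is an assumed review period.

# ---- 1. Password and lockout policy, read from secedit's [System Access] section ----
function Get-LocalAccountPolicy {
    $cfg = Join-Path $env:TEMP 'wisp-secpol.cfg'
    secedit /export /cfg $cfg | Out-Null          # secedit writes the export as UTF-16
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $policy
}

# Each check: secedit key, the WISP requirement in words, and a test of the actual value.
# A setting stricter than the WISP states is not reported as a gap (-1 = "until admin unlocks").
$checks = @(
    @{ Key = 'PasswordComplexity';    Wisp = 'complexity enforced';       Ok = { param($v) $v -eq 1 } },
    @{ Key = 'MinimumPasswordLength'; Wisp = 'at least 8 characters';    Ok = { param($v) $v -ge 8 } },
    @{ Key = 'MaximumPasswordAge';    Wisp = 'expires within 90 days';   Ok = { param($v) $v -ge 1 -and $v -le 90 } },
    @{ Key = 'LockoutBadCount';       Wisp = 'lockout after 5 failures'; Ok = { param($v) $v -ge 1 -and $v -le 5 } },
    @{ Key = 'LockoutDuration';       Wisp = 'locked out 30 minutes';    Ok = { param($v) $v -eq -1 -or $v -ge 30 } }
)

$policy = Get-LocalAccountPolicy
Write-Host "== Account policy vs. WISP =="
foreach ($c in $checks) {
    $raw = $policy[$c.Key]
    if ($raw -eq $null) {           # LockoutDuration is only exported when lockout is enabled
        Write-Host ("GAP  {0,-22} not set (WISP: {1})" -f $c.Key, $c.Wisp); continue
    }
    $status = if (& $c.Ok ([int]$raw)) { 'OK  ' } else { 'GAP ' }
    Write-Host ("{0} {1,-22} = {2,-4} (WISP: {3})" -f $status, $c.Key, $raw, $c.Wisp)
}

# ---- 2. Confirm logon auditing is on, then summarise the Security log ----
Write-Host "`n== Audit policy =="
auditpol /get /category:"Account Logon","Logon/Logoff"

# 4624/4625 = logon success/failure (Logon/Logoff category);
# 4776 = credential validation for local accounts (Account Logon category);
# 4740 = account locked out.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4740, 4776; StartTime = $since } -ErrorAction SilentlyContinue

Write-Host "`n== Logon events since $since =="
$events | Group-Object Id | Sort-Object Name | ForEach-Object { Write-Host ("  event {0}: {1}" -f $_.Name, $_.Count) }

# Pull named fields out of the event XML rather than relying on positional properties.
function Get-EventField($event, $name) {
    $xml = [xml]$event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# Failed logons (4625) and failed credential validations (4776 with a non-zero Status),
# counted per target account so repeated failures against one account stand out.
$failures = foreach ($e in $events) {
    if ($e.Id -eq 4625) { Get-EventField $e 'TargetUserName' }
    elseif ($e.Id -eq 4776 -and (Get-EventField $e 'Status') -ne '0x0') { Get-EventField $e 'TargetUserName' }
}
Write-Host "`n== Failed logon attempts per account =="
if ($failures) {
    $failures | Group-Object | Sort-Object Count -Descending |
        ForEach-Object { Write-Host ("  {0,-5} {1}" -f $_.Count, $_.Name) }
} else {
    Write-Host "  none in window (or auditing not enabled)"
}
```

Running this at the annual December review (item 9 above) and keeping the output with the review record gives documentary evidence that items 1 and 4 were actually in effect, rather than only asserted. The checks treat a stricter setting as compliant; a GAP line means the machine is weaker than the WISP describes and the policy or the document needs to be brought back into agreement.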
VI. DATA SECURITY COORDINATOR:
We have designated David Schrag to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:
a. Initial implementation of the WISP;
b. Training employees (if any);
c. Regular testing of the WISP’s safeguards;
d. Evaluating the ability of each of our third-party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, consistent with 201 CMR 17.00, and requiring such third-party service providers by contract to implement and maintain appropriate security measures;
e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information.
f. If deemed necessary, conducting an annual training session for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with the firm’s requirements for ensuring the protection of personal information.