WRITTEN INFORMATION SECURITY PROGRAM
I. OBJECTIVE:
The objective of the Longwood Cricket Club (for purposes of this Written Information Security Program the term “Company” means the Company and/or any of its employees or agents that provided the Employee Information Handbook to you and for which you work) in the development and implementation of this comprehensive Written Information Security Program (“WISP”), is to create effective administrative, technical and physical safeguards for the protection of personal information maintained by the Company, and to comply with obligations under Massachusetts General Laws Chapter 93H and 201 CMR 17.00, and other laws regulating the handling of personal information that are applicable to the Company. The WISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.
The WISP is a statement of Company’s data security policy that applies to all Company employees. 
For purposes of the WISP, “personal information” means the first name and last name or first initial and last name of a person in combination with any one or more of the following data elements that relate to such person, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:
  (a) Social Security number;

  (b) Driver’s license number or state-issued identification card number;

  (c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a person’s financial account.

II. PURPOSE:
The purpose of the WISP is to:
  (a) Ensure the security and confidentiality of personal information, as defined above;

  (b) Protect against any anticipated threats or hazards to the security or integrity of such information;

  (c) Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

III. SCOPE:
In formulating and implementing the WISP, the Company has:
  (a) Identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;

  (b) Assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;

  (c) Evaluated the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;

  (d) Designed and implemented safeguards to minimize those risks, consistent with the requirements of 201 CMR 17.00;

  (e) Implemented regular monitoring of the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR:
Implementation, supervision and maintenance of the WISP will be the responsibility of the “Data Security Coordinator.” The Company has designated Fred Groen to serve as the Data Security Coordinator. The Data Security Coordinator will be responsible for:
  (a) Implementation of the WISP;

  (b) Coordination of annual training of employees who have access to personal information (including temporary and contract employees) on the importance of personal information security and the proper use of the Company’s computer systems, and having each attendee certify their attendance at the training, and their familiarity with the Company’s requirements for ensuring the protection of personal information;

  (c) Regular confirmation of the WISP’s safeguards;

  (d) Evaluating the ability of each of our third-party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access; and requiring such third-party service providers by contract to implement and maintain appropriate security measures;

  (e) Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information.

V. INTERNAL RISKS MITIGATION POLICIES:
To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:
  (a) The Company will only collect personal information that is necessary to accomplish our legitimate business transactions and for legitimate business purposes or to comply with any and all federal, state or local regulations;

  (b) A copy of the WISP shall be available and given to all current and new employees. Each employee shall acknowledge by signing an electronic copy of the WISP that he/she/they has reviewed the WISP and agrees to abide by the provisions in the WISP;

  (c) Employees are encouraged and invited to advise the Data Security Coordinator of any activities or operations which appear to pose risks to the security of personal information and, if the Data Security Coordinator is involved with these risks, employees are encouraged and invited to advise any other manager or supervisor;

  (d) A training session for all current employees will be held annually to review the importance of personal information security and the proper use of the Company’s computer systems;

  (e) Security measures shall be reviewed at least annually, or whenever there is a material change in our business practices that may reasonably implicate the security or integrity of records containing personal information. The Data Security Coordinator shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising out of that review;

  (f) Access to records containing personal information shall be limited to those employees whose duties demonstrate a legitimate need to access said records, and only for a legitimate job-related purpose with respect to the particular information accessed;

  (g) Access to personal information shall be restricted to active users and active user accounts only, and re-log-in shall be required when a computer has been inactive for more than 15 minutes;

  (h) Current employees’ user IDs and passwords are uniquely assigned to a specific employee and are not vendor supplied;

  (i) Employee passwords must be changed every 30 days and be strong and secured;

  (j) Electronic access to systems containing records with personal information will be blocked after three unsuccessful attempts to gain access;

  (k) Any paper files containing personal information of customers or employees shall be stored in a secured location, or within secured filing cabinets or other similar types of storage;

  (l) Employees are prohibited from keeping open files containing personal information on their desks when they are not at their desks;

  (m) At the end of the work day, all files and other records containing personal information must be secured in a manner that is consistent with the WISP’s rules for protecting the security of personal information. Computers will be logged off or locked, and records will be locked in a manner that only authorized employees would have access;

  (n) Terminated employees must return all records containing personal information, in any form, that may at the time of such termination be in the former employee’s possession, must return all Company owned and issued laptops and portable devices, and must permanently delete all such information stored on personal laptops or other portable personal devices or media;

  (o) A terminated employee’s physical and electronic access to personal information must be blocked at the time of termination. Such terminated employee shall be required to surrender at the time of termination all keys, IDs or access codes or badges, and the like, that permit access to the Company’s premises or information systems. Moreover, such terminated employee’s remote electronic access to personal information must be disabled; his/her voicemail access, e-mail access, internet access, and user names and passwords must be invalidated;

  (p) The Data Security Coordinator or their designee shall maintain a secured and confidential master list of all lock combinations, system passwords, and keys allowing for access to documents containing personal information. The list will identify which employees possess keys, keycards, or other access devices and confirm that only approved employees have been provided access credentials;

  (q) Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements applicable to the Company as follows:

    • When no longer needed for a legitimate business purpose, paper documents containing personal information shall be either redacted or shredded so that personal data cannot practicably be read or reconstructed;

    • When no longer needed for a legitimate business purpose, electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

  (r) Employees are to notify the Data Security Coordinator or any supervisor in the event of a known or suspected security breach or unauthorized use of personal information. If notified, the supervisor must in turn notify the Data Security Coordinator.

  (s) Whenever there is an incident that requires notification under Massachusetts law (M.G.L. c. 93H, §3) or any other law applicable to the Company, there shall be a mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in our security practices are required to improve the security of personal information for which we are responsible;

  (t) Disciplinary action will be applicable to violations of the WISP, whether or not personal information was actually accessed or used without authorization.

VI. EXTERNAL RISK MITIGATION POLICIES:
To guard against external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are effective immediately:
  (a) Firewall protection, operating system security patches, and all software, anti-virus, and anti-malware products shall be reasonably up-to-date and installed on any system that stores or processes personal information;

  (b) Personal information shall not be removed from business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy;

  (c) Electronic records containing personal information shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without the record or file being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the personal information or it is technologically not feasible to encrypt the data as and where transmitted. In furtherance of this requirement, all portable devices that have access to Company email must be password secured, and the storage on that device must be encrypted;

  (d) All computer systems should be monitored for unauthorized use of or access to personal information;

  (e) Only Company authorized/owned software should be installed on any computer that has access to or is connected to a network that stores, transports or processes personal information;

  (f) There shall be secure user authentication protocols in place that control user ID and other identifiers, assign passwords in a manner that conforms to accepted security standards or use unique identifier technologies, and control passwords to ensure that password information is secure;

  (g) All personal portable devices that are configured to access Company email shall be configured so that the Company can, in the Company’s sole discretion, remotely wipe that device.

VII. THIRD-PARTY SERVICE PROVIDER PROTOCOL:
Any service provider or individual that receives, stores, maintains, processes, or otherwise is permitted access to any file or other data element containing personal information (“Third-Party Service Provider”) shall be required to meet the following standards as well as any and all standards set forth in 201 CMR 17.00. (Examples include third parties who provide off-site backup storage copies of our electronic data; paper record copying or storage service providers; contractors or vendors having authorized access to our records):
  (a) Any contract with a Third-Party Service Provider shall require the Service Provider to implement security standards consistent with 201 CMR 17.00.

  (b) It shall be the responsibility of the Data Security Coordinator to obtain reasonable confirmation that any Third-Party Service Provider is capable of meeting security standards consistent with 201 CMR 17.00.

  (c) Any existing contracts with Third-Party Service Providers shall be reviewed by the Data Security Coordinator or their designee. These Service Providers shall meet the security standards consistent with 201 CMR 17.00, or other Providers meeting such requirements will be selected, when feasible to do so.

  (d) A list of currently known Third-Party Service Providers shall be created and maintained.

I have received this WISP on________________________ and agree to abide by all of its terms.
Name:                                                                               Date: