Information Security Plan effective March 1, 2010



Similar documents
FINAL May Guideline on Security Systems for Safeguarding Customer Information

***This sample is provided solely for informational purposes. Nothing in this document constitutes legal advice***

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

DOCUMENT RETENTION AND DESTRUCTION POLICY

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Information Security and Electronic Communications Acceptable Use Policy (AUP)

PCI Data Security and Classification Standards Summary

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

DOCUMENT RETENTION POLICY Revised 01/2009

HIPAA Security Alert

California State University, Sacramento INFORMATION SECURITY PROGRAM

LSE PCI-DSS Cardholder Data Environments Information Security Policy

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Wellesley College Written Information Security Program

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

RECORD RETENTION AND DESTRUCTION POLICY

DOCUMENT RETENTION POLICY

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

HIPAA Security COMPLIANCE Checklist For Employers

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Records Management Policy

MCPHS IDENTITY THEFT POLICY

Advanced AMC, Inc. Appraiser Services Agreement (Independent Contractor Agreement)

How To Protect The Time System From Being Hacked

Records Retention Guidelines

HIPAA Training for Hospice Staff and Volunteers

HIPAA Security Training Manual

8.03 Health Insurance Portability and Accountability Act (HIPAA)

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Montclair State University. HIPAA Security Policy

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

31-R-11 A RESOLUTION ADOPTING THE CITY OF EVANSTON IDENTITY PROTECTION POLICY. WHEREAS, The Fair and Accurate Credit Transactions Act of 2003,

Data Management Policies. Sage ERP Online

American Skin Association

PHI- Protected Health Information

Cyber Self Assessment

Valdosta Technical College. Information Security Plan

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Town of Essex Comprehensive Public Records and Technology Policy

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Office 365 Data Processing Agreement with Model Clauses

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Newcastle University Information Security Procedures Version 3

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

BERKELEY COLLEGE DATA SECURITY POLICY

Information Security Policy

City of Grand Rapids ADMINISTRATIVE POLICY

Hardware and Software

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Information Security Program Management Standard

Ohio Supercomputer Center

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

INFORMATION SECURITY PROGRAM

Supplier IT Security Guide

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Records Management Manual of the University of Nevada Las Vegas Table of Contents

RECOMMENDED RECORD RETENTION PERIODS FOR BUSINESS RECORDS. In Retention Period Order. Permanent Records

Information Technology Security Policies

Responsible Access and Use of Information Technology Resources and Services Policy

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Course: Information Security Management in e-governance

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

GREAT AMERICAN TITLE OF HOUSTON, LLC D/B/A GREAT AMERICAN TITLE COMPANY EXAMINATION REPORT NOVEMBER 24, 2015

Approved By: Agency Name Management

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

Information Security Policy

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Transcription:

Information Security Plan effective March 1, 2010 Section Coverage pages I. Objective 1 II. Purpose 1 III. Action Plans 1 IV. Action Steps 1-5 Internal threats 3 External threats 3-4 Addenda A. Document Retention and Destruction Policy and Procedures 5-6 B. Security Policies and Procedures 7 General Principles, Computer Technology and Security, Insurance The Association Advantage LLC 591 North Avenue, Suite 3-2 Wakefield, MA 01880-1617 781/245-6485 Fax 781/245-6487 Solutions@TheAssociationAdvantage.net www.theassociationadvantage.net

I. OBJECTIVE: a. Our objective, in the development and implementation of this written information security plan, is to create effective administrative, technical and physical safeguards in order to protect our company and our clients and their members non-public, personal information. The plan evaluates our electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting, and disposing of our company and our clients non-public, personal information. b. Hereafter, all of the policies and procedures refer to both our company and our client associations and members non-public, personal information II. PURPOSES: a. Ensure the security and confidentiality of information. b. Protect against any anticipated threats or hazards to the security or integrity of this information. c. Protect against unauthorized access to or use of information that could result in substantial harm or inconvenience. III. ACTION PLANS: a. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information or information systems. b. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of information. c. Evaluate the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks. IV. ACTION STEPS: a. Appoint a specific person or persons within the organization to be responsible for: i. Initial implementation of plan ii. Training of employees iii. Regular testing of the controls and safeguards established by the plan iv. Evaluating the ability of prospective service providers to maintain appropriate information security practices, ensuring that such providers are required to comply with this information security plan, and monitoring such providers for compliance herewith. v. Periodically evaluating and adjusting the plan, as necessary, in light of relevant changes in technology, sensitivity of customer information, reasonably foreseeable internal or external threats to customer information, changes to information systems. b. Conduct an annual meeting for all employees on the elements of this information security plan, the contents of privacy policies, and any other requirements of federal or state privacy laws. All persons following the guidelines of this information security plan are required to sign a contract to uphold the policies within this information security plan. c. Determine reasonably foreseeable internal threats that could result in unauthorized disclosure, misuse, alteration, or destruction of company or client information or information systems, assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of information, and evaluate the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks. 1.

Action Steps continued Internal Threat Risk Level Response Intentional or inadvertent misuse of company or client information by current employees Intentional or inadvertent misuse of information by former employees subsequent to their employment Inadvertent disclosure of information to the general public, contracted specialists or guests in the office 1. Dissemination and annual review of privacy laws and individual client privacy policies. 2. Employment agreements amended to require compliance with privacy policies and to prohibit any nonconforming use of information during or after employment. 3. Employees are encouraged to report any suspicious or unauthorized use of information. 4. Periodic review to ensure these safeguards are implemented 1. Require return of all information in the former employee s possession (i.e., policies requiring return of all organization property), including laptop computers and other devices in which records may be stored, files, records, work papers, etc. 2. Eliminate access to information (i.e., policies requiring surrender of keys, ID or access codes or badges, business cards; disable remote electronic access; invalidate voicemail, e-mail, internet, passwords, etc.), and maintain a highly secured master list of all lock combinations, passwords, and keys. 3. Change passwords for current employees periodically. 4. Amend employment agreements during employment to require compliance with privacy policies and to prohibit any nonconforming use of information during or after employment. 5. Send pre-emptive notices to clients when the organization has reason to believe a departed employee may attempt to wrongfully use information, informing them that the employee has left the company. 6. Encourage employees to report any suspicious or unauthorized use of information. 7. Periodic review to ensure these safeguards are implemented 1. Prohibit employees from keeping open files on their desks when leaving for the day or a substantial period of time. 2. Require all files and other records containing company and client records to be secured at day s end. 3. Use a software program that requires each employee to enter a unique log-in ID to access computer records and to re-log in when the computer is inactive for more than a few minutes. 4. Change passwords periodically. 5. Restrict guests to one entrance point. 6. Use shredding machines on unused photocopies or other records being discarded before depositing in trash or recycling containers. 7. Ensure secure destruction of obsolete equipment, including computer hardware and software items. 8. Encourage employees to report any suspicious or unauthorized use of information. 9. Periodic review to ensure these safeguards are implemented 10. Require all sensitive records to be maintained in locked desks or filing cabinets when the office is closed. 2.

Action Steps continued d. Determine reasonably foreseeable external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of information or information systems, assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of information, and evaluate the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks. External Threat Risk Level Response Inappropriate access to, or acquisition of information by third parties Inappropriate use of information by third parties 1. Install firewalls for access to internet sites. Include privacy policy on Internet sites. 2. Require secure authentication for internet and/or intranet and extranet users. 3. Require encryption and authentication for all infrared, radio, or other wireless links. 4. Train employees to protect and secure laptops, handheld computers, or other devices and media used outside the office that contain sensitive information. 5. Install virus-checking software that continually monitors all files, downloads, floppy disks, CDs, USB sticks, all incoming and outgoing e-mail messages. 6. Establish uniform procedures for installation of updated software. 7. Establish systems and procedures for secure back-up, storage and retrieval of computerized and paper records. 8. Establish procedures to ensure external points of entry to the office are closed, locked and inaccessible to unauthorized persons when the office is closed. 9. Physically lock or otherwise secure the computers, and areas in which sensitive paper records are stored. 10. Use shredding machines on unused photocopies or other records being discarded before depositing in trash or recycling containers. 11. Ensure secure destruction of obsolete equipment, including computer hardware and software systems. 12. Encourage employees to report any suspicious or unauthorized use of information. 13. Periodic review to ensure these safeguards are implemented 1. Evaluate the ability of all prospective third-party service providers to maintain appropriate information security practices. 2. Provide all third-party service providers to whom contractual access to premises or records has been granted (including, but not limited to, insurance companies being solicited for new or renewal policies, mailing houses, custodial or plant services, equipment or service vendors, affiliates, non-affiliated joint marketing partners, ) with a copy of the Privacy Policies. 3. Require all such third-parties-by written contract-to adhere to the Privacy Policies, agree to make no use of any nonpublic personal information that would be prohibited thereby, or otherwise by law or contract, and agree to hold harmless and indemnify the company for any inappropriate use of non-public personal information.

Inappropriate use of information by third parties continued 4. Require all such third-parties-by written contract-to return all information and property at the completion or termination, for whatever reason, of the agreement between the company and the third-party. 5. Prohibit access to information (i.e., policies requiring surrender of keys, ID or access codes or badges, disabling remote electronic access; invalidating voicemail, e-mail, internet, passwords, etc, if applicable) to all such third-parties upon completion or termination, for whatever reason, of the agreement between the company and the third-party. 6. Change passwords for current employees periodically. 7. Send pre-emptive notices to clients when the company has reason to believe a terminated third-party service provider may attempt to wrongfully use information, informing them that the agreement with the company is no longer in effect. 8. Encourage employees to report any suspicious or unauthorized use of information. 9. Periodic review to ensure these safeguards are implemented 4.

Addendum A - Document Retention and Destruction Policy & Procedures The Association Advantage LLC shall retain records for the period of their immediate or current use, unless longer retention is necessary for historical reference or to comply with contractual or legal requirements. Records and documents outlined in this policy include paper, electronic files (including emails) and voice mail records regardless of where the document is stored, including network servers, desktop or laptop computers and handheld computers and other wireless devices with text messaging capabilities. Any employee of The Association Advantage LLC, or any other person who is in possession of records belonging to The Association Advantage LLC who is uncertain as to what records to retain or destroy, when to do so, or how to destroy them, may seek assistance from The Association Advantage LLC s Document Retention Policy (DRP) manager who is Sherri Oken, CAE, Executive Director. In accordance with 18 U.S.C. 1519 and the Sarbanes Oxley Act, The Association Advantage LLC shall not knowingly destroy a document with the intent to obstruct or influence an investigation or proper administration of any matter within the jurisdiction of any department, agency of the United States or in relation to or contemplation of such matter or case. If an official investigation is under way or even suspected, document purging must stop in order to avoid criminal obstruction. The retention periods described herein are guidelines. There are circumstances under which a record or document may have to be maintained longer than the guidelines. This will be a decision made by the Document Retention Policy Manager. In order to eliminate accidental or innocent destruction, THE ASSOCIATION ADVANTAGE LLC has the following document retention policy: Type of Document Accounts payable ledgers and schedules Audit reports Bank Reconciliations Bank statements Checks (for important payments and purchases) Contracts, mortgages, notes and leases (expired) Contracts (still in effect) Correspondence (general) Correspondence (legal and important matters) Correspondence (with customers and vendors) Deeds, mortgages, and bills of sale Depreciation Schedules Duplicate deposit slips Employment applications Expense Analyses/expense distribution schedules Year End Financial Statements Insurance Policies (expired) Insurance records, current accident reports, claims, policies, etc. Internal audit reports Inventories of products, materials, and supplies Invoices (to customers, from vendors) Minute books, bylaws and charter Patents and related Papers 5. Minimum Requirement 2 years 3 years 2 years 2 years 2 years 3 years 3 years 3 years

Document Retention and Destruction Policy & Procedures continued Payroll records and summaries Personnel files (terminated employees) Retirement and pension records Tax returns and worksheets Timesheets Trademark registrations and copyrights Withholding tax statements *Source of information serving as background guidance in determining THE ASSOCIATION ADVANTAGE LLC s organization s document retention policy. * 2004 National Council of Nonprofit Associations, www.ncna.org 6.

Addendum B - Security Policies and Procedures General Principles The Association Advantage LLC, as an independent contractor, will with discretion and confidentiality, perform the contracted administrative, management and consulting services in consideration of agreed upon annual payments. We will protect the privacy of our clients and members, and respect the information disclosure policies set forth by their boards of directors. We will safeguard our client s records and data to the best of our ability. Computer Technology and Security We evaluate and upgrade hardware on a regular basis, as well as utilize systems to safeguard our clients data. All data is protected by firewalls and virus protection software. Data Backup Our networked system operates off a server with redundant hard drives and an external tape backup that automatically backs up our full system daily. Weekly, we create additional back up media for databases and financial records: Flash drive/memory stick media is encrypted for additional security. Software but not records or data is maintained on our lap top computer. Firewalls Lynksys Network Translation (NAT) Firewall: Model WRT 54G Windows Firewall AntiVirus Protection Norton AntiVirus Software Symantec Endpoint Protection also anti-spamware Insurance The Association Advantage carries general liability insurance in the amount of $2,000,000. Our policy includes $10,000 Employee Dishonesty coverage. If check-writing privileges are granted by an association, the appropriate staff person will be bonded. 7.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information