Written Information Security Policy
This organization is committed to protecting the private information entrusted to us in the course of business.
It is our policy to identify private information as it comes into our company. Private information is defined as “Personal Information” as defined in 201 CMR 17.00, together with any additional information that we consider confidential. This information is stored in locked physical spaces or in computer files protected by strong passwords, and is retrieved only by staff who have a business need for it. Once there is no longer a business need for it, the information is shredded or securely erased.
Staff who have a business need to use this information must sign a confidentiality agreement upon hiring. Upon leaving the company, they relinquish their passwords and their keys to the locked physical spaces, and the passwords they have been using are changed.
The organization shares private information only with partners or vendors who need the information in order to do business with us. It is our company policy that personal information is not transmitted via email. These partners and vendors must certify to us in writing that they follow a data security plan equivalent to ours.
As an additional precaution, the organization follows industry-standard good computer security practices, including up-to-date antivirus/antimalware protection, timely installation of security patches, hardware network firewalls, secure password procedures, and physical access controls.
The organization regularly audits the training and practices of its staff in enforcing data security. Staff who do not properly adhere to the security rules are given a verbal warning, then a written warning, and if the problem persists, are terminated.
In the event of a security breach, the Information Safety Manager will carefully investigate and document the breach and notify the authorities and the affected parties.