Employees are prohibited from leaving open records containing Personal Information unattended on their desks.
At the end of the work day, and as appropriate during the work day, all records containing Personal Information shall be stored in secure storage areas or containers.
Visitors shall not be permitted to visit unescorted any area of the Company where Personal Information is kept.
THIRD-PARTY SERVICE PROVIDERS
The Company will take reasonable steps to verify that all third-party service providers with access to Personal Information have the capacity to and will protect such information, including but not limited to having reasonable policies and procedures in place that are designed to detect, prevent, and mitigate Identity Theft.
Those steps to be taken by the Company will include:
• selecting and retaining only service providers that are capable of maintaining reasonable and appropriate safeguards for personal information;
• contractually requiring service providers to maintain such safeguards; and
• prior to permitting any third-party service provider access to personal information, obtaining from the service provider a written certification that the service provider has a written, comprehensive information security program that is in compliance with the provisions of all applicable federal and state laws as they may be amended from time to time.
TERMINATED EMPLOYEES
Immediately upon the termination of a person’s employment with the Company, the Company will:
• obtain from the person all Personal Information in their possession, including all such information contained in any computer files or electronic devices, and
• terminate the person’s physical and electronic access to any records containing personal information, including but not limited to deactivating any of the person’s computer passwords and user names.
KEEPING PERSONAL INFORMATION ON THE COMPANY’S PREMISES
Except with the advance written permission of the Program Coordinator, no employee shall keep, access or transport any records containing Personal Information outside of the Company’s premises. This prohibition includes remote electronic access to Personal Information contained on any Company computer network or server.
LIMITING THE COLLECTION AND KEEPING OF AND ACCESS TO PERSONAL INFORMATION
It is the policy of the Company to:
• limit the amount of Personal Information collected – collecting only the Personal Information that is reasonably necessary to accomplish the purpose for which it is collected;
• limit the time such information is retained – keeping it only for as long as it is reasonably needed to accomplish the purpose for which it was collected, unless the Company is legally required to keep it for a longer period; and
• limit access to the information – allowing access only by those persons who are reasonably required to know the information in order for the Company to accomplish the purpose for which the information was collected or to comply with the Company’s legal requirements.
The Program Coordinator will work with those offices or employees responsible for collecting and keeping Personal Information to develop and implement any specific rules or procedures necessary to implement this policy.
RISK ASSESSMENT AND IMPLEMENTATION OF SAFEGUARDS
The Program Coordinator will periodically undertake to identify and assess the reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records of the Company that contain personal information. The Program Coordinator will do this at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
This assessment will include but not necessarily be limited to:
• identifying the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that the Company uses to store personal information;
• identifying what Personal Information is collected, kept and used, and for what purposes;
• identifying which Company employees have access to Personal Information and for what purposes; and
• assessing the internal and external risks to the security of that information.
Based upon this assessment, the Program Coordinator will evaluate and where necessary improve the effectiveness of the Company’s safeguards for limiting the internal and external risks to the security of that information, including but not limited to:
• developing and implementing security policies and procedures;
• periodic training of relevant employees (including temporary employees and contractors) with respect to the Company’s information security policies and procedures;
• ensuring employee awareness of and compliance with this Program and Policy and any other policies and procedures concerning the protection of Personal Information, including but not limited to periodic distribution of this Program and Policy and other relevant policies and procedures;
• implementing means for detecting and preventing security system failures; and
• encouraging timely reporting of information security failures or risks.
PROGRAM COORDINATOR
The Company’s Director of Information Services along with its Director of Human Resources will be responsible for overseeing, implementing, and administering this Program and Policy. The Program Coordinator will train staff, as necessary, to effectively implement the Program and Policy, and may designate any one or more Company employees to perform or assist in the performance of the responsibilities described in this Program and Policy. As used throughout the rest of this Program and Policy, the term “Program Coordinator” means “the Program Coordinator and his or her designee(s).”
DEFINITIONS
For purposes of this Program and Policy:
“Personal Information” means a person’s first and last name or first initial and last name in combination with any one or more of the following:
• the person’s Social Security number,
• the person’s driver’s license number,
• the person’s state-issued identification card number, or
• the person’s financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the person’s financial account,
provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
“Identity Theft” means the unauthorized use or attempted use of any identifying information of another person, including but not limited to Personal Information.
Loss of Internet Connectivity – What To Do
NETWORK OUTAGE: After verifying a site or building outage, call the IT Dept. at 413-499-0607 between the hours of 7:30 am – 5:30 pm, or 413-266-1124 outside of regular business hours.
DISASTER RECOVERY ACTIVITY REPORT
• On completion of the initial disaster recovery response the DRT leader should prepare a report on the activities undertaken.
• The report should contain information on the actions taken by the IS Dept. together with the outcomes arising from those actions.
• The report will also contain an assessment of the impact to normal business operations.
• The report should be given to senior management as soon as possible.
The report will include:
• A description of the emergency or incident
• Those people notified of the emergency (including dates)
• Action taken by members of the department
• Outcomes arising from actions taken
• An assessment of the impact to normal business operations
• Assessment of the effectiveness of the BCP
• Lessons learned