All posts by eshrader

Hazard Vulnerability Analysis

The Hazard Vulnerability Analysis should be viewed within the specific context provided by Hillcrest Educational Centers, including the following elements and dimensions:
• Hillcrest primarily provides residential treatment for children and adolescents. Hillcrest also provides day therapeutic education. Students in both types of programs are physically healthy and do not suffer from any major medical problems or physical disabilities. They are capable of self-preservation.
• Hillcrest provides very intensive staffing and supervisor ratios, including awake overnight staffing, at every residential campus.
• Staff are regularly trained in emergency procedures, and fire/evacuation drills are regularly conducted.
• Hillcrest campuses are equipped with required fire and smoke detection systems, all Hillcrest buildings are equipped with fire extinguishers, and all HEC dormitories are equipped with sprinkler systems. Each Hillcrest residential campus is equipped with emergency power generators.
• Hillcrest’s Maintenance Department regularly conducts campus safety inspections and major systems maintenance.
• Hillcrest maintains and utilizes snow removal and sanding/salting vehicles/equipment for use on campuses.

Based upon the geographic location of Hillcrest Educational Centers, state and national agency data, experience and history, it has been determined that the potential hazards most likely to have impact on general agency operations and on the safety, care and treatment of Hillcrest students and on the safety of staff include the following:

HAZARD VULNERABILITY ANALYSIS LOCAL AND AGENCY RESOURCE ANALYSIS

I Purpose
The Hazard Vulnerability and Local Resource Analysis is conducted as part of a larger, ongoing effort associated with Emergency Preparedness and Management, in order to:
• ensure a safe and supportive environment of care for Hillcrest students and staff.
• ensure the efficient and effective provision of student care and treatment.
• do so in a manner compliant with regulations promulgated by the Mass. Dept. of Early Education and Care (DEEC), Mass. Department of Elementary and Secondary Education (DESE), standards established by the Joint Commission (JC), and all other applicable laws, regulations and standards.

II Objective
The Hazard Vulnerability and Local Resource Analysis is conducted in order to:
• identify reasonably likely potential hazards and disasters.
• identify potential direct and indirect effects these may have on Hillcrest operations.
• identify internal and/or local resources that can be utilized to mitigate and/or respond to emergencies and/or disasters.

REPORTING AND RESPONDING TO SECURITY BREACHES

All employees are required to report to their supervisor or the Program Coordinator any material risk to or breach of the security of Personal Information maintained by the Company. Any supervisor receiving such a report must promptly inform the Program Coordinator.
The Program Coordinator will:
• undertake any action necessary to respond to the risk or breach;
• conduct a post-incident review of the events and all actions taken, if any, to make changes in business practices relating to protection of personal information; and
• document any such post-incident review and all responsive actions taken in connection with any incident involving a breach of security.

MONITORING AND UPGRADING

The Program Coordinator will conduct regular monitoring to ensure that the Company’s Personal Information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Personal Information and will upgrade information safeguards as necessary to limit risks. The Program Coordinator also will update this Program and Policy periodically to reflect any changes with respect to the risks of Identity Theft.

COMPUTER SYSTEM SECURITY REQUIREMENTS

The Program Coordinator will establish and maintain a security system covering the Company’s computers, including any wireless system, which at a minimum will have the following elements:

(1) Secure user authentication protocols including:
• control of user IDs and other identifiers;
• a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
• control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
• restricting access to active users and active user accounts only; and
• blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
(2) Secure access control measures that:
• restrict access to records and files containing Personal Information to those who need such information to perform their job duties; and
• assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
(3) To the extent technically feasible, encryption of all transmitted records and files containing Personal Information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
(4) Reasonable monitoring of systems for unauthorized use of or access to personal information.
(5) Encryption of all Personal Information stored on laptops or other portable devices.
(6) For files containing Personal Information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches, which are reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software which can be supported with up-to-date patches and virus definitions and which is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of Personal Information security.

HANDLING AND STORAGE OF PERSONAL INFORMATION

Employees are prohibited from leaving open records containing Personal Information unattended on their desks.
At the end of the work day, and as appropriate during the work day, all records containing Personal Information shall be stored in secure storage areas or containers.
Visitors shall not be permitted to visit unescorted any area of the Company where Personal Information is kept.

THIRD-PARTY SERVICE PROVIDERS

The Company will take reasonable steps to verify that all third-party service providers with access to Personal Information have the capacity to and will protect such information, including but not limited to having reasonable policies and procedures in place that are designed to detect, prevent, and mitigate Identity Theft.
Those steps to be taken by the Company will include:
• selecting and retaining only service providers that are capable of maintaining reasonable and appropriate safeguards for personal information;
• contractually requiring service providers to maintain such safeguards; and
• prior to permitting any third-party service provider access to personal information, obtaining from the service provider a written certification that the service provider has a written, comprehensive information security program that is in compliance with the provisions of all applicable federal and state laws as they may be amended from time to time.

TERMINATED EMPLOYEES

Immediately upon the termination of a person’s employment with the Company, the Company will:
• obtain from the person all Personal Information in their possession, including all such information contained in any computer electronic files or devices, and
• terminate the person’s physical and electronic access to any records containing personal information, including but not limited to deactivating any of the person’s computer passwords and user names.