All posts by eshrader

LIMITING THE COLLECTION AND KEEPING OF AND ACCESS TO PERSONAL INFORMATION

It is the policy of the Company to:
• limit the amount of Personal Information collected – collecting only the Personal Information that is reasonably necessary to accomplish the purpose for which it is collected;
• limit the time such information is retained – keeping it only for as long as it is reasonably needed to accomplish the purpose for which it was collected, unless the Company is legally required to keep it for a longer period; and
• limit access to the information – allowing access only by those persons who are reasonably required to know the information in order for the Company to accomplish the purpose for which the information was collected or to comply with the Company’s legal requirements.
The Program Coordinator will work with those offices or employees responsible for collecting and keeping Personal Information to develop and implement any specific rules or procedures necessary to implement this policy.

RISK ASSESSMENT AND IMPLEMENTATION OF SAFEGUARDS

The Program Coordinator will periodically undertake to identify and assess the reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records of the Company that contain personal information. The Program Coordinator will do this at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
This assessment will include but not necessarily be limited to:
• identifying the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that the Company uses to store personal information;
• identifying what Personal Information is collected, kept and used, and for what purposes;
• identifying which Company employees have access to Personal Information and for what purposes; and
• assessing the internal and external risks to the security of that information.
Based upon this assessment, the Program Coordinator will evaluate and where necessary improve the effectiveness of the Company’s safeguards for limiting the internal and external risks to the security of that information, including but not limited to:
• developing and implementing security policies and procedures;
• periodic training of relevant employees (including temporary employees and contractors) with respect to the Company’s information security policies and procedures;
• ensuring employee awareness of and compliance with this Program and Policy and any other policies and procedures concerning the protection of Personal Information, including but not limited to periodic distribution of this Program and Policy and other relevant policies and procedures;
• implementing means for detecting and preventing security system failures; and
• encouraging timely reporting of information security failures or risks.

PROGRAM COORDINATOR

The Company’s Director of Information Services along with its Director of Human Resources will be responsible for overseeing, implementing, and administering this Program and Policy. The Program Coordinator will train staff, as necessary, to effectively implement the Program and Policy, and may designate any one or more Company employees to perform or assist in the performance of the responsibilities described in this Program and Policy. As used throughout the rest of this Program and Policy, the term “Program Coordinator” means “the Program Coordinator and his or her designee(s).”

DEFINITIONS

For purposes of this Program and Policy:
“Personal Information” means a person’s first and last name or first initial and last name in combination with any one or more of the following:
• the person’s Social Security number,
• the person’s driver’s license number,
• the person’s state-issued identification card number, or
• the person’s financial account number or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the person’s financial account,
provided, however, that “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
“Identity Theft” means the unauthorized use or attempted use of any identifying information of another person, including but not limited to Personal Information.

DISASTER RECOVERY ACTIVITY REPORT

• On completion of the initial disaster recovery response, the DRT leader should prepare a report on the activities undertaken.
• The report should contain information on the actions taken by the IS Dept. together with the outcomes arising from those actions.
• The report will also contain an assessment of the impact to normal business operations.
• The report should be given to senior management as soon as possible.

The report will include:
• A description of the emergency or incident
• Those people notified of the emergency (including dates)
• Action taken by members of the department
• Outcomes arising from actions taken
• An assessment of the impact to normal business operations
• Assessment of the effectiveness of the BCP
• Lessons learned

ACTIVATION OF DATA RECOVERY PLAN

When an incident occurs, all IS staff must be informed. The Director of Information Services will then decide the extent to which the DRP must be invoked. Responsibilities of the Director of Information Services are to:

• Respond to a potential disaster;
• Assess the extent of the disaster and its impact on the business, data center, etc.;
• Decide which elements of the DR Plan should be activated;
• Maintain vital services and return to normal operation;
• Ensure employees are notified and allocate responsibilities and activities as required;
• Restore key services within 4.0 business hours of the incident; and
• Recover to business as usual within 8.0 to 24.0 hours after the incident.