Code of Massachusetts Regulations
965 CMR - DEPARTMENT OF STATE AUDITOR
Title 965 CMR 3.00 - Safeguard Of Personal Information
Section 3.03 - Written Information Security Program
Current through Register 1531, September 27, 2024
The Auditor shall develop, implement, maintain, and monitor a Written Information Security Program (WISP) designed to safeguard the personal information of residents of the commonwealth contained in the records of the Auditor. The Auditor's WISP shall be separate from 965 CMR 3.00 in order to facilitate periodic review and updating of the program. Like 965 CMR 3.00, the WISP shall be read consistently with the safeguards for protection of personal information of a similar character set forth in other state or federal laws and regulations applicable to the OSA and already in place, including but not limited to: the Fair Information Practices Act, M.G.L. c. 66A, § 1; the Criminal Offender Record Information Act, M.G.L. c. 6, § 172 and 940 CMR 11.00. The Auditor's WISP shall be available for public inspection, except to the extent any section(s) thereof may be exempt from disclosure under M.G.L. c. 4, § 7, cl. 26, or are privileged by law.
The Auditor's WISP shall include the following elements:
(1) Designation of Employee. The Auditor will designate one or more employees to design, implement, and coordinate the maintenance of the WISP.
(2) Identification and Assessment of Internal and External Risks. The Auditor will identify and assess internal and external risks to the security, confidentiality, or integrity of any electronic, paper, or other records containing personal information in each relevant area of activity of the Auditor, and will evaluate and improve, where necessary, the effectiveness of the current safeguards for minimizing such risks, including but not limited to
(3) The Auditor will take reasonable steps to ensure that departing or former employees cannot physically or electronically access records containing personal information.
(4) The Auditor will take reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.03; and will take all reasonable steps to ensure that such third-party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.03.
(5) Collection of Information. The Auditor will:
(6) Access, Storage, Use, and Disclosure. The Auditor will place reasonable restrictions upon physical access to records containing personal information including a written procedure that sets forth the manner in which physical and electronic access is restricted. The OSA will disclose the information only to those persons who and entities which reasonably require the information to perform their duties. The OSA will use and disclose the information only in conformance with a written procedure that sets forth the manner in which access to, and use and disclosure of such personal information, is restricted.
(7) Monitoring. The Auditor will conduct reasonable monitoring of systems to determine whether the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal information, and will upgrade information safeguards as necessary to limit risks.
(8) Review of Program. The Auditor will review and, where necessary, update the WISP at least annually or whenever there is a material change in personnel, governmental, technological, administrative, or other practices that may reasonably undermine the efficacy of the program.
(9) Review, Responsive Action, and Documentation of Responsive Action. Where the OSA learns that unauthorized access to physical or electronic records by an employee or third party has occurred, the OSA will review the incident in a manner commensurate with the nature and scope of the unauthorized access to determine the possible breach of confidentiality, security, or integrity of the records, if any, and to make any necessary changes in personnel, governmental, technological, administrative, or other practices relating to protection of personal information. The Auditor in her discretion may impose appropriate disciplinary measures for violations of the WISP. The OSA will document any action taken.
(10) Destruction. The Auditor will establish policies and procedures for the destruction of personal information as soon as it is no longer needed or required to be maintained by state or federal record retention requirements.
(11) Employee Training. The Auditor will ensure that OSA employees are trained in the law and the OSA WISP relating to the proper collection, storage, use, and disclosure of personal information.