DRAFT – WISP – Written Information Security Policy 15-June-2018
Purpose of policy
The WISP for SDM Foundation establishes a vision for maintaining the privacy and confidentiality of both client and business data, as well as the security of SDM Foundation equipment.
Roles and responsibilities
The Board of Directors is responsible for approving the policy that sets out the expectations for privacy and security at SDM Foundation. The Executive Director is responsible for creating and implementing the procedures used to train and evaluate staff and volunteers. The Executive Director may suggest policy updates to the Board as needed, will review and update the procedures periodically, and will go over them with staff at least annually. Staff training will include general confidentiality training as well as specific procedural training. SDM Foundation staff and volunteers are responsible for knowing and following the WISP procedures, and for reporting any deviation in practice that they observe.
The Executive Director is also responsible for providing the public with a description of the kinds of personal data SDM Foundation collects, why it collects that data, how it uses it, and how it is stored, as well as giving clients an option to have their information removed.
Examples of types of information and categories of sensitivity
- Client data during appointments – login information, passwords, email, photos
- Employee data – names, addresses, Social Security numbers, direct deposit details, salary, email, passwords
- Financial data – account numbers, passwords, expense and revenue data
- Online accounts used for administration – passwords, logins, security measures
- Board Meeting materials – meeting packets for members
- Calendar – Client name, phone numbers, appointment information
- Mailing list – Client name, phone number, email address
- Online accounts used for lessons – user names and passwords
- Website access and use information – including Cookies
- Staff email
An incident is any action or inaction by any SDM staff member or volunteer that causes SDM Foundation equipment, business information, or client data to be left unsecured, whether or not the information is actually exposed to outside people.
How to Report – All staff and volunteers are required to report instances where they believe SDM Foundation equipment or information has been left unsecured, including any client data that is within our knowledge or control. Staff will report instances directly to the Executive Director (ED), or to a member of the Board of Directors if the Executive Director is unavailable or if the ED is the staff member involved in the incident. A report, which may be submitted in hard copy or electronic form, will describe the instance in detail, how long it lasted, and what equipment or information was left unsecured.
The Executive Director, or a designee, will undertake an investigation, which may include any or all of the following: talking with clients, staff and volunteers; examining equipment; reviewing recorded video; examining server data; and engaging outside support as needed. The results will be discussed with the staff member(s) or volunteer(s) involved.
Who will be notified
An annual report summarizing incidents will be presented to the Board of Directors at the first meeting of each calendar year.
Relationship to other policies
This WISP should be treated as though it includes the Acceptable Use Policy, which describes the use of SDM Foundation equipment and Wi-Fi as it applies to staff, volunteers, and clients. The current version of the Acceptable Use Policy is dated 15-July-16, but it may be revised at any time.