AMERICAN SOCIETY OF ANIMAL SCIENCES, INC.
It is the objective of American Society of Animal Sciences, Inc. (“ASAS”) in the development and implementation of this comprehensive information security program (“CISP”) to create effective administrative, technical and physical safeguards for the protection of personal information, and to comply with obligations under 201 CMR 17.00. This CISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information. For purposes of this CISP, “personal information” means an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. ASAS generally acquires personal information in connection with hiring employees and payroll, and in accepting donations and conference fees from members and the public.
The purpose of the CISP is to:
ASAS appoints Jacelyn Hemmelgarn to be its Data Security Coordinator. The Data Security Coordinator will be responsible for:
All paper records containing personal information shall be kept in a locked file cabinet with restricted access. Paper records will be destroyed regularly in accordance with ASAS’s document destruction policy using an office-grade shredder. Records containing personal information may not be taken out of the office and may be accessed only by personnel with a business necessity. Checks that need to be transported from the office to the bank may be sent by US mail or hand delivered by the responsible employee, and if hand delivered, will not be left unattended at any point in the transition.
Checks. When ASAS receives checks from conference registrants or donors, it will make only one hard copy and keep it in a locked file cabinet with restricted access. The checks themselves will also be kept under lock and key until they are deposited.
Paper employment records. Paper employment records must be kept under lock and key and accessed only by staff members responsible for employment issues and/or by the Chief Operating Officer or by the Chief Executive Officer.
ASAS requires the following security systems with respect to the maintenance of personal information on its computers:
Authentication Protocols. The Data Security Coordinator shall secure user authentication protocols including:
Access Protocols. The Data Security Coordinator shall implement the following secure access control measures:
Restriction on E-mailing Personal Information. ASAS will not, as a general rule, send or accept personal information by e-mail. To the extent exceptions must be made, the security measures described in this CISP shall be taken.
Encryption. Should any records and files containing personal information be transmitted across public networks or wirelessly, such records or files shall be encrypted. Personal information stored on laptops and other portable devices shall also be encrypted.
Monitoring. ASAS shall take all steps necessary to reasonably monitor its computer network for unauthorized use of or access to personal information.
Firewalls. All files containing personal information on a system that is connected to the Internet shall be protected by a reasonably up-to-date firewall protection and operating system security patches designed to maintain the integrity of the personal information.
Virus protection. All computers containing personal information shall be protected by reasonably up-to-date versions of system security agent software, including malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
ASAS routinely shares personal and financial information with its payroll service, its CPA firm, legal counsel, and credit card vendors. ASAS requires each of these organizations to send written evidence, signed by an authorized person, confirming that they follow a security plan that fully complies with 201 CMR 17.
The Data Security Coordinator shall ensure that all employees, whether full-time, part-time, seasonal or temporary, and independent contractors, consultants and volunteers who have access to personal information are trained on the data security requirements provided in this CISP.
All employees, whether full-time, part-time, seasonal or temporary, and independent contractors, consultants and volunteers upon termination or resignation shall immediately be denied access to physical and electronic records containing personal information and will be required to return or destroy all records and files containing personal information in any form that may at the time of such termination or resignation be in their possession or control, including all such information stored on laptops, portable devices, or other media, or in files, records, notes, or papers.
All employees, whether full-time, part-time, seasonal or temporary, and independent contractors, consultants and volunteers, shall as soon as practicable and without unreasonable delay notify the Data Security Coordinator when such person knows or has reason to know of a security breach or when the person knows or has reason to know that personal information was acquired or used by an unauthorized person or used for an unauthorized purpose.
A “security breach” is any unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information that creates a substantial risk of identity theft or fraud. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for lawful purposes, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
When the Data Security Coordinator is informed of a security breach, he/she will (1) notify the individual whose information was compromised, and (2) notify the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation.
The notice to the individual will be in writing, possibly by electronic mail, and will include the following information:
The notice to the Office of Consumer Affairs and Business Regulation and to the Attorney General will include the following:
Non-Retaliation. ASAS will not retaliate against anyone who reports a security breach or non-compliance with CISP, or who cooperates in an investigation regarding such breach or non-compliance. Any such retaliation will result in disciplinary action by ASAS up to and including suspension or termination.
Documentation. ASAS shall document all responsive actions taken in connection with any incident involving a security breach.
American Society of Animal Science
PO Box 7410, Champaign, IL 61826-741
E-mail: email@example.com, Ph. 217.356.9050, Fax 217.689.2436
Copyright © 2023 ASAS. All Rights Reserved.