Information Security Policy #
Source: OASIS Open Information Security Policy. Approved and effective February 2, 2011.
Objective #
OASIS establishes administrative, technical, and physical safeguards to protect the Personal Information of members and employees, and to prevent unauthorized access, use, or dissemination of that information.
What Is Personal Information #
“Personal Information” is a person’s name combined with any of the following:
- Social Security number or government-issued taxpayer ID
- Driver’s license or government-issued ID number
- Financial account number, credit card number, or debit card number together with any security code, access code, or password that would permit access to the account
Publicly available information and lawfully available government records are excluded from this definition.
Data Security Coordinator #
The Data Security Coordinator is responsible for implementing this policy, including training employees (with mandatory annual training), testing the safeguards it requires, evaluating third-party service providers, and reviewing security measures annually. Contact the Director of IT to identify the current Data Security Coordinator.
Storage of Information #
- Collect and retain Personal Information only to the extent required for legitimate business purposes. Do not accumulate records beyond what is needed.
- Store physical records containing Personal Information in locked facilities or containers.
- Electronic security measures include: secure authentication, role-based access controls, encryption of data in transit and of data stored on portable devices, system monitoring, firewall protection, and current security software.
Access to Information #
Access to Personal Information is restricted to staff with a legitimate business need. Records containing Personal Information require Data Security Coordinator authorization before being removed from OASIS facilities. Staff must:
- Log off workstations during extended inactivity
- Lock screens when stepping away
- Escort visitors in any area where Personal Information is accessible
Transmission of Information #
All Personal Information transmitted across public or wireless networks must be encrypted. Staff must secure files containing Personal Information whenever they are away from their desks, and must secure all such materials at the end of each workday.
Destruction of Records #
Records containing Personal Information must be destroyed by shredding or equivalent secure physical destruction, consistent with the Document Retention and Destruction Policy. Employees leaving OASIS must return or destroy all Personal Information in any form.
Reporting Violations and Breaches #
Policy violations should be reported to the Data Security Coordinator. Security incidents that may require government notification must be reported to the (Interim) Executive Director (ED) and legal counsel immediately. Every breach is logged together with the response actions taken, and the log is provided to legal counsel.
Third Parties #
Before sharing Personal Information with third-party vendors, contractors, or partners, OASIS requires that the third party either maintain comparable security policies or accept contractual restrictions. Legal counsel evaluates the third party's capacity to comply. Operative contracts must require safeguards consistent with this policy.
Training #
All staff with access to Personal Information must acknowledge receipt of this policy in writing and complete initial and periodic retraining. Training attendance certification is mandatory.
Enforcement #
Violations result in disciplinary action up to and including termination.
Exceptions #
Any exception to this policy requires prior written authorization from the Data Security Coordinator or legal counsel.