ISPOT
Information Security, Privacy Oversight Team
WISP
Written Information Security Program
The Massachusetts data security regulations (201 C.M.R. 17.00 et seq., the “Massachusetts Regulations”) that went into effect in 2010 require every company that owns or licenses “personal information” about Massachusetts residents to develop, implement, and maintain a Written Information Security Plan (WISP). The WISP must contain certain minimum administrative, technical, and physical safeguards to protect such “personal information”, and must identify a governing body for the organization.
The WISP must:
Designate an individual or governing group to maintain and be responsible for the program (at CHA this is the Information Security, Privacy Oversight Team (ISPOT), detailed in the section labeled IV. Administrative Controls in the actual WISP below);
Identify any reasonably foreseeable data security risks (at CHA this is our annual risk assessment process);
Protect and restrict access to paper and electronic forms of any personal information; and
Oversee any third-party service providers and ensure that those service providers comply with the Massachusetts Regulations and other applicable regulations (at CHA this is our business associate program and auditing, which is the charge of the Chief Information Security Officer).