Implementing MA 201 CMR 17.00 in a cultural institution…
Richard Snow, Director of Information Technology, Mount Auburn Cemetery
rsnow@mountauburn.org
Mount Auburn Cemetery
- National Historic Landmark
- Founded 1831
- 200,000 visitors annually
- 175 acres of green space
- Botanical garden, over 5,000 trees
- 650 burials annually
- Still selling new burial space
Business Drivers
- Sales
- Fundraising
- Administrative
- Personal information on file
- Credit card data on file
- What other exposures would we find?
Mount Auburn Cemetery
People
- 51 full-time, 11 part-time, and 29 seasonal employees, ~50 volunteers…
- WIDE range of computer skills
Computer Environment
- 70 Win XP workstations
- 16 servers (12 are VMs)
Two big challenges
PCI DSS v1.2
- Credit card acquirers charge $20/mo for non-compliance
- Started impacting us in June, 2010
201 CMR 17.00
- Originally due for implementation Jan 1, 2009
- Went into effect March 1, 2010
- Could not do it ourselves
- Got funding approval in an off year to bring in a consultant (unbudgeted)
RFP
- RFP to three vendors
- Had certification in PCI DSS
- Were more or less willing to take on a combined engagement
- But who has expertise in a moving target?
- Included SystemExperts after an SC online presentation.
Deliverables
- Gap analysis of multiple requirements
- Policy workshop
- External scan (in addition to those provided by CC acquirers)
- Internal scan
- Policy review of initial policies
A big staff effort
- Writing all those policies
- Procedural changes: physical security, information handling, passwords
- System configuration
- Mandatory annual staff training
Compliance
- 201 CMR 17.00 – February, 2010
- PCI DSS v1.2 – September, 2010
To Do List
- Increased documentation and daily work
- New deadlines to meet (patching, etc.)
- Unanticipated benefits
- Policies still under revision
- Enforcement
- Perpetual training: PowerPoint + WINK = video on SharePoint
Lessons Learned
- Anticipate and budget for compliance, both your time and dollars
- Don't expect someone to write your policies for you
- Online compliance sites for MA 201 CMR 17.00 at the low end, but does the customer understand what they are getting?
References
- Mount Auburn Cemetery: www.mountauburn.org
- Rich Snow – rsnow@mountauburn.org
- See Wikipedia for references and overview: 201 CMR 17.00, PCI DSS
- www.mass.gov: compliance checklist, statute
- SystemExperts: www.systemexperts.com