
Implementing MA 201 CMR 17.00 in a cultural institution…






Presentation Transcript


  1. Implementing MA 201 CMR 17.00 in a cultural institution…
     Richard Snow, Director of Information Technology, Mount Auburn Cemetery, rsnow@mountauburn.org

  2. Mount Auburn Cemetery
     - National Historic Landmark
     - Founded 1831
     - 200,000 visitors annually
     - 175 acres of green space
     - Botanical garden, over 5,000 trees
     - 650 burials annually
     - Still selling new burial space

  3. Business Drivers
     - Sales
     - Fundraising
     - Administrative
     - Personal information on file
     - Credit card data on file
     - What other exposures would we find?

  4. Mount Auburn Cemetery
     People
     - 51 full-time, 11 part-time, and 29 seasonal employees, ~50 volunteers…
     - WIDE range of computer skills
     Computer Environment
     - 70 Win XP workstations
     - 16 servers (12 are VMs)

  5. Two big challenges
     PCI DSS v1.2
     - Credit card acquirers charge $20/mo for non-compliance
     - Started impacting us in June, 2010
     201 CMR 17.00
     - Originally due for implementation Jan 1, 2009
     - Went into effect March 1, 2010
     - Could not do it ourselves
     - Got funding approval in an off year to bring in a consultant (unbudgeted)

  6. RFP
     - RFP to three vendors
       - Had certification in PCI DSS
       - Were more or less willing to take on a combined engagement
       - But who has expertise in a moving target?
     - Included SystemExperts after an SC online presentation.

  7. Deliverables
     - Gap analysis of multiple requirements
     - Policy workshop
     - External scan (in addition to those provided by CC acquirers)
     - Internal scan
     - Policy review of initial policies

  8. A big staff effort
     - Writing all those policies
     - Procedural changes: physical security, information handling, passwords
     - System configuration
     - Mandatory annual staff training

  9. Compliance
     - 201 CMR 17.00 – February, 2010
     - PCI DSS v1.2 – September, 2010

  10. To Do List
     - Increased documentation and daily work
     - New deadlines to meet (patching, etc.)
     - Unanticipated benefits
     - Policies still under revision
     - Enforcement
     - Perpetual training: PowerPoint + WINK = video on SharePoint

  11. Lessons Learned
     - Anticipate and budget for compliance: both your time and dollars
     - Don’t expect someone to write your policies for you
     - Online compliance sites for MA 201 CMR 17.00 at the low end, but does the customer understand what they are getting?

  12. References
     - Mount Auburn Cemetery: www.mountauburn.org
     - Rich Snow – rsnow@mountauburn.org
     - See Wikipedia for references and overview: 201 CMR 17.00, PCI DSS
     - www.mass.gov: compliance checklist, statute
     - SystemExperts: www.systemexperts.com
