Implementing MA 201 CMR 17.00 in a cultural institution… Richard Snow Director of Information Technology Mount Auburn Cemetery [email protected]


Page 1: Implementing MA 201 CMR 17.00 in a cultural institution…

Implementing MA 201 CMR 17.00 in a cultural institution…

Richard Snow
Director of Information Technology
Mount Auburn Cemetery
[email protected]

Page 2: Implementing MA 201 CMR 17.00 in a cultural institution…

Mount Auburn Cemetery

• National Historic Landmark
• Founded 1831
• 200,000 visitors annually
• 175 acres of green space
• Botanical garden, over 5,000 trees
• 650 burials annually
• Still selling new burial space

Page 3: Implementing MA 201 CMR 17.00 in a cultural institution…

Business Drivers

• Sales
• Fundraising
• Administrative

• Personal information on file
• Credit card data on file
• What other exposures would we find?

Page 4: Implementing MA 201 CMR 17.00 in a cultural institution…

Mount Auburn Cemetery

• People
  – 51 full-time, 11 part-time, and 29 seasonal employees, ~50 volunteers…
  – WIDE range of computer skills

• Computer environment
  – 70 Win XP workstations
  – 16 servers (12 are VMs)

Page 5: Implementing MA 201 CMR 17.00 in a cultural institution…

Two big challenges

• PCI DSS v1.2
  – Credit card acquirers charge $20/mo for non-compliance
  – Started impacting us in June, 2010

• 201 CMR 17.00
  – Originally due for implementation Jan 1, 2009
  – Went into effect March 1, 2010

• Could not do it ourselves
  – Got funding approval in an off year to bring in a consultant (unbudgeted)

Page 6: Implementing MA 201 CMR 17.00 in a cultural institution…

RFP

• RFP to three vendors
  – Had certification in PCI DSS
  – Were more or less willing to take on a combined engagement
  – But who has expertise in a moving target?

• Included SystemExperts after an SC online presentation.

Page 7: Implementing MA 201 CMR 17.00 in a cultural institution…

Deliverables

• Gap analysis of multiple requirements
• Policy workshop
• External scan
  – In addition to those provided by CC acquirers
• Internal scan
• Policy review of initial policies

Page 8: Implementing MA 201 CMR 17.00 in a cultural institution…

A big staff effort

• Writing all those policies
• Procedural changes
  – Physical security, information handling, passwords
  – System configuration
• Mandatory annual staff training

Page 9: Implementing MA 201 CMR 17.00 in a cultural institution…

Compliance

• 201 CMR 17.00 – February, 2010
• PCI DSS v1.2 – September, 2010

Page 10: Implementing MA 201 CMR 17.00 in a cultural institution…

To Do List

• Increased documentation and daily work
• New deadlines to meet (patching, etc.)
• Unanticipated benefits
• Policies still under revision
• Enforcement
• Perpetual training
  – PowerPoint + WINK = Video on SharePoint

Page 11: Implementing MA 201 CMR 17.00 in a cultural institution…

Lessons Learned

• Anticipate and budget for compliance
  – Both your time and dollars
• Don’t expect someone to write your policies for you
  – Online compliance sites for MA 201 CMR 17.00 at the low end
  – But does the customer understand what they are getting?

Page 12: Implementing MA 201 CMR 17.00 in a cultural institution…

References

• Mount Auburn Cemetery
  – www.mountauburn.org
• Rich Snow – [email protected]
• See Wikipedia for references and overview
  – 201 CMR 17.00
  – PCI DSS
• www.mass.gov
  – Compliance checklist
  – Statute
• SystemExperts – www.systemexperts.com