WRITTEN INFORMATION SECURITY PROGRAM (WISP)

Effective Date: May 1, 2025

Last Updated: May 1, 2025

  1. PURPOSE AND SCOPE

This Written Information Security Program (“WISP”) defines the security procedures of Frostin In Boston (“the Business”) to:

  • Ensure the security and confidentiality of customer and business information;
  • Protect against anticipated threats or hazards to the security or integrity of such information;
  • Protect against unauthorized access to or use of protected information that could result in substantial harm or inconvenience to customers; and
  • Comply with Massachusetts General Laws Chapter 93H and the regulations at 201 CMR 17.00.

This WISP applies to all operations of the Business, including online ordering systems, payment processing, and social media accounts.

  2. PROGRAM ADMINISTRATION

Security Coordinator

Liza Littenberg-Tobias, Owner and Manager of the Business, is designated as the Security Coordinator responsible for:

  • Implementation and maintenance of this WISP;
  • Regular testing of security measures;
  • Evaluating the WISP’s effectiveness;
  • Training personnel on security procedures; and
  • Responding to security incidents.

Contact Information:

Email: frostininboston@gmail.com

Phone: (617) 419-0624

  3. RISK ASSESSMENT

The Business has identified the following risks to customer information:

External Risks

  • Unauthorized access to the website ordering system
  • Data breaches of payment processors (Venmo, Wave, Stripe, Square)
  • Phishing attempts targeting business accounts
  • Malware and ransomware attacks

Internal Risks

  • Inadequate password security
  • Improper storage of customer information
  • Improper disposal of documents containing Personal Information*
  • Unauthorized access to business devices

The Security Coordinator will conduct risk assessments annually and after any security incident.

* In accordance with 201 CMR 17.02, “Personal Information” means a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

(a) Social Security number;

(b) driver’s license number or state-issued identification card number; or

(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

However, “Personal Information” shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.

  4. DATA COLLECTION AND STORAGE

Customer Information Collected

The Business collects the following information from customers:

  • Names
  • Email addresses
  • Shipping addresses
  • Payment information (processed through third-party providers)
  • Order history

Storage and Access

  • Customer information is stored in WordPress, Wave, Stripe, Square, and Venmo.
  • Access to systems containing Personal Information is limited to the Business owner.
  • If temporary contractors are granted access, it will be limited to the minimum necessary to perform their functions.

  5. SECURITY MEASURES

Computer System Security

  1. Authentication Controls
  • Secure, unique passwords (minimum 8 characters with complexity requirements)
  • Password changes at least annually
  • Password manager usage for secure storage of credentials
  2. Access Limitations
  • Limited access privileges based on business need
  • Immediate termination of access for any contractors upon completion of service
  3. Encryption
  • Secure transport encryption (SSL/TLS) for the business website
  • Full-disk encryption on all business devices
  • Encrypted transmission of all Personal Information
  4. Network Security
  • Secure, password-protected Wi-Fi with WPA3 encryption
  • Firewall enabled on all devices
  5. System Monitoring
  • Anti-malware software installed and regularly updated
  • System and security updates applied promptly
  • Regular monitoring of account access and activity

Payment Processing Security

  • All payment processing conducted through approved service providers (Venmo, Wave, Stripe, Square)
  • No storage of complete payment card information on business systems
  • Regular verification of PCI DSS compliance status of payment processors

Physical Security

  1. Physical Access Controls
  • Business devices stored in secure location when not in use
  • Screen locks enabled on all devices when not in active use
  • Limited access to physical spaces where sensitive information is discussed or stored
  2. Document Management
  • Physical documents with Personal Information stored in locked storage
  • Cross-cut shredding of documents containing Personal Information before disposal

Social Media Security

  • Unique, complex passwords for all social media accounts
  • Regular review of social media privacy settings
  • No posting of customer Personal Information

  6. THIRD-PARTY SERVICE PROVIDER OVERSIGHT

For each service provider with access to Personal Information, the Business:

  • Takes reasonable steps to verify providers maintain appropriate security measures;
  • Reviews privacy policies of service providers annually; and
  • Requires providers (through contracts or terms of service) to implement and maintain appropriate security measures.

Current approved service providers:

  • Website hosting: WordPress
  • Payment processors: Venmo, Wave, Stripe, Square

  7. EMPLOYEE TRAINING AND MANAGEMENT

The Security Coordinator ensures:

  • Security training upon hiring any contractors or employees;
  • Annual security refresher training;
  • Immediate training on any security policy changes; and
  • Distribution and acknowledgment of this WISP.

Training topics include:

  • Password management and authentication policies;
  • Recognizing and avoiding phishing attempts;
  • Proper handling of customer information; and
  • Incident reporting procedures.

  8. INCIDENT RESPONSE PLAN

Upon discovery of a security breach:

  1. Immediate Response
  • Contain the breach by isolating affected systems.
  • Document the breach details including timing, affected systems, and data.
  • Preserve evidence for later analysis.
  2. Investigation
  • Determine the source and extent of the breach.
  • Identify Personal Information that may have been accessed.
  • Document findings for regulatory reporting.
  3. Notification
  • Notify affected Massachusetts residents in accordance with Mass. Gen. Laws ch. 93H.
  • Notify the Massachusetts Attorney General’s Office and Office of Consumer Affairs and Business Regulation.
  • Notify payment processors or other relevant service providers.
  4. Remediation
  • Address vulnerabilities that led to the breach.
  • Implement additional security measures as needed.
  • Update the WISP based on lessons learned.
  5. Documentation
  • Maintain records of the incident and response.
  • Document any changes implemented as a result.

  9. MONITORING AND EVALUATION

The Security Coordinator will:

  • Conduct annual reviews of security controls;
  • Evaluate the effectiveness of the WISP annually; and
  • Update the WISP to reflect changes in technology, business operations, or regulatory requirements.

  10. ENFORCEMENT

Failure to comply with this WISP may result in:

  • Disciplinary action for any contractors or employees;
  • Termination of relationships with service providers; and/or
  • Legal action where appropriate.

  11. DOCUMENT RETENTION AND DESTRUCTION

  • Records containing Personal Information kept only as long as necessary for business purposes or as required by law
  • Secure destruction of records when no longer needed
  • Annual review of stored information to identify and securely destroy unnecessary records

APPROVAL

Liza Littenberg-Tobias, Owner

Frostin In Boston

Date: May 8, 2025