Cybersecurity Policy

1. Purpose

The purpose of this policy is to establish standards and procedures to protect Crime Trackers Massachusetts (CTM) digital systems, data, and networks against unauthorized access, cyber threats, and data breaches. This ensures operational integrity, confidentiality, and compliance with applicable cybersecurity best practices.

2. Scope

This policy applies to:

  • All CTM personnel (full-time, part-time, and contract)
  • Operational volunteers with access to CTM systems
  • All IT systems, applications, databases, and networks used for organizational operations
  • Any device or account used to access CTM systems, including mobile and remote devices

3. Policy Statement

  • CTM personnel must adhere to cybersecurity best practices to protect organizational data and digital assets.
  • Multi-factor authentication, strong password protocols, encryption, and secure system access are mandatory.
  • Any suspected or confirmed cybersecurity incident must be reported immediately according to the Breach Response Plan.

4. Access Control & Authentication

  • All personnel must use unique user accounts; sharing of login credentials is strictly prohibited
  • Multi-Factor Authentication (MFA) is required for all system access where technically feasible
  • Access levels must follow the principle of least privilege, providing personnel only the access necessary for their role
  • Account termination or modification must occur immediately upon separation or role change

5. Password Standards

Personnel must:

  • Use passwords of at least 12 characters including uppercase, lowercase, numbers, and symbols
  • Change passwords every 90 days or as required by IT policies
  • Avoid using personal information or previously compromised passwords
  • Store passwords securely using approved password management tools

6. Data Protection & Encryption

  • All sensitive data must be encrypted in transit and at rest using approved encryption standards
  • Portable devices (laptops, external drives) must be encrypted and password-protected
  • Cloud storage and email communications must utilize organization-approved secure platforms

7. Device & Network Security

  • Use organization-provided devices whenever possible
  • Ensure all devices have updated antivirus, firewall, and security patches
  • Avoid connecting to unsecured public networks; use VPNs for remote access
  • Report lost or stolen devices immediately to supervisors or IT personnel

8. Cybersecurity Incident & Breach Response

A. Reporting

  • Report any suspected security breach, malware, phishing attempt, or unauthorized access immediately
  • Use secure channels to report incidents to supervisors or the designated IT/security officer

B. Response & Containment

  • IT personnel will investigate, contain, and remediate the incident
  • Personnel must cooperate fully and provide all requested information
  • All incident details are confidential until cleared for internal or external communication

C. Documentation & Review

  • Document all breaches or attempts, including source, method, and impact
  • Conduct post-incident reviews to improve protocols and prevent recurrence

9. Training

  • All personnel must complete mandatory cybersecurity training upon onboarding and annually thereafter
  • Training covers phishing awareness, secure system use, password management, and breach reporting
  • Refresher training or updates will be provided following new threats or system updates

10. Supervisor Responsibilities

  • Ensure personnel compliance with cybersecurity standards
  • Review access logs, monitor for unusual activity, and enforce policy adherence
  • Escalate incidents to executive leadership and IT/security teams as appropriate

11. Policy Review

  • This policy shall be reviewed annually or after a significant cyber incident
  • Updates must reflect current best practices, technology changes, and legal requirements
  • All personnel must acknowledge receipt and understanding of updates