The protection of customer information and data is under increasing scrutiny worldwide, and we consider the protection of member and stakeholder information and data to be paramount. With that, we began the development of a Chapter Information Security Program in 2019. We are evolving the program to include a documented set of information security policies, procedures, and guidelines relevant to chapters. We will continually partner with chapters to ensure the confidentiality, integrity, and availability of member and stakeholder data and information.
We have updated the chapter policy manual to include the chapter information security policy. You can access the latest version on the Volunteer Resource Center (VRC). Updates to this policy were informed by:
Our commitment to securing member and stakeholder data
Responses to the Chapter Information Security Questionnaire launched in 2019
The ever-evolving nature of information security best practices
Why is the Chapter Information Security Policy being updated?
The protection of customer data and information is under ever-increasing scrutiny, and it is paramount that we protect the privacy of our members. Protecting customers’ data is not just an obligation; in many nations, it is a legal requirement.
When is the policy effective?
The policy is effective immediately and is included in the chapter policy manual, available on the Volunteer Resource Center.
Will chapters be asked about their data security and data practices within the charter renewal document?
Chapters will not be asked about their data security practices within the charter renewal document. Each year, the chapter development department, in partnership with the IT security team, will determine whether all chapters will be required to complete a risk assessment, in which case chapters will be asked to attest to their security posture. Chapters will not be required to complete a risk assessment in 2020.
How will chapters be impacted if their responses to the assessment reveal evidence of high risk to customer and member data?
As PMI and chapters own a shared risk relative to the security of our customers’ information, we will partner with the chapter to identify opportunities to mitigate risks. In addition, we will continue to explore how to support chapters that may need assistance in mitigating risks and addressing gaps in inappropriate controls.
Will PMI provide chapters with guidance and resources to assist in mitigating risks associated with data security?
We will develop training resources and guidelines for chapter leaders based on needs. As data security is impacted by evolving risks and the emergence of new technologies, we will remain committed to providing chapters with training resources to protect customer information.
How will information security training resources be delivered?
The availability of resources will be announced to chapter leaders via PMInsight and they will be located on the Volunteer Resource Center.
What should chapters do if they have developed and approved their own policies on how data is secured and managed?
We strongly recommend that chapters develop and adopt their own information security policies. If your chapter already has policies in place and you have questions about inconsistencies with our policy, please reach out to your chapter partner or chapter administrator.
What is the role of the Chapter Security Point of Contact?
Our updated policy states that each chapter appoints someone to be the chapter’s point of contact on data security matters. Amongst other responsibilities, the point of contact will be responsible for the completion of the Information Security Risk Assessment or assisting in its completion. Chapters have the capacity to combine the security role with suitable existing chapter leadership roles such as Chapter President or VP of Information Technology.
If a chapter has experienced a suspected information security incident, who should the chapter contact at PMI?
If the chapter believes it has experienced a suspected security incident, the chapter should immediately contact its chapter partner. The chapter partner will notify the PMI IT security team, who will remain available to assist the chapter in the resolution of the incident.