Monday, November 17, 2008

What is 201 CMR 17:00?

Question:
What is 201 CMR 17:00?

Answer:

201 CMR 17:00 is yet another bigger brother telling us to do the right thing…

The requirements simply enforce the security of Massachusetts residents’ personal information… You may presume that the data is already secure. Well, that is wrong; just listen to the complaints about the requirements.
If you have a business and you carry “personal information” about a Massachusetts resident, then you must take care of the requirements listed in 201 CMR 17:00.

The Office of Consumer Affairs and Business Regulation (OCABR) issued a comprehensive set of final (yes, it is always final :) regulations establishing standards for how businesses protect and store consumers’ personal information as of September 22, 2008. There is an executive order signed by Mass governor Deval L. Patrick related to this regulation; the irony is that it ends with “God Save the Commonwealth of Massachusetts”.


The 201 CMR 17:00 standard is related to M.G.L. c. 93H, because the "General Law Chapter 93H – Security Breaches" provides the enforcement leg of the regulation.

The implementation deadline is January 1, 2009, but an extension to May 2009 is highly expected. Companies will be required to conduct internal and external security reviews and complete employee training.


Of course, most of the technology associations and CPAs oppose the regulation. They all have their reasons (not enough time, slow investment, harsh economic times, etc.). The Mass CPA web site states that the compliance deadlines have been extended to May 1, 2009 (Jan 1, 2010 for 3rd party verifications and encryption). It is scary to know that the personal information stays “clear” until then.

So what is it? “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.”

Personal information is defined as follows: a resident’s first name and last name, or first initial and last name, in combination with one or more of the following data elements:
1. Social Security number
2. Driver's License number
3. Financial Account number (credit card, debit card)
4. Any means of access information for personal financial information
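The definition above is a two-part test (a name plus at least one sensitive element), which is exactly the logic a data-discovery or classification pass needs. The following is an added example, not code from the original post or from the regulation: it applies the definition to constructed structured records and reports which records must be treated as "personal information" and why. The field names, the SSN format rule, the Luhn check on account numbers and the sample records are all assumptions made for the illustration; it also goes slightly beyond the text by rejecting digit strings that are not plausible identifiers, so random numbers do not trigger false positives.

```python
"""Added example: data-discovery check for the 201 CMR 17:00 definition of
"personal information".  Record layout, field names and sample values are
constructed for this illustration and are not part of the regulation."""
import re

# Assumed identifier formats (not from the regulation): an SSN with the usual
# invalid area/group/serial ranges excluded, and a 13-19 digit card number.
SSN_RE = re.compile(r"^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_name(rec: dict) -> bool:
    """The definition needs a last name plus a first name or first initial."""
    last = (rec.get("last_name") or "").strip()
    first = (rec.get("first_name") or "").strip()   # a single initial counts
    return bool(last) and bool(first)


def data_elements(rec: dict) -> list:
    """Return the regulated data elements present in one record."""
    found = []
    if SSN_RE.match((rec.get("ssn") or "").strip()):
        found.append("ssn")
    if (rec.get("drivers_license") or "").strip():
        found.append("drivers_license")      # format not validated here
    card = re.sub(r"[ -]", "", rec.get("card_number") or "")
    if CARD_RE.match(card) and luhn_valid(card):
        found.append("financial_account")
    if rec.get("account_password") or rec.get("account_pin"):
        found.append("access_credential")    # "means of access" to finances
    return found


def is_personal_information(rec: dict) -> bool:
    """Name AND at least one data element: the two-part statutory test."""
    return has_name(rec) and bool(data_elements(rec))


def scan(records: list) -> list:
    """(index, elements) for every record that meets the definition."""
    return [(i, data_elements(r)) for i, r in enumerate(records)
            if is_personal_information(r)]


# Constructed sample records; values are well-known test or dummy numbers.
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "Ann", "last_name": "Lee", "card_number": "4111 1111 1111 1111"},
    {"first_name": "", "last_name": "Smith", "ssn": "078-05-1120"},   # no first name
    {"first_name": "Bob", "last_name": "Ray", "card_number": "1234567890123"},  # fails Luhn
    {"first_name": "Cara", "last_name": "Ng", "drivers_license": "S12345678",
     "account_pin": "4321"},
]

if __name__ == "__main__":
    for idx, elements in scan(SAMPLE_RECORDS):
        print(f"record {idx}: personal information ({', '.join(elements)})")
```

Records 0, 1 and 4 are flagged; record 2 is not, because a last name alone does not satisfy the definition, and record 3 is not, because its number fails the Luhn check and so is treated as noise rather than an account number. In a real review the same logic would be run over the actual data stores found during the asset inventory, with field mappings adjusted to each system.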

After a quick read, I came up with the following quick and dirty to-do list for the 201 CMR 17:00 requirements:

1. Verification of current information security management system or framework
2. Assessment of current asset inventory for customer owned systems
3. Assessment of current information security roles and workflow
4. Assessment of policy enforcement for existing policies
5. Verification of an information security risk management framework. Review of internal and external risk assessments
6. Assessment of risk mitigation plan
7. Assessment of options for employee awareness programs for information security
8. Delivery of required policies matrix
9. Assessment of current employee termination procedures. Verification of enforcement
10. Assessment of 3rd party business partners’ access to customer owned personal information. Cross-verification of 3rd party privacy policies
11. Assessment of workflow for personal information data collection. Verification of need-to-know principle
12. Assessment of access to personal information at customer facilities. Verification of need-to-know principle
13. Assessment of data classification for personal information at customer facilities
14. Assessment of access logging for personal information
15. Verification of annual audit plan for personal information
16. Assessment of incident management
17. Assessment of patch management
18. Assessment of desktop/server firewall agent management and enforcement
19. Assessment of encryption for all transmitted records and files containing personal information
20. Assessment of authentication and authorization controls for personal information
21. Assessment of unique identifiers for personal information access (e.g. usernames)
22. Assessment of account (password) management policy
23. Assessment of antivirus and malware policies, controls and enforcement

My recommendation is to follow a larger framework such as ISO 27001, since there will be more compliance requirements in the future. ISO 27001 covers almost all requirements of 201 CMR 17:00.



let me know if you have any questions,
- yinal

2 comments:

TCIPP.com said...

Below are my procedures to help you begin the development of the Computer Systems Security Portion of your Written Information Security Program (WISP), it starts with the Risk Assessment survey.

Some of you may have seen the below post from another group regarding 201 CMR 17. If you have, nothing’s changed...

I would start the process by asking some simple questions. Physically-where is the data kept and how do you protect it from unauthorized access? If it’s on paper or media like a CD or tapes how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has/needs access to it and who doesn’t need access to it? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?

Logically: if you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying what sensitive information you have, where you have it, and how you plan to protect it.

If the data is on a desktop or network what protective measures are in place? Do you use a firewall and antivirus protections? What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how are they using it?

After you complete all the tasks above, you have just completed your ADP risk assessment!

Now you implement the procedures necessary for identified risks based on industry best standards. Document as a policy the procedures for how staff members are to utilize ADP in their day-to-day operations. Train your staff on the procedures established and what’s expected of them, and don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.

Congratulations! You have just created one portion of your Written Information Security Program (WISP) under 201 CMR 17.00.

Bottom line is: if you don’t ask questions on how the protection process works, can you have any confidence that your business will survive even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you.

By properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and storage of unnecessary PI, which helps to protect your business.

If some or none of this makes any sense to some of you reading it, and you’d like to learn more on simplifying the compliance process, visit our website at www.TCIPP.com.

Hope this helps you get on the right road to compliance!

Regards,

Tom Considine, CIPP
Tom Considine & Associates
Information Privacy Professionals

Unknown said...

Great information on CMR 17 here:

http://www.free-press-release.com/news/200907/1248536366.html