Posted on Mon, Nov 23, 2009
I know you. I've seen you at the department store fragrance counter the day before Valentine's Day. We've met in line at the post office on April 15, sometimes just before midnight, haven't we?
You're not a procrastinator; you're just like the rest of us: time-challenged.
Be that as it may, January 1, 2010 is coming. And, from Weymouth to Williamstown, and everywhere in between, the people of the Commonwealth of Massachusetts will expect you to be fully compliant with Mass 201 CMR 17, the legislative standards to which your enterprise will be held regarding the safeguarding of Massachusetts residents' personal information.
Make a List, Check It at Least Twice
The legislation itself is, as compliance dictates go, surprisingly simple.
Basically, Massachusetts wants you to follow industry-standard best practices for security and to have a solid plan in place in the event something malicious occurs with the consumer data you're charged with safeguarding while it's in your custody.
Mass 201 CMR 17 is itself a checklist of what's required of you and your enterprise.
Here's roughly what the law says and, better yet, what you need to do to make good come next January 1.
These are your "duties":
Put someone in charge of data security
If you don't already have someone fulfilling the role of chief information security officer, now's the time to fill that vacancy.
Risk management
Identify the internal and external risks to data security, confidentiality, and integrity. Make sure you have a training program to ensure employees are versed in compliance. Monitor employee compliance with policies. Upgrade systems as necessary. Store records in locked containers or facilities. Constantly work to improve detection, prevention, and responses to security threats.
Remember the home front
Got any telecommuters on your team? The way they access, handle, and transport sensitive data must be part of your overall security plan.
Justice served
Mass 201 CMR 17 requires that violators of your policy are disciplined for their actions.
Lock the gate behind them
Be sure employees who are separated from the organization no longer have access to secure data once they're gone.
The Partner Principle
Make sure third-party business partners have the means to meet compliance standards and are contractually obligated to do so.
Take only what you need
Keep the minimum amount of information necessary to serve your customers, nothing more.
Take stock
Keep an inventory of records and the devices storing those records.
Fact-check
You're required to routinely monitor the efficacy of your security program. Make sure your security practices actually work as planned.
Double-back
The new law requires, at a minimum, an annual review of your policy, or an earlier review if your business practices change substantively from what they were when you first implemented it.
Report cards
Document your responses to any security breaches and how your business practices will change to prevent similar occurrences in the future.
Your system needs:
Secure user authentication protocols including: control of user IDs and other identifiers; a secure means of selecting passwords with at least seven letters and numbers; password storage kept in a secure location, separate from the data those passwords protect; access restricted to active accounts only; and blocked access after multiple failed attempts to enter the system.
Secure access control measures including: restricted access to data, limited to those who need it; a unique identifier (not vendor supplied) in addition to passwords for those with computer access.
Encryption: No matter how it's transmitted, data must be encrypted.
Monitoring and review: Audit trails detailing access by users and non-authorized users, including success and failure of logins.
Review the reviewers: Periodic reviews of those auditing the user audits.
Firewall: Your enterprise needs a current, up-to-date firewall to prevent unauthorized users from gaining entry if your systems access the Web.
Up-to-date antivirus and antispyware: Your system must routinely update for virus definitions and software patches.
Records review: After a reported breach in security, records must be reviewed to determine whether or not the integrity of the data has been compromised.
Educate: Mass 201 CMR 17 requires you to educate your staff on the proper use of your security measures and the importance of computer security.
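To make the authentication and monitoring items above concrete, here is an added example (not code from this post or from the vendor) of a small login service that enforces a password rule, stores only salted password hashes apart from the protected data, refuses inactive accounts, locks an account after repeated failures, and writes an audit trail of every login success and failure. The lockout threshold of five attempts, the reading of "seven letters and numbers" as "at least seven characters containing both a letter and a digit", and the choice of PBKDF2 for hashing are all assumptions for illustration; the regulation text on this page fixes only the minimum length.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# 7 is the minimum length stated on this page; the lockout threshold is an
# assumed, site-configurable value.
MIN_PASSWORD_LENGTH = 7
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ROUNDS = 200_000


def password_meets_policy(password: str) -> bool:
    """Assumed reading of 'at least seven letters and numbers': length >= 7
    and at least one letter and one digit present."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthService:
    def __init__(self) -> None:
        # Credential store is deliberately a separate structure from any
        # customer-data store, mirroring "store passwords separately".
        self.credentials: Dict[str, dict] = {}
        self.failed: Dict[str, int] = {}      # consecutive failures per user
        self.locked: set = set()              # users blocked after too many failures
        self.audit_log: List[dict] = []       # every login attempt, success or failure

    def register(self, user_id: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.credentials[user_id] = {"salt": salt, "digest": digest, "active": True}

    def deactivate(self, user_id: str) -> None:
        """'Lock the gate behind them': a separated employee's account is
        switched off rather than deleted, so the audit trail keeps its history."""
        if user_id in self.credentials:
            self.credentials[user_id]["active"] = False

    def _record(self, user_id: str, outcome: str, reason: str) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "outcome": outcome,
            "reason": reason,
        })

    def login(self, user_id: str, password: str) -> bool:
        cred = self.credentials.get(user_id)
        if cred is None or not cred["active"]:
            self._record(user_id, "failure", "unknown or inactive account")
            return False
        if user_id in self.locked:
            self._record(user_id, "failure", "account locked")
            return False
        _, digest = hash_password(password, cred["salt"])
        if hmac.compare_digest(digest, cred["digest"]):
            self.failed[user_id] = 0
            self._record(user_id, "success", "ok")
            return True
        self.failed[user_id] = self.failed.get(user_id, 0) + 1
        if self.failed[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user_id)
            self._record(user_id, "failure", "bad password; account locked")
        else:
            self._record(user_id, "failure", "bad password")
        return False


if __name__ == "__main__":
    # Constructed walk-through: one good login, then enough bad ones to lock.
    svc = AuthService()
    svc.register("alice", "winter2009")
    print("good login:", svc.login("alice", "winter2009"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong1234")
    print("locked:", "alice" in svc.locked)
    for entry in svc.audit_log:
        print(entry["user"], entry["outcome"], entry["reason"])
```

The audit log is an in-memory list here; in practice it would go to append-only storage that the people doing the "review the reviewers" step can read but ordinary users cannot alter. Unlocking is intentionally left to an administrative action outside this class, so a lockout is not silently cleared by the next attempt.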
Put these measures in place and when those auditors show up at your door in the New Year, you can offer them the last of the eggnog and rest assured that your systems will pass inspection hands-down. Need help? Give us a call at 1-800-YES-TECH, Option 1 for help with compliance to this law.