201 CMR 17.00 – The 5 Things You Need to Do Right Now
As many of you are aware, the new Massachusetts Standards for the Protection of Personal information (201 CMR 17.00) will hit the books on January 1, 2010. The law establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts in both electronic and paper format. So even if you do not run your business in the Commonwealth you are still affected if you keep personal information about a resident of Massachusetts.
Personal information (PI) is defined here.
Here are the 5 things you need to do today to begin the process for compliance:
1. Read the Regulation (http://snipurl.com/ipfwi) and the 201 CMR 17 checklist (http://snipurl.com/201_cmr_checklist)
2. Roles and Responsibilities – Assign ownership for the overall security program within your organization. Next, elect a Security Council comprised of senior staff or management that are stakeholders in protecting personal (and other sensitive corporate) information. The Security Council facilitates consensus relative to the risks, impacts and priorities for compliance and will help with achieving (or changing) the security culture for your organization
3. Find the Personal Information (PI) – Through interviews with Business Managers, Data Owners and Subject Matter Experts. Additionally, the use of technology such as IdentityFinder can facilitate speedier PI discovery. Once discovered:
- Determine whether this data is still required and needed in the discovered location
- Do you need all the PI data or can you do without (do you still need your old customer’s credit card number)?
- Determine who requires mandatory access to the information and plan for the modification of your access lists to comply
- Ensure other safeguards are in place to protect this information (Physical access, firewalls, strong authentication/passwords, encryption). If not, budget and plan accordingly
4. Review your current Written Information Security Policies, if they exist, and plan for their update to include compliance. If they do not exist, develop a project plan to begin the development process. The larger the organization, the longer this will take for development and approval.
5. Determine if your Third-Parties, partners, consultants, etc. have access to PI and begin the process of discovering their protection mechanisms
Compliance doesn’t happen overnight. The sooner your company develops a strategy for 201 CMR 17.00 compliance the better your organization’s chances to meet the January 1, 2010 mandate. These safeguards not only make good business sense, they will soon be the law.
June 11th, 2009 at 1:49 am
An important segment of the data security procedure, which is often overlooked, is end-of-life data management procedures. It is not enough to reformat a storage device, use a ten pound sledge hammer, or depend on a recycler to manage the data destruction unless it is fully documented and meets the standards needed to ensure the data is unrecoverable.
There are three levels of data security dependent upon the sensitivity of the information:
Minimum level- Data erasure using a government certified overwrite software.
Maximum level without physical destruction of the device- Using a state-of-the-art data removal process which ensures that data recovery is impossible even forensically.
Maximum security level with physical destruction of the device- Entails data removal (see above methods) and physical destruction (shredding) of the device.
In all 3 levels of data destruction, having an audit trail, consisting of a printed report showing the date of the data eradication, the device part number and serial number and the individual who performed and certified the process, is critical.
July 25th, 2009 at 5:49 am
Compliance with 201 CMR 17 doesn’t have to be difficult or complex, it requires a plan of attack and a little bit of knowledge or training to accomplish your goals.
Below are my procedures to help you begin the development of the Computer Systems Security Portion of your Written Information Security Program (WISP), it starts with the Risk Assessment survey.
You should start the process by asking some simple questions.
Physically-where is the data kept and how do you protect it from unauthorized access? If it’s on paper or media like a CD or tapes how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has/needs access to it and who doesn’t need access to it? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?
Logically- If you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying; what sensitive information you have, where you have it, and how you plan to protect it.
If the data is on a desktop or network what protective measures are in place? Do you use a firewall and antivirus protections? What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how are they using it?
After you complete all the tasks above; you have just completed your ADP risk assessment! Now you implement the procedures necessary for identified risks based on industry best standards.
* Document as a policy the procedures how staff members are to utilize ADP in their day-to-day operations.
* Train your staff on the procedures established, and what’s expected of them, don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.
Congratulations! You have just created one portion of your Written Information Security Program (WISP).
Bottom line is; if you don’t ask questions on how the protection process works, can you have any confidence that your business will survive even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you.
Properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and storage of unnecessary PI which helps to protect your business.
Tom Considine, CIPP
Tom Considine & Associates
Information Privacy Professionals