{"id":568,"date":"2009-01-28T13:44:34","date_gmt":"2009-01-28T18:44:34","guid":{"rendered":"http:\/\/www.coresecuritypatterns.com\/blogs\/?p=568"},"modified":"2009-01-28T13:44:34","modified_gmt":"2009-01-28T18:44:34","slug":"massachusetts-201-cmr-1700-imposes-protection-of-personal-identity-information","status":"publish","type":"post","link":"https:\/\/websecuritypatterns.com\/blogs\/2009\/01\/28\/massachusetts-201-cmr-1700-imposes-protection-of-personal-identity-information\/","title":{"rendered":"Massachusetts 201 CMR 17.00 imposes &quot;Protection of Personal Identity Information&quot;."},"content":{"rendered":"<p>A month ago, I had a chance to meet with John Beveridge (Deputy State Auditor at the Office of the State Auditor<img loading=\"lazy\" decoding=\"async\" class=\"alignright\" src=\"http:\/\/www.e-referencedesk.com\/resources\/state-seal\/images\/massachusetts-seal.jpg\" alt=\"\" width=\"150\" height=\"150\" \/> of Massachusetts) at an <a href=\"http:\/\/www.isaca.org\" target=\"_blank\">ISACA<\/a> event in Boston. During a casual chat, he briefly mentioned the upcoming regulation &#8220;<a href=\"http:\/\/www.mass.gov\/?pageID=ocamodulechunk&amp;L=1&amp;L0=Home&amp;sid=Eoca&amp;b=terminalcontent&amp;f=idtheft_201cmr17&amp;csid=Eoca\" target=\"_blank\"><strong>Mass 201 CMR 17.00<\/strong><\/a> &#8211; Massachusetts Standards for Data Protection of Personal Information&#8221; and its compelling security requirements! With all curiosity&#8230; I had my first dig at <strong>Mass 201 CMR 17.00<\/strong> last week<strong>&#8230; it is the toughest data protection law<\/strong> so far (as a government initiative for preventing identity theft). I am quite amazed by the stringent rules this regulation imposes for protecting the personal identity information of Massachusetts residents. 
<em><strong>I am not a lawyer<\/strong><strong> or an auditor by profession<\/strong><\/em>&#8230; so here is my <em>layman's<\/em> interpretation of the regulation and the requirements it dictates for securing personal identity information.<\/p>\n<ul>\n<li><em><strong><span style=\"text-decoration: underline;\">Comprehensive Information Security Program<\/span><\/strong><\/em> mandates that <strong>ALL<\/strong> businesses that deal with personal identity information of Massachusetts residents (in paper or electronic form) maintain a written program documenting all security measures practiced to prevent unauthorized access and to ensure the confidentiality and integrity of that information.\n<ul>\n<li>Access control policies and rules for all employees who have access to identity information, with disciplinary action enforced against those who violate the rules.<\/li>\n<li>Upon employee termination, all physical and logical access privileges must be revoked immediately.<\/li>\n<li>Third-party service providers must comply with the information security program, and a binding contract is required before they are given access to personal information.<\/li>\n<li>Identification of media, including laptops and PDA devices, that store identity information, and written procedures detailing how physical access to those media is restricted.<\/li>\n<li>Regular monitoring to verify that the information security program is operating effectively in preventing unauthorized access, and upgrading of safeguards as necessary to minimize both internal and external risks.<\/li>\n<li>A review at least annually, and whenever a material change in business practices may affect the security or integrity of the information.<\/li>\n<li>Documentation of incidents, response actions, and post-incident review of events and actions taken.<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"text-decoration: underline;\"><em><strong>Secure User Authentication<\/strong><\/em><\/span>\n<ul>\n<li>Control of user identifiers and secure methods for selecting and assigning passwords.<\/li>\n<li>Use of authentication technologies such as token devices and biometrics.<\/li>\n<li>Restricting access to active users and active user accounts only.<\/li>\n<li>Blocking access to a user identifier after multiple unsuccessful access attempts.<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"text-decoration: underline;\"><em><strong>Data Encryption<\/strong><\/em><\/span> for personal information in transit and in storage.\n<ul>\n<li>Encryption of all records and files containing personal information that are stored on laptops or other portable devices, and of all such records transmitted across public networks or wirelessly.<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"text-decoration: underline;\"><em><strong>Firewall protection and operating system security patches<\/strong><\/em><\/span> must be kept reasonably up to date to maintain the integrity of personal identity information.<\/li>\n<li><span style=\"text-decoration: underline;\"><em><strong>Malware and virus protection<\/strong><\/em><\/span>, with patches and virus definitions updated on a regular basis.<\/li>\n<li><span style=\"text-decoration: underline;\"><em><strong>Education and employee awareness training<\/strong><\/em><\/span> on the information security program and its practices.<\/li>\n<\/ul>\n<p>The Mass 201 CMR 17 data protection requirements align well with the <a href=\"http:\/\/www.ftc.gov\/opa\/2008\/07\/redflagsfyi.shtm\" target=\"_blank\"><strong>Federal Trade Commission&#8217;s Red Flag rules<\/strong><\/a> on identity theft prevention. Some of these security practices have already been in use at many big companies addressing <a href=\"https:\/\/www.pcisecuritystandards.org\/\" target=\"_self\">PCI-DSS<\/a>, GLBA and HIPAA requirements. 
At the outset, this is a big business boost for security architects and consulting companies that provide information security and identity management infrastructure and solutions. This regulation was supposed to take effect on Jan 1, 2009; for some reason the deadline has now been extended to May 1, 2009. Not sure that helps everyone, but the compliance deadline is approaching and not far off!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A month ago, I had a chance to meet with John Beveridge (Deputy State Auditor at the Office of the State Auditor of Massachusetts) at an ISACA event in Boston. During a casual chat, he briefly mentioned the upcoming regulation &#8220;Mass 201 CMR 17.00 &#8211; Massachusetts Standards for Data Protection of Personal Information&#8221; and its compelling security requirements!&#8230; <a href=\"https:\/\/websecuritypatterns.com\/blogs\/2009\/01\/28\/massachusetts-201-cmr-1700-imposes-protection-of-personal-identity-information\/\">Read more 
&raquo;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2,17,5,6,8,9,11],"tags":[24,57,58,62,64],"class_list":["post-568","post","type-post","status-publish","format-standard","hentry","category-biometrics","category-database-security","category-identity-management","category-main","category-pki-main","category-security","category-smartcards-pki","tag-biometrics-main","tag-pki-main","tag-provisioning","tag-security","tag-smartcards"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts\/568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/comments?post=568"}],"version-history":[{"count":0,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/posts\/568\/revisions"}],"wp:attachment":[{"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/media?parent=568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/categories?post=568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/websecuritypatterns.com\/blogs\/wp-json\/wp\/v2\/tags?post=568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}