ORGANIZATIONAL REQUIREMENTS
The “duty to protect” portion of the regulation comprises the organizational requirements. In short, the regulation requires the implementation of a security program that is shepherded by a designated person within the organization. The security program requirements are well defined within the regulation and consist of some very common sense approaches to information security that most organizations have hopefully already adopted. Again, the companies that will need to do the most work toward compliance are small and medium sized businesses that may not deal with personal information as their business, but do have employee personal information that needs to be protected.
TECHNOLOGICAL REQUIREMENTS
The remainder of the regulation comprises the technological requirements. Again, this may simply be a matter of enhancing the “common sense” technologies that most businesses have already implemented: firewalls (perimeter and endpoint), anti-malware protection (perimeter and endpoint), content filtering (web, email, IM), intrusion prevention, and patch management. Part of the key here is making sure that these technologies are kept up to date, refreshed on a regular basis, and documented. That leads me to two components that I don’t think many businesses are doing well: effective management, documentation, and reporting; and data encryption.
EFFECTIVE MANAGEMENT, DOCUMENTATION, AND REPORTING
The first is effective management, documentation, and reporting. Documentation and providing proof is essential when we talk about being in compliance. Effective management is critical in order to easily provide documentation and proof. We still talk to many organizations that don’t have central management for their anti-malware/end point protection, firewalls and network security, and patch and compliance management. If you can’t easily pull up a report on the status of these items, you really need to look into more effective management of these systems.
ENCRYPTION OF DATA IN TRANSPORT
The second and very critical component is data encryption. The regulation talks about this in two ways. The first is the encryption of data over public mediums (through the internet, and wireless!).
Most businesses have a good handle on encrypting data in transport; encryption over public networks is fairly standard today and a widely accepted best practice. SSL/TLS for web applications has become crucial and is widely used even internally to help protect user credentials as well as data. IPSEC and SSL virtual private networks are used frequently to establish connectivity across public mediums. Even wirelessly, many businesses are moving from WEP to WPA and adopting additional measures for greater wireless security. Email encryption still needs attention in most organizations, and many will need to look at email encryption to help protect personal information both internally and externally.
ENCRYPTION OF DATA AT REST
Where businesses need the most help is in the encryption of data at rest, particularly data at rest on portable devices. We’ve found that many businesses have increased the usage of laptops, cell phones, other PDAs, memory sticks, and other writeable media, but have not taken appropriate steps to secure those devices. If you look at the trends in data loss incidents you will see that the single largest percentage of incidents comes from lost or stolen portable devices, particularly laptops. In the past few years, endpoint encryption products have come a very long way in making the technology much easier to deploy and manage.
DATE FOR FULL COMPLIANCE IS JANUARY 1st 2010!
January 1st is only seven months away which makes right now the perfect time to begin assessing your organization against the new requirements and planning and implementing the changes that will be required. Overall, the regulation is a set of common sense security practices that don’t really push the boundary of reasonable protection. If you have a well established security program, you may find that you are already well prepared and may need to do little to comply. However, there are many organizations that will need significant improvements to their existing organization and infrastructure. Whether behind the curve, or ahead of it, GreenPages can set up a security assessment to ensure your organization is in compliance when January 1st, 2010 rolls around.
For a deep dive into the Massachusetts 201 CMR 17 Privacy Law, listen to GreenPages’ May webinar or call your GreenPages Account Manager at 800-989-2989.