MA 201 CMR STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Transcription

1 MA 201 CMR STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

2 Personal Information - Defined Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident s financial account;

3 Internal & External Threats 700,000+ MA residents compromised (>10% of population) 470 firms reported being breached 2/3 of breaches go unreported Internal Threats Abound FTC reports Identity Theft attacks over 10 million victims / yr costs $52+ billion / year Victims spend countless hours to repair damaged credit External Threats Viruses, Mal-ware, Hackers, Professional Cyber- Thieves, Vendors, improper firewall or Wireless AP s configuration or management, lost backups 88% of IT admins would steal critical data if they were laid off 59% admitted to stealing company data 67% used their former company's confidential information to leverage a new job

4 201CMR17 effects virtually everyone If you touch MA Resident Personal Data, you must comply No Organization is Exempt Industry sector, Size, Profit, Non-profit, Church, School, municipalities, in-state and out of state MA Regulation is Unique PCI --- SOX --- HIPAA --- SAS GLBA Compliance with other regulations does not mean you are 201CMR17 compliant Detailed Requirements Written Information Security Policies (WISP), Staff Training, Authentication & Access Controls, Data Encryption and Security Monitoring, Annual Reviews Vendor Due Diligence, Intrusion Detection APPLIES TO PAPER AND ELECTRONIC RECORDS

5 Non-compliance could be Expensive Major Fines $5,000 for each security failure $5,000 per violation to notify Lawsuits Civil lawsuits Class-action lawsuits New Federal Laws will make it easier for Civil Suits related to data loss Lost Revenues Customer blame firms that lose their data 80% of the time Insurance Standard Liability / E&O insurance won t pay costs

6 What is 201 CMR 17.00? Regulation created in Massachusetts under MA MGL 93H to answer the call for tighter controls of resident data Created out of concerns over identity theft and the fallout from well known breaches (TJX, Hannafords, Heartland, etc) Requires businesses to ensure the safekeeping of MA resident s data Requires notification if a breach occurs

7 201CMR Defined Requires businesses to implement policies, procedures, processes, and controls that apply to stored resident data Requires the Identification of MA resident data that needs protection Defines computer and record retention security requirements in order to comply with the law Requires creating secure access control

8 201CMR Defined Requires secure authentication controls Encryption of communications Defines requirements for ongoing monitoring of WISP program controls Anti-Virus and protection agents Employee training Defines requirements for proper disposal of MA resident personal data

9 Understanding the Process Perform in-depth risk assessment in order to identify deficiencies and needs Create WISP in order to define controls that meet regulation objectives Develop controls such as policies, processes, and procedures in order to support and maintain security objectives outlined in the WISP Remediate shortfalls in compliance with technology or additional policy development Monitor, maintain, and audit for ongoing effectiveness

10 Understanding the Process Copyright 2008 Peritus Security Partners, LLC. All rights reserved

11 Creating Compliance - The Process Copyright 2008 Peritus Security Partners, LLC. All rights reserved

12 The Compliance Process - Continued MA 201 CMR Copyright 2008 Peritus Security Partners, LLC. All rights reserved

13 The Compliance Process - Cont d MA 201 CMR 17.00

14 Achieving Compliance Summary After the Risk Assessment is completed organizations need to address the findings Create or refine WISP and the controls that are required by the regulations Create policies, processes and controls that meet the needs of the specific discovered deficiencies Define actionable items for remediation that includes technology and infrastructure Copyright 2008 Peritus Security Partners, LLC. All rights reserved

15 Using a framework to get compliant The regulation requires that you develop your WISP and policies using accepted industry standards ISO is an internationally accepted best practices framework for the development and management of information security programs MA used the ISO framework as the foundation for the creation of the regulatory guidelines Using the same ISO best practices framework for your own WISP development will allow you to be more consistent with the expectations of the state Helps create living documentation that is cost effective to maintain and applicable to future compliance efforts Copyright 2008 Peritus Security Partners, LLC. All rights reserved

16 Who Can Help? Qualified Information Security Professionals will hold key certifications such as CISA, CGEIT, or CISSP and will specialize in the creation of WISPs Have qualified legal counsel review your WISP Contact MA OCABR for clarification. DO NOT assume a computer guy is qualified to write a WISP or the policies, procedures and controls that are necessary for compliance. They can help with remediation but there s a big difference between technology and compliance.