THE MASSACHUSETTS DATA PROTECTION LAW

Transcription

1 2 Moving Trget 5 Identity Theft? 11 An Ounce of Prevention 18 Encrypt It or Else 25 Get Ahed to Sty Ahed THE MASSACHUSETTS DATA PROTECTION LAW Msschusetts businesses fcing down MA 201 CMR cn meet the chllenge with preprtion nd execution. A SEARCHCOMPLIANCE.COM/SEARCHSECURITY.COM E-BOOK

2 : MOVING TARGET Keeping up with the Msschusetts dt protection lw my be more difficult thn complying with it. BY SCOT PETERSEN AND KELLEY DAMORE REGULATORY COMPLIANCE cn be chllenging tsk for ny corportion, but it cn be prticulrly onerous if the regultion is moving trget. This is the cse of Msschusetts dt protection regultion 201 CMR 17.00, which seemed redy to go into effect Jn. 1, 2010 (lredy delyed once from My 2009 enforcement dte). Just few months go, this stte regultion ws positioned s gme chnger. It frmed dt privcy in wy tht forced orgniztions to tke steps to protect personl dt. Tody most stte privcy lws focus on notifying people of dt brech rther thn protecting the informtion in the first plce. MA 201 CMR ws proctive, rther thn rective, security. But due to the uncertin economy, costs ssocited with meeting the regultions nd complints from the public, businesses nd orgniztions, the Msschusetts Sente is now considering wekening the scope nd specifics of the regultion. The criticl issues of encryption, jurisdiction nd smll business needs re t the hert of the proposed chnges to 201 CMR 17.00, which put undo pressures on IT budgets nd personnel, critics hve chrged. The current regultions exceeded the intent of the legislture nd re very problemtic, sys Anne Doherty Johnson, executive director of trde ssocition TechAmeric New Englnd, t the My 12 Sente hering for the mendments. CLIMATE FOR CHANGE But in legisltively ggressive climte such s we re in now, with new security exploits being discovered 2 THE MASSACHUSETTS DATA PROTECTION LAW

3 : every dy nd dt brech disclosures such s those from The TJX Cos. nd Hertlnd Pyment Systems Inc., strict privcy nd dt protection lws from the stte nd federl levels In legisltively ggressive climte such s we re in now, with new security exploits being discovered every dy, strict privcy nd dt protection lws re inevitble. re inevitble. Simply stted, MA 201 CMR is good security prctice. So despite the ner-term uncertinty bout the prticulrs, the prudent move by corporte IT is to tke steps now to be redy for tough encryption nd policy sttements lter. As we outline in this e-book, joint effort of SerchComplince.com nd SerchSecurity.com, CIOs nd senior IT mngers ll the wy down to sole proprietorship with no IT stff need to be wre of coming regultions, the technology nd processes needed to secure privcy nd dt, nd the cost of noncomplince. In this issue, SerchComplince. com Associte Editor Alexnder B. Howrd detils the ltest news on the sttus of MA 201 CMR nd wht business leders, legisltors nd experts re sying bout it. In An Ounce of Prevention, Richrd E. Mckey outlines wht dt must be protected nd who must comply ccording to the regultion s it stnds tody. He lso offers suggestions on how to build written informtion security progrm, or WISP, nd n informtion security progrm. Right now, MA 201 CMR mndtes encryption. In Encrypt It or Else Lis Phifer nd Rich Mogull explin technology options for encrypting lptops, portble medi nd wireless devices. Mny orgniztions utilize these three types of solutions to protect confidentil informtion or meet other regultions, such s the Srbnes-Oxley Act. Finlly, in Get Ahed to Sty Ahed, Lind Tucci looks t how proctive security strtegy will help business meet inevitble complince regultions from stte nd federl legisltures. We hope this e-book will help guide your compnies decisions on how to prepre nd comply with Msschusetts 201 CMR Moreover, we hope tht the security nd privcy mndtes included in the regultion become prt of your overll security strtegy, regrdless of whether the Msschusetts Sente cuts bck on some of the more stringent requirements. It s the sfe nd secure thing to do. 3 THE MASSACHUSETTS DATA PROTECTION LAW

4 Frncis Bcon my hve stted tht OR COMPANY DISASTER? An Executive Whitepper - The Legl Risks of Customer nd Employee Dt Loss Identify the RISKS Understnd the LAW Execute the BEST PRACTICE Click Here to downlod your free whitepper For more informtion bout Becrypt visit or cll us (800)

5 : IDENTITY THEFT? Msschusetts tough dt protection regultion still hs not found its true self. BY ALEXANDER B. HOWARD BY NOW, MOST people hve herd bout, if not experienced, identity theft. Not nerly s mny hve herd bout Msschusetts identity theft nd dt protection lws nd regultions. The Msschusetts Office of Consumer Affirs nd Business Regultion hs received 516 dt brech notifictions in the pst 16 months, ffecting more thn 800,000 residents, ccording to Dvid Murry, OCABR s generl counsel. Ntionwide, Murry sys, 10 million Americns suffer identity theft nnully. And more thn 94 million credit crd holders were victims in the 2007 dt brech of one of Msschusetts lrgest businesses, The TJX Cos., in erly In response to these threts, Msschusetts encted security brech lw (M.G.L. Chpter 93H) tht went into effect in October The lw, lso known s the Msschusetts Identity Theft Lw, uthorized the cretion of specific regultions on dt protection nd privcy by OCABR. The result ws 201 CMR 17.00, dt protection regultion for citizens of the commonwelth tht will require businesses to crete nd mintin comprehensive written informtion security progrm tht describes in detil where personlly identifible informtion (PII) resides, how it is being trnsmitted nd wht steps re being tken to protect it. They lso must implement strong user uthentiction protocols, encrypt records nd files tht contin the personl informtion of residents nd restrict ccess to ctive users nd user ccounts. Orgniztions lso must ensure 5 THE MASSACHUSETTS DATA PROTECTION LAW

6 : resonble monitoring of systems so tht unuthorized use of or ccess to PII is detected nd implement resonbly up-to-dte firewlls nd security ptches to operting systems tht re connected to the Internet. Similrly, orgniztions must implement resonbly up-to-dte versions of ntivirus softwre tht includes mlwre protection, ptches nd virus definitions. Eduction nd trining of employees on the proper use of the security systems nd protocols must lso be demonstrted. In ddition, the sttute lso requires resonble stndrd of security preprtion nd response to dt breches. Despite the specificity of certin prts of the lw, some of the lnguge of how to enforce it is vgue: Wht is resonble response to dt brech, or resonble pproch to security preprtion? I think ll interprettion will be done with 20/20 hindsight bsed upon post-incident court outcomes, sys Seth Peter, chief technology officer t NetSPI Inc. Mny of the orgniztions outside of Msschusetts tht I ve spoken to do not even hve this on their rdr, even though they clerly fll under it with employment or credit crd records. The Msschusetts orgniztions I ve spoken to re wre of it but believe they re lredy in complince due to existing efforts ssocited with GLBA, HIPAA or PCI. I do think it will undoubtedly crete huge stir once the first significnt brech is tried ginst it. Adrin Lne, senior security strtegist t Securosis LLC, sys he likes tht there is no loophole for compnies tht hve brech, hd some prt of their dt processing or dt storge encrypted, but wide open security holes elsewhere. I like the fct tht they understnd tht mobile dt is super-set of dt in motion, nd tht lptops nd other portble devices tht move dt re considered t risk s well s network connections. The 201 CMR regultion ws originlly due to begin enforcement in My, but tht dte hs been moved to Jn. 1. (For more on wht is specificlly required by the regultions, see An Ounce of Prevention. ) NOT SO FAST Or mybe not. Stte officils were proud to sy tht 201 CMR ws the toughest such regultion in the country, but due to complints nd pushbck by businesses nd security experts, the Msschusetts Sente is debting Sente Bill 173 (SB 173), which seeks to mend the Identity Theft Lw to tke out some of the more stringent requirements, such s specific technologicl requirements nd stte jurisdiction, nd whether smll businesses should be mde exempt. Public herings nd debte round 6 THE MASSACHUSETTS DATA PROTECTION LAW

7 : SB 173 hve clled into doubt some of the specifics of the dt protection regultion but not the intent or desire by legisltures to require businesses to sfegurd PII of the residents of the commonwelth nd round the country. Peter sys he sees the lw s good strt becuse it specifies key progrm elements tht every compny from Fortune 100 down to smll business must consider when hndling personlly identifible informtion. Mick Kless, mnging prtner t Regultory Informtion Security Complince (R.I.S.C.) Assocites, sys, Informtion security officers, IT professionls nd consulting firms hve been telling the compnies for whom they work to do this for yers. But mny firms, even those tht re highly regulted, hve trditionlly tken wit-nd-see pproch since they cn t seem to find the ROI. Locking down USB ports, encrypting hrd drives nd encrypting mil tht contins sensitive dt is just too inconvenient for them. I sk them, Wht s your reputtionl risk worth? Whether or not the dt protection regultions re too tough depends on who is mking the judgment. Whtever protocols we put in plce hd to be cpble of being complied with by wide vriety of businesses, OCABR s Murry sys. The only wy to do tht ws to write minimum stndrd where the protections would be such tht the informtion protected would be tht which the sttute sid must be protected. In his ssessment, the lw requires rethinking of some stndrd business Informtion security officers, IT professionls nd consulting firms hve been telling the compnies for whom they work to do this for yers. MIKE KLESS, MANAGING PARTNER, R.I.S.C. ASSOCIATES principles: the bsis on which we decide how much personl informtion we wnt to collect, why we wnt to collect it, nd who gets ccess to it. Murry notes tht the estimted cost of dt brech is mesured t $200 for ech stolen customer record. But others re not sure the sttutes would necessrily represent the minimum security preprtions tht would be fmilir to ny informtion security professionl. Stte Sente Chirmn Michel Morrissey, who sponsored the SB 173 mendment, sid in the hering tht the dt protection regultion from OCABR went beyond its intent, s it extended jurisdiction beyond stte borders nd included specific technicl requirements. 7 THE MASSACHUSETTS DATA PROTECTION LAW

8 : STATE JURISDICTION IN QUESTION In fct, some experts sy the problems with the Msschusetts regultions strted in 2003, with Cliforni s lndmrk dt brech notifiction lw, SB The groundswell strted by SB 1386 hs gotten little out of control, sys Jim Hietl, reserch director nd principl t Complince Reserch Group. And to the extent tht ech new stte regultion hs prescriptive controls tht re little different, or hve different notifiction requirements, it s hrd for those responsible for security nd privcy t n orgniztion to ctully be in complince. Pity the poor CIO/CISO/CPO tht hs to sk, Let s see, we lost lptop with PII on it, with informtion on customers from ll 50 sttes, but the dt s encrypted. Who do we hve to notify? ENFORCEMENT ISSUES When it comes to enforcement, more questions surfce. The OCABR is moving forwrd with 201 CMR s it is currently constituted. Our regultions were promulgted pursunt to enbling legisltion tht ws pssed in 2007, sys Brbr Anthony, recently ppointed the new undersecretry for OCABR, in sttement. This new legisltive proposl differs from the enbling legisltion which guided our efforts. We do not hve n officil comment on the new legisltion t this time except to sy tht it does not contin the sme scope of consumer protections tht our enbling legisltion does. R.I.S.C. Assocites Kless sys he would love to her how the regultors pln to enforce it for those outside the bnking sector, which t lest mkes strong effort to comply nd do the right thing. Kless notes tht this legisltion goes hnd in hnd with the Red Flgs identity theft prevention rule. After deeper look, it ws determined tht there were more thn 10 million businesses throughout the country tht would need to be exmined, which is nerly 10 million more thn the number of exminers in the field to ssess them. As result, the tendency is tht compnies get udited only if there is n ctul brech, where the holes in security would be found fter the fct. Lck of complince ppers to be met with resonble punishments, but will this only be enforced s breches re reported? If so, then the lws re destined to fil before they re implemented, sys Tyler Reguly, Toronto-bsed security prctitioner t ncircle Network Security Inc. Reguly sys he s 100% confident tht the distinction between SMB nd the enterprise is required, s is the bility for federl lws such s HIPAA to still pply. After ll, you cn t expect SMB to spend the money on securi- 8 THE MASSACHUSETTS DATA PROTECTION LAW

9 : ty tht n enterprise is ble to spend. One of the most interesting spects of the bill is the removl of the requirement for specific encryption technologies. The requirement still exists tht the dt be protected, nd I m not sure which other technologies cn fill tht criteri, Reguly sys. The first time compny hs brech nd isn t using encryption it will be interesting to see how they explin it nd if tht explntion is ccepted. WHAT IS TO BE DONE? Despite the questions nd doubts surrounding the regultions, no one doubts the need for dt protection nd privcy regultions. The guidelines just need to be more relistic, experts sy, nd perhps some sttes will begin to look to pending federl legisltion for more resonble solutions. The originl [Msschusetts] dt protection legisltion probbly overreched for stte, nd I understnd the pushbck from SMBs. Enforcement ws gp s well, Hietl sys. I think the sttes tend to get into trouble when they try to get too prescriptive; the Nevd lw is good exmple of poorly written lw tht hd good intent. The thing I her from customer orgniztions is tht the prolifertion of lws nd regultions impcting security nd privcy hs creted n bsolute qugmire for them, nd to the extent tht individul sttes get deeply prescriptive bout the controls they need to use, it gets worse. There s n obvious need for federl lw. Until then, it s still good security prctice to get in line with encryption nd other sfegurds, to protect now nd be redy if nd when federl lws pper. Securosis Lne sys, Hertlnd s lck of end-to-end encryption ws bit of wke-up cll, especilly those tht rely upon third-prty processors in the chin. We were bound to see something go beyond pure disclosure nd strt specifying some bsic security principles without mndting specific technologies or implementtion strtegies. Sooner or lter there will be ntionl version of this, or nother stte s, disclosure lws, Lne sys. We re just not there. Ed Moyle, mnger with Computer Tsk Group Inc. s informtion security solutions prctice nd founding prtner of SecurityCurve, wrote on SerchSecurity.com tht, It s possible tht mny orgniztions will find implementing the mndtes of the lw cross the bord to be the pth of lest resistnce. As such, sitting up nd tking notice of this lw now is pretty good ide. (See Encrypt it or else ) Alexnder B. Howrd is n ssocite editor for SerchComplince.com. Write to him t howrd@techtrget.com. 9 THE MASSACHUSETTS DATA PROTECTION LAW

10

11 : Next yer, Msschusetts will enct potentilly demnding dt privcy lw. Here s wht the lw requires nd wht you cn do tody to meet the regultion. BY RICHARD E. MACKEY DURING ANY GIVEN week, compny X discloses tht it hs been breched. In fct, this yer lone more thn 100 compnies the likes of Merrill Lynch, Pepsi nd Monster.com, mong others hve disclosed tht personl informtion hd been compromised. As result, new dt protection nd identity lws re tking different pproch to protecting sensitive informtion. While certinly not cure-ll, tody s new lws re focusing on prevention rther thn notifiction. Insted of legislting rective dt lws requiring compnies to notify customers fter dt hs been compromised, these new regultions re mndting technologies nd policies in hopes of preventing brech in the first plce. Msschusetts 201 CMR is such n exmple. This regultion, set to go into effect in Jnury, requires ll businesses tht re entrusted with personlly identifible informtion by Msschusetts residents to tke set of prescribed steps to protect tht dt. While the lw tkes dt privcy regultions to new level, it lso forces orgniztions to tke some mesures tht re just generlly good security prctice. Here s wht you need to know bout the lw nd wht you cn do to meet the requirements nd the pending dedline. WHAT INFORMATION MUST BE PROTECTED? The 201 CMR regultion defines the informtion tht needs to be protected s: 11 THE MASSACHUSETTS DATA PROTECTION LAW

12 : Personl informtion, Msschusetts resident's first nme nd lst nme or first initil nd lst nme in combintion with ny one or more of the following dt elements tht relte to such resident: () Socil Security number; (b) driver's license number or stteissued identifiction crd number; or (c) finncil ccount number, or credit or debit crd number, with or without ny required security code, ccess code, personl identifiction number or pssword, tht would permit ccess to resident s finncil ccount; provided, however, tht Personl informtion shll not include informtion tht is lwfully obtined from publicly vilble informtion, or from federl, stte or locl government records lwfully mde vilble to the generl public. WHO IS AFFECTED? The requirements of the lw pply to persons (or orgniztions) tht own, license, store or mintin personl informtion bout resident of the commonwelth of Msschusetts. There is no concept of covered entity like there is in the Helth Insurnce Portbility nd Accountbility Act (HIPAA) or clerly defined set of orgniztions required to comply, like there is in the Federl Trde Commission s Red Flg rules. For those unfmilir with those regultions, they distinguish the orgniztions tht re directly entrusted with the sensitive informtion from those tht hndle the dt on behlf of those orgniztions. In the cse of HIPAA, hospitl would be covered entity, while service provider tht stored or processed the informtion would be considered business ssocite. In HIPAA, the lw pplies to only the covered entity. Covered entities re responsible for mnging nd policing their service providers or business ssocites. Under the Msschusetts lw, ny orgniztion, whether intercting directly or indirectly with Msschusetts resident informtion, is fully responsible to comply with the regultion. Under the Msschusetts lw, ny orgniztion, whether intercting directly or indirectly with Msschusetts resident informtion, is fully responsible to comply with the regultion. This difference is significnt. It ppers to men tht ny compny with personl identifying informtion cn be prosecuted directly for brech rther thn just the orgniztion directly entrusted with the 12 THE MASSACHUSETTS DATA PROTECTION LAW

13 : informtion. The lck of covered entity concept mkes it pper s if service provider could be leglly ssiled by ll ffected prties rther thn just the compny tht contrcted the service. There does not pper to be wy to reduce libility. WHAT DOES COMPLIANCE MEAN? The regultion requires orgniztions to sfegurd personl informtion in both pper nd electronic form ginst nticipted threts to the confidentility or integrity of the informtion. Wht s more, the regultion protects ginst the unuthorized ccess or use of the dt tht my led to frud or identity theft. While the intent of the lw is firly strightforwrd, the regultion goes on to specify number of requirements tht some orgniztions, prticulrly smll ones, might not hve in plce. For exmple, orgniztions need to crete nd mintin comprehensive written informtion security progrm (WISP) to secure the records contining Msschusetts residents personl informtion. Complince with this requirement is supposed to tke into ccount the size nd resources of the business, the mount of informtion mnged nd the security requirements of the informtion. The controls estblished need to be consistent with industry best prctice nd with controls specified by other The regultion requires orgniztions to sfegurd personl informtion in both pper nd electronic form ginst 'nticipted threts' to the confidentility or integrity of the informtion. federl nd stte regultions. Further, the WISP needs to include 12 items: A designted person or group responsible for mnging the security progrm. A method for identifying, ssessing nd treting risks. A method for improving effectiveness of security controls. Security policies regrding the mngement of personl informtion. A policy nd procedure for disciplinry ction in the event of policy infringement. A relible method of terminting ccess when employees leve or re fired. A methodology to verify tht third-prty service providers will tke dequte steps to secure the personl informtion entrusted to them. 13 THE MASSACHUSETTS DATA PROTECTION LAW

14 : A prctice of limiting the collection nd storge of personl informtion to wht is required. A prctice of identifying ll physicl ssets contining personl informtion to ensure they will be treted with due cre. Regulr monitoring of the security progrm nd t lest nnul ssessment of its effectiveness. Review of incidents, the orgniztion s response ctivities nd ny corrective ctions tken. Institution of security eduction nd trining progrm for employees. If you re cquinted with the ISO series of security stndrds, this list should look fmilir. Virtully every one of the controls is included in those stndrds. Unfortuntely, it is unlikely tht midsized or smller compny would be fmilir with these stndrds nd, more importntly, hve nything resembling written progrm including ll these elements. In ddition to the progrm requirements, the regultion describes the following computer system security requirements designed to implement the policies included in the WISP: Secure uthentiction protocols, good identity mngement prctices, strong psswords nd utomtic lockout on multiple filed logins. Secure ccess mngement tht ensures tht only pproprite people gin ccess to protected informtion. Encryption of ll personl informtion tht trvels cross public networks or on wireless networks. Monitoring of systems for unuthorized ccess. Encryption of ll personl informtion stored on lptops or other portble devices. Up-to-dte (ptched) firewll nd operting systems for ll systems contining personl informtion connected to the Internet. WHAT DO ORGANIZATIONS NEED TO DO? All orgniztions need to step through process to understnd wht they need to protect, wht systems ffect tht informtion, the risks to the informtion nd systems nd the controls they should deploy to mitigte the risk. This process is described in ISO 27001, but it my seem too Drconin for mny orgniztions to dopt. Furthermore, while developing forml security progrm my be nturl prt of lrger orgniztions, smller ones my find the process dunting. In short form, if compny hs very little in the wy of security progrm, it should follow this pth: 1. Appoint responsible prty to led the security progrm. This person should hve some IT knowledge nd n understnding of the informtion the orgniztion hs. 14 THE MASSACHUSETTS DATA PROTECTION LAW

15 : 2. Identify the ssets in other words, identify the personl informtion tht is in your possession nd where it is. If possible, isolte it to mke controlling ccess to the informtion s esy s possible. 3. Anlyze the risk consider the mgnitude of risk ssocited with the vrious forms of informtion including where the informtion is stored, who hs ccess to it, wht skills n ttcker would need to compromise it, the vlue it might hve to the TECHNOLOGY REQUIREMENTS MUST-HAVE TECHNOLOGIES: q Lptop encryption q Portble device encryption q Firewlls q Antivirus softwre q Ptch mngement softwre q Authentiction system tht supports lockout fter multiple filures. NOT REQUIRED, BUT USEFUL: q Monitoring softwre to help nlyze logs nd system use. q Intrusion detection systems q Identity mngement softwre q Vulnerbility mngement ttcker nd the controls tht might impede the ttck. This prctice my be beyond the rech of mny non-it orgniztions, so it could be reson to seek professionl help. 4. If you don t hve them, drft policies regrding who should hve ccess to the informtion nd ensure tht the ccounts tht exist on your systems nd the ccess to pper files mtch tht policy. 5. Estblish tight controls over ccount cretion on ll your systems, disbling those for nyone who doesn t need one (or hs left the compny). 6. Estblish regulr process of reviewing ccounts nd ccess controls. 7. Inspect your technology to ensure tht you hve strong psswords, good virus protection nd encryption of dt on portble devices nd dt trnsmitted over the Internet. 8. Ensure tht employees know the importnce of security of personl informtion to the business nd their role in protecting it. You cn do this by drfting security guide or mnul tht describes the importnce of protecting physicl security of records, keeping psswords secret nd following the other policies you hve defined. Reinforce this documenttion with regulr trining. 15 THE MASSACHUSETTS DATA PROTECTION LAW

16 » RISK MANAGEMENT: THE RIGHT BALANCE 9. Drft procedure for responding to incidents like informtion lekge, virus infections nd ny other security compromise. This could men clling in IT support personnel to help sort out the problem, but it's criticl to outline the steps leding to bringing in outside help. 10. Mke sure systems re configured to lock out users fter multiple filed login ttempts 11. Estblish process for monitoring who logged in to systems storing personl dt with specific provisions for identifying unuthorized ccess. 12. Ensure tht ll systems with personl dt on them re protected by firewll nd re running up-todte softwre. 13. Identify ll externl prties with whom you shre personl informtion. Their tretment of the dt is criticl to your complince. Ask ech of them for some evidence tht they comply with the requirements of the lw. If possible, void exposing the dt to them to bypss the problem ltogether. These steps describe ctivities tht ll compnies should follow to ensure tht their sensitive dt is protected. Unfortuntely, some orgniztions my not hve the IT stff nd the security skill to tke these tsks on, but this should not be reson to ignore the problem. The most importnt step is to tke the time to think bout your dt nd to know where it is stored nd who hs ccess to it. The better contined the informtion is, the esier the IT problems become. The rest of the steps cn be done with the help of IT contrctors. Lrger orgniztions fce different problem. While they my hve the IT stff, mny will not hve the forml, documented security policies nd procedures tht would meet the requirement of WISP. Further, they my not hve estblished the kinds of orgniztionl roles, service provider mngement processes, monitoring nd incident response procedures for which the regultion clls. These compnies simply hve to bite the bullet nd do wht it tkes to comply. If you tke more globl view, the steps you tke to ddress these requirements should improve your overll security pproch. After ll, it pys to recognize tht this lw is likely the first of long line of stte nd federl lws tht will require the sme types of controls. Richrd E. Mckey, vice president, SystemExperts Corp., ISACA/CISM, is leding uthority on enterprise security rchitecture nd complince. Before joining SystemExperts, Mckey ws director of collbortive development for The Open Group (the merger of the Open Softwre Foundtion nd X/ Open). Prior to the merger, he ws technicl led of the OSF Distributed Computing Environment project. 16 THE MASSACHUSETTS DATA PROTECTION LAW

17 Reduce Your Insider Risk Appliction for FIPS Certifiction In Progress Enforce Removble Medi Policy Proctive Mlwre Protection Lern how to effectively protect your vitl informtion by going to our resource center t DATA PROTECTION: The cost of mobility is high. Unmnged removble devices, like USB sticks nd PDA s, put your dt t risk through dt lekge nd mlwre introduction. Lumension Dt Protection gives you the power to enble the secure use of these devices letting you run your business effectively while protecting your dt on the go. Vulnerbility Mngement Endpoint Protection Dt Protection Reporting nd Complince

18 : OR ELSE... Like PCI, MA 201 CMR is mndting encryption. Here re some pproches you cn tke. BY LISA PHIFER AND RICH MOGULL IN ITS CURRENT form, the new Msschusetts dt privcy lw, 201 CMR 17.00, mndtes dt protection by wy of encryption. Specificlly, the lw sttes tht ny firm conducting business with stte residents needs to protect personlly identifible informtion, which includes person s nme long with his Socil Security number, bnk ccount number or credit crd number, nd the informtion must be encrypted when stored on portble devices or trnsmitted wirelessly on public networks. Encryption of personl informtion on portble devices such s lptops, personl digitl ssistnts (PDAs) nd flsh drives must lso be completed by Jn. 1, ccording to the Msschusetts Office of Consumer Affirs nd Business Regultion. We ll explin the options you cn put in plce to meet the regultion. LAPTOP ENCRYPTION OPTIONS File nd folder encryption: To meet these demnds, most businesses will choose IT-dministered stored dt protection, bsed on file/folder encryption, full-disk encryption or some combintion thereof. File/folder encryption is lso selective but encrypts files utomticlly, bsed on defined ttributes like file loction (e.g., folder), file type (e.g., spredsheets) or source ppliction (e.g., everything Excel touches). For exmple, the Windows Encrypting File System (EFS) is Microsoft s bsic file/folder encryption tool. It cn be centrlly ctivted by using Active Directory Group Policy Objects (GPOs) to encrypt specified files or folders. However, EFS still relies on sensitive dt being written into protected loctions nd cnnot stop users from copying encrypted 18 THE MASSACHUSETTS DATA PROTECTION LAW

19 : OR ELSE... files to unencrypted loctions (e.g., thumb drives). More sophisticted file/folder encryption products do more. For exmple, some offer stronger policies tht mke dt lekge less likely, provide reports tht document complince fter lptop goes missing nd cn pply consistent encryption pltform nd policy to heterogeneous devices, e.g., PCs, PDAs nd removble storge. Full-disk encryption: For generlpurpose computers, the other populr pproch is to simply encrypt everything stored on physicl disk or logicl volume. The gol is to ensure tht nothing is ever written to storge without being encrypted. Tht includes not only sensitive user dt, but lso ppliction nd operting system files. An exmple of volume encryption is the BitLocker feture in Windows Vist. It divides PC s boot drive into n unencrypted boot volume nd n encrypted operting system volume, which is unlocked nd verified t boot time using Trusted Pltform Module chip, USB key or recovery pssphrse. But dt written to non-os volumes is still unprotected, lthough it cn optionlly be encrypted using EFS. More comprehensive full-disk encryption (FDE) scrmbles the entire hrd drive s contents, including boot sectors, swp files, OS files nd user dt. Authentiction, encryption, provisioning nd reporting cpbilities vry, but enterprise FDE products offer fetures like Windows single sign-on nd centrl logging for security udit nd complince reporting. Compring lterntives: The min wekness of file/folder encryption is the possibility of dt lekge. So why doesn t everyone use full-disk encryption? For strters, encrypting n entire disk cn tke hours not including the time required to mke full system bckup first. Therefter, ll dt will be encrypted on the fly, slowing overll system performnce to some (not necessrily noticeble) degree. Some FDE pre-boot uthentiction methods interfere with other progrms tht my lso be used on the protected system, from sset-trcking products to sign-on processes tht modify the Windows grphicl identifiction nd uthentiction librry. Moreover, desktop dministrtion, ptching nd uditing tools nd prctices my be ffected, since they cnnot unlock encrypted system files without the user s credentils. If protected system is corrupted or dmged, dt recovery cn be similrly ffected. Finlly, when routine bckups re creted, it s wise to encrypt those, too. Combining methods cn enble n orgniztion to obtin the best of both worlds. For exmple, use file/ folder encryption on less cpble devices like PDAs, while pplying FDE 19 THE MASSACHUSETTS DATA PROTECTION LAW

20 : OR ELSE... to lptops. Applying both methods to the sme device might seem like overkill, but it is vible option prticulrly for mobile users who crry regulted dt. FDE offers foolproof protection ginst device loss or theft, while file/folder encryption cn protect sensitive user dt without obscuring files tht IT requires to perform mintennce nd recovery tsks. Of course, the decision will lso be influenced by workforce size nd budget, privcy needs, risk tolernce nd compny politics. PORTABLE MEDIA PROTECTION While it s firly strightforwrd to protect lptop using full-disk encryption, portble medi presents more chllenges. Mobile employees often hve legitimte need to use such devices to trnsfer dt, even sensitive dt, while on the rod. At one time specilized hrdwre ws considered for this tsk, but prices hve dropped so much tht even gigbyte thumb drives re routinely hnded out for free on conference floors, nd it s hrd to find lptop without CD or DVD burner included s stndrd. Although there re still few orgniztions sending techs out rmed with hot glue guns to gum up the USB ports nd red-only CD drives on their client mchines, most enterprises rely on slew of softwre options to mnge these potentil lek points. Let s review few of them below: 1. On Windows XP nd Vist, group policy objects cn be used to restrict device instlltion. Vist offers more grnulr policies thn XP, but devices lredy instlled by the user my still be ccessible depending on how the GPO is configured. This option is free, but it is not s flexible s lterntives, nd it my not offer s much security. 2. A vriety of third-prty softwre tools cn restrict ccess to portble storge, including CD-ROM nd USB devices. Policies cn be extremely grnulr, llowing ccess to only corporte-pproved devices, or llowing red-only connections to digitl cmers nd music lyers while still preventing outbound dt trnsfers. Most tools support rolend system-bsed policies, llowing restrictions for different user nd computer groups (e.g., completely disbling write ccess for desktops, while llowing it for executive lptops). 3. Third-prty softwre cn block or udit ccess to portble storge. Policies cn llow ccess while keeping secure copy of the files, which re then sent to the mngement server the next time the lptop connects to the corporte network. An dministrtor cn then review the 20 THE MASSACHUSETTS DATA PROTECTION LAW

21 : OR ELSE... ctivity, including the contents of the file, to see if it complies with policy. 4. Encryption softwre cn be used for optionl or mndtory encryption of dt on portble storge. Users cn choose (depending on policy) between corporte nd group keys, or self-decrypting rchives with pssword protection for trnsfer to prtners not using the sme encryption softwre. Some tools cn pply policies bsed on user, group, system or even storge device. 5. Dedicted USB devices cn be tied to centrl policies. This is probbly the most expensive option, nd such devices don t offer mteril security benefits over softwre solutions. 6. Dt loss prevention (DLP) products with endpoint protection cn be used. These tools cn pply dynmic policies bsed on detected content. For exmple, file with credit crd numbers cn be restricted, while PowerPoint presenttion with no sensitive content cn be trnsferred. The best tools use deep content nlysis to protect not only esily recognizble dt like credit crd nd ccount numbers, but lso less structured dt like portions of protected documents. Some tools include or prtner for encryption. DLP is the most flexible option, nd ll tools will eventully hve to include contentbsed cpbilities. They re more complex to define policies for, however, nd mturity levels vry gretly. Enterprises hve wide vriety of options, from simply blocking devices to rel-time content-bsed policies tied to dynmic encryption. The best option for your orgniztion will depend on your specific needs, user tolernce, budget nd existing infrstructure. WIRELESS ENCRYPTION Wi-Fi Protected Access (WPA) hs been stndrd technology on ll wireless equipment. WPA nd WPA2- Enterprise provide robust WLAN ccess control, but deploying 802.1X cn be overwhelming for compnies with limited IT stff nd budget Outsource 802.1X services: WPA nd WPA2-Enterprise use the 802.1X port ccess control frmework to uthenticte wireless users. This frmework pirs with uthentiction servers commonly found in corporte networks, like RADIUS servers, Windows Active Directories, RSA SecurID Authentiction Mngers nd Certificte Authorities. Compnies tht do not hve n uthentiction server nd prefer not to instll one cn outsource this component to third prty like BoxedWireless or WiFiRdis. These providers offer mnged Wi-Fi uthentiction services. Insted 21 THE MASSACHUSETTS DATA PROTECTION LAW

22 : OR ELSE... of consulting your own locl RADIUS server, your ccess points (APs) forwrd 802.1X / Protected Extensible Authentiction Protocol (PEAP) messges through Trnsport Lyer Security (TLS) tunnel, cross the Internet, to the provider s RADIUS server. Tht server vlidtes the sttion s identity nd pssword before grnting or denying ccess to your WLAN. Usernmes cn be dded to nd removed from your ccount through n dministrtor Web portl. These services differ in detil for exmple, BoxedWireless supports both EAP-TLS nd PEAP/MSCHAP v2, while WiFiRdis supports only the ltter. BoxedWireless is commercil service, while WiFiRdis is free. Either wy, bsic setup is esy. By outsourcing 802.1X services, you cn chieve enterprise security with little more effort thn it tkes to configure personl pre-shred secrets. However, ber in mind tht these services re intended to fill gp for very smll businesses; they re not business-oriented mnged security products. Roll your own 802.1X infrstructure: Some compnies would rther hve their own uthentiction server but lck the budget to buy commercil RADIUS product. Another option is freely vilble RADIUS server softwre like FreeRADIUS. But don t kid yourself: Rolling your own RADIUS server will require spre hrdwre, tech svvy nd t lest little swet. To run FreeRADIUS, you ll need spre time nd server hrdwre running Linux, FreeBSD, OpenBSD, OSF/Unix or Solris. FreeRADIUS is relesed under the GNU Generl Public License, which mens it is free to downlod nd instll. When used s wireless uthentiction server, Free- RADIUS cn process EAP-MD5, EAP- SIM, EAP-TLS, EAP-TTLS, EAP-PEAP nd LEAP ccess requests. Security policies, server configurtions nd user credentils re ll up to you. But once you ve invested the effort, you ll hve flexible RADIUS server tht cn be used for other purposes, like remote user virtul privte network uthentiction. Advice on configuring FreeRADIUS for wireless cn be found t org/wpa_howto. Alterntively, consider turning Microsoft Windows Server into RADIUS server for your WLAN. If you hve spre PC running Windows Server 2003, it cn be configured to run Microsoft s Internet Authentiction Server (IAS). To lern how to set up IAS for use with 802.1X, visit If you hve spre PC running Windows Server 2008, you cn ccomplish similr results using Microsoft s new Network Policy Server. While these solutions re not open source, they cn help you roll your own RADIUS server using products nd pltforms tht you lredy own. 22 THE MASSACHUSETTS DATA PROTECTION LAW

23 : OR ELSE... Skip 802.1X ltogether: Compnies tht find the whole ide of 802.1X overwhelming cn use WPA or WPA2-Personl insted. These personl mesures still represent n improvement over Wired Equivlent Privcy when bsed on strong preshred key (PSK). When PSKs re too short or composed of words found in the dictionry, they cn esily be guessed. An ttcker simply needs to cpture few pckets exchnged by legitimte user when connecting to the WLAN, then run dictionry ttck tool like cowpatty. To prevent this, choose PSK vlue tht s t lest 20 rndom lphnumeric chrcters. For best results, use rndom pssword genertor nd include numbers nd mixed cse (e.g., T2dREfsACch 646Us). Better yet, if your AP nd client support Wi-Fi Protected Setup (WPS), configure long, rndom PSK by pushing the button on the front of your AP or by typing client-generted WPS PIN into your AP s GUI. Furthermore, when using PSKs, it s importnt to ssign your WLAN reltively unusul network nme (extended service set identifier, or ESSID). Why? PSKs cn be guessed much fster by contemporry crcking tools when your WLAN uses common defult ESSID. Here gin, WPS cn be used to configure good ESSID for you. No mtter how rndom or long your PSK might be, users connected to your WLAN must know tht vlue or hve it configured into their systems. A configured pssword mkes life esier becuse users don t hve to remember or correctly type long, rndom string. But tht configured pssword will be compromised if someone loses lptop or leves it unttended. On the other hnd, prompting for PSKs increses the chnce tht users will give them to guests, write them down on sticky notes or otherwise disclose the entire WLAN s pssword. Updting your WLAN s PSK t regulr intervls cn help reduce risk but, ultimtely, group psswords cn only tke you so fr. If your compny is relly concerned bout keeping outsiders off your WLAN or knowing who is using your WLAN t ny point in time then upgrde to WPA or WPA2-Enterprise. EDITORS NOTE: This informtion ws originlly published on SerchSecurity.com. While 201 CMR is mndting encryption for lptops, USB devices nd informtion trnsmitted over wireless networks, new Sente bill, SB 173, proposes to mke revisions to these specific requirements. At press time no resolution hs occurred. Lis Phifer is president of Core Competence Inc. Rich Mogull is the founder of Securosis LLC, n independent security consulting prctice. 23 THE MASSACHUSETTS DATA PROTECTION LAW

24 Jnury 2010 is fst pproching. Are you redy? If you re conducting business with customers within the Commonwelth of Msschusetts, you re running out of time before their sweeping dt protection lw goes into effect. Rzorpoint s Network Security Umbrell includes everything you need to develop, implement, mintin nd monitor security system complint with 201 CMR 17.00, including: Control of user IDs Secure method of ssigning nd selecting psswords Secure method of protecting psswords Restrict ccess to ctive users only Blocking ccess to user ID fter multiple unsuccessful ttempts Restrict ccess to records nd files only to those who need it Assign unique ID & psswords Encrypt ll records contining personl informtion trnsmitted cross public networks Monitoring of systems for Implement firewll protection for personl informtion on system connected to the Internet Apply OS security ptches for files contining personl informtion on systems connected to the Internet Deploy mlwre protection Deploy virus protection Apply up-to-dte ptches on security gent softwre Develop written informtion security progrm (WISP) to protect personl informtion Estblish mens for detecting nd preventing security system filure Secure storge nd bck-up of dt unuthorized use Annul review of security mesures Encrypt ll dt contining personl Ensure tht third prty service providers deploy informtion to be trnsmitted wirelessly security mesures consistent with 201 CMR Encryption of ll personl informtion stored Trin employees on proper use of computer on lptops or other portble devices security prctices For more informtion on how to get your compny complint before Jnury 2010, cll Rzorpoint representtive t ext. 103, emil secure.now@rzorpoint.com, or visit 31 est 32nd street, sixth floor new york city, new york us office: fx:

25 : GETAHEAD TO STAYAHEAD Despite ppernces, the Msschusetts dt protection lw does offer opportunities for those who ct proctively. BY LINDA TUCCI ASK INTERNET entrepreneur-turnedretiler Dennis Kelly how he feels bout the new Msschusetts personl dt protection stndrds tht re scheduled to tke effect next yer, nd you d think the gret commonwelth of Msschusetts hd fshioned them s mrketing tool just for him. Given wht hs hppened with vrious retilers, systems getting hcked, we figured we needed to get out hed of it s ggressively s possible nd use it s n opportunity to crete higher level of trust with our customers, Kelly sys. Kelly co-owns Wireless City, fstgrowing chin of 27 wireless stores tht cn be found in Florid, Georgi nd Msschusetts. In business five yers, the chin is n exclusive licensee for Verizon wireless products nd its motto is tht buying cell phone should be fun, not pinful. Or led to identity theft. To purchse wireless devices, customers need to give crriers their Socil Security numbers. People re hesitnt nd concerned when they give tht number out long with whole bunch of other personl informtion, he sys. Adhering to 201 CMR 17.00, s the regultion is clled, mkes good business sense, he sys. Indeed, Kelly hs spent close to $10,000 on professionl services from security expert Kurt Bumgrten, CISA nd vice president of informtion security t Peritus Security Prtners LLC, to ensure his enterprise fulfills the 201 CMR complince checklist nd more. When ll the boxes re checked, he sys he plns to instll signs dvertising tht fct t every csh register in his stores. 25 THE MASSACHUSETTS DATA PROTECTION LAW

26 : AS MASSACHUSETTS GOES, SO GOES THE NATION Wireless City s tke on the regultion is something of n exception, judging from the complints registered by mny of the 64 compnies tht filed letters during the public comment period, including Verizon in Jn. 15 There is lso movement to look more upstrem nd tke more holistic view of dt protection. IAN GLAZER ANALYST, BURTON GROUP INC. letter. And the comprehensive stndrds my be subject to chnge. There is legisltion introduced in the Msschusetts Sente tht would wter down the requirements. Still, Wireless City is probbly smrt in getting hed on the security requirements. Mny nlysts believe the commonwelth s decision to mke firms tke proctive, policynd procedure-bsed pproch to dt protection is the wve of the future, likening 201 CMR to Cliforni s groundbreking dt brech notifiction lw pssed in After tht lw ws pssed nd strengthened, 44 other sttes not only followed suit but lso hve been rmping up their post-brech penlties. There is lso movement foot on the federl level to look more upstrem nd tke more holistic view of dt protection, sys nlyst In Glzer of Burton Group Inc. H.R. 2221, federl bill moving through committee on the Hill, tlks lot more bout dt protection thn post-brech penlties, Glzer sys, dding tht he would not be surprised to see some kind of federl legisltion on dt protection by yer s end. WHAT WILL IT COST: THE STATE'S NUMBERS Type Mss. dt privcy lw into Google nd list of dvertisements pops up in the right-hnd mrgin. There re kits you cn purchse, security experts for hire, consultnts, lw firms t the redy. So wht will it cost compnies to comply? According to the stte s Fiscl Effect nd Smll Business Impct Sttement, hypotheticl smll business with 10 employees should py no more thn $3,000 yer. The nlysis, which is worth reding in full, ssumes the hypotheticl compny hs three lptops nd one network server serving seven desktops, s well s multiple, lockble file cbinets oh, yes, nd n expert on hnd: we think it more thn likely tht 10-employee business would lredy hve retined such consultnt to monitor nd mintin the current instlltion nd softwre in con- 26 THE MASSACHUSETTS DATA PROTECTION LAW

27 : nection with protecting the compny s own, nd customer, informtion. If the business does not hve n existing technicl support progrm, mke tht $6,000, or $500 per month in consulting fees (see sidebr). IT'S THE DATA, NOT THE COMPUTERS Before rushing to spend $3,000 or $6,000 or more on complying with 201 CMR 17.00, it is importnt to understnd wht the regultion does nd does not require. $3,000 OR LESS TO COMPLY WITH 201 CMR 17.00? IN ITS FISCAL Effect nd Smll Business Impct Sttement, the Msschusetts Office of Consumer Affirs nd Business Regultion (OCABR) estimtes tht smll nd medium-sized businesses (SMBs) with 10 employees, for exmple, should py no more thn $3,000 to comply with the consumer dt protection requirements lid out in 201 CMR CIO Gerry Young sys he believes the cost of complince could be even less. Wht we ve been doing is working with the SMB to find s much freewre, shrewre, open source code s we cn. I think we cn ctully drive some of tht cost down, sys Young, who ws until recently CIO of the OCABR nd is now Secretrit CIO of the Executive Office of Housing nd Economic Development. He rgues tht businesses or consulting firms tht clim the costs of complince will in fct be much higher thn $3,000 hve n ntipthy towrd using open source nd free softwre. Yet if you look t the stte of freewre, shrewre, open source code you cn t dismiss out of hnd wht they cn do to contribute to this [dt protection] model. Free options re out there to encrypt USB drives, lptops nd PCs, requiring only the lbor cost to do it. Much of the technology needed to comply comes with the equipment mny compnies lredy own. Indeed, he sys he does not believe the rough spots for complying with 201 CMR will be technology-relted. But if there is n issue, it is the regultion s push to mke key mngement front nd center. Tht, I think, will be the biggest issue for SMBs, Young sys, becuse they re just not used to deling with symmetric nd symmetric keys nd being ble to hng on to the keys to decrypt. Asked if tht would not require hiring n expert, Young notes tht key mngement-for-dummies-type books might cost $20. Even if people don t understnd ll of the technicl detils behind key mngement, it is not going to tke much eduction to bring them up to speed. L.T. 27 THE MASSACHUSETTS DATA PROTECTION LAW