MA 201 CMR 17.00 STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
Personal Information - Defined
Personal information: a Massachusetts resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such resident:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
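The definition above is the scoping rule for everything that follows, so here it is encoded as a record classifier (an added example, not part of the original deck). The field names, the `resident_state` field and the sample records are constructed assumptions about how a data inventory might be laid out.

```python
from typing import Dict, List

# Data elements that, combined with a resident's name, put a record in scope.
TRIGGER_FIELDS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license or state ID card number",
    "account_number": "financial account number",
    "card_number": "credit or debit card number",
}

def _present(rec: Dict[str, str], key: str) -> bool:
    return bool((rec.get(key) or "").strip())

def _has_name(rec: Dict[str, str]) -> bool:
    """First name and last name, or first initial and last name."""
    return _present(rec, "last_name") and (
        _present(rec, "first_name") or _present(rec, "first_initial"))

def classify(rec: Dict[str, str]) -> Dict[str, object]:
    """Apply the definition: MA resident, name, and at least one data element.
    A security code or PIN is deliberately NOT required: the definition covers
    account and card numbers 'with or without' it."""
    elements = [label for key, label in TRIGGER_FIELDS.items() if _present(rec, key)]
    resident = (rec.get("resident_state") or "").strip().upper() == "MA"  # assumed field
    return {"ma_resident": resident, "name": _has_name(rec), "elements": elements,
            "in_scope": resident and _has_name(rec) and bool(elements)}

def scope_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Subset of an inventory that the WISP controls must cover."""
    return [r for r in records if classify(r)["in_scope"]]

# Constructed sample records (placeholder values, not real people).
SAMPLE_RECORDS = [
    {"first_name": "Ann", "last_name": "Doe", "resident_state": "MA", "ssn": "000-00-0000"},
    {"first_initial": "B", "last_name": "Roe", "resident_state": "MA",
     "card_number": "0000000000000000"},                      # no CVV, still in scope
    {"first_name": "Cal", "last_name": "Poe", "resident_state": "MA",
     "email": "cal@example.com"},                              # email is not a trigger
    {"first_name": "Dee", "last_name": "Moe", "resident_state": "NH", "ssn": "000-00-0001"},
    {"last_name": "Foe", "resident_state": "MA", "drivers_license": "S00000000"},  # no first name
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.get("last_name"), classify(rec))
```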
Internal & External Threats
- 700,000+ MA residents compromised (>10% of population)
- 470 firms reported being breached
- 2/3 of breaches go unreported
Internal Threats Abound
- FTC reports identity theft attacks on over 10 million victims/yr, costing $52+ billion/year
- Victims spend countless hours repairing damaged credit
External Threats
- Viruses, malware, hackers, professional cyber-thieves, vendors, improper firewall or wireless AP configuration or management, lost backups
- 88% of IT admins would steal critical data if they were laid off
- 59% admitted to stealing company data
- 67% used their former company's confidential information to leverage a new job
201 CMR 17 Affects Virtually Everyone
- If you touch MA resident personal data, you must comply
- No organization is exempt: any industry sector or size, for-profit, non-profit, church, school, municipality, in-state and out-of-state
MA Regulation is Unique
- PCI, SOX, HIPAA, SAS 70, GLBA: compliance with other regulations does not mean you are 201 CMR 17 compliant
Detailed Requirements
- Written Information Security Policies (WISP), staff training, authentication & access controls, data encryption and security monitoring, annual reviews, vendor due diligence, intrusion detection
- APPLIES TO PAPER AND ELECTRONIC RECORDS
Non-compliance Could Be Expensive
- Major fines: $5,000 for each security failure; $5,000 per notification violation
- Lawsuits: civil lawsuits and class-action lawsuits; new federal laws will make it easier to bring civil suits related to data loss
- Lost revenues: customers blame firms that lose their data 80% of the time
- Insurance: standard liability / E&O insurance won't pay the costs
What is 201 CMR 17.00?
- Regulation created in Massachusetts under MA MGL 93H to answer the call for tighter controls of resident data
- Created out of concerns over identity theft and the fallout from well-known breaches (TJX, Hannafords, Heartland, etc.)
- Requires businesses to ensure the safekeeping of MA residents' data
- Requires notification if a breach occurs
201 CMR 17.00 - Defined
- Requires businesses to implement policies, procedures, processes, and controls that apply to stored resident data
- Requires the identification of MA resident data that needs protection
- Defines computer and record retention security requirements in order to comply with the law
- Requires creating secure access control
201 CMR 17.00 - Defined
- Requires secure authentication controls
- Encryption of communications
- Defines requirements for ongoing monitoring of WISP program controls
- Anti-virus and protection agents
- Employee training
- Defines requirements for proper disposal of MA resident personal data
Understanding the Process
- Perform an in-depth risk assessment in order to identify deficiencies and needs
- Create a WISP in order to define controls that meet the regulation's objectives
- Develop controls such as policies, processes, and procedures in order to support and maintain the security objectives outlined in the WISP
- Remediate shortfalls in compliance with technology or additional policy development
- Monitor, maintain, and audit for ongoing effectiveness
Understanding the Process [slide content not captured in text]
Copyright 2008 Peritus Security Partners, LLC. All rights reserved
Creating Compliance - The Process [slide content not captured in text]
The Compliance Process - Continued, MA 201 CMR 17.00 [slide content not captured in text]
Achieving Compliance Summary
- After the risk assessment is completed, organizations need to address the findings
- Create or refine the WISP and the controls that are required by the regulations
- Create policies, processes and controls that meet the needs of the specific discovered deficiencies
- Define actionable items for remediation that include technology and infrastructure
Using a Framework to Get Compliant
- The regulation requires that you develop your WISP and policies using accepted industry standards
- ISO 27001 is an internationally accepted best-practices framework for the development and management of information security programs
- MA used the ISO 27001 framework as the foundation for the creation of the regulatory guidelines
- Using the same ISO 27001 best-practices framework for your own WISP development will allow you to be more consistent with the expectations of the state
- Helps create living documentation that is cost-effective to maintain and applicable to future compliance efforts
Who Can Help?
- Qualified information security professionals will hold key certifications such as CISA, CGEIT, or CISSP and will specialize in the creation of WISPs
- Have qualified legal counsel review your WISP
- Contact MA OCABR for clarification
- DO NOT assume a "computer guy" is qualified to write a WISP or the policies, procedures and controls that are necessary for compliance. They can help with remediation, but there's a big difference between technology and compliance.