201 CMR 17.00

Massachusetts Privacy and Data Protection Regulation

Contact BrickLogix today for a complimentary 201 CMR 17.00 consulting engagement.

201 CMR 17.00 compliance challenges include:

1. Businesses must develop, implement, maintain and monitor a comprehensive, written information security program that is consistent with industry standards.

2. The program must be monitored on a regular basis to prevent unauthorized access to, or unauthorized use of, personal information.

3. The law also mandates that businesses take "reasonable steps" to verify that third-party service providers with access to personal information have the capacity to protect it.

4. The requirements of 201 CMR 17.00 are far-reaching, affecting any company that does business in Massachusetts or holds personal data of Massachusetts residents, even if that company is based outside the state.

5. The law mandates implementing a number of administrative, technical, and physical safeguards, including:
- Encryption,
- User authentication,
- Password controls,
- Access restrictions,
- Monitoring and audit records.

6. The law also requires that these security measures be consistent with similar laws passed in other states.

7. Noncompliance carries the risk of significant fines. For example, improper data disposal can result in a fine of up to $50,000 per incident.

8. The compliance deadline is March 1, 2010.

What does 201 CMR 17.00 specify?

To achieve compliance, the regulation requires that a number of security measures be in place, be reasonably monitored, and be audited periodically to ensure that no gaps have emerged. The regulation specifies the following:

1. A Written Information Security Policy (WISP) governing the handling of personal and confidential data

2. One or more dedicated persons responsible for running the information security program

3. Periodic audits to ensure that compliance is maintained

4. Protection of data: encryption and data leakage controls to protect personal data where it resides and while in motion over public networks

* Encrypt Internet FTP transfers
* Encrypt Internet HTTPS transfers
* Encrypt files for Internet transfers
* Encrypt data on laptops
* Encrypt data on portable devices
* Manage encryption keys

5. "Reasonable" monitoring of networks and systems for unauthorized use or access

6. Patch management for operating systems, anti-virus software and other protection solutions

7. User account and rights management

8. Up-to-date firewall protection (network and endpoint)

9. Endpoint security: anti-virus, anti-malware and anti-spyware protection

How can BrickLogix help?

Professional Security Services:
* 201 CMR 17.00-specific information security assessment to identify gaps
* Security policy (WISP) development services
* Employee education workshops
* Data leakage threat assessments to determine whether sensitive data is leaving the organization
* Emergency response services and readiness workshops

Security Technologies:
* Encryption - PGP's industry-leading encryption solution enforces data protection with central management and automatic enforcement of policies on desktops, laptops, removable digital storage devices (such as USB flash drives and CD/DVD drives) and mobile connection technologies (such as Wi-Fi, FireWire, and Bluetooth). It requires no user intervention and leverages the existing enterprise directory infrastructure. It can log usage and demonstrate compliance to auditors.

* Secure Email Encryption Solution - PGP Universal Gateway Email is used with PGP Universal™ Server to manage existing policies, users, keys, and configurations, expediting deployment and policy enforcement. Operation is easy and automatic: it protects sensitive email without changing the user experience and enforces data protection with centrally managed policies, using the existing infrastructure and eliminating training and help-desk costs through clientless operation. Organizations can minimize the risk of a data breach and comply with partner and regulatory mandates for information security and privacy.

* Security Event Log Management - Collection, correlation, monitoring, management and reporting of security log data from a variety of devices, without the expensive upfront capital investment and ongoing overhead. This increases your visibility into security event and network data, can reduce the costs attributed to multi-vendor log archiving and analysis, and helps meet regulatory compliance requirements. The service is designed to dramatically improve the speed of security investigations. In addition, we can archive your forensically sound log data, admissible as evidence in a court of law, for a period of up to seven years.

* Data Loss Prevention (DLP) - Data risk management solutions that provide discovery, classification, control, monitoring, and auditing capabilities (HIPAA, PCI, GLBA, SOX) to protect sensitive and private information in the form of files, documents, application-level data, database records, and images. Whether it is employee lists, personnel records, medical data (including data covered by HIPAA security requirements), financial records, or photos and other images, the information can move freely across global organizations, greatly increasing collaboration while reducing the risk of data leakage from within or outside the organization.

* Intrusion prevention solutions for network- and server-based security analysis and threat protection.

* Unified Threat Management - Intrusion prevention systems (IPS) and firewalls designed to block traditional attacks such as worms, Trojans and intruders, together with web filtering, anti-spam and anti-virus technology to protect against objectionable web content, phishing scams, spyware and viruses.

* Remote office gateway security - Centrally managed firewall, IPS, anti-virus, and VPN solutions.

Managed Security Services:
* Managed security event log management (analyze and correlate logs and provide security alerts)
* Managed protection services for servers
* Managed and monitored firewall service
* Managed e-mail security
* Managed web security
* Managed identity services
* Managed intrusion prevention and detection service
* Managed protection services
* Managed security services for unified threat management
* 24x7x365 monitoring of multiple network segments
* 24x7x365 rigorous monitoring of a large variety of vendor solutions and security technologies
* SLA-backed response guarantees to protect data against internal or external threat exposure
* 24x7x365 telephone, e-mail and web access to certified security professionals
