MGL 93H is in effect in Massachusetts. Now what?

April 28th, 2010

The Massachusetts information security regulation (201 CMR 17.00, issued under M.G.L. c. 93H) took effect on March 1, 2010. It requires ‘reasonable’ measures to protect the personal information of Massachusetts residents. So what counts as a reasonable measure? The Office of Consumer Affairs and Business Regulation (OCABR), which issued the regulation, has published guidance on what those measures are.


It all starts with a WISP!

A comprehensive Written Information Security Program (WISP) should be the foundation of your compliance program. Every company that owns or licenses personal information about a Massachusetts resident (a resident’s name in combination with a Social Security number, a driver’s license or state ID number, or a financial account or credit/debit card number) should have a WISP.

A WISP need not be extensive; 3-4 pages can be enough. A sample WISP template can be found at http://www.soltrixsolutions.com/docs/Sample-WISP.pdf

Soltrix Technology Solutions, Inc. is an approved statewide contractor in the Commonwealth of Massachusetts (ITS43), Vermont and Maine. We are also a SOMWBA-certified MWBE and DBE. In addition, we are an SBA-certified SDB and an NMSDC-certified minority-owned business.

At a minimum, every covered company should take the following measures to protect personal information:

1. A designated employee to manage and maintain the information security program.

2. Training for employees on the proper handling of personal information, covering its confidentiality, security and integrity, whether the records are electronic or on paper.

3. A written policy that states how employees may keep, access and transport records containing personal information, both on and off premises. Each employee should read and sign off on the policy. A sample policy should be part of the WISP.

4. The same policy should include disciplinary measures for violations.

5. The same policy should state the measures taken to prevent terminated employees from accessing records containing personal information (for example, disabling accounts and collecting keys and devices on the day of termination).

6. Third-party vendors should certify that they have a WISP and a security program in place to protect any personal information you need to share with them for business purposes. Such certifications should be made part of the vendor agreements.

7. Limited, restricted and controlled physical access to locations containing personal information (e.g. locked cabinets, limited access to server rooms).

8. A standardized method to identify the records and devices used to store personal information. If possible, segregate devices containing personal information from those that do not.

9. Written approval from a manager before an employee gains access to personal information. Keep records of who has access to which information.

10. Regular monitoring and review of all aspects of the comprehensive security program.

11. An annual review of the effectiveness of the information security program (and a review whenever there is a material change in business practices).

12. Documentation of the actions taken in response to any breach of security, including a post-incident review.

Apart from these twelve (12) administrative steps, the following eight (8) IT-related steps are required by the Office of Consumer Affairs and Business Regulation for any system that stores or transmits personal information electronically:

13. Secure user authentication protocols: control of user IDs, a reasonably secure method of assigning and selecting passwords (or unique identifier technology such as tokens or biometrics), password storage that does not compromise security, access restricted to active users and active accounts only, and blocking of access after multiple unsuccessful login attempts.

14. Secure access control measures: access to records containing personal information restricted to those who need it to perform their job duties, and a unique user ID and password for each person with computer access (never vendor-supplied default passwords).

15. Encryption of all records and files containing personal information that are transmitted across public networks or wirelessly.

16. Reasonable monitoring of the network and of the servers containing personal information for unauthorized use or access.

17. Encryption of all personal information stored on laptops and other portable devices (USB drives, backup tapes, phones).

18. Reasonably up-to-date firewall protection and operating system security patches on all systems connected to the Internet, maintained to industry standards.

19. Active and up-to-date anti-virus and anti-malware software, with current patches and virus definitions.

20. Training so that employees can recognize potential security lapses, with a clear procedure for escalating a lapse to the appropriate personnel.

These twenty (20) steps are what the Office of Consumer Affairs and Business Regulation, the agency responsible for 201 CMR 17.00, deems reasonable.

If personal information is breached, M.G.L. c. 93H makes the company responsible for:
1. Notifying the Attorney General’s office and the Office of Consumer Affairs and Business Regulation about the breach, including its nature, the number of residents affected and the steps taken in response.

2. Notifying each affected Massachusetts resident. The resident notice must not describe the nature of the breach; it must tell the resident of the right to obtain a police report and how to place a security freeze on their credit file.


Disclaimer: Soltrix is not responsible for any non-compliance resulting from this article. Our intention is only to provide a general framework for the measures to be taken. We recommend that you have specialists validate the measures you take.

Success depends on applying the right technology, not necessarily the most current

October 18th, 2008

More often than not, systems integrators and technology companies fall in love with the hottest current technology. It is then common to propose the technology they love to all of their clients, irrespective of the business pains those clients experience. Often the technology turns out not to be a good fit for the particular problem, or another solution that would have been more appropriate was ignored entirely. The result is discontent, and the technology itself gets blamed for its shortcomings. This happens most in the software development arena.

For example, we had a construction management company that needed to keep track of inventory at each of its project sites so that it could avoid double-ordering material, a prevalent problem for the client. One of the technology companies they selected proposed a .NET solution that would take 4 months to develop. After about 6 months, the product was still only half complete, with 2 software engineers working full time on the project. Finally, the construction company got frustrated and approached us. The first thing we did was to assess what they needed and dig deeper into what their actual business pain was. In the process we learned that they also had SharePoint. We quickly realized that this particular business pain could be solved by an application on SharePoint. After some design, we developed a web-based application using SharePoint web parts that would show not only how much material was at each project site but also how much was ordered and allocated to each project, along with the estimated arrival date. All this meant that the project manager would know how much material was on hand, and double-order errors dropped from 40% last year to less than 3%.

This was a simple system put in place in 4 weeks by two software engineers, from design to implementation. Needless to say, the customer is very happy and satisfied. Only by applying the right technology can you provide good value to the customer.

Sometimes I cringe when software professionals say they would never use Access forms. In fact, we have used Access forms and have developed many complex applications with them. For small and medium-sized businesses, this is a great way to develop an application without breaking the bank. We work to make sure that we provide clients with a software solution that mitigates their business pain at the most value to the client. Hence our motto: ‘We provide technology that works for you’