<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/">

    <channel>
    
    <title>Blog</title>
    <link>http://www.tbgsec.com/index.php</link>
    <description></description>
    <dc:language>en</dc:language>
    <dc:creator>kgorsline@tbgsec.com</dc:creator>
    <dc:rights>Copyright 2010</dc:rights>
    <dc:date>2010-12-23T15:31:11+00:00</dc:date>
    <admin:generatorAgent rdf:resource="http://expressionengine.com/" />
    

    <item>
      <title>Are Fax Transmissions Covered Under 201 CMR 17.00?</title>
      <link>http://www.tbgsec.com/index.php/blog/are_fax_transmissions_covered_under_201_cmr_17.00/</link>
      <guid>http://www.tbgsec.com/index.php/blog/are_fax_transmissions_covered_under_201_cmr_17.00/#When:21:17:08Z</guid>
      <description>Massachusetts Privacy Protection Law 201 CMR 17.00, which goes into effect March 1, 2010, does not specifically call for the encryption of fax transmissions, nor does it specifically mention how fax transmissions should be handled. With that said, the intention of the law was NOT to exempt fax transmissions of personal information (PI) from consideration when creating a Comprehensive Information Security Program (CISP). There are a couple of sections in the regulations that do refer to the transmission of PI, and therefore one could reasonably assume that the Commonwealth would have you consider these sections when forming your organization's policy around the handling of fax transmissions containing PI.

Here are a few things to consider when you begin incorporating fax policies into your Comprehensive Information Security Program.
When transmitting PI outside your organization, to third-party vendors in particular…
Section 17:03.2f.1
Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and
Section 17:03.2f.2
Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later

When transmitting PI within the organization…
Section 17:03.2b.2
Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.
Section 17:03.2.g
Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
Section 17:04.3
Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

Things Your Organization Should Consider
When considering incorporating fax policies into your CISP, there are some considerations that will fall under best practices. I believe the handling of fax transmissions should be considered such an area. Here are a few questions to answer.
Is the fax machine using Plain Old Telephone Service (POTS)?
If so, this would not be considered a public transport but rather a private, second-party connection. Therefore it would not fall under Section 17.04.3. However, from a best practices approach you need to consider how the process of transmitting PI via fax is going to be handled within your organization to ensure that the risk of exposing PI is minimized.
Where is the fax going? Is the recipient another fax machine, or is it an email account or an eFax account?
If the transmission is going to another fax machine, then putting a process in place for handling faxes should suffice to meet the requirements of 201 CMR 17.00. However, if the recipient is an email account or an eFax account, you may also need to consider the requirements for encryption of the PI stored on the recipient's computer as specified in Section 17:04.5, Encryption of all personal information stored on laptops or other portable devices.

From a best practices process approach to handling fax transmissions, you should consider:
Maintaining transmission and transaction log summaries.
Verifying all destination numbers prior to any transmission.
Notifying recipients that a fax containing PI is on the way prior to its transmission.
Confirming with the recipient that the fax was delivered (email or phone).
Storing received faxes in a secure location.
Ensuring that a cover sheet is included with every fax containing PI and that the cover sheet clearly states that there is PI contained in the transmission.
Placing all fax machines in a secure area where they are not generally accessible.
Ensuring that fax transmissions are sent to secure destinations. At a minimum, the recipient should be following the same security procedures as your organization.
Maintaining a copy of the confirmation sheet or the fax transmission.

While it might be easier to take the approach that says, “the regulation didn’t specifically state how we should handle fax transmissions, therefore they must have excluded that on purpose”, we know that’s not the spirit of 201. The objectives of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Let’s roll up our sleeves and do a bit of heavy lifting here. Even if it&#8217;s only to get that fax into a secure area…
Special thanks to the MA 201 CMR 17 Data Privacy and Protection Laws group on LinkedIn for all the input.</description>
      <dc:subject>201 CMR 17.00</dc:subject>
      <dc:date>2010-01-14T21:17:08+00:00</dc:date>
    </item>

    <item>
      <title>201 CMR 17.00 About To Be Enforced?</title>
      <link>http://www.tbgsec.com/index.php/blog/201_cmr_17.00_about_to_be_enforced/</link>
      <guid>http://www.tbgsec.com/index.php/blog/201_cmr_17.00_about_to_be_enforced/#When:15:31:11Z</guid>
      <description>Data breach could test the Massachusetts Privacy Protection Law 201 CMR 17.00
The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to CitySights NY, a sightseeing firm. The case could set the stage for enforcement of the State&#8217;s nine month&#45;old data privacy law. Financial data on 1,850 Massachusetts residents was among account information for 110,000 customers stolen from servers belonging to Twin America LLC, the parent company of CitySights NY, according to Amie Breton, Deputy Press Secretary in the Office of Massachusetts Attorney General Martha Coakley.

Could this be the test case for the enforcement of the Massachusetts Privacy Law 201 CMR 17.00?</description>
      <dc:subject>201 CMR 17.00</dc:subject>
      <dc:date>2010-12-23T15:31:11+00:00</dc:date>
    </item>

    <item>
      <title>PCI DSS v2.0 &#45; Sneak Peek Revealed</title>
      <link>http://www.tbgsec.com/index.php/blog/pci_dss_v2.0/</link>
      <guid>http://www.tbgsec.com/index.php/blog/pci_dss_v2.0/#When:19:01:07Z</guid>
      <description>The PCI Security Standards Council unveiled a summary of changes expected to appear in version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS), which will be published October 28, 2010. Finally, after years of waiting and certainly hundreds of conversations with stakeholders and the card brands, the PCI SSC has released the highlights of the long&#45;anticipated PCI DSS 2.0.

According to the PCI Security Standards Council, the updated PCI standard, which will now be refreshed every three years instead of two, was based on hundreds of pieces of feedback. PCI DSS 2.0 incorporates a stronger emphasis on scoping sensitive data and a more risk&#45;based approach for assessing vulnerabilities. Some believe, however, that the bigger news is not what is included in the revised standard, but what IS NOT included.

“I think the reaction to what’s missing is the most important part of this announcement because it will push the council to move faster on areas they have not yet,” Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com. “A lot of fundamental questions are still unanswered.”

A summary of upcoming changes to the PCI DSS is available online at https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf.</description>
      <dc:subject>Information Security</dc:subject>
      <dc:date>2010-08-25T19:01:07+00:00</dc:date>
    </item>

    <item>
      <title>Getting Ready For 201 CMR 17.00</title>
      <link>http://www.tbgsec.com/index.php/blog/getting_ready_for_201_cmr_17.00/</link>
      <guid>http://www.tbgsec.com/index.php/blog/getting_ready_for_201_cmr_17.00/#When:17:38:21Z</guid>
      <description>Don’t forget about the paper!
There’s been a tremendous amount written lately about how to prepare for the upcoming March 1 deadline for compliance with Massachusetts 201 CMR 17.00. Almost everything I’ve read has focused on the electronic aspect of the regulation, with little or no attention paid to how an organization will change the way it handles paper containing personal information. Just as a reminder, the intent of 201 CMR 17.00 is to establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.
While a great number of postings have focused on encryption products or secure data storage technology, with scary facts to support their implementation, relatively few address the internal paper processes inherent in any organization. For example, do you know what happens to job applications that contain personal information for those candidates who are not hired into your organization? Typically they’re disposed of rather than being stored somewhere in the organization. If you’re simply throwing these applications into the trash bin in your cubicle, then you’ve overlooked the fact that identity thieves and cybercriminals commonly collect information from garbage containers and use what they find to steal money and access confidential information. In Massachusetts, an organization found negligent in the proper disposal of personal information, in violation of the provisions of M.G.L. 93I, shall be subject to a civil fine of up to $50,000 for each instance of improper disposal.

One of the first steps in determining what policies make sense for your organization is to find out how you currently handle personal information. This is, of course, after you’ve appointed a designated person to maintain and monitor your Comprehensive Information Security Program (CISP). The person you designate to maintain your CISP will be an integral part of the team you put together to map out the company’s current practices and policies. The assessment exercise should identify how the company collects, handles, accesses, stores and disposes of sensitive and valuable information. This typically requires the involvement of every department within the organization. Unfortunately, most organizations see the process of implementing security policies and procedures as an IT function. Yet with laws as comprehensive as M.G.L. 93H and 93I and the 201 CMR 17.00 regulations, an organizational conscience and cultural change are required to succeed at implementing the policies and procedures needed to protect your organization from a serious data breach.

Where Do We Start?
By reviewing the employment process from the initial contact with a prospective employee straight through termination, you will determine where Personal Information resides within the organization in both paper and electronic form. A good starting point for assessing where personal information in paper form is stored within the organization is to create a process flow for job applicants. Typically you’ll collect at least the candidate’s social security number on the application. Now track the flow from the point at which the candidate submits the written job application through both the hired flow and the not-hired flow. As you go through this exercise, ask the following questions:
What personal information is collected from an applicant, and at what point in the process is it necessary? You may find that you can eliminate the information from the form until such time as you actually need that info to proceed to the next step in the hiring process.
Is there a difference between the hiring process for hourly employees and the one for salaried employees?
Where does a candidate submit an application?
Career Fairs
Job Boards
Headquarters
Group Hiring
On Site
At a Kiosk
Online
What happens to the applications of those candidates not hired?
What happens to the applications of candidates who are hired?
Who has access to the job applications?
How are the applications stored?
How are the applications disposed of?
Are any applications stored offsite?
Who is your offsite storage provider?
Do you know if they meet the requirements of 201 CMR 17.00?
What is the organization's retention policy?
What’s the disposal process?
Who determines what is retained or what is destroyed, and when?

As you can see, this will not be an insignificant amount of work for the team assessing your current processes. It will also require input from various departments to ensure success, so I’d suggest that this process be an inclusive one. The more people involved, the more likely it is that you’ll uncover exceptions within the process that could result in your organization exposing personal information.

Above, we started to look at the process of submitting a job application. But that’s just the beginning of the process. To be successful you’ll need to track that application from cradle (the point at which it enters the organization) to grave (the point at which it exits the organization or is destroyed), identifying all the points at which a candidate's personal information could be subject to theft.

The job application is just one piece of paper containing personal information for a candidate or employee. You’ve also got to consider W4 forms, I9’s, benefit forms, and the plethora of forms any employee may receive in their “New Hire Package”. You should track each of these forms throughout the organization to ensure that the proper safeguards are in place to protect the personal information of your employees as well as potential employees.

In going through this process, it is extremely important to collect and review any existing policies and procedures that could impact personal information security. Prior policies will give an organization a jump start in drafting its CISP, while they also help identify any threats and security measures previously identified. As part of the review, be sure to identify where current business practices, policies and public statements have diverged over time.

In closing, we advise our clients to assess their information security practices broadly and to assess how intellectual property and any other valuable information asset are handled, whether it be personal information or not. Keeping an organization's intellectual property in view during the assessment process will help not only frame policies but also determine what level of security access is appropriate. A company that completes an all&#45;inclusive review of its existing information security practices and policies will be in the best possible position to address the requirements of new laws and regulations.</description>
      <dc:subject>201 CMR 17.00</dc:subject>
      <dc:date>2010-01-08T17:38:21+00:00</dc:date>
    </item>

    <item>
      <title>The 201 CMR 17.00 Compliance Deadline of March 1, 2010 Is Rapidly Approaching.</title>
      <link>http://www.tbgsec.com/index.php/blog/201_cmr_17.00_compliance_deadline_rapidly_approaching/</link>
      <guid>http://www.tbgsec.com/index.php/blog/201_cmr_17.00_compliance_deadline_rapidly_approaching/#When:20:20:49Z</guid>
      <description>Sounds a little like Chicken Little running around saying “the sky is falling, the sky is falling”. However, the clock is ticking off precious minutes as your organization races to meet the compliance deadline for 201 CMR 17.00. If your organization has been holding out for another extension from OCABR, then I’m afraid you’re out of luck. March 1, 2010 is the drop dead date for compliance.
The final version of the regulation was released in late October, and nobody has the stomach to take a crack at watering down this regulation any more than it has been over the last several months. With time running out for organizations to comply with 201 CMR 17.00, we thought it would be helpful to lay out the activities your organization should be undertaking to meet the March 1, 2010 deadline for compliance. What follows below are those activities.
January 2009

Get a copy of the Final Version of 201 CMR 17.00
Obtain and complete the 201 CMR 17.00 Compliance Checklist to determine where your organization needs to focus its compliance efforts
Designate an Information Security Officer &#45; You will need to designate at least 1 person at your place of business who will maintain the comprehensive information security program.
Identify the process flows as they pertain to personal information. Examples of these would be
Hiring Process
Healthcare enrollment and termination process
Retirement Plan enrollment and termination process
Tax processing
Background Check process
Process of issuing company credit cards
Termination Process

Based on the findings from the process flows, determine and document which employees need access to the Personal Information identified in the process. A Personal Information Authorization policy should evolve from this step.
While developing the process flows, you should have determined which systems contain Personal Information in an electronic format. Based on those findings you should determine where encryption for personal information is needed.
Third&#45;party service providers for your business should have been identified in the process flows, as should their requirements for access to Personal Information. Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.
Develop an encryption plan to address encryption requirements throughout the organization.
Develop a process to check all security patches on all systems and ensure they’re up to date and regularly monitored. A similar process should be used to ensure that firewalls are updated and monitored regularly.

February 2010
Start developing your CISP (Comprehensive Information Security Program), making sure that you include:
Administrative, technical and physical safeguards for Personal Information protection
Confirmation that your CISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts
Any identified and reasonably foreseeable internal and external risks to paper and electronic records
Regular and ongoing employee training, and procedures for monitoring employee compliance
Disciplinary measures for violators
Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
Steps taken to verify third-party service providers' access
The length of time that you are storing records containing personal information
Specifically, the manner in which physical access to personal information records is to be restricted
Whether you are storing your records and data in locked facilities, storage areas or containers, and the security measures taken to keep these areas secure
Actions taken and documentation kept in connection with any breach of security
Ensure all hardware and software upgrades have been installed.
Implement the encryption plan developed in the previous month.
Finalize your CISP, Comprehensive Information Security Program.
Test all policies contained in the CISP.
Develop your organization's Security Training Program and begin your employee training program.

March 1, 2010 and beyond
Continue ongoing monitoring and maintenance of systems and procedures.
Continue providing training to new and existing employees.
Update policies as required.
Spot check your policies and procedures on a regular basis and make the changes necessary to ensure your organization's continued compliance with 201 CMR 17.00.

As you can see, there’s an immense amount of work ahead for you and your organization. If you’ve not undertaken something of this magnitude before, are understaffed or have no idea where to even start in implementing a Comprehensive Information Security Program, we’d love to help you out. For more information on how TBG Security can help your organization reach compliance contact our  or call us directly at 877.233.6651 ext 707.</description>
      <dc:subject>201 CMR 17.00</dc:subject>
      <dc:date>2009-12-29T20:20:49+00:00</dc:date>
    </item>

    <item>
      <title>Obama makes the right choice with Howard Schmidt appointment.</title>
      <link>http://www.tbgsec.com/index.php/blog/obama_makes_the_right_choice_with_Howard_Schmidt_appointment/</link>
      <guid>http://www.tbgsec.com/index.php/blog/obama_makes_the_right_choice_with_Howard_Schmidt_appointment/#When:15:08:46Z</guid>
      <description>We&#8217;re happy that President Barack Obama picked Howard Schmidt to serve as National Cybersecurity Coordinator. Schmidt&#8217;s experience in both the public and private&#45;sector sides of the security fence, along with his dedication and decision-making skills, make him a great choice. Good luck Howard!</description>
      <dc:subject>Information Security, People</dc:subject>
      <dc:date>2009-12-28T15:08:46+00:00</dc:date>
    </item>

    
    </channel>
</rss>
