Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services
By March 2010 every business that owns or licenses personal information about a resident of the Commonwealth of Massachusetts must be in full compliance with state regulation 201 CMR 17.00. The compliance deadline has been pushed back several times while smaller businesses and lawmakers negotiated a fair balance between consumer protection and business realities, resulting in the current version, which requires safeguards appropriate to the size, scope, and type of business handling the data.
Although I’ve discussed the impact of 201 CMR 17.00 before, the passing of the regulation brings two critical questions into sharp focus, both of which deserve more discussion:
- Do you know where your data is and if it’s necessary to keep storing it?
- Is a risk-based approach the right way to ensure compliance?
Time and again, in our experience helping customers meet their regulatory requirements, locating personal data and evaluating whether it really needs to be retained is the number one challenge companies face. Organizations frequently try to avoid this step, citing that it is simply too difficult. They usually end up doing just enough data discovery to segregate the information, because the broader task of evaluating the data’s value to the organization and creating a data destruction protocol is judged too expensive. But for companies large and small that are affected by 201 CMR 17.00, it is crucial to discover where your personal information is, then rationalize what you keep and segregate it.
Here is a list of tools that can be used to help locate personal information (card numbers, Social Security numbers and similar identifiers) on hosts, in databases and on the wire:
- http://www.groundlabs.com
- www.dbdatafinder.com
- CCSRCH: http://sourceforge.net/projects/ccsrch
- SENF: https://source.its.utexas.edu/groups/its-iso/projects/snef/
- SPIDER: http://www.cit.cornell.edu/security/tools/spider-windows.html
- SPIDER: http://www.cit.cornell.edu/securitytools/spider-linux.html
- SNORT for sniffing: http://bleedingthreats.net/rules/bleeding-policy.rules
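To show what the host-based scanners in the list above actually do, here is an added example that is not part of the original article or of any of those tools: a small Python locator that finds card numbers (PANs) and US Social Security numbers in text, uses the Luhn mod-10 check to discard most digit strings that merely look like card numbers, and reports only masked values and line numbers so the scan report does not itself become a new store of personal information. The sample records are constructed for the example; the 4111 1111 1111 1111 value is the standard Visa test number, and the function names are the example’s own.

```python
"""
Minimal personal-data locator (added example, not code from the tools listed
above): finds Luhn-valid card numbers and well-formed US SSNs in text and
reports only masked values and their locations.
"""
import os
import re
import sys

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (a 20-digit invoice reference is not a PAN).
PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# AAA-GG-SSSS, the hyphenated form SSNs usually take in stored records.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card networks; cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs that are never issued: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits so the report is not itself a PII store."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(text: str):
    """Return (kind, line_number, masked_value) for each hit in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(("PAN", line_no, mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(("SSN", line_no, "***-**-" + m.group(3)))
    return findings


def scan_tree(root: str):
    """Walk a directory and scan every file as text (undecodable bytes ignored)."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample records (not real data): a Luhn-valid Visa test PAN, a
# 16-digit string that fails Luhn, a well-formed SSN, an impossible SSN, and a
# 14-digit invoice reference that the Luhn check rejects.
SAMPLE_TEXT = """\
order_id=1001 card=4111 1111 1111 1111 exp=12/11
order_id=1002 card=4111111111111112 exp=12/11
employee=J. Doe ssn=123-45-6789 start=2009-04-01
employee=A. Roe ssn=000-12-3456 start=2009-06-15
invoice 20100301-000123 total 1600.00
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else {"<sample>": scan_text(SAMPLE_TEXT)}
    for path, found in hits.items():
        for kind, line_no, masked in found:
            print(f"{path}:{line_no}: {kind} {masked}")
```

Run it with no arguments to scan the embedded sample, or with a directory path to walk a file share; on the sample only line 1 (the Luhn-valid PAN) and line 3 (the plausible SSN) are reported. The caveats apply to the real tools as well: a text scanner cannot see inside encrypted, compressed or proprietary database files, which is why database-aware products and network sniffing appear separately in the list, and the masked report should still be treated as sensitive because it tells an attacker exactly where to look.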
Once you’ve located the information the next step is to draw a data flow diagram to ensure you understand how confidential data enters your organization, where it is routed, and where it is eventually stored. Having undertaken these two steps you’ve won at least half the battle!
The next step is to understand how you are going to secure the information you have just located. Every company, whether or not it is directly affected by industry or governmental regulations, should invest time in creating a written information security policy that covers the storage, access, and transportation of records containing personal information, and what is to be done in the event that the information is breached.
While bringing in external consultants is an obvious option at this point, businesses with smaller resource bases should evaluate sample policies on the web, as well as toolkits that can be bought, as building blocks for creating a policy that is in line with your business objectives. The key is to always start with the policy and then map out standards that meet the technical requirements for protecting the types of personal data your company needs to store, in the locations where it stores them.
Fortunately for businesses in the Commonwealth of Massachusetts, the state has outlined the technology requirements needed to be compliant in the section entitled Computer System Security Requirements. The broad list includes:
- Secure user authentication protocols
- Secure access control
- Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
- Reasonable monitoring of systems for unauthorized use of or access to personal information
- Encryption of all personal information stored on laptops or other portable devices;
- Up-to-date firewall protection and operating system security patches
- Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of personal information security
Your technical standards should cover the requirements outlined in 201 CMR 17.00, but it is also good business sense to analyze any foreseeable risks to personal information and come up with a plan to eliminate or reduce those risks. The controls selected should be in proportion to the amount of data held and the risk involved. A small organization that stores only the personal records of its own employees should ensure that the information is kept under lock and key and handled so that it cannot be lost or stolen. Organizations handling large amounts of personal data, including sensitive customer information, need to put more stringent controls in place, such as real-time monitoring.
What makes 201 CMR 17.00 most notable, however, is its risk-based approach to compliance. The Massachusetts approach is at odds with the prescriptive approach taken by PCI DSS, which mandates the same controls regardless of the quantity of card data or transactions. The risk-based approach in the Massachusetts regulation stems from concerns about the cost to small businesses of securing information. The lack of legal precedent and, to some degree, the lack of knowledge about which controls are appropriate for a given risk level may make this approach confusing for some companies, though it is undoubtedly the best approach from a security perspective.
Do you think the risk of confusing businesses is more than made up for by the better security practice? Leave a comment here, or let us know what you think @SecureThinking on Twitter.
