201 CMR 17 – Massachusetts’ New Regulation E-mail
Written by Barry MacQuarrie CPA.CITP   
Friday, 26 June 2009 14:14



Massachusetts has set the gold standard when it comes to privacy regulations.    Their new regulation, 201 CMR 17, is entitled Standards for The Protection of Personal Information of Residents of the Commonwealth and can be found here.  The regulations apply to “all persons that own, license, store or maintain personal information about a resident of the Commonwealth”.

Essentially, the regulations apply to any company that employs residents of Massachusetts and any CPA firm that prepares returns for Massachusetts residents.  The requirements of the regulation are comprehensive and will require organizations to devote significant amounts of time, money and energy to ensure compliance.

If the new regulations apply to your firm, you must review the regulation, determine how it impacts your organization, and implement the technologies required to ensure compliance.  The regulations require that you develop and maintain a comprehensive written information security plan.  In addition, you may need to implement technologies that include secure client communications, drive encryption, an “up-to-date firewall”, virus protection and “secure user authentication protocols”.

The effective date for the new regulations is January 1, 2010.


Barry MacQuarrie CPA.CITP
About the author:

Barry MacQuarrie, CPA.CITP, is the director of Technology Solutions for KAF Financial Group (www.kafgroup.com)  in Braintree, Mass. As the CPA Firm Workflow Expert for The Progressive Accountant, he often writes about the technologies used by CPA firms, including paperless office solutions, workflow applications, security applications and document management software.

Comments (5)
Steps to Complying with 201 CMR 17 Requirements
5 Thursday, 23 July 2009 23:38
Thomas Considine, CIPP
Compliance with 201 CMR 17 doesn’t have to be difficult or complex; it requires a plan of attack and a little bit of knowledge or training to accomplish your goals.

Below are my procedures to help you begin development of the Computer Systems Security portion of your Written Information Security Program (WISP); it starts with the Risk Assessment survey.

I would start the process by asking some simple questions.

Physically-
* Where is the data kept and how do you protect it from unauthorized access?

* If it’s on paper or media like a CD or tapes how do you keep track of who has access to it during normal daily operations?

* How and where do you store it when it’s not in use?

* How do you decide who has/needs access to it and who doesn’t need access to it?

* How do you destroy it when it’s no longer needed?

* Are your team members given security awareness training so they are aware of the threats to your organization?

* Do you check your trash to make sure that protected data is not mistakenly discarded?

Logically-
If you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying what sensitive information you have, where you have it, and how you plan to protect it.

* If the data is on a desktop or network what protective measures are in place?

* Do you use a firewall and antivirus protections?

* What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities?

* Do you have a password policy?

* Is the physical security of the spaces containing ADP adequate?

* How often do you read your logs, or audit who has been accessing the protected data and how are they using it?

After you complete all the tasks above, you have just completed your ADP risk assessment survey!

Now implement the procedures necessary for identified risks based on industry best standards.

* Document as a policy the procedures for how staff members are to utilize ADP in their day-to-day operations.

* Train your staff on the procedures established and what’s expected of them. Don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.

Congratulations! You have just created one portion of your Written Information Security Program (WISP).

Bottom line is: if you don’t ask questions on how the protection process works, can you have any confidence that your business will survive even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you.

By properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations by staff and unnecessary storage of Personal Information which helps to protect your business.

If some, none, or all of this doesn't make any sense to some of you reading it, and you’d like to learn more on simplifying the compliance process, visit our website at www.TCIPP.com.

I hope this helps you get on the correct path to compliance!

Regards,

Tom Considine, CIPP
Tom Considine & Associates
Information Privacy Professionals
201 CMR 17 Compliance Requirement
4 Thursday, 23 July 2009 22:43
Tom Considine, CIPP
Barry,
Thank you for your write up to assist the community.
If you will, I would like to do my part to assist.

Compliance with 201 CMR 17 doesn’t have to be difficult or complex; it requires a plan of attack and a little bit of knowledge or training to accomplish your goals.

Below are my procedures to help you begin the development of the Computer Systems Security portion of your Written Information Security Program (WISP); it starts with the Risk Assessment survey.

Some of you may have seen the below post from another group regarding 201 CMR 17. If you have, nothing’s changed...

I would start the process by asking some simple questions.

Physically-where is the data kept and how do you protect it from unauthorized access? If it’s on paper or media like a CD or tapes how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has/needs access to it and who doesn’t need access to it? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?

Logically- If you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying what sensitive information you have, where you have it, and how you plan to protect it.

If the data is on a desktop or network what protective measures are in place? Do you use a firewall and antivirus protections? What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how are they using it?

After you complete all the tasks above, you have just completed your ADP risk assessment! Now you implement the procedures necessary for identified risks based on industry best standards.

* Document as a policy the procedures for how staff members are to utilize ADP in their day-to-day operations.
* Train your staff on the procedures established and what’s expected of them. Don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.

Congratulations! You have just created one portion of your Written Information Security Program (WISP).

Bottom line is: if you don’t ask questions on how the protection process works, can you have any confidence that your business will survive even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you.

By properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and storage of unnecessary PI, which helps to protect your business.

If some, none, or all of this makes any sense to some of you reading it, and you’d like to learn more on simplifying the compliance process, visit our website at www.TCIPP.com.

I hope this helps you get on the right road to compliance!

Regards,

Tom Considine, CIPP
Tom Considine & Associates
Information Privacy Professionals
A Web site provider who abides by 201 cmr 17
3 Thursday, 09 July 2009 18:12
Kyle Anderson
I'm a CPA in MA who recently signed up with www.emochila.com to provide my firm's website. After doing the proper research, I found that their data was stored under updated encryption behind user-authenticated portals. It was a pretty easy way for me to make sure my firm was compliant with the law, and design a site to boot.
SB 173 has potential to weaken 201 CMR 17
2 Wednesday, 08 July 2009 13:33
Patrick Engelman from www.compliancehelp.net
Along with the appointing of a new Undersecretary of the Office of Consumer Affairs and Business Regulation there seems to be new impetus behind Senate Bill 173 which would weaken 201 CMR 17's technical requirements.

It would add new language saying that "industry standard" security measures need to be in place and remove pretty much all of the specific requirements (encryption, secure passwords, firewalls, antivirus, etc). It would also say that industries which have existing privacy compliance standards (i.e. banks, HIPAA compliant health care organizations, etc) would be exempted from the law.

At compliancehelp.net we are eagerly following the news, because we sell a very affordable compliance kit for small businesses in Massachusetts which includes easy-to-follow instructions and templates for all the required paperwork.
Importance of understanding the effect of the regulation
1 Friday, 26 June 2009 18:15
Julia Mak
Great article! It is absolutely critical that CPA firms and all businesses pay attention to a lot of the details involved in this new regulation, which is said to be the most stringent data protection regulation in the nation for all of the requirements involved.
