Mass 201 CMR 17: A Survival Guide for the Anxious

Security experts offer tips for navigating Mass 201 CMR 17. Will your business be ready?

FRAMINGHAM, Mass. -- David Escalante has as much cause as any IT security practitioner to be nervous about Mass 201 CMR 17, the tough Massachusetts data protection requirements organizations must comply with by Jan. 1, 2010.

As director of computer policy and security at Boston College, he oversees the security of a computer network accessed daily by some 10,000 students who storm the campus after Labor Day with myriad personal computing devices loaded with any number of sinister programs. (See Six Essential Steps to Secure Academia.)

Yet he was cool and calm during a CSO Executive Seminar on Mass 201 CMR 17.00 Thursday, as were the other legal and security experts on hand.

The reason -- they're reasonably confident most companies will survive this latest compliance push unscathed. And why not? Many of the provisions are basic best practices other government regulations and industry standards have required for years.

That's not to say this is a piece of cake. Compliance doesn't always ensure security. The Hannaford supermarket chain learned this the hard way after suffering a data breach despite all the PCI DSS compliance work it had done.

And so the seminar speakers tried to give attendees a clearer picture of what's needed. Among the advice -- have a plan on the shelf that outlines who will do what in the event of a data breach, and invest time and money in awareness campaigns that won't put employees to sleep.

"Much of this you should be doing anyway," Escalante said. "If you follow best practices such as those outlined in things like Cobit and ISO 17799, you WILL be okay."

High anxiety

Despite the calmness described above, few challenges have been more worrisome to IT security practitioners than meeting all the requirements of Mass 201 CMR 17.

With a Jan. 1 compliance deadline, companies are scrambling to make sense of exactly what needs doing in the next five months, and where the security controls they installed for previous regulatory requirements may or may not fit in.

(See also: Mass. 201 CMR 17: The Darkness and the Light)

Issued last September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create "an electronic gatekeeper" between the data and the outside world that only allows authorized users to access or transmit data.

Because of the ongoing economic crisis and concern from companies that need more time to digest the provisions, the compliance deadline has been moved twice. First it was moved from Jan. 1, 2009 to May 1, 2009. Companies now have until January 2010 to have all their security ducks in a row -- see Mass. Data Protection Law Amended, Deadline Extended (Again).

Security that's more than just academic

Escalante described how his organization is trying to meet the challenge with a program heavily focused on identity and access management, encryption and having an incident response plan to quickly and calmly deal with any security breach that may happen despite his organization's best efforts.

Regarding the incident response plan, he said, "You need to have a plan that's clear about who will be called and who will do what in the event of a breach."

His security program also includes:

  • A serious awareness effort: Escalante said it's vital to help employees understand why security is important to them. "It has to be about more than saying 'here's a policy, here's how it works.' That'll only put them to sleep," he said. An excellent example of an awareness program, he said: The ID theft commercials CitiBank was using a few years ago.
  • A vigorous scanning program: Even if users are made super-aware of the dangers, Escalante said people are still bound to be carrying forbidden programs on their work machines. "Having told people to get rid of all unnecessary data, we started scanning computers of employees who legitimately thought they eliminated what they were supposed to, and scanning determined they had not."
  • A migration process: As much as possible, he said, the goal is to move information "off of all these USB sticks and other devices" and onto one secure location.
Despite all these measures, chances of a breach are still fairly high, he said.

"A big problem in the last 2 years is the inability of technology to really keep people secure from botnets and such," he said. "Despite all the controls in place, we still find a machine every couple days that's caught up in a botnet." (See Botnets: 4 Reasons It's Getting Harder to Fight Them)
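The scanning step Escalante describes above, rechecking machines after users were told to delete unnecessary data, is straightforward to automate. The following Python scanner is an added illustration for this article, not Boston College's tooling or anything shown at the seminar: it walks a directory tree and flags files that still contain SSN-formatted numbers or Luhn-valid payment-card numbers, two of the data elements that make a record "personal information" under the regulation. The regular expressions, the file suffixes it reads and the sample files it constructs are assumptions made for the example.

```python
"""Data-discovery scan for residual personal information.

Added example for this article, not Boston College's scanner. It walks a
directory tree and flags files that still contain SSN-formatted numbers or
Luhn-valid payment-card numbers. The patterns, the file suffixes read and
the sample files are assumptions made for the illustration.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# SSN in AAA-GG-SSSS form, excluding the area/group/serial values the SSA
# never issues (area 000, 666 or 9xx; group 00; serial 0000). The lookarounds
# stop the pattern from matching inside a longer digit/dash run.
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)

# Payment-card candidates: 4-4-4-4 groups, 4-6-5 groups (Amex style) or a
# bare run of 13-19 digits. Candidates are confirmed with the Luhn checksum.
CARD_RE = re.compile(
    r"(?<![\d-])(?:"
    r"\d{4}(?:[ -]\d{4}){3}"
    r"|\d{4}[ -]\d{6}[ -]\d{5}"
    r"|\d{13,19}"
    r")(?![\d-])"
)


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return SSN matches and digits-only card numbers that pass Luhn."""
    hits: Dict[str, List[str]] = {"ssn": SSN_RE.findall(text), "card": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits["card"].append(digits)
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> Dict[str, Dict[str, List[str]]]:
    """Scan text-like files under root; return {relative path: hits} for files with findings."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue               # unreadable file: skip; a real tool would log it
        hits = find_pii(text)
        if hits["ssn"] or hits["card"]:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files: two with residual personal information, one with
# look-alike numbers only (a phone number, a date, a Luhn-failing reference).
SAMPLE_FILES = {
    "hr/benefits_2008.txt": "Employee: Jane Doe\nSSN: 078-05-1120\nBadge: 000-12-3456\n",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "notes/readme.txt": "Ticket 4155 opened 2009-08-14\nCall 617-555-0100\n",
}


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Write the sample files to a temporary tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for kind, values in hits.items():
            for value in values:
                print(f"{rel}: {kind} {mask(value)}")
```

The report masks every value it prints, since a scan log full of cleartext SSNs would itself be a record the regulation covers. The Luhn check is what keeps order numbers and other long digit strings out of the findings; the SSN pattern has no checksum, so its exclusions of never-issued area, group and serial values are the only filter and false positives on that side need human review.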

The legal perspective

Experts at the event also sought to clarify the language of the law. Matt Karlyn, senior counsel at Foley & Lardner in Boston, has spent an increasing amount of his time helping companies navigate the language of the Bay State's data breach law. He insisted it's not as hard as one might think.

"Go back to your offices and print out the law," he said. "It's not hard to read. It really is a checklist. Take the panic out of it."

For him, some of the big takeaways are that organizations must designate responsible employees to maintain a comprehensive security program; must identify risks to the security, confidentiality and integrity of the information one holds; must develop employee security policies; and must impose disciplinary measures for violations.

"You can't just have a policy that says if you break policy we will do X. You must DO X," he said. "You must follow through. Be prepared to fire someone [if that is what your policy dictates]."

He said the law is also clear that companies must restrict physical access to records, conduct regular monitoring and conduct annual reviews of security. For breaches, it's crucial to document the responsive actions taken.

Karlyn also sought to make clear something he doesn't think all organizations understand -- that this law is not just one affecting companies inside the Bay State.

"This applies to all who carry personal information of Massachusetts residents," he said. "If so, this applies to you no matter where in the world you are."

Copyright © 2009 IDG Communications, Inc.
