Compliance with 201 CMR 17 doesn’t have to be difficult or complex; it requires a plan and a bit of knowledge or training to accomplish your goals.
Below are my procedures to help you begin developing the Computer Systems Security portion of your Written Information Security Program (WISP). It starts with the risk assessment survey.
I would start the process by asking some simple questions.
Physically: where is the data kept, and how do you protect it from unauthorized access? If it’s on paper or on media such as CDs or tapes, how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has or needs access to it and who doesn’t? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?
Logically: if you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying what sensitive information you have, where you have it, and how you plan to protect it.
If the data is on a desktop or a network, what protective measures are in place? Do you use a firewall and antivirus protection? What are your policies on the patches and hot fixes that hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how they are using it?
After you complete all the tasks above, you have just completed your ADP risk assessment! Now you implement the procedures necessary to address the identified risks, based on industry best practices.
* Document, as a policy, the procedures staff members are to follow when using ADP in their day-to-day operations.
* Train your staff on the established procedures and what’s expected of them. Don’t forget to have them sign an acknowledgement of understanding that includes the disciplinary actions for failure to adhere to the policy’s requirements.
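The audit question in the survey above (who has been accessing the protected data, and how) is the one that produces evidence rather than a policy document. As an added example, not code from the original post, here is a small Python review of constructed access-log lines against an authorization list; the log format, the store and user names, the business hours and the bulk-read threshold are all assumptions.

```python
# Added example: audit who is reading protected data (PI) against the list of
# who is authorized to read it. Everything below is constructed for illustration;
# the log format, names, hours and threshold are assumptions, not from the post.
from datetime import datetime
from collections import Counter

# Assumption: each data store that holds PI, with the users authorized to read it.
AUTHORIZED = {
    "customer_db": {"jsmith", "akhan"},
    "hr_share": {"mlee"},
}

# Constructed sample log lines: "<ISO timestamp> <user> <store> <records read>"
SAMPLE_LOG = """\
2023-03-01T09:12:44 jsmith customer_db 3
2023-03-01T10:05:10 akhan customer_db 12
2023-03-01T23:40:02 jsmith customer_db 2
2023-03-01T11:30:00 tbrown customer_db 1
2023-03-02T14:00:00 mlee hr_share 250
2023-03-02T14:01:00 jsmith hr_share 4
"""

BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time (assumption)
BULK_THRESHOLD = 100           # records in one read that warrant a look (assumption)


def parse_line(line):
    """Parse one log line into (timestamp, user, store, records_read)."""
    ts, user, store, records = line.split()
    return datetime.fromisoformat(ts), user, store, int(records)


def audit(log_text, authorized=AUTHORIZED):
    """Return (findings, usage): findings are (kind, user, store) tuples with kind
    'unauthorized' (user not on the store's list), 'after_hours' (outside
    BUSINESS_HOURS) or 'bulk' (one read above BULK_THRESHOLD); usage counts
    records read per (user, store) so you can see how the data is being used."""
    findings = []
    usage = Counter()
    for line in log_text.splitlines():
        ts, user, store, records = parse_line(line)
        usage[(user, store)] += records
        if user not in authorized.get(store, set()):
            findings.append(("unauthorized", user, store))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", user, store))
        if records > BULK_THRESHOLD:
            findings.append(("bulk", user, store))
    return findings, usage
```

Each finding is a question for the data owner to answer (does this person need access, why at that hour, why that volume), which is exactly the "who has access and who doesn't" decision the survey asks you to make.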
Congratulations! You have just created one portion of your Written Information Security Program (WISP).
Bottom line: if you don’t ask questions about how the protection process works, can you have any confidence that your business will survive, even if it is never audited? The law just requires that you take common-sense steps to protect the information that your customers have entrusted to you.
By properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and the storage of unnecessary PI, which helps to protect your business.
If some, none, or all of this makes no sense to you, help is available. To learn more about simplifying the compliance process, visit our website at www.TCIPP.com.