MA 201 CMR 17.00 Personal Information Protection Standards

Massachusetts 201 CMR 17.00 - Standards for the Protection of Personal Information of Residents of the Commonwealth

For MA 201 CMR 17 Compliance,you can purchase a professionally developed Written Information Security Program (WISP) for your business and have it ready to implement the next business day. You will receive the WISP in Microsoft Word format (via email delivery), as well as helpful guidance on how to properly implement the WISP and what controls in the WISP map to the MA 201 CMR 17 requirements.

For a reason to buy a Written Information Security Program (WISP), it is hard to beat an excerpt directly from the Massachusetts law itself since there is a legal requirement to obtain and implement a WISP:

MA 201 CMR 17.00: “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.”
 

MA 201 CMR 17.00 Compliant Written Information Security Program (WISP)

The Commonwealth of Massachusetts implemented a strict Information Security law (201 CMR 17.00), effective on March 1, 2010. MA 201 CMR 17.00 not only requires businesses to secure their networks, but they are responsible for ensuring their vendors / contractors are equally compliant and secure. MA 201 CMR 17.00 is broken up into two sections, the first explicitly dictating what roles and responsibilities are required from businesses; the second dealing with the more specific Information Security requirements that businesses must implement (please read the requirements of those two sections below).

Our Written Information Security Program (WISP) meets ALL of the requirements of MA 201 CMR 17.00 so any business that maintains Personally Identifiable Information (PII) on a Massachusetts resident could purchase and implement a WISP to become compliant with this new law.  ✓Easy to implement & tailored to your company
  ✓Policies are based on NIST 800-series and ISO 27000-series standards
  ✓Dozens of policies and standards specifically tailored for small to medium businesses
  ✓Covers the PCI DSS, GLBA, SOX, HIPAA, FACTA and more!
      - Identifies administrative, technical and physical controls
      - Provides standards for both assessing risk and hardening of networks and systems
      - Ongoing user education and security awareness training
      - Incident response procedures
      - Procedures to audit user accounts and deal with terminated employees
  ✓Includes many helpful forms to implement the WISP;
      - Employee acknowledgement forms
      - Appointment orders for an employee to be in charge of IT Security
      - Incident Response Plan (IRP) forms
      - Any more!! (see the example for more)

 

What Are the Requirements of the MA 201 CMR 17.00?

MA 201 CMR 17 Business Requirements - 17.03: Duty to Protect and Standards for Protecting Personal Information
(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated. 

(2) (a) Designating one or more employees to maintain the comprehensive information security program;
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(b)(1) ongoing employee (including temporary and contract employee) training; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(b)(2) employee compliance with policies and procedures; and 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(b)(3)means for detecting and preventing security system failures. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(e) Preventing terminated employees from accessing records containing personal information. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(f) Oversee service providers, by: 

(2)(f)(1) Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(f)(2) Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP MA 201 CMR 17


MA 201 CMR 17 Security Requirements - 17.03: Computer System Security Requirements
Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements: 

(1) Secure user authentication protocols including: 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(1)(a) control of user IDs and other identifiers;
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(1)(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(1)(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(1)(d) restricting access to active users and active user accounts only; and 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(1)(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2) Secure access control measures that: 

(2)(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(2)(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(5) Encryption of all personal information stored on laptops or other portable devices; 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. 
  ✓MA 201 CMR 17.00 requirement covered by the WISP

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
  ✓MA 201 CMR 17.00 requirement covered by the WISP

Sort by:

Sign up for our Newsletter!

×
×