201 CMR 17.00 ESSENTIAL GUIDE

The Essential Guide for 201 CMR 17.00 Compliance

Back in 2009, Roy Avila, CEO of ITLNOW, identified a need to help small to medium size businesses comply with the challenges presented in the Code of Massachusetts Regulation 201 CMR 17.00. He has teamed with his longtime colleague, Joe Burns, to create The Essential Guide for 201 CMR 17.00 Compliance, a practical and cost-effective tool for facilitating the development of a company’s comprehensive written information security program consistent with the regulations.

The Guidebook contains the policies, procedures, best practices, forms, risk-based analysis, and tips from the Federal Trade Commission needed to facilitate the compliance process.

At that time, ITLNOW provided a hub for data security, including identity theft, fraud prevention, and consumer protection. Businesses and consumers both need a place to get reliable, unbiased information and help with information privacy. The guide assists companies in complying with the growing multitude of (somewhat overlapping) federal and state regulations for protecting consumer and personal information from identity theft and fraud.

We know, first-hand, what it’s like for a person to suffer identity theft.

Hundreds if not thousands of dollars in bounced checks and fraudulent charges, leading to canceled credit cards, dealing with law enforcement and all the other entanglements that go with it.

Millions of unsuspecting citizens, even as I write this, have had their identities stolen or their credit cards compromised. The havoc this problem can wreak upon an individual is relentless.

ABOUT THE AUTHOR

Joe Burns is an Information Technology veteran of more than 40 years. He has held senior IT leadership positions in such organizations as BankBoston, Prime Computer, and Iron Mountain. At Iron Mountain, he was instrumental in the architecture, development, and marketing of their Digital Archive service and Document Imaging and Management offerings.

Joe also founded a variety of companies that provided IT consulting, a PC-based human resource system, and document imaging and management solutions. He was asked to write The Essential Guide for 201CMR17 Compliance to help small to medium size companies implement a reasonable and cost-effective comprehensive written information security program (WISP) that is consistent with the requirements of the Code of Massachusetts Regulations (CMR) – 201CMR17.

ABOUT THE PUBLISHER

Roy Avila, CEO, ITLNOW, Inc., has been a long-time advocate for helping small to medium size businesses implement sound information security practices.

With The Essential Guide for 201CMR17 Compliance, Avila believes that finally the small business owner has been put on an equal footing with much larger organizations that have the built-in advantage of an IT infrastructure and the necessary capital to implement a comprehensive information security program.

ITLNOW, Inc. focuses on enabling businesses with the right tools for cost-effectively establishing best business practices for safeguarding sensitive corporate information, including but not limited to consumer and employee information.

ITLNOW is structured to bring competitive advantage to business through leading-edge information security programs.

MISSION STATEMENT

ITLNOW provides the business community with practical approaches to the complex challenges of protecting sensitive (essential) information assets from unauthorized access or use. We serve to demystify the techno-babble and legalese that surrounds information security. Terms such as SSL, AES, encryption, firewalls, intrusion detection and the like are all being used to scare and confuse the business owner, heightening fear, uncertainty, and doubt (FUD) while lining the pockets of the opportunists.

What is Information Security?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

The terms information security, computer security, and information assurance are frequently interchanged incorrectly. The differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration.

Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take – electronic, print, or other forms.

Computer security focuses on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.

Information assurance concentrates on the confidential information that companies of all sizes and industries amass about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on computers and transmitted across networks to other computers. Should confidential information about a business’ customers, employees, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.

Who is the Intended Audience for this Guidebook?

The Essential Guide for 201 CMR 17.00 Compliance is targeted at helping small to medium size businesses implement a reasonable and cost-effective comprehensive written information security program (WISP) consistent with the regulations for safeguarding the personal information (PI) of residents of the Commonwealth of Massachusetts. It has been our experience that companies which have ready access to capital, resources and technology will be able to comply easily with these and other identity theft and fraud regulations, whereas smaller businesses which do not have adequate levels of capital, resources, and/or technology are going to find it very challenging to meet the requirements of 201 CMR 17.00.

Focus on 201 CMR 17.00 Information Security

Please note that this Guidebook takes a relatively narrow view of the need for a company-wide comprehensive Information Security Program (ISP) by focusing the information security discussion solely on 201 CMR 17.00 requirements for protecting personal information (PI) from identity theft and fraud. However, we believe that this Guidebook could easily be expanded to form the basis for a much more encompassing approach to information security.

Business Need to Comply

Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.

Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this Guidebook will go a long way toward helping you keep personal information secure.

Contents: The Essential Guide for 201 CMR 17.00 Compliance

Who is the Intended Audience for this Guidebook?
Identity Theft This 5‐Year High
Business Need to Comply
201 CMR 17.00 Enforcement

Getting Started

  • Before you do Anything!
  • Office of Consumer Affairs Says, Size Matters!
  • What is Personal Information (PI)?
  • The Importance of Policies & Procedures
  • Policy Caveat!! Federal Trade Commission (FTC)
  • FTC Tip: Download Protecting Personal Information: A Guide for Business
  • MS Word: Helpful Hints for Completing Your WISP
  • Developing Your WISP is a 4‐Part Process
  • For Best Results – Follow the Guidebook

Part 1: Performing a Risk‐Based Analysis
Reminder – Continue to Follow the Guidebook

Part 2: Implementing and Documenting Your WISP
Section 17.03: Duty to Protect and Standards for Protecting…..
 Section 17.03: Eight (8) Steps to Implementing and Documenting….
 STEP 1: Storage, Access & Transportation of Personal Information
 STEP 2: Imposing Disciplinary Measures for Violating the WISP
 STEP 3: Preventing Terminated Employee from Accessing Personal….
 STEP 4: Overseeing Third‐Party Service Provider Policy
 STEP 5: Restricting Physical Access to Personal Information
 STEP 6: Monitoring the Effectiveness of Your WISP
 STEP 7: Annual Review of Your WISP
 STEP 8: Reporting Breaches
Section 17.04: Computer Systems Requirements
 Section 17.04: Eight (8) Steps to Implementing and Documenting….
 STEP 1: Secure User Authentication Protocols
 STEP 2: Implementing Secure Control Measures
 STEP 3: Encryption of Personal Information Transmitted Over Public….
 STEP 4: Reasonable Monitoring of Systems for Unauthorized Access…
 STEP 5: Encrypting Personal Information
 STEP 6: Firewall Protection and Operating System Security Patches
 STEP 7: Reasonably Up‐To‐Date Versions of Security Agent Software
 STEP 8: Educating and Training of Employees on the Proper Use of…
Part 3: Designating an Employee(s) to Maintain Your WISP
Part 4: Approving Your Business’ Information Security Program
Appendix
 What is Code of Massachusetts Regulation (CMR)
 Frequently Asked Questions Regarding 201 CMR 17.00
 201 CMR 17.00: Compliance Readiness
 Developing 201 CMR 17.00 Security Policies
 How to use the Sample Policies & Procedures in Your WISP
 Expert Websites
 Information Technology (IT) Project Management
Glossary
 201 CMR 17.00 Important Definitions
 Mobile Computing and Storage Devices
 Systems Administrator
 Administrator Rights or Privileges

Risk-Based Analysis for 201 CMR 17.00 Compliance

Overview

  • Risk-Based Analysis & Actions Planned Tables
  • IT Support Group can help Complete the Risk-Based Analysis!
  • Risk-Based Analysis Summary
  • Email Questionnaire Templates for Locating Personal Information
  • IT Support can Speed up Your WISP Development!

Information Security Program for 201 CMR 17.00 Compliance

  • Section 17.03: Sample Policies and Procedures
  • Storage, Access, and Transport of Records Containing Personal…
  • Imposing Disciplinary Measures for Violating Your WISP
  • Preventing Terminated Employees from Accessing Records…
  • Third-Party Service Provider Policy
  • Restricting Physical Access to Personal Information Policy
  • Storage of Personal Information in Secure Facilities Policy
  • Monitoring WISP Effectiveness Policy
  • <Monthly or Quarterly or Annual> Review of Business Practices
  • Requirements for Security Breach Notification under MGL Chapter 93H

Section 17.04: Sample Policies and Procedures

  • User Authentication Protocols Procedure
  • Secure Public Network Transmission Procedure
  • Secure Wireless Transmission Procedure
  • Monitoring for Unauthorized Access or Use Procedure
  • Encrypting Personal Information Procedure
  • Firewall Protection and Operating System Patches Procedure
  • System Security Agent Software Procedure
  • Importance of Personal Information Security Policy
  • Proper Use of the Computer Security System Policy

Designating an Employee(s) to Maintain Your WISP

Your WISP Support Documents

  • Employee Acknowledgement of <Your Company Name’s> WISP
  • <Your Company Name> Information Security Program Approval
  • Post-Incident Review (MS Word document)
  • Post-Incident Review (MS Word document – MS Table format)
  • Sample Letter: 201CMR17 Statement of Compliance

This Guidebook, related materials, and accompanying storage media contain the opinions and ideas of its author and publisher. It is sold with the understanding that neither the author nor its publisher is engaged in rendering legal, technical, accounting or other professional advice or services. If the reader requires such advice or services, a competent professional should be consulted.

Disclaimer:

This Guidebook, related materials, and accompanying storage media are designed to help businesses in their compliance efforts. The “Essential Guide for 201 CMR 17.00 Compliance” and related materials are not a substitute for compliance. They are tools to achieve compliance and need to be adapted to the particular circumstances of a particular business or individual handling “personal information” covered by this regulation. No warranty is made with regard to the accuracy or completeness of the contents herein, and both the author and the publisher specifically disclaim any responsibility for any liability, loss, or risk, personal or otherwise, which is incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this Guidebook or its related materials. At all times, the reader must keep in mind that wherever there is a conflict found between this guidebook and its related material and the provisions of 201 CMR 17.00, it is the latter that will govern.

Legal Notice

The right to use the material found in this guidebook, related storage media, and accompanying materials is granted only to licensed and registered purchasers as described in the copyright notice.

The information in this guidebook, related storage media, and accompanying materials is provided as a service to the business community in their efforts to comply with Massachusetts Regulation 201 CMR 17.00. They are tools to achieve compliance and need to be adapted to the particular circumstances of a particular business or individual handling “personal information” covered by this regulation. At the time of its publication, this guidebook, the other materials found on the related storage media and the accompanying materials are believed to be current, relevant, useful and appropriate for organizations concerned about establishing a comprehensive written information security program consistent with 201CMR17. Such information is nonetheless subject to change without notice. Although every reasonable effort has been made to ensure the accuracy, completeness, and relevance of the information contained herein, iComplyNow, a unit of ITLNOW, Inc., including its affiliates (such as the author), cannot be responsible for errors and omissions, or any party’s interpretations or applications of the ideas or words contained therein. It is sold with the understanding that neither the author nor its publisher is engaged in rendering legal, technical or other professional advice or services. If the reader requires such advice or services, a competent professional should be consulted. Neither the author nor iComplyNow, a unit of ITLNOW, Inc., makes any warranties, guarantees, or representations about the fitness for any purpose of the material found in this guidebook, related materials found on the storage media and accompanying materials. At all times, the reader must keep in mind that wherever there is a conflict found between this guidebook, related materials found on the storage media or accompanying materials and the provisions of Massachusetts Regulation 201 CMR 17.00, it is the latter that will govern.

© 2009-2010, Joe Burns.

An organization-specific license to copy, modify, and republish parts of this guidebook, related materials found on the storage media and accompanying materials for developing a comprehensive written information security program in compliance with Massachusetts Regulation 201 CMR 17.00 is granted only to registered purchasers. This material is for internal use only at licensed organizations and may not be remarketed or redistributed by the organization or its agents. A license is extended only to the purchasing organization (as recognized by a legal organizational name). Separate licenses are required for subsidiaries, affiliates, and other organizations if they have a legal name that differs in any way from the name of the licensee organization. Consultants, VARs, OEMs, and other third parties using this material on behalf of another organization must purchase separate licenses for each organization where this material is employed. Licensees are prohibited from using this material to develop substantially similar material or enhance other policy material if the resulting material will be published outside the licensee organization.

Permission to quote brief passages is granted to authors preparing a review for publication. Otherwise, no part of this material may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without the written permission of the publisher, except where permitted by law.
