In a couple of posts and presentations I have taken shots at one of the supporting documents the Commonwealth of Massachusetts has published to assist in complying with 201CMR17.00, the "Small Business Guide For Formulating A Comprehensive Written Information Security Program ". Maybe it is time to elaborate (emphasis below is mine):
On page three there is a section which begins "Employment contracts must be amended immediately..." Amending contracts "immediately" seems problematic and potentially burdensome- unless 201CMR17.00 somehow invalidates employment contracts, both parties will need to agree to renegotiate and re-sign the contract.
On page four, there is a section which states "Electronic access to user identification after multiple unsuccessful attempts to gain access must be blocked." As good an idea as this is, there are many systems which do not support this, it may not always be practical or even possible.
Later on page four, in the section beginning with "A terminated employee’s physical...", the end of the section states "The Data Security Coordinator shall maintain a highly secured master list of all lock combinations, passwords and keys." Maintaining a list of combinations and keys is a great idea, maintaining a list of passwords is a very bad idea.
And the really stupid one, on page five, the seventh bullet point begins "Visitors’ access must be restricted to one entry point for each building in which personal information is stored, and visitors shall be required to present a photo ID, sign-in and wear a plainly visible “GUEST” badge or tag." Where to start- how about building codes, possibly fire codes (although they are generally more interested in egress), simple feasibility, or maybe common sense. Any mall is a "building in which PI is stored", and even in the small businesses this guide is designed to assist there are similar issues. I would hate to see the AG use the same interpretation for enforcement.