Friday, October 30, 2009

diff MA 201 CMR 17.00

What changed in the latest "final" version of Massachusetts 201 CMR 17.00?  Here's what I see (emphasis is mine):

Under 17.02, Definitions

"Owns or licenses: receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

became

"Owns or licenses: receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

That's a big win, adding that little word "stores" to the mix.

Also in definitions:

"Service provider: any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation."

is now

"Service provider: any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that “service provider” shall not include the U.S. Postal Service."

This just reflects the change in definition for those who store data, moving them from the "service provider" category to the "owns or licenses" group.  The USPS exclusion seems redundant; the Commonwealth cannot impose regulations on federal agencies (especially that one).

17.03(2)(f)(2) changed from

"Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures, so long as the contract was entered into before March 1, 2010."

to

"Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information;  provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010."

And that's it.  No more changes.  See the previous version here for reference.

 

Jack

201 CMR 17.00, Final Version (really, I think)

The "Final" version (I think this is the third final version, but who's counting?) of Massachusetts 201 CMR 17.00 was released today.  I believe this is really final; I doubt that anyone has the stomach for more of the political process that crafted this regulation.  Below is the complete and unedited final version.  The changes seem subtle at first glance; I'll follow up once I have time to review and compare.

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Section:

17.01: Purpose and Scope

17.02: Definitions

17.03: Duty to Protect and Standards for Protecting Personal Information

17.04: Computer System Security Requirements

17.05: Compliance Deadline

17.01 Purpose and Scope

(1) Purpose

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

(2) Scope

The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.

17.02: Definitions

The following words as used herein shall, unless the context requires otherwise, have the following meanings:

Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted, the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Record or Records, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

Service provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.

17.03: Duty to Protect and Standards for Protecting Personal Information

(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to maintain the comprehensive information security program;

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:

1. ongoing employee (including temporary and contract employee) training;

2. employee compliance with policies and procedures; and

3. means for detecting and preventing security system failures.

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e) Preventing terminated employees from accessing records containing personal information.

(f) Oversee service providers, by:

1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010.

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

17.05: Compliance Deadline

(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

REGULATORY AUTHORITY

201 CMR 17.00: M.G.L. c. 93H

 

I expect that additional information will be posted to the OCABR site soon.  NOTE: they still have the old version of the regulation posted.
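Several of the 17.04(1) and (2) elements (active accounts only, lockout after repeated failures, no vendor-supplied default passwords, passwords kept in a form that does not compromise the data they protect) map directly onto a small authentication gate. The following is an added example, not part of the regulation text or of this post; the five-attempt threshold, the fifteen-minute lockout window and the list of default passwords are assumptions, since the regulation only says "multiple unsuccessful attempts" and "not vendor supplied default passwords".

```python
"""Minimal authentication gate modelled on 201 CMR 17.04(1)(c)-(e) and (2)(b).

Added example, not part of the regulation or the blog post. The numeric
thresholds and the vendor-default list are assumptions; the regulation
sets no numbers.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # assumed policy value for 17.04(1)(e)
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window
# Constructed list of vendor-supplied defaults refused under 17.04(2)(b).
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes            # stored only as a salted PBKDF2 hash (17.04(1)(c))
    active: bool = True       # inactive accounts are refused outright (17.04(1)(d))
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthGate:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock    # injectable so the lockout window can be exercised in a test
        self.audit = []       # (timestamp, user_id, event) records for 17.04(4) monitoring

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def _log(self, ts: float, user_id: str, event: str) -> None:
        self.audit.append((ts, user_id, event))

    def create_account(self, user_id: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique (17.04(2)(b))")
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-supplied default password refused (17.04(2)(b))")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(salt, password))

    def deactivate(self, user_id: str) -> None:
        """Terminated employees lose access (17.03(2)(e)); the record stays for audit."""
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked' and record the outcome."""
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            # Same answer for unknown and inactive IDs, so the response reveals neither.
            self._log(now, user_id, "denied: unknown or inactive account")
            return "denied"
        if now < acct.locked_until:
            self._log(now, user_id, "locked: attempt during lockout window")
            return "locked"
        if hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password)):
            acct.failed_attempts = 0
            self._log(now, user_id, "ok")
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            self._log(now, user_id, "locked: too many failed attempts")
            return "locked"
        self._log(now, user_id, "denied: bad password")
        return "denied"


def demo() -> list:
    """Walk one account through the lockout cycle on a fake clock; returns the outcomes."""
    clock = [1_000_000.0]
    gate = AuthGate(clock=lambda: clock[0])
    gate.create_account("alice", "correct horse battery staple")
    results = [gate.authenticate("alice", "correct horse battery staple")]            # ok
    results += [gate.authenticate("alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]  # denied x4, then locked
    results.append(gate.authenticate("alice", "correct horse battery staple"))         # still locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(gate.authenticate("alice", "correct horse battery staple"))         # ok again
    gate.deactivate("alice")
    results.append(gate.authenticate("alice", "correct horse battery staple"))         # denied
    return results


def rejects_vendor_default(password: str) -> bool:
    """True if create_account refuses the password as a vendor default."""
    try:
        AuthGate().create_account("probe", password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The audit list is what 17.04(4) "reasonable monitoring" would consume; in a real system it would go to a log sink rather than a Python list, and the lockout state would live in the same store as the account record so that it survives a restart.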

 

Jack

Monday, October 26, 2009

ROSI, not that nonsense again.

I recently listened to a panel discussion on the regulation which shall not be named and heard someone say something stupid (amazing, I know).  He tossed out some very large numbers of dollars that Hannaford Bros has lost and will likely lose in the future due to their breach; he said it could total up to one billion dollars over time- but that it could have been prevented with an expenditure of "only" ten million dollars.  I'm with him so far, even if I am skeptical of the accuracy of some of the figures.  Then he said that "ROI is the answer to your question" and I lost it.  This has nothing to do with ROI; there is no such thing as Return on Security Investment, which is what led to the development of FOI, a real metric.  But back to the case in question: losing a billion because you didn't spend ten million has nothing to do with ROI.  If you must play acronym bingo, it is a case of LoFtI (Loss on Failure to Invest).  Although LoFtI itself is bad, it is a valuable asset in the ITYS (I Told You So) budgeting process (assuming your company survives the loss).  So, what if they spent the ten million and nothing happened?  There's no tangible return on that.  What if you spent the ten million and something bad happened anyway?  That is FOI.

Can we say Hannaford didn't spend "enough"?  While some make that argument, I certainly will not.  How about the opposite- can we say Hannaford (ChoicePoint, TJX, Heartland, et al.) spent too much?  Well, not TJX, but that is a story best told over adult beverages.  But for the rest, there is a strong argument to be made for this, because what they spent didn't prevent breaches, and thus was a waste of resources (unless the expenditures prevented other breaches- but we can't really prove the negative).  At least we could argue that Hannaford and others spent money in the wrong places.  Yes, I'm talking in circles, which is all you can do if you talk about security solely in terms of money.  Security is about exposures, vulnerabilities, mitigations and much more.  Of course security costs money, but so does marketing.

Marketing, you say?  Yes, let's talk about marketing in comparison to security.  Marketing people try to provide the most effective programs possible for the money spent, and can measure the results in terms of leads per dollar, and then dig deeper into closing ratios, margins on closed deals, etc.  That is measurable ROI.  That kind of ROI can help steer effective future actions and expenditures.  That kind of ROI doesn't exist in information security.  (By the way, I am well aware that not all marketing expenses deliver measurable ROI).

I'm not suggesting that money isn't important, or that your security efforts shouldn't have value- but I am saying you cannot tell how blue the sky is with a yardstick.

 

Jack

Monday, October 19, 2009

Holding a grudge.

I should be over it by now, but I'm not. I can accept that 201 CMR 17.00 has been reduced to a feeble checklist which only provides real security in the form of political cover for OCABR, the Office of Consumer Affairs Abandonment and Business Regulation. I cannot accept OCABR's behavior during the process, however. The hearings were scheduled for weekday mornings in an inconvenient location in downtown Boston, an arrangement guaranteed to skew attendance to those with a business need or justification. The location and timing of the events were very effective at keeping average citizens (aka victims) from attending or speaking. I have to hand it to AIM, they did an outstanding job of educating their members and rallying the troops- and their arguments carried the hearings. Of course, it is generally easier to win when you are largely unopposed.

The first hearing I attended was in a too-small room; many people were left standing, more couldn't get in and left, or left once the sweltering and stagnant air in the room became too much for them. The most recent hearing was in a slightly larger room, but still nowhere near adequate- it was completely predictable, unacceptable, and avoidable with reasonable planning. In such situations you might expect those responsible to be apologetic for their failures; you would be mistaken to expect such from Undersecretary Anthony and her team. Just another embarrassment for the beleaguered Commonwealth.

I am also astounded that in the Commonwealth of Massachusetts, one of the most openly hostile business environments in the US, OCABR chose to abandon their responsibility to protect consumers and repeatedly caved in to business demands. Come on guys, be consistent in your hostilities.

The OCABR welcome page states "At OCABR, we are committed to protecting consumers through consumer advocacy and education." If you happen to believe that, please contact me about some sure-fire business opportunities I have available for a nominal investment. Prospectus is on display in a locked file cabinet in the dark basement of a local planning office. Disregard the "Beware of Leopard" sign.

Jack

Tuesday, October 13, 2009

Hot off the [virtual] presses

I recently mentioned NIST's draft document, "Small Business Information Security: The Fundamentals".  You will be happy (or at least you should be) to hear that the final document has been released.  The 146 KB, 20 page PDF is available at: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

After the introduction there are three main sections:

  • The “absolutely necessary” actions that a small business should take to protect its information, systems, and networks
  • Highly Recommended Practices
  • Other planning considerations for information, computer, and network security

Followed by three appendices/worksheets:

  • Identifying and prioritizing your organization’s information types
  • Identifying the protection needed by your organization’s priority information types
  • Estimated costs from bad things happening to your important business information

This is a simple, easy to understand introduction to information security, focused on the small business.  There is nothing earth-shattering here, just the basics.  You could easily pick apart some of the oversimplification or other shortcomings in this document- but that misses the point; this is not for the seasoned infosec or IT professional, this is a tool to help us get the message out to those who need it.

Take a look at it, and spread the word to those who can benefit from it.

 

Jack

Sunday, October 11, 2009

NAISG Updates

It's been a while since I wrote about NAISG- so it must be time for an update.  The original chapter in Boston has just kicked off its seventh year, and there are several other chapters running and a few forming.  The current list includes:

  • Atlanta, GA
  • Boston, MA
  • Chicago, IL
  • Connecticut River Valley
  • Dallas, TX
  • Houston, TX
  • Midland, MI
  • Orlando, FL
  • Seattle, WA
  • Washington, DC
  • Bangalore, India

A few highlights of upcoming meetings:

This week's Atlanta meeting is on Wednesday night, October 14 and features "The Girls of Errata", Elizabeth Wharton, VP Legal Affairs & Business Development, and Marisa Fagan, Security Project Manager.  The presentation is a Case Study Analysis: Social Networking ID Theft – Who You Gonna Call?  The meeting will be at Taco Mac Lindbergh, and starts at 7pm.  This pair delivered an outstanding presentation at Security B-Sides Las Vegas this summer and this one shouldn't be missed.  More details on Andy Willingham's Andy, IT Guy blog.

The Boston meeting will be the following night, Thursday the 15th, and will feature The Pursuit of Security "Happyness," presented by Mike Rothman, SVP Strategy & Chief Marketing Officer for eiQ Networks, Chief Blogger at Security Incite and author of the Pragmatic CSO.  The meeting will be at the usual location, Microsoft's Waltham offices.  Details at the NAISG Boston site.

And [drumroll, please] NAISG's newest chapter, in Houston, will hold their inaugural meeting on Monday, Nov. 2.  The presentation will be "Breaking Down the Enterprise Security Assessment" by Michael R. Farnum, CISSP.  There will be "Eating and Mingling", the Official Chapter Kickoff and a book giveaway as well as the presentation and Q&A.  The chapter will hold meetings at the Houston area Microsoft offices.  Details and directions are on their NAISG page.

Note- even though Microsoft provides a venue for many of the meetings, NAISG is not a "Microsoft" group.  Presentation topics span the spectrum of Information Security, regardless of venue- local Microsoft offices are simply generous with offers to provide meeting space for NAISG (and many other groups), and many chapters take advantage of this.

 

Jack

Saturday, October 3, 2009

A starting point

Starting with the fundamental idea that information security is supposed to "secure information", we first need to determine what information must be protected.  Here regulations may help specify, but there is much more information to protect in your environment than what is required- certainly confidential patient data and customer financial records must be protected, and not just because HIPAA or PCI DSS require it.  Your organization may also have trade secrets, marketing campaigns, merger plans or other information which should be protected regardless of regulatory imperatives.

A basic rule of protection is that you must know what you have and where it is before you can protect it- even if the folks at MA OCABR can't figure this out.  It doesn't matter if you need to defend jewelry from theft or credit card numbers from loss, you have to know where they are before you can protect them- so identifying the information you must protect is a logical first step towards both security and compliance.

The information to be secured will vary by organization and change over time, and therefore will require a flexible and versatile identification method.  One effective approach is to start by asking three questions about the information to be protected:

  • How does the information enter the environment?
    • Identify every point of entry for the information.
    • Include the origins of internally created information.
  • Where is the information stored and accessed internally?
    • Not simply where it is stored, but also where it is used.
    • Not just where it is supposed to be, but where it really is stored and used.
  • How does the information leave your organization?
    • Map every egress point, including submissions to any outside organizations.

Note that you will have to account for remote workers, road warriors, and other "insiders" who store and access information while "outside".

Now for the truly informative step: connect the dots.  All of the dots.  Map all of those entry and creation points to the storage points to the use points, and then to the egress points.  You will likely discover paths and storage locations previously overlooked, you may even need to go back and re-answer the three questions armed with your new insights.

With this exercise complete you can pick up the ClueBat and start cracking heads, that is, begin to build a plan for both securing the information and meeting your compliance goals.  Streamlining the information flow and reducing the number of storage points would be good starting points; these will reduce your exposure and simplify future security and compliance tasks.
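The three questions and the "connect the dots" step amount to building a directed graph of entry, storage, use and egress points and then walking it. Here is that exercise as an added example, not code from the post: the clinic inventory is constructed for illustration, and the two checks it runs are the ones the post says the mapping tends to surface, storage points whose onward path nobody can state and storage points whose origin nobody mapped.

```python
"""Data-flow inventory in the spirit of the post's three questions.

Added example, not part of the original post. The node and edge lists are a
constructed, hypothetical clinic; replace them with your own inventory.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Question 1 (entry), question 2 (storage/use), question 3 (egress) give each
# point a kind. Constructed sample inventory:
NODES: Dict[str, str] = {
    "web_intake_form": "entry",
    "fax_line": "entry",
    "ehr_database": "storage",
    "billing_share": "storage",
    "front_desk_laptop": "storage",     # a road warrior's device, "inside" data carried "outside"
    "old_export_folder": "storage",     # receives exports, no one knows what happens to them
    "spreadsheet_on_usb": "storage",    # feeds billing, but how did the data get onto it?
    "clinician_workstation": "use",
    "claims_clearinghouse": "egress",
    "backup_tape_offsite": "egress",
}

# Each edge is "information moves from here to there". Constructed sample edges:
EDGES: List[Tuple[str, str]] = [
    ("web_intake_form", "ehr_database"),
    ("fax_line", "front_desk_laptop"),
    ("front_desk_laptop", "ehr_database"),
    ("ehr_database", "clinician_workstation"),
    ("ehr_database", "billing_share"),
    ("billing_share", "claims_clearinghouse"),
    ("ehr_database", "backup_tape_offsite"),
    ("ehr_database", "old_export_folder"),
    ("spreadsheet_on_usb", "billing_share"),
]


def connect_the_dots(nodes: Dict[str, str], edges: List[Tuple[str, str]]) -> List[Tuple[str, ...]]:
    """Return every complete entry-to-egress path, sorted for stable output."""
    out = defaultdict(list)
    for src, dst in edges:
        out[src].append(dst)
    paths: List[Tuple[str, ...]] = []

    def walk(node: str, trail: List[str]) -> None:
        if nodes[node] == "egress":
            paths.append(tuple(trail))
            return
        for nxt in out[node]:
            if nxt not in trail:            # guard against sync loops between stores
                walk(nxt, trail + [nxt])

    for name, kind in nodes.items():
        if kind == "entry":
            walk(name, [name])
    return sorted(paths)


def find_gaps(nodes: Dict[str, str], edges: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Flag inventory items the map cannot explain.

    dead_ends: storage points with no onward edge (data arrives, but nothing says
               where it goes next or how it is disposed of)
    orphans:   non-entry points with no inbound edge (data is there, but nobody
               mapped how it got there)
    """
    has_out = {src for src, _ in edges}
    has_in = {dst for _, dst in edges}
    dead_ends = sorted(n for n, k in nodes.items() if k == "storage" and n not in has_out)
    orphans = sorted(n for n, k in nodes.items() if k != "entry" and n not in has_in)
    return {"dead_ends": dead_ends, "orphans": orphans}


if __name__ == "__main__":
    for path in connect_the_dots(NODES, EDGES):
        print(" -> ".join(path))
    print(find_gaps(NODES, EDGES))
```

The two gap lists are the "go back and re-answer the three questions" signal: each entry in them is either a storage point to eliminate (fewer storage points, less exposure) or an edge you have not yet discovered.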

 

Jack