I previously talked about how the new "201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH" regulations might affect me and my customers. Here I'd like to take a closer look at what the regulations seem to require.
Please remember that I am not a lawyer and not a certified security expert. My purpose here is simply to raise questions that you and your customers may want to discuss with a lawyer, insurers and/or a security firm. As the fines for non-compliance could be quite large, this is not something you should ignore.
So, let's get started. The regulation starts off like this:
The interesting part here is that "the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data." Does that mean that there is going to be more lenience toward the "little guy"? There seems to be some indication of that, but I doubt it means that a Mom and Pop shop can just ignore this entirely.
OK, that's easy enough: George, this is your problem. Start documenting.
Now we start getting into areas where I'd have questions. Who is qualified to identify and assess "reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information"?
I have over 30 years' experience in computer systems and I know a lot more about potential risks than most of my customers do, but I don't think I'm fully qualified. What standards will be used here? Do you need to hire certified people?
OK, looks like some outs here. If you hired me before March 1st, 2010, it looks like neither of us need do anything. That can't be as simple as it sounds, though. If I have access to personal information that you store, I just can't imagine that you and I are exempt from all this just because you contracted with me before March 1st. That makes no sense.
Does that mean that servers holding personal information need to be in locked server rooms where nobody ordinarily has access? If so, does it mean that the door has to be locked all day long or only outside of business hours? I don't know.
Does this mean we need Intrusion Detection Systems or is this just human monitoring?
See Mike Desrosier's Incident Response article. My question: who does this? Is it the designated person referred to above, or does this need to be a security professional? Does it matter whether you are Jan's Card and Gift or T.J. Maxx?
What does "control of user id's" mean? Does it mean that Mary can't know Sam's login information? How about "secure user authentication protocols" - how secure? Obviously the hundreds of systems I know that have accounts with no passwords wouldn't comply. How about the systems where the admin password is written on a Post-It note tacked on the monitor? I think not.
Does this require enforced changing of passwords? Some people insist that it does, but I don't see that it actually says that. Does "technically feasible" let you off the hook if you are running a very old system that can't do those things?
So - no passwords tacked up on the wall. Login lockout - I can't think of too many systems that don't do that, but does that include VPNs? I know a lot of systems running simple PPTP VPNs - I don't know, but I'd guess that most of those couldn't meet these requirements.
Oh, and then there are the Samba systems that aren't authenticating against some other machine. Many of these are set up with shares that use "Connect as a different user" and a fixed name/password to make for easy access. Compliant? I'd guess probably not.
Now we are inside application software. Some apps have these user level controls, some don't. Most have their own internal password systems - do those systems and methods have controls and lockouts? Most don't. Should they? I don't know.
I know many a system where logins are related to a physical station. That is, if you are using the station nearest the front door, you are supposed to login as "pos1". Multiple people use that login and the system assigns resources like printers based on that. My guess would be that you can't do that anymore.
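The password, lockout, Samba-share and shared-station questions above are the kind of thing a consultant can at least audit for before the lawyers get involved. This is an added example, not code from the original post: it scans a constructed /etc/shadow sample and a constructed smb.conf sample (standard Samba keys only; the 90-day password age and the share names are assumptions) and flags empty passwords, accounts with no enforced password change, guest-accessible shares, and shares that force every connection onto one fixed identity.

```python
"""Audit constructed shadow and smb.conf samples for weak-authentication patterns."""
import configparser

# Constructed sample, not a real system's shadow file. Fields:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """root:$6$abc$hashedroot:19000:0:90:7:::
pos1::19000:0:99999:7:::
mary:$6$def$hashedmary:19000:0:99999:7:::
sam:!:19000:0:99999:7:::
"""

# Constructed smb.conf sample; every key is a standard Samba parameter.
SMB_CONF = """[global]
security = user
map to guest = Bad User

[public]
path = /srv/public
guest ok = yes

[invoices]
path = /srv/invoices
force user = posuser
valid users = mary sam

[hr]
path = /srv/hr
valid users = @hr
"""

def audit_shadow(text, max_age_days=90):
    """Return (user, problem) pairs for accounts that could still log in."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, pw, max_age = fields[0], fields[1], fields[4]
        if pw == "":
            findings.append((user, "empty password"))
        elif pw.startswith(("!", "*")):
            continue  # locked or no-login account: cannot be used to log in
        elif max_age == "" or int(max_age) > max_age_days:
            findings.append((user, "no enforced password change"))
    return findings

def audit_smb(text):
    """Return (share, problem) pairs for shares not tied to an individual user."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for share in cp.sections():
        if share == "global":
            continue
        if cp.get(share, "guest ok", fallback="no").strip().lower() == "yes":
            findings.append((share, "guest access"))
        if cp.has_option(share, "force user"):
            findings.append((share, "fixed identity"))  # one login for everyone
    return findings
```

Run both functions over your real files (root-only reads) and you get a short list to hand to whoever has to decide what "secure user authentication protocols" means for that site.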
Here's a big problem. You have users accessing a server and inputting or accessing personal information. If they are wireless, that's plain enough: you have to encrypt. If they are accessing it remotely from home or a hotel room, you have to encrypt. Encrypt to what standards? Is ROT13 encryption? OK, that's silly, but are older PPTP VPNs compliant? Older ssh? I don't know.
Again, is that Intrusion Detection Systems?
Is a $50 Linksys firewall compliant? How about if you've never updated the firmware?
There are many, many Multitech firewall appliances out there. Multitech no longer manufactures these. Does that matter?
OS security patches? What if you are running an old server where the vendors no longer provide patches? Are you required to upgrade? What if your application software won't run on a newer operating system? That's reality for many small businesses.
What is "reasonably up-to-date"? Three days old? Three weeks? Three months?
Is this just for the servers or (more likely) all systems that access the server? What about those VPN and ssh users - are you responsible for auditing their home operating systems? You obviously can't audit public access systems - how will you handle that?
Malware and virus protection? How exactly is that defined for Unix/Linux systems? What about very old Windows systems again?
Company meeting? Memo? Formal training by outside folks? Would this include janitors who might access that locked computer room? OK, that's maybe silly, but it is vague.
This law could cost small businesses a lot of money. At best it will be annoying, confusing and inconvenient.
As I said before, I suspect it will cause problems for small consultants also. As just about anything you do on a computer is likely to have security implications, companies may feel they need to hire larger firms with formally trained and certified security professionals on staff. The small consultant may not be able to afford the training and certifications necessary - or at least perceived to be necessary. Nothing here specifically says that I can't interpret and apply my best efforts to help someone comply, but a client concerned about compliance might not see it that way and honestly, I think they'd be correct to protect themselves in that way.
Some people have said that Massachusetts can't realistically enforce this law today. That is probably true, but I don't think it makes good business sense to ignore this on that basis.
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2012-06-30 Anthony Lawrence
Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them. (Gosser)