hover animation preload hover animation preload hover animation preload
wordpress post entry title background
MA 201 CMR 17
post entry title background
wordpress post entry meta background
post entry date iconTuesday, February 10, 2009
post entry comments background
By Hugh Garber - 848 views

Are you familiar with MA 201 CRM 17?
If not, don’t worry…. you will be soon.
MA 201 CRM 17 is the new Massachusetts Data Protection regulation that goes into effect on May 1, 2009. This new compliance regulation will require that companies doing business with Massachusetts residents comply with stringent data protection requirements.
Every company, business partner and service provider that owns, licenses, stores, handles and/or maintains personal information about a resident of Massachusetts will need to meet set standards for protecting personal information of Massachusetts residents – whether that business is located in MA or not.
Nice to see Ipswitch out in front of the 201 CRM 17 regulation, already stating that their WS_FTP and MOVEit secure managed file transfer solutions will enable companies to comply with MA 201 CRM 17.
Here are the details from the Mass.gov website.
IMHO, this is comforting news for all us Massachusetts residents, assuming it’s actively enforced. I’m sure we’ll all be hearing more about MA 201 CMR 17 in the coming months….. Stay tuned!

No related posts.

Tags:
  • 2 Comments
  • P from Compliance Help
    June 23, 2009 15:07

    Hugh,
    Actually the date for compliance has been pushed back to January 1st, 2010. There is also a bill in the Massachusetts state senate, SB 173, that would tone down some of the technical requirements and the extra requirements on industries that already have strong security compliance standards.
    SB 173 would also only apply to companies based in Massachusetts — I think this may have come out of some complaints from the Attorney General’s office that the rules would be difficult to enforce on out-of-state businesses.

    Patrick Engelman
    Compliancehelp.net


    Reply
  • Tom Considine, CIPP
    July 23, 2009 18:35

    Compliance with 201 CMR 17 doesn’t have to be difficult or complex, it requires a plan of attack and a little bit of knowledge or training to accomplish your goals.

    Below are my procedures to help you begin the development of your Computer Systems Security Portion of your Written Information Security Program (WISP), it starts with the Risk Assessment survey.

    Some of you may have seen the below post from another group regarding 201 CMR 17. If you have, nothing’s changed…

    I would start the process by asking some simple questions.

    Physically-where is the data kept and how do you protect it from unauthorized access? If it’s on paper or media like a CD or tapes how do you keep track of who has access to it during normal daily operations? How and where do you store it when it’s not in use? How do you decide who has/needs access to it and who doesn’t need access to it? How do you destroy it when it’s no longer needed? Are your team members given security awareness training so they are aware of the threats to your business? Do you check your trash to make sure that protected data is not mistakenly discarded?

    Logically- If you have some or no established programs at all, you “MUST” conduct a risk assessment survey identifying; what sensitive information you have, where you have it, and how you plan to protect it.

    If the data is on a desktop or network what protective measures are in place? Do you use a firewall and antivirus protections? What are your policies on patches and hot fixes that the hardware and software manufacturers recommend for known vulnerabilities? Do you have a password policy? Is the physical security of the spaces containing ADP adequate? How often do you read your logs, or audit who has been accessing the protected data and how are they using it?

    After you complete all the tasks above; you have just completed your ADP risk assessment! Now you implement the procedures necessary for identified risks based on industry best standards.

    * Document as a policy the procedures how staff members are to utilize ADP in their day-to-day operations.
    * Train your staff on the procedures established, and what’s expected of them, don’t forget to have them sign an acknowledgement of understanding, which includes disciplinary actions for failure to adhere to the requirements of the policy.

    Congratulations! You have just created one portion of your Written Information Security Program (WISP).

    Bottom line is; if you don’t ask questions on how the protection process works, can you have any confidence that your business will survive even if it is never audited? The law just requires that you take common sense steps to protect the information that your customers have entrusted to you.

    Properly conducting the risk assessment, combined with some solid Lean Six Sigma practices, you will reduce duplicated operations and storage of unnecessary PI which helps to protect your business.

    If some, none, or all of this makes any sense to some of you reading it, and you’d like to learn more on simplifying the compliance process, visit our website at http://www.TCIPP.com.

    I Hope this help you get on the right road to compliance!

    Regards,

    Tom Considine, CIPP
    Tom Considine & Associates
    Information Privacy Professionals


    Reply
  • Leave a Reply
    CAPTCHA Image
    *


Welcome to File Transfer Planet!

Formerly FTPplanet.com, we have redesigned and relaunched as FileTransferPlanet.com, a community site for discussions about file transfer, web design, software deals, and other cool topics! Registration is free -- Post a question in the Discussion Forums or comment on any blog posts.

Lets Get Social!

Follow us on Twitter

Newsletter Signup

FTPplanet Archives

Recent Tweets