B13 Network Security Solutions

Get Compliant with B13 Network Security Solutions

This is what B13 NSS will do for your SMB to ensure compliance with 201 CMR 17.00.

I will create a comprehensive, written information security program ("WISP") applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts ("PI").

The Components of a Comprehensive Written Information Security Program (WISP)

The WISP shall include administrative, technical, and physical safeguards for PI protection.

It will designate one or more employees or outside services to maintain and supervise WISP implementation and performance.

It will identify the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices that contain personal information.

One option for total compliance is to treat all your records as if they all contained PI.

The WISP will identify and evaluate reasonably foreseeable internal and external risks to paper and electronic records containing PI.

The WISP will include policies and procedures for when and how records containing PI may be kept, accessed or transported off your business premises.

The WISP will provide for immediately blocking terminated employees' physical and electronic access to PI records (including deactivating their passwords and user names).

I will take all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00.

I will take all reasonable steps to ensure that your third-party service providers with access to personal information are applying protective security measures to that personal information that are at least as stringent as those required under 201 CMR 17.00.

I will evaluate the effectiveness of current safeguards.

The WISP will include policies for regular, ongoing employee training, and procedures for monitoring employee compliance.

The WISP will include disciplinary measures for violators.
I will ensure the amount of PI that you collect in the course of business is limited to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations.

I will ensure the length of time that you are storing records containing PI is limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations.

I will assure that access to PI records is limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations.

Your WISP will specify the manner in which physical access to PI records is to be restricted.

I will institute a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary.

I will offer services to ensure security measures are reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records.

The WISP will detail the procedure for documenting any actions taken in connection with any breach of security; as well as the post-incident review of events and actions taken to improve security.
Requirements for Electronic Records

For access to Electronic Records containing Personal Information
I will institute secure authentication protocols that provide for:

  • Control of user IDs and other identifiers

  • A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)

  • Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect

  • Restricting access to PI to active users and active user accounts

  • Blocking access after multiple unsuccessful attempts to gain access

  • Secure access control measures that restrict access, on a need-to-know basis, to PI records and files

  • Assignment of unique identifiers plus passwords (which are not vendor-supplied default passwords) to each person with computer access, with those IDs and passwords reasonably designed to maintain the security of the access controls

  • To the extent technically feasible, encryption of all PI records and files that are transmitted across public networks or wirelessly

  • Encryption of all PI stored on laptops or other portable devices

  • Monitoring that alerts you to unauthorized use of or access to PI

  • On any system that is connected to the Internet, firewall protection and operating-system security patches to maintain the integrity of files containing PI

  • I will ensure you have up-to-date versions of system security agent software (including malware protection) and up-to-date security patches and virus definitions
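As an added illustration (not code from B13 NSS or from 201 CMR 17.00), the following Python sketch shows what three of the authentication items above look like when implemented: passwords stored only as salted PBKDF2 hashes rather than in a recoverable form, access restricted to active accounts, and lockout after a fixed number of failed attempts. The thresholds (five attempts, a fifteen-minute lockout, the PBKDF2 iteration count), the `AccountStore` class and its return codes are all assumptions chosen for the example; the regulation sets no specific numbers.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed policy values for this example; 201 CMR 17.00 leaves them to the WISP.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a storable record: random salt plus a PBKDF2-SHA256 digest.

    Only the salt and digest are kept, never the password itself, so a leaked
    record does not directly expose the credential.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


class Account:
    def __init__(self, record: Dict[str, object]) -> None:
        self.record = record
        self.active = True
        self.failed_attempts = 0
        self.locked_until: Optional[float] = None


class AccountStore:
    """Minimal in-memory user store with lockout (hypothetical example class)."""

    def __init__(self) -> None:
        self.users: Dict[str, Account] = {}

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = Account(hash_password(password))

    def deactivate(self, username: str) -> None:
        # Terminated employees lose access immediately; the record is not deleted.
        self.users[username].active = False

    def authenticate(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "inactive", "locked" or "denied"; `now` is injectable for tests."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            # Burn the same work as a real check so unknown users are not faster to probe.
            hash_password(password)
            return "denied"
        if not user.active:
            return "inactive"
        if user.locked_until is not None:
            if now < user.locked_until:
                return "locked"
            # Lockout expired: give the user a fresh set of attempts.
            user.locked_until = None
            user.failed_attempts = 0
        if verify_password(password, user.record):
            user.failed_attempts = 0
            return "ok"
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked_until = now + LOCKOUT_SECONDS
        return "denied"
```

The monitoring item in the list pairs naturally with this design: every "denied" and "locked" result is a point at which a real system would write an audit event, which is what makes repeated unauthorized access attempts visible.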