201 CMR 17: Security Standards that Will Make You Hot!
by Trey James, Xcentric (February 20, 2010)

As of March 1, 2010, Massachusetts-based firms and those who maintain records on its residents (regardless of the state they’re based in) will be required to meet increased information security standards that will force many firms into their next major wave of technology management investments. With the passing of this legislation, you can be certain that other states will follow closely behind.

Here’s the Reader’s Digest version of what you need to begin preparing for:

Duty to Protect
With many of our current security management activities being reactive in nature, we will soon be required to proactively ensure the safety and security of private information.

201 CMR 17.00 stipulates that we have a “Duty to protect” the following:

• Personal information. (i.e. a resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number.)  

• Records. (i.e. written, drawn, spoken, visual, or electronic)

The firm must designate one or more employees to design, implement, and coordinate maintenance of a comprehensive written information security program. This program consists of identifying and assessing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.

This written plan must:
• be managed by one or more employees

• provide regularly scheduled employee training

• actively monitor compliance

• include properly upgraded and maintained systems (i.e. network, software, storage, etc.)

• provide for locked facilities with monitored access

• include telecommuting policies that address access and transport of private data

• require third-party vendor access procedures and requirements

• provide an inventory of all paper and electronic records, media, devices, etc.

• include documented procedures for post-incident responsive actions

Computer System Security Requirements
“Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:”

• complex passwords that contain greater than 7 characters and ideally include multiple special characters (such as: *!()$#@)

• access enabled for only active accounts and automatic blocking after multiple failed attempts

• restricted access to data based on job function requirements with disciplinary measures imposed for policy violations

• 128-bit (or higher) encryption of portable devices containing private data (USB drives, USB memory keys, corporately connected PDAs/smart phones, laptops, etc.)

• backup tapes must be encrypted; otherwise the use of armored guard or similar service is required

• monitoring and access logging of networks and systems for unauthorized access

• up-to-date patches and protection definitions on firewall(s), anti-virus, anti-spyware

• restricted physical access to systems containing private information and written access procedures that log access by all parties
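The password, account-blocking and access-logging elements above can be modelled in a few lines. The following is an added illustration, not code from the article or from Xcentric; the lockout threshold of five attempts and the reading of “multiple special characters” as two are assumptions, since the regulation text quoted here gives no numbers.

```python
import hashlib, hmac, os
from dataclasses import dataclass

SPECIAL = set("*!()$#@")   # the special characters the article lists
MIN_LEN = 8                # "greater than 7 characters"
MIN_SPECIAL = 2            # "multiple special characters"; two is an assumed reading
MAX_FAILURES = 5           # assumed threshold; the regulation sets no number

def password_meets_policy(pw: str) -> bool:
    """Length and special-character minimums from the list above."""
    return len(pw) >= MIN_LEN and sum(c in SPECIAL for c in pw) >= MIN_SPECIAL

@dataclass
class Account:
    salt: bytes
    digest: bytes
    active: bool = True    # "access enabled for only active accounts"
    failures: int = 0
    locked: bool = False

def _hash(pw: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are not plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class AccessGate:
    def __init__(self):
        self.accounts: dict = {}
        self.log: list = []    # every decision is recorded for later monitoring

    def add_account(self, name: str, pw: str, active: bool = True) -> bool:
        if not password_meets_policy(pw):
            return False       # weak passwords are rejected at creation time
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, _hash(pw, salt), active)
        return True

    def login(self, name: str, pw: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or not acct.active or acct.locked:
            self.log.append(f"DENY {name}: unknown, inactive or locked")
            return False
        if not hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True   # automatic blocking after repeated failures
            self.log.append(f"FAIL {name}: attempt {acct.failures}")
            return False
        acct.failures = 0            # a successful login resets the counter
        self.log.append(f"ALLOW {name}")
        return True
```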

If you don’t currently shut the door to your server room because “it gets too hot in there”, or the servers are located in a public area such as a hallway or copier/production room, compliance with this legislation will require that you either relocate the servers to a secure location or retrofit the existing location with adequate security and cooling. Most servers have an internal self-protection function that automatically and forcibly shuts them down when they reach a certain temperature, so proper cooling will be an essential concern.

Unless you can accommodate the janitorial schedules, you’ll need to be comfortable with the server room not being cleaned, since your cleaning crew will now need to be escorted into the server room by an authorized employee.

Pose these questions to your technology personnel:
• Is our firewall updated to the most current patch release?

• How many of our PCs and/or servers are running the latest security patches?

• Are our PCs and servers running the most current security definitions for anti-virus and anti-spyware?

• Is our wireless access encrypted using WPA2 or better?

• Are our tape backups encrypted and stored offsite in a secure location?

• Do our auditors store client data on USB sticks (or USB drives)? If so, are they encrypted?

• Do we have a written security policy?

Should the responses you receive fall short of giving you confidence, it may be time to get a head start on 201 CMR 17.

If your firm is based in Massachusetts, you’ll be thankful to know that the original compliance deadline of January 1, 2010 has been extended until March 1, 2010. Given that accounting firms have copious amounts of free time in the first quarter, the added grace will come in handy. Wahoo!  

Trey James is the co-founder and CEO of Xcentric, which specializes in IT solutions and certified networks for CPA firms. Trey brings 18 years of experience – a blend of executive, strategic, technical and operational roles including successful roles with the regional firms, local firms and leading IT consultancies to the profession. Trey was selected as one of the “Top 100 Most Influential People” in the accounting industry for 2009 by Accounting Today and as a “Top 40 under 40” honoree by The CPA Technology Advisor in 2006, 2007, and 2008. Trey can be reached at 678.297.0066 ext. 517 or at tjames@xcentric.com. For more about Xcentric, go to www.xcentric.com or follow them at blog.xcentric.com and www.twitter.com/xcentric. 



 © 2010 InfoTech Partners North America, Inc....your technology partner  (480) 706-1728
