I have heard quite a bit about the new Massachusetts Data protection law, so your question has caused me to spend...
some time studying the law and its expectations. It certainly is quite specific, but it also contains adequate guidance to build a fairly reasonable information security policy that you probably want to have in place anyway.
Because this is really a compliance issue, you should treat this like any other standard. Essentially, you need to have something in your security policy that "answers the question" posed by each line of 201 CMR 17. So, I'd suggest you first go line-by-line through the law and make sure that you have a clause, statement or rule in your WISP that addresses each of the requirements posed.
As I read through the law with your question in mind, I thought about a possible WISP structure that would satisfy the law; the outline below could also be a structure for PCI DSS or even the ISO 27001 or 27002 security standard requirements. In the following information security policy example, I've included where some of the sections of the law should be placed (e.g., 17.03 (2)):
Title: XXX Corporation Information Security Program
Purpose: To satisfy the requirements cited by the following: Massachusetts Data Protection Law 201 CMR 17 and PCI Data Security Standard and etc. (as applicable)
Scope: This program applies to all personnel, vendors and contractors performing work at XXX Corporation Definitions: (Use the exact same definitions from 201 CMR 17 (minimum) and PCI DSS and ISO 27001/2 (as appropriate).
Policy: The XXX Corporation management expects all personnel and business units of the XXX Corporation to ensure that all critical information used and held by the company is protected to assure its confidentiality, integrity and availability. In particular, this information security program shall apply to safeguarding sensitive, personal and customer information in both paper and electronic records from anticipated threats and hazards to the security and integrity of this information including unauthorized access, abuse, theft or inadvertent or unauthorized destruction. Exceptions to this policy are only permitted by the XXX Corporation CEO or manager designated by the CEO.
- Program responsibility – Designated manager/owner of the program
- 17.03(2)(a) – Designate security leadership by title (and by name in separate letter from CEO)
- 17.03(2)(h) – Monitor to ensure information security program Is effective
- 17.03(2)(i) – Annual review of security measures (document this review)
- Risk management
- 17.03(2)(b) – Identify and assess internal and external risks
- Handling exceptions
- Information protection, classification, handling and marking
- 17.03(2)(c) – Develop policies for storage, access and transportation of records
- 17.03(2)(g) – Restrictions on access to records containing personal records
- 17.04(2)(a) – Access to only what you need to know and do job
- 17.04(2)(3) – Encrypt all transmitted records with personal information
- 17.04(2)(5) – Encrypt personal info on laptops or other portable devices (e.g. USB drives)
- Access control
- 17.03(2)(e) – Terminated employees cannot access personal records within xx hours for hostile termination and xx days for friendly termination
- Vendor management and control
- 17.03(2)(f)(1, 2) – Vendor management and oversight
- 17.04(1) – User authentication
- 17.04(1)(a) – Control of user identification
- 17.04(1)(b, c) – Password management
- 17.04(2)(b) – Unique ID plus passwords
- 17.04(1)(d, e) – Restrict access to active users with need to know
- Change control and configuration management
- Personnel and training
- 17.03(2)(b)(1, 2) – Employee training, compliance
- 17.04(8) – Education and training
- Physical security
- Systems security management
- 17.04(6) – Firewall protection and patching
- 17.04(7) – Malware protection, patching, antivirus definitions
- Incident reporting and response planning
- 17.03(2)(j) – Document response plan for any security breach
- 17.03(2)(b)(3) – Detecting and preventing security system failures
- 17.04(4) - Monitor for unauthorized use or access of personal information
- Recovery planning
- 17.03(2)(d) – Discipline for failure to follow security program rules
Note: There is also a checklist from the State of Massachusetts (.pdf) to help ensure you meet the requirements in a policy document.
For more information:
- Whose in charge of the Mass. data protection law audits? Learn more in this expert response.
- Read more about interpreting "risk" in the Mass. data protection law.
Dig Deeper on Data privacy issues and compliance
Related Q&A from Ernie Hayden
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading
Which will be more likely to further your infosec career: A certification, or an advanced degree? Expert Ernie Hayden weighs in. Continue Reading
While employee termination may be necessary in cases of insecure conduct, most employees are more encouraged by the carrot than the stick when it ... Continue Reading