If you own or license personal information about a resident of the Commonwealth, you should already be familiar (and compliant, as of March 1, 2010) with the Massachusetts Data Security Regulations, set by The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).
While the Regulations themselves are best explained by Mr. Patrick Shea of HedgeOp Compliance in an earlier post of this blog, let’s take a moment to look at practical approaches to meeting (and exceeding) the requirements outlined in the Regulations. I will focus my post on the technological aspects of the Regulations, but make sure you also address the non-technology pieces, including risk identification and assessment, employee training, maintaining proper documentation, etc.
I would like to introduce you to what I call the C.I.A. of your data: Confidentiality, Integrity and Availability. As a business owner or IT gatekeeper you want to make sure that your data remains secure, accurate and readily available to your employees and investors. We will get back to data C.I.A. in a second.
The Regulations start by requiring the development of a comprehensive information security program. You can definitely start this process from scratch, but you might want to check out Cisco Systems’ Security Policy Builder. By answering a few simple questions about your business, Cisco’s web-based wizard will compile and email you a customized security policy. Although Cisco’s SPB is a terrific starting point for building your security policy, make sure you read through it, understand each section and modify it to fit your business, IT systems and needs.
After tackling the policy aspect, we are ready to implement our technological measures on the road to ensuring C.I.A.
Data Confidentiality
For our purposes, data confidentiality refers to defining who has the right to access business information or, more specifically, personal information regarding residents of the Commonwealth. Access to information deemed confidential should be granted on a “need-to-know” basis rather than as firm-wide, unrestricted access. To ensure data confidentiality, IT staff will most likely pick and choose from the following technologies:
Strong password policies:
Require employees to choose passwords that are hard to guess and to change them regularly. Where possible, use two-factor authentication systems.
Email encryption:
- Transport Layer Security (TLS) can be enabled on your email server and is used for encrypting email correspondence between your organization and trusted service providers that might be exposed to confidential information. Once enabled, TLS encryption is done by the servers without changes or burden on the employees. If you are a client of HedgeOp Compliance and would like to enable TLS encryption between your email server and ours, drop us a line and we will be happy to work with you on that!
- Secure Sockets Layer (SSL) can also be enabled on your public-facing servers, such as your email server, remote access server, extranet, etc. Whereas the TLS setup above encrypts communication between two participating mail servers, SSL encrypts data traffic between a server and a web browser (Firefox, Internet Explorer, etc.) on a remote computer. Websites that allow your employees to check their email remotely should definitely enforce SSL encryption.
- Another form of remote email access that is popular among managers and other road warriors is using the Microsoft Outlook email client to connect to the email server remotely. In this case, since internet traffic is unencrypted by default, we recommend enforcing the use of Remote Procedure Calls (RPC) over Hypertext Transfer Protocol Secure (HTTPS). RPC over HTTPS “hides” the RPC traffic exchanged between MS Outlook (client) and MS Exchange (server) inside an encrypted HTTPS tunnel, making the email data unreadable to anyone intercepting the connection.
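One practical check behind the server-to-server TLS item above: a mail server only encrypts the hop if the remote side advertises STARTTLS in its EHLO reply, and unless you configure your server to require TLS for a given partner domain, it will silently fall back to clear text when STARTTLS is missing. The script below is an added example, not code from the original post or from HedgeOp Compliance; it parses an EHLO reply, applies an enforced-versus-opportunistic delivery policy, and can probe a live server. The domain names, the partner list and the two sample EHLO replies are constructed.

```python
"""Check STARTTLS support on a mail server and apply a per-domain TLS policy.

Added example (not the post's own code). Domain names, the partner list and
the sample EHLO replies are constructed."""
import smtplib
import ssl

# Constructed: service providers that may receive confidential information.
# Mail to these domains must only leave over TLS; everything else is
# opportunistic (encrypt when the remote server offers it).
TLS_REQUIRED_DOMAINS = {"compliance-provider.example", "auditor.example"}

# Constructed EHLO reply bodies, in the shape smtplib.SMTP.ehlo() returns them
# (greeting on the first line, one extension keyword per following line).
SAMPLE_EHLO = b"mail.partner.example Hello\nSIZE 52428800\nSTARTTLS\nAUTH PLAIN LOGIN"
SAMPLE_EHLO_NO_TLS = b"mail.legacy.example Hello\nSIZE 10485760\nAUTH LOGIN"


def parse_ehlo_capabilities(ehlo_text: bytes) -> set:
    """Return the set of extension keywords (upper-cased) from an EHLO reply."""
    lines = ehlo_text.decode("ascii", errors="replace").splitlines()
    caps = set()
    for line in lines[1:]:          # line 0 is the server greeting
        words = line.strip().split()
        if words:
            caps.add(words[0].upper())
    return caps


def delivery_decision(recipient_domain: str, capabilities: set) -> str:
    """Decide how to deliver to a domain given the remote server's capabilities.

    'deliver-tls'   STARTTLS offered: upgrade the session, then deliver
    'deliver-plain' no STARTTLS, but the domain is not on the enforced list
    'defer'         enforced-TLS domain without STARTTLS: queue, do not send"""
    if "STARTTLS" in capabilities:
        return "deliver-tls"
    if recipient_domain.lower() in TLS_REQUIRED_DOMAINS:
        return "defer"
    return "deliver-plain"


def check_live_server(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Probe a real SMTP server (needs network access): does it offer STARTTLS,
    and which TLS version is negotiated with certificate verification on?"""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    result = {"starttls": False, "tls_version": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        if "STARTTLS" in parse_ehlo_capabilities(msg):
            smtp.starttls(context=ctx)      # raises if the certificate fails to verify
            result["starttls"] = True
            result["tls_version"] = smtp.sock.version()
    return result


if __name__ == "__main__":
    for domain, reply in [("compliance-provider.example", SAMPLE_EHLO),
                          ("compliance-provider.example", SAMPLE_EHLO_NO_TLS),
                          ("vendor.example", SAMPLE_EHLO_NO_TLS)]:
        caps = parse_ehlo_capabilities(reply)
        print(f"{domain:30} caps={sorted(caps)} -> {delivery_decision(domain, caps)}")
```

Run `check_live_server("mail.yourdomain.example")` from a machine that can reach port 25 to see what your own server (or a partner's) advertises; the `defer` outcome is the behaviour you want configured on the send connector for any domain that handles personal information.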
Storage level encryption:
- If your employees travel with their notebook computers, Hard Disk Drive (HDD) encryption should be used to make all hard drive data unreadable unless the correct password is provided. This ensures that even if a laptop is stolen or lost, the data on the drive is scrambled and remains unusable. Disk encryption comes in two main flavors: whole-disk encryption and container-based encryption. Whole-disk encryption comes standard with business laptops from leading manufacturers and is the recommended approach, as it encrypts the entire content of the hard drive. Container-based encryption lets you encrypt a subset of data (certain files and/or folders) inside a single encrypted file. The advantage of this approach is that the encrypted file can easily be moved from one computer to another, as long as the password to decrypt it is known.
- Backups are covered in the data availability section below, but while we are still on confidentiality it is worth noting that most modern backup programs on the market support password protection and encryption of backup data, whether it is stored on tape or on the network.
- Lastly, please remember the very popular way of accessing corporate email and files: smart phones. They come in all shapes and forms, named after all sorts of fruits, and they are very capable of connecting to your computer systems and storing information on large internal memory chips, beyond your network boundaries. Make sure that you only allow access from devices that support secure connections to your systems, phone-based encryption and, preferably, the option to accept a remote command to wipe the device should it get stolen or lost.
Enough about data confidentiality! It is time to protect the integrity of our data.
Data Integrity
Data integrity breaches occur when a person/system (either trusted or not) manipulates the data in an unauthorized way. Such manipulation either makes the data unusable or changes the original meaning/intent of the data.
- To maintain the integrity of your data, consider using permission-based access control and enable access auditing. The auditing feature will maintain an electronic audit trail showing who accessed files, when and how.
- It is also a best practice to keep all business files on your company servers rather than on dispersed computers. Maintaining a centralized repository for your data helps you control data confidentiality, lowers the risk of data integrity attacks and simplifies your backup, recovery and data availability planning.
- The Regulations also call for regular monitoring of your security program and procedures. To simplify and automate the monitoring process, a large selection of network monitoring applications is available on the market, and such a system can be implemented with relative ease. Monitoring systems are typically capable of checking the availability of your systems as well as reviewing the event logs on them. Noteworthy events are failed logon attempts and failed attempts to access restricted files. Once a monitored condition or event is found on the network, the monitoring application can notify the administrator via email, SMS or other means.
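To make the two "noteworthy events" concrete, here is an added example (not code from the original post, and not from any particular monitoring product) that reviews exported security-event lines and raises exactly those two alerts: a burst of failed logons against one account, and a denied access to a file under a restricted share. The line layout and the sample log are constructed; the Windows Security event IDs used (4625 for a failed logon, 4656 for an object handle request) are real, but the one-line-per-event format is not a native export format, so adapt `LINE_RE` to whatever your monitoring tool emits.

```python
"""Detect failed-logon bursts and denied access to restricted files in an
event export. Added example; log format, share names and sample lines are
constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625                 # Windows Security: an account failed to log on
OBJECT_ACCESS = 4656                # Windows Security: a handle to an object was requested
LOGON_THRESHOLD = 5                 # alert at this many failures per account ...
LOGON_WINDOW = timedelta(minutes=5) # ... inside this window
# Constructed: shares that hold personal information (need-to-know only).
RESTRICTED_PREFIXES = (r"\\FS01\HR", r"\\FS01\Investors")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\d+) (?P<result>SUCCESS|FAILURE) (?P<fields>.*)$")

# Constructed sample export: one event per line, key=value fields at the end.
SAMPLE_LOG = r"""
2010-03-01T09:00:00 SRV01 4625 FAILURE account=mjones src=10.0.0.12
2010-03-01T09:14:02 SRV01 4625 FAILURE account=jsmith src=10.0.0.45
2010-03-01T09:14:09 SRV01 4625 FAILURE account=jsmith src=10.0.0.45
2010-03-01T09:14:15 SRV01 4625 FAILURE account=jsmith src=10.0.0.45
2010-03-01T09:14:21 SRV01 4625 FAILURE account=jsmith src=10.0.0.45
2010-03-01T09:14:27 SRV01 4625 FAILURE account=jsmith src=10.0.0.45
2010-03-01T09:20:00 SRV01 4624 SUCCESS account=mjones src=10.0.0.12
2010-03-01T09:31:44 FS01 4656 FAILURE account=mjones object=\\FS01\HR\ssn_list.xlsx
2010-03-01T09:31:50 FS01 4656 FAILURE account=mjones object=\\FS01\HR\payroll.xlsx
2010-03-01T09:40:00 SRV01 4625 FAILURE account=mjones src=10.0.0.12
2010-03-01T10:02:11 FS01 4656 SUCCESS account=hradmin object=\\FS01\HR\ssn_list.xlsx
"""


def parse_line(line: str):
    """Turn one export line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
            "event": int(m.group("event")), "result": m.group("result"), **fields}


def _under_restricted_share(path: str) -> bool:
    upper = path.upper()
    return any(upper.startswith(p.upper() + "\\") for p in RESTRICTED_PREFIXES)


def detect(events: list) -> list:
    """Apply both rules to parsed events and return a list of alert dicts."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["event"] == FAILED_LOGON and e["result"] == "FAILURE":
            failures[e.get("account", "?")].append(e["ts"])
        elif e["event"] == OBJECT_ACCESS and e["result"] == "FAILURE" \
                and _under_restricted_share(e.get("object", "")):
            alerts.append({"rule": "restricted-file-denied", "account": e.get("account", "?"),
                           "object": e["object"], "host": e["host"], "ts": e["ts"]})
    # Sliding window over each account's failure timestamps; one alert per account.
    for account, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= LOGON_WINDOW:
                j += 1
            if j - i + 1 >= LOGON_THRESHOLD:
                alerts.append({"rule": "failed-logon-burst", "account": account,
                               "count": j - i + 1, "first": stamps[i], "last": stamps[j]})
                break
    return alerts


def analyze(log_text: str) -> list:
    return detect([e for e in map(parse_line, log_text.splitlines()) if e])


def format_alert(a: dict) -> str:
    """Text of the notification that would go out by email or SMS."""
    if a["rule"] == "failed-logon-burst":
        return (f"ALERT {a['count']} failed logons for {a['account']} "
                f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    return f"ALERT {a['account']} denied access to {a['object']} on {a['host']} at {a['ts']:%H:%M:%S}"


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(format_alert(alert))
```

On the sample data this yields two denied-access alerts for mjones and one burst alert for jsmith; mjones' two widely spaced failed logons stay below the threshold, and hradmin's successful access to the same file is correctly ignored because only audit failures are of interest here.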
Data Availability
Data availability is not part of the Data Security Regulations but it is crucial for your business so I will briefly explain what it means. Data availability describes the practice of ensuring that our business files are readily available to those who need them (and no one else!) during normal business operation or in a Disaster Recovery (DR) situation. Two commonly mentioned DR considerations are Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is a fancy term for the last point of backup, after which data is lost as a result of a disaster. RTO simply means the time it takes a company to restore access to the data and resume normal operation following a disaster.
Key points to consider:
- Take frequent backups to minimize the RPO. Backup frequency should be determined by how quickly your stored data changes (added, modified, deleted) and can vary from real-time replication to hourly images to weekly backups. We recommend that, at a minimum, you back up your data on a nightly basis.
- Securely store a copy of the data off-site, either at your DR data center or with a trusted online backup provider.
- To the extent possible, move data off-site electronically (using secure connections) rather than carrying tapes or DVDs.
- Familiarize yourself with the different DR site options (Cold site, Warm site and Hot site). If possible, avoid Cold sites as these extend your recovery time (RTO) to hours and days.
- Test your backups and disaster recovery procedures on a regular basis. This will shorten your RTO and ensure that files are intact and that your IT staff is familiar with the process.
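The list above is a procedure, so here is one added example (not code from the original post, and not a substitute for a real backup product) that walks a small DR drill end to end: take timestamped backups with a SHA-256 manifest, pick the newest backup that predates the disaster and measure the data-loss window that the RPO is meant to bound, verify that the stored copy is intact before trusting it, restore it and time the restore as the measured part of the RTO. The file names, backup times and disaster time are constructed.

```python
"""Backup manifest, integrity verification and recovery-point calculation.

Added example (not the post's own code). File names, backup times and the
disaster time in run_drill() are constructed."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, taken_at: datetime) -> Path:
    """Copy every file under source into a timestamped folder and write a
    SHA-256 manifest so the copy can be checked later without the source."""
    dest = backup_root / taken_at.strftime("%Y%m%dT%H%M")
    shutil.copytree(source, dest / "data")
    files = {p.relative_to(dest / "data").as_posix(): sha256_file(p)
             for p in (dest / "data").rglob("*") if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps({"taken_at": taken_at.isoformat(), "files": files}))
    return dest


def verify_backup(backup_dir: Path) -> list:
    """Re-hash the stored copy against its manifest; returns the relative paths
    that are missing or altered (an empty list means the backup is intact)."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest["files"].items():
        p = backup_dir / "data" / rel
        if not p.is_file() or sha256_file(p) != digest:
            problems.append(rel)
    return problems


def latest_backup_before(backup_root: Path, disaster_at: datetime):
    """Return (backup_dir, taken_at) for the newest backup taken before the
    disaster. disaster_at - taken_at is the data that is lost: the RPO is
    the longest such gap you are willing to accept."""
    best = None
    for d in backup_root.iterdir():
        if not (d / MANIFEST).exists():
            continue
        taken = datetime.fromisoformat(json.loads((d / MANIFEST).read_text())["taken_at"])
        if taken <= disaster_at and (best is None or taken > best[1]):
            best = (d, taken)
    return best


def restore(backup_dir: Path, target: Path) -> float:
    """Restore the backup into target; returns elapsed seconds (the measured
    piece of the RTO for this drill)."""
    start = time.monotonic()
    shutil.copytree(backup_dir / "data", target, dirs_exist_ok=True)
    return time.monotonic() - start


def run_drill() -> dict:
    """Constructed scenario: nightly backups at 02:00 on March 1 and March 2,
    2010; disaster strikes at 14:30 on March 2. Cleans up after itself."""
    work = Path(tempfile.mkdtemp(prefix="drdrill-"))
    source, backups, restored = work / "source", work / "backups", work / "restored"
    (source / "hr").mkdir(parents=True)
    backups.mkdir()
    (source / "hr" / "clients.csv").write_text("name,ssn_last4\nJ. Doe,1234\n")
    (source / "notes.txt").write_text("quarterly letter draft\n")
    create_backup(source, backups, datetime(2010, 3, 1, 2, 0))
    (source / "notes.txt").write_text("quarterly letter, final\n")   # changes after night 1
    create_backup(source, backups, datetime(2010, 3, 2, 2, 0))

    disaster = datetime(2010, 3, 2, 14, 30)
    chosen, taken = latest_backup_before(backups, disaster)
    # Simulate media damage on the older backup: the integrity check must catch it.
    older = backups / "20100301T0200"
    (older / "data" / "notes.txt").write_bytes(b"\x00garbage")
    seconds = restore(chosen, restored)
    result = {
        "chosen_backup": chosen.name,
        "data_loss_window": disaster - taken,
        "chosen_intact": verify_backup(chosen) == [],
        "tampered_files": verify_backup(older),
        "restore_matches_source": sha256_file(restored / "notes.txt") == sha256_file(source / "notes.txt"),
        "restore_seconds": seconds,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for k, v in run_drill().items():
        print(f"{k:24} {v}")
```

In the constructed scenario the newest usable backup is the 02:00 image, so the data-loss window is 12 hours 30 minutes; if that is longer than your business can tolerate, the fix is the first bullet above (back up more often), not a faster restore. The damaged older image is reported by `verify_backup` before anyone relies on it, which is the "files are intact" check the last bullet asks for.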
I hope I was able to provide you with valuable information. If you have any question or would like to discuss a specific scenario, please post your question to the blog or contact me directly.
Dotan Akiva