Malware On The Rise
Reuters recently published an article claiming that malware has hit an all time high. They state that McAfee, the number two security software provider, found that malware reached a new record in the first half of 2010. Malware is software code that, when introduced into a system, can hack the computer, steal passwords and identities, and reap havoc on system performance.
McAfee says that 10 million new pieces of malicious code have been catalogued. What is most noteworthy of these findings is that Mac systems are becoming increasingly vulnerable to attacks. Apple users tout that Macs are virtually “insusceptible to viruses,” however as Macs continue to increase their market share, their vulnerability is also rising.
Android Antivirus
In similar news, the first Trojan has been reported on the Android Operating System for smartphones. The malware poses as a media player and once installed on the phone, sends text messages to premium text numbers inadvertently charging the user. Hackers are usually on the receiving end of the text messages, and thus profit from the rouge SMS messages.
According to the article, posted on Mashable.com, Kaspersky Labs is in the process of developing a mobile antivirus application for Android phones, due to be released next year.
The Bottom Line
You need to take precautions. Whether you are dealing with your personal computer or your organization’s infrastructure, steps need to be made to make sure your system(s) are secured.
Basic necessities include using a firewall, password protecting your WiFi, and having an up to date antivirus system installed (including Mac systems).
Additional steps, such as security assessments and security audits can be performed to make sure your organization isn’t vulnerable to outside attacks.
Most importantly, self monitoring is the key. Be sure to stay away from sketchy websites (including those not suitable for the workplace) and making sure you only download files from people or websites you know and trust.
Even though it may be your job to handle sensitive information, how you handle the data is just as important as how well it is secured.
One of the best ways to avoid any sort of legal snafu is to have a privacy policy in place. The policy needs to be all encompassing, meaning it covers EVERYTHING accessed on the company’s network (i.e. email, network drives, Twitter, Facebook, VPN connections from offsite, etc).
The policy should mandate guidelines of acceptable computer usage while using company resources (including all data).
Another step would be to conduct a Security Assessment and Security Audit.
- A Security Assessment identifies vulnerabilities within an organization’s infrastructure and will then recommend solutions to secure the system.
- A Security Audit installs an application on the network that is designed to identify, classify, secure, monitor and report on sensitive data. A manager is then notified every time the data is accessed so organization’s can track who is accessing sensitive data and when and where the access happens.
If you aren’t sure of your organization’s policy in regards to sensitive data, ask them. If they don’t have a policy in place – inquire about initiating one. This will help to safeguard yourself as well as the data you are in charge of.
More Information on NSK's Security Assessments
NSK Inc Performs Compliance Assessment for Ziner & Murphy
Boston-based IT consulting firm runs assessment of new Massachusetts law on data privacy compliance for CPA firm
Boston, MA, April 12, 2010 - NSK Inc, a leader in IT consulting for small to medium businesses, was contacted by Ziner & Murphy regarding their data storage needs. Ziner & Murphy, a Certified Public Accountant (CPA) firm in Stoneham, MA approached NSK about the new state regulations regarding data privacy. NSK Inc. was hired to perform a Massachusetts Personal Information Compliance Assessment (MPICA).
Changes in Massachusetts General Law (M.G.L.) Chapter 93H, with new regulations 201 CMR 17.00, now require companies that own, license, store, and/or maintain personal information about a resident of the Commonwealth of Massachusetts, to establish minimum standards in guarding the data in both paper and digital records. MPICA is designed to scan a company's server and system components, locate where personal information is stored, and check to see if the current systems settings are in compliance with the new regulations.
According to David Murphy, the firm learned of the new regulations through the Massachusetts Society of CPAs, and subsequently contacted NSK Inc. "We had worked with NSK in the past, and knew that they are a very knowledgeable and professional firm." NSK Inc, already prepared for the new regulations, dispatched a technician to perform the assessment for the CPA firm.
An NSK Inc technician installs the MPICA software on a company's server as well as any desktops or laptops used by office personnel. The software locates where personal information is stored and analyzes whether or not the data is protected according to government standards. MPICA checks password strength and change frequency, current antivirus protection, firewall settings, e-mail and ftp settings, and if the client's computer systems are updating new releases on a regular basis. NSK Inc can then offer solutions to fix any vulnerabilities found in the system.
Murphy says that being a CPA firm "Our relationship with our clients is based on trust." Having the MPICA performed, and the system upgraded "We have enhanced this trust with our clients."
For more information about MPICA, please visit http://www.nskinc.com/it/201CMR17_mpica.html.
About NSK Inc
NSK Inc is a leader in information technology consulting, with a focus on IT management for SMB companies Headquartered in Boston, MA with an additional office in Palo Alto, CA, the company offers a wide array of IT services for business driven information challenges. They provide service and support for small and medium-sized businesses and groups working within large organizations. NSK Inc also creates custom software products for investment banks, equity management organizations, and other specialized industry areas. For more information, please visit http://www.nskinc.com.
Press Contact
For more information, please contact:
Cathie Briggette
NSK Inc.
(p) +1 617 303-0480
(e) cathie@nskinc.com
(w) http://www.nskinc.com
For Immediate Release
NSK Inc. IT Associate Receives CCENT Certification
Associate at Boston-based IT Consulting firm is now certified in small network implementation and management
Boston, MA, March 17, 2010 - One of NSK Inc's IT Associates, Michael McGowan, recently announced that he has received the CCENTTM certification from Cisco®. CCENT, short for Cisco Certified Entry Networking Technician, validates skills in installing and managing small enterprise network systems, and is a stepping stone towards the Cisco Certified Network Associate (CCNA®) certification. McGowan's new credentials demonstrate his knowledge and experience in data networks, IP addressing, wired and wireless networks, and network security in the small enterprise sector.
McGowan states "It took me about four months to prepare for the exam." His efforts have paid off immensely. "Having a CCENT certification will help me provide better support with internet/networking, troubleshooting, and configurations for NSK and its clients." Although time consuming, McGowan says, "The experience was totally worth it, as it is the largest industry-wide certification." He will spend the next four months working towards his CCNA certification.
McGowan isn't the only NSK member who is Cisco certified. Ben R. Howard, a Senior IT Associate, holds his CCNA certification. Howard says that "Having the CCNA Security certification ensures that NSK meets the standards set forth by Cisco to have an understanding not only of how to configure a range of Cisco products, but to recognize security issues and how to effectively configure and deploy the devices to address the issues." NSK Inc is consistently expanding their knowledge base, and with two employees now Cisco certified the company can manage a multitude of network systems for their growing client base.
About Cisco Systems
Cisco, (NASDAQ: CSCO), the worldwide leader in networking that transforms how people connect, communicate and collaborate, this year celebrates 25 years of technology innovation, operational excellence and corporate social responsibility. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.
About NSK Inc
NSK Inc is a leader in information technology consulting, with a focus on IT management for SMB companies. Headquartered in Boston, MA with an additional office in Palo Alto, CA, the company offers a wide array of IT services for business driven information challenges. They provide service and support for small and medium-sized businesses and groups working within large organizations. NSK Inc also creates custom software products for investment banks, equity management organizations, and other specialized industry areas. For more information, please visit www.nskinc.com.
Press Contact
For more information, please contact:
Cathie Briggette
NSK Inc.
(p) +1 617 303-0480
(e) cathie@nskinc.com
The Benefits of Public Cloud Computing
Simplicity and efficiency are the overarching benefits of having a public cloud. Public clouds are offered as a service, usually over an Internet connection. An off-site third party provider hosts and manages the system. Users connect to the system via web applications or services. Public clouds usually charge a monthly usage fee per gigabyte and bandwidth transfer charges.
Cost: Having a cloud computing model in place, organizations can trim their IT budgets because they don't have to purchase physical hardware (which also saves on energy costs), as the servers are virtual - hosted at a third party. Organizations can customize their clouds with specific storage parameters, applications, and security options so that they only pay for what they need. Since the cloud is hosted by a third party, the organization doesn't need to spend money to have an employee monitor the system; it is taken care of by the host.
Time: In house servers take time to maintain. If hardware or software configurations need to be altered, or if a server crashes or needs to be restarted, the process can often take a couple of hours or a couple of days depending on the situation. With cloud computing, because everything is virtualized, reconfiguring the cloud takes minutes.[1]Also - because the servers are hosted on the cloud, if one server fails, another can instantly be activated, reducing down time.
Maintenance: Due to the fact that the public cloud system is hosted off site, internal employees are not responsible for maintaining the system. The design lets users update or introduce technologies into the system at a much faster rate as everything is managed at the host company. Having a virtualized public cloud means never having to deal with a physical server; it can be maintained from a simple configuration screen.[2]
Disadvantages of a Public Cloud
Lack of Control: Due to the fact that third party providers are in charge of storing and maintaining the data systems, many feel as if they don't have enough control over their personal data.
Speed: Public Clouds are based on internet connections, meaning the data transfer rate is limited to that of the Internet Service Provider (ISP), which is usually no more than 10mbps. If an organization is storing and transferring large amounts of data (high definition video for example), a public cloud may not be the best bet.
Lack of Investment: Although a great cost saving method by reducing the need to invest upfront, renting the service from an outside provider also means that there is little capital gained. Having items such as servers and network equipment can pay off in the long run as assets and tax advantages.
The Benefits of Private Cloud Computing
Private clouds are built from software that runs on a piece of hardware at the organization. The difference between a public cloud and a private cloud is that a private cloud is controlled by the organization. The benefits of this system are that although an investment due to the fact hardware is required, it costs considerably less than traditional data management systems. The cost savings is due to virtualization in which one physical server acts as host to several virtual servers, each of which runs on a layer of software.[3]
Control: Due to the fact that the hardware is on-site, organizations have more control over their data. The organization is in charge of monitoring and maintaining the data giving them complete oversight of their data.
Performance: The private cloud is deployed inside the firewall on an organization's intranet, meaning that transfer rates are dramatically increased. Read access off of private clouds can be as fast as 100mbps, or even more if the organization has a gigabit Ethernet connection. Storage capacity is also higher with a private cloud. Private clouds usually start with a few terabytes and can be increased by adding additional disks.[4]
Disadvantages of a Private Cloud
Cost: Private clouds are more expensive than public because they require both hardware and maintenance personnel. To build a private cloud, an organization needs to invest in hardware or use already existing systems whereas a public cloud is all handled off site. Private clouds also require system administrators. However, one system administrator could easily manage a 100-node cloud with a part-time effort. [5]
Maintenance: Since the private cloud is hosted on sight, the organization needs to provide adequate power, cooling, and general maintenance. The host organization also runs the risk of data loss due to physical damage of the unit (i.e. fire, power surge, water damage).
[1] "Seeding the Clouds: Key Infrastructure Elements for Cloud Computing." IBM. Feb.2009. IBM Corporation. 26 Feb. 2010. <http://www-935.ibm.com/services/in/cio/pdf/oiw03022usen.pdf>.
[2] Fogarty, Kevin. "Cloud Computing Definitions and Solutions." CIO 10 Sep. 2009.Wed. 27 Feb 2010. <http://www.cio.com/article/501814/Cloud_Computing_Definitions_and_Solutions>.
[3] Ibid
[4] "Cloud Computing Public or Private? How to Choose Cloud Storage." Sys-Con Media. Sys-Con Media, 2008. Web. 26 Feb 2010. <http://www.sys-con.com/node/707840>.
[5] Ibid
Senior IT Associate Receives CISSP Certification
Ben. R Howard, a Senior IT Associate at NSK Inc recently took the CISSP Certification Exam and passed, placing him among roughly 64,000 other IT professionals in the world who have the certification.
The CISSP (Certified Information Systems Security Professional) is a highly prestigious certification that requires a massive amount of training and credentials in order to be considered to even take the exam.
CISSP candidates must have at least five years of experience in information security as well as experience with two of ten domains of security before they even apply. They then have to train and prepare for a sixty page exam that lasts for six-hours.
Those who pass receive the certification. A CISSP Certified Associate knows how to formally manage an all encompassing security program. The CISSP credential is a testament to the years of experience, knowledge, and competency of information systems, these personnel have achieved.
Howard hopes to broaden NSK's ability to provide security services to its clients with his new certification. Having a CISSP Certified IT Associate, will only help NSK Inc move forward as a premier consulting firm in Boston.
By: Ryan Hickey
IT Services Manager, NSK Inc
Here are five ways hackers can get into your computer system, and the steps you need to take to stay protected.
1. Peer to Peer networking sites
These include:
• Bit torrent - open source file sharing application
• Kazaa - free music downloads
• Limewire - free music and videos
• Sharezaa - video sharing site.
Peer to Peer sites really have no place in the workplace. They are rife with viruses, eat up bandwidth, decrease productivity and open your business up to copyright lawsuits. Ideally, they should be blocked at the hardware firewall separating your network from the internet.
2. Social Networking sites including:
a. Facebook - Hold on, hold on I am not telling you to get rid of your Facebook account, I am just telling you to be very careful. Hackers have figured out how to create computer-generated Facebook profiles and are using them to trick unsuspecting users into installing malware. This means that attackers have figured out a way to crack the Facebook captcha, which is used to ensure profiles are created by humans, rather than computer scripts that automate the process, allowing attackers to create thousands of profiles at a time. Facebook engineers are doing a good job killing these fake profiles, but you still need to be careful.
i. Don't click on profiles of people that you do not know.
ii. Do not click on the ads on the side of the page, because no one is monitoring what content may be in those ads.
iii. Malware is also being circulated via Facebook messages. Do not open messages from anyone who isn't a friend or from friends you haven't heard from in a long time. Also don't open any messages that have strange subjects that don't look right such as "Maan,yyou're great!" "I found this video of you", etc.
b. MySpace - If you happen to visit the MySpace Chat Forums without the benefit of the latest security updates for popular Web browsers and media player plug-ins, your computer is likely to get lots of malware, as well as Trojan horse programs that are very hard to identify and are even harder to delete using anti-virus programs. Make sure your web browser, and media player plug-ins are installed and up to date.
c. Twitter - Malware researchers are seeing signs that Twitter is now clearly large enough for attackers to use as a mechanism for malicious software
i. Most of the Twitter malware uses beautiful women as the profile picture. Don't be fooled, that person is not really using Twitter and they really don't want to follow you
ii. Most of the Tweets are for a date, or pornographic pictures -- Do Not Click on them!
The FBI issued this advisory warning people to be wary of fraud on social networking sites.
Ideally, it would be great if all businesses could block social networking sites at the firewall but in some circumstances such as small businesses or businesses that have Marketing and Sales departments that rely on Social Networking for business use it's not so easy.
3. IM (Instant Messaging)
a. Do not click on links in an Instant Message
i. If the link is from a friend, ask them if it is OK to open or try a different method of sending the link
b. Do not open attachments unless you know who they are from and you are expecting them
c. Do not download applets (small applications that perform specific tasks) when asked while trying to view pictures or other documents
4. Email
a. Do not click on a link if you do not know the sender.
b. Never open attachments unless you know who it's from and are expecting it.
i. Never download attachments with a .exe or .scr extension
ii. Good extensions are .doc, .xls, .pdf, .jpg
c. Do not click on a link if you KNOW the sender, but the message is STRANGE. (i.e. I LOVE YOU Email message from your boss).
d. Be wary of emails saying that say they are from your financial institution asking you for information. Almost every bank, credit card company, etc. will never request personal information from you via email.
5. Web Browsing
a. Pop-Ups. Do Not believe everything you see in pop-up windows
i. Messages telling you to:
• Optimize your computer
• Protect your computer
• Saying your computer is infected with spyware and you need a specific program to clean it.
These pop-ups will always download malware into your computer that will make it unusable, steal your information, or use your computer to send spam etc.
Cancelling a pop up window sometimes is just not enough. Sometimes the way it is worded will install the program if you click cancel. If you notice that information is still being downloaded Close the pop-up using the red X in the right corner of the pop-up or go to your task manager and close the application. (ctrl-alt-delete). If you can turn off your computer without losing your work, it may be best to hard shut down your computer when you feel like you're being trapped on a website. This can be done by pressing the power button on your computer and holding it down for 5 seconds until it powers off.
b. Make sure your browser settings do not allow files to automatically download. Change the settings to ask you first about installations or updates before they happen.
If you are unsure about opening something talk to your system administrator or IT Support Specialist. It is better to attempt to stop something before it goes into your computer, than to try and remove it or, even worse, have to rebuild your computer.
2009 Data Loss: Overlooking Important Points When Viewing Statistics
The end of a year is a time to look back and reflect on positive and negative incidents that have occurred in the past 12 months. Some people make a more general, qualitative assessment about performance, and others look at hard numbers and come to conclusions that way. Although there are many different ways of analyzing performance, it is important to ask yourself if the paradigm you’re using to assess improvement in any situation is hiding another truth. This applies all business matters, but right now we’ll focus on business IT. To demonstrate this concept, we’ll use the following example.
This year, as far as the number of data breaches is concerned, may seem like an improvement when we view last year’s numbers (2008). However, as Andy Greenberg points out in Forbes.com's November 24, 2009 article, The Year of the Mega Data Breach, it’s superficial to assume that data loss has decreased this year. This is a great observation. This is mainly because, according to Greenberg, “the number of personal records that were exposed [in 2009]--data like Social Security numbers, medical records and credit card information tied to an individual--that hackers exposed has skyrocketed to 220 million records so far this year, compared with 35 million in 2008.”
Forbes notes that the statistics at the Identity Theft Resource
Center indicate a 50 percent drop in overall data breach incidents since last year. Now here is the important part: This percentage refers to the number of events, NOT the
amount of personal data affected.
It’s important to be aware of the assumptions made based on the more obvious statistics in any situation. Sometimes you have to dig deeper for meaning in those large statistics and analyze the wording. Ask yourself if the words used to describe a statistic lead you to believe something other than getting at the core of whatever issue you face.
This post is in response to Forbes.com’s 11/24/09 article, The Year of the Mega Data Breach,
by Andy Greenberg.
Written by Melissa Cocks, NSK Inc.
What are the differences between this new version (August 17, 2009) of 201 CMR 17.00 and the version issued in February of 2009?
There are some important differences in the two versions:
- The most recent regulation issued in August of 2009 makes clear that the rule adopts a risk‐based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC's Safeguards Rule. A risk‐based approach is one that directs a business to establish a written security program that takes into account the particular business' size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.
- A number of specific provisions required to be included in a business's written information security program have been removed from the regulation and will be used as a form of guidance only.
- The encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.
- The third party vendor requirements have been changed to be consistent with Federal law.
To whom does this regulation apply?
The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment.
The regulation does not apply, however, to natural persons who are not in commerce.
Does 201 CMR 17.00 apply to municipalities?
No. 201 CMR 17.01 specifically excludes from the definition of "person" any "agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof." Consequently, the regulation does not apply to municipalities.
Must my information security program be in writing?
YES, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.
What about the computer security requirements of 201 CMR 17.00?
All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of "technically feasible" below.) The computer security provisions in 17.04 should be construed in accordance with the risk‐based approach of the regulation.
Does the regulation require encryption of portable devices?
Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.
Do all portable devices have to be encrypted?
No. Only those portable devices that contain personal information of customers or employees and only where technically feasible The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, Blackberries, net books, iPhones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.
Must I encrypt my backup tapes?
You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.
What does "technically feasible" mean?
"Technically feasible" means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.
Must I encrypt my e-mail if it contains personal information?
If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an e-mail. There are alternative methods to communicate personal information other through e-mail, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.
Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license?
You are responsible for the selection and retention of a third‐party service provider who is capable of properly safeguarding personal information. The third party service provider provision in 201 CMR 17.00 is modeled after the third party vendor provision in the FTC's Safeguards Rule.
I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations?
The regulation adopts a risk‐based approach to information security. A risk‐based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business's size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent.
Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00?
If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question.
Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information?
No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.
Do I have to do an inventory of all my paper and electronic records?
No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.
How much employee training do I need to do?
There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation.
What is a financial account?
A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.
Does an insurance policy number qualify as a financial account number?
An insurance policy number qualifies as a financial account number if it grants access to a person's finances, or results in an increase of financial burden, or a misappropriation of monies,credit or other assets.
I am an attorney. Do communications with clients already covered by the attorney/client privilege immunize me from complying with 201 CMR 17.00?
If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.
I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
YES. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.
What is the extent of my "monitoring" obligation?
The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record willdemand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.
Is everyone's level of compliance going to be judged by the same standard?
Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.
Learn about the MPICA Compliance Assessment
