IT Consultants' Insight on Business Technology | NSK Inc.


Your Timeline for Compliance with MGL 93H / 201 CMR 17.00


Compliance with 201 CMR 17.00 is going to take some time, so we have written out a guideline for your timeline!

 

April

Designate an Information Security Officer - You will need to designate at least one person at your place of business who will maintain the comprehensive information security program.  Finding that person now will help get the rest of the items in line for when they need to be done.  You can get a compliance checklist at:  201 CMR 17.00 Compliance Checklist

May

Start Assessing Your Information:

  1. Identify the paper, electronic and other types of records, including storage media, laptops and portable devices, that contain personal information.**
  2. Check that anti-virus software and security patches on all computers and servers are up to date, and that you are running reasonably up-to-date versions of system security agent software (including malware protection).**
  3. Identify what "personal information" moves around your business and out of your office. Under MGL 93H this means a resident's name combined with a Social Security number, driver's license or state ID number, or financial account or credit card number; in practice it turns up in:**
        a. healthcare/insurance information
        b. benefits/401K information
        c. accounting/tax information
        d. employment and credit applications
        e. checks and credit card information
  4. Identify the persons who need to see the "personal information" and those who do not.
  5. Identify where encryption for personal information is needed. The regulation specifically calls for encrypting personal information sent over public networks or wirelessly, and personal information stored on laptops and other portable devices.**
  6. Identify what third-party service providers your business uses that have access to personal information.
  7. Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**
  8. Identify any systems that are connected to the internet and make sure the firewall protection for files containing personal information is up to date.**
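The first and third May steps, finding the electronic records that contain personal information, are easier to start with a quick automated sweep. The script below is an added example written for this article; it is not NSK's tool and not anything 201 CMR 17.00 prescribes. It walks a directory tree and flags text files holding two data elements that, together with a name, make up "personal information" under MGL 93H: Social Security numbers and payment card numbers (the latter confirmed with a Luhn check so invoice and phone numbers are mostly ignored). The directory layout, file names and every number in the sample are constructed. Treat its output as a starting list for human review, not a complete inventory: driver's license numbers, scanned images, PDFs and paper records are out of its reach.

```python
"""Sweep a directory tree for text files that may hold Massachusetts
"personal information" (MGL 93H: a resident's name combined with an SSN,
driver's license/state ID number, or financial account/card number).

Added example for this article; not NSK's tool and not part of the regulation.
Only SSNs and payment card numbers are detected, because they have a
recognisable printed format.  Sample files and all numbers below are constructed.
"""
import re
import tempfile
from pathlib import Path

# SSN as printed: AAA-GG-SSSS, excluding the never-issued ranges
# (area 000, 666, 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs, optionally separated by spaces or dashes, as printed on
# receipts and in spreadsheets.  Candidates are confirmed with a Luhn check.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# File types read as text; scanned images and PDFs need OCR and are out of scope.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every major card brand's numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers found in text, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_text(text: str) -> dict:
    """Return the SSNs and card numbers found in one document's text."""
    return {"ssn": SSN_RE.findall(text), "card": find_card_numbers(text)}


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not PI."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_tree(root) -> list:
    """Walk root and return one finding per file that contains an SSN or card number."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        found = scan_text(text)
        if found["ssn"] or found["card"]:
            findings.append({
                "path": str(path),
                "name": path.name,
                "ssn_count": len(found["ssn"]),
                "card_count": len(found["card"]),
                "samples": [mask(v) for v in (found["ssn"] + found["card"])[:3]],
            })
    return findings


def demo() -> list:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="pi_scan_")
    samples = {  # constructed data; 4111... is the well-known Visa test number
        "hr/benefits.csv": "name,ssn\nJane Doe,123-45-6789\n",
        "sales/receipts.txt": "Paid by card 4111 1111 1111 1111 on 03/01\n",
        "sales/invoices.txt": "Invoice 1234 5678 9012 3456 due net 30\nref 000-12-3456\n",
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['ssn_count']} SSN, {f['card_count']} card, e.g. {f['samples']}")
```

Point `scan_tree()` at a file share or a laptop's home directory and the findings list becomes the first draft of the record inventory the regulation asks for; the report masks every value it finds so that the inventory itself does not become another record containing personal information.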

June

  1. Purchase any hardware or software upgrades that are needed**
  2. Get control of user IDs and other identifiers**
  3. Come up with a reasonably secure method of assigning and selecting passwords for users**
  4. Start developing your WISP (Written Information Security Program)

Make sure that your WISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts

Make sure that you include:

  • Administrative, technical and physical safeguards for personal information protection
  • Any identified and reasonably foreseeable internal and external risks to paper and electronic records
  • Regular and ongoing employee training, and procedures for monitoring employee compliance
  • Disciplinary measures for violators
  • Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
  • Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
  • Steps taken to verify third-party service providers' access
  • The length of time that you are storing records containing personal information
  • The specific manner in which physical access to personal information records is to be restricted
  • Whether you are storing your records and data in locked facilities, storage areas or containers, and the security measures taken to keep these areas secure
  • Actions taken, and documentation kept, in connection with any breach of security

July

  1. Install all hardware and software upgrades**
  2. Test policies that have been written
  3. Start Training Employees on new policies
  4. Finalize WISP

August

  1. Finish Training Employees
  2. Send out WISP Policy to all Employees and get signatures from all that they understand and will comply

September and beyond

  1. Continue monitoring your systems and procedures**
  2. Continue providing training to new and existing employees
  3. Update policies as required
  4. Ensure all computers and servers remain up to date with patches and anti-virus software**

    201 CMR 17.00 Compliance

** NSK Inc. can help you with any of these tasks, just fill out the form to the right or give us a call at 617-303-0480.
