Mass 201 CMR 17: A Survival Guide for the Anxious
Security experts offer tips for navigating Mass 201 CMR 17. Will your business be ready?
by Bill Brenner, Senior Editor, CSO July 23, 2009
FRAMINGHAM, Mass. -- David Escalante has as much cause as any IT security practitioner to be nervous about Mass 201 CMR 17, the tough Massachusetts data protection requirements organizations must comply with by Jan. 1, 2010.
As director of computer policy and security at Boston College, he oversees the security of a computer network accessed daily by some
10,000 students who storm the campus after Labor Day with myriad personal computing devices loaded with any number of sinister programs. (See Six Essential Steps to Secure Academia.)Yet he was cool and calm during a CSO Executive Seminar on Mass 201 CMR 17.00 Thursday, as were the other legal and security experts on hand.
The reason -- they're reasonably confident most companies will survive this latest compliance push unscathed. And why not? Many of the provisions are basic best practices other government regulations and industry standards have required for years.
That's not to say this is a piece of cake. Compliance doesn't always ensure security. The Hannaford supermarket chain learned this the hard way after suffering a data breach despite all the PCI DSS compliance work it had done.
And so the seminar speakers tried to give attendees a clearer picture of what's needed. Among the advice -- have a plan on the shelf that outlines who will do what in the event of a data breach, and invest time and money in awareness campaigns that won't put employees to sleep.
"Much of this you should be doing anyway," Escalante said. "If you follow best practices such as those outlined in things like Cobit and ISO 17799, you WILL be okay."
...
I'm assuming that this is telecom related because data standards include proper management of modems.
Bill Horne