The 201 CMR 17.00 Compliance Deadline of March 1, 2010 Is Rapidly Approaching.

Sounds a little like Chicken Little running around saying “the sky is falling, the sky is falling”.  However, the clock is ticking off precious minutes as your organization races to meet the compliance deadline for 201 CMR 17.00.  If your organization has been holding out for another extension from OCABR, then I’m afraid you’re out of luck.  March 1, 2010 is the drop dead date for compliance.

The final version of the regulation was released in late October and nobody has the stomach to take a crack at watering down this regulation any more than it has been over the last several months.  With time running out for organizations to comply with 201 CMR 17.00 we thought it would be helpful to lay out the activities your organization should be undertaking to meet the March 1, 2010 deadline for compliance.  What follows below are those activities.

January 2009

• Get a copy of the Final Version of 201 MR 17.00
• Obtain and complete the 201 CMR 17.00 Compliance Checklist to determine where your organization needs to focus their compliance efforts
• Designate an Information Security Officer – You will need to designate at least 1 person at your place of business who will maintain the comprehensive information security program.
• Identify the process flows as they pertain to personal information.  Examples of these would be
  • Hiring Process
  • Healthcare enrollment and termination process
  • Retirement Plan enrollment and termination process
  • Tax processing
  • Background Check process
  • Process of issuing company credit cards
  • Termination Process
• Based on the findings from the process flows, determine and document which employees need access to the Personal Information identified in the process.  A Personal Information Authorization policy should evolve from this step.
• While developing the process flows, you should have determined which systems contain Personal Information in an electronic format.  Based on those findings you should determine where encryption for personal information is needed.
• Third-party service providers for your business should have been identified in the process flows as should their requirements for access to Personal Information. Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.
• Develop encryption plan to address encryption requirements throughout the organization.
• Develop a process to check all security patches on all systems and insure they’re up to date and regularly monitored.  A similar process should be used to insure that firewalls are updated and monitored regularly.

February 2010

• Start developing your CISP (Comprehensive Information Security Program) making sure that you include:
  • Administrative, technical and physical safeguards for Personal information protection
  • Make sure that your CISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts
  • Any identified and reasonably foreseeable internal and external risks to paper and electronic records
  • Regular and ongoing employee training, and procedures for monitoring employee compliance
  • Disciplinary measures for violators
  • Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
  • Processes for blocking terminated employees physical and electronic access to personal information, including deactivating their passwords and user names
  • Steps taken to verify third party service providers access
  • The length of time that you are storing records containing personal information.
  • Specifically the manner in which physical access to personal information records is to be restricted
  • Whether you are storing your records and data in locked facilities, storage areas or containers and the security measures taken to keep these areas secure
  • Actions and documentation that is taken in connection with any breach of security
• Insure all hardware and software upgrades have been installed.
• Implement encryption plan developed in the previous month.
• Finalize your CISP, Comprehensive Information Security Program.
• Test all policies contained in the CISP.
• Develop your organizations Security Training Program and begin your employee training program.

March 1, 2010 and beyond

• Continue ongoing monitoring and maintenance to systems and procedures.
• Continue providing training to new and existing employees.
• Update policies as required.
• Spot Check your policies and procedures on a regular basis and make the changes necessary to insure your organizations continued compliance with 201 CMR 17.00.

As you can see there’s an immense amount of work ahead for you and your organization. If you’ve not undertaken something of this magnitude before, are understaffed or have no idea where to even start in implementing a Comprehensive Information Security Program, we’d love to help you out. For more information on how TBG Security can help your organization reach compliance contact our Compliance Practice Manager or call us directly at 877.233.6651 ext 707.