Defending the Commonwealth

February 23, 2009

The Commonwealth of Massachusetts is now the latest state to jump on the concept of security and privacy mandates.  Mass. Law 93H (and its corresponding data destruction law, 93I) went into effect at the beginning of the year, and affects any entity (from the commercial enterprise down to the individual) that owns, licenses, stores, and/or maintains personal information about Massachusetts residents.

On the surface, this law – and the defined standards behind it – is strikingly complete for a state-level law, and is more comprehensive than what we’ve seen from other states.  Most unexpectedly, the standard includes a broad set of process controls (containing governance and assurance requirements) that, while not entirely complete (for example, data retention and restoration are not addressed), represent a very strong, programmatic approach to information security and privacy.  The process controls include mandates for: a comprehensive information security program; risk management; written policies (with sanctions!); access control; third-party certification; limited scope of the use of data; asset identification and classification; physical security; periodic review; and security program documentation.

The system security controls also mandated by the law and its corresponding standard include the scope of controls you would expect to find in a major security framework: secure authentication; access control; encryption for data in transit; encryption for data at rest; monitoring; system security mechanisms like firewalls and antimalware; patching; and employee awareness and training.

So what does this all tell us?  It tells us that states are starting to take security and privacy requirements seriously, in the absence of either federal mandates (which may explicitly cover personal data, but are not comprehensively audited) or industry standards (which may be audited frequently, but whose scope does not specifically include personal data).  It also suggests that state-level security and privacy mandates are becoming more mature as time goes on: the gap between state-level mandates and major security standards like ISO 27001/27002, COBIT, and NIST SP 800-53 is shrinking, and as such, every organization operating in states with these mandates needs to start looking at more complete, effective, and programmatic approaches to implementing security and privacy.

Most of all, it’s likely that, as time goes on, these state-level mandates are going to have some teeth to them; you can bet that cash-strapped states are going to look to fine-based sanctions for failure to comply with these regulations as a way to close burgeoning budget gaps.  Let’s hope that organizations can proactively address these requirements before they get hit with significant penalties.
