I am working to be sure we are in compliance with Massachusetts law M.G.L. c. 93H, and here is a link to the provisions. They can choke a horse.

http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

Thirty-odd other states have enacted similar laws. If you serve visitors from any of these states, and "store or transmit" any personal information (their name plus any of: credit card numbers, soc. sec. #, banking numbers of staff and beneficiaries (direct deposit, 403b), driver's license number), whether stored electronically or on paper (WISP, or "written information security program"), you have to give this serious attention. A lot of focus has been placed on portable devices and wireless security vulnerabilities. You need to have both written security policies covering areas of vulnerability, and a designated officer to implement, monitor and train/maintain the security provisions in place. Relatively simple things such as account password discipline, physical server access and security, file cabinets, hotspot encryption standards (WEP is not sufficient), 3rd-party provider compliance (payroll, credit processing) all have to be not only in compliance but also fully documented, monitored, and maintained. Furthermore, networks must be adequately protected by firewall, virus and malware protection, and a regular program for system software security updates. And we thought we were busy before.

Things pop up out of nowhere. If we retain a visitor's driver's license as guarantee against loan of a gallery guide system, according to statute this must be reasonably protected and documented. In my interpretation it is sufficient to have a compliance effort actively working to elevate your security posture where necessary, and if not, document compliance. I am obtaining compliance statements from vendors handling transmission or storage of any personal information, and making those statements part of our permanent security policy. This, along with safeguarding portable devices (where they contain "PI"), including flash drives, probably represents the largest area of vulnerability for many institutions.

We are also implementing (and training and documenting) in-house account security practices equivalent to minimums in Server 2008 (and no passwords on post-its!). The state has released this handy checklist (which still runs to 3 pages) ... www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf

Chuck Eisenhardt
Boston Children's Museum

-----Original Message-----
From: mcn-l-bounces at mcn.edu [mailto:[email protected]] On Behalf Of Janice
Sent: Friday, January 29, 2010 1:38 PM
To: Museum Computer Network Listserv
Subject: Re: [MCN-L] Public Wi-Fi

Chuck,

We are about to do this also. We can limit bandwidth and have Barracuda Web filtering. But I would be interested in learning more about "New privacy laws are quite explicit about security requirements for wireless access" to make sure we are covered. Can you point me to a website?

Janice Craddock
Information Technology Manager
Amon Carter Museum
3501 Camp Bowie Blvd., Ft. Worth, TX 76107
t. 817.989.5152 f. 817.665.4333
http://www.cartermuseum.org

-----Original Message-----
From: mcn-l-bounces at mcn.edu [mailto:[email protected]] On Behalf Of Eisenhardt, Chuck
Sent: Friday, January 29, 2010 11:16 AM
To: Museum Computer Network Listserv
Subject: Re: [MCN-L] Public Wi-Fi

A myriad of illegal activities can be conducted over your network's Port 80 (HTTP), and are traceable back at least to your address space or router address, and even an individual workstation IP and MAC address. Around the time of the release of the film Matrix II, our domain technical and business contacts received a formal "cease and desist" order from a film industry watchdog group about a workstation on my network downloading bootleg copies. This was traceable down to a specific IP lease in the domain space. I quickly managed to locate that workstation, which was wired into the network by a staffer. This individual had previously (or regularly) visited a pirate video site on the laptop, and had a launch routine for this site as a startup routine.

The industry group had installed a sniffer on the pirated site, and ID'd the laptop as soon as he powered up on my network. This has inspired strict policies about foreign computers being introduced unnecessarily to our secure domain space. New privacy laws are quite explicit about security requirements for wireless access, especially for potential unwarranted access to stored and transmitted personal information.

Chuck Eisenhardt
Boston Children's Museum

_______________________________________________
You are currently subscribed to mcn-l, the listserv of the Museum Computer Network (http://www.mcn.edu)
To post to this list, send messages to: mcn-l at mcn.edu
To unsubscribe or change mcn-l delivery options visit: http://toronto.mediatrope.com/mailman/listinfo/mcn-l
The MCN-L archives can be found at: http://toronto.mediatrope.com/pipermail/mcn-l/
