+1, except that A3 tends to require auditing logs of some sort. And yes, get your General Counsel involved if you're not a lawyer or play one on TV.
-ASB: http://XeeSM.com/AndrewBaker

On Fri, Mar 12, 2010 at 6:47 PM, Ben Scott <[email protected]> wrote:
> On Fri, Mar 12, 2010 at 2:59 PM, David Lum <[email protected]> wrote:
> > Can someone clarify who this applies to?
>
> The law applies to anyone who processes protected information of a MA resident.
>
> Protected information is basically Social Security, bank account, and/or credit card numbers.
>
> I'm told US Congress is encouraging all states to adopt similar legislation.
>
> > Does that mean if my company does business with someone in Mass that any personal data of theirs I have needs to be encrypted when transmitted or stored on my systems?
>
> Requirements are mostly:
>
> A1. You need to have a plan. The plan needs to address all of the following.
> A2. Identification of protected information
> A3. Protection against improper access internally
> A4. On-the-wire encryption for transmission across a public network
> A5. Encryption of all storage for portable devices
>
> A1 can be a single page that tells all employees about this.
>
> A2 can be as simple as having designated server folders where all this stuff gets stored.
>
> A3 can be NTFS ACLs.
>
> A4 would mean things like VPN instead of open access, SSH instead of Telnet, SSL instead of HTTP, etc.
>
> A5 would mean whole-disk encryption for laptops, password encryption of BlackBerry, etc. Does *not* apply to desktops.
>
> Most of this should be stuff we're all doing already anyway. :)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
