

33 Gardner St. Hingham, MA 02038 1-800-886-0199


P.O. Box 958 Attleboro, MA 02703 888-744-5357






"Your PC and Networking Solution"


Highlights of MA Reg. 201 CMR 17.00 (M.G.L. c. 93H) and what you must do to comply

The new Massachusetts Regulation is nearly thirty pages, but its essence is captured in Section 17.04: Computer System Security Requirements.

We recognize that some companies are small and/or store or transmit very little of the targeted data cited in the regulation. Firms of this nature will find it easier to meet the new requirements. As there is a wide range in terms of exposure and budget, we have developed a number of options for our customers to help them meet today’s and tomorrow’s needs. Listed below are pertinent requirements that will become effective on 3/1/2010, followed by general suggestions of what you need to do.

This is what Section 17.04 states:

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

  1. Secure user authentication protocols including:
     (a) Control of user IDs and other identifiers;
     (b) A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
     (c) Control of data security passwords to ensure that such passwords are kept in a location and/or format that do not compromise the security of the data they protect;
     (d) Restricting access to active users and active user accounts only; and
     (e) Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

  2. Secure access control measures that:
     (a) Restrict access to records and files containing personal information to those who need such information to perform their job duties; and
     (b) Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

  4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

  5. Encryption of all personal information stored on laptops or other portable devices;

  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

  7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

This is, by the numbers, what you need to do to meet the new MA regulation:

Regulatory items covered in number (1), above, are a mix of server-related and operating-system-related settings: password rules, lockout after repeated failed logins, and disabling of inactive accounts are account-policy settings in Windows Server and Active Directory, and the newer desktop operating systems (e.g., Vista, Windows 7) expose the same controls locally. We can help you determine whether your server meets the requirements or, if you are not using a server, how the versions of the operating systems you are now running stack up. After a short evaluation, we can provide you with specific feedback and recommendations to meet the minimum levels of security.

Regulatory items covered in number (2), above, are also server-related: need-to-know access is enforced with the file and folder permissions on the server where the records live, and every person must have an individual login with a password that is not the vendor's default. Here, again, we need to determine whether you are using a server, what versions of operating systems you currently run, and what levels of security those meet.

Regulatory items covered in number (3), above, are typically handled by network vendors such as Cisco. As one viable example, their SSL VPN product ensures that what you send outside the office over the public Internet is properly encrypted. This particular product is roughly $1,000, plus a subscription fee of approximately $100 per year. Note that item (3) also covers wireless transmission, so any office Wi-Fi that carries personal information must itself be encrypted (WPA2, not an open network or WEP), whether or not a VPN is in place. We recognize that, for some clients, the Cisco product may be overkill or outside their budget. For these clients we can offer less expensive alternative solutions.

Regulatory items covered in number (4), above, will be handled by a new feature that ProNet will soon be offering to its clients: a monitoring system that proactively guards against virtually all avoidable system failures. Note that item (4) asks for monitoring for unauthorized use of or access to personal information, so meeting it means the monitoring must include regular review of logon and file-access audit logs on the systems that hold that data, not only hardware and service health. Beyond helping our clients meet number 4, the system will increase uptime and reduce the likelihood of catastrophic failure. A description of this product will be in the next newsletter, but feel free to call us about this at any time.

Regulatory items covered in number (5), above, are handled within the newer Microsoft operating systems, e.g., Vista and Windows 7, whose BitLocker feature encrypts the entire hard drive of a laptop (and, in Windows 7, removable USB drives via BitLocker To Go). Two caveats: BitLocker is included only in the Enterprise and Ultimate editions of Vista and Windows 7, and a laptop is protected only once encryption has actually been turned on and the recovery key has been stored somewhere other than the laptop itself. We just need to help you ensure that you are taking full advantage of these protection features.

Regulatory items covered in number (6), above, are handled by products such as a Cisco ASA firewall. For firms with several computers, our system of choice for this is Cisco. Note that item (6) also requires reasonably up-to-date operating system security patches, which no firewall provides; Windows Update (or WSUS on a server) must be turned on and confirmed to be applying updates on every machine that holds personal information. For smaller clients the ASA may be overkill or beyond their budget; for them we have a number of less expensive alternatives.

Regulatory items covered in number (7), above, are typically handled by antivirus solutions (hardware or software). As one example, Computer Associates has a product that handles both viruses and other malware. When it is used in conjunction with a product from MX Logic, mail security, mail management, spam filtering, etc. will also be covered. Whichever product is chosen, the regulation requires that it be a version the vendor still supports and that it be set to receive definition and patch updates automatically. Again, these are high-quality, robust solutions, but for some clients they may be overkill or beyond their budget. For these clients we can offer several less expensive alternatives.

Regulatory items covered in number (8), above, are handled by ProNet's dedicated staff. In short, this is what we do. In conjunction with our system monitoring we can also help monitor your level of compliance.
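Several of the items above map to settings that can be checked directly on each Windows machine. The following PowerShell script is an added example written for this page; it is not ProNet's monitoring product and not part of the regulation. It spot-checks items (1), (2), (5), (6) and (7) on a Windows 7 or later client and reports what it finds. Items (3), (4) and (8) depend on network equipment, log review and training, and are not checked. The thresholds it uses (5 failed attempts, an 8-character minimum, 30 days since the last update) are assumptions chosen for illustration; the regulation itself says only "multiple" and "reasonably".

```powershell
# Added example (not ProNet's tooling): spot-check a Windows client against
# several 201 CMR 17.04 controls. Run from an elevated PowerShell 2.0+ prompt
# on Windows 7 or later. Output parsing assumes English-language Windows.
# The numeric thresholds below are this script's assumptions, not the regulation's.

$findings = @()

# (1)(b) and (1)(e): minimum password length and lockout threshold, read from
# 'net accounts'. On a domain member, 'net accounts /domain' shows the domain
# policy, which overrides these local values.
$acct = net accounts
$lockoutLine = ($acct | Select-String 'Lockout threshold').Line
$lockout = $lockoutLine.Split(':')[1].Trim()
if ($lockout -eq 'Never') {
    $findings += '17.04(1)(e): no lockout threshold is set (e.g. net accounts /lockoutthreshold:5)'
}
$minLenLine = ($acct | Select-String 'Minimum password length').Line
$minLen = [int]($minLenLine.Split(':')[1].Trim())
if ($minLen -lt 8) {
    $findings += "17.04(1)(b): minimum password length is $minLen (e.g. net accounts /minpwlen:8)"
}

# (1)(d) and (2)(b): enabled local accounts that need no password, and the
# built-in Guest account (a vendor default) left enabled.
$users = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
foreach ($u in $users) {
    if ($u.Disabled) { continue }
    if (-not $u.PasswordRequired) {
        $findings += "17.04(2)(b): enabled account '$($u.Name)' does not require a password"
    }
    if ($u.Name -eq 'Guest') {
        $findings += '17.04(2)(b): built-in Guest account is enabled'
    }
}

# (5): BitLocker on the system drive. manage-bde reports "Protection On" only
# when the volume is encrypted and its key protectors are active.
if (Get-Command manage-bde -ErrorAction SilentlyContinue) {
    $bde = & manage-bde -status $env:SystemDrive 2>&1 | Out-String
    if ($bde -notmatch 'Protection On') {
        $findings += "17.04(5): BitLocker protection is not on for $env:SystemDrive"
    }
} else {
    $findings += '17.04(5): manage-bde not found; this Windows edition may not include BitLocker'
}

# (6): Windows Firewall state for every profile, and age of the newest installed
# update as a rough proxy for patch currency.
$fw = netsh advfirewall show allprofiles state | Out-String
if ($fw -match 'State\s+OFF') {
    $findings += '17.04(6): Windows Firewall is off for at least one profile'
}
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object { [datetime]$_.InstalledOn } -Descending | Select-Object -First 1
if (-not $latest -or ([datetime]$latest.InstalledOn) -lt (Get-Date).AddDays(-30)) {
    $findings += '17.04(6): no operating system update installed in the last 30 days'
}

# (7): an antivirus product registered with Windows Security Center. Client
# editions of Vista SP1 and later expose this under root\SecurityCenter2.
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    $findings += '17.04(7): no antivirus product is registered with Security Center'
}

# Report. Anything listed here is a gap to close before 3/1/2010.
if ($findings.Count -eq 0) {
    'No findings on this machine; items (3), (4) and (8) still need review by hand.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The Security Center and BitLocker checks apply to client editions of Windows rather than servers; on a server, confirm drive encryption and antivirus through the product's own console instead.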

What’s the bottom line?

Netting it all out, a new regulation takes effect in March 2010. It will affect some companies more than others, as there are layers within the compliance. Some of the requirements can be met by way of procedures, some with hardware, some with software, and many with a mix of all three. Fortunately there is time to prepare. Better still, the right mix of changes designed to help you meet the requirements of this new regulation will also be good for your business. After all, your data is your data, and you always want it fully protected from outsiders, from corruption and from needless downtime.

What should you do?

Call ProNet LAN Systems. We will provide you with a free evaluation over the phone and help determine whether an onsite audit is prudent. If so, we'll schedule it and provide you with a report of our findings and recommendations. If you need changes, we will tailor a solution that takes into consideration how many systems you have, your level of staffing, your budget, how much of this sensitive material you maintain, etc. It's that easy.


Copyright 2002-2009  Software Sources - All Rights Reserved