Posts Tagged ‘201 cmr 17’

Reading Tea Leaves – The Difference Between Old And New CMR Rules Part III

August 21st, 2009 - יב אב תשסט

This entry is part of the series "201 CMR 17 Revision". Entries in this series:
  1. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part I
  2. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part II
  3. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part III

 

As I reported earlier this week, here, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201 CMR 17:00, the Massachusetts data breach notification rules. Tuesday I started going line by line and analyzing the differences between the "old" and the "new" CMR rules, which I continued on Wednesday, and now, the rest of the story.

 

Comparison Between 201 CMR 17 Versions, Part 3

 

Comparison between versions of MASS 201 CMR 17 – Part 3

 Section

Old

 New

Meaning of Change

17.04

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

The first change is, as we discussed before, removing the requirement for organizations that merely store or maintain information to be compliant.

The second change is the addition of the phrase "to the extent technically feasible". I take this phrase as unneeded nonsense. If something were not possible, nobody would be required to do it anyway, right?

17.04(1)

(1) Secure user authentication protocols including:

(i)         control of user IDs and other identifiers;

(ii)        a secure method of assigning and selecting passwords consisting of at least seven letters and numbers;

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

The first change is the addition of the word "reasonable".  Again, a "fluff" change.   What’s reasonable?  I guess the courts will have to decide.

The second change is more reasonable, removing the need for "at least seven…".  Not sure why they picked that number to begin with, so this is a good change.

The third change is really cool.   Mass is now cognizant that we are at the end of the 20th century, or maybe even in the 21st, and there are other ways than passwords to secure access.

(iii) control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

I really have no comment.  Sigh.  Scratch that.

There are two changes here, and one error.

Firstly, dropping the explicit requirement to keep passwords in a separate location is OK, because of the way it is reworded.

Secondly, the addition of "or format" hints at encryption, which is also cool with me.

The error is that, again, OCABR apparently had different people write this paragraph and nobody who understands computer technology review it. Look: they forgot the phrase just above about technologies other than passwords. So how should tokens or keys be kept?

 

(iv) restricting access to active users and active user accounts only; and

(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

No change

17.04(2)

(2) Secure access control measures that:

 

(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(ii) assign a unique identification plus a password, which is not vendor supplied, to each person with computer access;

2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

The change to add the word default is a welcome clarification.

However, as if to negate the value of the clarity, they went and added the "that are reasonably….".  Meaningless.  Even if it HAD meaning, the word reasonably is one of those weasel words that negates all the value of any addition.

17.04(3)

(3) Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

This is not a change at all.  Just a clarification.

17.04(4)

(4) Periodic monitoring of networks and systems, for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times and success or failure of login;

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

What a weasel-y change!

Removal of periodic and using the word "reasonable" again.  I can imagine the discussions that led to that word being inserted so vacuously.

Then, the removal of monitoring of networks. Don’t they understand what this means? Now only individual systems need to be monitored, allowing network components, including wireless networks, to simply not be looked at.

And to make matters much worse… removal of the requirement for an audit trail….  Just this simple change means the Rule has lost 99% of its value.   Why?  Because without an audit trail, you can’t prove anything.
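To make concrete what the old 17.04(1)(c)/(e) and 17.04(4) text asked for, here is a small authentication service that keeps passwords only as salted hashes, locks an account after multiple failed attempts, and records an audit trail of user, event, date/time and login success or failure. This is an added example and is not code from the regulation or from this blog; the class and method names, the lockout threshold `MAX_FAILURES`, the PBKDF2 work factor and the sample user are assumptions for illustration.

```python
"""Login audit trail with lockout and hashed credentials.

Added example for 17.04(1)(c)/(e) and 17.04(4); not code from 201 CMR 17
or from this blog. The service name, the lockout threshold (MAX_FAILURES),
the PBKDF2 work factor and the sample users are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_FAILURES = 5             # assumed threshold; the rule only says "multiple"
PBKDF2_ITERATIONS = 100_000  # assumed work factor


@dataclass
class AuditEvent:
    """One audit-trail row: date/time, user, event, success or failure."""
    timestamp: str
    user: str
    event: str
    success: bool


@dataclass
class AuthService:
    users: dict = field(default_factory=dict)     # user -> (salt, pbkdf2 hash)
    failures: dict = field(default_factory=dict)  # user -> consecutive failures
    locked: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _record(self, user: str, event: str, success: bool) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(AuditEvent(stamp, user, event, success))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Passwords are kept only as salted PBKDF2 hashes: a "format" that does
        # not expose the data they protect, which is what 17.04(1)(c) hints at.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))
        self.failures[user] = 0
        self._record(user, "account_created", True)

    def login(self, user: str, password: str) -> bool:
        if user not in self.users:
            self._record(user, "login", False)  # unknown user: logged, not revealed
            return False
        if user in self.locked:
            self._record(user, "login_locked", False)  # 17.04(1)(e): access blocked
            return False
        salt, stored = self.users[user]
        ok = hmac.compare_digest(stored, self._derive(password, salt))
        if ok:
            self.failures[user] = 0
        else:
            self.failures[user] += 1
            if self.failures[user] >= MAX_FAILURES:
                self.locked.add(user)
                self._record(user, "account_locked", False)
        self._record(user, "login", ok)
        return ok

    def failed_logins(self, user: str) -> int:
        """Count failed login events for a user; without a trail this is unanswerable."""
        return sum(1 for e in self.audit_log
                   if e.user == user and e.event == "login" and not e.success)

    def audit_lines(self) -> list:
        """Render the trail as plain log lines, one per event."""
        return [f"{e.timestamp} user={e.user} event={e.event} "
                f"result={'success' if e.success else 'failure'}"
                for e in self.audit_log]


if __name__ == "__main__":
    svc = AuthService()
    svc.add_user("alice", "correct horse battery")  # constructed sample user
    svc.login("alice", "correct horse battery")
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong guess")
    print("\n".join(svc.audit_lines()))
    print("failed logins for alice:", svc.failed_logins("alice"))
```

The point of `failed_logins` and `audit_lines` is the one the post makes: once the trail exists, the question "who tried to get into this account, when, and did they succeed?" has an answer; strike the recording requirement and there is nothing to review, however "reasonable" the monitoring is said to be.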

17.04(5)

(5) Periodic review of audit trails restricted to those with job-related need to view audit trails;

NONE

Together with the removal of creating an audit trail (above), they removed the need to review it from time to time. Sigh.

NONE

(5) Encryption of all personal information stored on laptops or other portable devices;

The one and only change for the better in this Rule is the mandatory addition of encryption for mobile devices.

I wonder what this means, however, to iPhone users holding private data of their friends…

17.04(6)

(6) For files containing personal information on a system that is connected to the Internet, there must be firewall protection with up-to-date patches, including operating system security patches.

A firewall must, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

Big changes.   Firstly, the weasel-word "reasonably" has shown up again and negates the value of the intent in the original Rule.

Then, there is an addition, requiring reasonably patched operating systems on the systems holding the data. This is no longer a reference to the firewall. However, I cannot see where most operating systems, other than Level C and above secure operating systems, are designed to maintain the integrity of the personal information. I suspect this will not stand the test of time.

17.04(7)

(7) The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

I am reasonably sure that by now you are, too, sick of this word.

The other change is the consolidation of "antispyware and antivirus software" into "malware protection".

All other changes here are cosmetic.

 

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Glad they didn’t take this part out.
 

(9)        Restricted physical access to computerized records containing personal information, including a written procedure that sets forth the manner in which physical access to personal information is restricted. When notified of any unauthorized entry into a secure area by either an employee or any other unauthorized person, the integrity of the computerized records must be reviewed.

NONE

This is a major change, for the worse.  Even PCI regulations demand a modicum of sensitivity to physical security.   Now Mass OCABR does not.

Further, to make it MUCH worse, removing the mandatory review after unauthorized entry removes the duty to look, and with it the chance of finding that the systems or networks have been tampered with.

 

 

 

 

The usual disclaimer:  I am not a lawyer.  I don’t even play one on TV.  This is not legal advice.

 


Reading Tea Leaves – The Difference Between Old And New CMR Rules Part II

August 19th, 2009 - כט אב תשסט

This entry is part of the series "201 CMR 17 Revision". Entries in this series:
  1. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part I
  2. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part II
  3. Reading Tea Leaves - The Difference Between Old And New CMR Rules Part III

 

As I reported earlier this week, here, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201 CMR 17:00, the Massachusetts data breach notification rules. Yesterday I started going line by line and analyzing the differences between the "old" and the "new" CMR rules.

So let’s continue… As you can see below, the regulation has become far more lenient and relaxed than the original intent.

 

Comparison Between 201 CMR 17 Versions, Part 2

 

Comparison between versions of MASS 201 CMR 17 Part 2

 Section

Old

 New

Meaning of Change

 17.03

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.

(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written…

Beyond the change I specified yesterday, about no longer being applicable to organizations that monitor or store information, the requirement to monitor such a program has been dropped. Depending on what they meant by monitoring, this can be a minor clarification or a major reduction in scope, if the intent is to no longer require monitoring of the performance of such a program.
 

Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to…

…ensure the security and confidentiality of such records.  Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated.

in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to…

…The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

This is a minor re-write. However, the phrase "information of a providers" here does not make sense to me.
 

Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, shall be evaluated taking into account

(i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program,

(ii) the amount of resources available to such person,

(iii) the amount of stored data, and

(iv) the need for security and confidentiality of both consumer and employee information.

…(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;

(b) the amount of resources available to such person;

(c) the amount of stored data; and

(d) the need for security and confidentiality of both consumer and employee information…

Not a real difference
 

Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a)        Designating one or more employees to design, implement and coordinate the maintenance of the comprehensive information security program;

(b)        Identifying and assessing internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information in each relevant area of the person’s operation, and evaluating and improving, where necessary, the effectiveness of the current safeguards for minimizing such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) monitoring employee compliance with policies and procedures; (iii) upgrading information systems, including network, system and software design, as well as information processing, storage, and transmission, as necessary; (iv) storage of records and data in locked facilities, storage areas or containers; and (v) improving, as necessary, means for detecting, preventing and responding to security, including but not limited to security systems, failures.

(c)        Developing security policies for employees who telecommute that take into account whether and how such employees should be allowed to keep, access and transport data containing personal information.

(d)        Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e)        Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names.

 

Whoa!  This is a major difference.  The regulation just became a lot looser and less defined.   Risk assessment is no longer a requirement, nor is assigning a data security person.  The disciplinary measures are missing, and so are the mandatory requirements to handle terminated employees’ access.

 

In my view, this is a shortcoming which will be decried for years to come, especially regarding the responsible person and the risk assessments.

 

This lack of risk assessment makes the entire rule worthless. Just write a piece of paper and you are done.

 

(f)         Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including

(i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and

(ii) contractually requiring service providers to maintain such safeguards. 

 

Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures, so long as the contract was entered into before March 1, 2010.

The changes here have several meanings. The first is that contracts signed with third-party providers prior to a (new) date of March 2012 are automatically assumed to be compliant. It doesn’t matter how long they will last.

This, again, is a major weakening of the rules, and on several levels. First, remember how people that store or monitor the data are not responsible under this new version? Well, guess what: here the third party does not own the data. So who is responsible? Second, this is a license, in perpetuity as far as I can tell, to never be compliant, as long as the contract gets signed in time…

Next, the dual dating of March 1, 2010 and March 1, 2012 here is quite confusing. I asked three legal professionals to read this paragraph and they all indicated this writing is confusing and clearly done in a rush.

One additional, fourth point on these paragraph changes is that the data owner no longer has to take reasonable steps. As long as the owner has a contract, he or she is in the clear!

And finally, the requirement that the third-party provider has any sort of CISP (comprehensive information security program) is tossed out of the window.

 

(g)        Collecting the minimum amount of personal information necessary to accomplish the legitimate purpose for which it was collected; retaining such information for the minimum time necessary to accomplish such purpose; and permitting access to the smallest number of persons who are reasonably required to know such information in order to accomplish such purpose.

(h)        Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.

NONE

Are you kidding me? Removing both the requirement to keep the least records for the least amount of time and the requirement for least access? These are major tenets of Information Security, not to speak of Privacy. Why?

I guess an inventory of what you hold records on is no longer important. That, together with the row above that no longer requires risk assessment, makes this entire rule weaker by 90%.

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

While this seems like a good improvement, it is completely meaningless.   Wait for the courts to define "Reasonable"? 

My opinion:  Worthless

 

(i)         Regularly monitoring and auditing employee access to personal information in order to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information. 

(j)         Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information. 

(k)        Documenting responsive actions taken in connection with any incident involving a breach of security or the potential therefor, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

While this seems almost identical, let me call out the omission of four small words.  By removing those words, an almost-breach no longer needs to be investigated.

Further weakening of the Rule, by another 80%. 100 - 90 = 10; 10 - 80% = 2% of original strength?

 

Further purposes are to

(i) ensure the security and confidentiality of such information in a manner consistent with industry standards,

(ii) protect against anticipated threats or hazards to the security or integrity of such information, and

(iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents

This seems to be a minor, cosmetic change. This "further" piece is mostly aimed at clarifying to the public what this policy is all about.

 

 

So I ask you, OCABR,  "What the heck?"  Who wrote this for you?  Why the rush?  Why so watered down?

The usual disclaimer: I am not a lawyer. I don’t even play one on TV. This is not legal advice.

Thursday, I will continue the analysis of the differences between the new and old versions of the 201 CMR 17 rules.

 
