Posts Tagged ‘General Security’

Reading Tea Leaves – The Difference Between Old And New CMR Rules Part I

August 18, 2009 - כ"ח אב תשס"ט | Ariel
This entry is part of the series "201 CMR 17 Revision".


As I reported yesterday, here, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201 CMR 17:00, the Massachusetts data breach notification rules. Let's go line by line and analyze the differences between the "old" and the "new" CMR rules.

And yes, I do love the Tea metaphors.

Comparison Between 201 CMR 17 Versions

Comparison between versions of MASS 201 CMR 17

Section: 17.01(1) (old 17.01(a))
Old: "… by persons who own, license, store or maintain personal information…"
New: "…by persons who own or license personal information…"
Meaning of change: This is a major shift in policy, taking storage companies, such as hosting providers, out of the compliance equation.

Section: 17.01(1), purposes
Old: "The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."
New: "Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents."
Meaning of change: This seems to be a minor, cosmetic change.

Section: 17.01(2) (old 17.01(b))
Old: "The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth."
New: "The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth."
Meaning of change: Same as the very first comment.

Section: 17.03 – Definitions ("Encrypted")
Old: "Encrypted," transformation of data through the use of a 128-bit or higher algorithmic process, or other means or process approved by the office of consumer affairs and business regulation that is at least as secure as such algorithmic process, into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
New: "Encrypted," the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.
Meaning of change: This is also a major policy change:
a) No longer will the Mass OCABR be required to approve encryption;
b) No longer is 128-bit and above demanded;
c) The word "probability" is removed from the equation.
Note: The phrase "meaning cannot be assigned" may be a grammar error.

Section: 17.03 – Definitions ("Owns or licenses")
Old: (none; this is a new definition)
New: "Owns or licenses," receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
Meaning of change: A new definition. Not sure why this is called out, as it seems to me to conflict with the direction change inherent in the change I outlined in the first part of this table.

Section: 17.03 – Definitions ("Service provider")
Old: (none; this is a new definition)
New: "Service provider," any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that "Service provider" shall not include the U.S. Postal Service.
Meaning of change: This is a new definition in the regulation, detailing who a service provider is. This too seems to me to conflict with the direction change inherent in the change I outlined in the first part of this table.

The OCABR here seems to be a tad "confused"… I am not sure why they are calling out the USPS, and not, for example, HUD or the FBI.


The usual disclaimer:  I am not a lawyer.  I don’t even play one on TV.  This is not a legal advice.

Tomorrow, I will continue the analysis of the differences between the new and old versions of the 201 CMR 17 rules.


The Biggest Hole of It All

August 4, 2009 - י"ד אב תשס"ט | Ariel

(or) How to win at security and influence people


If you agree with me and see the legendary Gene Spafford as the 2nd generation of security, and people of my experience as the third, then what we have today in the marketplace is the fourth generation of security professionals.   People 20 years my junior who never had to grow up without the Internet (or, for that matter, without a remote control or with tethered-only phones, and I could go on…) are now the backbone of information security in the country, nay, in the world.

And yet, the problem that my generation referred to as "the loose nut on the keyboard" and today's generation calls "layer 8" is still seen as a problem in security circles.

Well, I got news. They are not the problem; we, security professionals, are. They are the solution.


[Image: THE PRINCESS BRIDE, Mandy Patinkin, 1987, TM and Copyright (c) 20th Century Fox Film Corp. All rights reserved.]

Let me 'xplain. Yes, I have time; I don't have to sum up.

Early on in my career I learned that there are very few technical solutions to human action problems. 

I used to say that “there aren’t any”, but I wised up. We must teach, train, mentor and repeat. 

Allow me to draw a picture of life today, inside the corporate world or without.


Part I – Social Media

Quite a large part of our workforce today, and certainly all of tomorrow’s, has been exposed to, used, and even reveled in Social Media. From BBS (I will explain to those who request) through Wikis; from Facebook to Twitter, our workers have not only become accustomed to using these tools, they enjoy them.

You, Ms., Mr. or Mrs. Security Person, have two choices:

1. Fight an uphill battle, never to be won even in the US Military (as you can see here), or
2. Embrace it.


“How do I embrace it?” you say? Well. Here is a road map to embracement (I made that word up, I think):
