Massachusetts 201 CMR 17.00 Policy Mapping

Below you will find an overview of 201 CMR 17.00, mapping each requirement to the policy that covers that requirement. Some requirements are paraphrased due to length, so please refer to the final standard for complete compliance information.

By purchasing the Gold Security Package, you will receive a set of policies that has been designed specifically for compliance with complex security regulations such as Massachusetts 201 CMR 17.00.

InstantSecurityPolicy.com Massachusetts 201 CMR 17.00 Mapping

17.03: Duty to Protect and Standards for Protecting Personal Information
(2) Every comprehensive information security program shall include, but not be limited to:

(2)a. Designating one or more employees to maintain a comprehensive information security program.
    Covered by Network Security Policy, section 4.18.1 Security Program Manager.

(2)b. Identifying risks to the security, confidentiality, and/or integrity of records containing personal information, and improving current safeguards where necessary, including 1) ongoing employee/contractor training, 2) employee compliance with policies, and 3) means for detecting and preventing security system failures.
    Covered by Incident Response Policy, sections 4.7.1 Risk Assessment and 4.7.2 Risk Management Program.
    Covered by multiple sections of the Network Security Policy.

(2)c. Developing policies relating to the storage, access, and transportation of personal information outside of business premises.
    Covered by Confidential Data Policy, section 4.2 Use of Confidential Data, and section 4.3 Security Controls for Confidential Data.
    Covered by Mobile Device Policy, section 4.2 Data Security.

(2)d. Imposing disciplinary measures for violations of the security policy.
    This requirement is best handled by your company's Human Resources department; however, from a policy perspective, security violations are discussed in the Enforcement section of each policy.

(2)e. Preventing terminated employees from accessing records containing personal information.
    Covered by Network Access and Authentication Policy, section 4.3 Account Termination.

(2)f. Overseeing service providers by 1) selecting and retaining service providers capable of securing personal information and 2) requiring service providers by contract to implement and maintain appropriate security measures for personal information.
    Covered by Outsourcing Policy, section 4.5 Outsourcing Contracts.
    Covered by Third Party Connection Policy, section 4.2 Security of Third Party Access and 4.3 Restricting Third Party Access.

(2)g. Placing restrictions on physical access to records containing personal information and securely storing this information.
    Covered by multiple sections of the Physical Security Policy.
    Covered by Confidential Data Policy, section 4.1.1 Storage of Confidential Data, and 4.3 Security Controls for Confidential Data.
    Covered by Backup Policy, section 4.5 Backup Storage.

(2)h. Regular monitoring to ensure the security program is operating in the intended manner and upgrading safeguards where necessary.
    Covered by Network Security Policy, section 4.7 Security Testing and 4.18.3 Security Policy Review.
    Covered by Incident Response Policy, sections 4.7.1 Risk Assessment and 4.7.2 Risk Management Program.

(2)i. Reviewing security measures at least annually or whenever it is reasonably necessitated by a change in business practices.
    Covered by Network Security Policy, section 4.18.3 Security Policy Review.
    Covered by Network Security Policy, section 4.7 Security Testing.
    Covered by Incident Response Policy, sections 4.7.1 Risk Assessment and 4.7.2 Risk Management Program.

(2)j. Documenting actions taken in response to any incident involving a breach of security, and a post-incident review of events and actions taken.
    Covered by Incident Response Policy, sections 4.4 Electronic Incidents and 4.5 Physical Incidents.

17.04 Computer System Security Requirements
(1) Secure user authentication protocols including:

(1)a. Control of user IDs and other identifiers.
    Covered by Network Access and Authentication Policy, section 4.2 Account Use.

(1)b. A reasonably secure method of assigning and selecting passwords or other unique identifiers.
    Covered by Password Policy, section 4.1 Construction of Passwords.
    Covered by Network Security Policy, section 4.1 Network Device Passwords.

(1)c. Control of passwords to ensure that their location and/or format does not compromise data security.
    Covered by Password Policy, section 4.2 Confidentiality of Passwords.
    Covered by Encryption Policy, section 4.2 Encryption Key Management.
    Covered by multiple sections of the Network Security Policy.

(1)d. Restricting access to active user accounts only.
    Covered by Network Access and Authentication Policy, section 4.3 Account Termination.

(1)e. Blocking access after multiple unsuccessful logon attempts.
    Covered by Network Access and Authentication Policy, section 4.10 Failed Logons.
    Covered by Network Security Policy, section 4.1.2 Failed Logons.

(2) Secure access control measures that:

(2)a. Restrict access to files containing personal information to those who need such access.
    Covered by Confidential Data Policy, sections 4.1 Treatment of Confidential Data, 4.2 Use of Confidential Data, and 4.3 Security Controls for Confidential Data.

(2)b. Assign non-vendor-supplied, unique identifications and passwords to each person with computer access, designed to maintain the integrity of the security of the access controls.
    Covered by Network Access and Authentication Policy, section 4.2 Account Use.
    Covered by multiple sections of the Password Policy.

(3) Encryption of all transmitted files containing personal information when traveling across a public network or a wireless connection.
    Covered by Confidential Data Policy, section 4.1.2 Transmission of Confidential Data.
    Covered by Wireless Policy, section 4.3 Accessing Confidential Data.

(4) Monitoring of systems for unauthorized use of or access to personal information.
    Covered by Network Security Policy, section 4.6 Intrusion Detection/Intrusion Prevention.
    Covered by Acceptable Use Policy, section 4.12 Monitoring and Privacy.

(5) Encryption of all personal information stored on laptops or portable devices.
    Covered by Mobile Device Policy, section 4.2 Data Security.

(6) Use firewall protection and reasonably up-to-date patches on Internet-connected systems that contain personal information.
    Covered by Network Security Policy, sections 4.3 Firewalls and 4.12 Software Use Policy.

(7) Use anti-virus/anti-malware software with reasonably up-to-date patches and virus definitions on Internet-connected systems that contain personal information.
    Covered by Network Security Policy, section 4.11 Antivirus/Anti-Malware.

(8) Education and training of employees in the proper use of the computer security system and the importance of information security.
    Covered by Network Security Policy, section 4.18.2 Security Training.

The information above maps the 201 CMR 17.00 requirements to the InstantSecurityPolicy.com policies that cover the requirement. As with any regulation, the procedures you put into place to enforce your policies are critical to your compliance. 201 CMR 17.00 provides some latitude as to what is "technically feasible" for individual organizations, so specific compliance requirements may vary from company to company. We recommend that as you answer the questionnaire, you keep these requirements in mind and answer the questions accordingly.

The Gold Security Package goes well above and beyond what is required for 201 CMR 17.00 compliance. You can view the details of the Gold package here.


"Your product saved me many hours of boring work, thank you."
Jim Owens - IT Manager, Portland, Maine

"InstantSecurityPolicy.com saved me thousands in consulting fees. Thank you."
Lei Chang - Startup Founder, San Jose, CA

"The policy format was nice and clean. I like that you offer a mix of both technical and non-technical policies. I am very happy with the product, and the fact that I had my policies 30 minutes after I first found your site."
Joe Upton - Business Owner, Miami, FL

"We used your product to help us achieve compliance with Massachusetts 201 CMR 17.00 without having to spend dozens of hours developing the policies ourselves."
Linda Neal - CISO, Boston, MA
The above information is based on interpretation by an experienced policy professional and is believed to be correct. Please note, however, that InstantSecurityPolicy.com is not in the business of dispensing legal advice, and thus any policies generated should be reviewed for applicability to your specific situation.