Technology Advisor Blog

8 Things to Know About the Massachusetts Data Security Law

Posted by Ann Westerheim on 3/28/13 9:32 AM

MA Data Security LawMarch is the anniversary of the Massachusetts Data Security Law which went into effect March 1, 2010:  201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth.  The anniversary is a good time to refresh your team about the requirements!

The goal of the law is to help prevent identity theft and we all have a role to help.

Here are the eight technology requirements included in this law:

1.  Secure user authentication protocols including:

(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

Use of STRONG passwords is required (uppercase letters, lower case letter, numbers, and symbols) and NEVER put your password on a post-it by your monitor, or under your keyboard or anywhere else that's easily accessible!

2.  Secure access control measures that:

(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

If an employee doesn't need access to personal information to do their job, make sure they can't get to it.  This is very important if multiple users share a system.

3.   To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted over a wireless network.

Do not email personal information.  Instead use SSL transmission of data to secure web sites.

4.  Reasonable monitoring of systems, for unauthorized use of or access to personal information;

Are logs routinely checked?  There are several great tools to help you decipher server logs to get the information you need.

5.   Encryption of all personal information stored on laptops or other portable devices;

Laptops MUST have encryption technology.  Other portable devices such as flash drives must also be protected.  Backup tapes (if used) must be encrypted.

6.  For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. 

7.  Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

Do you know if your security patches and Antivirus definitions are up to date?

8.   Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Users often break basic rules for “convenience” so they can get their work done faster. Ongoing education is needed!

In your next team meeting, review these requirements and make sure everyone understands the importance of compliance.  For more information, visit the Massachusetts Office of Consumer Affairs and Business Regulations web site.  Give us a call if you'd like us to review your site security with you.

 

Tags: MA Data Security Law, 201 CMR 17.00, Security Requirements

Get S.M.A.R.T and save your data BEFORE you lose it!

Posted by Ann Westerheim on 3/20/13 10:00 AM


Hard DriveOne of the things we strongly advise our clients to get on board with is proactive monitoring of all their systems with our managed services.   With this service, we monitor all systems for a long list of parameters including Antivirus software updates, Security Patch updates, system performance and when capable, S.M.A.R.T monitoring of hard drives.  

S.M.A.R.T definition from Wikipedia:  

"S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology; often written as SMART) is a monitoring system for computer hard disk drives to detect and report on various indicators of reliability, in the hope of anticipating failures.  When a failure is anticipated by S.M.A.R.T., the user may choose to replace the drive to avoid unexpected outage and data loss."

Recently, Brian rescued a client's system when he received a SMART alert that the hard drive was showing signs of failure.  Rather than waiting for the drive to fail, and potentially risking the client's data, we went ahead and initiated the the process to replace the drive.  The system was still under warranty with Dell, but the problem was that the drive hadn't failed yet, so initially they wouldn't proceed with the warranty replacement, and Brian replaced the drive.

Brian didn't give up, though, and wrote to Dell:

Dell Support,

In regards to hard drive replacement policy, Waiting till the hard drive FAILS is NOT a good policy for Helping customers.  In our case we use remote monitoring and management software that is extremely reliable and efficient at reporting errors, and when is a SMART Error you need to take notice.

We have provided our services and resources to take care of YOUR Customer and ours By acknowledging that an ERROR from SMART needs attention and should never be taken lightly we purchased an identical replacement drive, was able to quickly and efficiently save the customers data and get them back up and running with no loss. 

Any customer regardless of how many computers they purchase, from 1 to 10,000 are equal.

Waiting for the hard drive to fail is like closing the Barn doors after the horses have run off, it's too late.

I have been a PC/Server tech for over 20 years and  I know how hard it is to repair an intermittent problem But when reliable monitoring tells you there's a problem, there is a problem.  Computers  know 2 things. 1's & 0's.

And as you know if one of them is out of place.. problems happen.  People can hide what their problems are, computers can't.  Preventing a Problem from happens before it happens is GOOD for Business for Both of us.

I hope you would consider replacing the hard drive, I see the Man. Date is either 6/2012 or 8/2012 and the SMART reporting started to show a problem on 01/28/2013 04:25 AM.

I have the Hard drive ready to ship.

Brian Brackett

Help Desk Tech

Ekaru

Dell eventually stepped up and honored a parts replacement of the hard drive and shipped back a drive.  Being proactive saved the aggravation of a failed system and potential data loss.  Even with an almost brand-new system, a hard drive can fail (in fact, if you think about a disk spinning at 7200 RPM, it's a miracle that any hard drive can work!).  Hard drives are the most common failure point in PCs, and proactive monitoring is definitely advised.

 

Tags: S.M.A.R.T, hard drive, Monitoring, Managed Services

Why did that Spam message get through my filter?

Posted by Ann Westerheim on 3/7/13 8:43 AM

SpamOne of the services we provide to our clients is spam filtering.  The goal is to stop the spam BEFORE it gets to the mail server so it doesn't wind up on the users' desktop, laptop, iPad, smart phone, etc....  Each month when we do the reporting and roll up the numbers, it's amazing how much volume there is. Overall, around 80% of all email traffic is flagged as spam.  For some of our clients, this means blocking out tens of thousands of messages a month.  I looked at our own domain yesterday, and in February, over 10,000 messages were blocked or quarantined, including 348 emails containing viruses.  

One of the frustrating things is that with all the sophisticated algorithms involved with the spam security filters we put in place, some spam still gets through.  Just yesterday we heard from two clients who reported receiving a spam message that to any human reviewing the email, the disposition should be obvious, but to a computer scanning thousands of messages with respect to certain algorithms, a few get through.  In both cases, we saw "Breaking News" emails where for one user, the server logs showed that one email got through and seven were blocked in the past week, and for the other users, one got through, and 65 were blocked/quarantined.  In this case, we can see that the filters ARE working, but they are not 100%.  For a message with carefully crafted language, the initial emails typically get through, and it isn't until the volume of identical messages is detected that the rest get properly dispositioned as spam.

It's annoying for all of us that these spam messages just keep coming to us, but at least with good filtering, the vast majority are stopped.

Tags: eMail, email security, spam, spam filtering

Subscribe by Email

Most Popular Posts

Browse by Tag

See all tags...

Connect With Us

Older Blog Posts

For older Ekaru blog posts, go to ekaru.blogspot.com.