Wednesday, November 25, 2009

Final Version of MGL 93H 201CMR 17.00 Filed

On October 29th, 2009, OCABR (the Massachusetts Office of Consumer Affairs and Business Regulation) filed the "Final" version of the "Standards for the Protection of Personal Information", also known as MGL 93H 201 CMR 17.00, with the Secretary of State's office. The regulation was first issued in September of 2008, and after more than a year of amendments to the original text this filing is the final step before the regulation takes effect on March 1, 2010. The final regulations include some further clarifications beyond the amendment that was released in August of this year, but are substantially similar to it.


The latest revisions were written in response to requests from companies and business leaders who were looking for further clarification of the regulation.


Following are the changes:


17.02 Definitions
Owns or licenses - adds the word "stores"
Service provider - adds the word "stores" and deletes the phrase "provided, however, that 'Service provider' shall not include the U.S. Postal Service."

17.03 Duty to Protect and Standards for Protecting Personal Information


Clarifies the language in section (2)(f)(2) relating to service provider contracts - A contract entered into with a third-party service provider is deemed to be in compliance with this section until March 1, 2012, even if the contract does not include a requirement that the third-party service provider maintain such appropriate safeguards, as long as the contract was entered into no later than March 1, 2010.


"Definition of Owns or Licenses. A company owns or licenses personal information if it "receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment." The final regulations make clear for the first time that a company that "stores" the personal information of a Massachusetts resident is subject to the regulations' requirements, even if the company does not otherwise process or access such information.


Definition of Service Providers. A service provider is defined as "any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation." The final regulations eliminate a previous carve-out that had stated, "'service provider' shall not include the U.S. Postal Service." It is not clear that the OCABR intends this change to mean that a company using the U.S. Postal Service to transmit personal information must contractually require the U.S. Postal Service to implement and maintain appropriate security measures for such personal information, as it must do with other service providers. But the OCABR has stated that a company must assess the risks of using a common carrier, including the U.S. Postal Service, to transmit personal information and take steps to protect that personal information.


Amending Existing Contracts with Service Providers. The final regulations clarify prior language related to a grace period for amending existing contracts with service providers so that such contracts require the service providers to implement and maintain appropriate security measures for personal information. The regulations now make clear that a company has until March 1, 2012 to amend existing contracts with service providers to include personal information security provisions, as long as the existing contracts were entered into before March 1, 2010. As before, service-provider contracts that the company entered into after March 1, 2010, must include personal information security provisions." [1]


For a copy of the most up-to-date regulation, please click here.


MPICA - Massachusetts Personal Information Compliance Assessment


[1] David M. McIntosh, Lisa M. Ropple, Christine Santariga - Ropes & Gray LLP, Boston Office

Friday, October 16, 2009

Your Timeline for Compliance with MGL 93H 201CMR17.00

October 2009

Designate an Information Security Officer - You will need to designate at least one person at your place of business who will maintain the comprehensive information security program. Finding that person now will help get the rest of the items in line for when they need to be done. You can get a compliance checklist at: 201 CMR 17.00 Compliance Checklist

November
Start Assessing Your Information:

Identify the paper, electronic and other types of records, including storage media, laptops and portable devices, that contain personal information.**
Check all anti-virus and security patches on all computer systems and servers -- make sure they are up to date.**
a. Check that you have reasonably up-to-date versions of system security agent software (including malware protection)**
Identify what "personal information" moves around your business and out of your office including:**
a. healthcare/insurance information
b. benefits/401K information
c. Accounting/Tax information
d. Employment and Credit Applications
e. Checks and credit card information
Identify persons who need to see the "personal information" and those who do not.
Identify where encryption for personal information is needed.**
Identify what third-party service providers your business may use that have access to personal information.
Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**
Identify any systems that are connected to the internet and make sure the firewall protection for files containing personal information is up-to-date.**

December 2009

Purchase any hardware or software upgrades that are needed**
Get control of user IDs and other identifiers**
Come up with a reasonably secure method of assigning/selecting passwords for users**
Start developing your WISP (Written Information Security Program)
Make sure that your WISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts

Make sure that you include:

Administrative, technical and physical safeguards for personal information protection
Any identified and reasonably foreseeable internal and external risks to paper and electronic records
Regular and ongoing employee training, and procedures for monitoring employee compliance
Disciplinary measures for violators
Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
Steps taken to verify third-party service providers' access
The length of time that you are storing records containing personal information
The specific manner in which physical access to records containing personal information is to be restricted
Whether you are storing your records and data in locked facilities, storage areas or containers, and the security measures taken to keep these areas secure
Actions taken, and documentation kept, in connection with any breach of security

January 2010

Install all hardware and software upgrades**
Test policies that have been written
Start Training Employees on new policies
Finalize WISP

December

Finish Training Employees
Send the WISP policy to all employees and obtain signatures confirming that they understand it and will comply

February 2010 and beyond

Continue monitoring your systems and procedures**
Continue providing training to new and existing employees
Update policies as required
Ensure all computers and servers remain up-to-date with patches and anti-virus software**

** NSK Inc. can help you with any of these tasks; just let us know.

Thursday, August 13, 2009

What is AJAX? Does Microsoft do AJAX?

AJAX stands for “Asynchronous JavaScript and XML”. If you’ve ever used Microsoft Outlook Web Access (OWA), then you’ve used AJAX. Microsoft wrote OWA with hidden, embedded web requests, so OWA could fetch and display new mail without refreshing the whole page every time. Within a few years, everyone was doing this in several different ways. Microsoft was a pioneer, but AJAX is not Microsoft technology.

JavaScript (the modest little webpage scripting language) was one surprising ingredient. JavaScript was combined with something we got from Web Services: XML. That’s right: Microsoft’s hidden browser request function was combined with JavaScript and with some of the fast, light, network-ready data formats that we all learned from web services and SOAP, to create AJAX. Like magic, XML was being sent into web pages “from behind” to display data and reformat pages. The best part? It’s fast.
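As an added illustration (this is not NSK's in-house library or Microsoft's toolkit), here is the pattern just described in plain JavaScript: an XML payload is requested asynchronously and only the new rows are merged into the page, with no reload. XMLHttpRequest and the DOM are replaced by a stub transport and a page object so it runs outside a browser; the inbox XML, addresses and URL are constructed.

```javascript
// Added example: the OWA-style AJAX poll. `transport` stands in for
// XMLHttpRequest and `page` stands in for the DOM; all sample data is constructed.

const SAMPLE_INBOX_XML = `<?xml version="1.0"?>
<inbox>
  <message id="101"><from>alice@example.com</from><subject>Q3 numbers</subject></message>
  <message id="102"><from>bob@example.com</from><subject>Lunch &amp; coffee?</subject></message>
</inbox>`;

// Decode the five predefined XML entities in element text.
function decodeEntities(s) {
  return s.replace(/&(lt|gt|amp|quot|apos);/g,
    (_, e) => ({ lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" })[e]);
}

// Extract <message> elements from the constructed inbox format. In a browser this
// would be xhr.responseXML / DOMParser; the regex extractor only serves the sample.
function parseInbox(xml) {
  const out = [];
  const re = /<message id="(\d+)">([\s\S]*?)<\/message>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const body = m[2];
    const field = (tag) => {
      const f = new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`).exec(body);
      return f ? decodeEntities(f[1]) : '';
    };
    out.push({ id: m[1], from: field('from'), subject: field('subject') });
  }
  return out;
}

// Merge messages into the page model, skipping ids already displayed. This is the
// "no full refresh" part: only rows for unseen messages are added.
function mergeInbox(page, messages) {
  let added = 0;
  for (const msg of messages) {
    if (page.seen.has(msg.id)) continue;
    page.seen.add(msg.id);
    page.rows.push(msg); // a real page would append a row via textContent here
    added++;
  }
  return added;
}

// One asynchronous poll: request the XML, check the status, parse, merge.
async function pollInbox(page, transport) {
  const res = await transport('GET', '/inbox.xml');
  if (res.status !== 200) throw new Error(`inbox request failed: ${res.status}`);
  return mergeInbox(page, parseInbox(res.body));
}

// Stand-in for XMLHttpRequest: resolves asynchronously with the constructed XML.
const fakeTransport = async () => ({ status: 200, body: SAMPLE_INBOX_XML });

// Stand-alone run: two polls of the same inbox add each row only once.
const demoPage = { seen: new Set(), rows: [] };
pollInbox(demoPage, fakeTransport)
  .then(() => pollInbox(demoPage, fakeTransport))
  .then((added) => console.log(demoPage.rows.length, 'rows;', added, 'added on second poll'));
```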

“Atlas” was Microsoft’s first AJAX toolkit, released in 2007. When Microsoft renamed it to “AJAX toolkit 1.0”, many Microsoft developers were unhappy because they lost the cool name. But Microsoft knew what they were doing, because we’ve already been asked by clients why our AJAX is working even though they never installed Microsoft AJAX on their server!

Unfortunately, the Microsoft AJAX toolkit is not yet a tool of common choice, and many Microsoft .NET programmers compare the AJAX toolkit to early versions of FrontPage (they assume it will get much better before being replaced with something else entirely). As of right now, the Microsoft AJAX Toolkit doesn’t easily stand up to libraries such as Prototype, Dojo, Scriptaculous, and General Interface, in the same way that FrontPage (which has now been replaced by SharePoint Designer) didn’t survive well in the market against Adobe Dreamweaver.

Before MS AJAX arrived, these other toolkits were listing clients on their websites from Gucci to NASA to Apple to ESPN to Sony, and even Microsoft! Developers who use only Microsoft tools may say AJAX is slow, because Microsoft AJAX can be slow. AJAX tools are already far more sophisticated than Web Service tools ever became, and the simple truth is that good web programming now requires qualified, experienced pros.

How does NSK do AJAX?

NSK uses an in-house AJAX library, which was specifically designed to do three things. It performs as well as or better than equivalent Windows-based applications. It is learned easily by developers, so work for our clients can be done quickly and inexpensively. And our framework is usable on many browsers (in addition to Internet Explorer), and is 100% compatible with all current major server and development technologies, including Microsoft .NET. We’ve seen development turn-around as short as eight months on financial industry projects of considerable complexity.

Written by Keith Mitchell, Senior Developer at NSKinc

Web 2.0, AJAX, XML, Thin Clients, and You

"Web 2.0 and AJAX have already changed web programming and business application development to the same extent that managed care has already changed the healthcare industry, and boxing gloves have already changed boxing."


Most web programmers learn quickly how to use a submit button, which allows a user to wait for the next web page to come back and tell them the results of their action. Most accomplished web programmers have learned how to display a table of data, and to sort the data by waiting for the page to refresh. Most accomplished web programmers have also explained to clients many times that they can’t type into a dropdown list; they can only choose one of the values in the list, because “that’s the way the web thing works”.

Now, web programming isn’t so simple. Forms can be updated and data can be sorted, faster than you can read the confirmation messages. No one has to wait for pages to reload any more. New descriptions can be added to a list, and stored into a database, simply by typing them into a dropdown box. A web form can enter and correct data faster than a user can type.

The admission requirements for the web programmer club are getting higher. Microsoft and Adobe are writing tools to make these tasks easy, but these tools are still in their infancy.


Written by Keith Mitchell, Senior Developer at NSKinc

Thursday, August 6, 2009

201 CMR 17 Compliance Timeline

Compliance for 201 CMR 17.00 is going to take a little time... We have written out a guideline for your timeline!

August

-Designate an Information Security Officer - You will need to designate at least one person at your place of business who will maintain the comprehensive information security program. Finding that person now will help get the rest of the items in line for when they need to be done.

September

Start Assessing Your Information:

-Identify the paper, electronic and other types of records, including storage media, laptops and portable devices, that contain personal information.**
-Check all anti-virus and security patches on all computer systems and servers -- make sure they are up to date.**

a. Check that you have reasonably up-to-date versions of system security agent software (including malware protection)**

-Identify what "personal information" moves around your business and out of your office including:**

a. healthcare/insurance information
b. benefits/401K information
c. Accounting/Tax information
d. Employment and Credit Applications
e. Checks and credit card information

-Identify persons who need to see the "personal information" and those who do not.
-Identify where encryption for personal information is needed.**
-Identify what third-party service providers your business may use that have access to personal information.
-Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**
-Identify any systems that are connected to the internet and make sure the firewall protection for files containing personal information is up-to-date.**

October

-Purchase any hardware or software upgrades that are needed**
-Get control of user IDs and other identifiers**
-Come up with a reasonably secure method of assigning/selecting passwords for users**
-Start developing your WISP (Written Information Security Program)
-Make sure that your WISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts

Make sure that you include:

-Administrative, technical and physical safeguards for personal information protection
-Any identified and reasonably foreseeable internal and external risks to paper and electronic records
-Regular and ongoing employee training, and procedures for monitoring employee compliance
-Disciplinary measures for violators
-Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
-Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
-Steps taken to verify third-party service providers' access
-The length of time that you are storing records containing personal information
-The specific manner in which physical access to records containing personal information is to be restricted
-Whether you are storing your records and data in locked facilities, storage areas or containers, and the security measures taken to keep these areas secure
-Actions taken, and documentation kept, in connection with any breach of security

November

-Install all hardware and software upgrades**
-Test policies that have been written
-Start Training Employees on new policies
-Finalize WISP

December

-Finish Training Employees
-Send the WISP policy to all employees and obtain signatures confirming that they understand it and will comply

January 1, 2010 and beyond

-Continue monitoring your systems and procedures**
-Continue providing training to new and existing employees
-Update policies as required
-Ensure all computers and servers remain up-to-date with patches and anti-virus software**

** NSK Inc. can help you with any of these tasks; just let us know.

Written by Cathie Briggette

Tuesday, August 4, 2009

Linux, Apache Platforms

Linux/Apache as a platform has been doing web-based networking, backed by large-scale community development, for a long time. The most mature spam filters, email handlers, RSS tools, web data-miners, and web automation tools are Linux/Apache based. For those tasks, that’s what we may recommend. These services or components can be integrated easily with Microsoft Exchange and other Microsoft servers and systems.

Are we talking about “Open Systems” or “Open Software”?

No. We’re really trying to discuss the important business move toward open architectures. Enterprise or service architecture is not related to “open systems” or “open software”. For open systems, think “UNIX-like systems which have been standardized”. For open software, think free Linux software, free licensing, and community development.

Is Linux more “open” for business software architectures?

No. What matters are your software applications, not your systems. Linux is important, however, because most of the web runs on Apache web servers running on Linux, and the internet (worldwide) and intranet (corporate) ARE vital to open architectures.

Written by Keith Mitchell, Senior Developer at NSKinc

Open Architecture and Services

Service-oriented architecture is a design for business systems in which applications that store, manipulate, or use data provide a mechanism, or service, through which other applications in the system can get at that same data.

An open architecture is a business system where applications “expose” what they do, and the data they use, to other applications or network services.

Web Services started a lot of things (moderately well). A web service is a web page that another computer can go to, to get information. It’s that simple. By the time web services were popular in certain functions (weather info, product vending by middleware and B2B, and stock quotes), they had been very standardized and defined. That standard was clumsy to implement and was sometimes too slow for the speed of business. Much work went into creating lightweight wrappers for the data which was given out by web services, so that they would be fast. SOAP is a very lightweight data container for web services data.

What’s good about SOAP and web services? Data wrapped in a SOAP wrapper can move like a text file across networks, through firewalls, from a Windows machine into a Linux machine into a Mac, and then into a library mainframe. Data can be easily taken from one database and added into another, or made into a report. This was revolutionary several years ago. Web services tell other computers what they do (what “service” they provide) and what data to expect. However, the expected explosion of computer-consumed data didn’t happen with web services, except in some e-commerce and distributed corporate environments.

Why not? New and better ways are always being created for software systems to become more open. This is a very important benefit to corporate software customers, because new functionality can be added inexpensively. Have you noticed how quickly RSS newsfeeds became widespread? Compared to SOAP web services, RSS is very fast and easy to work with. Similarly, AJAX, without any SOAP wrappers at all, has been used to replace web services. RSS and AJAX are not just “Web 2.0”. They could be referred to as “Web Services 2.0” as well.

Written by Keith Mitchell, Senior Developer at NSKinc