Wednesday, November 25, 2009

Final Version of MGL 93H 201CMR 17.00 Filed

OCABR (Massachusetts Office of Consumer Affairs and Business Regulation) on October 29th, 2009 filed the "Final" version of the "Standards for the Protection of Personal Information", also known as MGL 93H 201 CMR 17.00, with the Secretary of State's office. The first issue was in September of 2008, and after more than a year of amendments to the original regulations this is the final step before the regulation takes effect on March 1, 2010. The final regulations include some further clarifications beyond the amendment that was released in August of this year, but are substantially similar.


The latest revisions were written in response to requests from companies and business leaders that were looking for further clarification of the regulation.


Following are the changes:


17.02 Definitions
Owns or licenses - adds the word "stores"
Service provider - adds the word "stores" and deletes the phrase "provided, however, that 'Service provider' shall not include the U.S. Postal Service."

17.03 Duty to Protect and Standards for Protecting Personal information


Clarifies the language in section (2)(f)(2) relating to service provider contracts - A contract entered into with a third party service provider is deemed to be in compliance with this section until March 1, 2012, even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as the contract was entered into no later than March 1, 2010.


"Definition of Owns or Licenses. A company owns or licenses personal information if it "receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment." The final regulations make clear for the first time that a company that "stores" the personal information of a Massachusetts resident is subject to the regulations' requirements, even if the company does not otherwise process or access such information.


Definition of Service Providers. A service provider is defined as "any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation." The final regulations eliminate a previous carve-out that had stated, "‘service provider' shall not include the U.S. Postal Service." It is not clear that the OCABR intends this change to mean that a company using the U.S. Postal Service to transmit personal information must contractually require the U.S. Postal Service to implement and maintain appropriate security measures for such personal information, as it must do with other service providers. But the OCABR has stated that a company must assess the risks of using a common carrier, including the U.S. Postal Service, to transmit personal information and take steps to protect that personal information.


Amending Existing Contracts with Service Providers. The final regulations clarify prior language related to a grace period for amending existing contracts with service providers so that such contracts require the service providers to implement and maintain appropriate security measures for personal information. The regulations now make clear that a company has until March 1, 2012 to amend existing contracts with service providers to include personal information security provisions, as long as the existing contracts were entered into before March 1, 2010. As before, service-provider contracts that the company entered into after March 1, 2010, must include personal information security provisions." [1]


For a copy of the most up-to-date regulation, please click here.


MPICA - Massachusetts Personal Information Compliance Assessment


[1] David M. McIntosh, Lisa M. Ropple, Christine Santariga - Ropes & Gray LLP, Boston Office

Friday, October 16, 2009

Your Timeline for Compliance with MGL 93H 201CMR17.00

October 2009

Designate an Information Security Officer - You will need to designate at least 1 person at your place of business who will maintain the comprehensive information security program. Finding that person now will help get the rest of the items in line for when they need to be done. You can get a compliance checklist at: 201 CMR 17.00 Compliance Checklist

November
Start Assessing Your Information:

- Identify the paper, electronic and other type records, including storage media, laptops and portable devices that contain personal information.**
- Check all anti-virus and security patches on all computer systems and servers -- make sure they are up to date.**
  a. Check that you have reasonably up-to-date versions of system security agent software (including malware protection)**
- Identify what "personal information" moves around your business and out of your office including:**
  a. healthcare/insurance information
  b. benefits/401K information
  c. Accounting/Tax information
  d. Employment and Credit Applications
  e. Checks and credit card information
- Identify persons who need to see the "personal information" and those who do not.
- Identify where encryption for personal information is needed.**
- Identify what third-party service providers your business may use that have access to personal information.
- Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**
- Identify any systems that are connected to the internet and make sure the firewall protection for files containing personal information is up-to-date.**

December 2009

- Purchase any hardware or software upgrades that are needed**
- Get control of user IDs and other identifiers**
- Come up with a reasonably secure method of assigning/selecting passwords for users**
- Start developing your WISP (Written Information Security Program)
- Make sure that your WISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts

Make sure that you include:

- Administrative, technical and physical safeguards for personal information protection
- Any identified and reasonably foreseeable internal and external risks to paper and electronic records
- Regular and ongoing employee training, and procedures for monitoring employee compliance
- Disciplinary measures for violators
- Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
- Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
- Steps taken to verify third-party service providers' access
- The length of time that you are storing records containing personal information
- Specifically the manner in which physical access to personal information records is to be restricted
- Whether you are storing your records and data in locked facilities, storage areas or containers, and the security measures taken to keep these areas secure
- Actions taken, and documentation kept, in connection with any breach of security

January 2010

- Install all hardware and software upgrades**
- Test policies that have been written
- Start Training Employees on new policies
- Finalize WISP

December

- Finish Training Employees
- Send out WISP Policy to all Employees and get signatures from all that they understand and will comply

February 2010 and beyond

- Continue monitoring your systems and procedures**
- Continue providing training to new and existing employees
- Update policies as required
- Assure all computers and servers remain up-to-date with patches and anti-virus software**

** NSK Inc. can help you with any of these tasks, just let us know.

Thursday, August 13, 2009

What is AJAX? Does Microsoft do AJAX?

Ajax is “Asynchronous JavaScript and XML”. If you’ve ever used Microsoft Outlook Web Access (OWA), then you’ve used AJAX. Microsoft wrote OWA with hidden embedded web requests, so OWA could get and display new mail without refreshing the page all the time. Within a few years, everyone was doing this in several different ways. Microsoft was a pioneer, but AJAX is not Microsoft technology.

JavaScript (the modest little webpage scripting language) was one surprising ingredient. JavaScript was combined with something we got from Web Services: XML. That’s right-- Microsoft’s hidden browser function was combined with JavaScript and with some of the fast, light, network-ready data formats that we all learned from web services and SOAP, to create AJAX. Like magic, XML was being sent into web pages, “from behind”, to display data and reformat pages. The best part? It’s fast.

“Atlas” was Microsoft’s first AJAX toolkit, released in 2007. When Microsoft renamed it to “AJAX toolkit 1.0”, many Microsoft developers were unhappy because they lost the cool name. But Microsoft knew what they were doing, because we’ve already been asked by clients why our AJAX is working, even though they never installed Microsoft AJAX on their server!

Unfortunately, the Microsoft AJAX toolkit is not yet a tool of common choice, and many Microsoft .NET programmers compare the AJAX toolkit to early versions of FrontPage (they assume it will get much better before being replaced with something else entirely). As of right now, the Microsoft AJAX Toolkit doesn’t easily stand up to such libraries as Prototype, Dojo, Scriptaculous, and General Interface, in the same manner that FrontPage (which has now been replaced by SharePoint Designer) didn’t survive well in the market against Adobe Dreamweaver.

Before MS AJAX arrived, these other toolkits were listing clients on their websites from Gucci to NASA to Apple to ESPN to Sony, and even Microsoft! Developers who use only Microsoft tools may say AJAX is slow, because Microsoft AJAX can be slow. AJAX tools are already far more sophisticated than Web Service tools ever became, and the simple truth is that good web programming now requires qualified, experienced pros.

How does NSK do AJAX?

NSK uses an in-house AJAX library, which was specifically designed to do three things. It performs as well as or better than equivalent Windows-based applications. It is learned easily by developers, so work for our clients can be done quickly and inexpensively. And our framework is usable on many browsers (in addition to Internet Explorer), and is 100% compatible with all current major server and development technologies, including Microsoft .NET. We’ve seen development turn-around as short as eight months, on financial industry projects of considerable complexity.

Written by Keith Mitchell, Senior Developer at NSKinc

Web 2.0, AJAX, XML, Thin Clients, and You

"Web 2.0 and AJAX have already changed web programming and business application development to the same extent that managed care has already changed the healthcare industry, and boxing gloves have already changed boxing."


Most web programmers learn quickly how to use a submit button, which allows a user to wait for the next web page to come back to them and tell them the results of their action. Most accomplished web programmers have learned how to display a table of data, and to sort the data by waiting for the page to refresh. Most accomplished web programmers have also explained to clients many times that they can’t type into a dropdown list; they can only choose one of the values in the list, because “that’s the way the web thing works”.

Now, web programming isn’t so simple. Forms can be updated and data can be sorted, faster than you can read the confirmation messages. No one has to wait for pages to reload any more. New descriptions can be added to a list, and stored into a database, simply by typing them into a dropdown box. A web form can enter and correct data faster than a user can type.

The admission requirements for the web programmer club are getting higher. Microsoft and Adobe are writing tools to make these tasks easy, but these tools are still in their infancy.


Written by Keith Mitchell, Senior Developer at NSKinc

Thursday, August 6, 2009

201 CMR 17 Compliance Timeline

Compliance for 201 CMR 17.00 is going to take a little time... We have written out a guideline for your timeline!

August

-Designate an Information Security Officer - You will need to designate at least 1 person at your place of business who will maintain the comprehensive information security program. Finding that person now will help get the rest of the items in line for when they need to be done.

September

Start Assessing Your Information:

-Identify the paper, electronic and other type records, including storage media, laptops and portable devices that contain personal information.**
-Check all anti-virus and security patches on all computer systems and servers -- make sure they are up to date.**

a. Check that you have reasonably up-to-date versions of system security agent software (including malware protection)**

-Identify what "personal information" moves around your business and out of your office including:**

a. healthcare/insurance information
b. benefits/401K information
c. Accounting/Tax information
d. Employment and Credit Applications
e. Checks and credit card information

-Identify persons who need to see the "personal information" and those who do not.
-Identify where encryption for personal information is needed.**
-Identify what third-party service providers your business may use that have access to personal information.
-Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**
-Identify any systems that are connected to the internet and make sure the firewall protection for files containing personal information is up-to-date.**

October

-Purchase any hardware or software upgrades that are needed**
-Get control of user IDs and other identifiers**
-Come up with a reasonably secure method of assigning/selecting passwords for users**
-Start developing your WISP (Written Information Security Program)
-Make sure that your WISP is applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts

Make sure that you include:

-Administrative, technical and physical safeguards for Personal information protection
-Any identified and reasonably foreseeable internal and external risks to paper and electronic records
-Regular and ongoing employee training, and procedures for monitoring employee compliance
-Disciplinary measures for violators
-Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises
-Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names
-Steps taken to verify third-party service providers' access
-The length of time that you are storing records containing personal information.
-Specifically the manner in which physical access to personal information records is to be restricted
-Whether you are storing your records and data in locked facilities, storage areas or containers and the security measures taken to keep these areas secure
-Actions taken, and documentation kept, in connection with any breach of security

November

-Install all hardware and software upgrades**
-Test policies that have been written
-Start Training Employees on new policies
-Finalize WISP

December

-Finish Training Employees
-Send out WISP Policy to all employees and get signatures from all that they understand and will comply

January 1, 2010 and beyond

-Continue monitoring your systems and procedures**
-Continue providing training to new and existing employees
-Update policies as required
-Assure all computers and servers remain up-to-date with patches and anti-virus software**

** NSK Inc can help you with any of these tasks, just let us know.

Written by Cathie Briggette

Tuesday, August 4, 2009

Linux, Apache Platforms

Linux/Apache as a platform has been doing web-based networking, backed by large-scale community development, for a long time. The most mature spam filters, email handlers, RSS tools, web data-miners, and web automation tools are Linux/Apache based. For those tasks, that’s what we may recommend. These services or components can be integrated easily with Microsoft Exchange and other Microsoft servers and systems.

Are we talking about “Open Systems” or “Open Software”?

No. We’re really trying to discuss the important business move toward open architectures. Enterprise or service architecture is not related to “open systems” or “open software”. For open systems, think “UNIX-like systems which have been standardized”. For open software, think free Linux software, free licensing, and community development.

Is Linux more “open” for business software architectures?

No. What matters are your software applications, not your systems. Linux is important, however, because most of the web runs on Apache web servers running on Linux, and the internet (worldwide) and intranet (corporate) ARE vital to open architectures.

Written by Keith Mitchell, Senior Developer at NSKinc

Open Architecture and Services

Service oriented architecture is a design of business systems where applications which store, manipulate, or use data, provide a mechanism or service to other applications in the system, for getting at that same data.

An open architecture is a business system where applications “expose” what they do, and the data they use, to other applications or network services.

Web Services started a lot of things (moderately well). A web service is a web page that another computer can go to, to get information. It’s that simple. By the time web services were popular in certain functions (weather info, product vending by middleware and B2B, and stock quotes), they had been very standardized and defined. That standard was clumsy to implement and was sometimes too slow for the speed of business. Much work went into creating lightweight wrappers for the data which was given out by web services, so that they would be fast. SOAP is a very lightweight data container for web services data.

What’s good about SOAP and web services? Data wrapped in a SOAP wrapper can move like a text file across networks, through firewalls, from a Windows machine into a Linux machine into a Mac, and then into a library mainframe. Data can be easily taken from one database and added into another, or made into a report. This was revolutionary several years ago. Web services tell other computers what they do (what “service” they provide) and what data to expect. However, the expected explosion of computer-consumed data didn’t happen with web services, except in some e-commerce and distributed corporate environments.

Why not? New and better ways are always being created for software systems to become more open. This is a very important benefit to corporate software customers because new functionality can be added inexpensively. Have you noticed how quickly RSS newsfeeds became widespread? Compared to SOAP web services, RSS is very fast and easy to work with. Similarly, AJAX, without any SOAP wrappers at all, has been used to replace web services. RSS and AJAX are not just “Web 2.0”. They could be referred to as “Web Services 2.0”, as well.

Written by Keith Mitchell, Senior Developer at NSKinc

Friday, July 31, 2009

Open Services - The Only New Idea

Gone are the days that the DEC computer in the sales department won’t talk to the IBM in finance. Computers can talk to each other. But pulling an RSS feed into a system on a different server can still take time (and cost money).

What if applications talked to each other so easily, that you could expand your software by plugging on new pieces? Modern software design takes the first two foundations of scalability (open communication, robust expansion) and combines them.

The revolution in enterprise software has come from expanding complex systems, by developing task-specific pieces, which communicate easily. To grow, you develop applications to perform a particular service, or you buy them, and then someone plugs them in and they work.

Written by Keith Mitchell, Senior Developer at NSKinc

Enterprise and Architecture: Scalable Software

"Scalable software doesn’t blink when you add 10 users, doesn’t slow when you add 200,000 records, and won’t crash when you request from NSK 20 more features than it is currently doing."

Sometimes, “enterprise” software is simply software that has enough features for a large business. Microsoft SQL Server Enterprise is feature-filled. An average developer, faced with the challenge of writing a complex application, may believe “enterprise” means complex. But to a good developer, “enterprise” simply means “scalable”. Software which scales, expands as it is required to do so.

Enterprise means that when you program good user security on a database in accounting, and then put a similar database in another department, the two will be able to talk to one another, while still using that good security (instead of, in spite of that security).

Enterprise means that “3/14/2008” means “March 14” in New York, yet won’t crash a server in London because there’s no third day of the 14th month. Truly Enterprise software requires very high quality architecture—it needs a careful design, which is documented, and which has been well considered. Software which is architected, or designed, to be scalable, has three very important features.

Scalable software can talk to other software easily. Scalable software can be expanded easily. And scalable software is faster than it needs to be, or as fast as is presently possible with technology. Almost all the big buzzwords in business technology have to do with scalability.

Written by Keith Mitchell, Senior Developer at NSKinc

Corporate Technology Buzzwords

Let’s examine some of today’s corporate technology buzzwords, to discover any common principles for corporate software development. We’ll provide guidelines for investing in custom development of business tools.

To do this, we’ll take apart Enterprise Architecture, Enterprise Portals, Open Source and Open Architecture, Service Oriented Architecture (SOA), and Web Services. We’ll clarify Web 2.0, XML, SOAP, AJAX, and SQL. We’ll see if Microsoft’s got anything new which may make our decisions easier. We’ll unravel .NET and the “Windows vs. Web” dilemma. We’ll briefly explain Apache, Perl, PHP, Python, and Ruby on Rails, and then we’ll talk about what has happened to Java, J2EE, and Oracle, and what is happening to tools such as Delphi and 4D.

Lastly, we’ll describe NSK's internal goals for long term software investment, and we’ll explain why our total cost of maintenance on a software application is low only when our client’s total cost of ownership is low. We’ll show you how business buzzwords happen.

Written by Keith Mitchell, Senior Developer at NSKinc

Wednesday, July 29, 2009

Small Business IT

Make IT Work for You


Utilizing information technology at your company shouldn’t be a burden on you. It should help you run your business more efficiently. Although this is the way things should be, some implement information technology and are unsure how to use it to make it work for their business.


Some dwell over and fear IT with the preconceived notion that its complexity will ruin their business, so they fail to adopt any IT system. So often people let their fear blind them to the wonders that IT can work for their businesses.


IT is great for communications and cost effectiveness. It gives you a competitive edge, especially if you’re in an industry that doesn’t use IT as a crucial part of daily operations.


A few examples of how you can use IT even if you own a very small business:



Manage your supply chain, and keep track of when your orders are shipped

  • This enables you to make sure the vendors you use are providing you with the best service possible, so you can have new inventory in on time to best serve your customers. This also makes it easy for you to keep track of what you’re personally shipping from your business.


It allows you to keep business going after office and store hours end

  • Having a website that enables customers to browse and place orders when your business closes for the day or even when they are unable to make the trip in person can make a significant difference in your profitability.


Measure Your Business’ Performance

  • Record sales into databases and use performance metrics to indicate how well your business is doing over different time periods. This also helps analyze trends during promotional campaigns and business changes to help you understand why business is picking up or slowing down.


Customer Relationship Management

  • Use CRM to retain contact information and customer preferences to maintain relationships. This makes searching for addresses and phone numbers much easier, as well as sending out newsletters, e-mails, updates and promotions.

Written by Melissa Cocks

Monday, July 27, 2009

Compliance for 201 CMR 17.00 is going to take a little time... We have written out a Guideline for your Timeline!

201 CMR 17.00: Standards for the Protection of Personal information of Residents of the Commonwealth of Massachusetts

"This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts." (Purpose MGL c 93H)


August
Designate an Information Security Officer - You will need to designate at least 1 person at your place of business who will maintain the comprehensive information security program. Finding that person now will help get the rest of the items in line for when they need to be done. You can get a compliance checklist at: 201 CMR 17.00 Compliance Checklist


September


Start Assessing Your Information:

  1. Identify the paper, electronic and other type records, including storage media, laptops and portable devices that contain personal information.**

  2. Check all anti-virus and security patches on all computer systems and servers -- make sure they are up to date.**
    a. Check that you have reasonably up-to-date versions of system security agent software (including malware protection)**

  3. Identify what "personal information" moves around your business and out of your office including:**

    a. healthcare/insurance information

    b. benefits/401K information

    c. Accounting/Tax information

    d. Employment and Credit Applications

    e. Checks and credit card information

  4. Identify persons who need to see the "personal information" and those who do not.

  5. Identify where encryption for personal information is needed.**

  6. Identify what third-party service providers your business may use that have access to personal information.

  7. Identify reasonably foreseeable internal and external risks to paper and electronic records containing personal information.**

  8. Identify any systems that are connected to the Internet and make sure the firewall protection for files containing personal information is up-to-date.**


October

  • Purchase any hardware or software upgrades that are needed**

  • Get control of user IDs and other identifiers**

  • Come up with a reasonably secure method of assigning/selecting passwords for users**

  • Start developing your WISP (Written Information Security Program) making sure that you include:

    a. Administrative, technical and physical safeguards for Personal information protection

    b. Make sure that your WISP is applicable to all records containing personal information
    about a resident of the Commonwealth of Massachusetts

    c. Any identified and reasonably foreseeable internal and external risks to paper and electronic records

    d. Regular and ongoing employee training, and procedures for monitoring employee compliance

    e. Disciplinary measures for violators

    f. Policies and procedures for when and how records containing personal information should be kept, accessed or transported off your business premises

    g. Processes for blocking terminated employees' physical and electronic access to personal information, including deactivating their passwords and user names

    h. Steps taken to verify third-party service providers' access

    i. The length of time that you are storing records containing personal information.

    j. Specifically the manner in which physical access to personal information records is to be restricted

    k. Whether you are storing your records and data in locked facilities, storage areas or containers and the security measures taken to keep these areas secure

    l. Actions taken, and documentation kept, in connection with any breach of security

November

  1. Install all hardware and software upgrades**

  2. Test policies that have been written

  3. Start Training Employees on new policies

  4. Finalize WISP

December

  1. Finish Training Employees

  2. Send out WISP Policy to all Employees and get signatures from all, verifying they understand and will comply

January 1, 2010 and beyond

  1. Continue monitoring your systems and procedures**

  2. Continue providing training to new and existing employees

  3. Update policies as required

  4. Assure all computers and servers remain up-to-date with patches and anti-virus software**

** There are many intricate requirements and rules involved with this law that have left many companies in Massachusetts with questions. NSK Inc. has formed a knowledgeable team to better assist with clarifying this law. If you have questions please fill out this form or contact: Danielle Carroll at 617.303.0480

Thursday, July 23, 2009

Massachusetts Businesses: Are you in Compliance?

DO NOT WAIT ANY LONGER. MARCH 1, 2010 WILL BE HERE BEFORE YOU KNOW IT!

Do you have all the information you need to become compliant with the new Massachusetts Regulation 201 CMR 17.00?

This regulation derives from Massachusetts General Law 93H (MGL 93H). This law was written to define security breaches and the regulations for safeguarding the personal information of any Commonwealth of Massachusetts resident. This regulation implements the provisions of the law and describes what you need to have in place in your company in order to be compliant.

Why was 93H Created? Why 201 CMR 17.00?


The Department of Consumer Affairs and Business Regulation issued this law and these regulations in response to the following data breaches:

• TJ Maxx (TJX), January 17, 2007: affected about 100 million account numbers; hacked several different ways, through wireless connections and kiosks
• Hannaford Supermarkets, between December 7, 2007 and March 10, 2008: more than 4 million card numbers were exposed, and by the time Hannaford publicly announced the breach, on March 17, 2008, about 1,800 fraudulent charges had been made
• Other security threats: malware, viruses

In response, M.G.L. c. 93H was enacted in November 2007. Within the first 10 months after enactment of M.G.L. c. 93H, the Office of Consumer Affairs and Business Regulation received 318 notifications of security breaches.

• 10 involved data that was encrypted
• 69 involved data that was password protected
• Total MA residents affected was 625,365

60% were due to stolen laptops or hard drives and 40% were employee error or sloppy internal handling.
75% were in the financial services sector.

Massachusetts then took the lead in passing a new regulation -- 201 CMR 17.00 -- that required companies to implement a comprehensive data security plan that included encryption of all computer systems with personal information of a Massachusetts resident.

    What Does This Mean to Your Business

    It means that the Commonwealth of Massachusetts is setting minimum standards for the protection of personal information, whether that information is stored in electronic or paper format. It means that if your company owns, licenses, stores or maintains personal information about a Massachusetts resident, you MUST take steps to comply with this new regulation.

    What is Personal Information

    According to 201 CMR 17.00, personal information is a Massachusetts resident's first name or first initial and last name in combination with any one or more of the following:

    • Social Security number
    • Credit card or debit card number
    • State ID card number
    • Bank or financial account number
    • Driver's license number

    If you accept credit cards, you hold the imprint of the card or the data from its magnetic stripe, and that information falls in the above category. You MUST take steps to comply. If you are a business located in Massachusetts, or you have employees who reside in Massachusetts and you keep copies of their driver's licenses, employment applications, personnel files or payroll information, you MUST take steps to comply.


    What Do You Need To Do?

    Establish and maintain a security program, covering everyone who has access to personal information, with the following elements:

    Computer System Security Requirements **

    1. Control of user IDs and other identifiers
    2. A reasonably secure method of assigning and selecting passwords
    3. Unique identifications plus passwords for each person with computer access, which are not vendor-supplied default passwords
    4. Blocking access after multiple unsuccessful attempts to log in to computers and servers holding the personal information
    5. Restricting access to active users and active user accounts only (disable or remove inactive accounts)
    6. Restricting access to records and files to those who need them to perform their job duties
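    The lockout item above is the one most often implemented badly: a fixed counter that never ages out locks honest users who mistype once a week, while a counter that resets at midnight lets a slow attacker through. The following is an added example, not part of the original post, of the lockout decision as a sliding-window check replayed over authentication log lines. The log format ("<ISO timestamp> <user> <FAIL|OK>"), the thresholds and the user names are all constructed for the example; the regulation only requires blocking "after multiple unsuccessful attempts" and leaves the numbers to you.

```python
"""Account lockout after repeated failed logins (added example, not from the
original post). A sliding window is used so that a handful of stale failures
spread over a day do not lock anyone out, while a burst does. The log format,
the thresholds and the users are all constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # fifth failure inside the window locks the account
WINDOW = timedelta(minutes=15)   # failures older than this are forgotten
LOCKOUT = timedelta(minutes=30)  # how long the account stays blocked

# Constructed sample log: alice mistypes twice then succeeds; bob is brute
# forced and the attacker then guesses right; carol's failures are spread out.
SAMPLE_LOG = """\
2009-11-25T09:00:01 alice FAIL
2009-11-25T09:00:05 alice FAIL
2009-11-25T09:00:09 alice OK
2009-11-25T09:01:00 bob FAIL
2009-11-25T09:01:02 bob FAIL
2009-11-25T09:01:04 bob FAIL
2009-11-25T09:01:06 bob FAIL
2009-11-25T09:01:08 bob FAIL
2009-11-25T09:01:10 bob OK
2009-11-25T10:00:00 carol FAIL
2009-11-25T10:20:00 carol FAIL
2009-11-25T10:21:00 carol FAIL
2009-11-25T10:22:00 carol FAIL
2009-11-25T10:23:00 carol FAIL
"""


def parse_log(text):
    """Yield (timestamp, user, outcome) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, outcome = line.split()
            yield datetime.fromisoformat(ts), user, outcome


def evaluate(text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay the log and return (locked, denied).

    locked: user -> time the lock expires, for every account that hit the threshold.
    denied: (timestamp, user) for attempts refused while the account was locked.
            A correct password during the lockout is refused too; that is the point.
    """
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    locked_until = {}
    denied = []
    for ts, user, outcome in sorted(parse_log(text)):
        until = locked_until.get(user)
        if until is not None and ts < until:
            denied.append((ts, user))
            continue
        if outcome == "OK":
            recent_failures[user].clear()   # a good login resets the counter
            continue
        window_start = ts - window
        failures = recent_failures[user]
        failures.append(ts)
        while failures[0] < window_start:   # drop failures that fell out of the window
            failures.popleft()
        if len(failures) >= max_failures:
            locked_until[user] = ts + lockout
            failures.clear()
    return locked_until, denied


if __name__ == "__main__":
    locked, denied = evaluate(SAMPLE_LOG)
    for user, until in sorted(locked.items()):
        print("lock %-6s until %s" % (user, until.isoformat()))
    for ts, user in denied:
        print("deny %-6s at    %s" % (user, ts.isoformat()))
```

    Running it locks only bob (until 09:31:08) and refuses bob's 09:01:10 login even though the password was right; carol's five failures span more than 15 minutes, so the first one has aged out and she is not locked. In production the counters live in the directory or authentication service rather than in a replayed log, but the window and reset rules are the same, and the lockout event itself should be logged so it shows up under the monitoring requirement.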


    Transmission of Personal Information**

    1. Encryption of all transmitted records and files containing personal information that travel across public networks
    2. Encryption of all personal information transmitted wirelessly


    Encryption of portable devices**

    1. Personal information stored on laptops and other portable devices must be encrypted

    Staying Up-To-Date**

    Make sure all computers and servers that hold personal information stay up to date on:

    1. Operating system patches
    2. Firewall software
    3. Antivirus software set to receive most current updates on a regular basis
    4. Antivirus software must include malware protection


    Training and Monitoring

    1. Education and training of employees on the proper use of the computer security system and the importance of personal information security
    2. Reasonable monitoring of systems for unauthorized use or access to personal information


    Written Information Security Program (WISP)

    1. Designate 1 or more persons to maintain the program
    2. Identify risks and evaluate safeguards
    3. Develop security policies for employees who work outside the office
    4. Impose disciplinary measures for program violations
    5. Prevent terminated employees from accessing personal information
    6. Make sure that third-party service providers have an information Security program that is compliant
    7. Limit the amount of personal information collected, the time it is retained and access to it
    8. Identify the systems used to store personal information
    9. Restrict physical access to records
    10. Regularly monitor the program once it is in place
    11. Review the scope of security measures at least annually or when there is a change in business practices
    12. Document responsive actions taken in a security breach incident

    **There are many intricate requirements and rules involved with this law that have left many companies in Massachusetts with questions. NSK Inc. has formed a knowledgeable team to better assist with clarifying this law. If you have questions please fill out this form or contact:
    Danielle Carroll at 617.303.0480

    Tuesday, July 21, 2009

    Outsourced IT vs. In-House IT

    At some point during the growth of your business, you may start to wonder if a different system would work in your favor. Right now is a time during which you may especially feel the need to budget more carefully. There are different areas in which you can cut costs in your business, and you might be considering your IT department as an appropriate department in which to do so. Many firms are downsizing their IT staff and looking to outsource to save money. Before you decide on one definite solution, let’s outline the differences.

    Outsourced IT:
    When you outsource, you hire IT experts from an outside firm that typically tend to several different businesses. Depending on the IT firm, your relationship with your outsourced IT people can be very personal or impersonal. It is important to many businesses that they keep a close relationship with their outsourced IT specialists. This may mean that a single person or even two people are assigned to service your company so that there is a consistent knowledge of your IT history and problems. This is something you should probably consider as most important when evaluating your options. This way, during each new visit you don’t have to recap every IT problem you have had and what the status was during your last IT visit with a different person. Also, you get the convenience of having one person who has a broad spectrum of knowledge about all areas of IT.

    In-House IT:
    Many businesses have several IT professionals in-house. For example, one person may be used for IT management, the other for systems engineering, and another for general support. The problem many businesses run into with this is each person might not be fully utilized for the amount they are paid in salary. You may actually use only a portion of each person’s skills, and only when something goes wrong. Also, some businesses that have a single IT person in-house may not get that broad spectrum of knowledge because it is hard to come by someone who is trained in all areas. On the other hand, you may be content with having IT people at the desk next to you as opposed to picking up the phone or logging into an online helpdesk.

    Outsourced IT/In-House Combination: Some businesses prefer having both an IT professional staffed in-house and an outside IT team. This gives some businesses the comfort of having someone constantly on-site while having outside experts who are highly-skilled in many areas a phone call away.

    Written by Melissa Cocks

    Tuesday, June 30, 2009

    Data Loss Prevention and Data Backup


    It is not a good day at work for you when you realize you have lost an important document that you worked on for hours, or when you realize your hard drive has been completely wiped out. The importance of data backup may seem a bit repetitive at this point, but it does take more effort to replace the data once it is gone than it takes to back it up.

    First off, you should have a backup schedule. You should also think about how you’re going to implement it. Will you hire someone to do continuous backup for you? Maybe you’ll just use backup tapes. Backup tapes may seem like a perfectly fine idea to you, but you need to keep in mind that if a disaster strikes on site, no electronic device will save your data unless it is in a remote location.

    Continuous backup is a process by which your data is constantly backed up by frequent ‘snapshots.’ Remote backup is a process by which your data is maintained off site without having to manually transport your data. Manual transportation has proven time and again to be an unsafe measure. You may want to consider continuous remote data backup for your company to ensure the best security of your information.

    Other measures to take include keeping your computers in cool, dry areas that are free of dust. Use an uninterruptible power supply, and a generator if you need to ride out longer outages: if the power fails, you want your computers to stay on long enough to save work and shut down cleanly, so that data doesn't disappear because you didn't get the chance to save it. In addition, antivirus software is essential for keeping your computer's system healthy and decreasing your risk of losing data.

    Written by Melissa Cocks

    Thursday, June 18, 2009

    Preventing Computer Viruses

    Far too many company and household computers become infected with viruses every year, and the effects of these infections can be devastating to the user. Since there are so many ways a virus can enter your computer's system, it's important that you know how to block those entrances. Here are several ways to decrease the chances of your computer becoming infected:

    -Don’t solely rely on anti-virus software, although you should have it installed. Be sure to update often to detect and protect your computer from the most recently created viruses.
    (It also doesn't hurt to install a spyware, malware, and adware removal application)
    -Read the headlines. Stay on top of the news to educate yourself about new viruses.
    -Try not to open an e-mail attachment until you are sure it is safe. Make sure you know the person or why it may be sent to you.
    -Once again, surf the web for news about viruses so you know common subject lines and file extensions relative to those viruses.
    -Disable automatic attachment viewing in your e-mail settings.
    -Set your Word and Excel settings so that Macros are disabled when a file is opened up for viewing.
    -Use search engines that are well known for returning results relevant to your search terms. A site is probably safe if a lot of people have linked to it, but keep in mind that this isn't always the case. This way you are less likely to be directed to a site that hosts a virus.
    -Make sure you set your security settings to ‘high’ in your web browser.
    -Try to avoid downloading free applications from unverifiable websites.
    -Configure your settings so that you can always view file extensions.

    The following are examples of file extensions to be suspicious of when they show up on e-mail attachments:

    ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, DLL, EXE, HLP, HTA, INF, INS, ISP, JS, JSE, LNK, MDB, MDE, MSC, MSI, MSP, MST, OCX, PCD, PIF, POT, REG, SCR, SCT, SHB, SHS, SYS, URL, VB, VBE, VBS, WSC, WSF, WSH
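    The extension list and the "always view file extensions" advice are easy to turn into a screening check. The following is an added example, not from the original post, that flags attachment names whose effective last extension is in the list, including names disguised with a second extension ("invoice.pdf.exe"), with trailing spaces or dots that Windows ignores, or with a right-to-left override character that makes the name display backwards. The attachment names are constructed for the example.

```python
"""Screen e-mail attachment names against the list of risky extensions (added
example, not from the original post). The sample attachment names are constructed."""

# The extensions from the list above, lower-cased for comparison.
RISKY_EXTENSIONS = set("""
ade adp bas bat chm cmd com cpl crt dll exe hlp hta inf ins isp js jse lnk
mdb mde msc msi msp mst ocx pcd pif pot reg scr sct shb shs sys url vb vbe
vbs wsc wsf wsh
""".split())

# Unicode bidirectional controls; U+202E (right-to-left override) makes
# "photo<RLO>gnp.scr" display as "photorcs.png" while the real extension is .scr.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def effective_extension(name):
    """Return the extension Windows would actually act on, or None.

    Trailing spaces and dots are dropped because the Windows shell ignores them,
    and only the final extension counts: "invoice.pdf.exe" runs as an .exe.
    """
    cleaned = name.rstrip(" .")
    base, dot, ext = cleaned.rpartition(".")
    if not dot or not base or not ext:
        return None      # no extension, or a dotfile such as ".htaccess"
    return ext.lower()


def classify(name):
    """Return (verdict, reason); verdict is "block" or "allow"."""
    if any(ch in BIDI_CONTROLS for ch in name):
        return "block", "bidirectional override character in name"
    ext = effective_extension(name)
    if ext is None:
        return "allow", "no extension"
    if ext in RISKY_EXTENSIONS:
        parts = name.rstrip(" .").lower().split(".")
        if len(parts) > 2:
            return "block", "executable .%s hidden behind .%s" % (ext, parts[-2])
        return "block", "executable extension .%s" % ext
    return "allow", "extension .%s is not in the list" % ext


SAMPLE_ATTACHMENTS = [          # constructed for the example
    "quarterly_report.pdf",
    "invoice.pdf.exe",
    "setup.EXE .",
    "photo\u202egnp.scr",
    "README",
    "archive.zip",
]


def screen(names):
    """Map each attachment name to its (verdict, reason)."""
    return {name: classify(name) for name in names}


if __name__ == "__main__":
    for name, (verdict, reason) in screen(SAMPLE_ATTACHMENTS).items():
        print("%-5s %-25r %s" % (verdict, name, reason))
```

    Note what passes: "archive.zip" is allowed, and so would a macro-enabled Office file be, because neither is in the list. The check is a filter on obviously executable types, not a substitute for disabling macros (above) or scanning the contents of archives. Because it works on the effective extension, it does not depend on the user having turned extension display on, but that setting is still what lets a person spot the same tricks by eye.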

    It is easy to tell yourself you will regularly take these measures to maintain your computer security and implement virus protection, but it is also quite easy to forget. This is often how viruses end up finding their way into your computer.

    Written by Melissa Cocks

    Friday, May 29, 2009

    The Importance of Having a Business Continuity Plan

    What would happen if your data was lost or you lost internet for the day? If a hurricane hit and your information was gone, would you be able to continue performing your everyday business tasks? If not, how long would it take to recover your business? These questions are overwhelming, but important to ask yourself when it comes to threats to your business.

    Whether you are the CEO or the CIO of your company, it is important to acknowledge the value of having an established business continuity plan. It is difficult to believe that something drastic enough to disrupt your everyday business activities could take place, but it is often when we assume things could never happen to us that they do.

    Many U.S. companies encounter computer system failures annually. A lot of these failures last for over a day, which can significantly affect profit and customer relationship management (CRM). Also, it has been found that many businesses do not have a plan in place in case a disaster was to occur. That being said, there could be an even greater impact if disaster struck because many businesses depend on each other to operate efficiently and profitably. The potential domino effect that businesses would experience in the worst case scenario would be devastating.

    On a lighter note, let’s just say that your email server was down for a day for whatever the reason may be. You might say, “But we could use the phone.” That is true, but consider how heavily businesses depend on databases, and rightfully so. Using them is easier and faster than going through a Rolodex of contacts, and they organize every piece of information regarding a single contact. You are going to want to make sure you have a plan in place and also seek help from IT professionals or an IT team in order to lessen the impact of disruption.

    Assessing how vulnerable you are to being impacted by disaster or data loss is an important step in planning for business continuity. Here are a couple of questions that may make you think about how important a continuity plan is to your specific business:

    -What activities are most important to your business?
    -Can you survive without them or do you have an alternative?
    -How much of your business’ productivity depends on computers/databases/internet?

    Chances are that you feel concerned if you have not already established a plan, which isn’t surprising since most of America’s businesses rely on computers. Here are some steps you can take to make sure you are prepared in the case of disruption:

    -Identify important roles in your company (who plays a crucial role in everyday business? If a certain person in your company was to no longer be there, would you have a backup?) Include solutions in your plan.

    -Identify places for equipment rental and back-up supplies

    -Implement off-site data backup or seek IT support/IT consulting

    -Map out an alternate location (where would you move offices to temporarily if needed?)

    -Have this plan set in stone

    Additionally, you need to be sure every employee is informed of the plan, so it would be a good idea to conduct information sessions or send out newsletters regarding the business continuity plan.

    Written by Melissa Cocks

    Tuesday, May 26, 2009

    NSK Offers MPICA for Compliance with MA Law


    MPICA (Massachusetts Personal Information Compliance Assessment) is an IT support service that NSK Inc is offering to businesses that need to comply with the Massachusetts General Law Chapter 93H and its new regulations 201 CMR 17.00. The law requires that any companies who own, license, store, and/or maintain personal information about a Massachusetts resident make adjustments to further protect personal information. Both electronic and paper records will need to comply with the new law. The regulations go into effect on January 1, 2010. The law was originally supposed to go into effect on January 1, 2009, but then was pushed to May 1 and then January 1, 2010 due to the state of the economy, time constraints, and confusion about the law.

    MPICA offers IT help to companies who are having difficulty making changes in their systems to adjust to this law. Identity theft and fraud are the major concerns at the core of the implementation of 201 CMR 17.00, so it is important that the necessary changes are made within business IT systems. If a Massachusetts resident's information is leaked or captured, there could be serious consequences for the business that allowed the breach and for the individual whose information was leaked. Therefore, making changes to keep residents' information secure will be required to avoid security breaches and fines.

    Companies will need a written security plan to safeguard their contacts' and/or employees personal information. It will need to be illustrative of policies that demonstrate technical, physical, and administrative protection for residents’ information. The plan needs to be written to meet industry standards. Companies will have to designate employees to oversee and manage security procedures in the workplace, as well as continuously monitor and address security hazards. Policies addressing employee access to and transportation of personal information will need to be developed, as well as disciplinary measures for employees who do not conform to the new regulations. Limiting the collection of data to the minimum that is needed for the purpose it will be used for is also part of the new regulations.

    Since revisiting workplace data security procedures requires in-depth changes, this is a lengthy process. It takes months for businesses to make the necessary changes required by this law, so businesses might consider starting early at contacting an IT consulting firm and seeking its IT support.

    Written by Melissa Cocks

    Friday, May 8, 2009

    The Need for IT Support

    by Art Gib

    When you use anything electronic, whether it's one computer or a cell phone at home, or whether you are a businessman with a whole network of computers, chances are at one point or another you will need technical support. It doesn't matter if you live in Boston or LA, the need for technical (IT) support will probably come up.

    Basically, IT support is available to people and companies who need help solving a technical problem with their electronic device. The companies who offer IT support don't usually offer training; rather, they work with the customer or client until the problem has been solved. The IT guy is well trained to handle your electronic malfunctions, which is a good thing because most of us have very limited knowledge of the inner workings of electronics. We rely on them, but we don't fully understand them; the IT guy does.

    Now, for the stay at home mom in Boston or California, or wherever, it might be necessary to call technical support a couple of times a year, but the businessman may need the help much more frequently. Most companies that offer technological products have a support system that comes with it. For example, if you go through Qwest for the internet, you can call Qwest support to get the answers to your problems. But for a businessman, calling Qwest isn't the solution. You need an IT support team because having the right amount of help in your IT department can save you time and money. It also frees up the time for your IT employees to work on ways to help your business.

    A good IT support company in Boston will help you reduce the management costs of your IT department, will be able to help you use technology more efficiently, help you with data storage and recovery, and, of course, support the IT managers of your company. IT support doesn't only mean solving a problem on your computer. It also means freeing up the time of your regular employees by doing necessary infrastructure changes without them. For example, software needs to be updated frequently, and the updates can take time. A good IT support company will do the updates and installations of the software for you.

    Don't sell yourself short by not having a good IT support center. Your employees can work more efficiently, making better use of their time, if they have a decent support network behind them. Your business will feel the benefits of a good network.

    NSK Inc. offers IT support in Boston and San Francisco.

    Art Gib is a freelance writer.

    Thursday, April 23, 2009

    IT: The Secret Weapon of Competitive Business

    By Art Gib

    Apr 9, 2009

    Information Technology, or IT as it has been aptly nicknamed, is the culmination of every aspect of business that incorporates computers. Essentially IT covers the spectrum of business needs, from data storage and backup to building and maintaining computer networks to providing hosting and web services to developing customized software solutions and providing help desk support for business. In today's competitive marketplace IT solutions are the lifeblood of industry that keep small, medium and large businesses in business.

    IT support is among the fastest growing industries, with the advent of newer and faster technologies that are designed to exchange more data quickly and store extraordinary amounts of information the need for IT service providers has steadily increased over the past decade. There are now in the United States over 1.6 million people working in the IT industry. Projections for employment growth are between 18 and 26 percent for all IT related employment by 2014.

    With customized solutions available and the growing need for qualified technicians the IT industry has expanded to service not just large corporations that house hundreds of employees and network the entire office together through a system of servers, firewalls, and exchange interfaces, but the small and mid sized business is also experiencing the need for IT solutions that handle any computer related quandary such as web hosting or spam filtering or even the scaled down networking of three or four computers into a single server so that interoffice information can easily be shared with each employee.

    The question posed to the small and medium sized business is one of cost effectiveness in finding an IT service provider that can meet the growing needs of small business and offset the expense of hiring a staff IT specialist. Some business owners are under the impression that IT can be handled by an existing employee who services the company's limited IT needs in addition to their other duties.

    This thought process may be detrimental to the small business owner, as technological advances require continued training and experience with emerging technology that the layperson does not understand. It is one thing to connect a computer to the Internet, but quite another to effectively network an entire office's Exchange server and data storage.

    Selecting the right IT solutions provider shouldn't be a difficult or costly prospect. With a little research business owners can find an IT provider that has the knowledge and experience to effectively and efficiently enhance business performance, keeping both small and medium sized businesses competitive with larger corporations.

    NSK Inc is an information technology consulting company offering IT support in Boston and IT support in San Francisco.

    About the Author
    Art Gib is a freelance writer.

    Wednesday, April 1, 2009

    NSK Inc., helps with Junior League of Boston and Dress For Success

    Junior League of Boston hosted a get-together for the Boston Chapter of Dress for Success's monthly Professional Women's Group on Newbury Street last evening. The get-together was themed: "What they don't tell you on the first day...written and unwritten rules in the workplace." The panelists were Nikki Monchik from Bank of America, Cathie Briggette from NSK Inc., and Leslie Bull from Harvard/Vanguard.

    The topics of discussion were the importance of:
    · Networking
    · Looking/acting professional
    · Proper time management
    · Working as a team
    · Proper communication (cell phones/email/personal computer use)
    · Taking/being responsible for personal breaks throughout the day

    The Boston Junior League provided food and refreshments for all.

    About 20 women from the Professional Women’s Group attended along with founders Jacqui Bud, Enith Lavine and Kim Todd from Dress for Success and Danielle Carroll and others from the Boston Junior League.

    Dress for Success (DFS) provides interview appropriate suits and accessories free of charge to disadvantaged women who are entering or re-entering the job market. Women come to DFS for interview clothing, a personal shopper helps her find a suit, shirt, shoes, hosiery and a purse needed to make a great first impression. Once the woman has found a job, she can come back for more clothing items to help her build a professional wardrobe.

    DFS also hosts a Professional Women's Group (PWG) for clients who are employed. The PWG provides practical information in a safe environment. Women are able to network with their peers as well as learn from (professional women) mentors in a variety of fields. Monthly "conversations with an expert" provide clients with an opportunity to speak with working professionals on topics ranging from understanding corporate culture to handling personal finances. It is the first and only job retention model that helps low-income women on their journey to self-sufficiency by addressing their social and economic needs in relation to work, home and community.


    The Junior League of Boston is an organization of women committed to promoting voluntarism, developing the potential of women, and improving communities through the effective action and leadership of trained volunteers. Its purpose is exclusively educational and charitable.

    Tuesday, March 31, 2009

    Business Relocation: Do It Right

    Relocating a business can be a stressful time for everyone involved, but sometimes it can become absolutely necessary. The reasons for a move can be many; they may include:

    • The business climate in the original area is no longer conducive to bringing in clients.
    • Your business is growing by leaps and bounds and your current facilities can no longer accommodate your needs.
    • You can no longer find the type of labor you need in your area.
    • You need to find a higher profile place where you can attract more street traffic.
    • You can no longer afford to pay the high rents.

    Whatever your reasons, you need to make sure that you make the move in the right way in order to minimize both the inconvenience to your customer base and the financial impact on your business. Here are some things to think about if you are considering making a move.

    You may want to consider doing an assessment of the impact of your move by surveying your regular customers:

    • Will they be willing to visit and patronize your business at its new location?
    • Will you still be able to meet their needs effectively?

    Once you and your associates have pored over the surveys, the data collected will help you to determine what geographical location might suit everyone best and it will also help you to make a decision as to whether it is even a good idea to relocate at all.

    What are you trying to accomplish in making this move? It is important to have a concrete list of reasons why relocating is a good idea since it will be integral to choosing the right site. For example, do you want to streamline operations by being closer to a manufacturer? Are you trying to increase your customer base? Both of these and many more options will determine where your business should relocate.

    Once you have decided that it would be best for your company to move, take into account the logistical realities that go along with it. You may wish to talk with business acquaintances who have moved in the past to get their input on possible snags you should look out for. Find out what worked for them and what didn't, so that you are not reinventing the wheel and to minimize your stress and hassle.

    Most if not all modern businesses rely extensively on computer systems in their daily operations. You may wish to consider hiring an outside IT support firm that specializes in helping companies to relocate their systems quickly and correctly.

    If you are considering moving your business, take your time, talk to those who have been through it before, and do a complete assessment: you'll be glad you did.

    If you are moving your business or are relocating your company within the San Francisco, Ca or Boston, MA areas and need IT support, contact the experts at NSK, Inc (http://www.nskinc.com/).

    Written by Art Gib

    Art Gib is a freelance writer.

    Friday, January 16, 2009

    Massachusetts Consumer Protection Law

    ARE YOU IN COMPLIANCE?

    Does your company store and/or maintain personal information about a resident of Massachusetts? Do you have client databases, direct deposit records, payroll files, 401K information, employee records files or a QuickBooks company database? If so you need to be aware of this new regulation.

    The new Massachusetts General Law (M.G.L.) Chapter 93H requires that companies that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts establish minimum standards in safeguarding the personal information contained in both paper and electronic records. This new law’s further purpose is to:

    Ensure security and confidentiality of information consistent with industry standards;
    Protect against anticipated threats or hazards to the security or integrity of information;
    Protect against unauthorized access to or use of such information


    NSK Inc., along with Burns & Levinson are hosting a Free Seminar at the Omni Parker House Hotel, 50 School St., Boston, MA on February 24th, 2009, explaining:

    The law and how it relates to you and your company.
    The implications of the law
    How to assess your information technology environment and make it comply with the new regulations.

    There will be three (3) 1 hour sessions during the day. For more information and to sign up please call us at 617-303-0480 X 224 and we will sign you up.

    Monday, January 5, 2009

    New Data Security Law - Massachusetts – Personal Information Compliance Assessment

    75 Kneeland Street, Suite 201, Boston, MA 02211
    Tel: 617.303.0480
    Fax: 617.303.0481

    Are you aware of the new Massachusetts General Law (M.G.L.) Chapter 93H?
    (201 CMR 17.00: M.G.L. c. 93H)
    201 CMR 17.00: Standards for the Protection of Personal information of Residents of the Commonwealth.
    This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information.


    We have a new program that assesses how your company handles the personal information covered by the electronic-records provisions of this new law.

    The New Program is Called:
    M-PICA (Massachusetts - Personal Information Compliance Assessment)

    Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

    Secure user authentication protocols including:
    1. Control of user IDs and other identifiers;

    2. A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

    3. Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

    4. Restricting access to active users and active user accounts only;

    5. Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

    Secure access control measures that:
    1. Restrict access to records and files containing personal information to those who need such information to perform their job duties;
    2. Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

    The security system must also provide:
    3. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly;

    4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;

    5. Encryption of all personal information stored on laptops or other portable devices;

    6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information;

    7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;

    8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.


    17.05: Effective Date
    These regulations shall take effect on May 1, 2009.