With the rising tide of data leakage, break-ins and thefts, regulators across the country are adopting a proactive approach to protecting data. And time is up for Massachusetts-based organizations: MA 201 CMR 17 went into effect March 1, 2010.
Previous laws required organizations to notify individuals once a breach occurred, but these new proactive and comprehensive state laws mandate security measures be in place to prevent breaches. All personal data—for example: driver’s license, social security number, financial account numbers, or credit/debit card numbers—that belongs to state residents must be protected at rest and in transit. And that’s not all. Companies and other entities must prove that they are in compliance with these requirements.
This seminar focuses on the details and requirements of the Massachusetts data protection regulation. Beyond helping you understand the current requirements of the regulation, this seminar provides tactical tips for assessing your risk and required compliance. Our independent experts explain how to create a written information security program (WISP), and clarify the encryption, identity management and partner management requirements to help you create a comprehensive security program that complies with this new regulation.
During this seminar, our experts answer all of the key questions surrounding this regulation and its requirements, including:
- What is Massachusetts’ “Standards for The Protection of Personal Information of Residents of the Commonwealth” law?
- Why has the Commonwealth decided to enforce stricter data protection laws?
- What are the implications to Massachusetts businesses?
- What kind of policies need to be enacted? What is a WISP?
- What type of technology needs to be leveraged to meet the new law?
- How does this law map to existing regulations?
Register to gain free admission or call Ryan Hawley at 617-431-9712 to reserve your seat today!
Session 1: Massachusetts' Data Protection Law: A Proactive Approach
John Moynihan, President and Founder of Minuteman Governance, Inc, CGEIT
In the context of the rapidly evolving data protection regulatory landscape, John Moynihan examines how Massachusetts regulators have adopted a proactive approach to safeguarding personal information. Focusing on the main elements of 201 CMR 17, he provides an overview of the administrative, technical and physical security controls now required of organizations that collect personal information.
Attend and get real-world examples of how companies have prepared for and complied with this regulation, and understand common deficiencies that have been revealed during assessments. During this session discover:
- How the data protection regulation is evolving from reactive (notification based) to proactive (control based)
- How the Massachusetts regulation compares and contrasts with other state laws
- The broad scope of the Mass regulation and varying degrees of exposure for organizations
- Common misconceptions regarding 201 CMR 17:00 and the associated requirements
- The consequences of non-compliance and what your organization needs to do now
- Unique aspects of the regulation (emphasis on internal risk, applies to out of state entities, focus upon non-technical controls)
- Examples (sanitized) of common exceptions (violations) of companies trying to comply
- The future of data protection regulations and the pending federal law HR 2221
Session 2: MA 201 CMR 17 – How Much Do I Need to Do?
Richard Mackey, Vice President of Consulting, SystemExperts, ISACA/CISM
201 CMR 17 is a risk-based regulation that, while prescriptive, must be interpreted based on factors such as the type and amount of personal identifying information an organization possesses, the size of the organization, the resources an organization can apply to its security program, and most importantly, the risk to the information in the context of the organization’s business and technical environment. Mackey introduces the basic requirements of the regulation and explains how to assess risk and determine what controls are necessary. Learn how to:
- Assess the level of risk associated with your environment in the context of the regulation
- Understand how the types of data you store, where you store your data, and who has access to it affect compliance
- Determine which controls are critical in your business to comply
- Determine how much of your information security program you need to document
- Decipher ways that service providers affect compliance
Session 3: Structuring a 201 CMR 17 Compliance Program
Richard Mackey, Vice President of Consulting, SystemExperts, ISACA/CISM
Organizations working to comply with the new Massachusetts privacy regulation are often concerned about the formality of the security program described in the regulation. This presentation describes approaches for dealing with some of the more problematic elements, such as risk assessments, managing access, managing partners, encrypting information effectively, documenting policy, and creating a living security program that will meet 201 CMR 17 requirements. Attend this session to get a better understanding of:
- The critical aspects of identity and access management for compliance
- How to assess and manage partners that have access to personal data
- Where encryption is necessary and examples of methods for achieving compliance
- The structure of policies for protecting data
- The need for regular assessments of your own security practice and regulatory requirements
Session 4: 99 Days to Compliance: How MassMutual Responded to the Massachusetts Data Protection Regulation
Rick Gammell, Director of Enterprise Information Risk Management, MassMutual
On September 24th, 2008, the Commonwealth of Massachusetts passed new regulations for the protection of PII of Commonwealth residents in paper and electronic records. At that time, like every company, it seemed we had only 99 days to comply. As a Fortune 100 life insurance and financial services company, MassMutual was challenged like other companies but on a much larger scale: how to achieve compliance in a mere 99 days? By the time the extension was issued, MassMutual was in a very good spot, and throughout the extension it focused on minor adjustments and maintaining compliance. Join in as MassMutual's Rick Gammell discusses:
- How developing a comprehensive IT Standards Framework in advance paid huge dividends
- Some of the critical business decisions that needed to be made as MassMutual went through the process
- How the regulation helped solve a nagging business problem and strengthened their overall security posture
Session 5: The Road to an Enforcement Action is Paved with Good Intentions: What Will Happen When a Security Breach Arises
David Goldstone, Partner, Litigation Department, Goodwin Procter
Understanding how to frame your security program to avoid a breach is pertinent in this day and age. However, being prepared to handle a breach quickly and quietly is equally important to ensure your organization recovers as seamlessly as possible. So, what can you expect should the unthinkable happen? In this session, Goldstone, who is nationally recognized for his experience in litigation relating to information technologies, explains what actions you must take once a breach has occurred. Attend and understand:
- Enforcement priorities of the class action bar, government, and other stakeholders
- How enforcement priorities differ and where you should focus your efforts
- Best practices in responding to a security breach
- Highlights and lowlights of recent security breach cases
Expert Speakers
- Richard Mackey, Vice President of Consulting, SystemExperts, ISACA/CISM
- Rick Gammell, Director of Enterprise Information Risk Management, MassMutual Financial Group
- John Moynihan, President & Founder, Minuteman Governance, Inc, CGEIT
- David Goldstone, Partner, Litigation Department, Goodwin Procter
| Date | Location |
|---|---|
| April 20, 2010 | |
Agenda

| Time | Item |
|---|---|
| 8:00 am | Registration and Networking Breakfast |
| 8:55 am | Welcome and Introductions |
| 9:00 am | Session 1: Massachusetts' Data Protection Law: A Proactive Approach |
| 10:00 am | Networking and Refreshment Break |
| 10:30 am | Session 2: MA 201 CMR 17 – How Much Do I Need to Do? |
| 11:15 am | Solutions Spotlight |
| 11:30 am | Lunch and Exhibits Open |
| 12:30 pm | Session 3: Structuring a 201 CMR 17 Compliance Program |
| 1:15 pm | Networking and Refreshment Break |
| 1:45 pm | Session 4: 99 Days to Compliance: How MassMutual Responded to the Massachusetts Data Protection Regulation |
| 2:15 pm | Session 5: The Road to an Enforcement Action is Paved with Good Intentions: What Will Happen When a Security Breach Arises |
| 3:00 pm | Giveaways / Session Adjourns |
