| Massachusetts WISP Checklist | FTC/Equifax Order |
|---|---|
| Do you have a comprehensive, written information security program (“WISP”) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts (“PI”)? | MANDATED INFORMATION SECURITY PROGRAM – IT IS FURTHER ORDERED that Defendant shall establish and implement, and thereafter maintain, for twenty years after entry of this Order, a comprehensive information security program (“Information Security Program”) designed to protect the security, confidentiality, and integrity of Personal Information. To satisfy this requirement, Defendant must, at a minimum:<br>A. Document in writing the content, implementation, and maintenance of the Information Security Program, including the following: Documented risk assessments required under Section II.D; documented safeguards required under Section II.E; . . . and a description of the procedures adopted to implement and monitor the Information Security Program, including procedures for evaluating and adjusting the Information Security Program as required under Section II.I. |
| Does the WISP include administrative, technical, and physical safeguards for PI protection? | E. Design, implement, maintain, and document safeguards that control for the material internal and external risks Defendant identifies to the security, confidentiality, or integrity of Personal Information … |
| Have you designated one or more employees to maintain and supervise WISP implementation and performance? | C. Designate a qualified employee or employees to coordinate, oversee, and be responsible for the Information Security Program. |
| Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information? | 3. Identifying and documenting a comprehensive information technology (“IT”) asset inventory that includes hardware, software, and location of the assets. |
| Have you chosen, as an alternative, to treat all your records as if they all contained PI? | [No clear parallel in FTC/Equifax Order] |
| Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI? | D. Assess, at least once every twelve months, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and document those risks that are material. Defendant shall further assess and document internal and external risks as described above as they relate to a Covered Incident promptly (not to exceed forty-five days) following verification of such a Covered Incident. |
| Have you evaluated the effectiveness of current safeguards? | F. Assess, at least once every twelve months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and evaluate and implement any needed modifications to the Information Security Program based on the results. Defendant shall further assess the sufficiency of safeguards as described above, as they relate to a Covered Incident, promptly (not to exceed forty-five days) following verification of such an incident. Each such assessment must evaluate safeguards in each area of relevant operation, including: Employee training and management; Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and Prevention, detection, and response to attacks, intrusions, or other system failures. |
| Does the WISP include regular ongoing employee training, and procedures for monitoring employee compliance?<br>Does the WISP include disciplinary measures for violators? | 10. Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum:<br>a. At least annual information security awareness training for all employees, including notifying employees of the process for submitting complaints and concerns pursuant to Section II.E.12; and<br>b. Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Defendant through risk assessments and/or penetration testing. |
| Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed or transported off your business premises? | [No clear parallel in FTC/Equifax Order] |
| Does the WISP provide for immediately blocking terminated employees’ physical and electronic access to PI records (including deactivating their passwords and user names)? | [No clear parallel in FTC/Equifax Order] |
| Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00? | H. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue. |
| Have you required such third-party service provider by contract to implement and maintain such appropriate security measures? | H. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue. |
| Is the amount of PI that you have collected limited to the amount reasonably necessary to accomplish your legitimate business purposes or to comply with state or federal regulations? | [No clear parallel in FTC/Equifax Order] |
| Is the length of time that you are storing records containing PI limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations? | [No clear parallel in FTC/Equifax Order] |
| Is access to PI records limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations? | 5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls. |
| In your WISP, have you specified the manner in which physical access to PI records is to be restricted?<br>Have you stored your records and data containing PI in locked facilities, storage areas or containers? | F. … Each such assessment must evaluate safeguards in each area of relevant operation, including: Employee training and management; Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and prevention, detection, and response to attacks, intrusions, or other system failures. |
| Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI, and for upgrading it as necessary?<br>Are your security measures reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records? | I. Evaluate and adjust the Information Security Program in light of any changes to Defendant’s operations or business arrangements, including, without limitation, acquisition or licensing of any new information systems, technologies, or assets through merger or acquisition, a Covered Incident, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of the Information Security Program. At a minimum, Defendant must evaluate the Information Security Program at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident and modify the Information Security Program based on the results. |
| Do you have in place a procedure for documenting any actions taken in connection with any breach of security, and does that procedure require post-incident review of events and actions taken to improve security? | G. Test and monitor the effectiveness of the safeguards at least once every twelve months and, as they relate to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of Defendant’s network at least once every four months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and penetration testing of Defendant’s network at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident. |
| Do you have in place secure authentication protocols that provide for:<br>− Control of user IDs and other identifiers?<br>− A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?<br>− Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect?<br>− Restricting access to PI to active users and active user accounts?<br>− Blocking access after multiple unsuccessful attempts to gain access? | 5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls;<br>6. Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements;<br>7. Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges. |
| Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?<br>Do you assign unique identifications plus passwords (which are not vendor-supplied default passwords) to each person with computer access, and are those IDs and passwords reasonably designed to maintain the security of those access controls? | 6. Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements;<br>7. Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges. |
| Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across public networks and that are to be transmitted wirelessly?<br>Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices? | 8. Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest. To the extent that any of the identified protections are infeasible, equivalent protections shall include effective alternative compensating controls designed to protect unencrypted data at rest or in transit, which shall be reviewed and approved by the qualified employee or employees designated to coordinate, oversee, and be responsible for the Information Security Program. |
| Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI? | 4. Designing and implementing protections such as network intrusion protection, host intrusion protection, and file integrity monitoring, across Defendant’s network and IT assets, including Defendant’s legacy technologies. |
| On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection for files containing PI, and operating system security patches to maintain the integrity of the PI? | 1. Establishing patch management policies and procedures that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated;<br>5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls. |
| Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions? | 2. Establishing and enforcing policies and procedures to ensure the timely remediation of critical and/or high-risk security vulnerabilities. |
| Do you have in place training for employees on the proper use of your computer security system, and the importance of PI security? | 10. Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum:<br>a. At least annual information security awareness training for all employees, including notifying employees of the process for submitting complaints and concerns pursuant to Section II.E.12; and<br>b. Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Defendant through risk assessments and/or penetration testing. |
| [No clear parallel in Massachusetts WISP Checklist] | B. Provide the written Information Security Program and any material evaluations thereof or updates thereto to Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program at least once every twelve months. |
| [No clear parallel in Massachusetts WISP Checklist] | 9. Establishing and enforcing written policies, procedures, guidelines, and standards designed to: a. Ensure the use of secure development practices for applications developed in-house; and b. Evaluate, assess, or test the security of externally developed applications used within Defendant’s technology environment. |
| [No clear parallel in Massachusetts WISP Checklist] | 11. Establishing a clear and easily accessible process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics. |
| [No clear parallel in Massachusetts WISP Checklist] | 12. … establishing a clear and easily accessible process overseen by a senior corporate manager for employees to submit complaints or concerns about Defendant’s information security practices, including establishing a clear process for reviewing, addressing, and escalating employee complaints or concerns. |