Massachusetts 201 CMR 17
Massachusetts Standards for the Protection of Personal Information of Massachusetts Residents.
Created by Massachusetts to ensure the confidentiality and security of customer information. It applies to all persons who own or license personal information about a resident of Massachusetts.
What it means for you:
Organizations must anticipate threats in order to protect against malicious actors obtaining protected information. Unauthorized access to, or use of, protected information must be prevented to avoid harm or inconvenience to the consumer.
Why is it important to you:
Failure to comply may result in legal penalties, as the standard is a mandate. Complying also demonstrates your commitment to protecting customer data. Breaches can damage your company's reputation and the trust your customers place in you; implementing the standard helps you reduce the risk of a breach. These proactive measures also prevent substantial harm to consumers.
What you need to do:
1. Create a COMPREHENSIVE Written Information Security Plan (WISP).
2. Make sure it applies to all protected data.
3. Include administrative, technical and physical safeguards (Security in Layers).
4. Designate an Information Security Manager (ISM); congrats, this is probably you.
5. Know the risks associated with paper records.
6. Regularly audit the WISP (actually do this).
7. Limit the data you collect to the data you need wherever possible.
8. Store the records for the proper time.
9. Ensure any data you get rid of is properly disposed of and destroyed.
10. Properly terminate the access of terminated employees.
11. Ensure third-party service providers with any data access are properly vetted.
12. Ensure any third-party service providers are contractually required to protect the protected data.
13. As always, trust then verify.
What else should I know:
- Massachusetts requires organizations to PROMPTLY detect and report any security incidents or breaches involving personal information.
- You MUST notify the affected individuals and the Massachusetts Attorney General’s Office.
- The Massachusetts Attorney General’s Office will investigate the reported incident; you had better have an up-to-date WISP!
- The severity, impact and circumstances of the data breach will be investigated.
- If they don’t like what they find, you could face fines, corrective measures, injunctions and legal proceedings.
Compliance with 201 CMR 17.00 is essential to protect personal information and avoid legal consequences. Organizations should prioritize security measures to prevent breaches and demonstrate due diligence.
There are many different compliance regimes and regulations emerging in the United States. Some have been federal mandates, but most have been at the state level. I expect this to become widespread and happen more often as attacks on personal data increase year over year.
INCIDENT RESPONSE – PICERL
Creating an effective Incident Response plan is critical. Many people struggle to get one properly implemented despite the large amount of material available.
Challenges:
- Lack of Comprehensive Planning:
DO NOT rush into this; it will be different for every organization based on many factors. This is not a “check box” activity. DO NOT rush to put an Incident Response Plan and Procedure in place just to fulfill a requirement.
- Limited Resources and Budget Constraints:
I get it, you are a small organization or an organization that hasn’t put much value into cybersecurity or incident response. “We are too small of a company to be targeted”, “We have nothing they want”. Get something together at a high level and keep working to make it better. Cybersecurity is about continuous improvement; improving this process will take genuine effort from multiple people, and communication will be a key factor in success.
- Skills Shortage and Training Gaps:
Are you the lead? Train through practice. Get your baseline created and then test the users you will need to communicate with during an Incident Response scenario. Your lessons learned after the scenario will better prepare your team and get them thinking about “what ifs” and “how can I better prepare”.
- Complexity of IT Environments:
Not only is this a common obstacle, it is also a huge reason why preparation is key. Know your environment: the better you know it and the better it is documented, the easier it will be to notice when something is wrong. Identify your critical assets or “crown gems”; doing that will help you understand what needs to be done to create better Defense in Layers.
- Effective Communication and Coordination:
This is the most common obstacle I find and the most important thing I want everyone to work on. If something bad happened right now and you wanted to alert your Incident Response Team, how would you do it? If you message in Teams or Slack and don’t have a dedicated place to do this, good luck getting their proper attention that it is an emergency. Have an Incident Response area so that users know “If I post here I need your immediate attention because it is a RED LEVEL EMERGENCY”.
PICERL Incident Response Framework
PICERL is a well-structured framework for incident response that guides organizations through the process of handling security incidents.
PREPARE
Fail to Prepare, Prepare to Fail. When not actively responding to an incident, you are in this phase. Strive to get better with continuous improvement and attack surface reduction. System hardening, vulnerability management, patching, monitoring, documentation, training and practice are some things you should focus on.
IDENTIFY
Something has happened: act quickly and accurately to assess the situation and properly determine if it really is an incident. Make sure to categorize the incident and prioritize it based on severity, risk and impact. Escalate if needed to ensure the proper incident responders are working any confirmed incidents.
CONTAIN
The goal here is to stop the attack from spreading. Do not rush into this; make sure there are no holes in your containment. You need to prevent things from getting worse by being decisive with your actions.
ERADICATE
Get the attacker completely out and keep them out in the future. This should be the more permanent fix that happens after the threat has been contained. Complete any hardening, patching and additional configuration required. Make sure to continue monitoring.
RECOVER
Restore affected systems to their previous state, with additional measures in place to ensure the incident or a similar incident cannot happen again. Test, monitor and validate your systems as they are restored. Get things back to normal.
LESSONS LEARNED
Document and Learn. What happened in the incident? How did the incident happen? How was the incident dealt with? What went well with the incident response? What went bad with the incident response? What needs to be changed in the incident response plan?
Stop reading this, go plan your Incident Response!
