201 CMR 17 – Requirements
| 201 CMR 17 Requirements | Support | Alarms | Investigations | Reports | |||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 17.03.2.b: Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks. | Direct | 201 CMR 17: Attack Alert | 201 CMR 17: Critical/Error Condition Summary | ||||||||||||||||||||||||||||||||||||||||||
| 17.03.2.b.3: Means for detecting and preventing security system failures. | Direct | 201 CMR 17: Critical/Error Condition Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.03.2.e: Preventing terminated employees from accessing records containing personal information. | Augment | 201 CMR 17: Account Deletion Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.03.2.h: Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. | Direct | 201 CMR 17: Account Access Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.03.2.j: Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. | Direct | 201 CMR 17: Alarm And Response Activity | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.1.d: Restricting access to active users and active user accounts only. | Augment | 201 CMR 17: Account Deletion Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.1.e: Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. | Augment | 201 CMR 17: Disabled/Locked Account Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.2.a: Restrict access to records and files containing personal information to those who need such information to perform their job duties. | Augment | 201 CMR 17: File Integrity Monitoring Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.2.b: Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. | Augment | 201 CMR 17: Default Account Access Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.3: Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. | Augment | 201 CMR 17: Network Connection Detail | 201 CMR 17: Network Connection Summary | ||||||||||||||||||||||||||||||||||||||||||
| 17.04.4: Reasonable monitoring of systems, for unauthorized use of or access to personal information. | Direct | 201 CMR 17: Account Access Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.6: For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. | Augment | 201 CMR 17: Host Firewall Error Summary | |||||||||||||||||||||||||||||||||||||||||||
| 17.04.7: Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. | Augment | 201 CMR 17: Antivirus Information Summary | |||||||||||||||||||||||||||||||||||||||||||