Thursday, March 04, 2010

201 CMR 17

I've been hearing some buzz about this legislation lately. For those that have not heard, 201 CMR 17 is a Massachusetts state law that specifies standards for the access, storage and management of personal information for state residents. (Full text of the law can be found here.)
While this blog has been more of a forum about Identity Management rather than Identity Theft, I still thought this was an interesting thing to discuss.

For the first time there is real comprehensive discussion of how data should be managed for the general public. While HIPAA and SOX mandate similar practices, this is the first legislation that says all personal information is important, not just the information as it pertains to specific groups or industries.

I do think that this is good for the Identity Management industry for a few basic reasons:
  • There's no such thing as too much security
  • Laws like this promote development of good access management infrastructure
  • It gives us a chance to reexamine existing role / access assignments
Of course this is always interesting to an old-fashioned provisioning guy like me, since it means we need to extend the existing User Life-cycle process to make sure that we are building in stronger access management as noted above. Laws like this will make us think again about concepts of:
  • Attestation / Recertification
  • Role Assignment / Segregation of Duties
Sometimes this will be an audit of what rights / permissions users have over various File System / ERP / Database objects. Sometimes it will be a complete reassignment of these rights.

Complying with this law will require planning and forethought. The state of Massachusetts has provided a FAQ and a checklist to help begin the planning process. However, I think it will require at the very least a complete review of current processes combined with a thorough gap analysis by a knowledgeable project team.

As I think more on this, I will be posting my thoughts on what the 201 CMR 17 planning process will look like.

5 comments:

Chris said...

Nice read Matt. This is an interesting regulation in the sense that it may very well spawn other states to follow suit. It can be viewed very much as a social issue as well as a data security issue.

Another write up can be found here:
http://blog.maas360.com/massLaw

Matt Pollicove said...

Thanks, Chris. I've been asking the same question. Somehow I don't think the Massachusetts law will remain the Gold Standard for long. I'm sure other tech centric states such as California, New York, New Jersey and Texas will establish their own versions. Then the fun will really begin!

Adrian said...

Nice entry Matt...As identity management purists we have been pushing the awareness that identity theft and identity management have too many ties to be placed into separate containers. This regulation makes everyone responsible for securing their identity and raises the bar for service providers to be more cognizant of the importance of securing more than just an SSN. Since you have some interest in this I will get you connected with a few folks that I have been interacting with who are very close to the regulation and can provide more background for you.

Matt Pollicove said...

Always welcome, Adrian. Thanks. I think this represents a future step in IdM. We need to start looking at what happens after provisioning...

Adrian said...

Good to see you are staying on top of things Matt. As identity management purists we have been preaching the similarities between identity fraud and identity management and this regulation just hits the mark again. It makes the service provider even more responsible for identity attributes that could be mapped back to an identity. Protecting an SSN is not enough. I have a few contacts that I have been communicating with who are closely involved in this regulation that I can get you in contact with. Feel free to ping me if you are interested.