Thursday, February 18, 2010

Hey Massachusetts, where is your application security requirement?

This relates to my last post where Boaz Gelbord (Security Scoreboard), cited something very interesting about the Massachusetts data security regulation going into effect March 1. Their listed “Computer System Security Requirements” of their "risk-based approach" is pasted below. While I can’t say any one of these security controls is a bad idea, but can someone please tell me how any of this stuff is going to thwart Web-based attacks!? You know the kind of attack organizations and end-users are really dealing with!

No mention at all of (Web) application security, the thing we desperately need, but sure enough more firewalls, SSL, and anti-malware is legally mandated.


(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:
(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(5) Encryption of all personal information stored on laptops or other portable devices;
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

1 comment:

Boaz Gelbord said...

You hit the nail on the head Jeremiah! What's most surprising is that the Massachusetts regulation (201 CMR 1700) is not some poorly thought out piece of legislation that somehow slipped under the radar. There have been numerous revisions and a great deal of discussion during the drafting of this regulation.

I have blogged before about the mistake of omitting application security from the Massachusetts regulation. And the Massachusetts regulation might now become a model for other states. When California introduced the first data breach notification law a few years back, it was eventually replicated in almost all 50 states.

201 CMR 17.00 is essentially the first state-level regulation with specific technical mandates for protecting PII. So there are undoubtedly other states considering a version of their own. Although it is too late for this version of the Massachusetts regulation, hopefully this will be corrected in future versions or in other states.