Chief Information Officer archives - IT Compliance Advisor

Aug 21 2009   4:10PM GMT

Clarifying mobile encryption requirements for 201 CMR 17.00 compliance



Posted by: Alexander Howard
CIO, Personally identifiable information, encryption, Open source, business, Mobile phone, Chief information officer, 201 CMR 17.00, data protection, IT compliance, compliance

When I reported on amendments to the Massachusetts data protection law earlier this week, one of the comments that undersecretary of consumer affairs Barbara Anthony made was a point of interest to many enterprise IT professionals who must determine what 201 CMR 17.00 compliance will mean.

Specifically, Anthony stated that, “We know right now that there’s no widespread technology for encrypting mobile devices, but we know it’s there for laptops.”

Given that the regulation’s language includes a requirement for encryption where “technically feasible,” the issue demanded clarification. I contacted Secretariat CIO Gerry Young, who was involved in drafting the original regulation. He offered the following guidance on mobile encryption:

“This just belies unfamiliarity with the current state of encryption. Even a cursory scan will show that technologies like Snapcell, Navastream, AlertBoot, SecurStar PhoneCrypt, Endoacustica and Babylon nG have carried cell phone encryption to fairly sophisticated stages.

“Encryption for cellular phones has evolved beyond even enterprise-class smartphones, and you are beginning to see robust offerings for 3G phones available at attractive price points.

“European companies like Navastream (Germany) are making inroads in U.S. markets to fill a clear void. This will help to drive competition, and push price points lower for the consumer.

“I would think that once there are free, open source encryption alternatives — along with a plethora of low-cost encryption vendors in the cellular market — we would be ready to mandate cell phone encryption in the near future.”

In other words, encrypting mobile devices and smartphones remains a best practice, particularly where resident PII is present, but is not mandated for 201 CMR 17.00 compliance — yet.

Jul 8 2009   3:39PM GMT

Professor McAfee on Enterprise 2.0 and compliance: Slight risk



Posted by: Alexander Howard
Andrew McAfee, Web 2.0, Social Enterprise, Enterprise 2.0, Chief information officer, Social software, #e2conf, E20, compliance

This year, I approached the annual Enterprise 2.0 Conference in Boston with a specific question: Can an organization in a regulated industry adopt enterprise social software and remain compliant?

I received a range of answers, depending upon whether I talked to vendors, end users, analysts or CIOs. Later today, I’ll be publishing a feature that examines precisely this issue.

After reading C.G. Lynch’s Q&A on what’s next for enterprise 2.0 with Professor Andrew McAfee, who coined the term, I saw I’d need to ask him the same question.

When asked about whether CIOs should worry about “implementing Web 2.0 tools in the enterprise because of security and compliance,” Professor McAfee said he didn’t have any horror stories to relate – and that he asks for them, whenever he talks to big business. His “quick and dirty explanation” for that is:

“People know how to do their jobs. By this point, none of these tools are a week old, so the rules for using them aren’t unclear. We know the stuff that will get us fired if we talk about it. If you work in an investment bank, for example, you have it drummed into you, before any enterprise 2.0 tools even showed up, what you can and can’t talk about, and to whom.”

I asked McAfee a similar question: “Where do you see the intersection between enterprise 2.0 and regulatory compliance?” His answer:

I do not think these tools substantially alter the compliance risk profile of organizations. Employees today are acutely aware of compliance issues, and I don’t see that they’ll be tempted to disobey policy or break the law simply because 2.0 tools become available.

There may be some slight risk of inadvertent noncompliance, but the fact that contributions to 2.0 environments are so visible means that any such breaches are likely to be detected quickly.

When it comes to enterprise 2.0, I agree heartily with Thomas Jefferson, who wrote, “I know of no safe repository of the ultimate power of society but people. And if we think them not enlightened enough, the remedy is not to take the power from them, but to inform them by education.”

After reporting on the story for a week, it’s clear to me that CIOs, privacy and security professionals need better tools to monitor, log and filter communication with external social networking platforms. Data loss prevention (DLP) will be a line item in enterprise security budgets, driven by the need to reduce new risks posed by social messaging.

Even if political gaffes on social networking sites don’t cease — like Battle Creek Mayor Mark Behnke accidentally tweeting Social Security numbers or continued Congressional missteps on Twitter — compliance concerns about the use of enterprise 2.0 platforms are likely to increase with continued data leaks, from whatever vector they take.

Insider threats are a significant concern, given increased economic pressures stemming from the recession. As Forrester senior analyst Andrew Jacquith observed earlier this year, “as auditors have gained more experience assessing compliance with Sarbanes-Oxley and other statutes, they have become increasingly aware of the perils of excessive entitlements. Greater awareness has led to tougher audits. Now enterprises must be prepared to explain who got access to what application features, and why.”

What Professor McAfee’s answer reveals to me, primarily, is that the people aspect of compliance is a crucial consideration. The technology matters but, in the end, your security and ability to meet regulatory requirements rests on the mind-set and education of those entrusted with the sensitive data of an enterprise or its customers. Thanks to the good professor for his answer.

Jun 11 2009   6:02PM GMT

Gartner and CA on addressing compliance requirements in cloud computing



Posted by: Alexander Howard
Cloud computing, Chief information officer, Enterprise content management, cloud compliance

If you are a CIO, CTO or compliance officer tasked with evaluating a cloud vendor, give Linda Tucci’s excellent new SearchCIO.com article a read: “Addressing compliance requirements in cloud computing contracts.”

In the piece, Tucci reports on interviews with Debra Logan, an enterprise content management analyst at Stamford, Conn.-based Gartner Inc, and Tom McHale, vice president of product management for CA’s GRC Manager suite, to gain answers to the following questions:

  • Who has access to sensitive data in the cloud?
  • Data backup: How often, how long, how well?
  • How will you manage e-discovery requests and satisfy different retention laws?

“Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company’s responsibility for the legal, regulatory and audit obligations attached to that information,” Tucci writes. “CIOs should be ready with a list of compliance questions for cloud vendors. But don’t expect their answers to suffice.”

Gartner recommends, in fact, getting a security assessment from a neutral third party before committing to a specific cloud computing vendor. In a report released in June, entitled “Assessing the Security Risks of Cloud Computing,” Gartner analysts Jay Heiser and Mark Nicolett write that cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing.”

As noted in Tucci’s article, however, Logan is skeptical about adoption, especially for companies in heavily regulated industries. In Logan’s view, “If legal departments are paying attention when companies are adopting cloud services, they will put the brakes on fast. Early adoption of cloud services will be significantly inhibited by cloud providers’ failure to adequately address security, privacy and risk concerns, especially among highly regulated industries.”

Feb 2 2009   7:41PM GMT

How will the Massachusetts Data Protection Law affect IT compliance?



Posted by: Alexander Howard
regulatory compliance, Massachusetts, data protection, business, PII, PIFI, Office of Consumer Affairs, Chief information officer, Government, Harvard Medical School, Health care

The Massachusetts Office of Consumer Affairs and Business Regulation established a significant new regulation in 2008, 201 CMR 17.00: Standards for The Protection of Personal Information. The strict new data protection law was set to take effect on January 1, 2009.

After the shift in the nation’s macroeconomic climate and strong resistance by state business leaders, however, the deadline for compliance with the basic provisions of the law was extended to May 1, 2009.

I’ll be traveling to Waltham to try to livestream the state’s public hearings on the legislation. Assuming that no technical difficulties occur in our use of uStream.com, you’ll be able to watch a webcast of the proceedings and ask questions through the integrated chatroom. An archived version of the event will also be available for on-demand viewing.

We’re also preparing a podcast that examines the new law from the perspective of a compliance software expert, a security expert and the Massachusetts Office of Consumer Affairs and Business Regulation MIS officer. You can expect the podcast to become available later this week.

Dr. John Halamka, CIO of CareGroup Health System and CIO/Dean for Technology at Harvard Medical School, provided some perspective on the relationship of the new MA data protection law to healthcare compliance on his blog.

UPDATE: Due to the expected 4-7″ of snow falling here in Massachusetts, the Greater Boston Network Users Group has cancelled today’s Q&A with David A. Murray, General Counsel and Gerry Young, CIO. Details are posted on the calendar at BNUG.org. We’ll update you when the next hearing is scheduled.
