Comments on: Looking further into MA regulation 201 CMR 17.00 http://slagwerks.com/blog/index.php/2008/10/22/looking-further-into-ma-regulation-201-cmr-1700/ Thu, 30 Jul 2009 15:44:17 +0000 hourly 1 http://wordpress.org/?v=3.0 By: joe http://slagwerks.com/blog/index.php/2008/10/22/looking-further-into-ma-regulation-201-cmr-1700/comment-page-1/#comment-8113 joe Fri, 24 Oct 2008 14:32:33 +0000 http://slagwerks.com/blog/?p=150#comment-8113 Thanks, Tom. In particular, I found the table comparing the relevant standards helpful. Thanks, Tom. In particular, I found the table comparing the relevant standards helpful.

]]> By: Tom Cornelius http://slagwerks.com/blog/index.php/2008/10/22/looking-further-into-ma-regulation-201-cmr-1700/comment-page-1/#comment-8112 Tom Cornelius Thu, 23 Oct 2008 21:20:20 +0000 http://slagwerks.com/blog/?p=150#comment-8112 The ramifications go beyond the potential fines from the law. Where this really will affect every business and organization is in terms of liability. If a business fails to comply with a known requirement (e.g. 201 CMR 17.00), that company can be found professionally negligent. Since it is easy to prove or disprove due care and due diligence by the fact there are quantifiable standards, a law as this makes it easy to hold a company accountable. Unfortunately for the company, if they are not compliant and a verdict is awarded, insurance will not cover the loss. This is unfamiliar to most business owners, since they do not equate non-compliance with their computer security with negligent behavior. This can easily put a business into bankruptcy. Here is an interesting handout on the new law from MA and how it stacks up against other requirements such as HIPAA, SOX, GLBA, FACTA, and the PCI DSS. Check out: http://www.isecuritypolicy.com/pdf/commonwealth.pdf The ramifications go beyond the potential fines from the law. Where this really will affect every business and organization is in terms of liability. If a business fails to comply with a known requirement (e.g. 201 CMR 17.00), that company can be found professionally negligent. Since it is easy to prove or disprove due care and due diligence by the fact there are quantifiable standards, a law as this makes it easy to hold a company accountable. Unfortunately for the company, if they are not compliant and a verdict is awarded, insurance will not cover the loss. This is unfamiliar to most business owners, since they do not equate non-compliance with their computer security with negligent behavior. This can easily put a business into bankruptcy.

Here is an interesting handout on the new law from MA and how it stacks up against other requirements such as HIPAA, SOX, GLBA, FACTA, and the PCI DSS. Check out: http://www.isecuritypolicy.com/pdf/commonwealth.pdf

]]> By: gribley http://slagwerks.com/blog/index.php/2008/10/22/looking-further-into-ma-regulation-201-cmr-1700/comment-page-1/#comment-8110 gribley Thu, 23 Oct 2008 19:07:07 +0000 http://slagwerks.com/blog/?p=150#comment-8110 Yeah, I was wondering about this too. Does it have any relevance for a certain project we have worked on together? I fear that it does... Yeah, I was wondering about this too. Does it have any relevance for a certain project we have worked on together? I fear that it does…

]]>