965 CMR, § 3.04

Current through Register 1533, October 25, 2024
Section 3.04 - Computer System Security Requirements

With respect to information stored and maintained in electronic form, the Auditor's WISP shall establish and maintain security measures covering its computers, including wireless systems, that, at a minimum, and to the extent technically feasible, have the following elements:

(1) Secure user authentication protocols, including: control of user IDs and other identifiers; a reasonably secure method of assigning and selecting passwords consisting of at least seven letters and numbers; periodic changing of passwords; control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access; restricting access to active users and active user accounts only; and blocking access to user identification after multiple unsuccessful attempts to gain access to the particular system.
(2) Secure access control measures that restrict access to records containing personal information to those who reasonably need such information to perform their job duties, and assignment of a unique user ID plus a password, which is not vendor supplied, to each person with computer access.
(3) Restricted access to computerized records containing personal information, including a written procedure that sets forth the manner in which access to personal information is restricted.
(4) Safeguards against access by former employees. The Auditor will ensure that departing or former employees cannot access electronic records containing personal information by terminating their electronic access to such records, including deactivating their passwords and user names.
(5) Safeguards against the transmission of personal information. To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
(6) Reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information, and recording the audit trails for users, events, dates, times, and success or failure of login.
(7) Encryption of personal information stored on laptops or other portable devices.
(8) For electronic files containing personal information on a system that is connected to the Internet, firewall protection with up-to-date patches, including operating system security patches. The firewall will, at a minimum, protect devices containing personal information from access by or connections from unauthorized users.
(9) The most current version of system security agent software which will include antispyware and antivirus software, including up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.
(10) Education and training of employees on the proper use of the computer security system, the importance of personal information security, and resources available to safeguard personal information.
(11) Enhanced network security.