Can I skip having an information security program in place in Massachusetts? What are the requirements?
In Massachusetts, it is mandatory to have an information security program in place. The Attorney General’s WISP and the Auditor’s WISP require that security measures be established and maintained for computers, including wireless systems, that cover at least the following elements: secure user authentication protocols; secure access control measures; restricted access to computerized records containing personal information; safeguards against access by former employees; safeguards against the transmission of personal information; reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information; encryption of personal information stored on laptops or other portable devices; firewall protection for electronic files containing personal information on a system that is connected to the Internet; the most current version of system security agent software; education and training of employees on the proper use of the computer security system, the importance of personal information security, and resources available to safeguard personal information; and enhanced network security [1.2][2.1].
Therefore, it is not possible to skip having an information security program in place in Massachusetts.
Source(s):
Jurisdiction
Massachusetts