Week 3: Please read over the WISP Compliance Checklist and Guidelines (sec-plan-smallbiz-guide.pdf, compliance-checklist.pdf) and write at least 1-2 pages on how your company's regulation relates to WISP. If it isn't regulated by WISP, then how would it apply to a potential employer?

Professor's comment on the week 3 assignment: "This sounds like you were attempting to copy the Case Studies in the course. As well, the paper doesn't have your name or course number on it. Re-do this assignment please." (I attached my homework file; just check it out and re-do this assignment.)

Week 4: Please find a relevant topic in regards to INFORMATION SECURITY, with a 2-page description of the article.

Professor's comment on the week 4 assignment: "Article was not attached, but references assisted in finding it. Also, formatting on the paper is not following college standards." (I attached my homework; just put in the article and do some formatting like college standards, i.e. name, professor's name, title, course number.) Please follow the professor's comments and re-do the assignments. Thank you.

CHARLES D. BAKER
SECRETARY OF HOUSING AND
KARYN E. POLITO
COMMONWEALTH OF MASSACHUSETTS
JOHN C. CHAPMAN
Office of Consumer Affairs and Business Regulation
10 Park Plaza, Suite 5170, Boston, MA 02116
(617) 973-8700 FAX (617) 973-8799
201 CMR 17.00 COMPLIANCE CHECKLIST
The Office of Consumer Affairs and Business Regulation has compiled this checklist to help small
businesses in their effort to comply with 201 CMR 17.00. This Checklist is not a substitute for
compliance with 201 CMR 17.00. Rather, it is designed as a useful tool to aid in the development of
a written information security program for a small business or individual that handles “personal
information.” Each item, presented in question form, highlights a feature of 201 CMR 17.00 that will
require proactive attention in order for a plan to be compliant.
The Comprehensive Written Information Security Program (WISP)
Do you have a comprehensive, written information security program (“WISP”) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts?
Does the WISP include administrative, technical, and physical safeguards for PI protection?
Have you designated one or more employees to maintain and supervise WISP implementation?
Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information?
Have you chosen, as an alternative, to treat all your records as if they all contained PI?
Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI?
Have you evaluated the effectiveness of current safeguards?
Does the WISP include regular ongoing employee training, and procedures for monitoring?
Does the WISP include disciplinary measures for violators?
Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed or transported off your business premises?
Does the WISP provide for immediately blocking terminated employees’ physical and electronic access to PI records (including deactivating their passwords and user names)?
Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?
Have you required such third-party service provider by contract to implement and maintain such appropriate security measures?
Is the amount of PI that you have collected limited to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations?
Is the length of time that you are storing records containing PI limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations?
Is access to PI records limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations?
In your WISP, have you specified the manner in which physical access to PI records is to be restricted?
Have you stored your records and data containing PI in locked facilities, storage areas or locked containers?
Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary?
Are your security measures reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records?
Do you have in place a procedure for documenting any actions taken in connection with any breach of security; and does that procedure require post-incident review of events and actions taken to improve security?
Additional Requirements for Electronic Records
Do you have in place secure authentication protocols that provide for:
o Control of user IDs and other identifiers?
o A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?
o Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect?
o Restricting access to PI to active users and active user accounts?
o Blocking access after multiple unsuccessful attempts to gain access?
Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?
Do you assign unique identifications plus passwords (which are not vendor-supplied default passwords) to each person with computer access; and are those IDs and passwords reasonably designed to maintain the security of those access controls?
Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across public networks, and that are to be transmitted wirelessly?
Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?
Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?
On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection for files containing PI; and operating system security patches to maintain the integrity of the PI?
Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions?
Do you have in place training for employees on the proper use of your computer security system, and the importance of PI security?
COMMONWEALTH OF MASSACHUSETTS
OFFICE OF CONSUMER AFFAIRS AND
10 Park Plaza – Suite 5170, Boston MA 02116
(617) 973-8700 FAX (617) 973-8799
DEVAL L. PATRICK
SECRETARY OF HOUSING AND
TIMOTHY P. MURRAY
A Small Business Guide:
Formulating A Comprehensive Written Information Security Program
While the contents of any comprehensive written information security program required
by 201 CMR 17.00 must always satisfy the detailed provisions of those regulations; and while
the development of each individual program will take into account (i) the size, scope and type of
business of the person obligated to safeguard the personal information under such comprehensive
information security program, (ii) the amount of resources available to such person, (iii) the
amount of stored data, and (iv) the need for security and confidentiality of both consumer and
employee information, the Office of Consumer Affairs and Business Regulation is issuing this
guide to help small businesses in their compliance efforts. This Guide is not a substitute for
compliance with 201 CMR 17.00. It is simply a tool designed to aid in the development of a
written information security program for a small business, including the self employed, that
handles “personal information.”
Bear in mind that wherever there is a conflict between this guide and the provisions of 201 CMR 17.00, the latter governs. We set out below this “guide” to devising a security program (references below to “we” and “our” are references to the small business to which the real WISP will relate):
COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM
Our objective, in the development and implementation of this comprehensive written
information security program (“WISP”), is to create effective administrative, technical and
physical safeguards for the protection of personal information of residents of the Commonwealth
of Massachusetts, and to comply with obligations under 201 CMR 17.00. The WISP sets forth
our procedure for evaluating our electronic and physical methods of accessing, collecting,
storing, using, transmitting, and protecting personal information of residents of the
Commonwealth of Massachusetts. For purposes of this WISP, “personal information” means a
Massachusetts resident’s first name and last name or first initial and last name in combination
with any one or more of the following data elements that relate to such resident: (a) Social
Security number; (b) driver’s license number or state-issued identification card number; or (c)
financial account number, or credit or debit card number, with or without any required security
code, access code, personal identification number or password, that would permit access to a
resident’s financial account; provided, however, that “personal information” shall not include
information that is lawfully obtained from publicly available information, or from federal, state
or local government records lawfully made available to the general public.
The purpose of the WISP is to:
(a) Ensure the security and confidentiality of personal information;
(b) Protect against any anticipated threats or hazards to the security or integrity of such information;
(c) Protect against unauthorized access to or use of such information in a manner that creates a
substantial risk of identity theft or fraud.
In formulating and implementing the WISP, (1) identify reasonably foreseeable internal
and external risks to the security, confidentiality, and/or integrity of any electronic, paper or
other records containing personal information; (2) assess the likelihood and potential damage of
these threats, taking into consideration the sensitivity of the personal information; (3) evaluate
the sufficiency of existing policies, procedures, customer information systems, and other
safeguards in place to control risks; (4) design and implement a WISP that puts safeguards in
place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5)
regularly monitor the effectiveness of those safeguards:
DATA SECURITY COORDINATOR:
We have designated ____________________ to implement, supervise and maintain the
WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:
a. Initial implementation of the WISP;
b. Training employees;
c. Regular testing of the WISP’s safeguards;
d. Evaluating the ability of each of our third party service providers to implement and maintain
appropriate security measures for the personal information to which we have permitted them
access, consistent with 201 CMR 17.00; and requiring such third party service providers by
contract to implement and maintain appropriate security measures.
e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there
is a material change in our business practices that may implicate the security or integrity of
records containing personal information.
f. Conducting an annual training session for all owners, managers, employees and independent
contractors, including temporary and contract employees who have access to personal
information on the elements of the WISP. All attendees at such training sessions are required to
certify their attendance at the training, and their familiarity with the firm’s requirements for
ensuring the protection of personal information.
To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately. To the extent that any of these measures require a phase-in period, such phase-in must be completed on or before March 1, 2010:
A copy of the WISP must be distributed to each employee who shall, upon receipt of the WISP, acknowledge in writing that he/she has received a copy of the WISP.

There must be immediate retraining of employees on the detailed provisions of the WISP.

Employment contracts must be amended immediately to require all employees to comply with the provisions of the WISP, and to prohibit any nonconforming use of personal information during or after employment; with mandatory disciplinary action to be taken for violation of security provisions of the WISP (the nature of the disciplinary measures may depend on a number of factors including the nature of the violation and the nature of the personal information affected by the violation).

The amount of personal information collected should be limited to that amount reasonably necessary to accomplish our legitimate business purposes, or necessary for us to comply with other state or federal regulations.

Access to records containing personal information shall be limited to those persons who are reasonably required to know such information in order to accomplish our legitimate business purpose or to enable us to comply with other state or federal regulations.

Electronic access under a user identification must be blocked after multiple unsuccessful attempts to gain access.
All security measures shall be reviewed at least annually, or whenever there is a material change in our business practices that may reasonably implicate the security or integrity of records containing personal information. The Data Security Coordinator shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising out of that review.

Terminated employees must return all records containing personal information, in any form, that may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work

A terminated employee’s physical and electronic access to personal information must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the firm’s premises or information. Moreover, such terminated employee’s remote electronic access to personal information must be disabled; his/her voicemail access, e-mail access, internet access, and passwords must be invalidated. The Data Security Coordinator shall maintain a highly secured master list of all lock combinations, passwords and keys.

Current employees’ user IDs and passwords must be changed

Access to personal information shall be restricted to active users and active user accounts only.

Employees are encouraged to report any suspicious or unauthorized use of customer information.
Whenever there is an incident that requires notification under M.G.L. c. 93H, §3, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in our security practices are required to improve the security of personal information for which we are responsible.

Employees are prohibited from keeping open files containing personal information on their desks when they are not at their desks.

At the end of the work day, all files and other records containing personal information must be secured in a manner that is consistent with the WISP’s rules for protecting the security of personal information.

Each department shall develop rules (bearing in mind the business needs of that department) that ensure that reasonable restrictions upon physical access to records containing personal information are in place, including a written procedure that sets forth the manner in which physical access to such records in that department is to be restricted; and each department must store such records and data in locked facilities, secure storage areas or locked containers.

Access to electronically stored personal information shall be electronically limited to those employees having a unique log-in ID; and re-log-in shall be required when a computer has been inactive for more than a few minutes.

Visitors’ access must be restricted to one entry point for each building in which personal information is stored, and visitors shall be required to present a photo ID, sign in and wear a plainly visible “GUEST” badge or tag. Visitors shall not be permitted to visit unescorted any area within our premises that contains personal information.

Paper or electronic records (including records stored on hard drives or other electronic media) containing personal information shall be disposed of only in a manner that complies with M.G.L. c. 93I.
To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures must be completed on or before March 1, 2010:

There must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information, installed on all systems processing personal information.

There must be reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, installed on all systems processing personal information.

To the extent technically feasible, all personal information stored on laptops or other portable devices must be encrypted, as must all records and files transmitted across public networks or wirelessly. Encryption here means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the Office of Consumer Affairs and Business Regulation.

All computer systems must be monitored for unauthorized use of or access to personal information.

There must be secure user authentication protocols in place, including: (1) protocols for control of user IDs and other identifiers; (2) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (3) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect.
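The account-handling rules the guide sets out (unique log-in IDs, blocking access after multiple unsuccessful attempts, re-login after a computer has been inactive, immediate blocking of a terminated employee, and passwords kept in a format that does not compromise the data they protect) can be checked against a small piece of code. The following Python module is an added example written for this page, not part of the OCABR guide or checklist; the thresholds (five attempts, five minutes) and the PBKDF2 work factor are assumptions, since 201 CMR 17.00 prescribes no specific numbers.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Policy thresholds are assumptions made for this example; 201 CMR 17.00 does not prescribe numbers.
MAX_FAILED_ATTEMPTS = 5           # lock the account after this many consecutive failures
INACTIVITY_LIMIT_SECONDS = 300    # require re-login after five minutes without activity
PBKDF2_ITERATIONS = 100_000       # work factor for the password hash (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Keep passwords only as a salted PBKDF2-HMAC-SHA256 digest, never in clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """In-memory directory of user accounts: unique IDs, hashed passwords, lockout and session state."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.users: Dict[str, dict] = {}

    def add_user(self, user_id: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = {"salt": salt, "digest": digest, "active": True,
                               "failures": 0, "locked": False, "last_activity": None}

    def deactivate(self, user_id: str) -> None:
        """Termination: block access immediately; the record is kept for audit purposes."""
        self.users[user_id]["active"] = False
        self.users[user_id]["last_activity"] = None

    def login(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Unknown and inactive IDs get the same 'denied'
        as a wrong password, so the login response does not reveal which IDs exist."""
        rec = self.users.get(user_id)
        if rec is None or not rec["active"]:
            return "denied"
        if rec["locked"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            rec["last_activity"] = self.clock()
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True
            return "locked"
        return "denied"

    def touch(self, user_id: str) -> bool:
        """Record activity on a session; return False when re-login is required."""
        rec = self.users[user_id]
        if rec["last_activity"] is None:
            return False
        if self.clock() - rec["last_activity"] > INACTIVITY_LIMIT_SECONDS:
            rec["last_activity"] = None          # session expired: force a new log-in
            return False
        rec["last_activity"] = self.clock()
        return True

    def unlock(self, user_id: str) -> None:
        """Administrative reset (for the Data Security Coordinator) after the lockout is reviewed."""
        self.users[user_id].update(locked=False, failures=0)


def demo() -> dict:
    """Walk through the lockout, inactivity and termination rules using a controllable clock."""
    now = [0.0]
    store = AccountStore(clock=lambda: now[0])
    store.add_user("alice", "correct horse battery staple")      # constructed sample account
    results = {"good_login": store.login("alice", "correct horse battery staple")}
    results["active_session"] = store.touch("alice")
    now[0] += INACTIVITY_LIMIT_SECONDS + 1
    results["expired_session"] = store.touch("alice")
    results["lockout_sequence"] = [store.login("alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    results["locked_even_with_right_password"] = store.login("alice", "correct horse battery staple")
    store.unlock("alice")
    store.deactivate("alice")
    results["after_termination"] = store.login("alice", "correct horse battery staple")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points match the guide's wording: a locked or deactivated account stays locked even when the correct password is presented, because the control is on the account, not on the password; and the password record holds only a salt and a digest, so a copy of the store does not expose the passwords themselves.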
The Alcohol and Tobacco Tax and Trade Bureau (TTB) has implemented a virtual desktop with the aim of minimizing the cost, time and effort needed to refresh the devices used for its computing requirements. TTB has identified a solution to unfunded computing needs: a framework for turning old desktop and/or laptop computers into thin client computing devices for a small fee. The implication is that the refreshed system is available on all operating systems; an end user device is transformed into a device for viewing and controlling the information held on virtual systems at TTB offices. No data is made available to end user devices. The virtual desktop plan gives TTB the additional advantage of delivering the information to various systems without the conventional policy and legal issues. According to the guide for the Comprehensive Written Information Security Program (WISP), the development of systems for data protection must take into account factors like the size, scope and type of business. TTB does not fall under the category of a small business, but the 201 CMR 17.00 Compliance Checklist applies to TTB: the federal body handles personal information of residents of the Commonwealth of Massachusetts, which the comprehensive WISP covers. The virtual desktop is used by 70% of TTB personnel and is characterized by the lack of a typical user setup; the requirement for access to the virtual network is a configuration applied to an individual’s numerous devices. The TTB virtual desktop does not comply with the WISP Checklist because no data touches the user devices. According to TTB, the virtual desktop avoids the legal and compliance requirements through a feature whereby the BYOD device holds no physical data: users’ requests for information can be fulfilled while no physical information is held on the device. For any potential employer, the WISP Checklist and the guide for small businesses offer a framework for protecting personal information (PI) on mobile and electronic devices. The Comprehensive Written Information Security Program Checklist is a fundamental mechanism for establishing the details of personal information protection by a small business or individual, details that require proactive attention to ensure compliance with PI protection.
Information security involves protection of the confidentiality, authenticity, utility, availability and integrity of computer data and information from malicious persons. It is basically the protection of information and information systems from unauthorized modification and access. Anything that is likely to threaten any of these five aspects of information poses a general risk to the security of that information. This is why organizations as well as individuals have worked towards putting in place measures to guarantee full security of any information in their custody (Peltier, 2013). One of the methods being used to boost the security of information is cryptography.
Cryptography is a method of mitigating the security threat whereby messages are modified while they are in transit by malicious people who intercept them before they reach their intended destination. Good cryptographic tools can be employed to deal with this security threat: they ensure that the information is as authentic as when it left the source. Cryptography involves changing data into another form, storing it and then transmitting it in that form so that only the authorized recipients can process and read it (Kahate, 2013). Cryptography is made possible by electronic cryptosystems that use mathematical algorithms coupled with other methods and mechanisms to ensure that information and network security is guaranteed under any circumstance. Cryptographic techniques use basic components like message digest functions, Hashed Message Authentication Code (HMAC) functions, digital signatures, secret key exchange and encryption algorithms to provide the best security functions. Most operating systems also use these components to ensure that their users’ information is kept secure.
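To make the “modified in transit” threat and the HMAC component concrete, the following Python code is an added example (not part of the essay or of the sources it cites). A sender attaches an HMAC-SHA256 tag to a message and the receiver detects any change to it; the same exchange with an unkeyed message digest shows why a digest alone gives no integrity protection, since whoever alters the message can simply recompute the digest. The shared key and the two messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret for this example; in a real deployment it would come from a key
# exchange or a protected key store, never from source code.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def protect_with_hmac(message: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sender: attach an HMAC-SHA256 tag computed over the message with the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"message": message, "tag": tag}


def verify_hmac(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver: recompute the tag and compare in constant time (hmac.compare_digest)."""
    expected = hmac.new(key, envelope["message"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def protect_with_digest(message: bytes) -> dict:
    """Unkeyed alternative: a plain SHA-256 message digest attached to the message."""
    return {"message": message, "digest": hashlib.sha256(message).hexdigest()}


def verify_digest(envelope: dict) -> bool:
    """Receiver check for the unkeyed case; anyone can produce a digest that passes this."""
    expected = hashlib.sha256(envelope["message"]).hexdigest()
    return hmac.compare_digest(expected, envelope["digest"])


def demo() -> dict:
    """Constructed exchange: an original message, then the same message altered in transit."""
    original = b"transfer 100 USD to account 12345"
    altered = b"transfer 900 USD to account 12345"

    # Keyed case: the message is changed but no matching tag can be produced without the key.
    keyed = protect_with_hmac(original)
    keyed_tampered = {"message": altered, "tag": keyed["tag"]}

    # Unkeyed case: the digest is simply recomputed over the altered message.
    unkeyed_tampered = protect_with_digest(altered)

    return {
        "hmac_intact": verify_hmac(keyed),
        "hmac_tampered": verify_hmac(keyed_tampered),
        "hmac_wrong_key": verify_hmac(keyed, key=b"another-key"),
        "digest_forged_accepted": verify_digest(unkeyed_tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The receiver compares tags with `hmac.compare_digest` rather than `==` so that the comparison time does not depend on how many leading characters match.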
Cryptography is built on the premise of a cipher which can be reliably used for encryption of text, so that once information in transit has been converted into cipher text, the conversion can never be undone by malicious people using any available technology. Ciphers can be categorized on the basis of whether they work as block ciphers or stream ciphers, and on whether a single key is used for both encryption and decryption or two keys are required for the whole process to be complete (Kahate, 2013). The former are referred to as symmetric key algorithms and the latter as asymmetric key algorithms.
Cipher text is normally of three categories: the substitution cipher, the shift cipher and the polyalphabetic cipher. Under the substitution cipher, a single character is used to replace each letter in the message being transmitted. Since some letters and words in any message appear more often than others, these ciphers are easier for highly experienced cryptologists to decrypt. The shift cipher is also referred to as the Caesar type of cipher. This is the type that is most easily understood and remembered for purposes of decoding. It works by shifting the letters of the written message a number of positions to one side or the other; by so doing, the whole message becomes unreadable at first glance. Lastly, there is the polyalphabetic cipher, which is the most complex of the three. Here there is a one-to-many relationship, in that a keyword has to be used, unlike the commonly known cipher types that employ a one-to-one technique (Kahate, 2013).
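The three cipher categories named in the paragraph can be implemented and compared in a few lines. The following Python code is an added example, not taken from Kahate (2013) or from the essay; the sample message, substitution key and keyword are constructed for it. It also illustrates the paragraph's remark about letter frequencies: under a substitution cipher the most common ciphertext letter is simply the image of the most common plaintext letter, whereas the polyalphabetic (Vigenère) cipher maps one plaintext letter to several different ciphertext letters.

```python
import string
from collections import Counter
from typing import List, Tuple

ALPHABET = string.ascii_uppercase


def shift_cipher(text: str, shift: int, decrypt: bool = False) -> str:
    """Caesar/shift cipher: move every letter a fixed number of positions; other characters pass through."""
    k = -shift if decrypt else shift
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] if c in ALPHABET else c
                   for c in text.upper())


def substitution_cipher(text: str, key: str, decrypt: bool = False) -> str:
    """Monoalphabetic substitution: a 26-letter key maps A..Z one-to-one onto the key's letters."""
    assert sorted(key) == list(ALPHABET), "key must be a permutation of the alphabet"
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    return text.upper().translate(str.maketrans(src, dst))


def vigenere_cipher(text: str, keyword: str, decrypt: bool = False) -> str:
    """Polyalphabetic (Vigenere) cipher: the keyword selects a different shift for each letter position."""
    out, i = [], 0
    for c in text.upper():
        if c in ALPHABET:
            k = ALPHABET.index(keyword[i % len(keyword)].upper())
            out.append(ALPHABET[(ALPHABET.index(c) + (-k if decrypt else k)) % 26])
            i += 1          # only letters consume keyword positions
        else:
            out.append(c)
    return "".join(out)


def letter_frequencies(text: str, top: int = 3) -> List[Tuple[str, int]]:
    """Most common letters in a text: the statistic a frequency analysis of a substitution cipher uses."""
    counts = Counter(c for c in text.upper() if c in ALPHABET)
    return counts.most_common(top)


def demo() -> dict:
    message = "DEFEND THE EAST WALL OF THE CASTLE"     # constructed sample plaintext (E is most common)
    sub_key = "QWERTYUIOPASDFGHJKLZXCVBNM"             # constructed permutation of A..Z
    keyword = "LEMON"                                  # constructed Vigenere keyword
    shifted = shift_cipher(message, 3)
    substituted = substitution_cipher(message, sub_key)
    poly = vigenere_cipher(message, keyword)
    return {
        "shift": shifted,
        "shift_roundtrip": shift_cipher(shifted, 3, decrypt=True) == message,
        "substitution_roundtrip": substitution_cipher(substituted, sub_key, decrypt=True) == message,
        "vigenere_roundtrip": vigenere_cipher(poly, keyword, decrypt=True) == message,
        "plain_top": letter_frequencies(message)[0][0],
        "substitution_top": letter_frequencies(substituted)[0][0],
        "substitution_of_E": sub_key[ALPHABET.index("E")],
        "vigenere_top": letter_frequencies(poly)[0][0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the demo output `substitution_top` equals `substitution_of_E`: the substitution cipher has hidden the letters but not their frequency pattern, which is exactly what the paragraph means by such ciphers being easier to decrypt. The Vigenère output has a different most common letter, because the five keyword shifts send E to several ciphertext letters.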
Despite a number of risk factors associated with cryptography, such as the public key length and the symmetric key length, cryptography has a number of advantages: the complex mathematical algorithms used in encryption ensure that even if a hacker succeeds in getting access to a particular file, decrypting it will be a difficult task unless they have the required authority and key for decryption (Peltier, 2013). It is therefore an effective method of ensuring information security.
Kahate, Atul. Cryptography and network security. Tata McGraw-Hill Education, 2013.
Peltier, Thomas R. Information security fundamentals. CRC Press, 2013.