Anybody in charge of Massachusetts CMR 201 compliance for your company?

LOLANG
The two people in my company in charge are likely to dump it on me, with less than two weeks remaining for compliance. One of them believes Firefox is a firewall, the other could not find the power button on a laptop...

For 9 months they have worked to keep me out of meetings to get the company up to code, and now that the contractors are telling them they need to do most of this work, which they are refusing to do, I surely believe I will be assigned to do this.
 
Go over their heads, see what their management says about how they haven't been including you in mandatory project meetings and then expect you to do all the work. Stand up for yourself, plain and simple. If upper management tells you that you need to do what they tell you, you're pretty much hosed.
 
I'm in the middle of dealing with Massachusetts laws for SEC data security; is that what you are referring to?
 
K1pp3r, yes, this is what I'm referring to. We have a vendor that takes care of our network and all the viruses and trojans that these two people constantly have on their computers. I spoke with the directors and they said I would have to get involved, but when there was a meeting with our vendor, our compliance people, and a contractor they hired to write the compliance document, I was not asked to come. My main concern is finding a program to encrypt .pdf files and training the staff and our site managers on this new law. The two people I mentioned above are the most computer literate in the company, and as it stands they are in charge of the training.
 
*raises hand* Thankfully we've been preparing for about a year now, though. I would definitely go to management with this one if you are getting resistance. If nothing else, you did your part by bringing up your concerns and going to the right people.
 
Lol, they've known about this for a year too. I was hired 9 months ago; they knew nothing about my computer enthusiast background at the time. As they found out, they dumped some handouts they got from seminars about the law on me, then all of a sudden they excluded me from any dealings with it. I am thoroughly amused by the computer illiteracy in this company; I was practically accused of witchcraft when I set up dual monitors.

@devvoid I did what I could, people here are just very territorial. What program are you guys using for encryption?
 
I'm in charge of it for our client. We are using VIPRE Enterprise AV and a Cisco ASA 5505 with the IPS (intrusion prevention) module.

Backups are encrypted with 256-bit AES and transferred to two data centers over 256-bit SSL tunnels.

Desktops and laptops are about to receive Sophos enterprise encryption. We are in the process of testing it right now.

It's a pain, honestly.

Edit: forgot to add, Attach Plus is great for sending encrypted emails.
 
That stuff is out of our league, we're a small non-profit. The CFO told me free was best when I asked him about encryption programs four months ago or so.
 
I've participated in countless audits that included everything from classified gov't systems to health care and have yet to see how it's possible to achieve compliance with a "zero-cost" footprint for any published audit criteria.

I actually just finished an audit by MITRE in which we did extremely well; however, there were many items that would require vast sums of money to implement if you want a "flawless" report. Most of the time those kinds of items get shot down from a cost/benefit standpoint.

I don't have any specific experience with the criteria in this thread, though. I don't think any standard, regardless of whether it is based on ITIL, FIPS, PCI, etc., can be quickly and cheaply adhered to.
 
Non-profits are affected by this as well? Man that sucks.

TrueCrypt is always an option; it wasn't for us due to size and recovery options. We liked the central management of Sophos. Teamed with Cisco IPS and AV, it is pretty strong. Much cheaper than some of the other hardware options out there.
 
Thankfully we have a smaller fleet of laptops, so we're using TrueCrypt. It lacks central management, but it's free and it works great for our purpose.
 
When companies undermine the importance of IT and shit hits the fan, it's not pretty. Write an official letter to management, and to those two "trainers", telling them that you've warned them and that they are not stressing the significance of the situation enough. Sign it, and retain a copy of it. When the 2 weeks are up and shit DOES hit the fan, go to them and the management and say "Did you read the memo I sent you?" Then have it ready in your hands to show them once again. Then you can say, "I warned you."

Unfortunately I've seen this happen on a couple of occasions. When I tell a client that I'm serious as a heart attack about something, they don't take it seriously; even after an e-mail and a letter, they all end up ignoring me or not wanting to put forth the effort to resolve the matter at hand. Unfortunately, some companies are like antibodies in your immune system: once you've had a disease, your body builds up a resistance to it after it passes. And like companies, the only way for them to take the matter seriously is when things go horribly wrong.
 
@K1pp3r I work for a non-profit housing company and we send CORI requests to other agencies, which is why we need encryption. Had I not mentioned this to the trainers and the Directors 5 months ago, they would have skipped right over that part of the law, and they still have not figured out how many people out of the 40 or so employees need encryption software.

One of the trainers understands the importance of the situation, but is too computer illiterate to do anything about it: the only way to fix a printer problem is to reinstall the drivers from the HP disk, Word is opening .pdf files so Outlook must be broken, etc. I am acknowledged as the authority on computers at the company (14 of us in the office), but because of their territorial tendencies the company is getting screwed over.

I appreciate your help on this topic, but my hands are tied until they ask me, because people pull rank at this office. I have looked into a few of the programs and ideas, and I may start formulating the compliance document on my own next week just in case. Again, thanks for letting me vent.
 
As far as I can tell, the company decided to go with off-site encryption of emails, paying a monthly charge for everyone at the office and at the 20 sites, even though a handful of us will need the service. Our contractor told HR that he would not be doing the work they have been trying to force on him unless they put him on payroll, lol, so that was pretty fun.

In terms of the training required by CMR 201, do any of you know what sort of training they plan to do?
 