MASS CMR 201 17.00

New Regulations for Protection of Massachusetts Residents’ Personal Information

Code of Massachusetts Regulations 201 CMR 17.00 deals with the protection of personally identifying information. These guidelines were enacted as law and cover both information security standards and notification of security breaches. The regulation applies to businesses that “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”. Massachusetts is not the first state to enact such laws, but has followed a broader trend of creating regulations built around information security and the protection of state residents.

Personally Identifiable Information (referred to as PII) is loosely defined as a data record containing a first name or first initial and a last name, combined with other non-public information such as financial account numbers, social security numbers, driver’s license numbers, or PINs, which together create a unique profile of a person. The combination of these elements would be useful in assuming an identity or committing fraud in another party’s name. The Commonwealth of Massachusetts excludes lawfully obtained, publicly accessible information from the definition of PII, as well as information gathered in good faith. Oddly enough, Mass CMR 201 17.00 does not apply to state government, but a separate executive order (501) does.

SAS70: Choosing An Audit Firm

About The SAS70

SAS70 is short for Statement on Auditing Standards Number 70. It defines the standards used by an auditor to assess the internal controls of an organization that provides services. In many cases, the controls that are audited are related to transaction processing, and the transactions are specific to the type of service being provided.

A SAS70 type 1 report is concerned with the controls that are in place in an organization and the auditor’s opinion of the design of those controls. The type 1 SAS70 report may include background information about the business and its processes, a detailed list of controls (broken out into subsections), information about how the processes are interrelated, and information about how the controls meet the specified goals.

A SAS70 type 2 report is issued after a period of observation of the practices specified in the type 1 report. The type 2 SAS70 also includes an opinion issued by the auditor on whether the controls were operating during the observation period. Type 2 reports are usually issued on an annual basis.