Technical Requirements Matrix for 201 CMR 17

Servers/Desktops/Laptops

Computers that house records containing personal information require the following controls, as outlined in 201 CMR 17.00, section 17.04:

17.04(1)  Secure authentication protocols

  • Control over User-IDs on the system
  • Secure method for assigning and selecting passwords
  • Passwords must be confidential and controlled so that they don't compromise the security of the data they protect
  • Restrict access to active users and active user accounts only
  • Block access after multiple unsuccessful attempts to gain access

17.04(2)  Secure access control measures

  • Restrict access to only those who need such information to perform their job
  • Utilize unique IDs, and disable all vendor default passwords

17.04(3)  When technically feasible, encrypt all data containing personal information when sent over the Internet. Data must be encrypted while transmitted over wireless networks.

17.04(4)  Reasonably monitor system for unauthorized use of or access to personal information

17.04(5)  Encrypt the data if it resides on a laptop or is transferred to portable devices.

  • Laptop Whole Disk Encryption

17.04(6)  Protect the server behind a firewall, either hardware- or software-based. Any server with personal information must be TTS-managed.

17.04(7)  Ensure that malware prevention software is installed and up to date. Tufts provides Trend Micro for malware prevention.

17.04(7)  Ensure that the latest security updates are installed and kept up-to-date.

17.04(8)  Provide training on the proper use of the system and importance of personal information security.