Monitor Problem

Hi Dusty -

Ideally the center of the monitor should be about at eye level, but never higher. Lower is okay, but laptops’ screens usually sit right on the desk & are sometimes too low.

Yes, attaching an external monitor to the laptop is no problem. There’s a video connector on the side or back of the laptop that would allow you to connect and monitor. Simply turn off the laptop, connect the monitor, turn the monitor on, then turn on the laptop. If the monitor is working correctly, you should see the same thing on the large screen that you see on the laptop screen.

Attaching an external keyboard to the laptop is also a possibility, thought it sounds like we’d have to find the right match.

Do you want to try connecting the monitor yourself and let us know if it doesn’t work or if you have any difficulties?

Best,

hunter greene Brainspiral Technologies, Inc. ————————————————————————————- hunter@brainspiral.com http://brainspiral.com w: 413-458-5755 c: 413-281-4918

On Feb 25, 2010, at 2:16 PM, wrote:

> Hi Hunter — > > My wife has a continuing problem with arthritis in her neck and shoulders, and we think that looking DOWN at the laptop keyboard may be producing neck/shoulder pain. But she needs the laptop since her arthritis-damaged fingers can handle its keyboard better than the keyboards for desktop she used to use. > > I am wondering if we can somehow hook up the laptop to an old desktop monitor (which we will put at eye level), and let her read off that monitor without having to look down at the laptop screen. > > Would that work, and can you do it? If not, do you have any other idea about how she could work at the computer without having to look down. >

Virus Protection Question

Hi Liz -

No problem.

Actually, neither update is related to the new Security Essentials software.

Both the Genuine Advantage and Malicious Software Protection Updates are common Windows XP system updates. They can be installed manually or they will ultimately be installed automatically (Windows schedules this kind of routine system update at odd times – but eventually they’ll occur).

If you feel inclined to install them, great. If not, just clear the messages – or ignore them. We usually run them whenever we’re in the office checking on things.

Best,

hunter greene Brainspiral Technologies, Inc. ————————————————————————————- hunter@brainspiral.com http://www.brainspiral.com

On Feb 24, 2010, at 12:44 PM, Liz wrote:

> Hunter — > > When I turned on my computer, I was prompted to install “Windows > Genuine Advantage” and “Microsoft Malicious Software Proctection > Updates” and some message about not getting spyware, etc. I ignored > the message, but as we know I’m bad with computers and don’t know > what I’m doing most of the time, so is this something I should be > installing? As far as I know, the virus protection I have is with > “Microsoft Security Essentials” — is this Genuine Advantage stuff > related? > > Thanks, > Liz > > > O

Flagging/Followup Issue Outlook

> > I may have some not so fantastic news. The reason the follow-up > options are not working as they did before is by design. > > We have set up your email account over the IMAP protocol. If you > remember, we did this so that changes you made inside of Outlook > would be consistent regardless of where else you viewed your mail > from. The IMAP protocol does not support all the flagging features > that Outlook offers. In past versions of Outlook, Microsoft chose > to ignore this and allow access to the full range of features > despite having to break the rules to do so. It was, technically > speaking, a hack. > > In Outlook 2007, the decision was made to be more compliant with the > IMAP protocol. What this means for you is that you can flag a > message still, but have only the option of flagged/unflagged. You > lose the follow-up & calendar tie-ins that you are used to. > > Unfortunately, these are your two options: > > 1) Stick with the IMAP protocol to keep changes in sync across > multiple systems. > 2) Change how you access email to support Outlooks full range of > Flagging options. You would lose the ability to keep changes to > your email messages in sync. > > Let me know which option would work better for you and I can help > you get it sorted out. > > Jacklyn Matts > Brainspiral Technologies

Mass 201 CMR 17

*Updates to Massachusetts data protection law

Some consultants here in the Commonwealth seem to be taking an “If You’ve got the Money, I’ve got the Time” approach to 210 CMR 17. After a careful review of the regulations, Brainspiral is happy to conclude that it may not take lots of time or money to comply with these new regulations. Also, we had many earlier discussions with Counsel on these somewhat burdensome regs. (Besides you can hire us until February 28th, 2010, and we’ll have many, many weeks to fully implement these regulations.)

So, a this late hour, we see nothing in the law that prohibits use of a Gmail-like web address, and the https:// standard would appear to be the most technologically feasible way to encrypt and store certain PI, as long as that address is assigned to your organization. We think that Google Apps Domain users are fine in regards to this new standard.

Thoughts? Please reply to info@brainspiral.com.

Courtesy of Alexander Howard

Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201.CMR.17, the Massachusetts data protection law. The deadline for implementation is now March 1, 2010.

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?

There are some important differences in the two versions.

First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.

Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only.

Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.

Fourth, the third party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply? The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment.

The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities? No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing? Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

* *What about the computer security requirements of 201 CMR 17.00? All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

* *Does the regulation require encryption of portable devices? Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

* *Do all portable devices have to be encrypted? No. Only those portable devices that contain personal information of customers or employees and only where technically feasible The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

* *What does “technically feasible” mean? “Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

* *Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license? You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third party service provider provision in 201 CMR 17.00 is modeled after the third party vendor provision in the FTC’s Safeguards Rule.

* *Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00?* If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question. * * *What is a financial account?* A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account. * * *Does an insurance policy number qualify as a financial account number?* An insurance policy number qualifies as a financial account number if it grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets. * * *I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?* If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security. * * *What is the extent of my “monitoring” obligation? *The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use. * * *Is everyone’s level of compliance going to be judged by the same standard?* Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

Whew! a lot to digest. Here are some fundamental questions you should be asking of your organization for your Electronic records:

 Do you have in place secure authentication protocols that provide for:

□ Control of user IDs and other identifiers?

□ A reasonably secure method of assigning/selecting passwords, or for use of unique

identifier technologies (such as biometrics or token devices)?

□ Control of data security passwords such that passwords are kept in a location and/or

format that does not compromise the security of the data they protect?

□ Restricting access to PI to active users and active user accounts?

□ Blocking access after multiple unsuccessful attempts to gain access?

 Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records

and files?

 Do you assign unique identifications plus passwords (which are not vendor supplied default passwords)

to each person with computer access; and are those IDs and passwords reasonably designed to maintain

the security of those access controls?

 Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across

public networks, and that are to be transmitted wirelessly?

 Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?

 Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?

 On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection

for files containing PI; and operating system security patches to maintain the integrity of the PI?

 Do you have reasonably up-to-date versions of system security agent software (including malware

protection) and reasonably up-to-date security patches and virus definitions?

 Do you have in place training for employees on the proper use of your computer security system, and

the importance of PI security?

Brainspiral can help you implement your newly written Comprehensive Written IT Security Program. Just drop us a line.

(www.mass.gov/consumer)

AVG Upgrade Question

No – and just cancel any other screen.

Here are the instructions:

Go to Start->Settings->Control Panel. Open the Add/Remove control panel.

Wait for the list to refresh, find AVG, select it & hit ‘Remove’ on the right.

Follow the instructions to remove the software. You’ll be asked to restart when it’s finished. Do so.

Download Security Essentials.

Go to:

http://microsoft.com/security_essentials

Click the large ‘Download Now’ button. If you’re using Internet Explorer, choose the option to ‘Run’ the program. You’ll be asked to start the install automatically once the download has completed. If you’re using Firefox, choose the option to save, wait for the download to complete, then open the download from the Downloads window.

You may be asked to reboot. Otherwise, the program will open at the end of the installation, update itself and run a quick scan.

That’s it!

hunter

> I can try. Do you think I will be able to do it? I should also do > same to Don’s? So, at this point, I selected to upgrade something > and it’s now asking for a yes or no to run in advance mode. What > should I do? > > > > > > > —–Original Message—– > From: Hunter Greene > To: > Sent: Mon, Feb 1, 2010 5:39 pm > Subject: Re: AVG upgrade question > > > Hi Lisa – > > We’ve been replacing AVG with Microsoft Security Essentials. If I > send you instructions, do you want to try the upgrade yourself? > > Best, > > hunter greene > Brainspiral Technologies, Inc. > ————————————————————————————- > hunter@brainspiral.com > http://www.brainspiral.com > > > > On Feb 1, 2010, at 5:37 PM, lwrote: > >> Hi Hunter, >> >> I just ran AVG upgrade on my laptop and it’s asking if I want to >> run upgrade in advance mode. What should I say? I have no idea >> what this means. Let me know. Thanks. >> >> ~Lisa >> > > =