Highlights of EOTSS IS.000 Enterprise Information Security Policy and IS.001 Organization of Information Security Standard
- The EOTSS IS.000 Enterprise Information Security Policy outlines the information security requirements for safeguarding information assets and assisting the Commonwealth of Massachusetts in achieving its strategic objectives. Agencies are required to implement internal controls that safeguard the confidentiality, integrity, and availability of their information assets and that incorporate each of the 16 Enterprise Information Security Policies/Standards.
- The IS.001 Organization of Information Security Standard outlines the requirements for protecting the Commonwealth’s business information and establishes responsibility and accountability for information security within the organization. It outlines EOTSS Roles and Responsibilities, the Information Security Policy Framework, and the process for Policy/Standard Lifecycle management.
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel], which can be used to track compliance with implementing these internal controls. Departments should expect to be audited on their compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards, which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan.