Highlights of IS.015 Third Party Information Security Standard
Massachusetts Executive Office of Technology Services and Security IS.015 Third Party Information Security Standard establishes the security requirements needed when a third party is working with the Commonwealth’s confidential information, either by storing, processing, transmitting or receiving information. This standard outlines the following controls to reduce the information security risks associated with contracted services and staff:
- Identification of risks related to third parties to ensure appropriate protection of Commonwealth information assets.
- Definition of information security requirements for third-party agreements.
- Third-party information management oversight from contract initiation through termination.
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.