Skip to Main Content

Cybersecurity Risk Assessment When Updating Internal Control Plan

Graphic with a red pause button, a yellow check mark, and a green play button and the words pause, verify, report for leadership and IT underneath.

In addition to ongoing cybersecurity compliance, state departments are required to include a cybersecurity risk assessment as part of the annual internal control plan review. Risk assessments normally include confirming data security legal requirements, data inventories, inventories of technology equipment and infrastructure, and data maps and network diagrams. Assessments should also confirm where data is stored and what employees and third party vendors can access the data and systems.


Leadership should ensure, in addition to ongoing cybersecurity compliance, that the annual internal control plan review process includes a risk assessment which evaluates the mitigating cybersecurity internal controls. The cybersecurity internal controls are in place to prevent fraud, disruption of theft of Commonwealth resources, including funds and data.

Always report any suspicious activity to your security staff immediately. See our CTR Cyber page for more cybersecurity internal controls and contact [email protected] with any incidents or suspected incidents of fraud or cyber threats or if you need support from our Statewide Risk Management Team.