Cybersecurity Risk Assessments must be part of annual Internal Control Plan review
In addition to ongoing cybersecurity compliance, state departments are required to include a cybersecurity risk assessment as part of the annual Internal Control Plan review. Risk assessments normally include confirming data security legal requirements, data inventories, inventories of technology equipment and infrastructure, and data maps and network diagrams. Assessments also confirm where data is stored and which employees and third-party vendors can access the data and systems.
Leadership should ensure, in addition to ongoing cybersecurity compliance, that the annual Internal Control Plan review process includes a risk assessment that evaluates the mitigating cybersecurity internal controls currently in place to prevent fraud, disruption, or theft of Commonwealth resources, including funds and data.
Cybersecurity requirements, and ways that Commonwealth department leadership and management can ensure compliance with those requirements, are available on our Cybersecurity Responsibilities for Leadership and Managers page.