Cybersecurity Risk Assessments must be part of annual Internal Control Plan review

Graphic with a red pause button, a yellow check mark, and a green play button and the words pause, verify, report for leadership and IT underneath.

In addition to ongoing cybersecurity compliance, state departments are required to include a cybersecurity risk assessment as part of the annual Internal Control Plan review. Risk assessments normally include confirming data security legal requirements, data inventories, inventories of technology equipment and infrastructure, and data maps and network diagrams. Assessments also confirm where data is stored and which employees and third-party vendors can access the data and systems.

Action Steps

Leadership should ensure, in addition to ongoing cybersecurity compliance, that the annual Internal Control Plan review process includes a risk assessment that evaluates the mitigating cybersecurity internal controls currently in place to prevent fraud, disruption, or theft of Commonwealth resources, including funds and data.

Cybersecurity requirements, and ways that Commonwealth department leadership and management can ensure compliance with those requirements, are available on our Cybersecurity Responsibilities for Leadership and Managers page.

CTR helps with cybersecurity awareness

See Pause Verify Report - For Leadership/IT

Free resources are available to Leadership and IT at Commonwealth of Massachusetts departments to support cybersecurity internal controls.

Contact CTR with suspected cyber incidents or fraud

CTR is here to support with internal controls