Enterprise Information Security Policies and Standards are minimum internal controls
The Executive Office of Technology Services and Security (EOTSS) Enterprise Information Security Policies and Standards apply to all Executive state department offices and agencies and are the default standard for non-Executive departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan.
The Commonwealth’s default data and security standards and internal controls must be included in a state department’s Internal Control Plan, implemented, tested, and included in staff training.
Our Cybersecurity Responsibilities for Leadership and Managers page can help leadership and managers ensure compliance with cybersecurity requirements, including the EOTSS Enterprise Information Security Policies and Standards. https://www.macomptroller.org/cyber-center/cybersecurity-responsibilities