November 2, 2023

Enterprise Information Security Policies and Standards are minimum internal controls

Graphic with a red pause button, a yellow check mark, and a green play button and the words pause, verify, report for leadership and IT underneath.

The Executive Office of Technology Services and Security (EOTSS) Enterprise Information Security Policies and Standards apply to all Executive state department offices and agencies and are the default standard for non-Executive departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan.

Action Steps

The Commonwealth’s default data and security standards and internal controls must be included in a state department’s Internal Control Plan, implemented, tested, and included in staff training.   

Our Cybersecurity Responsibilities for Leadership and Managers page can help leadership and managers ensure compliance with cybersecurity requirements, including the EOTSS Enterprise Information Security Policies and Standards.

CTR helps with cybersecurity awareness

See Pause Verify Report - For Leadership/IT

Free resources are available to Leadership and IT at Commonwealth of Massachusetts departments to support cybersecurity internal controls.


Contact CTR with suspected cyber incidents or fraud

CTR is here to help with internal controls