Make sure you are using the current Enterprise Information Security Policies and Standards

CTR Compliance Corner
The Office of the Comptroller and the Executive Office of Technology Services and Security (EOTSS) have partnered and designated the Enterprise Information Security Policies and Standards as the Commonwealth’s default information security framework and internal controls. These internal controls must be included in a department’s Internal Control Plan or written system of internal controls, implemented, tested, and included in staff training. The EOTSS policies and standards map to key cybersecurity and privacy controls, including NIST 800-53, CIS, and NIST CSF.

These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive departments that have not adopted a comparable framework of cybersecurity and privacy controls (e.g. NIST, ISO, FISMA).

Internal controls must also include additional written procedures and protocols that outline how these policies and standards are integrated into daily operations and how personnel comply with these requirements to safeguard information and systems.

That means it is not enough to “adopt” the policies and standards as part of your written system of internal controls. Your department also needs internal procedures describing “how” you are implementing the policies and standards for your specific environment, users, and systems. IT audits will sample certain policies and standards and ask for details about your department’s documentation, day-to-day management, and monitoring.

Your Internal Control Officer (ICO) and IT staff can review and help verify that your written system of internal controls is up to date to support compliance goals, and that your department accurately completes the annual Internal Control Certification (ICC). You can find links to the policies and standards on our CTR Cyber Department Responsibilities page.

Action Steps:

Bookmark our new CTR Compliance Corner as your one-stop shop for alerts and success factors that you can integrate into your daily operations to keep you safe on your mission.