Key compliance information for the most common cybersecurity and data security internal control standards that leadership of Commonwealth of Massachusetts departments is responsible for managing as part of their normal operations.
Department leadership and managers are responsible for establishing a “tone from the top” and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested, updated and that all staff are routinely trained to prevent operational disruption and data or financial losses due to a cyber incident.
Government financial and operational audits now evaluate data reliability and cybersecurity internal controls as a standard part of normal government operations.
Enterprise Security Standards are now included as part of a department’s Internal Controls and have compliance responsibilities at all levels of the organization.
Tone from the Top – Cybersecurity is a top priority
Cybersecurity compliance is not solely an “IT” or technology function, but a series of controls, operations, procedures and training that apply to all employees at all levels in a department.
Leadership and managers are responsible for establishing a strong tone from the top that identifies cybersecurity internal controls as part of the foundation of all operations and a top organizational priority.
Assign Key Staff to Ensure Cybersecurity Compliance
As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with required cybersecurity and data protection internal controls.
Cybersecurity internal controls require collaboration across the organization, including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, Program and Operations staff, and extend to any contractor or third party supporting operations.
a. Credit card payment standards (if accepting credit cards)
b. Health care privacy (HIPAA) (health and medical records)
c. Protecting student privacy (FERPA)
Enterprise Information Security Policies and Standards
The Commonwealth’s default data and security standards and internal controls must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.
See the Enterprise Information Security Policies and Standards Self Assessment Questionnaire tool below to assist in assessing your compliance with these standards.
Primary Cyber and Data Security Internal Controls
The following are several tools to assist with implementing and complying with the Enterprise Security Policies and Standards. These should be part of Commonwealth departments' systems of internal controls.
Enterprise Information Security Standards Self Assessment Questionnaire
CTR has developed this voluntary tool to be used to evaluate the level of compliance with EOTSS Enterprise Security Standards.
Records Retention Internal Controls, Digitizing of Records, Security and Custody of Records
The Records Conservation Board page provides the policies and procedures regarding retention and digitization of records, including information about secure retention and destruction to protect records from unauthorized access, theft, and destruction.
Ransomware is now one of the biggest threats to both businesses and private citizens. This guidance can assist with preventing and mitigating ransomware attacks.
Internal Controls Policy
Internal Controls should be updated to address ransomware: perform risk assessments, add internal controls where needed, and update Incident Response, Business Continuity, and Disaster Recovery Plans.
CISA offers several free scanning and testing services to help organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size can find ways to reduce their risk and mitigate attack vectors.
For compliance services, departments are required to use Statewide Contract PRF73DesignatedCTR – Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)
Health Care Privacy (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA) 1996
A national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights.
A summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.
NIST National Checklist Program (NCP) Repository
U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.