About

Department leadership and managers are responsible for establishing a “tone from the top” and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested, and updated, and that all staff are routinely trained, in order to prevent operational disruption and data or financial losses due to a cyber incident.

Government financial and operational audits now evaluate data reliability and cybersecurity internal controls as a standard part of normal government operations.

Enterprise Security Standards are now included as part of a department’s Internal Controls and carry compliance responsibilities at all levels of the organization.

Tone from the Top – Cybersecurity is a top priority

Cybersecurity compliance is not solely an “IT” or technology function, but a series of controls, operations, procedures and training that apply to all employees at all levels of a department.

Leadership and managers are responsible for establishing a strong tone from the top that identifies cybersecurity internal controls as part of the foundation of all operations and a top organizational priority.

Assign Key Staff to Ensure Cybersecurity Compliance

As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with required cybersecurity and data protection internal controls.

Cybersecurity internal controls require collaboration across the organization, including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, Program and Operations staff, and extend to any contractor or third party supporting operations.

Internal controls should include:
  1. Enterprise information security policies and standards
  2. Telework guidance and advisories
  3. Ransomware preparedness and mitigation
  4. Compliance obligations for business and other entities handling personally identifiable information
  5. Other unique data privacy standards
     a. Credit card payment standards (if accepting credit cards)
     b. Health care privacy (HIPAA) (health and medical records)
     c. Protecting student privacy (FERPA)

Enterprise Information Security Policies and Standards

The Commonwealth’s default data and security standards and internal controls must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.

VIEW ON MASS.GOV

See the Enterprise Information Security Policies and Standards Self Assessment Questionnaire tool below to assist in assessing your compliance with these standards.

Primary Cyber and Data Security Internal Controls

The following are several tools to assist with implementing the Enterprise Security Policies and Standards. These should be part of Commonwealth departments' systems of internal controls.

Enterprise Information Security Standards Self Assessment Questionnaire

CTR has developed this voluntary tool to be used to evaluate the level of compliance with EOTSS Enterprise Security Standards.

VIEW EXCEL
Enterprise Information Security Standards Self Assessment Questionnaire Walkthrough

Instructions for completing the Enterprise Information Security Standards Self Assessment Questionnaire.

VIEW PDF
Records Retention Internal Controls, Digitizing of Records, Security and Custody of Records

Records Conservation Board page for the policies and procedures regarding retention and digitization of records, including information about secure retention and destruction to protect records from unauthorized access, theft, and destruction.

VIEW ON SEC.STATE.MA.US
Lessons Learned from Cyber Incidents

CTR has compiled lessons learned from prior cyber incidents to assist with identifying areas of weakness, along with recommendations to prevent and remediate cyber events.

VIEW PDF
Template: Four Steps to Prepare for a Cybersecurity Risk Assessment

CTR has created an informational document with four steps to prepare an entity to perform a cybersecurity risk assessment that identifies and mitigates security risks.

VIEW PDF
Cybersecurity Risk Assessment Prep Inventory

Entities can use this worksheet to help identify the types of information needed for a cybersecurity risk assessment.

VIEW EXCEL
Incident Response Template

CTR has prepared this template to cover the basics of incident response. In order to be successful, organizations must take a coordinated and organized approach to any incident.

VIEW WORD DOC

Teleworking Guidance and Advisories

Teleworking Key Tips from the Office of the Comptroller
VIEW PDF
Telework & Cybersecurity Fundamentals from Enterprise Security Office
VIEW ON MASS.GOV
MassCyberCenter Teleworking Cybersecurity Tips
VISIT MASSCYBERCENTER.ORG
Guide to Telework in the Federal Government
VISIT TELEWORK.GOV
Employee Online Training from the U.S. Department of Health and Human Services
VISIT HHS.GOV

Ransomware Preparedness and Mitigation

Ransomware is now one of the biggest threats to both businesses and private citizens. This guidance can assist with preventing and mitigating ransomware attacks.

Internal Controls Policy

Internal Controls should be updated to include ransomware considerations: performing risk assessments, adding internal controls to address the identified risks, and updating Incident Response, Business Continuity, and Disaster Recovery Plans.

VIEW ON POWERDMS
CISA MS-ISAC Ransomware Guide

Guide for leadership, management, and staff to understand ransomware, protect against, and mitigate incidents.

VIEW ON CISA.GOV
Cyber Hygiene Services

CISA offers several free scanning and testing services to help organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size can find ways to reduce their risk and mitigate attack vectors.

VIEW ON CISA.GOV
Cybersecurity Evaluation Tool

Stand-alone desktop application that guides asset owners and operators through a systematic process of evaluating the cybersecurity posture of their Operational Technology and Information Technology.

VIEW ON CISA.GOV

Ransomware Trainings

Don't Wake Up to a Ransomware Attack
VIEW RECORDING
Don't Wake Up to a Ransomware Attack
VIEW SLIDES
I've Been Hit By Ransomware!
VIEW ON CISA.GOV

Compliance Obligations for Businesses and Other Entities Handling Personally Identifiable Information

Personal Information Compliance Checklist

Use this checklist to ensure compliance with the data protection requirements of M.G.L. Chapter 93H.

VIEW ON MASS.GOV

Obligations Under the Data Security Regulations and Breach Notification Law

Requirements if you have reason to believe your organization has experienced a data breach under M.G.L. Chapter 93H.

VIEW ON MASS.GOV

Report Cyber Incidents, Suspicious Activity, and Fraud

Mandatory reporting and compliance obligations for a data breach.

VISIT PAGE

Credit Card Payments Standards

Commonwealth of Massachusetts departments that accept credit cards must comply with the Payment Collection Data Security Policy and the Payment Card Industry (PCI) Security Standards Council requirements for the protection of cardholder data.

For compliance services, departments are required to use Statewide Contract PRF73DesignatedCTR – Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)


Health Care Privacy (HIPAA)

Health Insurance Portability & Accountability Act (HIPAA) of 1996

National standards for the privacy and security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the enforcement role of the Office for Civil Rights.

VIEW AT HHS.GOV
Summary of HIPAA Security Rule

A summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

VIEW ON HHS.GOV
Mass Digital Health Initiative's Cybersecurity Toolkit for Digital Health

An educational toolkit covering the fundamentals and best practices for healthcare cybersecurity and privacy protection.

VISIT ON MASSDIGITALHEALTH.ORG

Mandatory Reporting Obligations for HIPAA Breach

Checklist for Reporting HIPAA Breach

Reporting requirements for a HIPAA breach due to a cyber attack.

VIEW ON HHS.GOV
Cybersecurity Infographic Reporting Cyber Attack

A printable infographic for reporting a HIPAA-related cyber attack.

VIEW ON HHS.GOV
Fact Sheet: Ransomware and HIPAA

Frequently Asked Questions

VIEW ON HHS.GOV

Protecting Student Privacy (Family Educational Rights and Privacy Act)

Family Educational Rights and Privacy Act (FERPA)

Regulations at 34 CFR Part 99 implementing section 444 of the General Education Provisions Act, which is commonly referred to as the Family Educational Rights and Privacy Act.

VIEW ON ED.GOV
U.S. Department of Education Compliance Laws and Guidance

Legislation, regulations, guidance, and other policy documents can be found here for the Every Student Succeeds Act and other topics.

VIEW ON ED.GOV

Other Cybersecurity and Data Privacy Standards and Guidance

Massachusetts Laws About Internet and Online Privacy

A compilation of laws, regulations, cases, and web sources on internet and online privacy law.

VIEW ON MASS.GOV
Association of Government Accountants Intergovernmental Partnership Cybersecurity Hub

AGA’s Intergovernmental Partnership program project to help address cybersecurity awareness at all levels of government.

VIEW AT AGACGFM.ORG
National Governors Association Resource Center for State Cybersecurity

Guidance for states to implement effective state cybersecurity practices.

VIEW ON NGA.ORG
ISO/IEC 27001

International standard specifying the requirements for an information security management system (ISMS), in which security controls are selected and applied on the basis of an organization's assessed risks, so that compliance can be pursued in a structured manner.

VISIT ITGOVERNANCEUSA.COM
NIST Cybersecurity Standards

National Institute of Standards and Technology voluntary guidance to help organizations better manage and reduce cybersecurity risk.

VISIT NIST.GOV
NIST Cybersecurity Framework

A voluntary framework of standards, guidelines, and practices for managing cybersecurity risk, organized around the core functions Identify, Protect, Detect, Respond, and Recover, which organizations can use to assess and improve their cybersecurity capabilities.

VISIT NIST.GOV

Additional Resources for Cybersecurity Controls