Key compliance information for the most common cybersecurity and data security internal control standards that leadership of Commonwealth of Massachusetts departments is responsible for managing as part of their normal operations.
Department leadership and managers are responsible for establishing a "tone from the top" and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested, and kept up to date, and that all staff are routinely trained, in order to prevent operational disruption and data or financial losses from a cyber incident.
Government financial and operational audits now evaluate data reliability and cybersecurity internal controls as a standard part of normal government operations.
Enterprise Security Standards are now included as part of a department’s Internal Controls and have compliance responsibilities at all levels of the organization.
Tone from the Top – Cybersecurity is a top priority
Cybersecurity compliance is not solely an "IT" or technology function; it is a set of controls, operations, procedures, and training that applies to all employees at all levels of a department.
Leadership and managers are responsible for establishing a strong tone from the top that makes clear that cybersecurity internal controls are part of the foundation of all operations and a top organizational priority.
Assign Key Staff to Ensure Cybersecurity Compliance
As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with the required cybersecurity and data protection internal controls.
Cybersecurity internal controls require collaboration across the organization, including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, Program, and Operations staff, and extend to any contractor or third party supporting operations.
Primary Cybersecurity Data and System Security Internal Controls
Internal controls should be updated to address ransomware, incorporate the results of risk assessments, add mitigating controls where those assessments identify gaps, and include updated Incident Response, Business Continuity, and Disaster Recovery Plans.
Enterprise Information Security Policies and Standards
The Commonwealth's default data and security standards and internal controls must be included in a department's Internal Control Plan, implemented, tested, and covered in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan. View highlights of each EOTSS standard below.
Highlights of EOTSS IS.000 Enterprise Information Security Policy and IS.001 Organization of Information Security Standard
The Office of the Comptroller has created CTR Cyber to provide departments with additional free resources to distribute to employees, supplementing any mandatory cybersecurity awareness training your department requires. There is no excuse not to train employees to be cyber aware.
Audits now routinely ask what steps you are taking to continually train your staff on cybersecurity threats. Keep a record of all trainings and reminders so it is available for your audit.
See our CTR Cyber Cybersecurity Awareness Training page for tips and internal controls to protect your workstations and networks, and our PauseVerifyReport page for three simple internal controls that everyone in your organization can use to protect your networks at work and at home.
PauseVerifyReport gives staff three simple steps for handling incoming requests by email, text, or phone and for identifying fraudsters; social engineering of this kind is the entry point for many cyber and fraud incidents, so these steps can prevent a large share of them.
Departments are required to include cybersecurity risk assessments and mitigating controls as part of the Internal Control Plan and system of internal controls. In addition to the Enterprise Information Self-Assessment Questionnaire listed above, here are some additional tools and resources to consider when completing your Internal Control Plan and system of internal controls:
Template: Four Steps to Prepare for a Cybersecurity Risk Assessment
CTR has created an informational document describing four steps to prepare an entity to perform a cybersecurity risk assessment that identifies and mitigates security risks.
Records Retention Internal Controls, Digitizing of Records, Security and Custody of Records
See the Records Conservation Board page for the policies and procedures governing retention and digitization of records, including guidance on secure retention and destruction to protect records from unauthorized access, theft, and destruction.
Data Privacy and Security Standards Internal Controls
Depending on the type of data your department manages, your internal controls should include risk assessments and mitigating controls to ensure the security and privacy of that data and of the systems (department-operated or third-party vendor) that hold it. See the following sections for guidance on the most common data privacy standards for departments:
For compliance services, departments are required to use Statewide Contract PRF73DesignatedCTR, the Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)
Health Care Privacy (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA) 1996
HIPAA establishes national standards for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the enforcement role of the Office for Civil Rights.
A summary of key elements of the Security Rule covers who is covered, what information is protected, and what administrative, physical, and technical safeguards must be in place to protect electronic protected health information.
NIST National Checklist Program (NCP) Repository
A U.S. government repository of publicly available security checklists (also called benchmarks) that provide detailed, low-level guidance on securely configuring operating systems and applications.