Skip to Main Content

About

Department leadership and managers are responsible for establishing a “tone from the top” and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested, updated and that all staff are routinely trained to prevent operational disruption and data or financial losses due to a cyber incident.

Government financial and operational audits now evaluate data reliability and cybersecurity internal controls as a standard part of normal government operations.

Enterprise Security Standards are now included as part of a department’s Internal Controls and have compliance responsibilities at all levels of the organization.

Tone from the Top – Cybersecurity is a top priority

Cybersecurity compliance in not solely an “IT” or technology function, but is a series of controls, operations, procedures and training that apply to all employees at all levels in a department.

Leadership and managers are responsible to establishing a strong tone from the top that identifies that cybersecurity internal controls are part of the foundation of all operations and are a top organization priority.

Assign Key Staff to Ensure Cybersecurity Compliance

As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with required cybersecurity and data protection internal Controls.

Cybersecurity internal controls require collaboration across the organization including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, Program and Operations staff and extend to any contractor or 3rd party supporting operations.

Primary Cybersecurity Data and System Security Internal Controls

Internal Controls should be updated to include ransomware considerations, perform risk assessments, additional internal controls, and updated incident Response, Business Continuity, and Disaster Recovery Plans.

VIEW THE CTR INTERNAL CONTROLS POLICY

Annual updates to your Internal Controls should include cybersecurity risk assessments and mitigating controls, and up-to-date Incident Response, Business Continuity, and Disaster Recovery plans.   

Departments should include the following cybersecurity internal controls when updating your Internal Control Plan and system of internal controls: 

  1. Enterprise information security policies and standards 
  2. Cybersecurity Awareness Training
  3. Governance and Risk Management

Enterprise Information Security Policies and Standards

The Commonwealth’s default data and security standards and internal controls must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.  View highlights of each EOTSS standard below.

Enterprise Information Security Standards Self Assessment Questionnaire

CTR has developed this voluntary tool to be used to evaluate the level of compliance with EOTTS Enterprise Security Standards.

VIEW EXCEL
Enterprise Information Security Standards Self Assessment Questionnaire Walkthrough

Instructions for Completing the Self Assessment Questionnaire for the Enterprise Information Security Standards Self Assessment Questionnaire.

VIEW PDF
Highlights of EOTSS IS.000 Enterprise Information Security Policy and IS.001 Organization of Information Security Standard
VIEW ARTICLE
Highlights of IS.002 Acceptable Use of Information Technology Policy
VIEW ARTICLE
Highlights of IS.003 Access Management Standard
VIEW ARTICLE
Highlights of IS.004 Asset Management Standard
VIEW ARTICLE
Highlights of IS.005: Business Continuity and Disaster Recovery Standard
VIEW ARTICLE
Highlights of IS.006 Communication and Network Security Standard
VIEW ARTICLE
Highlights of IS.007 Compliance Standard
VIEW ARTICLE
Highlights of IS.008 Cryptographic Management Standard
VIEW ARTICLE
Highlights of IS.009 Information Security Incident Management Standard
VIEW ARTICLE
Highlights of IS.010 Information Security Risk Management Standard
VIEW ARTICLE
Highlights of IS.011 Logging and Event Monitoring Standard
VIEW ARTICLE
Highlights of IS.012 Operations Management Standard
VIEW ARTICLE
Highlights of IS.013 Physical and Environmental Security Standard
VIEW ARTICLE
Highlights of IS.014 Secure System and Software Lifecycle Management Standard
VIEW ARTICLE
Highlights of IS.015 Third Party Information Security Standard
VIEW ARTICLE
Highlights of IS.016 Vulnerability Management Standard
VIEW ARTICLE

Cybersecurity Awareness Training

The Office of the Comptroller has created CTR Cyber to provide departments with additional free resources to distribute to your employees in addition to any mandatory cybersecurity awareness trainings required by your department.  There is no excuse not to train employees to be cyber aware.   

 Audits now routinely include questions related to what steps you are taking to continually train your staff on cybersecurity threats.  Keep a record of all trainings and reminders for your audit.    

 See our CTR Cyber  Cybersecurity Awareness Training page with tips and internal controls to protect your workstations and networks.  See our Pause Verify Report 3 simple internal controls that everyone in your organization can use to protect your networks at work and at home.

The 'Pause Verify Report' logo, consisting of a red gear with a pause sign, a yellow gear with a checkmark, and a green gear with a play sign, and the words 'PAUSE VERIFY REPORT' underneath

 Pause Verify Report gives staff 3 simple steps to handle incoming requests from emails, texts and calls and how to identify fraudsters, which can prevent most cyber and fraud incidents!  

See our CTR Cyber page  and follow us on Facebook, LinkedIn and X for the latest cybersecurity tips.  

Governance and Risk Management Resources

Departments are required to include cybersecurity risk assessments and mitigating controls as part of the Internal Control Plan and system of internal controls. In addition to the Enterprise Information Self-Assessment Questionnaire listed above, here are some additional tools and resources to consider when completing your Internal Control Plan and system of internal controls:  

Template: Four Steps to Prepare for a Cybersecurity Risk Assessment

CTR has created an informational document with four steps to prepare an entity to perform a cybersecurity risk assessment that identifies and mitigates security risks.

VIEW PDF
Cybersecurity Risk Assessment Prep Inventory

Entities can use this worksheet to help identify the types of information needed for a cybersecurity risk assessment.

VIEW EXCEL
Lessons Learned from Cyber Incidents

CTR has compiled lessons learned from prior cyber incidents to assist with targeting areas of weaknesses, and recommendations to prevent and remediate cyber events.

VIEW PDF
Records Retention Internal Controls, Digitizing of Records, Security and Custody of Records

Records Conservation Board page for the policies and procedures regarding retention and digitization of records including information about secure retention and destruction to protect from unauthorized access, theft, and destruction.

VIEW ON SEC.STATE.MA.US

Teleworking Guidance and Advisories

Telework & Cybersecurity Fundamentals from Enterprise Security Office
VIEW ON MASS.GOV

Data Privacy and Security Standards Internal Controls

Depending upon the type of data your department manages your internal controls should include risk assessments and mitigating controls for ensuring the security and privacy of this data and the systems (department or third-party vendor) that hold this type of data. See the following sections for guidance on the most common data privacy standards for departments: 

Compliance Obligations for Businesses and Other Entities Handling Personally Identifiable Information

Personal Information Compliance Checklist

Use this checklist to ensure compliance with M.G.L. Chapter 93H data protection.

VIEW ON MASS.GOV

Obligations Under the Data Security Regulations and Breach Notification Law

Requirements if you have reason to believe your organization has experienced a data breach under M.G.L. Chapter 93H.

VIEW ON MASS.GOV

Report Cyber Incidents, Suspicious Activity, and Fraud

Mandatory reporting and compliance obligations for a data breach.

VISIT PAGE

Credit Card Payments Standards

Commonwealth of Massachusetts departments that accept credit cards must comply with the Payment Collection Data Security Policy and the Payment Card Industry (PCI) Security Standards Council requirements for the protection of personally identifiable information.

For compliance services, departments are required to use Statewide Contract PRF73DesignatedCTR – Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)

Health Care Privacy (HIPAA)

Health Insurance Portability & Accountability Act (HIPAA) 1996

A national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights.

VIEW AT HHS.GOV
Summary of HIPAA Security Rule

A summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

VIEW ON HHS.GOV
Mass Digital Health Initiative's Cybersecurity Toolkit for Digital Health

An educational toolkit covering the fundamentals and best practices for healthcare cybersecurity and privacy protection.

VISIT ON MASSDIGITALHEALTH.ORG

Mandatory Reporting Obligations for HIPAA Breach

Checklist for Reporting HIPAA Breach

Reporting requirements for a HIPAA breach due to a cyber attack.

VIEW ON HHS.GOV
Cybersecurity Infographic Reporting Cyber Attack

A printable infographic for reporting a HIPAA-related cyber attack.

VIEW ON HHS.GOV
Fact Sheet: Ransomware and HIPAA

Frequently Asked Questions

VIEW ON HHS.GOV

Protecting Student Privacy (Family Educational Rights and Privacy Act)

Family Education Rights and Privacy Act (FERPA)

Regulations at 34 CFR Part 99 implementing section 444 of the General Education Provision Act, which is commonly referred to as the Family Educational Rights and Privacy Act.

VIEW ON ED.GOV
U.S. Department of Education Compliance Laws and Guidance

Legislation, regulations, guidance, and other policy documents can be found here for the Every Student Succeeds Act and other topics.

VIEW ON ED.GOV

Other Cybersecurity and Data Privacy Standards and Guidance

Massachusetts Laws About Internet and Online Privacy

A compilation of laws, regulations, cases, and web sources on internet and online privacy law.

VIEW ON MASS.GOV
Association of Government Accountants Intergovernmental Partnership Cybersecurity Hub

AGA’s Intergovernmental Partnership program project to help address cybersecurity awareness at all levels of government.

VIEW AT AGACGFM.ORG
National Governors Association Resource Center for State Cybersecurity

Guidance for states to implement effective state cybersecurity practices.

VIEW ON NGA.ORG
ISO/IEC 27001

International standard for best practice information security management systems controls based on risks that can be applied to organizations in a structured manner to achieve compliance.

VISIT ITGOVERNANCEUSA.COM
NIST Cybersecurity Standards

National Institute of Standards and Technology voluntary guidance to help organizations better manage and reduce cybersecurity risk.

VISIT NIST.GOV
NIST Cybersecurity Framework

NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.

VISIT NIST.GOV

Additional Resources for Cybersecurity Controls