The CTR has developed the Cyber Center as a resource to promote cybersecurity awareness for everyone in your organization; to improve overall cyber hygiene; and to help prevent increasing denial of service (DoS), phishing, malware, and social engineering attacks.
The Commonwealth averages 525 million pings a day from bad actors seeking to victimize state agencies for their own gain. Cybercriminals will steal money, change or destroy information, or even hold it for ransom. The two easiest ways for an attacker to get into your network are via phishing emails and breached passwords.
CTR issued a Cybersecurity Heightened Alert on January 16, 2020, with reminders and recommendations for immediate updates to internal controls related to cybersecurity.
US Department of Homeland Security National Cyber Awareness System Alerts.
Subscribe to CISA alerts, tips, and other updates at the bottom of the page.
Report cyber incidents
• The Office of the Comptroller: CTREmergencyNotification@Mass.gov
• The FBI encourages reporting of suspicious activity, including cyber incidents or fraud
• The State Auditor under Chapter 647 (for any variance, loss, shortage, or theft of funds or public property)
For more information on required data breach notifications, go to Required Data Breach Reporting.
For help with cyberattack preparation or remediation
Statewide Contract (PRF56DesignatedOSC)
Pre-screened cyber and data security vendors available to state and municipal governments that provide assistance with cyber incident response plans, risk assessments, penetration testing, emergency incident management, forensics and Payment Card Industry (PCI) compliance.
New statewide contract for cyber and data security
The Office of the Comptroller is pleased to announce an exciting opportunity for cybersecurity, data security, and PCI compliance vendors. As part of its commitment to protecting public resources and mitigating the risk of fraud against the Commonwealth of Massachusetts, CTR is seeking qualified bidders for a statewide contract for a range of cyber and data security services.
The bid period is closed. The Request for Responses (RFR) is COMMBUYS Bid # BD-20-1080-OSD03-SRC02-45583, and can be found at COMMBUYS.
Cyber and Data Security Standards
The Payment Collection Data Security Policy identifies minimum data security PCI compliance requirements related to the collection of payments and the associated protection of personally identifiable information.
The Commonwealth has default security policies and standards that Commonwealth Departments use to establish internal controls and protocols. These apply to all Executive Department offices and agencies, and they are the default standard for non-Executive Departments without comparable internal standards.
Commonwealth Lessons Learned
Recently, the Office of the Comptroller Statewide Risk Management Team has assisted Commonwealth Departments that have suffered cyberattacks. The lessons learned below can help Departments build appropriate cybersecurity protections and strategies.
Resources for Employees
Employees are the first line of defense against a cyberattack. The following resources will help improve cybersecurity literacy among all employees.
Security Awareness Training
Free online training from the U.S. Department of Health and Human Services
The MassCyberCenter at MassTech Collaborative
The MassCyberCenter’s vision is to enhance opportunities for the Massachusetts cybersecurity ecosystem to compete as the national cybersecurity leader while strengthening the resiliency of the Commonwealth’s public and private communities.
Tips from the Cyber Crimes Division of the Massachusetts Attorney General’s Office to protect yourself from crimes online
Computer and Online Privacy
Tips from the Massachusetts Attorney General's Office to protect yourself and your computer from viruses, spyware, malware, and other threats to your computer system, as well as phishing, hacking, and spam
Detecting a Phishing Email: 10 Things to Watch
How to spot and handle a phishing email
Stay Safe Online
Learn more, get involved, and do your part to make the internet safer and more secure for everyone
Stop Think Connect
Global online safety awareness campaign available in English, Spanish, French Canadian, Portuguese (Brazilian), Russian, and Japanese
ID Theft: Here’s what to look for and what to do when it happens
Guidance from the IRS on warning signs and steps to take after identity theft occurs
Secure Password Check
An online test to check the security of your password
Resources for IT/Data/Security Staff
IT, Data, and Security staff have a unique responsibility and opportunity to invest in systems that encourage maximum protection of data, assets, and infrastructure.
NEW - Four Steps to Prepare for a Cybersecurity Risk Assessment
CTR has created an informational document with four steps to prepare an entity to perform a cybersecurity risk assessment that identifies and mitigates security risks. Entities can use the optional attached Cybersecurity Risk Assessment Prep Inventory to help identify the types of information needed for a cybersecurity risk assessment.
NEW - Incident Response Template
CTR has prepared this template to cover the basics of incident response. In order to be successful, organizations must take a coordinated and organized approach to any incident.
Center for Internet Security’s Multi-State Information Sharing & Analysis Center
A service available to the nation’s state, local, tribal and territorial governments to improve cybersecurity posture through focused cyber threat prevention, protection, response, and recovery. Registration
Information Security for IT Administrators
Training course published by the U.S. Department of Health & Human Services - Departments accepting federal funds may be required to meet federal requirements
Ponemon Institute’s “Separating the Truths from Myth in Cybersecurity”
Whitepaper on removing barriers to a more effective IT security function
Top 20 Critical Security Controls for Cyber Defense
Critical security controls, and steps to implement them in a pragmatic way. Developed by the SANS Institute together with the Center for Internet Security (CIS) and other organizations
Resources for Cybersecurity Governance
MassCyberCenter Cybersecurity Toolkit
A toolkit for municipalities to understand their cybersecurity posture and figure out next steps for protecting municipal infrastructure against cyber threats before they occur
Massachusetts Digital Health Initiative’s “Cybersecurity Toolkit for Digital Health”
An educational toolkit covering the fundamentals and best practices for cybersecurity and privacy protection, created by MassChallenge HealthTech
National Governors Association Resource Center for State Cybersecurity
Intended to help craft and implement effective state cybersecurity practices
Stop. Think. Connect. Government Resources
U.S. Department of Homeland Security’s Cybersecurity Best Practices
Newsletters and Magazines
Protecting Our Data: What Cities Should Know About Cybersecurity [NEW!]
From the Public Technology Institute (PTI) and the National League of Cities (NLC)
The international standard for best-practice ISMS (information security management system) controls, based on risk, that can be applied to organizations in a structured manner to achieve compliance
Health Insurance Portability & Accountability Act (HIPAA) of 1996
HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights (OCR)
NIST Cybersecurity | NIST Cybersecurity Framework
NIST implements practical cybersecurity and privacy through outreach and the effective application of the standards and best practices necessary for the U.S. to adopt cybersecurity capabilities
Required Data Breach Reporting
Any business or entity that owns or licenses personal information of Massachusetts residents is required by law to notify the following when it knows or has reason to know of a breach of personal information:
See Security Breach Compliance M.G.L. c. 93H, s. 3.
Entities can use this checklist to ensure compliance with state regulations regarding the handling of Personally Identifiable Information.