The Commonwealth averages 525 million pings a day from bad actors seeking to victimize state agencies for their own gain.  Cybercriminals will steal money, change or destroy information, or even hold it for ransom.  The two easiest ways for an attacker to get into your network are via phishing emails and breached passwords.

Cybersecurity Alerts

• CTR has issued a Cybersecurity Heightened Alert on January 16, 2020 with reminders and recommendations for immediate updates to internal controls related to cyber security. 

• US Department of Homeland Security National Cyber Awareness System Alerts.
  Subscribe to CISA alerts, tips, and other updates at the bottom of the page.

• View all Cybersecurity Tips

Report cyber incidents

•    The Office of the Comptroller: CTREmergencyNotification@Mass.gov
•    The FBI encourages reporting of suspicious activity, including cyber incidents or fraud 
•    The State Auditor for Chapter 647 for any variance, loss, shortage or theft of funds or public property)

For more information on required data breach notifications go to Required Data Breach Reporting.

For help with cyberattack preparation or remediation

Statewide Contract (PRF56DesignatedOSC)
Pre-screened cyber and data security vendors available to state and municipal governments that provide assistance with cyber incident response plans, risk assessments, penetration testing, emergency incident management, forensics and Payment Card Industry (PCI) compliance.

​

New statewide contract for cyber and data security

The Office of the Comptroller is pleased to announce an exciting opportunity for cybersecurity, data security, and PCI compliance vendors. As part of its commitment to protecting public resources and mitigating the risk of fraud against the Commonwealth of Massachusetts, CTR is seeking qualified bidders for a statewide contract for a range of cyber and data security services.

​

The bid period is closed. The Request for Responses (RFR) is COMMBUYS Bid # BD-20-1080-OSD03-SRC02-45583, and can be found at COMMBUYS.

​

Cyber and Data Security Standards

The Payment Collection Data Security Policy identifies minimum data security PCI compliance requirements related to the collection of payments and the associated protection of personally identifiable information.

​

The Commonwealth has default security policies and standards for Commonwealth Departments to be used to establish internal controls and protocols. These apply to all Executive Department offices and agencies, and is the default standard for non-Executive Departments without comparable internal standards.

​

Commonwealth Lessons Learned

Recently, the Office of the Comptroller Statewide Risk Management Team has assisted Commonwealth Departments who have suffered cyberattacks. The below lessons learned can help Departments build appropriate cybersecurity protections and strategies.

• Lessons Learned

• 10/18/2019: Cyber Incident Report # 2019-CCC-01

• 09/13/2019: Cyber Incident Report # 2019-MAS-01

• 09/12/2019: Cyber Incident Report #2019-CPC-01

• 09/09/2019: Cyber Incident Report #2019-MBC-01

​

Resources for Employees

Employees are the first line of defense against a cyberattack. The following resources will help improve cybersecurity literacy among all employees.​

• Security Awareness Training
  Free online training from the U.S. Department of Health and Human Services

• The MassCyberCenter at MassTech Collaborative
  The MassCyberCenter’s vision is to enhance opportunities for the Massachusetts Cybersecurity ecosystem to compete as the national cybersecurity leader while strengthening the resiliency of the Commonwealth’s public and private communities

• Cyber Crimes
  Tips from the Cyber Crimes Division of the Massachusetts Attorney General’s Office to protect yourself from crimes online

• Computer and Online Privacy
  Tips from the Massachusetts Attorney General's Office to protect yourself and your computer from viruses, spyware, malware, and other threats to your computer system, as well as phishing, hacking, and spam

• Detecting a Phishing Email: 10 Things to Watch
  How to spot and handle a phishing email

• Stay Safe Online
  Learn more, get involved, and do your part to make the internet safer and more secure for everyone

• Stop Think Connect
  Global online safety awareness campaign available in English, Spanish, French Canadian, Portuguese (Brazilian), Russian, and Japanese

• ID Theft: Here’s what to look for and what to do when it happens
  Guidance from the IRS on warning signs and steps to take after identity theft occurs

• Secure Password Check
  An online test to check the security of your password

​

Resources for IT/Data/Security Staff

IT, Data, and Security staff have a unique responsibility and opportunity to invest in systems that encourage maximum protection of data, assets, and infrastructure.

• NEW - Four Steps to Prepare for a Cybersecurity Risk Assessment
  CTR has created an informational document with four steps to prepare an entity perform a cybersecurity risk assessment that identifies and mitigates security risks. Entities can use the optional attached Cybersecurity Risk Assessment Prep Inventory to help identify the types of information needed for a cybersecurity risk assessment.

• NEW - Incident Response Template
  CTR has prepared this template to cover the basics of incident response. In order to be successful, organizations must take a coordinated and organized approach to any incident.

• Center for Internet Security’s Multi-State information Sharing & Analysis Center
  A service available to the nation’s state, local, tribal and territorial governments to improve cybersecurity posture through focused cyber threat prevention, protection, response, and recovery. Registration

• CISA Cybersecurity Tips
  Quick links provided by the U.S. Department of Homeland Security

• Information Security for IT Administrators
  Training course published by the U.S. Department of Health & Human Services - Departments accepting federal funds may be required to meet federal requirements

• Poneman Institute’s “Separating the Truths from Myth in Cybersecurity”
  Whitepaper on removing barriers to a more effective IT security function

• Top 20 Critical Security Controls for Cyber Defense
  Critical security controls, and steps to implement them in a pragmatic way. Developed by the SANS Institute together with the Center for Internet Security (CIS) and other organizations

​​

Resources for Cybersecurity Governance

• MassCyberCenter Cybersecurity Toolkit
  A toolkit to understand the cybersecurity posture of their municipality and figure out next steps for protecting municipal infrastructure against cyber threats before they occur

• Massachusetts Digital Health Initiative’s “Cybersecurity Toolkit for Digital Health”
  An educational toolkit covering the fundamentals and best practices for cybersecurity and privacy protection, created by MassChallenge HealthTech,

• National Governors Association Resource Center for State Cybersecurity
  Intended to help craft and implement effective state cybersecurity practices

• Stop. Think. Connect. Government Resources
  U.S. Department of Homeland Security’s Cybersecurity Best Practices

​​

Newsletters and Magazines

• 2019 Top Ten Cyber Security Blogs

• Infosecurity Magazine | Twitter

• Government Technology

​

Additional Resources

• Protecting Our Data: What Cities Should Know About Cybersecurity [NEW!]
  From the Public Technology Institute (PTI) and  the National League of Cities (NLC)

• ISO/IEC 27001
  The international standard for best-practice ISMS’s (information security management systems) controls based on risks that can be applied to organizations in a structured manner to achieve compliance

• Health Insurance Portability & Accountability Act (HIPAA) 1996
  HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights (OCR)

• NIST Cybersecurity | NIST Cybersecurity Framework
  NITS implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities 

​​

Required Data Breach Reporting

Any business or entity that owns or licenses personal information of Massachusetts residents is required by law to notify the following when it knows or has reason to know of a breach of personal information:

• Office of the Attorney General (AGO)

• Office of Consumer Affairs and Business Regulation (OCABR)

• Affected Massachusetts residents

View more information about data breaches and what the law defines as personal information, and what you are obligated to do to prevent a breach and in the event of a breach.

See Security Breach Compliance M.G.L. c. 93H, s. 3.

Entities can use this checklist to ensure compliance with state regulations regarding the handling of Personally Identifiable Information.

​

​

​

​