Cyber Center

The CTR has developed the Cyber Center as a resource to promote cybersecurity awareness for everyone in your organization, to improve overall cyber hygiene, and to help prevent the increasing number of denial of service (DoS), phishing, malware, and social engineering attacks.

The Commonwealth averages 525 million pings a day from bad actors seeking to victimize state agencies for their own gain. Cybercriminals will steal money, change or destroy information, or even hold it for ransom. The two easiest ways for an attacker to get into your network are via phishing emails and breached passwords.

Cybersecurity Alerts

Report cyber incidents

  • The Office of the Comptroller: CTREmergencyNotification@Mass.gov
  • The FBI encourages reporting of suspicious activity, including cyber incidents or fraud
  • The State Auditor under Chapter 647 for any variance, loss, shortage or theft of funds or public property


For more information on required data breach notifications go to Required Data Breach Reporting.


For help with cyberattack preparation or remediation

Statewide Contract (PRF56DesignatedOSC)
Pre-screened cyber and data security vendors available to state and municipal governments that provide assistance with cyber incident response plans, risk assessments, penetration testing, emergency incident management, forensics and Payment Card Industry (PCI) compliance.

New statewide contract for cyber and data security

The Office of the Comptroller is pleased to announce an exciting opportunity for cybersecurity, data security, and PCI compliance vendors. As part of its commitment to protecting public resources and mitigating the risk of fraud against the Commonwealth of Massachusetts, CTR is seeking qualified bidders for a statewide contract for a range of cyber and data security services.

The bid period is closed. The Request for Responses (RFR) is COMMBUYS Bid # BD-20-1080-OSD03-SRC02-45583, and can be found at COMMBUYS.

Cyber and Data Security Standards

The Payment Collection Data Security Policy identifies minimum data security PCI compliance requirements related to the collection of payments and the associated protection of personally identifiable information.

The Commonwealth has default security policies and standards that Commonwealth Departments use to establish internal controls and protocols. These apply to all Executive Department offices and agencies, and are the default standard for non-Executive Departments without comparable internal standards.

Commonwealth Lessons Learned

Recently, the Office of the Comptroller Statewide Risk Management Team has assisted Commonwealth Departments who have suffered cyberattacks. The below lessons learned can help Departments build appropriate cybersecurity protections and strategies.

Resources for Employees

Employees are the first line of defense against a cyberattack. The following resources will help improve cybersecurity literacy among all employees.

  • Security Awareness Training
    Free online training from the U.S. Department of Health and Human Services

  • The MassCyberCenter at MassTech Collaborative
    The MassCyberCenter’s vision is to enhance opportunities for the Massachusetts Cybersecurity ecosystem to compete as the national cybersecurity leader while strengthening the resiliency of the Commonwealth’s public and private communities

  • Cyber Crimes
    Tips from the Cyber Crimes Division of the Massachusetts Attorney General’s Office to protect yourself from crimes online

  • Computer and Online Privacy
    Tips from the Massachusetts Attorney General's Office to protect yourself and your computer from viruses, spyware, malware, and other threats to your computer system, as well as phishing, hacking, and spam

  • Detecting a Phishing Email: 10 Things to Watch
    How to spot and handle a phishing email

  • Stay Safe Online
    Learn more, get involved, and do your part to make the internet safer and more secure for everyone

  • Stop Think Connect
    Global online safety awareness campaign available in English, Spanish, French Canadian, Portuguese (Brazilian), Russian, and Japanese

  • ID Theft: Here’s what to look for and what to do when it happens
    Guidance from the IRS on warning signs and steps to take after identity theft occurs

  • Secure Password Check
    An online test to check the security of your password

Resources for IT/Data/Security Staff

IT, Data, and Security staff have a unique responsibility and opportunity to invest in systems that encourage maximum protection of data, assets, and infrastructure.

Resources for Cybersecurity Governance

Newsletters and Magazines

Additional Resources

  • Protecting Our Data: What Cities Should Know About Cybersecurity [NEW!]
    From the Public Technology Institute (PTI) and the National League of Cities (NLC)

  • ISO/IEC 27001
    The international standard for best-practice information security management system (ISMS) controls, based on risk, that organizations can apply in a structured manner to achieve compliance

  • Health Insurance Portability & Accountability Act (HIPAA) 1996
    HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights (OCR)

  • NIST Cybersecurity | NIST Cybersecurity Framework
    NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities

Required Data Breach Reporting

Any business or entity that owns or licenses personal information of Massachusetts residents is required by law to notify the following when it knows or has reason to know of a breach of personal information:

View more information about data breaches and what the law defines as personal information, and what you are obligated to do to prevent a breach and in the event of a breach.


See Security Breach Compliance M.G.L. c. 93H, s. 3.


Entities can use this checklist to ensure compliance with state regulations regarding the handling of Personally Identifiable Information.


OFFICE OF THE COMPTROLLER OF THE COMMONWEALTH

William McNamara, Comptroller of the Commonwealth

One Ashburton Place, 9th Floor, Boston MA 02108

comptroller.info@mass.gov

For your protection, please do not email personal information (e.g. Social Security Number, Bank Account Number, Passwords).

For assistance, please call us at

(617) 727-5000
