Skip to Main Content


Graphic with a red pause button, a yellow check mark, and a green play button and the words pause, verify, report for leadership and IT underneath.

The following free resources are available to Leadership and IT at Commonwealth of Massachusetts departments to support cybersecurity internal controls. These are provided in addition to any mandatory cybersecurity requirements your department may have, for additional and continuous training and support in leadership and IT internal controls requirements.   

Audits now routinely include questions related to what steps your department is taking to continually train department staff and support improved cybersecurity controls. Keep a record of all trainings and cybersecurity controls activities for any audit.   


PAUSE VERIFY REPORT gives employees three simple steps to handle incoming requests from emails, text messages, and calls. These steps will help identify fraudsters, prevent most cyber attacks and fraud incidents. These cybersecurity internal controls are designed to protect data and systems from fraud, waste, and abuse of Commonwealth resources.

Tips for Leadership and IT Staff

Here is a list of Cybersecurity Tips and Alerts to keep Leadership and IT aware of cybersecurity threats.

Cybersecurity Risk Assessments must be part of Annual Internal Control Plan review

In addition to ongoing cybersecurity compliance, departments are required to include a cybersecurity risk assessment as part of the annual Internal Control Plan review.

Enterprise Information Security Policies and Standards are minimum internal controls

See our tips on the enterprise information security policies and standards that are the Commonwealth’s state agency minimum cybersecurity internal controls.

PAUSE, VERIFY, REPORT – For Leadership and IT Infographic

Leadership and IT units at departments throughout the Commonwealth of Massachusetts can post this infographic at state offices. Send it to managers as a reminder to build a strong culture of cybersecurity internal controls.

Leadership must set a tone from the top of cybersecurity as a top priority

Prioritizing cybersecurity is a must for state agencies. Take our action steps to ensure that all employees are taking cybersecurity seriously.

Why should we PAUSE? (Less than 1 min. read)

PAUSE is a simple internal control that can help state employees prevent most fraud and cyber incidents, including methods seen recently and frequently.

What should I VERIFY? (Less than 1 min. read)

VERIFY who you are interacting with before you act.

Who do I REPORT suspicious activity to? (Less than 1 min. read)

REPORT suspicious emails or requests or any you can't verify.


Cybersecurity Made Simple with PAUSE, VERIFY, REPORT

In the 2023 Employee Cyber Awareness Micro Training, we simplify Cybersecurity with three simple steps: PAUSE, VERIFY, REPORT. Cybersecurity simply is the protection of data and systems with internal controls. This video is meant for state employees and should be shared with department colleagues.


Free Cybersecurity Awareness Training Videos

The following videos will help support Leadership and IT's Cybersecurity practices.

CTR Cyber with Sec. Jason Snyder (:48 sec)

Secretary Jason Snyder of the Executive Office of Technology Services and Security joins CTR with a general cybersecurity message to prevent the number one way that fraudsters attack the Commonwealth of Massachusetts

CTR Cyber with Anthony Ristaino, CISO of the Executive Office of Health and Human Services (1:03 min)

Anthony Ristaino, Chief Information Security Officer for the Massachusetts Executive Office of Health and Human Services, joins CTR Cyber for cloud security with key questions and answers for agencies seeking to implement cloud security

Prioritize Resources (9:44 min)

Scott Foote, Managing Director of the Phenomenati Group, discusses 5 tips for organizations on a limited budget on how to prioritize resources for cybersecurity. (CTR Cyber 5)

Tips for Successful Cybersecurity Compliance Management (4:54 min.)

Lisa Beth Lentini Walker, CEO of Lumen Worldwide, talks about ways to make conversations about cybersecurity easy to understand, and relatable to others. (CTR Cyber 5)

The CTR Cyber 5 with Thomas Cesso, CISO of Salem State University (16:50 min.)

Thomas Cesso, Chief Information Security Officer of Salem State University, joins the CTR Cyber 5 to talk about institutional processes that will set organizations on the right path to cybersecurity success. (CTR Cyber 5)

5 Tips to Speak to Leadership about Cybersecurity (3:43 min.)

Tomás Maldonado, Vice President / Chief Information Security Officer of the National Football League, joins CTR Cyber 5 to talk about how to engage leadership to focus on cybersecurity. (CTR Cyber 5)

5 Tips for Managing a Robust Cybersecurity Program (6:30 min.)

Doug Domin from the FBI Cyber Task Force shares 5 Tips for Managing a Robust Cybersecurity Program. (CTR Cyber 5)


Related Cybersecurity Content

Cybersecurity Awareness Training Page

The Cybersecurity Awareness Training main page has free resources to keep employess security at work, at home, and on the go.


CTR Cyber

The Office of the Comptroller has developed CTR Cyber to identify key cybersecurity internal controls for Commonwealth of Massachusetts departments, and to promote cybersecurity awareness and cyber vigilance for everyone in these organizations.


Report Cyber Incidents, Suspicious Activity, and Fraud

It is important that Commonwealth of Massachusetts departments immediately report any cyber incidents or other suspicious activity to departmental IT staff, even if the activity or email seems innocuous.