Massachusetts' Department of Revenue is not doing enough to protect the sensitive information of taxpayers.
A recent report on the cybersecurity protocols of the Department of Revenue (DOR), compiled by auditor of the commonwealth Suzanne Bump, found that the DOR had no system in place to assess and document third-party vendor risks.
Furthermore, the audit found that the DOR had no documented and tested incident response procedures and had not established an information technology strategy committee.
The department previously had a security review board, but the board has not been active since early 2017.
"Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs," states the report.
"Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion."
The audit revealed that the DOR had failed to come up with an interdepartmental service agreement with the Executive Office of Technology Services and Security (EOTSS) that defined and documented updated roles and responsibilities despite having three years in which to do so.
The report states: "DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay."
No instances in which sensitive data had been compromised were discovered, but Bump’s office found that the DOR "was not prepared to respond to or mitigate cyber-attacks it or its vendors face" and "did not have procedures in place to guide its response to IT security incidents."
"The whole infrastructure for data security was missing at the Department of Revenue," Bump said in an interview that aired Sunday morning on Boston TV show On the Record.
The report, which was published on December 13, covered the DOR’s IT and security-related activities from July 2016 through December 31, 2018.