
Audit Faults Massachusetts' Information Security

Massachusetts' Department of Revenue is not doing enough to protect the sensitive information of taxpayers. 

A recent report on the cybersecurity protocols of the Department of Revenue (DOR), compiled by auditor of the commonwealth Suzanne Bump, found that the DOR had no system in place to assess and document third-party vendor risks.

Furthermore, the audit found that the DOR had no documented and tested incident response procedures and had not established an information technology strategy committee. 

The department previously had a security review board, but the board has not been active since early 2017.

"Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs," states the report.

"Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion."

The audit revealed that the DOR had failed to establish an interdepartmental service agreement (ISA) with the Executive Office of Technology Services and Security (EOTSS) defining and documenting updated roles and responsibilities, despite having three years in which to do so.

The report states: "DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay."

No instances in which sensitive data had been compromised were discovered, but Bump’s office found that the DOR "was not prepared to respond to or mitigate cyber-attacks it or its vendors face" and "did not have procedures in place to guide its response to IT security incidents."

"The whole infrastructure for data security was missing at the Department of Revenue," Bump said in an interview that aired Sunday morning on Boston TV show On the Record.

The report, which was published on December 13, covered the DOR’s IT and security-related activities from July 2016 through December 31, 2018.
