Audit of the Department of Revenue (DOR) - Information Security
December 13, 2019 · Department of Revenue (DOR) —Information Security · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Department of Revenue’s information security practices for July 1, 2016 through December 31, 2018.
“I am pleased to provide this performance audit of the Department of Revenue.”
Auditors reviewed whether DOR had strong enough controls for information security, staff training, IT policies, responding to security incidents, and managing vendor risks.
“The purpose of this audit was to assess DOR’s information security governance, information security training programs, information technology (IT) policies, incident response procedures, and management of third-party risks.”
DOR handles sensitive public information, so weak security planning or unclear responsibilities could make it harder to prevent or respond to data problems.
“DOR is still responsible for establishing controls to ensure the proper safeguarding of the information it collects and retains in its systems.”
If you pay taxes, receive or pay child support, or rely on local government finance services, DOR systems may affect you, so protecting the information in those systems matters.
“The focus of DOR’s tax administration function is to manage the Commonwealth’s tax collection, and the focus of DOR’s child support function is to establish paternity and administer child support orders.”
The audit did not say DOR had a data breach; it said DOR lacked several key security-management practices that reduce risk.
“DOR did not have documented and tested incident response procedures.”
DOR said it would work with EOTSS on governance, incident response testing, vendor-risk review, and an updated agreement defining responsibilities.
“An ISA between DOR and EOTSS is currently being updated.”
The main risk is that security problems involving vendors, state systems, or sensitive data might not be caught, assigned, or handled quickly enough.
“A lack of assessment of third-party risks increases the chance that information security risks with such vendors will not be identified and mitigated promptly or at all, which results in a higher-than-acceptable risk of sensitive data being inappropriately accessed.”
PII means personally identifiable information, IT means information technology, EOTSS is the state technology and security office, and an ISA is an agreement between agencies that says who is responsible for what.
“EOTSS and EOAF manage DOR’s IT services.”
What the Auditor checked
- Did not comply Does DOR have a governing committee tasked with identifying, classifying, and mitigating information security risks?
- Complied Has DOR designed and implemented user training programs and acknowledgement forms to protect personally identifiable information (PII)?
- Complied Have policies supporting PII protection been defined and documented?
- Did not comply Does DOR have documented and tested procedures to handle information security incidents?
- Did not comply Does DOR manage risks with third-party vendors to meet Executive Office of Technology Services and Security (EOTSS) standards and National Institute of Standards and Technology (NIST) standard 800-53r4 related to the protection of PII?
What the Auditor found
Why it matters: Responsibility for IT governance and risk was unclear, creating risk that information security risks and investments would not align with business needs.
Standard: Information Systems Audit and Control Association’s Control Objectives for Information and Related Technology 4.1, PO4.2 and PO4.8 ( Information Systems Audit and Control Association’s Control Objectives for Information and Related Technology 4.1; PO4.2 IT Strategy Committee; PO4.8 Responsibility for Risk, Security and Compliance )
1 recommendation
- DOR should work with EOTSS to establish an IT strategy committee that meets regularly to ensure IT governance, determine acceptable risk, align IT resources, and create strategies to mitigate risk to an acceptable level in line with business needs.agency: agreed
Agency response & Auditor reply
Agency: "DOR will work with EOTSS to establish a Governance, Risk, and Compliance (GRC) committee comprised of the following and/or their designees:"
Auditor: "Based on its response, DOR is taking measures to address this issue."
Why it matters: DOR faced a higher risk that it could not respond properly to information security incidents, which could delay incident identification, cause additional data loss, or damage public opinion.
Standard: DOR Security Incident Response Policy and NIST Special Publication 800-53, Revision 4 ( DOR Security Incident Response Policy, dated July 1 2015; NIST Special Publication 800-53, Revision 4, IR-1 Incident Response Policy and Procedures; NIST Special Publication 800-53, Revision 4, IR-3 Incident Response Testing )
2 recommendations
- DOR should develop and document security incident response procedures to facilitate the implementation of its “Security Incident Response Policy” and associated incident response controls.agency: agreed
- Once security incident response procedures are documented, DOR should test them regularly.agency: agreed
Agency response & Auditor reply
Agency: "The Incident Response Policy and Incident Response Plan (Plan) have been under revision."
Auditor: "Based on its response, DOR is taking measures to address this issue."
Why it matters: Information security risks with vendors might not be identified or mitigated promptly, increasing the risk of inappropriate access to sensitive data.
Standard: EOTSS standard IS.015, “Third-Party Information Security,” Section 6.2 and MassIT “Enterprise Information Security Organization Policy,” Section 2 ( EOTSS standard IS.015, “Third-Party Information Security,” Section 6.2; MassIT “Enterprise Information Security Organization Policy,” Section 2 )
2 recommendations
- DOR should update its “Third Party Security Policy” to include procedures necessary to assess and document third-party risks.agency: agreed
- DOR should assess and document third-party risks.agency: agreed
Agency response & Auditor reply
Agency: "DOR will convene a working group to research and develop criteria and tools for evaluating and monitoring third party vendor risks."
Auditor: "Based on its response, DOR is taking measures to address this issue."
Why it matters: Unclear roles and responsibilities could cause IT security activities to be ineffectively managed.
Standard: NIST Special Publication 800-53, Revision 4, Section SA-9 ( NIST Special Publication 800-53, Revision 4, Section SA-9; NIST Special Publication 800-53, Revision 4, Section SA-9 )
1 recommendation
- DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR.agency: agreed
Agency response & Auditor reply
Agency: "An ISA between DOR and EOTSS is currently being updated."
Auditor: "Based on its response, DOR is taking measures to address this issue."