Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Revenue (DOR) - Information Security

December 13, 2019 · Department of Revenue (DOR) —Information Security · Read the full official report on mass.gov ↗

Published December 13, 2019 Audit covers July 1, 2016 – December 31, 2018 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that the Department of Revenue had important information-security gaps: no active IT strategy committee, no documented and tested incident response procedures, no documented review of vendor risks, and no updated agreement spelling out security responsibilities with the state technology office.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Department of Revenue’s information security practices for July 1, 2016 through December 31, 2018.

“I am pleased to provide this performance audit of the Department of Revenue.”
Why was it audited?

Auditors reviewed whether DOR had strong enough controls for information security, staff training, IT policies, responding to security incidents, and managing vendor risks.

“The purpose of this audit was to assess DOR’s information security governance, information security training programs, information technology (IT) policies, incident response procedures, and management of third-party risks.”
Why it matters

DOR handles sensitive public information, so weak security planning or unclear responsibilities could make it harder to prevent or respond to data problems.

“DOR is still responsible for establishing controls to ensure the proper safeguarding of the information it collects and retains in its systems.”
What's in it for me?

If you pay taxes, receive or pay child support, or rely on local government finance services, DOR systems may affect you, so protecting the information in those systems matters.

“The focus of DOR’s tax administration function is to manage the Commonwealth’s tax collection, and the focus of DOR’s child support function is to establish paternity and administer child support orders.”
The bottom line

The audit did not say DOR had a data breach; it said DOR lacked several key security-management practices that reduce risk.

“DOR did not have documented and tested incident response procedures.”
What happens next

DOR said it would work with EOTSS on governance, incident response testing, vendor-risk review, and an updated agreement defining responsibilities.

“An ISA between DOR and EOTSS is currently being updated.”
Why it's significant

The main risk is that security problems involving vendors, state systems, or sensitive data might not be caught, assigned, or handled quickly enough.

“A lack of assessment of third-party risks increases the chance that information security risks with such vendors will not be identified and mitigated promptly or at all, which results in a higher-than-acceptable risk of sensitive data being inappropriately accessed.”
Jargon, unpacked

PII means personally identifiable information, IT means information technology, EOTSS is the state technology and security office, and an ISA is an agreement between agencies that says who is responsible for what.

“EOTSS and EOAF manage DOR’s IT services.”

What the Auditor checked

What the Auditor found

DOR did not establish an information technology strategy committee.
cybersecurityinternal controls

Why it matters: Responsibility for IT governance and risk was unclear, creating risk that information security risks and investments would not align with business needs.

Standard: Information Systems Audit and Control Association’s Control Objectives for Information and Related Technology 4.1, PO4.2 and PO4.8 ( Information Systems Audit and Control Association’s Control Objectives for Information and Related Technology 4.1; PO4.2 IT Strategy Committee; PO4.8 Responsibility for Risk, Security and Compliance )

1 recommendation
  • DOR should work with EOTSS to establish an IT strategy committee that meets regularly to ensure IT governance, determine acceptable risk, align IT resources, and create strategies to mitigate risk to an acceptable level in line with business needs.agency: agreed
Agency response & Auditor reply
Agency: "DOR will work with EOTSS to establish a Governance, Risk, and Compliance (GRC) committee comprised of the following and/or their designees:"
Auditor: "Based on its response, DOR is taking measures to address this issue."
DOR did not have documented and tested incident response procedures.
cybersecuritydata privacyinternal controlsrecordkeeping/documentation

Why it matters: DOR faced a higher risk that it could not respond properly to information security incidents, which could delay incident identification, cause additional data loss, or damage public opinion.

Standard: DOR Security Incident Response Policy and NIST Special Publication 800-53, Revision 4 ( DOR Security Incident Response Policy, dated July 1 2015; NIST Special Publication 800-53, Revision 4, IR-1 Incident Response Policy and Procedures; NIST Special Publication 800-53, Revision 4, IR-3 Incident Response Testing )

2 recommendations
  • DOR should develop and document security incident response procedures to facilitate the implementation of its “Security Incident Response Policy” and associated incident response controls.agency: agreed
  • Once security incident response procedures are documented, DOR should test them regularly.agency: agreed
Agency response & Auditor reply
Agency: "The Incident Response Policy and Incident Response Plan (Plan) have been under revision."
Auditor: "Based on its response, DOR is taking measures to address this issue."
DOR did not assess and document third-party vendor risks.
vendor oversightprocurement/contractsdata privacycybersecurityrecordkeeping/documentation

Why it matters: Information security risks with vendors might not be identified or mitigated promptly, increasing the risk of inappropriate access to sensitive data.

Standard: EOTSS standard IS.015, “Third-Party Information Security,” Section 6.2 and MassIT “Enterprise Information Security Organization Policy,” Section 2 ( EOTSS standard IS.015, “Third-Party Information Security,” Section 6.2; MassIT “Enterprise Information Security Organization Policy,” Section 2 )

2 recommendations
  • DOR should update its “Third Party Security Policy” to include procedures necessary to assess and document third-party risks.agency: agreed
  • DOR should assess and document third-party risks.agency: agreed
Agency response & Auditor reply
Agency: "DOR will convene a working group to research and develop criteria and tools for evaluating and monitoring third party vendor risks."
Auditor: "Based on its response, DOR is taking measures to address this issue."
DOR and EOTSS did not have an updated interdepartmental service agreement defining information security roles and responsibilities.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Unclear roles and responsibilities could cause IT security activities to be ineffectively managed.

Standard: NIST Special Publication 800-53, Revision 4, Section SA-9 ( NIST Special Publication 800-53, Revision 4, Section SA-9; NIST Special Publication 800-53, Revision 4, Section SA-9 )

1 recommendation
  • DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR.agency: agreed
Agency response & Auditor reply
Agency: "An ISA between DOR and EOTSS is currently being updated."
Auditor: "Based on its response, DOR is taking measures to address this issue."