Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Department of Transitional Assistance (DTA) - Information Security

January 6, 2020 · Department of Transitional Assistance · Read the full official report on mass.gov ↗ · official site ↗

Published January 6, 2020 Audit covers July 1, 2018 – June 30, 2019 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found DTA had information-security gaps: some former employees kept system access too long, its incident response plan had not been tested, and vendor risks were not properly assessed.
source
“DTA did not revoke terminated employees’ access to one of its systems in a timely manner.”
Read the plain-English breakdown
What is this?

This is a state audit of the Department of Transitional Assistance’s information security practices during July 1, 2018 through June 30, 2019.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2018 through June 30, 2019.”
Why was it audited?

Auditors reviewed whether DTA was protecting sensitive information through training, technology policies, password rules, employee account shutdowns, incident response, and vendor oversight.

“The purpose of this audit was to assess DTA’s training programs, information technology policies, password parameters, process for terminating user accounts, incident response procedures, and management of third-party risks.”
Why it matters

DTA handles benefits systems and personal information, so weak security controls can put residents’ private information at risk.

“This increases the risk that terminated employees could extract personally identifiable information (PII) from the system.”
The bottom line

Auditors found DTA only partly met some security goals and did not meet the goal for managing third-party vendor risks.

“Does DTA manage risks with third-party vendors to meet Executive Office of Technology Services and Security (EOTSS) standards and NIST standard 800-53r4 related to the protection of PII?”
What happens next

DTA was told to tighten employee access shutdowns, test its incident response plan every year, and assess vendor risks.

“DTA should conduct incident response tests annually and modify its plan according to lessons learned.”
Why it's significant

The report is significant because auditors found problems that could make it harder for DTA to prevent or respond to cybersecurity issues involving public benefit systems.

“Without a tested incident response plan, there is a higher-than-acceptable risk that DTA cannot effectively identify and respond to information security incidents.”
Jargon, unpacked

PII means personally identifiable information: information that could identify a person and should be protected from improper access.

“This increases the risk that terminated employees could extract personally identifiable information (PII) from the system.”

What the Auditor checked

What the Auditor found

DTA did not revoke some terminated employees' BEACON access within the required timeframe.
cybersecurityinternal controlsdata privacy

Why it matters: Terminated employees could extract personally identifiable information from the system.

Standard: User credentials should be removed when access is no longer authorized, and EOTSS requires terminated users' access to be removed within 24 business hours. ( Section 6.1.6.2.1 of Executive Office of Technology Services and Security information security standard IS.003, “Access Management”; American Institute of Certified Public Accountants’ Trust Services Criteria )

2 recommendations
  • DTA should implement additional controls to ensure that access is terminated in a timely manner after an employee is terminated.agency: already implemented
  • DTA should consider controls to automatically notify the security team when employees are terminated.agency: agreed
Agency response & Auditor reply
Agency: "Because of these additional controls, in the most recent Quarterly Termination Review, DTA was in full compliance with Section 6.1.6.2.1 of the EOTSS information security standard IS.003 “Access Management.”"
Auditor: "Based on its response, DTA has taken measures to address our concerns in this area."
DTA did not test its incident response plan during the audit period.
cybersecurityinternal controls

Why it matters: DTA may not be able to effectively identify and respond to information security incidents.

Standard: EOTSS requires incident response plans and procedures to be tested at least annually. ( Section 6.5.2 of EOTSS information security standard IS.009, “Information Security Incident Management”; Section IR-8 of the National Institute of Standards and Technology Special Publication 800-53, Revision 4 )

1 recommendation
  • DTA should conduct incident response tests annually and modify its plan according to lessons learned.
Agency response & Auditor reply
Agency: "EOHHS has developed an enterprise-wide incident response plan in its enterprise standards—which are the agency implementation standards of the EOTSS security policies—and will be meeting with DTA in January to begin operationalization of that plan at DTA."
Auditor: "Based on its response, EOHHS and DTA are taking measures to address our concerns in this area."
DTA did not assess and document third-party vendor risks for vendors with access to personally identifiable information.
vendor oversightprocurement/contractscybersecuritydata privacyinternal controls

Why it matters: Information security risks with third-party vendors may not be identified or mitigated, increasing the risk of inappropriate access to sensitive data.

Standard: EOTSS and MassIT standards required agencies to assess third-party information security risks before granting access or entering agreements. ( Section 6.2 of EOTSS standard IS.015, “Third-Party Information Security”; Section 2 of MassIT’s “Enterprise Information Security Organization Policy” )

2 recommendations
  • DTA should establish a third-party security policy that includes procedures necessary to assess and document third-party risks.
  • DTA should assess and document third-party risks.
Agency response & Auditor reply
Agency: "DTA has not operationalized a third-party security policy because EOTSS and EOHHS are both working towards implementation of a third-party security policy."
Auditor: "We encourage DTA to incorporate EOHHS’s third-party security management standard as soon as possible in order to sufficiently assess and document third-party risks."

More audits of this entity

Other Office of the State Auditor reports on Department of Transitional Assistance .

See this entity's page with all 3 audits →