Audit of the Department of Transitional Assistance (DTA) - Information Security
January 6, 2020 · Department of Transitional Assistance · Read the full official report on mass.gov ↗ · official site ↗
source
“DTA did not revoke terminated employees’ access to one of its systems in a timely manner.”
Read the plain-English breakdown
This is a state audit of the Department of Transitional Assistance’s information security practices during July 1, 2018 through June 30, 2019.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2018 through June 30, 2019.”
Auditors reviewed whether DTA was protecting sensitive information through training, technology policies, password rules, employee account shutdowns, incident response, and vendor oversight.
“The purpose of this audit was to assess DTA’s training programs, information technology policies, password parameters, process for terminating user accounts, incident response procedures, and management of third-party risks.”
DTA handles benefits systems and personal information, so weak security controls can put residents’ private information at risk.
“This increases the risk that terminated employees could extract personally identifiable information (PII) from the system.”
Auditors found DTA only partly met some security goals and did not meet the goal for managing third-party vendor risks.
“Does DTA manage risks with third-party vendors to meet Executive Office of Technology Services and Security (EOTSS) standards and NIST standard 800-53r4 related to the protection of PII?”
DTA was told to tighten employee access shutdowns, test its incident response plan every year, and assess vendor risks.
“DTA should conduct incident response tests annually and modify its plan according to lessons learned.”
The report is significant because auditors found problems that could make it harder for DTA to prevent or respond to cybersecurity issues involving public benefit systems.
“Without a tested incident response plan, there is a higher-than-acceptable risk that DTA cannot effectively identify and respond to information security incidents.”
PII means personally identifiable information: information that could identify a person and should be protected from improper access.
“This increases the risk that terminated employees could extract personally identifiable information (PII) from the system.”
What the Auditor checked
- Complied Does DTA have user training programs and acknowledgment forms that meet the standards of the National Institute of Standards and Technology (NIST) related to the protection of personally identifiable information (PII)?
- Partially Has DTA designed and implemented password parameters and a process for terminating user accounts to protect the security of its information?
- Partially Does DTA have documented and tested procedures to handle information security incidents?
- Did not comply Does DTA manage risks with third-party vendors to meet Executive Office of Technology Services and Security (EOTSS) standards and NIST standard 800-53r4 related to the protection of PII?
What the Auditor found
Why it matters: Terminated employees could extract personally identifiable information from the system.
Standard: User credentials should be removed when access is no longer authorized, and EOTSS requires terminated users' access to be removed within 24 business hours. ( Section 6.1.6.2.1 of Executive Office of Technology Services and Security information security standard IS.003, “Access Management”; American Institute of Certified Public Accountants’ Trust Services Criteria )
2 recommendations
- DTA should implement additional controls to ensure that access is terminated in a timely manner after an employee is terminated.agency: already implemented
- DTA should consider controls to automatically notify the security team when employees are terminated.agency: agreed
Agency response & Auditor reply
Agency: "Because of these additional controls, in the most recent Quarterly Termination Review, DTA was in full compliance with Section 6.1.6.2.1 of the EOTSS information security standard IS.003 “Access Management.”"
Auditor: "Based on its response, DTA has taken measures to address our concerns in this area."
Why it matters: DTA may not be able to effectively identify and respond to information security incidents.
Standard: EOTSS requires incident response plans and procedures to be tested at least annually. ( Section 6.5.2 of EOTSS information security standard IS.009, “Information Security Incident Management”; Section IR-8 of the National Institute of Standards and Technology Special Publication 800-53, Revision 4 )
1 recommendation
- DTA should conduct incident response tests annually and modify its plan according to lessons learned.
Agency response & Auditor reply
Agency: "EOHHS has developed an enterprise-wide incident response plan in its enterprise standards—which are the agency implementation standards of the EOTSS security policies—and will be meeting with DTA in January to begin operationalization of that plan at DTA."
Auditor: "Based on its response, EOHHS and DTA are taking measures to address our concerns in this area."
Why it matters: Information security risks with third-party vendors may not be identified or mitigated, increasing the risk of inappropriate access to sensitive data.
Standard: EOTSS and MassIT standards required agencies to assess third-party information security risks before granting access or entering agreements. ( Section 6.2 of EOTSS standard IS.015, “Third-Party Information Security”; Section 2 of MassIT’s “Enterprise Information Security Organization Policy” )
2 recommendations
- DTA should establish a third-party security policy that includes procedures necessary to assess and document third-party risks.
- DTA should assess and document third-party risks.
Agency response & Auditor reply
Agency: "DTA has not operationalized a third-party security policy because EOTSS and EOHHS are both working towards implementation of a third-party security policy."
Auditor: "We encourage DTA to incorporate EOHHS’s third-party security management standard as soon as possible in order to sufficiently assess and document third-party risks."
More audits of this entity
Other Office of the State Auditor reports on Department of Transitional Assistance .
- Audit of the Department of Transitional Assistance (January 30, 2026)State Agency / Office · January 30, 2026
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Department of Transitional Assistance (January 28, 2025)State Agency / Office · January 28, 2025