Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Division of Standards (March 19, 2024)

March 19, 2024 · Division of Standards · Read the full official report on mass.gov ↗

Published March 19, 2024 Audit covers July 1, 2021 – December 31, 2022 Under Diana DiZoglio · 2023–present

In plain English
The audit found that the Division of Standards had problems with website accessibility and with its plans for keeping operations and computer systems running during disruptions or security incidents.
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Division of Standards, covering July 1, 2021 through December 31, 2022.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Standards (DOS) for the period July 1, 2021 through December 31, 2022.”
Why was it audited?

Auditors checked whether the agency’s website met accessibility rules and whether its IT policies covered business continuity, disaster recovery, security incident response, and cybersecurity training.

“In this performance audit, we determined the following:”
Why it matters

People rely on state websites for services, and broken links or inaccessible pages can make it harder for residents to get important information or apply for services.

“Broken or faulty hyperlinks negatively impact the user experience and make it difficult to locate additional relevant information.”
What's in it for me?

If you use the Division of Standards website, the recommendations aim to make online information and services easier and fairer to access, including for people with disabilities.

“DOS should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DOS to all Commonwealth residents.”
The bottom line

The auditors found three main issues: the website was not fully accessible, the agency’s continuity and disaster recovery planning was incomplete, and its security incident response planning was missing required pieces.

“DOS’s website is not fully accessible for all Massachusetts residents.”
What happens next

The Division of Standards said it is working with state technology officials to update its business continuity, disaster recovery, and security incident response planning.

“Based on its response, DOS is taking measures to address our concerns on this matter.”
Why it's significant

The findings matter because incomplete planning could leave the agency less prepared to protect information, restore critical work, or respond properly after a security incident or disruption.

“Without adequate and updated business continuity or disaster recovery plans, DOS cannot ensure that it has procedures for protecting information assets or a plan to recover critical operations when an interruption or disaster occurs.”
Jargon, unpacked

A business continuity plan is the agency’s plan for keeping essential work going during a disruption; a disaster recovery plan is about restoring systems and services after an emergency.

“These plans ensure that agencies have procedures to protect their information assets, recover critical operations, and reduce risks from a potential disruption or disaster.”

What the Auditor checked

What the Auditor found

The Division of Standards’ website had broken and faulty hyperlinks that limited navigation accessibility.
data privacyinternal controls

Why it matters: Broken or faulty hyperlinks make it difficult for users to find relevant information and may limit equitable access to critical information and online services.

Standard: Executive Office of Technology Services and Security’s Enterprise Information Technology Accessibility Policy and Web Content Accessibility Guidelines 2.1, Success Criterion 2.4.5 Multiple Ways. ( Executive Office of Technology Services and Security’s Enterprise Information Technology Accessibility Policy; Web Content Accessibility Guidelines 2.1, Success Criterion 2.4.5 Multiple Ways )

1 recommendation
  • DOS should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DOS to all Commonwealth residents.agency: already implemented
Agency response & Auditor reply
Agency: "As noted during the audit, DOS believes the website accessibility findings identified by the Auditors were caused by factors not directly in DOS’s control but took immediate action to rectify these issues to the Auditors’ satisfaction."
Auditor: "Based on its response, DOS has taken measures to address our concerns on this matter."
The Division of Standards’ business continuity plan lacked required elements, and the division did not have a disaster recovery plan.
cybersecurityinternal controls

Why it matters: Without adequate and updated plans, DOS may not be able to protect information assets or recover critical operations during an interruption or disaster.

Standard: EOTSS’s Business Continuity and Disaster Recovery Standard IS.005. ( EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 )

2 recommendations
  • DOS should update its business continuity plan to include all required elements. It should also update the plan annually and whenever a major organizational change occurs.
  • DOS should develop and implement a disaster recovery plan.
Agency response & Auditor reply
Agency: "DOS is working in conjunction with EOTSS to update its current business continuity plan in accordance with all applicable requirements and will issue it as soon as possible."
Auditor: "Based on its response, DOS is taking measures to address our concerns on this matter."
The Division of Standards relied on an information security incident response plan and procedures that lacked required elements.
cybersecurityinternal controls

Why it matters: Without an adequate incident response plan and procedures, DOS may not take sufficient containment measures or complete proper documentation, investigation, risk analysis, and impact analysis after a security incident.

Standard: EOTSS’s Information Security Incident Management Standard IS.009. ( EOTSS’s Information Security Incident Management Standard IS.009 )

1 recommendation
  • DOS should rely on an information security incident response plan and procedures that include all required elements.
Agency response & Auditor reply
Agency: "DOS relies on and follows the information security incident response plan and procedures adopted by [the Executive Office of Economic Development (EOED)]."
Auditor: "Based on its response, DOS is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Division of Standards .

See this entity's page with all 3 audits →