Audit of the Executive Office of Public Safety and Security
September 27, 2018 · Executive Office of Public Safety and Security · Read the full official report on mass.gov ↗
source
“We did not identify any significant deficiencies in those areas.”
Read the plain-English breakdown
This is a state performance audit of the Executive Office of Public Safety and Security, covering selected IT activities from October 1, 2017 through March 31, 2018.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain information technology (IT) activities of the Executive Office of Public Safety and Security (EOPSS) for the period October 1, 2017 through March 31, 2018.”
Auditors wanted to see whether EOPSS properly kept track of hardware on its network and handled software security weaknesses.
“The purpose of this audit was to review and evaluate controls over selected information technology (IT) operations and activities for the period October 1, 2017 through March 31, 2018.”
EOPSS oversees major public safety agencies, so its technology systems support work tied to crime prevention, emergency readiness, law enforcement, and public safety.
“EOPSS is responsible for the policy development and budgetary oversight of its secretariat agencies, independent programs, and several boards which aid in crime prevention, homeland security preparedness, and ensuring the safety of residents and visitors in the Commonwealth.”
For an ordinary resident, the audit gives some assurance that the reviewed public safety IT controls were in place and working adequately.
“Based on our audit, we have concluded that EOPSS has established adequate controls and practices in the areas we reviewed that were related to our audit objectives.”
The auditor answered yes to both audit questions: EOPSS managed network hardware inventory and had a vulnerability patching program.
“Does EOPSS have a program in place to detect, manage, and patch1 potential system and software vulnerabilities?”
The report does not list corrective actions, because the audit did not find significant deficiencies in the reviewed areas.
“We did not identify any significant deficiencies in those areas.”
The audit focused on basic cybersecurity practices: knowing what devices are on the network and finding and fixing vulnerabilities before attackers can exploit them.
“Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”
A patch is a software fix that helps correct security or functionality problems.
“According to the National Institute of Standards and Technology’s Special Publication 800-40r3, patches are software packages deployed by a manufacturer to “correct security and functionality problems in software and firmware.””
What the Auditor checked
- Complied Does EOPSS actively manage the inventory of hardware devices connected to its network?
- Complied Does EOPSS have a program in place to detect, manage, and patch potential system and software vulnerabilities?
More audits of this entity
Other Office of the State Auditor reports on Executive Office of Public Safety and Security .
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Executive Office of Public Safety and Security (January 28, 2025)State Agency / Office · January 28, 2025 - Audit of the Executive Office of Public Safety and Security (August 8, 2024)State Agency / Office · August 8, 2024