Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Office of the Commissioner of Probation (OCP)

November 8, 2021 · Office of the Commissioner of Probation · Read the full official report on mass.gov ↗

Published November 8, 2021 Audit covers July 1, 2018 – June 30, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The auditor found that the probation office generally followed the rules tested for electronic monitoring and juvenile record access, but also found several technology control problems that needed attention.
source
“Our audit revealed no significant instances of noncompliance by OCP that must be reported under generally accepted government auditing standards.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Office of the Commissioner of Probation, covering July 1, 2018 through June 30, 2020.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2018 through June 30, 2020.”
Why was it audited?

Auditors checked whether the office properly enrolled and monitored people in electronic monitoring programs and protected access to juvenile probation records.

“In this performance audit, we determined whether OCP enrolled participants in the Electronic Monitoring Program in accordance with court-ordered parameters, monitored the participants in accordance with OCP policies and procedures, and ensured that participants’ juvenile probation records were accessed by police officials in accordance with Section 90 of Chapter 276 of the General Laws.”
Why it matters

Probation work affects public safety, fairness in the courts, victims, and people trying to avoid reoffending.

“The Massachusetts Probation Service’s mission is to increase community safety, reduce recidivism, contribute to the fair and equitable administration of justice, support victims and survivors, and assist individuals and families in achieving long term positive change.”
What's in it for me?

For ordinary residents, this matters because electronic monitoring is supposed to help enforce court orders such as house arrest and alcohol restrictions.

“GPS devices are used to enforce court-mandated curfews and court orders, including house arrest.”
The bottom line

The main audit tests came back clean, but the report flagged weaknesses in system access, training, background-check records, and removal of former employees’ access.

“However, we did identify a number of information technology control issues we believe warrant OCP’s attention, which we have disclosed in the “Other Matters” section of this report.”
What happens next

The probation office said it has started fixing the technology-control issues, and the auditor said it should also update its internal controls to reduce future risk.

“Based on its response, OCP is taking measures to address our concerns on this matter.”
Why it's significant

The most important risk was not the monitoring itself, but weak technology controls that could expose sensitive information or create public safety risks.

“Not deactivating terminated employees’ access rights in a timely manner increases the risk of terminated employees improperly accessing offender and victim information, including personal and location information.”
Jargon, unpacked

ELMO is the electronic monitoring program; GPS devices track location, and SCRAM devices test for alcohol use and location.

“The primary tools the ELMO Program uses to monitor participants are global positioning system (GPS) devices—specifically, electronic bracelets that provide participants’ locations via GPS—and Secure Continuous Remote Alcohol Monitoring (SCRAM) remote breath devices, which provide participants’ real-time breath alcohol test results and locations via GPS.”

What the Auditor checked

What the Auditor found

OCP lacked complete approval documentation for user system access.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Not having adequate access controls could compromise the security and integrity of sensitive OCP case data.

Standard: EOTSS Access Management Standard and OCP internal control plan requirements for approved and limited access. ( Section 6.1.4.3 of EOTSS’s “Access Management Standard”; Section 1.5.7 of OCP’s internal control plan )

1 recommendation
  • Update access forms and ensure required OCP and vendor signatures and approvals are documented.agency: already implemented
Agency response & Auditor reply
Agency: "To address the issues of (1) incomplete or missing system approval documentation and (2) user access rights that were inconsistent with employees’ job functions, we created and now use the [Global Positioning System, or GPS] and Remote Alcohol Monitoring Software Access Form."
Auditor: "Based on its response, OCP is taking measures to address our concerns on this matter."
Some users had system access rights that did not match their job functions.
cybersecurityinternal controls

Why it matters: Inappropriate permission rights could compromise the security and integrity of OCP data.

Standard: EOTSS, Attenti Group, and SCRAM Systems access-control requirements for role-appropriate user permissions. ( Section 6.1.5.1 of EOTSS’s “Access Management Standard”; The Attenti Group’s “Access Control Policies and Procedures”; Section 3.1 of SCRAM Systems’ “Access Control Policy ([Information Security Management System, or ISMS])” )

1 recommendation
  • Ensure user permission rights correspond to the system access level appropriate to each employee’s position.agency: already implemented
Agency response & Auditor reply
Agency: "This updated form and process helps ensure sensitive case data is secure and user access rights are consistent with employees’ job functions."
Auditor: "Based on its response, OCP is taking measures to address our concerns on this matter."
Some employees had not completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information at OCP.

Standard: EOTSS Information Security Risk Management Standard requiring annual security awareness training. ( Section 6.2.4 of EOTSS’s “Information Security Risk Management Standard” )

1 recommendation
  • Ensure all employees who use Attenti EM Manager and SCRAMNET take annual cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "To address the issue of (3) employees not completing cybersecurity awareness training, MPS employees had to complete the mandatory online security awareness courses that were introduced by the Trial Court in March 2020."
Auditor: "Based on its response, OCP is taking measures to address our concerns on this matter."
OCP lacked evidence that CORI background checks were completed for some users.
recordkeeping/documentationinternal controlspublic safety

Why it matters: Not completing CORI checks could cause OCP to give individuals with serious convictions access to personally identifiable information as well as probation monitoring information that is crucial to public safety.

Standard: Trial Court Personnel Policies and Procedures Manual requirements for criminal record checks and recordkeeping. ( Trial Court Personnel Policies and Procedures Manual )

1 recommendation
  • Work with the Trial Court to ensure completed CORI checks are filed accurately and are easily accessible.agency: already implemented
Agency response & Auditor reply
Agency: "Last, to address the issue of (4) missing evidence of Criminal Offender Record Information (CORI) checks, the Office of the Commissioner of Probation is now creating and filing its own copies of the CORI completion/compliance forms, which are typically kept at the Office of Court Management."
Auditor: "Based on its response, OCP is taking measures to address our concerns on this matter."
Some terminated employees still had active or enabled system accounts.
cybersecurityinternal controlsdata privacypublic safety

Why it matters: Not deactivating terminated employees’ access rights in a timely manner increases the risk of terminated employees improperly accessing offender and victim information, including personal and location information.

Standard: EOTSS, Attenti Group, and SCRAM Systems requirements to promptly terminate user access privileges. ( EOTSS’s document “Enterprise Access Control Security Standards”; Attenti Group’s “Access Control Policies and Procedures”; SCRAM Systems’ “Access Control Policy (ISMS)” )

2 recommendations
  • Revoke employees’ access to systems in accordance with vendor access-control policy timelines.agency: already implemented
  • Update the internal control plan to include an information system control section.
Agency response & Auditor reply
Agency: "This list contains the names and positions of all terminated employees and we cross-reference it and update the ELMO Terminated Account Access Log to ensure employees that are no longer working for the MPS have their ELMO software accounts deactivated, which resolves the issue of (5) terminated employees not having their system access removed in accordance with state or vendor policies."
Auditor: "OCP should also update its internal control plan to incorporate an information system control section to reduce the risk of issues associated with access controls and permission rights, ensure that cybersecurity training is conducted, and ensure that CORI checks are completed in accordance with its policies and procedures."