Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Executive Order 504 Compliance Review Regarding the Security and Confidentiality of Personal Information at Executive Department Agencies

September 14, 2012 · Executive Department Agencies · Read the full official report (PDF) ↗

Published September 14, 2012 Audit covers January 1, 2009 – June 30, 2011 Under Suzanne M. Bump · 2011–2023

In plain English
Massachusetts agencies made real progress protecting personal information, but the audit found gaps in follow-through and oversight.
source
“However, our review found that improvements could be made in state agencies’ compliance with EO504 requirements and that an adequate process was not in place to assess the controls that state agencies have established over the safeguarding of personal information.”
Read the plain-English breakdown
What is this?

This is a State Auditor review of how well Massachusetts executive agencies followed Executive Order 504, a rule about protecting residents’ personal information.

“On September 19, 2008, Executive Order 504 (EO504) was issued regarding the security and confidentiality of personal information of residents of the Commonwealth.”
Why was it audited?

The auditor checked whether agencies were meeting EO504’s security and reporting rules for personal information.

“Our audit scope was to assess whether Executive Department agencies adequately addressed the security and reporting requirements of EO504 to ensure the security, confidentiality and integrity of personal information.”
Why it matters

The issue matters because state agencies hold sensitive information, and weak controls can expose residents to privacy breaches or misuse of their data.

“The security and confidentiality goals of EO504 include improving security awareness and strengthening responsibilities and controls for safeguarding personal information.”
What's in it for me?

For an ordinary resident, this report is about whether the state is doing enough to keep your personal details private and secure.

“Section 2 of EO504 states that it “shall be the policy of the Executive Department of the Commonwealth of Massachusetts to adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information, as defined in Chapter 93H, and personal data, as defined in Massachusetts General Law Chapter 66A, maintained by state agencies.”
The bottom line

The state had policies, training, and reporting in place, but it did not have enough independent checking to prove the protections were actually working.

“As a result, ITD management lacks (1) reliable feedback on the existence and performance of an operational process, activity, or combination of controls and (2) independent review processes to validate agency reports and verify the existence of controls necessary to protect personal information.”
What happens next

The auditor recommended that ITD build a stronger review program and give agencies better guidance, and ITD generally agreed.

“ITD should establish an adequate assurance program framework to independently assess compliance with the requirements of EO504 and Chapter 93H and 93I of the General Laws, including the adequacy of controls to safeguard personal information.”
Why it's significant

The audit is significant because identity theft is costly and widespread, and the state wanted standards at least as strong as private-sector rules.

“WHEREAS, identity theft is a serious crime that, according to current Federal Trade Commission statistics, affects as many as 9 million Americans each year and costs consumers and businesses approximately $52 billion annually;”
Jargon, unpacked

EO504 is the state order; ISOs are agency security officers; SAQs are self-audit questionnaires agencies submit about how they protect personal information.

“The agency head and the ISO are required to certify and submit to ITD an Information Security Program (ISP), an Electronic Security Plan (ESP), and a Self-Audit Questionnaire (SAQ) annually on September 19th.”

What the Auditor checked

What the Auditor found

Executive Department agencies needed to improve compliance with Executive Order 504 personal information security requirements.
cybersecuritydata privacyrecordkeeping/documentationinternal controlsreporting timelinessvendor oversight

Why it matters: Personal information could be inadequately identified, reported, classified, trained on, or protected, including in hardcopy form and by vendors.

Standard: Executive Order 504 requirements for personal information security, agency reporting, ISO responsibilities, training, and vendor contract controls. ( Executive Order 504; 201 Code of Massachusetts Regulations 17.00; Executive Order 510 )

7 recommendations
  • Delinquent agencies should file annual personal information security reports and/or SAQs with ITD, and the CIO should consider remedial action for noncompliant agencies.agency: agreed
  • ITD should consider modifying filing requirements where operational responsibility or IT security has transferred outside the agency or systems are shared.agency: agreed
  • ITD should continue developing IT security policies and standards and share EO504 control information with other government branches and authorities.agency: agreed
  • Agencies should develop a coordinated baseline security training curriculum tailored to agency operations and technology.agency: agreed
  • Responsibility and accountability for EO504 internal controls should be evaluated at agency and secretariat levels.agency: agreed
  • State agencies should establish a formal ISO transition and training process.agency: agreed
  • ITD should develop programs that guide agencies on security methods, controls, and procedures for EO504 compliance.agency: agreed
Agency response & Auditor reply
Agency: "ITD is in general agreement with the recommendations made by the SAO."
ITD lacked an adequate assurance program to verify controls protecting personal information.
cybersecuritydata privacyinternal controlsrecordkeeping/documentationvendor oversight

Why it matters: ITD lacked reliable feedback and independent validation that agency controls existed and were working to protect personal information.

Standard: Executive Order 504 and Chapters 93H and 93I of the General Laws require protection of personal information and allow ITD to assess agency compliance. ( Executive Order 504; Chapter 93H and Chapter 93I of the General Laws; Executive Order 532 )

4 recommendations
  • ITD should establish an assurance framework to independently assess EO504 and Chapter 93H/93I compliance and the adequacy of controls.agency: agreed
  • The assurance program should assess EO504 reporting data integrity controls.agency: agreed
  • ITD should use risk assessments to select agencies and areas with the greatest risk exposure for review.agency: agreed
  • ITD should assess whether agencies verified contractor and subcontractor competency and integrity and limited contractor access to data and systems.agency: agreed
Agency response & Auditor reply
Agency: "ITD is in general agreement with the recommendations made by the SAO."