Executive Order 504 Compliance Review Regarding the Security and Confidentiality of Personal Information at Executive Department Agencies
September 14, 2012 · Executive Department Agencies · Read the full official report (PDF) ↗
source
“However, our review found that improvements could be made in state agencies’ compliance with EO504 requirements and that an adequate process was not in place to assess the controls that state agencies have established over the safeguarding of personal information.”
Read the plain-English breakdown
This is a State Auditor review of how well Massachusetts executive agencies followed Executive Order 504, a rule about protecting residents’ personal information.
“On September 19, 2008, Executive Order 504 (EO504) was issued regarding the security and confidentiality of personal information of residents of the Commonwealth.”
The auditor checked whether agencies were meeting EO504’s security and reporting rules for personal information.
“Our audit scope was to assess whether Executive Department agencies adequately addressed the security and reporting requirements of EO504 to ensure the security, confidentiality and integrity of personal information.”
The issue matters because state agencies hold sensitive information, and weak controls can expose residents to privacy breaches or misuse of their data.
“The security and confidentiality goals of EO504 include improving security awareness and strengthening responsibilities and controls for safeguarding personal information.”
For an ordinary resident, this report is about whether the state is doing enough to keep your personal details private and secure.
“Section 2 of EO504 states that it “shall be the policy of the Executive Department of the Commonwealth of Massachusetts to adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information, as defined in Chapter 93H, and personal data, as defined in Massachusetts General Law Chapter 66A, maintained by state agencies.”
The state had policies, training, and reporting in place, but it did not have enough independent checking to prove the protections were actually working.
“As a result, ITD management lacks (1) reliable feedback on the existence and performance of an operational process, activity, or combination of controls and (2) independent review processes to validate agency reports and verify the existence of controls necessary to protect personal information.”
The auditor recommended that ITD build a stronger review program and give agencies better guidance, and ITD generally agreed.
“ITD should establish an adequate assurance program framework to independently assess compliance with the requirements of EO504 and Chapter 93H and 93I of the General Laws, including the adequacy of controls to safeguard personal information.”
The audit is significant because identity theft is costly and widespread, and the state wanted standards at least as strong as private-sector rules.
“WHEREAS, identity theft is a serious crime that, according to current Federal Trade Commission statistics, affects as many as 9 million Americans each year and costs consumers and businesses approximately $52 billion annually;”
EO504 is the state order; ISOs are agency security officers; SAQs are self-audit questionnaires agencies submit about how they protect personal information.
“The agency head and the ISO are required to certify and submit to ITD an Information Security Program (ISP), an Electronic Security Plan (ESP), and a Self-Audit Questionnaire (SAQ) annually on September 19th.”
What the Auditor checked
- Partially Assess ITD compliance with EO504 requirements for guidelines, standards, ISO assignment, self-audits, contract language, and annual reporting.
- Partially Assess agency compliance with EO504 filing, ISO designation, and training requirements.
- Partially Assess the extent to which EO504 helped state government implement controls over personal information.
What the Auditor found
Why it matters: Personal information could be inadequately identified, reported, classified, trained on, or protected, including in hardcopy form and by vendors.
Standard: Executive Order 504 requirements for personal information security, agency reporting, ISO responsibilities, training, and vendor contract controls. ( Executive Order 504; 201 Code of Massachusetts Regulations 17.00; Executive Order 510 )
7 recommendations
- Delinquent agencies should file annual personal information security reports and/or SAQs with ITD, and the CIO should consider remedial action for noncompliant agencies.agency: agreed
- ITD should consider modifying filing requirements where operational responsibility or IT security has transferred outside the agency or systems are shared.agency: agreed
- ITD should continue developing IT security policies and standards and share EO504 control information with other government branches and authorities.agency: agreed
- Agencies should develop a coordinated baseline security training curriculum tailored to agency operations and technology.agency: agreed
- Responsibility and accountability for EO504 internal controls should be evaluated at agency and secretariat levels.agency: agreed
- State agencies should establish a formal ISO transition and training process.agency: agreed
- ITD should develop programs that guide agencies on security methods, controls, and procedures for EO504 compliance.agency: agreed
Agency response & Auditor reply
Agency: "ITD is in general agreement with the recommendations made by the SAO."
Why it matters: ITD lacked reliable feedback and independent validation that agency controls existed and were working to protect personal information.
Standard: Executive Order 504 and Chapters 93H and 93I of the General Laws require protection of personal information and allow ITD to assess agency compliance. ( Executive Order 504; Chapter 93H and Chapter 93I of the General Laws; Executive Order 532 )
4 recommendations
- ITD should establish an assurance framework to independently assess EO504 and Chapter 93H/93I compliance and the adequacy of controls.agency: agreed
- The assurance program should assess EO504 reporting data integrity controls.agency: agreed
- ITD should use risk assessments to select agencies and areas with the greatest risk exposure for review.agency: agreed
- ITD should assess whether agencies verified contractor and subcontractor competency and integrity and limited contractor access to data and systems.agency: agreed
Agency response & Auditor reply
Agency: "ITD is in general agreement with the recommendations made by the SAO."