Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Massachusetts Housing Finance Agency

January 26, 2017 · Read the full official report (PDF) ↗

Published January 26, 2017 Audit covers July 1, 2014 – December 31, 2015; extended to April 14, 2016 in the area of asset inventory Under Suzanne M. Bump · 2011–2023

In plain English
Auditors found several weaknesses in MassHousing's information technology controls, including planning, policies, disaster recovery, asset tracking, security training, and backups. The public report leaves out two cybersecurity-sensitive findings.
source
“Our audit of MHFA identified seven findings, but only five are disclosed in this public report.”
Read the plain-English breakdown
What is this?

This is a public version of a Massachusetts State Auditor audit of MassHousing's IT controls for July 1, 2014 through December 31, 2015.

“I am pleased to provide this information technology general control audit of the Massachusetts Housing Finance Agency.”
Why was it audited?

The audit looked at whether MassHousing had enough IT controls to protect systems, data, and operations that support its work.

“The objective of ITGCs is to ensure the confidentiality, integrity, and availability of systems, programs, data files, and computer operations in an organization.”
Why it matters

Weak IT governance can mean daily technology work may not line up with the agency's broader mission or protect data well enough.

“As a result, there is an increased risk that day-to-day IT operations do not support its overall strategies and objectives.”
What's in it for me?

If you are a Massachusetts resident, borrower, homeowner, employee, or someone whose information is handled by MassHousing, weak data controls can increase the risk that personal or confidential information is mishandled.

“Compromise of personal and confidential data can seriously damage the mission, safety, or integrity of an agency and its staff.”
The bottom line

The main takeaway is that MassHousing had important gaps in how it managed and protected IT systems and protected information.

“MassHousing did not have sufficient controls over the security and confidentiality of protected information.”
What happens next

MassHousing received recommendations and is responsible for acting on them; the agency said it was already taking or planning steps in several areas.

“In accordance with Sections 7.39–7.43 of the Government Accountability Office’s Government Auditing Standards, as well as the policies of the Office of the State Auditor, for reporting confidential and sensitive information, we have given a separate full report to MFHA, which will be responsible for acting on our recommendations.”
Why it's significant

MassHousing is a major public housing finance agency, so weaknesses in its technology controls matter because the agency supports billions of dollars in affordable housing work.

“Since its inception, it has provided more than $18.5 billion for affordable housing.”
Jargon, unpacked

ITGCs means basic technology safeguards that apply across an organization, such as backup controls, access controls, disaster recovery, asset tracking, and data protection.

“ITGCs are a subset of internal controls that are applied to every information technology (IT) system that an organization relies on and to the IT staff that administers those systems.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

MassHousing lacked a complete IT governance framework.
cybersecurityinternal controlsdata privacyrecordkeeping/documentation

Why it matters: Day-to-day IT operations may not support MassHousing's overall strategies and objectives, increasing risks such as lost productivity, inadequate data protection, miscommunication, and insufficient protection of personal and confidential data.

Standard: COBIT 4.1 Sections PO1, PO2, and PO4; MassIT Enterprise IT Asset and Risk Management Policy ( Section PO1 in Control Objectives for Information and Related Technologies (COBIT) 4.1; Section PO4 of COBIT 4.1; Massachusetts Office of Information Technology Enterprise IT Asset and Risk Management Policy )

3 recommendations
  • MassHousing should formally document an IT strategic plan to manage and direct all IT resources in line with its business strategies and objectives.agency: disagreed
  • MassHousing should modify its ISP and create policies to include all functions such as physical access security, retention and restoration of data, and data classification.agency: disagreed
  • MassHousing should perform a data inventory and develop a data-classification scheme.agency: disagreed
Agency response & Auditor reply
Agency: "MassHousing respectfully disagrees with the State Auditor’s assessment that we have not “established adequate internal controls to support the agency’s mission critical and essential application systems” in seven out of eight audit objectives."
Auditor: "Although MassHousing asserts that it maintains robust internal controls and effectively manages risks related to IT, our audit identified significant problems with the agency’s IT controls."
MassHousing did not adequately oversee service providers for disaster recovery and backup media.
cybersecurityvendor oversightprocurement/contractsinternal controlsrecordkeeping/documentation

Why it matters: Restoration of technology operations could be delayed in a disaster, potentially causing financial loss and reputational damage.

Standard: MassHousing Disaster Recovery and Incident Management Team Plan; COBIT 4.1 Section DS1; MassHousing ISP Section IV(C) ( MassHousing’s Disaster Recovery and Incident Management Team Plan; Section DS1 of COBIT 4.1; Section IV(C) of MassHousing’s ISP )

4 recommendations
  • MassHousing should conduct and document an annual disaster-recovery test, including testing of mission-critical applications and recovery resources with all employees at the hot site.agency: partially agreed
  • MassHousing should repair or replace the Incident Management Team laptop.agency: already implemented
  • MassHousing should review and update the contract for service of backup media and implement a control to periodically review and update all service-provider contracts, including reviews and updates when there is a change in ownership.agency: already implemented
  • MassHousing should establish policies and procedures that require the appropriate agency staff members to periodically request and review the SOC 2 Type 2 report from the contractor that administers its service provider’s data center.agency: partially agreed
Agency response & Auditor reply
Agency: "MassHousing has successfully tested its abilities to retrieve electronic data for continued operations at its disaster (hot) site, with the last test during the audit period occurring in March 2015."
MassHousing did not ensure employees completed security training and signed ISP acknowledgments before accessing protected information.
cybersecuritydata privacyinternal controlsrecordkeeping/documentation

Why it matters: Protected information was not properly safeguarded against possible misuse.

Standard: Massachusetts Executive Order 504; MassHousing ISP Section III(A); NIST Special Publication 800-53 Revision 4 Appendix F ( Massachusetts Executive Order 504; Section III(A) of MassHousing’s ISP; Appendix F of Revision 4 of NIST’s Special Publication 800-53 )

3 recommendations
  • MassHousing should train the new employees who have not completed security training.agency: agreed
  • MassHousing should review the training log periodically and implement appropriate controls to ensure that all employees are trained before they are given access to protected information.agency: agreed
  • MassHousing should establish and implement effective policies, procedures, and monitoring controls to ensure that all employees, contractors, and interns sign acknowledgment forms before they are given access to protected information.agency: agreed
Agency response & Auditor reply
Agency: "Management is planning to implement a process to ensure initial, day-one security awareness training for all new hires with access to our IT network by October 31, 2016."
Auditor: "MassHousing’s implementation and documentation of IT security training for all employees, temporary personnel, and contractors who have access to its systems is key to ensuring that its systems are properly safeguarded."
MassHousing used a shared system account to control its backup schedule.
cybersecurityinternal controlsdata privacy

Why it matters: The system could not establish accountability for backup schedule changes, increasing the risk that configuration settings could be changed without detection and cause loss of files and data.

Standard: COBIT 4.1 Section DS5 ( Section DS5 of COBIT 4.1 )

2 recommendations
  • MassHousing should establish access-security policies that state the requirements for managing accounts.agency: already implemented
  • MassHousing should add the user accounts of the staff members who are responsible for the backup schedule to the backup operation group.agency: already implemented
Agency response & Auditor reply
Agency: "MassHousing IT has made the appropriate changes to the backup operations group, and each system-level account is held by an individual IT Division employee."
Auditor: "We believe MassHousing is taking the appropriate steps to control its backup schedule adequately."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Housing Finance Agency .

See this entity's page with all 3 audits →