- The Enterprise Access Control Policy effort has been a comprehensive effort to consolidate and reorganize many of the Commonwealth's Enterprise security access policies and standards and align them with the structure of Section 11 "Access Control" of ISO/IEC 27002:2005, "Information technology - Security techniques - Code of practice for information security management". The Enterprise Access Control Policy and its supporting standard, the Enterprise Access Control Security Standards, have been drafted together as a suite with sections that are aligned with each other as well as with ISO 27k. The Policy is generally higher level and relies on the associated Standards to elaborate into the detail required for further technical use. All Executive Department agencies are required to comply with this policy and the supporting standards, as is any agency or third party that connects to the Commonwealth's wide area network (MAGNet). Entities outside the Executive Department are encouraged to adopt these or similar policies and standards. This policy is effective as of the date of publication.
- This policy articulates requirements that assist management in defining a framework that establishes secure agency Information Technology (IT) environments.
- This policy focuses on the specific category of electronic messaging (i.e., email, instant messaging (IM), etc.) communication and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.
- This policy articulates requirements that assist management in defining a framework that establishes a secure environment for the services provided by Commonwealth agencies, authorities, and business partners.
- The purpose of this document is to identify the minimum standards that agencies must adopt for the appropriate classification of data and the ongoing management of that classification. Classification of data is a critical part of data management, which includes planning and implementing comprehensive and responsible information security practices. This document describes a standard data classification scheme, the required considerations for classification, risk assessment, security control requirements, and data management and lifecycle requirements.
- This policy articulates requirements for performing periodic reviews of Secretariats' and their respective Agencies' IT (Information Technology) assets, determining appropriate data classifications and controls, and assessing and reacting to risks in order to safeguard those assets.
- This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.
- This document articulates requirements that management must address in defining a policy to implement adequate physical and environmental security controls at Secretariats and their respective Agencies' or Contractors' facilities to secure and protect information assets, infrastructure and Information Technology (IT) resources.
- A link to CommonWiki (requires a login) that outlines the Incident Handling Procedures.
- This policy describes requirements for all Commonwealth Executive Department Secretariats, Agencies and Organizations sited within the Massachusetts Access to Government Network (MAGNet), as well as Executive Department Agencies outside of MAGNet, for addressing data security considerations involving their staff.