  • Enterprise Communications and Operations Management Policy

    This policy articulates requirements that assist management in defining a framework that establishes secure agency Information Technology (IT) environments.

  • Enterprise Electronic Messaging Communications Security Policy

    This policy focuses on the specific category of electronic messaging communication (e.g., email and instant messaging (IM)) and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.

  • Information Security Policy

    This policy articulates requirements that assist management in defining a framework that establishes a secure environment for services provided by Commonwealth agencies, authorities, and business partners.

  • Enterprise Information Security Standards: Data Classification

    The purpose of this document is to identify the minimum standards that agencies must adopt for the appropriate classification of data and the ongoing management of that classification. Classification of data is a critical part of data management, which includes planning and implementing comprehensive and responsible information security practices. This document describes a standard data classification scheme, the required considerations for classification, risk assessment, security control requirements, and data management and lifecycle requirements.

  • Enterprise IT Asset and Risk Management Policy

    This policy articulates requirements for performing periodic reviews of Secretariats' and their respective Agencies' IT (Information Technology) assets, determining appropriate data classifications and controls, and assessing and reacting to risks in order to safeguard those assets.

  • Enterprise IT Security Incident Response Policy

    This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.

  • Enterprise Physical & Environmental Security Policy

    This document articulates requirements that management must address in defining a policy to implement adequate physical and environmental security controls at Secretariats and their respective Agencies or Contractors’ facilities to secure and protect information assets, infrastructure and Information Technology (IT) resources.

  • Enterprise Security Incident Handling Procedures

    A link to CommonWiki (requires a login) that outlines the Incident Handling Procedures.

  • Enterprise Staff Information Technology Security Policy

    This policy describes requirements for all Commonwealth Executive Department Secretariats, Agencies and Organizations sited within the Massachusetts Access to Government Network (MAGNet) as well as Executive Department Agencies outside of MAGNet for addressing data security considerations involving their staff.

  • Enterprise Website Cookie Policy

    Cookies are small text files which are downloaded to your personal computer, mobile, or other device when you visit a website. This policy updates the provisions of the Executive Department's "Requirements of Agency Web Site Privacy Policies" which pertain to use of cookies.

  • Enterprise Access Control Policy

    This policy articulates the access controls that are required to meet the security objectives of the Enterprise Information Security Policy. Access control management is paramount to protecting Commonwealth Information Technology (IT) Resources and requires implementation of controls and continuous oversight to restrict access.