  • Enterprise Access Control Security Policies and Standards

    The Enterprise Access Control Policy effort has been a comprehensive effort to consolidate and reorganize many of the Commonwealth’s Enterprise security access policies and standards and align them with the structure of Section 11 “Access Control” of the ISO/IEC 27002:2005, “Information technology - Security techniques - Code of practice for information security management”. The Enterprise Access Control Policy and its supporting standard, the Enterprise Access Control Security Standards, have been drafted together as a suite with sections that are aligned with each other as well as with ISO 27k. The Policy is generally higher level and relies on the associated Standards to provide the detail required for further technical use. All Executive Department agencies, as well as any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), are required to comply with this policy and the supporting standards. Entities outside the Executive Department are encouraged to adopt these or similar policies and standards. This policy is effective as of the date of publication.
  • Enterprise Communications and Operations Management Policy

    This policy articulates requirements that assist management in defining a framework that establishes secure agency Information Technology (IT) environments.

  • Enterprise Electronic Messaging Communications Security Policy

    This policy focuses on the specific category of electronic messaging (i.e., email, instant messaging (IM), etc.) communication and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.
  • Information Security Policy

    This policy articulates requirements that assist management in defining a framework that establishes a secure environment for services provided by Commonwealth agencies, authorities, and business partners.

  • Enterprise Information Security Standards: Data Classification

    The purpose of this document is to identify the minimum standards that agencies must adopt for the appropriate classification of data and the ongoing management of that classification. Classification of data is a critical part of data management which includes planning and implementing comprehensive and responsible information security practices. This document describes a standard data classification scheme, the required considerations for classification, risk assessment, security control requirements and data management and lifecycle requirements.

  • Enterprise IT Asset and Risk Management Policy

    This policy articulates requirements for performing periodic reviews of Secretariats' and their respective Agencies' IT (Information Technology) assets, determining appropriate data classifications and controls, and assessing and reacting to risks in order to safeguard those assets.
  • Enterprise IT Security Incident Response Policy

    This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.
  • Enterprise Physical & Environmental Security Policy

    This document articulates requirements that management must address in defining a policy to implement adequate physical and environmental security controls at Secretariats and their respective Agencies or Contractors’ facilities to secure and protect information assets, infrastructure and Information Technology (IT) resources.

  • Enterprise Security Incident Handling Procedures

    A link to CommonWiki (requires a login) that outlines the Incident Handling Procedures.

  • Enterprise Staff Information Technology Security Policy

    This policy describes requirements for all Commonwealth Executive Department Secretariats, Agencies and Organizations sited within the Massachusetts Access to Government Network (MAGNet) as well as Executive Department Agencies outside of MAGNet for addressing data security considerations involving their staff.  

  • Enterprise Website Cookie Policy

    Cookies are small text files which are downloaded to your personal computer, mobile, or other device when you visit a website. This policy updates the provisions of the Executive Department's "Requirements of Agency Web Site Privacy Policies" which pertain to use of cookies.