Table of Contents
This policy describes requirements for all Commonwealth Executive Department Secretariats, Agencies, and Organizations sited within the Massachusetts Access to Government Network (MAGNet) as well as Executive Department Agencies outside of MAGNet for addressing data security considerations involving their staff. It also addresses appropriate information security awareness and training to reduce the risk of theft, fraud, or misuse of Commonwealth Information Technology (IT) Resources and sensitive information assets.
Massachusetts government employees, vendors, contractors and third parties, hereafter referred to as “staff” whose organizational roles and responsibilities require access to and/or administration of IT Resources or involve the processing of sensitive information are subject too administrative, managerial and//or technical safeguards to protect IT Resources and/or confidential or sensitive data from unauthorized access, disclosure, modification, destruction or interference.
For a list of items to be safeguarded please refer to the Enterprise Information Security Standards: Data Classification document and Executive Order 504.
To ensure staff working on IT system secure and safeguard information, the following actions are also necessary:
- Training on security and privacy awareness
- Agency validation that access to information technology or secure information is adjusted promptly to reflect changes in job responsibilities
- Removal of access for other operational/ business reasons as necessary
This policy is organized into the following key sections which map directly to the ISO 27001/27002 Domain security objectives:
- Pre-Employment or Contract Engagement
- During Employment or Contract Engagement
- Termination or Change of Employment or Contract Engagement
This policy applies to all agencies and entities governed by the overarching Enterprise Information Security Policy and requires adherence to requirements of this policy.
- Executive Department Agencies1, in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet),
- Executive Department Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and
- Executive Department Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency. These include, but are not limited to, electronic data collection, storage, processing, disposal, dissemination and maintenance. Third parties that interact in any way with Executive Department Commonwealth IT Resources, e.g. MAGNet, are required to comply with this policy.
Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.
Management of staff information technology security and privacy risks is a requirement and must be considered during all phases of Commonwealth employment and/or contract engagement including prior to, during and post employment and/or contract engagement, and including any change of employment status or contract engagement. The term “staff” includes contract employees, independent contractors, volunteers, interns, temporary employees, trainees, and any persons who will have access to sensitive data.
1. Pre-Employment or Contract Engagement: Secretariats and their respective agencies must implement policies, procedures and processes that support effective communication of this policy’s requirements.
All staff must be screened as appropriate, and when a finalist for a position has been identified, the agency will take appropriate steps to inform the candidate that they will have access to sensitive information and inform them of requirements, conditions and procedures in place to reduce the risk of unauthorized access, use or modification of IT Resources (e.g. theft, fraud or misuse).
1.1. Roles and Responsibilities: Agencies must ensure that staff possesses the requisite skills, knowledge, and experience to effectively perform duties that are essential to meeting the information security requirements of their positions. Those requirements must be included in the job description, job posting or in any detailed description of the services to be provided, such as a statement of work.
Applicant Verification: It is the responsibility of Secretariats and their respective agencies to identify and implement any additional screening procedures and verifications required in any position due to access to Commonwealth IT Resources and sensitive information.
In the event that an information security breach has occurred, agencies are responsible for invoking remedial or disciplinary action as appropriate
1.2. Terms and Conditions: Policies, procedures and acknowledgements must be developed and implemented as part of new staff orientation including:
1.2.1. Confidentiality or non-disclosure agreements to prevent disclosure of restricted or classified information except as delineated in any agreement/contract for services;
1.2.2. Procedures and requirements for the proper return or destruction of restricted information upon termination of employment or completion of contractual obligations;
1.2.3. Compliance and adherence to federal and state laws, regulations Executive Orders, and policies including those regarding privacy and security, including but not limited to Executive Order 504 and the Acceptable Use of Information Technology Policy.
2. Employment: Secretariats and their respective agencies are responsible for defining and articulating management responsibilities that will support the security goals of the organization and the Enterprise throughout the term of an individual’s employment and/or contract engagement.
2.1. Management Responsibilities: It is the responsibility of each agency to:
2.1.1.Conduct position and duty related IT security related risk assessments for each position as the job description and job posting are created.
2.1.2.Inform and continuously update individuals for whom they are responsible of applicable information security requirements, responsibilities, policies and procedures.
2.1.3.Validate that appropriate and timely removal or alteration of physical and logical access mechanisms to IT Resources and assets have been completed based on any change in duties or employment or engagement status for any of their staff.
2.2. Information Security Awareness and Training: Secretariats and their respective agencies are required to provide appropriate awareness training and regular updates pursuant to this policy. In addition, the Information Security Officer (ISO), in collaboration with the Human Resource Training staff, will ensure all staff participate in mandatory EO 504 training and will develop other security training's as required. Security related trainings will be continuously evaluated and updated to meet the changing needs of the organization’s information security requirements.
3. Termination or Change of Employment or Contract Engagement: In instances where any Commonwealth staff is voluntarily or involuntarily terminated from employment or is on an extended leave of absence, it is the respective agency’s responsibility to immediately implement steps to terminate access and privileges as appropriate. Further, it is each agency’s responsibility to ensure they implement and maintain documented procedures to review all access and privileges to data, IT Resources, networks, and facilities and implement appropriate procedures and to ensure the return of all equipment and devices.
All Secretariats and respective Agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities associated with implementation and compliance with this policy follow:
Assistant Secretary for Information Technology
- Require all staff to attend mandatory information security training and incorporate training as part of the orientation program provided to new employees
- Develop mandatory standards and procedures that Commonwealth entities subject to this policy must apply before entering into contracts that will provide third parties with access to high sensitivity electronic information which includes but is not limited to personal information or IT systems containing such information
- Approve and adopt this policy and its revisions
Secretariat Chief Information Officer (SCIO)
- Exercise due diligence in adhering to the requirements contained in this policy
- Provide communication, training and enforcement of this policy that supports the security goals of the Secretariat, its agencies and the Commonwealth
- Provide proper third party oversight as applicable for access to and communication with agency IT Resources including applications and information assets
Secretariat or Agency Information Security Officer (ISO)
- Ensure that the goals and requirements of this policy are implemented
Enterprise Security Board (ESB)
- Recommend revisions and updates to this policy and related standards
The Executive Office of Technology Services and Security (EOTSS) and Human Resources Division (HRD)
- issue joint revisions and updates to this policy
Secretariat or Agency Human Resources Directors
- Incorporate and maintain information security awareness, training and risk assessments into the creation of affected positions, employee orientation and on-going position management
- Conduct background verification checks and applicant screening for effected positions as appropriate to safeguard and protect information technology security in accordance with this policy
- Comply with the requirements of this policy and any additional policies or requirements established by the Enterprise and/or each individual agency to ensure information security including:
- Attest and certify that they have received and understand security documents pertaining to EO 504
- Review and comply with all information security programs, plans, guidelines, standards and policies that apply to the work they will be performing
- Implement and maintain any other reasonable and appropriate security procedures and practices necessary to protect sensitive information
- Communicate such provisions and enforce provisions with subcontractors, if applicable
Primary references that were used in development of this policy include: ISO 27001 Executive Order 504
Additional information referenced includes: M.G.L., Ch. 93H M.G.L., Ch. 93I M.G.L., Ch. 66A ISO 27002 CobiT ITIL HIPAA Security Rule
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the A&F portal where a full glossary of <strong>Commonwealth Specific Term</strong> s is maintained.
Staff - Staff include contract employees, independent contractors, volunteers, interns, temporary employees, trainees, and any persons who will have access to sensitive data, whose conduct, in the performance of work for a Commonwealth entity, is under the direct control of the entity, whether or not they are paid by the entity.
|Date||Action||Effective Date||Next Review Date|
|09/27/2011||Enterprise Staff Information Technology Security Policy||09/30/2011||10/1/12|
|12/22/15||Accessibility remediation – no content changes||2/22/16||1/1/17|
 The Executive Department is comprised of the Executive Branch minus the Constitutional Offices, i.e., the State Auditor, State Treasurer, the Attorney General, and the Secretary of the Commonwealth.