Reference #: ITD-APP-1.2
Issue #: 2
Revision Date: March 6, 2014
Table of Contents
The Commonwealth must ensure that its investments in information technology result in systems that are sufficiently interoperable to meet the business requirements of its agencies and to effectively serve its constituencies. This policy articulates the importance of open standards compliance for IT investments in the Commonwealth. For the purpose of this policy, open standards is defined as follows:
Open Standards: Specifications for systems that are publicly available and are developed by an open community and affirmed by a standards body. Hypertext Markup Language (HTML) is an example of an open standard. Open standards imply that multiple vendors can compete directly based on the features and performance of their products. It also implies that the existing information technology solution is portable and that it can be removed and replaced with that of another vendor with minimal effort and without major interruption (see current version of the Enterprise Technical Reference Model ).
Secretariats and their respective Agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to the requirements of this supporting policy.
- Executive Department Secretariats and their respective Agencies,  in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), must comply with this policy.
- Executive Department Secretariats and their respective Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and
- Executive Department Secretariats and their respective Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency.
Other Commonwealth entities are encouraged to adopt security requirements in accordance with this policy or a more stringent agency policy that addresses agency-specific directives, laws, and regulations.
Secretariats and their respective Agencies are required to comply with open standards referenced in the current version of the Enterprise Technical Reference Model (ETRM) when evaluating all prospective IT investments and must review existing IT systems for open standards compatibility as well as enhance these systems to achieve open standards compatibility where appropriate. In addition, open standards solutions must be selected when existing systems are to be retired.
Effective and efficient government service delivery requires system integration and data sharing. The Commonwealth’s technology investments must be made based on total cost of ownership and best value to the Commonwealth. Component-based software development based on open standards allows for a more cost-effective “build once, use many times” approach. In order to ensure compliance with this policy the following controls must be put in place:
- EOTSS will review all agency IT Investment Briefs, project plans and service requests for compliance with this policy before granting approvals.
- Agencies must integrate open standards compliance language in all IT bids and solicitations.
All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities for compliance with this policy follow
Assistant Secretary for Information Technology
- The Assistant Secretary for Information Technology has developed mandatory standards and procedures for Secretariats and their respective Agencies to follow before entering into contracts that provide third parties with access to electronic high sensitivity information, including but not limited to personal information or IT systems containing such information.
- The Assistant Secretary for Information Technology is responsible for the approval and adoption of the Enterprise Open Standards Policy and its revisions.
Secretariat Chief Information Officer (SCIO), Agency Head, and Agency Chief Information Officer (CIO)
- SCIOs, Agency Heads, and CIOs are collectively responsible for exercising due diligence in adhering to the requirements contained in this policy, and must either adopt this policy for their agency and/or Secretariat or publish their own in a manner consistent with this policy.
- SCIOs, Agency Heads, and CIOs will collectively provide communication, training and enforcement of this policy that support the security goals of the Secretariat, its agencies and the Commonwealth.
Secretariat or Agency Information Security Officer (ISO)
- Ensure that the goals and requirements of the Enterprise Open Standards Policy are implemented and met.
- Ensure that this policy is communicated to the appropriate parties.
Enterprise Security Board (ESB)
- The Enterprise Security Board will recommend revisions and updates to this policy and related standards.
The Executive Office of Technology Services and Security (EOTSS)
- The Executive Office of Technology Services and Security (EOTSS) will issue revisions and updates to this policy and related standards.
- Third parties are required to comply with agency implementation of this policy.
Primary references that were used in development of this policy include:
Executive Order 504
Additional information referenced includes:
M.G.L., Ch. 93H
M.G.L., Ch. 93I
M.G.L., Ch. 66A
HIPAA Security Rule
HIPAA Privacy Rule
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Executive Office of Technology Services and Security (EOTSS) web site where a full glossary of Commonwealth Specific Terms is maintained.
Entity - An agency, department, secretariat, authority, college or other unit of government of the Commonwealth of Massachusetts.
IT Asset - An IT asset can be a physical IT asset (hardware, network devices, etc.) or a logical IT asset (data, software, licensing, and applications).
Third Party – Private sector companies or individuals that conduct business with MAGNet members.
ETRM-Enterprise Technical Reference Model-is a blueprint for standards that provides the architectural framework for the Enterprise and ultimately is the roadmap to a Service Oriented Architecture for the Commonwealth.
|Date||Action||Effective Date||Next Review Date|
|3/6/2014||Updated – Approved by CCIO||3/6/2014||1/1/2015|
|12/21/15||Accessibility remediation, corrected sections 1-2 numbering – no content changes||2/22/16||1/1/17|