

Reference #: ITD-APP-1.2

Issue #: 2

Revision Date: March 6, 2014


Table of Contents


Executive Summary

Who This Policy Applies To

Policy Statement

Roles and Responsibilities

Related Documents

Contact

Terms

Document History


Executive Summary

The Commonwealth must ensure that its investments in information technology result in systems that are sufficiently interoperable to meet the business requirements of its agencies and to effectively serve its constituencies. This policy articulates the importance of open standards compliance for IT investments in the Commonwealth. For the purpose of this policy, open standards is defined as follows:

Open Standards: Specifications for systems that are publicly available and are developed by an open community and affirmed by a standards body. Hypertext Markup Language (HTML) is an example of an open standard. Open standards imply that multiple vendors can compete directly based on the features and performance of their products. It also implies that the existing information technology solution is portable and that it can be removed and replaced with that of another vendor with minimal effort and without major interruption (see current version of the Enterprise Technical Reference Model).


Who This Policy Applies To

Secretariats and their respective Agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to the requirements of this supporting policy.

  • Executive Department Secretariats and their respective Agencies, [1] in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), must comply with this policy.
  • Executive Department Secretariats and their respective Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and
  • Executive Department Secretariats and their respective Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency. 

Other Commonwealth entities are encouraged to adopt security requirements in accordance with this policy or a more stringent agency policy that addresses agency-specific directives, laws, and regulations.

Policy Statement

Secretariats and their respective Agencies are required to comply with open standards referenced in the current version of the Enterprise Technical Reference Model (ETRM) when evaluating all prospective IT investments and must review existing IT systems for open standards compatibility as well as enhance these systems to achieve open standards compatibility where appropriate. In addition, open standards solutions must be selected when existing systems are to be retired.

Effective and efficient government service delivery requires system integration and data sharing. The Commonwealth’s technology investments must be made based on total cost of ownership and best value to the Commonwealth. Component-based software development based on open standards allows for a more cost-effective “build once, use many times” approach. In order to ensure compliance with this policy the following controls must be put in place:

  • ITD will review all agency IT Investment Briefs, project plans and service requests for compliance with this policy before granting approvals.
  • Agencies must integrate open standards compliance language in all IT bids and solicitations.

Roles and Responsibilities

All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities for compliance with this policy follow:

Assistant Secretary for Information Technology

  • The Assistant Secretary for Information Technology has developed mandatory standards and procedures for Secretariats and their respective Agencies to follow before entering into contracts that provide third parties with access to electronic high sensitivity information, including but not limited to personal information or IT systems containing such information.
  • The Assistant Secretary for Information Technology is responsible for the approval and adoption of the Enterprise Open Standards Policy and its revisions.

Secretariat Chief Information Officer (SCIO), Agency Head, and Agency Chief Information Officer (CIO)

  • SCIOs, Agency Heads, and CIOs are collectively responsible for exercising due diligence in adhering to the requirements contained in this policy, and must either adopt this policy for their agency and/or Secretariat or publish their own in a manner consistent with this policy.
  • SCIOs, Agency Heads, and CIOs will collectively provide communication, training and enforcement of this policy that support the security goals of the Secretariat, its agencies and the Commonwealth.

Secretariat or Agency Information Security Officer (ISO)

  • Ensure that the goals and requirements of the Enterprise Open Standards Policy are implemented and met.
  • Ensure that this policy is communicated to the appropriate parties.

Enterprise Security Board (ESB)

  • The Enterprise Security Board will recommend revisions and updates to this policy and related standards.

Information Technology Division (ITD)

  • The Information Technology Division will issue revisions and updates to this policy and related standards.

Third parties

  • Third parties are required to comply with agency implementation of this policy.

Related Documents

Primary references that were used in development of this policy include:

ISO 27001

ISO 27005

Enterprise IT Acquisition Policy

ETRM

Enterprise Information Security Policy

Executive Order 504

Additional information referenced includes:

M.G.L., Ch. 93H

M.G.L., Ch. 93I

M.G.L., Ch. 66A

ISO 27002

CobiT

ITIL

HIPAA Security Rule

HIPAA Privacy Rule


Contact

Standards@state.ma.us

Terms

Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Information Technology Division’s web site where a full glossary of Commonwealth Specific Terms is maintained.

Entity - An agency, department, secretariat, authority, college or other unit of government of the Commonwealth of Massachusetts.

IT Asset - An IT asset can be a physical IT asset (hardware, network devices, etc.) or a logical IT asset (data, software, licensing, and applications).

Third Party - Private sector companies or individuals that conduct business with MAGNet members.

ETRM (Enterprise Technical Reference Model) - A blueprint for standards that provides the architectural framework for the Enterprise and ultimately is the roadmap to a Service Oriented Architecture for the Commonwealth.


Document History

Date         Action                        Effective Date   Next Review Date
01/13/2004   ITD-APP-01 Published          01/13/2004       01/13/2004
01/23/12     Reviewed                      1/31/12          1/23/13
3/6/2014     Updated – Approved by CCIO    3/6/2014         1/1/2015



[1] The Executive Department is comprised of the Executive Branch minus the Constitutional Offices, i.e., the State Auditor, State Treasurer, the Attorney General, and the Secretary of the Commonwealth. While the Governor’s Office is also a Constitutional Office, it is covered by all ITD standards and policies.