Document Type: Policy (ANF)
Name: Acceptable Use Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/acceptableuse

This document formalizes the policy for employees and contractors ("users") of all agencies under the Executive Office for Administration and Finance on the use of information technology resources ("Agency ITRs"), including computers, printers and other peripherals, programs, data, local and wide area networks, and the Internet. In addition to this policy, individual agencies may choose to issue additional policies governing the use of Agency ITRs. Use of Agency ITRs by any employee or contractor shall constitute acceptance of the terms of this policy and any such additional policies. This policy includes the following sections:

  • User Responsibilities
  • Acceptable Uses
  • Unacceptable Uses of Agency ITRs
  • Data Confidentiality
  • Copyright Protection
  • Computer Viruses
  • Network Security
  • E-mail
  • No Expectation of Privacy
Version: 1.0
Published/Updated: 6/16/1998

Document Type: Policy
Name: Access Control Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/accesscontrol

This policy requires implementation of access controls for:

  • User access
  • Network Access
  • Operating System Access
  • Application and Information Access, and
  • Mobile Access
Version: 1.0
Published/Updated: 5/14/2002

Document Type: Standards
Name: Access Control Standards

For future reference, you may access this policy using: 
http://www.mass.gov/itd/accesscontrolstandards

This document articulates the standards that must be met to comply with the requirements set forth in the Access Control Policy:

  • User access
  • Network Access
  • Operating System Access
  • Application and Information Access, and
  • Mobile Access
Version: 1.0
Published/Updated: 5/14/2012

Document Type: Guidance
Name: Business Continuity for IT Management Framework

This framework is a collection of examples, templates and general guidance that users can refer to during Business Continuity of IT Management planning efforts. A great deal of excellent work, including templates, has already been done in this area by other Commonwealth agencies, their vendors and other authorities in the field. Agencies are advised to review the templates and guidance and to use, re-purpose or modify them as their individual needs indicate.

Version: 1.0
Published/Updated: 6/5/2013

Document Type: Policy
Name: Business Continuity for IT Management Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/businesscontpolicy

This policy articulates requirements that assist management in defining a framework for business continuity and disaster recovery plans, processes, procedures, testing, and reporting mechanisms in place.

Version: 1.0
Published/Updated: 6/5/2013

Document Type: Standards
Name: Business Continuity for IT Management Standards

For future reference, you may access this policy using: 
http://www.mass.gov/itd/businesscontstandards

These standards establish the minimum requirements that must be met to be in compliance with the Enterprise Business Continuity of IT Management Policy.

Version: 1.0
Published/Updated: 6/5/2013

Document Type: Policy
Name: Communications and Operations Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/communicationsandoperations

Agencies are required to implement procedures for managing system activities associated with access to information and information systems, modes of communication, and information processing. Areas that must be addressed include:

  • Securing removable/portable media
  • Data backup 
  • Separation of Duties
  • Data collection and secure disposal of data/media
  • Monitoring system use
  • Audit logging
  • Protection of log information
  • Protection of system documentation
  • Fault logging
  • Antivirus
  • Network controls
  • Clock synchronization
  • Network management controls and services
  • Exchange of information
  • Electronic Commerce
Version: 1.0
Published/Updated: 3/18/2013

Document Type: Standards
Name: Desktop Power Management Standards

For future reference, you may access this policy using: 
http://www.mass.gov/itd/desktoppower

These standards establish minimum power management requirements that will result in significant reductions in the energy consumption of the thousands of Personal Computers (PCs) and workstations used throughout the Commonwealth of Massachusetts Executive Department agencies. Such energy reductions will also result in a significant reduction in energy costs and associated environmental impacts, such as greenhouse gas emissions. Sections of this policy include:

  • Workstation Power Management Requirements
  • Workstation Acquisition and Disposal Requirements
  • Implementation of Power Management Control
  • Relevant Industry References for Power Management
  • Compliance
Version: 1.0
Published/Updated: 9/12/2008

Document Type: Policy
Name: Electronic Messaging Communication Security Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/electronicmessaging

This policy addresses the following areas concerning the use and securing of Electronic Messaging solutions within the Commonwealth:

  • Enterprise Filtering
  • Commonwealth Agency & Organization Filtering
  • Private Email Accounts
  • Instant Messaging
  • Exception Requests
Version: 2.0
Published/Updated: 6/14/2012

Document Type: Architecture
Name: Enterprise Technical Reference Model

For future reference, you may access this policy using: 
http://www.mass.gov/itd/etrm

This document is the blueprint for the technology specifications that make up the architectural framework for the Enterprise and, ultimately, the road map to a Service Oriented Architecture.

Version: 5.1
Published/Updated: 11/18/2011

Document Type: Policy
Name: Information Security Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/informationsecurity

This policy articulates requirements that assist management in defining a framework that establishes a secure environment. This framework provides the overarching structure for safeguarding Information Technology (IT) Resources, achieving confidentiality, integrity and availability of the data and IT Resources used to manage the services provided by Commonwealth agencies, authorities, and business partners.  This policy contains the following sections:

  • Information Security Management Program
  • Risk Assessment
  • Risk Treatment
  • Statement of Applicability
  • Security Policy, Policy Adoption and Documentation Review
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance
Version: 3.0
Published/Updated: 3/7/2014

Document Type: Policy
Name: Enterprise Information Security Organization Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/securityorganization

This policy articulates the requirements that assist management in defining an organizational framework to initiate and control the implementation of information security practices including development and implementation of security policies, standards, and procedures within their respective agencies.

Version: 1.0
Published/Updated: 3/6/2014

Document Type: Standards
Name: Information Security Standards: Data Classification

For future reference, you may access this policy using: 
http://www.mass.gov/itd/dataclassification

The standards provide minimum requirements for:

  • Evaluation and classification of agency data (high, medium or low sensitivity)
  • Assessing the impact of compromise to agency data
  • Establishing security controls commensurate with data classification
Version: 2.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: IT Acquisition Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/itacquisitionpolicy

This policy was developed jointly with the Operational Services Division to ensure that all viable solutions, including those that may not otherwise be represented by IT vendors during the procurement process, are identified and evaluated by Applicable Entities. This policy includes provisions that require entities to: use Enterprise and Secretariat solutions, services or component offerings where available; use existing statewide contracts if an appropriate statewide contract has been established; align acquisitions with applicable enterprise goals and enterprise purchasing targets; and conduct competitive procurements as required by the Operational Services Division.

Version: 2.0
Published/Updated: 12/18/2012

Document Type: Policy
Name: IT Acquisition Security Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/itacquisitionsecurity

This policy states the requirements for evaluating the various security concerns and implications that must be considered whenever the Commonwealth purchases IT goods, services, and/or solutions.

Version: 1.0
Published/Updated: 3/7/2014

Document Type: Standards
Name: IT Accessibility Standards

For future reference, you may access this policy using: 
http://www.mass.gov/itd/enterpriseaccessibilitystandards

The Enterprise IT Accessibility Standards ensure that Massachusetts information technology solutions are available and accessible to people with disabilities.

Version: 3.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: Enterprise IT Security Compliance Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/securitycompliance

This policy defines a framework that supports compliance with the overall information security goals of the Commonwealth including compliance with laws, regulations, policies and standards to which their IT resources and data, including but not limited to personal information, are subject.

Version: 1.0
Published/Updated: 3/6/2014

Document Type: Standards
Name: Enterprise IT Acquisitions Standards

For future reference, you may access this policy using: 
http://www.mass.gov/itd/acquisitionstandards

The Enterprise Information Technology Acquisition Security and Technology Standards provide the detailed standards that all IT acquisitions must adhere to, as required by the IT Acquisition Security Policy and the IT Acquisition Technology Policy.

Version: 1.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: IT Asset and Risk Management Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/assetandriskmanagement

This policy calls for:

  • Periodic reviews of Secretariats' and their respective Agencies' IT (Information Technology) assets
  • Assigning appropriate data classifications and controls
  • Assessment and treatment of risks in order to safeguard those assets
Version: 2.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: Open Standards Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/openstandards

This policy requires:

  • All prospective IT investments to comply with open standards referenced in the current version of the Enterprise Technology Reference Model.
  • Existing IT systems to be reviewed for open standards compatibility and to be enhanced to achieve open standards compatibility where appropriate.
Version: 2.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: Physical and Environmental Security Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/physicalandenvironmentalsecurity

This policy requires implementation of adequate physical and environmental security controls for:

  • Workforce security
  • Least Privilege
  • Visitor Control
  • Facility access and Resource Control
  • Equipment and Environmental Security
  • Equipment Maintenance, and
  • Secure disposal, removal, or reuse of equipment
Version: 2.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: Printer Cartridge Acquisition Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/printercartridgeacquisition

In support of the Patrick-Murray Administration’s Executive Order 515, Establishing an Environmental Purchasing Policy, the Information Technology Division (ITD), in collaboration with the Operational Services Division (OSD), issued this policy to establish requirements for the purchase and recycling of printer toner cartridges. It is aimed at increasing the purchase and use of remanufactured printer cartridges throughout the Commonwealth of Massachusetts Executive Department agencies by 40% during Fiscal Year 2013 (FY13) and by a minimum of 10% annually thereafter.

Version: 1.0
Published/Updated: 10/27/2012

Document Type: Policy
Name: Security Incident Response Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/incidentresponse

Secretariats and their respective agencies are required to implement management controls that result in a consistent and effective approach for addressing incidents that is aligned with Enterprise Policies and Standards. This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.

It is important to note that the term "breach of security" has a special meaning in the Commonwealth's Identity Theft Law, M.G.L., Ch 93H, which is limited to the protection of a small subset of data. Although this policy's requirements regarding security incidents pertain to events that would be defined as "security breaches" under M.G.L., Ch 93H, it also applies to a far broader range of security breaches in that it is not limited to events related to IT systems containing "personal information" as narrowly defined by M.G.L., Ch 93H.

Version: 3.0
Published/Updated: 3/6/2014

Document Type: Procedure
Name: Security Incident Handling Procedures

The purpose of these enterprise procedures is to provide agencies with a procedural framework for handling security incidents and attacks. These procedures document the necessary steps and actions taken to respond effectively to security incidents as well as attack intrusions involving Commonwealth Information Technology (IT) Resources and assets, to ensure effective and consistent methods of reporting and handling such events. Key sections of this procedure include:

  • Security Incident Categorization and Prioritization
  • Security Incident Handling & Reporting:
    • Vital Steps Agencies Must Take When Handling Any Security Incident
  • Attack Intrusion Notification Procedures:
    • Agency/Department Procedure
  • Escalation Procedures
    • Additional Steps Agencies Must Take During Escalated Event
  • Off-Hours Incident Reporting
  • Security Incident Categorization Table
Version: 2.0
Published/Updated: 6/18/2010

Document Type: Policy
Name: Staff IT Security Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/staffitsecuritypolicy

This policy requires implementation of data security controls for staff members to reduce the risk of theft, fraud, or misuse of Commonwealth Information Technology (IT) Resources and sensitive information assets. The policy addresses required controls for the following three periods of engagement with IT Staff:

  • Pre-Employment or Contract Engagement
  • During Employment or Contract Engagement  
  • Termination or Change of Employment or Contract Engagement
Version: 1.0
Published/Updated: 9/30/2011

Document Type: Standards
Name: Web Accessibility Standards

For future reference, you may access this policy using: 
http://www.mass.gov/itd/webaccessibility

These standards are intended for use by all state agencies and their contractors to address accessibility issues in web page design and application development.

Version: 2.0
Published/Updated: 1/2/2005

Document Type: Policy
Name: Website Cookie Policy

For future reference, you may access this policy using: 
http://www.mass.gov/itd/webcookiepolicy

This policy requires:

  • Agency web site privacy policy posted prominently on agency websites
  • Disclosure of the purpose of cookie usage and the information collected via session cookies and/or persistent cookies, and
  • Disclosure of the use of cookies, and the purpose for which agencies are using cookies, in privacy policy and Terms of Use
Version: 2.0
Published/Updated: 3/6/2014

Document Type: Policy
Name: Website Privacy Policies

For future reference, you may access this policy using: 
http://www.mass.gov/itd/webprivacypolicies

This policy requires agencies to adopt, post, and enforce a suitable privacy policy.

Version: 1.0
Published/Updated: 4/27/2001