- Enterprise Access Control Security Policies and Standards
- Enterprise Business Continuity Management Policy & Standards
- Enterprise Communications and Operations Management Policy
- Enterprise Electronic Messaging Communications Security Policy
This policy focuses on the specific category of electronic messaging communication (e.g., email and instant messaging (IM)) and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.
- Enterprise Information Security Standards: Data Classification
The purpose of this document is to identify the minimum standards that agencies must adopt for the appropriate classification of data and the ongoing management of that classification. Classification of data is a critical part of data management which includes planning and implementing comprehensive and responsible information security practices. This document describes a standard data classification scheme, the required considerations for classification, risk assessment, security control requirements and data management and lifecycle requirements.
- Enterprise IT Asset and Risk Management Policy
This policy articulates requirements for performing periodic reviews of Secretariats' and their respective Agencies' IT (Information Technology) assets, determining appropriate data classifications and controls, and assessing and reacting to risks in order to safeguard those assets.
- Enterprise IT Security Incident Response Policy
This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.
- Enterprise Physical & Environmental Security Policy
This document articulates requirements that management must address in defining a policy to implement adequate physical and environmental security controls at Secretariats and their respective Agencies or Contractors’ facilities to secure and protect information assets, infrastructure and Information Technology (IT) resources.
- Information Security Policy
This policy articulates requirements that assist management in defining a framework that establishes a secure environment for services provided by Commonwealth agencies, authorities, and business partners.
- Enterprise Security Incident Handling Procedures
A link to CommonWiki (requires a login) that outlines the Incident Handling Procedures.
- Enterprise Staff Information Technology Security Policy
This policy describes requirements for all Commonwealth Executive Department Secretariats, Agencies and Organizations sited within the Massachusetts Access to Government Network (MAGNet) as well as Executive Department Agencies outside of MAGNet for addressing data security considerations involving their staff.
- Website Privacy Policies