Offered by the Office of the State Auditor

MRB had Inadequate Controls to Process Personally Identifiable Information

Audit found that MRB did not adhere to guidelines in place for processing personal information.


Overview

MRB did not have adequate controls in place to process personally identifiable information (PII). MassIT and MassDOT both have guidelines in place for agencies and sub-agencies to follow, but MRB did not adhere to some of these guidelines. By not following these guidelines, MRB increases the risk that PII may be compromised and used inappropriately.

MRB did not have Policies and Procedures to Classify Data and Maintain a Data Inventory

We requested from MRB management a copy of its policies and procedures for data classification and for maintaining a data inventory, but MRB had no such policies or procedures. Without policies and procedures to guide data classification and the data inventory process, MRB cannot determine what data is missing or has been lost.


Authoritative Guidance

MassIT’s Enterprise IT Security Compliance Policy states,

Agencies must develop and implement uniform policies and standards that meet the compliance requirements associated with the sensitivity classification of their data as articulated in the Enterprise Information Security Standards: Data Classification.

Furthermore, MassIT’s Enterprise IT Asset and Risk Management Policy states,

Secretariats and their respective Agencies must maintain an inventory of IT assets which consist of physical IT assets (hardware, network devices, etc.) and logical IT assets (data, software, licensing, and applications). [Emphasis added.]

Reasons for Noncompliance

MRB management told us that they were not aware that they were responsible for developing data classification and data inventory procedures. They instead assumed that MassDOT IT was responsible.

Employees did not Receive Information Technology Security Training Before Receiving Access to ALARS

In reviewing the training logs for four employees hired during the audit period (a group that included full-time employees, interns, and contractors), we found that three of them received access to ALARS even though they had not completed security awareness training during the onboarding process. Insufficient security awareness may lead to user error and compromise the integrity and security of protected information in MRB systems.


Authoritative Guidance

Massachusetts Executive Order 504 states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. [Emphasis added.]

Reasons for Noncompliance

MassDOT’s ISP did not define a required timeline for completing security awareness training.

Recommendations

  1. MRB should consult with MassDOT to develop policies and procedures to classify and inventory its data, so that it can identify what data is affected in case of loss or corruption. In addition, a periodic review should be put in place to ensure that this procedure occurs regularly.
  2. MRB should ensure that all new employees receive security awareness training during the onboarding process, before they receive access to MRB systems.

Auditee’s Response

The Merit Rating Board has no control over data classification or data inventory. We are totally dependent on MASSDOT IT to control and maintain the ALARS database. These deficiencies in these policies and procedures will be directed towards MASSDOT IT. . . .

The Merit Rating Board will work with MASSDOT IT for security training prior to employees receiving access to ALARS.

Auditor’s Reply

We acknowledge that it is MassDOT IT’s responsibility to control and maintain the ALARS database. However, MRB also needs to work with MassDOT IT and provide it with the information necessary for MassDOT IT to effectively administer this process. This is why we recommend that MRB consult with MassDOT to develop policies and procedures to classify and inventory its data in case of loss or corruption.

Based on its response, MRB is taking some measures to address our concerns in this area.

Date published: February 1, 2018
