Audit of MassHire Department of Career Services

Our office has conducted a performance audit of the MassHire Department of Career Services (MDCS) for the period July 1, 2022 through June 30, 2023.

Organization: Office of the State Auditor
Date published: May 27, 2025

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the MassHire Department of Career Services (MDCS) for the period July 1, 2022 through June 30, 2023.

The purpose of this performance audit was to determine whether MDCS’s website, as well as its career centers and JobQuest websites, adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility. Adherence to WCAG helps ensure that all users, regardless of ability, can access the content and functions of MDCS’s website.

Additionally, we determined whether MDCS and its career centers have an information classification policy, procedures for disposing information, and a business impact analysis or risk assessment to classify its information systems. We also evaluated whether access to personally identifiable information (PII) is restricted solely to individuals with a legitimate business need. These information technology (IT) governance practices are critical because they form the foundation of a robust security framework, ensuring compliance with data protection regulations and minimizing the risk of unauthorized access or breaches.

Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.

  
Finding 1
 
The MDCS website is not fully accessible for all Massachusetts residents and users.
Effect

This lack of accessibility not only impacts user experience but also undermines MDCS’s ability to provide equitable access and digital inclusiveness.
Recommendations
 
  1. MDCS should implement a policy to review its webpages periodically for WCAG 2.1 compliance.
  2. MDCS should collaborate with the Executive Office of Technology Services and Security (EOTSS) to develop a web maintenance schedule to review and update incorrect language tags and improper reflow on a periodic basis (e.g., quarterly or semiannually).
  3. MDCS should assign designated staff members to oversee accessibility compliance and website updates.
Finding 2
 
MDCS career centers’ websites are not fully accessible for all Massachusetts residents and users.
Effect

Common effects of noncompliance with WCAG 2.1 are listed below.

  • Improper reflow when zoomed in to 200% or 400% can significantly impact users with visual impairments who rely on zoom functionality to read and navigate content.
  • Broken or faulty hyperlinks limit users from having equitable access to critical information and key online services offered by MDCS. They also increase the likelihood that Massachusetts residents and users may either access outdated or incorrect information or be directed to webpages that no longer exist.
  • When hyperlinks are not identifiable because of poor color contrast or a lack of other distinguishable visual cues (e.g., underlining, bolding, color differentiation, or hover effects), users may struggle to identify interactable elements within a body of text. This may also result in users missing a hyperlink that could have provided them with important information.
  • When keyboard accessibility is limited (e.g., users cannot tab through the webpage), those with mobility issues may be unable to access certain features or content.
  • If users are not informed of errors when inputting data, then they may be unable to identify their errors and retrieve the content they need.

This lack of accessibility not only impacts user experience but also undermines MDCS’s ability to provide equitable access and digital inclusiveness.

Recommendations
 
  1. MDCS should implement and enforce a policy for its career centers to review their webpages periodically for WCAG 2.1 compliance.
  2. MDCS should collaborate with EOTSS and the career centers to develop a web maintenance schedule to review and update their webpages on a periodic basis (e.g., quarterly or semiannually).
  3. MDCS should require its career centers to assign designated staff members to oversee accessibility compliance and website updates.
Finding 3
 
The MDCS JobQuest website is not fully accessible for all Massachusetts residents and users.
Effect

Common effects of noncompliance with WCAG 2.1 are listed below.

  • Improper reflow when zoomed in to 200% or 400% can significantly impact users with visual impairments who rely on zoom functionality to read and navigate content.
  • Broken or faulty hyperlinks limit users from having equitable access to critical information and key online services offered by MDCS. They also increase the likelihood that Massachusetts residents may either access outdated or incorrect information or be directed to webpages that no longer exist.
  • When hyperlinks are not identifiable because of poor color contrast or a lack of other distinguishable visual cues (e.g., underlining, bolding, color differentiation, or hover effects), users may struggle to identify interactable elements within a body of text. This may also result in users missing a hyperlink that could have provided them with important information.
  • When keyboard accessibility is limited (e.g., users cannot tab through the webpage), those with mobility issues may be unable to access certain features or content.
  • Keyboard traps may cause a user with mobility issues to become stuck on certain elements of the webpage.
  • Webpages without bypass blocks make it difficult for users who rely on screen readers or the keyboard for navigation to jump past repetitive content such as menus, headers, or sidebars and access the main content directly.
  • Webpages without titles can cause users with a screen reader to lose comprehension of what the webpage is.
  • A missing or incorrect language tag can create accessibility challenges, particularly for screen readers, which rely on the correct language attribute to provide accurate pronunciation and interpretation of the text.
  • Interactive elements (e.g., buttons) that lack clear labels may make it difficult for users with screen readers to understand that the content is clickable.

This lack of accessibility not only impacts user experience but also undermines MDCS’s ability to provide equitable access and digital inclusiveness.

Recommendations
 
  1. MDCS should ensure that its third-party contractor is in compliance with WCAG 2.1. For example, MDCS can request accessibility statements and reports from its third-party contractor to review for compliance.
  2. MDCS should work with its third-party contractor to develop a web maintenance schedule to periodically (e.g., quarterly or semiannually) review and update JobQuest webpages that are noncompliant with WCAG 2.1.
  3. MDCS should assign designated staff members to oversee the accessibility compliance of all webpages on the JobQuest website.
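An added illustration, not tooling used by the Office of the State Auditor, MDCS or its contractor, of how several of the items listed under this finding can be screened for before a page is published: a small Python checker built on the standard library's html.parser that flags a missing lang attribute, a missing page title, the absence of an early in-page skip link (bypass block), and links or buttons with no accessible name. The sample page, its URLs and the "first three links" skip-link heuristic are constructed assumptions; this is a screening aid, not a WCAG 2.1 conformance test.

```python
from html.parser import HTMLParser

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.lang, self.title = "", ""
        self.anchors, self.buttons = [], []  # (href, name) pairs and button names
        self._open = []  # open <title>/<a>/<button>: [tag, href, accessible name]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.lang = (a.get("lang") or "").strip()
        if tag in ("title", "a", "button"):  # an aria-label counts toward the name
            self._open.append([tag, a.get("href", ""), a.get("aria-label") or ""])
        elif tag == "img" and self._open:  # alt text names the enclosing link/button
            self._open[-1][2] += a.get("alt") or ""

    def handle_data(self, data):
        if self._open:
            self._open[-1][2] += data

    def handle_endtag(self, tag):
        if self._open and self._open[-1][0] == tag:
            _, href, name = self._open.pop()
            if tag == "title":
                self.title = name
            elif tag == "a":
                self.anchors.append((href, name))
            else:
                self.buttons.append(name)

def check_page(html):  # returns the WCAG 2.1 problems detected; an empty list means none of these
    c = _Collector()
    c.feed(html)
    issues = []
    if not c.lang:
        issues.append("missing lang attribute on <html> (3.1.1 Language of Page)")
    if not c.title.strip():
        issues.append("missing or empty <title> (2.4.2 Page Titled)")
    if not any(h.startswith("#") for h, _ in c.anchors[:3]):  # skip link among the first links
        issues.append("no bypass block: no early skip link to the main content (2.4.1)")
    issues += [f"link to {h!r} has no accessible name (2.4.4)" for h, n in c.anchors if not n.strip()]
    issues += ["button has no accessible name (4.1.2)" for n in c.buttons if not n.strip()]
    return issues

# Constructed sample page, not from any audited site: no lang, one empty link, one unnamed button
SAMPLE_HTML = """<html><head><title>JobQuest Sample</title></head><body><a href="#main">Skip to content</a>
<div id="main"><a href="/jobs">Jobs</a><a href="/help"><img src="h.png" alt="Help"></a>
<a href="/search"></a><button onclick="go()"></button></div></body></html>"""
```

Reflow at 200% or 400% zoom, color contrast and keyboard traps only show up in a rendering browser, so they are outside what a static parse like this can report.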
Finding 4
 
MDCS did not have an information classification policy and did not classify its data.
Effect

Not classifying information (e.g., PII or regulated information) hinders MDCS’s ability to establish effective policies and procedures for information management and data protection. Without effective data policies in place, MDCS’s sensitive data may be more vulnerable to unauthorized access, theft, or misuse.

The lack of effective information classification can lead to other challenges, such as legal liabilities, regulatory violations, and MDCS reputational damage, particularly if personal information or data protected by privacy regulations is compromised. Improper management of data can not only harm MDCS, but it could also lead to increased risk and security vulnerabilities for Massachusetts residents who have used MDCS’s services.

Additionally, if the subsets of data contained in information systems are not properly classified, then the risk that critical systems are left exposed to threats, such as unauthorized use or theft, increases. This can cause MDCS to face challenges in planning for potential threats such as cybersecurity attacks, natural disasters, or fraud.

Recommendations
 
  1. MDCS management should develop and implement an information classification policy to comply with IS.004 and should assign an information custodian in this policy.
  2. MDCS should conduct a data inventory and classification assessment of information based on sensitivity, criticality, and regulatory requirements.
Finding 5
 
MDCS did not perform a business impact analysis or risk assessment to classify its information systems.
Effect

Without a business impact analysis or risk assessment to classify information systems, the criticality of systems will not be assessed based on the sensitivity of the information stored within them. If vital systems are not classified correctly, then they cannot be protected correctly, whether from cybersecurity threats, natural disasters, or fraud. As a result, MDCS could face challenges in planning for these potential disruptions and may not be able to prioritize IT resources effectively in the event of an emergency.
Recommendations
 
  1. MDCS management should implement a policy to periodically conduct a business impact analysis or risk assessment in order to classify its information systems.
  2. MDCS should review these classifications at least annually or anytime a significant system change occurs.
Finding 6
 
MDCS did not ensure that access to PII stored within its centralized database was limited to approved personnel members who have business needs to access it.
Effect

Granting personnel members access to PII without requiring formal approval of their business need exposes MDCS to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for MDCS. Each of these risks would have negative impacts on the people whose information is compromised.

The introduction of role-based access controls can be used to ensure that users are assigned permissions based on their roles and business need instead of individually assigned permissions on a person-by-person basis. In order to implement role-based access, all information must be classified (see Finding 4) to determine what information is confidential, such as PII, and should only be accessed by certain approved individuals in pertinent roles.

Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.

Recommendations
 
  1. MDCS should ensure that every user requiring access to PII in the centralized database has their business need reviewed and approved before access is granted.
  2. MDCS should implement role-based access. This new process should align with the principle of least privilege, where users should only be given the minimum level of access necessary to perform their job functions.
  3. MDCS should review current users’ access to determine whether these users have the appropriate approval, and MDCS should perform this review on a periodic basis.
  4. MDCS should have users hired before fiscal year 2014 resubmit the database access forms electronically.
Finding 7
 
MDCS did not ensure that access to PII stored at the career centers was limited to approved personnel members who have business needs to access it.
Effect

Granting personnel members access to PII without requiring formal approval of their business need exposes MDCS to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for MDCS. Each of these risks would have negative impacts on the people whose information is compromised.

The introduction of role-based access controls can be used to ensure that users are assigned permissions based on their roles and business need instead of individually assigned permissions on a person-by-person basis. In order to implement role-based access, all information must be classified (see Finding 4) to determine what information is confidential, such as PII, and should only be accessed by certain approved individuals in pertinent roles.

Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.

Recommendations
 
  1. MDCS management should implement a strict access control policy requiring formal approval before granting access to PII stored outside of MDCS’s centralized database.
  2. MDCS should implement role-based access. This new process should align with the principle of least privilege, where users should only be given the minimum level of access necessary to perform their job functions.
  3. MDCS should ensure that its career centers review current users’ access to determine whether these users have the appropriate approval. MDCS should ensure its career centers perform this review on a periodic basis.
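As an added example tied to Findings 6 and 7 (not a process MDCS or the career centers use), a Python access review that applies the Finding 6 recommendations to a list of PII access records: it flags users with no approved business need on file, users hired before fiscal year 2014 whose access form is still on paper, and permissions that exceed what a role matrix allows under least privilege. The role matrix, the record layout and the sample users are constructed assumptions; the fiscal year boundary follows the July 1 to June 30 period the audit itself uses.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role matrix (constructed): the PII permissions each role legitimately needs
ROLE_PERMISSIONS = {
    "career_counselor": {"view_client_record"},
    "data_analyst": {"view_client_record", "export_report"},
    "db_admin": {"view_client_record", "export_report", "edit_ssn", "manage_users"},
}

@dataclass
class PiiAccess:
    user: str
    role: str
    hired: date
    permissions: set
    approval: str  # "electronic", "paper", or "" when no approved access form is on file

def fiscal_year(d):
    """Fiscal year containing d; FY n runs July 1 of n-1 through June 30 of n."""
    return d.year + 1 if d.month >= 7 else d.year

def review_access(records, roles=ROLE_PERMISSIONS):
    """Map each user needing attention to the exceptions found (Rec. numbers from Finding 6)."""
    findings = {}
    for r in records:
        issues = []
        if not r.approval:
            issues.append("no approved business need on file (Rec. 1)")
        elif r.approval == "paper" and fiscal_year(r.hired) < 2014:
            issues.append("hired before FY2014: resubmit the access form electronically (Rec. 4)")
        allowed = roles.get(r.role)
        if allowed is None:
            issues.append(f"role {r.role!r} is not in the role matrix (Rec. 2)")
        elif r.permissions - allowed:  # more than the role needs: violates least privilege
            issues.append("permissions beyond role: " + ", ".join(sorted(r.permissions - allowed)) + " (Rec. 2)")
        if issues:
            findings[r.user] = issues
    return findings

# Constructed sample records, not MDCS data
SAMPLE_RECORDS = [
    PiiAccess("u1", "career_counselor", date(2019, 3, 4), {"view_client_record"}, "electronic"),
    PiiAccess("u2", "career_counselor", date(2012, 9, 10), {"view_client_record", "export_report"}, "paper"),
    PiiAccess("u3", "data_analyst", date(2021, 1, 15), {"view_client_record", "export_report"}, ""),
    PiiAccess("u4", "intern", date(2023, 6, 1), {"view_client_record"}, "electronic"),
]
```

Running the review on a schedule and keeping its output is what turns Recommendation 3's periodic review into an auditable record rather than a one-off check.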

In addition to the conclusions we reached regarding our audit objectives, we also identified an issue not specifically addressed by our objectives. For more information, see Other Matters.
