| Organization: | Office of the State Auditor |
|---|---|
| Date published: | September 5, 2018 |

Executive Summary
The Internet of Things (IoT) is the interconnection of devices via the Internet to allow the devices to collect and receive data over a network without requiring human-to-human or human-to-computer interaction. The flow of information in the IoT relies on what are commonly referred to as “smart” devices or on sensors that can be found in many products such as thermostats, health monitors, and motor vehicles. These devices need to collect, respond to, and/or transmit data as part of their normal operations. The IoT has many beneficial applications. For example, IoT-enabled devices and equipment are used to manage traffic; monitor health, weather, and energy; sense changes in environmental conditions to make necessary adjustments to control costs; and monitor equipment failure to ensure timely repair. Some common IoT devices include fitness trackers; smart watches; health monitoring devices; environmental monitoring devices; and devices in vehicles, such as those for global positioning system location and autonomous driving. It has been estimated that about 30 billion devices will be connected to the IoT by 2020.
In this audit, we obtained an understanding of the Commonwealth’s current IoT environment in terms of device use and planned use by surveying a sample of Commonwealth agencies (see Appendix) where we believed IoT devices were used for significant purposes. Some of the important feedback from this survey included the following:
- Sixty-eight percent of respondents believe that the IoT has enabled their agencies to manage specific activities more efficiently. However, survey responses indicate that the adoption of IoT technology has been slow in the Commonwealth.
- Forty-three percent of respondents believe that the IoT is in its infancy and the risk of adopting IoT devices is greater than the benefits.
- Forty-six percent of respondents believe that IoT risks cannot be managed effectively and efficiently by current controls.
Our audit also assessed the adequacy of the internal controls that the Executive Office of Technology Services and Security (EOTSS)[1] has established for implementing and using IoT technology as well as the measures EOTSS has taken to mitigate security and privacy risks associated with the use of this technology. We found that controls in this area could be improved.
According to EOTSS, the Massachusetts Access to Government Network (MAGNet)[2] will eventually be replaced by the One Network initiative, which will consolidate the specific agency networks into one centrally managed Commonwealth network. According to EOTSS, this will enhance network security and allow high network availability, fast network connectivity, centralized network monitoring, and centralized network traffic management.
Below is a summary of our findings and recommendations, with links to each page listed.
- The Commonwealth’s Enterprise Information Security Policy (EISP) does not offer any guidelines to state agencies regarding the adoption of IoT technology.
- The Commonwealth does not have a formally documented information security incident response plan.
- The Division of Capital Asset Management and Maintenance did not involve the Commonwealth’s chief information officer (CCIO) in a project that connected IoT devices to MAGNet.
A PDF copy of the audit of the Administration of the Internet of Things is available here.
1. On August 1, 2017, the Governor established EOTSS to replace a previous agency, the Massachusetts Office of Information Technology, and made EOTSS responsible for administering the state’s information technology infrastructure.
2. MAGNet is the Commonwealth’s private geographically dispersed telecommunication network; it is managed by EOTSS and is used to connect the various local area networks used by state agencies.
List of Abbreviations
| Abbreviation | Meaning |
|---|---|
| CBEI | Commonwealth Building Energy Intelligence |
| CCIO | Commonwealth’s chief information officer |
| DCAMM | Division of Capital Asset Management and Maintenance |
| DEP | Department of Environmental Protection |
| DPH | Department of Public Health |
| DTA | Department of Transitional Assistance |
| EISP | Enterprise Information Security Policy |
| EOTSS | Executive Office of Technology Services and Security |
| IoT | Internet of Things |
| IT | information technology |
| MAGNet | Massachusetts Access to Government Network |
| MassDOT | Massachusetts Department of Transportation |
| MBTA | Massachusetts Bay Transportation Authority |
| NIST | National Institute of Standards and Technology |
| OSA | Office of the State Auditor |