Audit

Audit  Audit of the Department of Fire Services

Our office has conducted a performance audit of the Department of Fire Services (DFS) for the period July 1, 2021 through December 31, 2022.

Organization: Office of the State Auditor
Date published: March 20, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Department of Fire Services (DFS) for the period July 1, 2021 through December 31, 2022. In this performance audit, we determined the following:

  • whether DFS’s website met the accessibility standards established by the Executive Office of Technology Services and Security (EOTSS) and the Web Content Accessibility Guidelines 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility and
  • whether DFS established information technology (IT) governance policies and procedures that met the requirements of EOTSS’s Enterprise Information Security Policies and Standards for business continuity plans, disaster recovery plans, information security incident response plans and procedures, and cybersecurity awareness training.

Below is a summary of our findings and recommendations, with links to each page listed.

  
Finding 1
 
DFS’s website is not fully accessible for all Massachusetts residents.
Recommendation
 
DFS should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DFS to all Commonwealth residents.
Finding 2
 
DFS did not update its business continuity plan.
Recommendation
 
DFS should update its business continuity plan annually and whenever a major organizational change occurs.
Finding 3
 
DFS relies on an information security incident response plan and procedures that do not include all of the required elements.
Recommendation
 
DFS should rely on an information security incident response plan and procedures that include all required elements. Alternatively, DFS could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting IT system compromises.
Finding 4
 
DFS did not provide its contractors with cybersecurity awareness training.
Recommendations
 
  1. DFS should ensure that its contractors complete cybersecurity awareness training.
  2. DFS should ensure that its contractors have access to its cybersecurity awareness training platform.

Downloads

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback