Audit of the Department of Revenue (DOR) - Information Security

The audit cautions that inadequate controls at the Massachusetts Department of Revenue (DOR) could leave sensitive taxpayer data, including Social Security numbers and tax payment history, vulnerable to cyberattacks and inappropriate disclosure. The audit examined the period July 1, 2016 through December 31, 2018.

Organization: Office of the State Auditor
Date published: December 13, 2019

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted an audit of the Department of Revenue (DOR) covering the period July 1, 2016 through December 31, 2018. For our review of DOR’s training programs, we used attendance records from April 19, 2018 through June 4, 2019. The purpose of this audit was to assess DOR’s information security governance, information security training programs, information technology (IT) policies, incident response procedures, and management of third-party risks.

Below is a summary of our findings and the recommendations that accompany each of them.

Finding 1

DOR did not establish an IT strategy committee.

Recommendation

DOR should work with the Executive Office of Technology Services and Security (EOTSS) to establish an IT strategy committee that meets regularly to ensure IT governance, determine acceptable risk, align IT resources, and create strategies to mitigate risk to an acceptable level in line with business needs.

Finding 2

DOR did not have documented and tested incident response procedures.

Recommendations

  1. DOR should develop and document security incident response procedures to facilitate the implementation of its “Security Incident Response Policy” and associated incident response controls.
  2. Once security incident response procedures are documented, DOR should test them regularly.

Finding 3

DOR did not assess and document third-party vendor risks.

Recommendations

  1. DOR should update its “Third Party Security Policy” to include the procedures necessary to assess and document third-party risks.
  2. DOR should assess and document third-party risks.

Finding 4

DOR and EOTSS did not have an interdepartmental service agreement (ISA) that defined and documented updated roles and responsibilities.

Recommendation

DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR.


A PDF copy of the full report, Audit of the Department of Revenue - Information Security, is available from the Office of the State Auditor.

Office of the State Auditor
Massachusetts State House, Room 230
Boston, MA 02133
(617) 727-3014