| Organization: | Office of the State Auditor |
|---|---|
| Date published: | December 13, 2019 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted an audit of the Department of Revenue (DOR) covering the period July 1, 2016 through December 31, 2018. For our review of DOR’s training programs, we used attendance records from April 19, 2018 through June 4, 2019. The purpose of this audit was to assess DOR’s information security governance, information security training programs, information technology (IT) policies, incident response procedures, and management of third-party risks.
Below is a summary of our findings and recommendations, with links to each page listed.
| Finding | Recommendation |
|---|---|
| DOR did not establish an IT strategy committee. | DOR should work with the Executive Office of Technology Services and Security (EOTSS) to establish an IT strategy committee that meets regularly to ensure IT governance, determine acceptable risk, align IT resources, and create strategies to mitigate risk to an acceptable level in line with business needs. |
| DOR did not have documented and tested incident response procedures. | |
| DOR did not assess and document third-party vendor risks. | |
| DOR and EOTSS did not have an interdepartmental service agreement (ISA) that defined and documented updated roles and responsibilities. | DOR should work with EOTSS to negotiate an updated ISA that spells out roles and responsibilities related to information security and IT governance at DOR. |
A PDF copy of the audit of the Department of Revenue - Information Security is available here.
Table of Contents
- List of Abbreviations
- Overview of Audited Entity
- Audit Objectives, Scope, and Methodology
- The Department of Revenue Did Not Establish an Information Technology Strategy Committee.
- DOR Did Not Have Documented and Tested Incident Response Procedures.
- DOR Did Not Assess and Document Third-Party Vendor Risks.
- DOR and EOTSS Did Not Have an Interdepartmental Service Agreement That Defined and Documented Updated Roles and Responsibilities.