Office of the State Auditor
January 6, 2020
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit of the Department of Transitional Assistance (DTA) covering the period July 1, 2018 through June 30, 2019. The purpose of this audit was to assess DTA’s training programs, information technology policies, password parameters, process for terminating user accounts, incident response procedures, and management of third-party risks.
Our audit of DTA identified an issue that has been omitted from this report in accordance with Exemption (n) of the Commonwealth’s public-records law (Section 7 of Chapter 4 of the General Laws), which requires the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.
In accordance with Sections 7.39–7.41 of the Government Accountability Office’s Government Auditing Standards, as well as OSA policies for reporting confidential and sensitive information, we have given a separate, full report to DTA, which will be responsible for acting on our recommendations.
Below is a summary of our findings and recommendations, with links to each page listed.
DTA did not revoke terminated employees’ access to one of its systems in a timely manner.
DTA did not have a tested incident response plan.
DTA should conduct incident response tests annually and modify its plan according to lessons learned.
DTA did not assess and document third-party vendor risks.