An official website of the Commonwealth of Massachusetts

Log in links for this page

This page, Audit of the Department of Transitional Assistance (DTA)—Information Security, is offered by

Audit Audit of the Department of Transitional Assistance (DTA)—Information Security

The audit, which examined the period of July 1, 2018 through June 30, 2019, found DTA was not adequately protecting sensitive data from inappropriate access.

Organization: Office of the State Auditor
Date published: January 6, 2020

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit of the Department of Transitional Assistance (DTA) covering the period July 1, 2018 through June 30, 2019. The purpose of this audit was to assess DTA’s training programs, information technology policies, password parameters, process for terminating user accounts, incident response procedures, and management of third-party risks.

Our audit of DTA identified an issue that has been omitted from this report in accordance with Exemption (n) of the Commonwealth’s public-records law (Section 7[26] of Chapter 4 of the General Laws), which requires the withholding of certain records, including security measures or any other records related to cybersecurity or other infrastructure, if their disclosure is likely to jeopardize public safety or cybersecurity.

In accordance with Sections 7.39–7.41 of the Government Accountability Office’s Government Auditing Standards, as well as OSA policies, for reporting confidential and sensitive information, we have given a separate, full report to DTA, which will be responsible for acting on our recommendations.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1

DTA did not revoke terminated employees’ access to one of its systems in a timely manner.


  1. DTA should implement additional controls to ensure that access is terminated within a timely manner after an employee is terminated.
  2. DTA should consider controls to automatically notify the security team when employees are terminated.

Finding 2

DTA did not have a tested incident response plan.


DTA should conduct incident response tests annually and modify its plan according to lessons learned.

Finding 3

DTA did not assess and document third-party vendor risks.


  1. DTA should establish a third-party security policy that includes procedures necessary to assess and document third-party risks.
  2. DTA should assess and document third-party risks.


A PDF copy of the audit of the Department of Transitional Assistance - Information Security is available here.