Audit of the Division of Insurance

This page, Audit of the Division of Insurance, is offered by
Office of the State Auditor

Organization:	Office of the State Auditor
Date published:	March 19, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Insurance (DOI) for the period July 1, 2021 through December 31, 2022. In this performance audit, we determined the following:

whether DOI’s website met the accessibility standards established by the Executive Office of Technology Services and Security (EOTSS) and the Web Content Accessibility Guidelines 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility and

whether DOI established information technology (IT) governance policies and procedures that met the requirements of EOTSS’s Enterprise Information Security Policies and Standards for business continuity plans, disaster recovery plans, information security incident response plans and procedures, and cybersecurity awareness training.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1	DOI’s website is not fully accessible for all Massachusetts residents.
Recommendations	DOI should review its webpages to ensure that all hyperlinks lead to related information to provide equitable access to critical information and services offered online by DOI to all Commonwealth residents. DOI should review web content that appears in other languages to ensure that the pages have accurate language attributes to facilitate effective translation and provide a user experience that is inclusive to all Commonwealth residents.
Finding 2	DOI did not update its business continuity plan or have a disaster recovery plan.
Recommendations	DOI should update its business continuity plan annually and whenever a major organizational change occurs. DOI should develop and implement a disaster recovery plan.
Finding 3	DOI relies on an information security incident response plan and procedures that do not include all required elements.
Recommendation Page 22	DOI should rely on an information security incident response plan and procedures that include all required elements. Alternatively, DOI could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, an analysis of legal requirements for reporting IT system compromises, and incident response procedures from required external parties.

Downloads

Open PDF file, 1018.73 KB, Audit of the Division of Insurance (English, PDF 1018.73 KB)

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the State Auditor. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback.

If you need assistance, please contact the State Auditor.

Please let us know how we can improve this page.

Please remove any contact information or personal data from your feedback.

If you need assistance, please contact the State Auditor.

Audit Audit of the Division of Insurance

Executive Summary

Table of Contents

Downloads

Help Us Improve Mass.gov with your feedback