Audit of the Office of Consumer Affairs and Business Regulation

Our office conducted a performance audit of the Office of Consumer Affairs and Business Regulation (OCABR) for the period July 1, 2022 through June 30, 2023.

Organization: Office of the State Auditor
Date published: May 5, 2025

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Office of Consumer Affairs and Business Regulation (OCABR) for the period July 1, 2022 through June 30, 2023.

The purpose of this performance audit was to determine whether OCABR’s website adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility. Adherence to WCAG ensures that all users, regardless of ability, can access the content and functions of OCABR’s website.

Additionally, we determined whether OCABR had an information classification policy, procedures for disposing of information, and a business impact analysis or risk assessment to classify its information systems. We also evaluated whether access to personally identifiable information (PII) was restricted solely to individuals with a legitimate business need. These information technology (IT) governance practices are critical because they form the foundation of a robust security framework, ensuring compliance with data protection regulations and minimizing the risk of unauthorized access or breaches.

Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.

   
Finding 1
 
OCABR’s website was not fully accessible for all Massachusetts residents and users.
Effect

Broken hyperlinks create barriers for users, particularly people with disabilities who rely on accessible navigation features to engage with online content. When users encounter inaccessible or nonfunctioning links, they may struggle to locate critical consumer protection resources, regulatory information, licensing forms, etc. This lack of accessibility not only impacts user experience but also undermines OCABR’s ability to provide equitable access and digital inclusiveness.

Additionally, nonfunctional links increase the likelihood that Massachusetts residents will either access outdated or incorrect information or be directed to webpages that no longer exist, potentially leading to confusion, misinformation, or missed opportunities to engage with OCABR services. Ensuring that all website components function properly and meet accessibility standards is essential for providing transparent and inclusive government services to all residents.

Recommendations
 
  1. OCABR should implement a policy to review its webpages periodically for WCAG 2.1 compliance.
  2. OCABR should collaborate with the Executive Office of Technology Services and Security (EOTSS) to establish a link validation system using automated tools that regularly scan for broken hyperlinks and incorrect redirects.
  3. OCABR should collaborate with EOTSS to develop a web maintenance schedule to review and update outdated or incorrect links on a periodic basis (e.g., quarterly or semiannually).
  4. OCABR should assign designated staff members to oversee accessibility compliance and website updates.
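The following is an added illustration of the kind of automated link check described in Recommendation 2; it is example code written for this summary, not a tool used by OCABR or EOTSS. It extracts the anchors from a page, follows each link, and separates the two problems the finding names: hard failures (HTTP 4xx/5xx) and links that technically resolve but redirect to the wrong place (the site root or another host). The page, URLs and server responses below are constructed so that the check runs offline; `http_fetch` is the hypothetical live fetcher a real scan would plug in instead.

```python
"""Link validator (added example; constructed data, not real OCABR pages)."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _AnchorParser(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(page_url, html):
    """Return absolute URLs for every navigable link on the page."""
    parser = _AnchorParser()
    parser.feed(html)
    links = []
    for href in parser.hrefs:
        if href.startswith(("mailto:", "tel:", "#", "javascript:")):
            continue  # not a page the scanner can meaningfully fetch
        links.append(urljoin(page_url, href))
    return links


def classify(url, status, final_url):
    """Map one fetch result to a label a maintenance review can act on."""
    if status is None:
        return "unreachable"
    if status >= 400:
        return "broken"
    if final_url != url:
        # A redirect to the site root is the classic 'soft 404': the link
        # works technically but sends the reader somewhere unhelpful.
        if urlsplit(final_url).path in ("", "/"):
            return "redirects-to-home"
        if urlsplit(final_url).netloc != urlsplit(url).netloc:
            return "redirects-off-site"
        return "redirected"
    return "ok"


def check_links(page_url, html, fetch):
    """fetch(url) -> (status code or None, final URL after redirects).
    Returns {link_url: label}."""
    report = {}
    for url in extract_links(page_url, html):
        status, final_url = fetch(url)
        report[url] = classify(url, status, final_url)
    return report


def http_fetch(url, timeout=10):
    """Hypothetical live fetcher for a real scan (not used by the offline sample)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, url
    except (urllib.error.URLError, OSError):
        return None, url


# ---- constructed sample page and simulated server responses ----
SAMPLE_PAGE_URL = "https://agency.example/consumer/index"
SAMPLE_HTML = """
<ul>
 <li><a href="/consumer/licensing/forms">Licensing forms</a></li>
 <li><a href="/consumer/old-guide">Old guide</a></li>
 <li><a href="/consumer/moved">Moved page</a></li>
 <li><a href="https://partner.example/help">Partner help</a></li>
 <li><a href="mailto:help@agency.example">Email us</a></li>
</ul>
"""
_RESPONSES = {  # url -> (status, final url after redirects); all constructed
    "https://agency.example/consumer/licensing/forms": (200, "https://agency.example/consumer/licensing/forms"),
    "https://agency.example/consumer/old-guide": (404, "https://agency.example/consumer/old-guide"),
    "https://agency.example/consumer/moved": (200, "https://agency.example/"),
    "https://partner.example/help": (200, "https://other.example/landing"),
}


def fake_fetch(url):
    return _RESPONSES.get(url, (None, url))


def sample_report():
    return check_links(SAMPLE_PAGE_URL, SAMPLE_HTML, fake_fetch)


if __name__ == "__main__":
    for link, label in sample_report().items():
        print(f"{label:20} {link}")
```

Run on a schedule (the quarterly or semiannual cadence in Recommendation 3), anything other than `ok` in the report is a work item for the staff designated under Recommendation 4; the "redirects-to-home" case is worth treating as seriously as a 404, since to the reader the requested page is just as missing.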
Finding 2
 
OCABR did not have an information classification policy and did not classify its data.
Effect

Not classifying information (e.g., PII or regulated information) hinders OCABR’s ability to establish effective policies and procedures for information management and data protection. Without effective data policies in place, OCABR’s sensitive data may be more vulnerable to unauthorized access, theft, or misuse.

The lack of effective information classification can lead to other challenges, such as legal liabilities, regulatory violations, and OCABR reputational damage, particularly if personal information or data protected by privacy regulations is compromised. Improper management of data can not only harm OCABR, but it could also lead to increased risk and security vulnerabilities for Massachusetts residents who have used OCABR’s services.

Additionally, if the subsets of data contained in information systems are not properly classified, then the risk increases that critical systems are left exposed to threats, such as unauthorized use or theft. This can cause OCABR to face challenges in planning for potential threats such as cybersecurity attacks, natural disasters, or fraud.

Recommendations
  1. OCABR management should develop and implement an information classification policy to comply with EOTSS’s Asset Management Standard IS.004 and should assign an information custodian in this policy.
  2. OCABR should conduct a data inventory and classification assessment of information based on sensitivity, criticality, and regulatory requirements.
Finding 3
 
OCABR did not have procedures for disposing of information.
Effect

OCABR migrated its data to the cloud in 2021 and did not assess whether it is storing unnecessary data. Keeping information for longer than necessary also wastes valuable storage space and leads to additional costs for the agency and the Commonwealth, as large quantities of data can be stored longer than needed in the cloud environment at a financial cost to the agency. Not reviewing information at specified intervals and disposing of it when appropriate forces OCABR to keep information for longer than it should, creating additional security risks such as theft, mismanagement, and unauthorized access of data in its custody. Additionally, any Massachusetts residents who use the services OCABR offers are at greater risk of having their data compromised, as their information is retained, and therefore potentially vulnerable, long after they engaged with OCABR.
Recommendations
 
  1. OCABR should implement policies and procedures for information disposal to ensure that information is properly disposed of in accordance with Commonwealth retention schedules.
  2. OCABR should designate an information custodian responsible for ensuring compliance with data disposal policies.
  3. OCABR should implement an internal policy which includes the retention schedules and the procedures necessary to dispose of information, in no event before the expiration of its retention period.
  4. OCABR should implement a process in which it justifies the business need for archiving information kept past retention schedules.
Finding 4
 
OCABR did not perform a business impact analysis or risk assessment to classify its information systems.
Effect

Without a business impact analysis or risk assessment to classify information systems, OCABR may not assess the criticality of systems based on the sensitivity of the information stored within them. If vital systems are not classified correctly, then they cannot be protected correctly, whether from cybersecurity threats, natural disasters, or fraud. As a result, OCABR could face challenges in planning for these potential disruptions and may not be able to prioritize IT resources effectively in the event of an emergency.
Recommendations
 
  1. OCABR management should implement a policy to periodically conduct a business impact analysis or risk assessment in order to classify its information systems.
  2. OCABR should review these classifications at least annually or anytime a significant system change occurs.
Finding 5
 
OCABR did not ensure that access to PII was limited to approved personnel members who have business needs to access it.
Effect

Granting personnel members access to PII without requiring formal approval of their business need, as well as appropriate training, exposes OCABR to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for OCABR. Each of these risks would have negative impacts on the people whose information is compromised.

Role-based access controls can be used to ensure that users are assigned permissions based on their roles and business needs instead of through individually assigned permissions on a person-by-person basis. In order to implement role-based access, all information must be classified (see Finding 2) to determine what information is confidential, such as PII, and should only be accessed by certain approved individuals in pertinent roles.

Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.

Recommendations
 
  1. OCABR should ensure that every user requiring access to PII has their business need reviewed and approved before access is granted.
  2. OCABR should implement role-based access. This new process should align with the principle of least privilege, where users should only be given the minimum level of access necessary to perform their job functions.
  3. OCABR should review users’ access to determine whether these users have the appropriate approval, and OCABR should perform this review on a periodic basis.
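The following is an added illustration of how the three recommendations above fit together as one access model; it is example code written for this summary, not OCABR's or EOTSS's system. Access is granted only through a role (Recommendation 2), a role is held only on the strength of a documented, approved business need (Recommendation 1), and a periodic review lists every holder of a PII-capable role whose approval is missing a justification or has lapsed (Recommendation 3). The classification labels, role names, users and dates are constructed; the classification step itself is the one Finding 2 says must come first.

```python
"""Role-based access with approval records and periodic review (added example)."""

from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed classification labels; the audit notes OCABR had none defined.
PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"

# Role -> permissions as (action, classification). Roles are hypothetical and
# deliberately narrow: each grants only what that job function needs.
ROLE_PERMISSIONS = {
    "web-editor": {("read", PUBLIC), ("write", PUBLIC)},
    "analyst": {("read", PUBLIC), ("read", INTERNAL)},
    "complaint-intake": {
        ("read", PUBLIC), ("read", INTERNAL),
        ("read", CONFIDENTIAL), ("write", CONFIDENTIAL),
    },
}


@dataclass
class Approval:
    """A documented decision to place a user in a role, with an expiry."""
    role: str
    approved_by: str
    justification: str
    granted_on: date
    valid_days: int = 365

    def expired(self, today):
        return today > self.granted_on + timedelta(days=self.valid_days)


@dataclass
class User:
    name: str
    approvals: list = field(default_factory=list)

    def roles(self, today):
        """Only roles backed by a current approval count."""
        return {a.role for a in self.approvals if not a.expired(today)}


def authorize(user, action, classification, today):
    """Least privilege: permit only if a currently approved role grants
    exactly this action on exactly this classification."""
    for role in user.roles(today):
        if (action, classification) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def pii_roles():
    """Roles that can touch confidential data, i.e. the ones the review targets."""
    return {r for r, perms in ROLE_PERMISSIONS.items()
            if any(c == CONFIDENTIAL for _, c in perms)}


def access_review(users, today):
    """Periodic review: (user, role, issue) for every PII-capable assignment
    that lacks a documented business need or whose approval has expired."""
    findings = []
    for user in users:
        for a in user.approvals:
            if a.role not in pii_roles():
                continue
            if a.expired(today):
                findings.append((user.name, a.role, "approval expired; re-certify or remove"))
            elif not a.justification.strip():
                findings.append((user.name, a.role, "no documented business need"))
    return findings


# ---- constructed sample population ----
TODAY = date(2025, 5, 5)
SAMPLE_USERS = [
    User("alice", [Approval("complaint-intake", "supervisor", "handles consumer complaints", date(2025, 1, 10))]),
    User("bob", [Approval("complaint-intake", "supervisor", "", date(2025, 2, 1))]),
    User("carol", [Approval("complaint-intake", "supervisor", "former intake staff", date(2023, 3, 1))]),
    User("dave", [Approval("web-editor", "supervisor", "maintains site", date(2024, 9, 1))]),
]


def sample_review():
    return access_review(SAMPLE_USERS, TODAY)


if __name__ == "__main__":
    for name, role, issue in sample_review():
        print(f"{name:8} {role:18} {issue}")
```

Two design points carry the audit's intent: a lapsed approval removes the role automatically, so a former intake employee loses PII access without anyone remembering to revoke it, and the review reports on assignments rather than on users, so the output is a list of specific decisions for the information custodian to re-certify or revoke.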
