| Organization: | Office of the State Auditor |
|---|---|
| Date published: | May 5, 2025 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Office of Consumer Affairs and Business Regulation (OCABR) for the period July 1, 2022 through June 30, 2023.
The purpose of this performance audit was to determine whether OCABR’s website adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility. Adherence to WCAG ensures that all users, regardless of ability, can access the content and functions of OCABR’s website.
Additionally, we determined whether OCABR had an information classification policy, procedures for disposing of information, and a business impact analysis or risk assessment to classify its information systems. We also evaluated whether access to personally identifiable information (PII) was restricted solely to individuals with a legitimate business need. These information technology (IT) governance practices are critical because they form the foundation of a robust security framework, ensuring compliance with data protection regulations and minimizing the risk of unauthorized access or breaches.
Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.
| Finding 1 | OCABR’s website was not fully accessible for all Massachusetts residents and users. |
|---|---|
| Effect | Broken hyperlinks create barriers for users, particularly people with disabilities who rely on accessible navigation features to engage with online content. When users encounter inaccessible or nonfunctioning links, they may struggle to locate critical consumer protection resources, regulatory information, licensing forms, etc. This lack of accessibility not only impacts user experience but also undermines OCABR’s ability to provide equitable access and digital inclusiveness. Additionally, nonfunctional links increase the likelihood that Massachusetts residents will either access outdated or incorrect information or be directed to webpages that no longer exist, potentially leading to confusion, misinformation, or missed opportunities to engage with OCABR services. Ensuring that all website components function properly and meet accessibility standards is essential for providing transparent and inclusive government services to all residents. |
| Recommendations | |
| Finding 2 | OCABR did not have an information classification policy and did not classify its data. |
|---|---|
| Effect | Not classifying information (e.g., PII or regulated information) hinders OCABR’s ability to establish effective policies and procedures for information management and data protection. Without effective data policies in place, OCABR’s sensitive data may be more vulnerable to unauthorized access, theft, or misuse. The lack of effective information classification can lead to other challenges, such as legal liabilities, regulatory violations, and OCABR reputational damage, particularly if personal information or data protected by privacy regulations is compromised. Improper management of data can not only harm OCABR, but it could also lead to increased risk and security vulnerabilities for Massachusetts residents who have used OCABR’s services. Additionally, if the subsets of data contained in information systems are not properly classified, then the risk increases that critical systems are left exposed to threats, such as unauthorized use or theft. This can cause OCABR to face challenges in planning for potential threats such as cybersecurity attacks, natural disasters, or fraud. |
| Recommendations | |
| Finding 3 | OCABR did not have procedures for disposing of information. |
|---|---|
| Effect | OCABR migrated its data to the cloud in 2021 and did not assess whether it is storing unnecessary data. Keeping information for longer than necessary wastes storage space and adds cost for the agency and the Commonwealth, since large quantities of data can be retained in the cloud environment longer than needed. Not reviewing information at specified intervals and disposing of it when appropriate forces OCABR to keep information longer than it should, creating additional security risks such as theft, mismanagement, and unauthorized access to data in its custody. Additionally, any Massachusetts residents who use the services OCABR offers are at greater risk of having their data compromised, because their information is retained, and therefore potentially vulnerable, long after they engaged with OCABR. |
| Recommendation | |
| Finding 4 | OCABR did not perform a business impact analysis or risk assessment to classify its information systems. |
|---|---|
| Effect | Without a business impact analysis or risk assessment to classify information systems, OCABR may not assess the criticality of systems based on the sensitivity of the information stored within them. If vital systems are not classified correctly, then they cannot be protected correctly, whether from cybersecurity threats, natural disasters, or fraud. As a result, OCABR could face challenges in planning for these potential disruptions and may not be able to prioritize IT resources effectively in the event of an emergency. |
| Recommendations | |
| Finding 5 | OCABR did not ensure that access to PII was limited to approved personnel members who have a business need to access it. |
|---|---|
| Effect | Granting personnel members access to PII without requiring formal approval of their business need, as well as appropriate training, exposes OCABR to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for OCABR. Each of these risks would have negative impacts on the people whose information is compromised. Role-based access control addresses this by assigning permissions according to a user’s role and business need rather than individually, person by person. Implementing role-based access requires that all information first be classified (see Finding 2) to determine which information is confidential, such as PII, and should be accessible only to approved individuals in pertinent roles. Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it. |
| Recommendations | |
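The role-based model that Finding 5 describes, shown as an added Python example that is not part of the audit report or of any OCABR system: permissions are derived only from roles, a record’s classification (the prerequisite from Finding 2) decides whether it is confidential, PII access additionally requires a recorded business-need approval and completed training, and a record that was never classified is treated as confidential so that a missing label never widens access. The role catalogue, classification levels, users and records are constructed for illustration; the `review_pii_access` function is the kind of access review an auditor would run to surface the condition in the finding.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Classification(Enum):
    """Constructed classification levels; a higher value is more sensitive."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3  # PII and other regulated information


@dataclass(frozen=True)
class Role:
    name: str
    max_classification: Classification  # highest level this role may read


@dataclass
class User:
    username: str
    roles: FrozenSet[str]                 # permissions come from roles only
    business_need_approved: bool = False  # formal approval of business need on file
    pii_training_completed: bool = False  # required before handling PII


@dataclass
class Record:
    record_id: str
    classification: Optional[Classification] = None  # None = never classified


# Hypothetical role catalogue (an assumption made for this example).
ROLES: Dict[str, Role] = {
    "web-editor": Role("web-editor", Classification.PUBLIC),
    "case-analyst": Role("case-analyst", Classification.INTERNAL),
    "licensing-officer": Role("licensing-officer", Classification.CONFIDENTIAL),
}


def can_read(user: User, record: Record, roles: Dict[str, Role] = ROLES) -> bool:
    """Role-based read check that fails closed on unclassified data."""
    # An unclassified record is handled as confidential until it is classified.
    level = record.classification if record.classification is not None else Classification.CONFIDENTIAL
    # Clearance is derived solely from the user's roles, never assigned per person.
    clearances = [roles[r].max_classification.value for r in user.roles if r in roles]
    if not clearances or max(clearances) < level.value:
        return False
    if level is Classification.CONFIDENTIAL:
        # Confidential/PII data also needs the approval and training Finding 5 calls for.
        return user.business_need_approved and user.pii_training_completed
    return True


def review_pii_access(users: List[User], roles: Dict[str, Role] = ROLES) -> List[str]:
    """Access review: users holding a PII-capable role without approval or training."""
    flagged = []
    for user in users:
        pii_capable = any(
            r in roles and roles[r].max_classification is Classification.CONFIDENTIAL
            for r in user.roles
        )
        if pii_capable and not (user.business_need_approved and user.pii_training_completed):
            flagged.append(user.username)
    return sorted(flagged)


# Constructed sample data for a stand-alone run.
SAMPLE_USERS = [
    User("alice", frozenset({"licensing-officer"}), business_need_approved=True, pii_training_completed=True),
    User("bob", frozenset({"licensing-officer"}), business_need_approved=False, pii_training_completed=True),
    User("carol", frozenset({"case-analyst"}), business_need_approved=True, pii_training_completed=True),
]
SAMPLE_RECORDS = {
    "license-app": Record("license-app", Classification.CONFIDENTIAL),  # contains PII
    "faq-page": Record("faq-page", Classification.PUBLIC),
    "legacy-export": Record("legacy-export"),  # migrated to the cloud, never classified
}

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        for record in SAMPLE_RECORDS.values():
            decision = "allow" if can_read(user, record) else "deny"
            print(f"{user.username:6} {record.record_id:14} {decision}")
    print("needs approval/training review:", review_pii_access(SAMPLE_USERS))
```

Running the module prints one allow/deny decision per user and record, then lists `bob`, who holds a PII-capable role without a recorded approval. The fail-closed default for `legacy-export` is the design choice worth noting: unclassified data inherits the strictest treatment, which makes the classification gap from Finding 2 visible as denied requests rather than as silent over-exposure.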
Downloads
- Audit Report - Office of Consumer Affairs and Business Regulation (English, PDF, 1.21 MB)