| Organization: | Office of the State Auditor |
|---|---|
| Date published: | April 25, 2024 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Operational Services Division (OSD) for the period July 1, 2021 through December 31, 2022. In this performance audit, we determined the following:
- whether OSD’s Mass.gov website met the accessibility standards established by the Executive Office of Technology Services and Security (EOTSS) and the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility;
- whether OSD ensured that all contracts posted to its COMMBUYS website complied with EOTSS’s Enterprise Information Technology Accessibility Policy and WCAG 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility; and
- whether OSD established information technology governance policies and procedures that met the requirements of EOTSS’s Enterprise Information Security Policies and Standards for business continuity plans, disaster recovery plans, information security incident response plans and procedures, and cybersecurity awareness training.
Below is a summary of our findings and recommendations, with links to each page listed.
| Finding 1 | OSD’s Mass.gov website is not fully accessible for all Massachusetts residents. |
|---|---|
| Recommendations | |
| Finding 2 | OSD did not ensure that all of its hyperlinks within contract user guides (CUGs) led to related information. |
| Recommendation | OSD should regularly review its posted CUGs and ensure that hyperlinks within them are up to date and functional. |
| Finding 3 | OSD did not ensure that all contracts posted to COMMBUYS had a language tag. |
| Recommendations | |
| Finding 4 | OSD did not ensure that its COMMBUYS website provided correction suggestions. |
| Recommendations | |
| Finding 5 | OSD relies on an information security incident response plan and procedures that do not include all required elements. |
| Recommendation | OSD should establish information security incident response procedures for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, and an analysis of legal requirements for reporting information technology system compromises. |
| Finding 6 | OSD does not have a business continuity plan or a disaster recovery plan. |
| Recommendations | |
Table of Contents
- List of Abbreviations
- Overview of Audited Entity
- Objectives, Scope, and Methodology
- The Operational Services Division’s Mass.gov Website Is Not Fully Accessible for All Massachusetts Residents
- The Operational Services Division Did Not Ensure That All of Its Hyperlinks Within Contract User Guides Led to Related Information
- The Operational Services Division Did Not Ensure That All Contracts Posted to COMMBUYS Had a Language Tag
- The Operational Services Division Did Not Ensure That Its COMMBUYS Website Provided Correction Suggestions
- The Operational Services Division Relies on an Information Security Incident Response Plan and Procedures That Do Not Include All Required Elements