Executive Office of Technology Services and Security Policies

The Communication and Network Security Standard details requirements for network security management, remote access security management, third-party network access and secure file transfer by the Commonwealth of Massachusetts.

This standard reinforces the Commonwealth’s commitment to an effective compliance agenda and outlines the controls necessary to safeguard the Commonwealth’s information assets and reduce risks.

The Compliance Standard defines the requirements to ensure that the Commonwealth complies with all relevant legislative, regulatory, statutory and contractual requirements related to information security.

This standard reinforces the Commonwealth’s commitment to an effective cryptographic management strategy and outlines the controls necessary to safeguard the Commonwealth’s information assets and reduce risks.

The purpose of this standard is to establish requirements for cryptography and encryption techniques for the Commonwealth. Cryptographic controls shall be used to protect the confidentiality (e.g., encryption), authenticity and integrity (e.g., digital signatures or message authentication codes).

The Commonwealth will centrally leverage Microsoft Defender Advanced Threat Protection as an enterprise endpoint security platform. Defender is designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Additionally, Microsoft Defender for Office 365 will be leveraged to safeguard the Commonwealth against malicious threats posed by email messages, links (URLs), and collaboration tools.

Microsoft BitLocker offers enhanced protection against data theft or data exposure for computers that are lost or stolen. BitLocker encrypts all data that is stored on the Windows operating system volumes and drives and configured data drives.

A compilation of Enterprise Information Security Policies

The EOTSS “Information Governance Framework” and Information Governance Program provides independent planning, execution, and management of the necessary policies, standards, practices, technologies, and tools to support our information lifecycle, risk, and compliance needs at an enterprise level.

Positioning the Commonwealth on cybersecurity readiness and preparedness to remain vigilant to potential threats.