
Audit of the Administration of the Internet of Things Objectives, Scope, and Methodology

An overview of the purpose and process of conducting this audit.

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has completed a performance audit of the administration of the Internet of Things (IoT) at various Commonwealth agencies for the period July 1, 2016 through March 31, 2017.

We assessed the services that the Executive Office of Technology Services and Security (EOTSS) provided to agencies that were adopting the IoT. We also reviewed the Division of Capital Asset Management and Maintenance (DCAMM) Commonwealth Building Energy Intelligence (CBEI) Program because, as an IoT project, it uses devices with an Internet connection at various state hospitals, prisons, universities, community colleges, trial courts, and office buildings to measure energy use in state buildings and provide decision-makers with information that could be used to reduce energy use.

In conducting this audit, we reviewed key reports, attended conferences, conducted a survey of state agencies (described below), and interviewed key state agency officials to obtain their views on the specific implications of the IoT.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer and where the objective is discussed in the audit findings.

  1. Is there adequate administration of IoT use at various state agencies?
     Conclusion: No; see Findings 1a, 1b, and 1c.


We conducted this audit using criteria from industry standards established by the National Institute of Standards and Technology. Although the Commonwealth is not required to follow these industry standards, we believe they represent information technology (IT) industry best practices. We formally engaged EOTSS to evaluate its roles and responsibilities related to providing cybersecurity and governance to state agencies to manage current and emerging IT risks. OSA also engaged DCAMM to observe its implementation of IoT technology for smart building management in its CBEI Program.

This audit was intended to provide an understanding of the Commonwealth’s administration of the IoT. To achieve our objective, we performed the following audit procedures:

  • We sent a survey to 84 agencies to gain an understanding of the current and future plans for deployment of IoT devices in the Commonwealth, the types of IoT devices deployed, the ways IoT devices are connected to networks, the purposes IoT devices serve, and agencies’ perspectives on the benefits and risks of IoT technology. Twenty-eight of the agencies responded.
  • We obtained an understanding of the implications of the state government adopting IoT technology through interviews with the chief information officer of the City of Boston and professors from the University of Massachusetts, Harvard University, and the Massachusetts Institute of Technology. In addition, we gained insight from chief information officers, chief information security officers, and IT management from EOTSS, DCAMM, the Massachusetts Department of Transportation, the Executive Office of Public Safety and Security, the Executive Office of Energy and Environmental Affairs, the Massachusetts Port Authority, the Department of Public Health, and the Executive Office of Health and Human Services.
  • We reviewed reports, academic research, online webinars, and documents and attended conferences to gain a better understanding of the IoT.
  • We reviewed DCAMM’s IoT data security classification and determined whether the data were adequately protected when in transit and when stored.
  • We reviewed the current and potential impact of the lack of governmental oversight over the adoption of IoT technology.

Further, at EOTSS, we performed the following work:

  • We reviewed the applicable network security controls in the Massachusetts Access to Government Network that were intended to safeguard against potential security vulnerabilities of IoT devices and related information system resources.
  • We reviewed the procurement and project management methodology for the CBEI Program and determined whether cybersecurity risks were properly mitigated.
  • We reviewed asset management processes and verified the effectiveness of physical security for IoT devices and related IT resources.
  • We reviewed the IoT vendor selection and vendor relationship management processes, as well as the availability of state data upon vendor termination.
  • We reviewed the problem management and patch management [6] processes for IoT devices and related IT resources.

The results of our survey of state agencies were not used to support our findings, conclusions, or recommendations; they were used for background and contextual information only. Therefore, a data-reliability assessment of the survey data was determined to be unnecessary.

We also assessed the reliability of DCAMM’s IoT inventory list. Specifically, we reviewed existing information and interviewed knowledgeable staff members about the data. In addition, we performed validity and integrity tests on all data, including testing to determine whether (1) data were missing from relevant fields, (2) data were consistent with overall aggregate formatting, and (3) data were within the correct data range. We determined that the data provided to us by DCAMM were reliable.
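The three validity and integrity tests described above (missing fields, consistent formatting, values within range), applied to a constructed IoT inventory. This is an added illustration, not OSA's or DCAMM's own tooling; the field names, identifier pattern, classification levels and sample rows are assumptions chosen for the example.

```python
"""Data-reliability checks of the kind an auditor runs on an asset inventory."""
import re
from datetime import date

# Constructed sample inventory (hypothetical fields and values, not DCAMM's data)
INVENTORY = [
    {"asset_id": "CBEI-0001", "site": "State Hospital A", "ip": "10.20.30.5",
     "classification": "Low", "installed": "2016-09-14"},
    {"asset_id": "CBEI-0002", "site": "", "ip": "10.20.30.6",
     "classification": "Low", "installed": "2016-11-02"},
    {"asset_id": "CBEI-0003", "site": "Trial Court B", "ip": "10.20.30",
     "classification": "Medium", "installed": "2017-01-20"},
    {"asset_id": "CBEI-0004", "site": "Community College C", "ip": "10.20.30.8",
     "classification": "Critical", "installed": "2017-05-01"},
]

REQUIRED = ("asset_id", "site", "ip", "classification", "installed")
ASSET_ID_RE = re.compile(r"^CBEI-\d{4}$")          # assumed inventory ID pattern
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
CLASSIFICATIONS = {"Low", "Medium", "High"}         # assumed data-classification scale
AUDIT_END = date(2017, 3, 31)                       # end of the audit period on the page

def check_record(rec):
    """Return a list of (test, field) failures for one inventory row."""
    problems = []
    # Test 1: data missing from relevant fields
    for f in REQUIRED:
        if not str(rec.get(f, "")).strip():
            problems.append(("missing", f))
    # Test 2: consistency with the aggregate formatting
    if rec.get("asset_id") and not ASSET_ID_RE.match(rec["asset_id"]):
        problems.append(("format", "asset_id"))
    m = IPV4_RE.match(rec.get("ip", ""))
    if rec.get("ip") and (not m or any(int(o) > 255 for o in m.groups())):
        problems.append(("format", "ip"))
    # Test 3: values within the correct range
    if rec.get("classification") and rec["classification"] not in CLASSIFICATIONS:
        problems.append(("range", "classification"))
    try:
        if date.fromisoformat(rec.get("installed", "")) > AUDIT_END:
            problems.append(("range", "installed"))  # dated after the period reviewed
    except ValueError:
        problems.append(("format", "installed"))
    return problems

def assess(inventory):
    """Map each failing asset to its failures so reliability can be judged overall."""
    return {r.get("asset_id", "?"): p for r in inventory if (p := check_record(r))}

if __name__ == "__main__":
    for asset, probs in assess(INVENTORY).items():
        print(asset, probs)
```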

6. According to the Information Systems Audit and Control Association’s website, patch management is “an area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk.”

Date published: September 5, 2018