Offered by the Office of the State Auditor

Audit of the Department of Transitional Assistance—Information Security Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Department of Transitional Assistance—Information Security.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Department of Transitional Assistance (DTA) for the period July 1, 2018 through June 30, 2019.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

Objective 1. Does DTA have user training programs and acknowledgment forms that meet the standards of the National Institute of Standards and Technology (NIST) related to the protection of personally identifiable information (PII)?
Conclusion: Yes

Objective 2. Has DTA designed and implemented password parameters and a process for terminating user accounts to protect the security of its information?
Conclusion: Partially; see Finding 1

Objective 3. Does DTA have documented and tested procedures to handle information security incidents?
Conclusion: Partially; see Finding 2

Objective 4. Does DTA manage risks with third-party vendors to meet Executive Office of Technology Services and Security (EOTSS) standards and NIST standard 800-53r4 related to the protection of PII?
Conclusion: No; see Finding 3

We conducted this performance audit using policies, procedures, and standards issued by DTA; enterprise security policies and standards issued by EOTSS; and Chapter 93H of the General Laws as criteria. A preliminary version of the EOTSS enterprise security policies was available to agencies in October 2017, and agencies were required to comply with a finalized version on October 15, 2018. Although compliance with these policies was not required for the whole audit period, they were available for agencies to view on EOTSS’s website and represented best practices that should have been followed by state agencies such as DTA. We also referred to standards issued by the Massachusetts Office of Information Technology (MassIT) before 2017. MassIT is EOTSS’s predecessor agency.

We also used NIST Special Publication 800-53, Revision 4, titled Security and Privacy Controls for Federal Information Systems and Organizations; NIST’s Framework for Improving Critical Infrastructure Cybersecurity; the American Institute of Certified Public Accountants’ Trust Services Criteria; and the Information Systems Audit and Control Association’s (ISACA’s) Control Objectives for Information and Related Technology 4.1. Although DTA is not required to follow these industry standards, they represent best practices for information security.

By conducting interviews and performing observations, we were able to gain an understanding of the internal controls that we deemed significant to our audit objectives. To achieve our audit objectives, we conducted the following procedures:

  • To assess the design of DTA’s user training programs and acknowledgment forms aimed at protecting PII, we performed the following procedures:
      ◦ We conducted interviews of staff members charged with administering DTA’s training programs to gain an understanding of DTA’s training processes.
      ◦ We evaluated the adequacy of the Executive Office of Health and Human Services’ 2018 “Acceptable Use Policy,” which DTA had adopted, by comparing it with ISACA best practices to determine its adherence to those practices.
      ◦ We reviewed DTA’s annual security awareness training materials from 2018 to determine whether they addressed the “Acceptable Use Policy” and complied with NIST best practices.
  • To assess DTA’s access controls over terminations and password parameters, we performed the following procedures:
      ◦ We obtained a list of employees terminated between July 1, 2018 and June 30, 2019 from the Human Resource Compensation Management System (HR/CMS) to determine the dates employees were terminated from HR/CMS.
      ◦ We took a nonstatistical sample of 25 terminated employees out of a population of 155 to determine whether these employees’ access to DTA systems was terminated in a timely manner.
      ◦ We reviewed DTA’s password parameters to determine whether they complied with EOTSS standards.
  • To assess DTA’s security incident response procedures, we performed the following procedures:
      ◦ We reviewed DTA’s incident response plan to determine whether it addressed what EOTSS requires from agencies.
      ◦ We asked about incident response tests during our audit period to determine whether DTA regularly performed such tests.
  • To assess DTA’s risk management with its third-party vendors, we performed the following procedures:
      ◦ We asked whether DTA had documented risk assessments for its third-party vendors.
      ◦ We reviewed DTA’s interdepartmental service agreement with EOTSS to determine whether it clearly spelled out each party’s roles and responsibilities.
      ◦ We reviewed all four DTA contracts with vendors identified by DTA officials as having received or accessed PII during our audit period to determine whether the contracts contained applicable information security and confidentiality provisions.

To assess the completeness and accuracy of the list of terminated employees from HR/CMS, we interviewed the application security and operations manager, as well as human resource data analysts, at DTA. We also tested for missing data, duplicate data, and data outside the audit period. To assess the accuracy of DTA’s list of vendors that received PII, we vouched vendors from this list to vendors in the Commonwealth’s Information Warehouse. Because there was no other way for us to determine which vendors had access to PII, we relied on the list provided by the agency. Based on the results of these data reliability assessment procedures, we determined that the information obtained for our audit was sufficiently reliable for the purpose of the audit.
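The reliability tests described above (missing data, duplicate data, records outside the audit period) and the termination-timeliness test from the access-control procedures can be expressed as a small reconciliation script. This is an added illustration, not the auditors' own tooling or data: the employee records, the field names, and the allowed lag between HR termination and account deactivation are constructed assumptions (the page does not state what lag EOTSS permits).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AUDIT_START = date(2018, 7, 1)   # audit period stated in the report
AUDIT_END = date(2019, 6, 30)

@dataclass
class Record:
    emp_id: str                        # assumed field: HR/CMS employee identifier
    hr_termination: Optional[date]     # date terminated in HR/CMS (None = missing)
    access_removed: Optional[date]     # date the system account was disabled (None = still active)

def reliability_issues(records):
    """Data-reliability tests: missing termination date, duplicate employee ID,
    termination outside the audit period. Returns {emp_id: [issue, ...]}."""
    issues, seen = {}, set()
    for r in records:
        found = []
        if r.hr_termination is None:
            found.append("missing termination date")
        elif not (AUDIT_START <= r.hr_termination <= AUDIT_END):
            found.append("outside audit period")
        if r.emp_id in seen:
            found.append("duplicate employee ID")
        seen.add(r.emp_id)
        if found:
            issues.setdefault(r.emp_id, []).extend(found)
    return issues

def untimely_terminations(records, max_lag_days):
    """Timeliness test: accounts disabled more than max_lag_days after the HR
    termination date, or never disabled, are flagged. Records that failed the
    reliability tests are excluded; an auditor would resolve those first."""
    unreliable = reliability_issues(records)
    flagged = {}
    for r in records:
        if r.emp_id in unreliable:
            continue
        if r.access_removed is None:
            flagged[r.emp_id] = None   # still active after termination
        elif (r.access_removed - r.hr_termination).days > max_lag_days:
            flagged[r.emp_id] = (r.access_removed - r.hr_termination).days
    return flagged

# Constructed sample population; not the audit's real data.
SAMPLE = [
    Record("E001", date(2018, 8, 1), date(2018, 8, 2)),     # timely
    Record("E002", date(2018, 9, 10), date(2018, 10, 5)),   # 25-day lag
    Record("E003", date(2019, 1, 15), None),                # never disabled
    Record("E004", None, date(2019, 2, 1)),                 # missing HR date
    Record("E005", date(2017, 12, 1), date(2017, 12, 2)),   # outside audit period
    Record("E001", date(2018, 8, 1), date(2018, 8, 2)),     # duplicate row
]
```

Run against a full HR/CMS export rather than a sample, the same two functions give the population counts an auditor needs before choosing which items to test.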

Date published: January 6, 2020
