Audit of the Executive Office of Public Safety and Security Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain information technology (IT) activities of the Executive Office of Public Safety and Security (EOPSS) for the period October 1, 2017 through March 31, 2018.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.

We conducted this performance audit by using criteria from policies issued by the Executive Office of Technology Services and Security (EOTSS) as well as industry standards established in the Center for Internet Security’s Critical Security Controls (CIS Controls) 1 and 3, which are based on the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53r4. Although EOTSS is not required to follow these industry standards, we believe they represent IT industry best practices for cybersecurity. The EOTSS policies we used as criteria are also derived from NIST Special Publication 800-53r4.

CIS Control 1 states that IT organizations should do the following:

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CIS Control 3 states that IT organizations should do the following:

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

EOPSS and its entities use a variety of systems and applications to carry out day-to-day tasks. Our audit focused primarily on examining the following applications that were relevant to our audit objectives:

1. ServiceNow, a cloud-based Web application that is used to manage and administer computing devices such as laptops, desktops, and servers from a central application interface.
2. Nessus, an application that scans all computers and devices connected to a common network for known software vulnerabilities.

To achieve our audit objectives, we gained an understanding of the internal control environment related to our audit objectives by reviewing applicable EOPSS and EOTSS policies and procedures, reviewing relevant laws and regulations, and interviewing various EOPSS staff members. Additionally, we performed the following procedures:

• We conducted a survey of EOPSS regarding what activities it performed to adhere to the various subcontrols² outlined in CIS Controls 1 and 3 to ensure that the devices on the network were monitored and that a vulnerability scan process was in place.
• We performed an overall walkthrough of the patching process to ensure that software patches were actively updated. We focused on the patch frequency and triage patches³ being deployed.
• We performed a walkthrough of ServiceNow to determine whether EOPSS had an automated process to track what devices were connected to its network.
• We obtained and verified a list of all EOPSS IT hardware recorded in ServiceNow to ensure that EOPSS had accurate information on what devices were connected to its network.
• We performed a walkthrough of Nessus to ensure that EOPSS kept up to date with software releases to mitigate security vulnerabilities.
• We requested and reviewed an example of a vulnerability scan report from Nessus to determine whether EOPSS knew that vulnerabilities existed on its network.