During our audit period, DOR did not assess and document third-party risks for any of the vendors that received, or had access to, PII from DOR. To do this, DOR would need to assess both its use of vendors and the control risks at third-party vendors. A lack of assessment of third-party risks increases the chance that information security risks with such vendors will not be identified and mitigated promptly or at all, which results in a higher-than-acceptable risk of sensitive data being inappropriately accessed.
Section 6.2 of EOTSS standard IS.015, “Third-Party Information Security,” effective October 15, 2018, requires the following of all executive state agencies:
All contracts by which a third party provides services to the Commonwealth or allows a third party to access, store, process, analyze, or transmit Commonwealth confidential information shall be assessed, prior to entering into an agreement, to determine the third party’s capability to maintain the confidentiality, integrity and availability of Commonwealth information assets.
Previously, the “Enterprise Information Security Organization Policy” issued by EOTSS’s predecessor agency, the Massachusetts Office of Information Technology, was effective from March 6, 2014 through October 14, 2018. Section 2 of the policy required all executive agencies to do the following for external parties, which include third-party vendors.
[Document] the specific responsibilities of External Parties: The documentation should include the identification of third party risks to the agency’s information from business processes involving external parties with appropriate controls implemented prior to granting access, by:
2.1 Performing a risk assessment of the identified security risks associated with conducting business with the third party prior to granting access and determine whether:
2.1.1 The security risks can be remediated either by third parties or agency action.
2.1.2 Compensating controls may be applied to satisfactorily diminish the security risks.
2.1.3 The security risks can be effectively managed without undue risk to the agency.
Reasons for Issue
DOR’s “Third Party Security Policy” does not specify the steps DOR should take to assess and document third-party risks.
Recommendations
- DOR should update its “Third Party Security Policy” to include procedures necessary to assess and document third-party risks.
- DOR should assess and document third-party risks.
Auditee’s Response
DOR will convene a working group to research and develop criteria and tools for evaluating and monitoring third party vendor risks.
Auditor’s Reply
Based on its response, DOR is taking measures to address this issue. We urge the agency and its working group to update DOR policies to include the criteria and tools developed and the monitoring process for third-party vendor risks.
Date published: December 13, 2019