Overview
During our audit period, DTA did not assess and document third-party risks for any of the vendors that received, or had access to, PII from DTA. Without such assessments, information security risks associated with third-party vendors may not be identified and mitigated promptly, or at all, leaving a higher-than-acceptable risk that sensitive data will be accessed inappropriately.
Authoritative Guidance
Section 6.2 of EOTSS standard IS.015, “Third-Party Information Security,” effective October 15, 2018, requires the following of all executive state agencies:
All contracts by which a third party provides services to the Commonwealth or allows a third party to access, store, process, analyze or transmit Commonwealth confidential information shall be assessed, prior to entering into an agreement, to determine the third party’s capability to maintain the confidentiality, integrity and availability of Commonwealth information assets.
Previously, Section 2 of MassIT’s “Enterprise Information Security Organization Policy,” effective from March 6, 2014 through October 14, 2018, required all executive agencies to do the following:
Documenting the specific responsibilities of External Parties: The documentation should include the identification of third party risks to the agency’s information from business processes involving external parties with appropriate controls implemented prior to granting access, by:
2.1 Performing a risk assessment of the identified security risks associated with conducting business with the third party prior to granting access and determine whether:
2.1.1 The security risks can be remediated either by third parties or agency action.
2.1.2 Compensating controls may be applied to satisfactorily diminish the security risks.
2.1.3 The security risks can be effectively managed without undue risk to the agency.
Reasons for Noncompliance
DTA did not develop a third-party security policy specifying the steps it should take to assess and document third-party risks. DTA managers were able to provide us with System and Organization Control (SOC) reports for some vendors, which they believed to be sufficient. However, although a SOC report gives an external auditor's opinion on the design and operating effectiveness of a vendor's own IT controls, it does not assess the risks that arise from DTA's particular use of that vendor, including the PII DTA shares with it.
Recommendations
- DTA should establish a third-party security policy that includes procedures necessary to assess and document third-party risks.
- DTA should assess and document third-party risks.
Auditee’s Response
EOHHS provided the following response on DTA’s behalf.
DTA has not operationalized a third-party security policy because EOTSS and EOHHS are both working towards implementation of a third-party security policy. EOHHS has implemented a third-party security management standard in its enterprise standards. . . . EOHHS is working with agencies to operationalize such standards. However, EOTSS has indicated that it will implement contractual standards for managing third parties. Those provisions are still pending.
Auditor’s Reply
OSA acknowledges that EOHHS and EOTSS establish policies that DTA must follow. We encourage DTA to incorporate EOHHS’s third-party security management standard as soon as possible in order to sufficiently assess and document third-party risks. We also encourage EOTSS to establish the contractual standards for managing third parties as soon as possible so that all Commonwealth agencies may update their own policies.
Date published: January 6, 2020