EOTSS Enterprise Risk Management Office

The Executive Office of Technology Services and Security (EOTSS) provides Enterprise Risk Management to support all agency missions.

Skip table of contents

You skipped the table of contents section.

Overview

Led by the Commonwealth's Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), the Enterprise Risk Management Office (ERM) coordinates efforts to strengthen the state's digital transformation, including enhancing data security, safeguarding privacy, and improving service delivery to end users. The Office focuses on the areas of enterprise risk management, auditing, strategy, and Executive Branch policies around risk and security services.

View an accessible version of the EOTSS organization chart

Internal Audits & Controls

Internal Control Plan: The Office oversees the development, implementation, and testing of policies and standards used to identify, assess, and mitigate potential risks.

Compliance: The Office works with all Commonwealth agencies to strengthen compliance with EOTSS policies, standards, and guidelines that are necessary to mitigate risks and ensure their operations comply with legal and regulatory requirements.

Risk Assessment Campaign: This campaign identifies and captures the Executive branch’s acknowledgment of the Commonwealth’s Enterprise Security Policies & Standards.

Application Security Center of Excellence (ASCOE): The ASCOE Program sets the vulnerability management standard for product security by implementing continuous security scanning of internet-facing applications.

Risk Management

Risk Appetite Statement: The Office produces a statement that clearly defines a strategic framework for addressing risk in an organization, including the amount and kinds of risk an organization is willing to take on to achieve its objectives.

Vendor Risk Management (VRM) Program: This program assesses the maturity of the information security and data privacy standards that current third-party vendors and any apparent successful bidders have in place.

Risk Response: ERM determines the EOTSS response to identified risks in one of four ways: acceptance, transfer, mitigation, and avoidance.

Governance

Risk Committee: This committee advises the EOTSS Secretary regarding the review and approval of risk policies and analysis, and outlines the roles, responsibilities, and functions of ERM programs.

Chief Information Security Officer (CISO) Council: This council of Executive Branch chief information security officers and other cybersecurity officials meets monthly and promotes coordination and collaboration on issues related to enterprise security and risk management.

Contact for EOTSS Enterprise Risk Management Office

Online

For cybersecurity or risk management questions: Email Cybersecurity and Enterprise Risk Management at ERM@mass.gov

Address

McCormack Building

1 Ashburton Place, 8th Floor, Boston, MA 02108

Directions

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the Executive Office of Technology Services and Security. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback.

If you need assistance, please contact the Executive Office of Technology Services and Security.

Please let us know how we can improve this page.