EOTSS Enterprise Risk Management Office

The Executive Office of Technology Services and Security (EOTSS) provides Enterprise Risk Management to support all agency missions.

Led by the Commonwealth's Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), the Enterprise Risk Management Office (ERM) coordinates efforts to strengthen the state's digital transformation, including enhancing data security, safeguarding privacy, and improving service delivery to end users. The Office focuses on the areas of enterprise risk management, auditing, strategy, and Executive Branch policies around risk and security services.

EOTSS Enterprise Risk Management Office organizational chart

Internal Audits & Controls

Internal Control Plan: The Office oversees the development, implementation, and testing of policies and standards used to identify, assess, and mitigate potential risks.

Compliance: The Office works with all Commonwealth agencies to strengthen compliance with EOTSS policies, standards, and guidelines that are necessary to mitigate risks and ensure their operations comply with legal and regulatory requirements.

Risk Assessment Campaign: This campaign identifies and captures the Executive Branch's acknowledgment of the Commonwealth's Enterprise Security Policies & Standards.

Application Security Center of Excellence (ASCOE): The ASCOE Program sets the vulnerability management standard for product security by implementing continuous security scanning of internet-facing applications.

Risk Management

Risk Appetite Statement: The Office produces a statement that clearly defines a strategic framework for addressing risk in an organization, including the amount and kinds of risk an organization is willing to take on to achieve its objectives.

Vendor Risk Management (VRM) Program: This program assesses the maturity of the information security and data privacy standards that current third-party vendors and any apparent successful bidders have in place.

Risk Response: ERM determines the EOTSS response to each identified risk in one of four ways: acceptance, transfer, mitigation, or avoidance.


Risk Committee: This committee advises the EOTSS Secretary regarding the review and approval of risk policies and analysis, and outlines the roles, responsibilities, and functions of ERM programs.

Chief Information Security Officer (CISO) Council: This council of Executive Branch chief information security officers and other cybersecurity officials meets monthly and promotes coordination and collaboration on issues related to enterprise security and risk management.

Contact for EOTSS Enterprise Risk Management Office


For cybersecurity or risk management questions: Email Cybersecurity and Enterprise Risk Management at ERM@mass.gov


McCormack Building
1 Ashburton Place, 8th Floor, Boston, MA 02108