Overview
Led by the Commonwealth's Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), the Enterprise Risk Management Office (ERM) coordinates efforts to strengthen the state's digital transformation, including enhancing data security, safeguarding privacy, and improving service delivery to end users. The Office focuses on the areas of enterprise risk management, auditing, strategy, and Executive Branch policies around risk and security services.
Internal Audits & Controls
Internal Control Plan: The Office oversees the development, implementation, and testing of policies and standards used to identify, assess, and mitigate potential risks.
Compliance: The Office works with all Commonwealth agencies to strengthen compliance with the EOTSS policies, standards, and guidelines that are necessary to mitigate risks, and to ensure agency operations meet legal and regulatory requirements.
Risk Assessment Campaign: This campaign identifies and captures the Executive Branch's acknowledgment of the Commonwealth's Enterprise Security Policies & Standards.
Application Security Center of Excellence (ASCOE): The ASCOE Program sets the vulnerability management standard for product security by implementing continuous security scanning of internet-facing applications.
Risk Management
Risk Appetite Statement: The Office produces a statement that clearly defines a strategic framework for addressing risk in an organization, including the amount and kinds of risk an organization is willing to take on to achieve its objectives.
Vendor Risk Management (VRM) Program: This program assesses the maturity of the information security and data privacy standards that current third-party vendors and any apparent successful bidders have in place.
Risk Response: ERM determines the EOTSS response to each identified risk in one of four ways: acceptance, transfer, mitigation, or avoidance.
Governance
Risk Committee: This committee advises the EOTSS Secretary regarding the review and approval of risk policies and analysis, and outlines the roles, responsibilities, and functions of ERM programs.
Chief Information Security Officer (CISO) Council: This council of Executive Branch chief information security officers and other cybersecurity officials meets monthly and promotes coordination and collaboration on issues related to enterprise security and risk management.