Overview
MDCS revealed to us in interviews that it did not have an information classification policy and did not establish classification levels for its information assets (e.g., confidential, internal use, or public), leaving sensitive data without a clear framework for protection and management.
Not classifying information (e.g., personally identifiable information [PII] or regulated information) hinders MDCS’s ability to establish effective policies and procedures for information management and data protection. Without effective data policies in place, MDCS’s sensitive data may be more vulnerable to unauthorized access, theft, or misuse.
The lack of effective information classification can lead to other challenges, such as legal liabilities, regulatory violations, and MDCS reputational damage, particularly if personal information or data protected by privacy regulations is compromised. Improper management of data can not only harm MDCS, but it could also lead to increased risk and security vulnerabilities for Massachusetts residents who have used MDCS’s services.
Additionally, if the subsets of data contained in information systems are not properly classified, then the risk that critical systems are left exposed to threats, such as unauthorized use or theft, increases. This can cause MDCS to face challenges in planning for potential threats such as cybersecurity attacks, natural disasters, or fraud.
Authoritative Guidance
EOTSS’s Information Asset Management Standard IS.004 states,
6.2. Information Classification
The classification or sensitivity level of all information must be established to ensure that appropriate measures are taken to protect the information commensurate with its value to the organization and the legal restrictions on its dissemination.
Reasons for Issue
MDCS was not aware of the requirement to issue an information classification policy separate from but based on Section 6.2 of EOTSS’s Asset Management Standard IS.004.
Recommendations
- MDCS management should develop and implement an information classification policy to comply with IS.004 and should assign an information custodian in this policy.
- MDCS should conduct a data inventory and classification assessment of information based on sensitivity, criticality, and regulatory requirements.
Auditee’s Response
EOLWD is in the process of developing a comprehensive data framework and related governance strategy that will apply to all MDCS data. MDCS will classify its data in accordance with the EOLWD policy when finalized.
Auditor’s Reply
Based on its response, MDCS is taking measures to address our concerns regarding this matter.
Date published: May 27, 2025