MassHire Department of Career Services - Finding 5

The MassHire Department of Career Services did not perform a business impact analysis or risk assessment to classify its information systems.

Overview

MDCS management revealed to us in interviews that they did not perform a business impact analysis or risk assessment to classify their information systems. Information systems should be classified as low, medium, high, or critical, depending on the use of the system and the information it contains.

Without a business impact analysis or risk assessment to classify information systems, the criticality of systems will not be assessed based on the sensitivity of the information stored within them. If vital systems are not classified correctly, then they cannot be protected correctly, whether from cybersecurity threats, natural disasters, or fraud. As a result, MDCS could face challenges in planning for these potential disruptions and may not be able to prioritize information technology (IT) resources effectively in the event of an emergency.

Authoritative Guidance

EOTSS’s Asset Management Standard IS.004 states,

6.6.2 Commonwealth Agencies and Offices must conduct a business impact analysis or a risk assessment to determine information system classifications for their information assets.

Reasons for Issue

MDCS management stated that they have classified the information system but have yet to document it anywhere or conduct a business impact analysis or risk assessment corresponding to it. Additionally, the system has not been reclassified in 5 to 10 years because there have not been any significant changes. MDCS management stated that they do conduct risk assessments, but that these are related to fiscal areas and not IT systems.

Recommendations

  1. MDCS management should implement a policy to periodically conduct a business impact analysis or risk assessment in order to classify its information systems.
  2. MDCS should review these classifications at least annually or anytime a significant system change occurs.

Auditee’s Response

See response 4. MDCS will continue to partner with EOLWD to implement the required recommendations to ensure full compliance. This will include a related business impact analysis and risk assessment.

Auditor’s Reply

Based on its response, MDCS is taking measures to address our concerns regarding this matter.

Date published: May 27, 2025
