Overview
MDCS did not ensure that access to PII inside of the MDCS centralized database was limited to personnel members with a business need to access it. Specifically, 2 out of 35 randomly sampled employees at MDCS did not have an authorization form approving their access to the MDCS centralized database and 1 out of 10 randomly sampled employees from the Framingham Career Center did not have an authorization form approving their access to the MDCS centralized database.
Additionally, MDCS could not locate any user authorization forms submitted before fiscal year 2014 and, therefore, could not provide documentation that users granted access in fiscal year 2013 or earlier had been approved. Before fiscal year 2014, MDCS required employees to submit authorization forms for access to the centralized database in hardcopy format rather than electronically. When the process changed in fiscal year 2014, MDCS did not require current users to resubmit the appropriate documentation in the new format. Also, MDCS did not periodically review current users’ access to determine whether these users were authorized to access the database.
Granting personnel members access to PII without requiring formal approval of their business need exposes MDCS to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for MDCS. Each of these risks would have negative impacts on the people whose information is compromised.
Role-based access controls would ensure that users are assigned permissions based on their roles and business need rather than on a person-by-person basis. Implementing role-based access first requires classifying all information (see Finding 4) to determine which information is confidential, such as PII, and should be accessed only by approved individuals in pertinent roles.
Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.
The table below details the results of our testing.
Overall Results
Testing Completed | Number of Approved Employees | No User Authorization Form on File | Hired Before Fiscal Year 2014* | Sample Size |
---|---|---|---|---|
MassHire Department of Career Services | 18 | 2 | 15 | 35 |
Berkshire Career Center | 10 | 0 | 0 | 10 |
Boston Career Center | 9 | 0 | 1 | 10 |
Cape and Islands Career Center | 5 | 0 | 0 | 5 |
Framingham Career Center | 9 | 1 | 0 | 10 |
Greater Brockton Career Center | 9 | 0 | 1 | 10 |
Metro North-Woburn Career Center | 5 | 0 | 0 | 5 |
North Central Career Center | 5 | 0 | 0 | 5 |
North Shore Youth Center | 3 | 0 | 1 | 4 |
Merrimack Valley Career Center | 10 | 0 | 0 | 10 |
Holyoke Career Center | 20 | 0 | 0 | 20 |
Total | 103 | 3 | 18 | 124 |
* These personnel members submitted their authorization forms prior to fiscal year 2014. Forms submitted prior to fiscal year 2014 were submitted physically instead of electronically and could not be located by MDCS.
Authoritative Guidance
EOTSS’s Asset Management Standard IS.004 states,
6.2.1. Confidential — organization or customer information that if inappropriately accessed or disclosed could cause adverse financial, legal, regulatory, or reputational damage to the Commonwealth, its constituents, customers, and business partners.
Except as required by law, confidential information must be access-restricted to a narrow subset of personnel who have a business need to access the information. Examples may include but are not limited to:
6.2.1.1. Personally Identifiable Information (PII)
Reasons for Issue
MDCS management stated that they could not locate MDCS’s centralized database authorization forms for three of the personnel members, but they were able to provide a human resources user access form. If a user does not log into the database for 90 days, then their access is automatically revoked. However, there is no formal process in place to regularly review user access once it has been granted. The only way a user’s access is manually revoked is if an email requesting termination is received. Additionally, MDCS management stated that before fiscal year 2014, MDCS was using hardcopy submissions of the authorization forms to approve access and could not locate the hard copies. In fiscal year 2014, MDCS switched to electronic versions of the forms.
Recommendations
- MDCS should ensure that every user requiring access to PII in the centralized database has their business need reviewed and approved before access is granted.
- MDCS should implement role-based access. This new process should align with the principle of least privilege, where users should only be given the minimum level of access necessary to perform their job functions.
- MDCS should review current users’ access to determine whether these users have the appropriate approval, and MDCS should perform this review on a periodic basis.
- MDCS should have users hired before fiscal year 2014 resubmit the database access forms electronically.
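One way to automate the periodic review the recommendations call for, as an added Python example that is not part of the audit report or of any MDCS system: it assumes a constructed user export with the fields shown and applies the same checks the audit performed (authorization form on file, form predating fiscal year 2014, 90-day inactivity) plus the email-based termination the finding describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_DAYS = 90          # auto-revocation threshold described in the finding
FIRST_ELECTRONIC_FY = 2014    # forms before this fiscal year were hardcopy only


@dataclass
class DbUser:
    """One row of a hypothetical centralized-database user export."""
    username: str
    office: str
    last_login: Optional[date]        # None if the account has never logged in
    form_on_file: bool                # electronic authorization form located
    form_fiscal_year: Optional[int]   # fiscal year the form was submitted, if known
    termination_email: bool = False   # HR/manager requested removal by email


def review_access(users, today):
    """Return {username: [issues]} for every user whose access needs action."""
    findings = {}
    for u in users:
        issues = []
        if not u.form_on_file:
            issues.append("no authorization form on file; obtain approval or revoke")
        elif u.form_fiscal_year is not None and u.form_fiscal_year < FIRST_ELECTRONIC_FY:
            issues.append("hardcopy-era form; request electronic resubmission")
        if u.last_login is None or (today - u.last_login).days >= INACTIVITY_DAYS:
            issues.append(f"inactive {INACTIVITY_DAYS}+ days; revoke")
        if u.termination_email:
            issues.append("termination requested; revoke")
        if issues:
            findings[u.username] = issues
    return findings


# Constructed sample export; names and offices are placeholders, not real users.
SAMPLE_USERS = [
    DbUser("alice", "MDCS", date(2025, 5, 20), True, 2019),
    DbUser("bob", "Framingham Career Center", date(2025, 5, 1), False, None),
    DbUser("carol", "MDCS", date(2025, 1, 10), True, 2012),
    DbUser("dave", "Boston Career Center", None, True, 2016, termination_email=True),
]

if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_USERS, date(2025, 5, 27)).items():
        print(user, "->", "; ".join(issues))
```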
Auditee’s Response
See Response 1. This is a priority for MDCS and a primary driver of the modernization efforts. As part of system modernization, MDCS will implement a multi-tiered authorized access management system based on necessary functions, including a periodic review of user access to determine whether these users have the appropriate approval. . . .
MDCS will review user access to ensure that all users have formal authorization to access the database; as part of a comprehensive policy review built into the new system, MDCS intends to build in an automated annual review process.
Auditor’s Reply
Based on its response, MDCS is taking measures to address our concerns regarding this matter.
Date published: May 27, 2025