MassHire Department of Career Services - Finding 7

The MassHire Department of Career Services did not ensure that access to personally identifiable information stored at the career centers was limited to approved personnel members who have business needs to access it.

Overview

MDCS did not ensure that access to PII stored at the career centers was limited to personnel members with a business need to access it. Berkshire, Boston, Cape and Islands, Framingham, Metro North-Woburn, North Central, Merrimack Valley, and North Shore Youth Center all require employees to sign general confidentiality agreements when they begin working at their career centers, but do not have a process for authorizing a user’s access to PII stored at their career centers.

Granting personnel members access to PII without requiring formal approval of their business need exposes MDCS to significant risks, such as data breaches. This can lead to identity theft, damaged reputation, or legal liability for MDCS. Each of these risks would have negative impacts on the people whose information is compromised.

Introducing role-based access controls would ensure that users are assigned permissions according to their roles and business need, rather than receiving individually assigned permissions on a person-by-person basis. Implementing role-based access first requires that all information be classified (see Finding 4) so that confidential information, such as PII, is identified and restricted to approved individuals in the pertinent roles.

Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.

Authoritative Guidance

EOTSS’s Asset Management Standard IS.004 states, 

6.2.1. Confidential — organization or customer information that if inappropriately accessed or disclosed could cause adverse financial, legal, regulatory, or reputational damage to the Commonwealth, its constituents, customers, and business partners.

Except as required by law, confidential information must be access-restricted to a narrow subset of personnel who have a business need to access the information. Examples may include but are not limited to:

6.2.1.1. Personally Identifiable Information (PII)

Reasons for Issue

MDCS management stated that although all of the career centers are required to follow MDCS guidelines for maintaining their data, each of them has their own process and policies. All career centers use MDCS’s centralized database but can also store additional data in other locations specific to each career center. MDCS does not keep track of the additional locations at which the career centers are storing PII and has not implemented an access control policy for the career centers.

Recommendations

  1. MDCS management should implement a strict access control policy requiring formal approval before granting access to PII stored outside of MDCS’s centralized database.
  2. MDCS should implement role-based access. This new process should align with the principle of least privilege, where users should only be given the minimum level of access necessary to perform their job functions.
  3. MDCS should ensure that its career centers periodically review current users’ access to determine whether these users have the appropriate approval.
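The three recommendations above describe one control: classify the data, grant access by role under least privilege, require a formal approval of business need before confidential data is reachable, and periodically review whether every user still holds such an approval. The following example, added here and not part of the audit report or any MDCS system, models that control in Python. The roles, store names, users, approval records and the one-year review cadence are all constructed assumptions; only the classification labels follow the IS.004 language quoted above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


# Classification labels follow EOTSS IS.004 6.2.1: PII is Confidential (see Finding 4).
class Classification(Enum):
    PUBLIC = "public"
    CONFIDENTIAL = "confidential"


@dataclass(frozen=True)
class DataStore:
    name: str
    classification: Classification


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Approval:
    """Formal approval of one person's business need, recorded by a named approver."""
    user: str
    role: str
    approved_by: str
    approved_on: date


# Hypothetical roles and the stores each role has a business need for (least privilege:
# a role lists only what its job function requires).
ROLE_PERMISSIONS = {
    "career_counselor": {"client_intake_files"},
    "receptionist": {"job_postings"},
    "center_director": {"client_intake_files", "job_postings"},
}

# Assumed cadence: an approval must be re-certified at least once a year.
REVIEW_PERIOD = timedelta(days=365)


def current_approval(user, approvals, today):
    """Return the approval covering the user's *current* role if it is still within the review period."""
    for a in approvals:
        if a.user == user.name and a.role == user.role and today - a.approved_on <= REVIEW_PERIOD:
            return a
    return None


def can_access(user, store, approvals, today):
    """Access decision: the role must permit the store and, for confidential data,
    a current formal approval of that role assignment must exist."""
    if store.name not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if store.classification is Classification.PUBLIC:
        return True
    return current_approval(user, approvals, today) is not None


def review_access(users, stores, approvals, today):
    """Periodic access review: list (user, store, reason) for every confidential store a user's
    role can reach without a valid approval on record."""
    issues = []
    confidential = [s for s in stores if s.classification is Classification.CONFIDENTIAL]
    for user in users:
        reachable = [s for s in confidential if s.name in ROLE_PERMISSIONS.get(user.role, set())]
        if not reachable:
            continue  # role touches no PII; nothing to certify
        on_record = [a for a in approvals if a.user == user.name]
        if not on_record:
            reason = "no formal approval on record"
        elif not any(a.role == user.role for a in on_record):
            reason = "approval is for a previous role"
        elif current_approval(user, approvals, today) is None:
            reason = "approval older than review period"
        else:
            continue
        for s in reachable:
            issues.append((user.name, s.name, reason))
    return issues


# Constructed sample data for a single career center.
TODAY = date(2025, 5, 27)
STORES = [
    DataStore("client_intake_files", Classification.CONFIDENTIAL),
    DataStore("job_postings", Classification.PUBLIC),
]
USERS = [
    User("alice", "career_counselor"),
    User("bob", "career_counselor"),
    User("carol", "center_director"),
    User("dan", "receptionist"),
]
APPROVALS = [
    Approval("alice", "career_counselor", "director", date(2025, 1, 15)),
    Approval("carol", "career_counselor", "director", date(2024, 9, 1)),  # carol was since promoted
    Approval("bob", "career_counselor", "director", date(2023, 3, 1)),    # never re-certified
]


def run_review():
    return review_access(USERS, STORES, APPROVALS, TODAY)


if __name__ == "__main__":
    for user, store, reason in run_review():
        print(f"{user}: {store}: {reason}")
```

Two points the model makes explicit: signing a general confidentiality agreement (what the career centers do today) does not appear anywhere in the decision, because it records no business need for a particular data store; and a role change or the passage of time silently invalidates access until someone re-approves it, which is exactly what the periodic review surfaces.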

Auditee’s Response

See Response 1. This is a priority for MDCS and a primary driver of the modernization efforts. As part of system modernization, MDCS will implement a multi-tiered authorized access management system based on necessary functions, including a periodic review of user access to determine whether these users have the appropriate approval.

Auditor’s Reply

Based on its response, MDCS is taking measures to address our concerns regarding this matter.

Date published: May 27, 2025
