Overview
OCABR revealed to us in interviews that it did not have an information classification policy and did not establish classification levels for its information assets (i.e., public, internal use, and confidential), leaving sensitive data without a clear framework for protection and management.
Not classifying information (e.g., personally identifiable information [PII] or regulated information) hinders OCABR’s ability to establish effective policies and procedures for information management and data protection. Without effective data policies in place, OCABR’s sensitive data may be more vulnerable to unauthorized access, theft, or misuse.
The lack of effective information classification can lead to other challenges, such as legal liabilities, regulatory violations, and OCABR reputational damage, particularly if personal information or data protected by privacy regulations are compromised. Improper management of data can not only harm OCABR, but it could also lead to increased risk and security vulnerabilities for Massachusetts residents who have used OCABR’s services.
Additionally, if the subsets of data contained in information systems are not properly classified, then the risk increases that critical systems are left exposed to threats, such as unauthorized use or theft. This can cause OCABR to face challenges in planning for potential threats such as cybersecurity attacks, natural disasters, or fraud.
Authoritative Guidance
EOTSS’s Asset Management Standard IS.004 states,
6.2. Information Classification
The classification or sensitivity level of all information must be established to ensure that appropriate measures are taken to protect the information commensurate with its value to the organization and the legal restrictions on its dissemination.
Reasons for Issue
OCABR management informed us that they used an application rating system for the initial inventory of information systems, with the later goal of producing a detailed inventory of data that included information classification and sensitivity levels. This goal was not met because Executive Office of Economic Development information technology (IT) staff members transitioned to EOTSS in 2023, which left a resource gap and many competing priorities.
Recommendations
- OCABR management should develop and implement an information classification policy to comply with EOTSS’s Asset Management Standard IS.004 and should assign an information custodian in this policy.
- OCABR should conduct a data inventory and classification assessment of information based on sensitivity, criticality, and regulatory requirements.
Auditee’s Response
OCABR developed a written Information Asset Policy after the audit period and effective October 2024.
OCABR’s written Information Asset Policy identifies the classification levels to be used for stored information (restricted, confidential, internal use, and public), the responsible person for recommending classification levels (the Information Owner who is the business owner for each OCABR unit), and the role of the Information Custodian (the General Counsel) in working with the Information Owners both to set and to update classification levels on a periodic basis. In particular, OCABR only posts information on its website classified as public, and semi-annual reviews are conducted to consider existing classification levels for information.
Auditor’s Reply
Based on its response, OCABR is taking measures to address our concerns regarding this matter.
Date published: May 5, 2025