During our audit, we met with the Merrimack Valley Regional Transit Authority’s (MVRTA’s) information technology (IT) director to review its IT policies. According to its IT director, MVRTA has not established IT security policies to protect its information assets. Specifically, we noted the following:
- MVRTA had not established access controls for password configuration requirements, a password expiration or reset timeline, multifactor authentication, user identification and authentication procedures, or an inactivity period after which computers are locked.
- MVRTA had not established controls to ensure that system users received cybersecurity awareness training.
- MVRTA had not established controls to ensure the management of system configuration changes or the segregation of incompatible duties.
The Commonwealth’s Executive Office of Technology Services and Security’s Enterprise Information Security Policy IS.000 establishes the high-level functions of an information security program and outlines information security requirements for all state agencies in the Executive Department to safeguard information assets. The policy includes various standards for user access, security, identification, and accountability controls. Further, the policy states that all employees should receive cybersecurity awareness training when hired and annually thereafter to educate them on their responsibility to help protect the confidentiality, availability, and integrity of information assets.
Section 2 of Chapter 7D of the Massachusetts General Laws states,
Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.
MVRTA employees, under the oversight of the Department of Transportation, must comply with the Executive Office of Technology Services and Security’s requirements.
MVRTA’s lack of IT policies and procedures to safeguard its information assets exposes it to a higher-than-acceptable risk of viruses and malware, loss of sensitive data, unauthorized use of data, and financial and/or reputational losses. We strongly recommend that MVRTA develop IT policies, in compliance with Executive Office of Technology Services and Security policies and standards, to protect its information assets.
Date published: April 7, 2023