Overview
The Massachusetts Department of Agricultural Resources (MDAR) did not store the following in a secure location: 78 Vegetation Management Plans (VMPs), 123 Yearly Operational Plans (YOPs), several Pesticide Use Observation Reports, and several General Inspection Reports.
During our audit, MDAR officials initially stated that all VMPs, YOPs, Pesticide Use Observation Reports, and General Inspection Reports were on the Rights of Way (ROW) Program coordinator’s computer and in their email. However, during a follow-up meeting with MDAR officials (which was specifically to review the VMPs and YOPs on the ROW Program coordinator’s desktop), we learned that all data related to the program is actually stored on a removable flash drive. This flash drive was not issued to the ROW Program coordinator by MDAR; was stored in various locations, such as the ROW Program coordinator’s home office; and was not encrypted or password protected.
If MDAR does not properly secure its data, then it assumes a higher-than-acceptable risk of its data becoming lost, stolen, or destroyed.
Section 6.3.6 of the Executive Office of Technology Services and Security’s Asset Management Standard IS.004 states, “Commonwealth Executive Offices and Agencies shall by default restrict removable media use for personnel. . . . Removable media use shall be granted on an exception basis when there is a compelling organizational need.”
Additionally, Section 6.3.2 of the Executive Office of Technology Services and Security’s Acceptable Use of Information Technology Policy IS.002 states, “The confidentiality and integrity of information must be protected at rest, in use and in transit.” Section 6.3.2.1.1 of this policy specifically goes on to state that all Commonwealth agencies within the executive branch should “store all information on access-restricted and/or -controlled Shared Folders or Drives.”
In response to our request for information related to the ROW Program, MDAR officials told us the following in an email dated June 7, 2023:
It was customary for field staff to use [flash] drives since [Microsoft] Teams/Cloud was not being used at that time and when in the field, staff had no way to access files that were stored on the network. It was not until the pandemic that the agency moved over to [Microsoft] Sharepoint/Onedrive/Teams.
SharePoint, OneDrive, and Teams, as referenced in the above email, allow users to securely store and access data online from any device.
We recommend that MDAR securely store documentation related to any MDAR program in an access-restricted folder or drive on MDAR’s computer network and that it does so in a manner that allows recovery or reproduction of the data if the storage medium is lost or stolen.
Date published: June 12, 2024