ServiceNow for tech support & requests

Risk Management

Providing leadership in the development, delivery, and maintenance of enterprise risk management and information governance programs to safeguard the Commonwealth’s information assets.

Skip table of contents

You skipped the table of contents section.

What we do

The Enterprise Risk Management (ERM) Office provides leadership in the development, delivery and maintenance of both an Information Governance Program and an Enterprise Information Security Risk Management Standard to identify vulnerabilities and streamline monitoring, testing, compliance and training.

Led by the Chief Risk Officer, the ERM Office also works with executive branch agencies to identify and mitigate third-party vendor risk. The ERM Office is in the process of developing an enterprise risk appetite statement that will be incorporated into technology planning, acquisitions, and implementations across the Commonwealth.

Additionally, the ERM Office continues to review and update policies, standards, guidelines, and administrative directives in line with our Enterprise Security Incident Reporting and Response framework and new technology standards that align with the EOTSS Standard Operating Environment.

Enhancing security operations

EOTSS has developed a risk mitigation strategy that combines security operations, incident reporting and response, and vulnerability management.

We continue to build out the capacity and services of our Security Operations Center (SOC) and its Security Incident Event Management (SIEM).

The SOC routinely participates in training exercises with government and industry partners to improve the Commonwealth’s readiness and preparedness and to practice repairing compromised systems.

The SIEM provides the state with an analytical platform to assist in the prevention, protection, mitigation, response, and recovery from cyber threats.

Preparing state workers for the latest threats

Cybersecurity and risk management are not just an “IT” responsibility. Combating today’s threats requires the cooperation of all state employees and agencies.

Through training and professional development, the people that lead, manage, and run the Commonwealth’s day-to-day operations remain the first line of defense against cyber threats.

Simulated phishing campaigns and annual training sessions help state workers learn how to practice good ‘cyber hygiene’ and foster a culture of cyber awareness.

Confidence through collaboration

EOTSS maintains strong relationships with our partners and peers at the national, regional, state, and local level.

Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) Multi-State Information Sharing and Analysis Center (MS-ISAC) National Governors Association (NGA) National Association of State Chief Information Officers (NASCIO) Mass Cyber Center MA State Police Fusion Center Advanced Cyber Security Center (ACSC) The Massachusetts State Legislature

Contact

Online

Cybersecurity questions: CommonwealthCISO@mass.gov

Risk management questions: ERM@mass.gov

Address

McCormack Building

1 Ashburton Place, 8th Floor
Boston, MA 02108

Directions

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the Cybersecurity and Enterprise Risk Management. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback.

If you need assistance, please contact the Cybersecurity and Enterprise Risk Management.

Please let us know how we can improve this page.