Log in links for this page

Risk Management

Providing leadership in the development, delivery, and maintenance of enterprise risk management and information governance programs to safeguard the Commonwealth’s information assets.

Table of Contents

What we do

man at computer

The Enterprise Risk Management (ERM) Office provides leadership in the development, delivery and maintenance of both an Information Governance Program and an Enterprise Information Security Risk Management Standard to identify vulnerabilities and streamline monitoring, testing, compliance and training. 

Led by the Chief Risk Officer, the ERM Office also works with executive branch agencies to identify and mitigate third-party vendor risk. The ERM Office is in the process of developing an enterprise risk appetite statement that will be incorporated into technology planning, acquisitions, and implementations across the Commonwealth.  

Additionally, the ERM Office continues to review and update policies, standards, guidelines, and administrative directives in line with our Enterprise Security Incident Reporting and Response framework and new technology standards that align with the EOTSS Standard Operating Environment. 

Enhancing security operations

EOTSS has developed a risk mitigation strategy that combines security operations, incident reporting and response, and vulnerability management. 

We continue to build out the capacity and services of our Security Operations Center (SOC) and its Security Incident Event Management (SIEM).

The SOC routinely participates in training exercises with government and industry partners to improve the Commonwealth’s readiness and preparedness and to practice repairing compromised systems. 

The SIEM provides the state with an analytical platform to assist in the prevention, protection, mitigation, response, and recovery from cyber threats.

Preparing state workers for the latest threats

cybersecurity training

Cybersecurity and risk management are not just an “IT” responsibility. Combating today’s threats requires the cooperation of all state employees and agencies.

Through training and professional development, the people that lead, manage, and run the Commonwealth’s day-to-day operations remain the first line of defense against cyber threats. 

Simulated phishing campaigns and annual training sessions help state workers learn how to practice good ‘cyber hygiene’ and foster a culture of cyber awareness.

Confidence through collaboration



Cybersecurity questions: CommonwealthCISO@mass.gov
Risk management questions: ERM@mass.gov


McCormack Building
1 Ashburton Place, 8th Floor
Boston, MA 02108

Help Us Improve Mass.gov with your feedback