Providing leadership in the development, delivery, and maintenance of enterprise risk management and information governance programs to safeguard the Commonwealth’s information assets.
- This page, Risk Management, is offered by
- Cybersecurity and Enterprise Risk Management
Risk Management
Table of Contents
What we do
The Enterprise Risk Management (ERM) Office provides leadership in the development, delivery and maintenance of both an Information Governance Program and an Enterprise Information Security Risk Management Standard to identify vulnerabilities and streamline monitoring, testing, compliance and training.
Led by the Chief Risk Officer, the ERM Office also works with executive branch agencies to identify and mitigate third-party vendor risk. The ERM Office is in the process of developing an enterprise risk appetite statement that will be incorporated into technology planning, acquisitions, and implementations across the Commonwealth.
Additionally, the ERM Office continues to review and update policies, standards, guidelines, and administrative directives in line with our Enterprise Security Incident Reporting and Response framework and new technology standards that align with the EOTSS Standard Operating Environment.
Enhancing security operations
EOTSS has developed a risk mitigation strategy that combines security operations, incident reporting and response, and vulnerability management.
We continue to build out the capacity and services of our Security Operations Center (SOC) and its Security Incident Event Management (SIEM).
The SOC routinely participates in training exercises with government and industry partners to improve the Commonwealth’s readiness and preparedness and to practice repairing compromised systems.
The SIEM provides the state with an analytical platform to assist in the prevention, protection, mitigation, response, and recovery from cyber threats.
Preparing state workers for the latest threats
Cybersecurity and risk management are not just an “IT” responsibility. Combating today’s threats requires the cooperation of all state employees and agencies.
Through training and professional development, the people that lead, manage, and run the Commonwealth’s day-to-day operations remain the first line of defense against cyber threats.
Simulated phishing campaigns and annual training sessions help state workers learn how to practice good ‘cyber hygiene’ and foster a culture of cyber awareness.
Confidence through collaboration
EOTSS maintains strong relationships with our partners and peers at the national, regional, state, and local level.
Department of Homeland Security (DHS)
Cybersecurity Infrastructure Security Agency (CISA)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
National Governors Association (NGA)
National Association of State Chief Information Officers (NASCIO)
Mass Cyber Center
MA State Police Fusion Center
Advanced Cyber Security Center (ACSC)
The Massachusetts State Legislature
Contact
Online
Cybersecurity questions:
CommonwealthCISO@mass.gov
Risk management questions:
ERM@mass.gov
Report cybersecurity incident:
eotss-soc@mass.gov