Offered by the Office of the State Auditor

The Massachusetts Water Resources Authority Did Not Review and Update Its Information Security Program Annually.

Our audit reviewed the Massachusetts Water Resources Authority’s (MWRA’s) information security program (ISP) and determined that it had not been reviewed annually.


Overview

During our audit, we reviewed the Massachusetts Water Resources Authority’s (MWRA’s) information security program (ISP) and determined that it had not been reviewed annually, as the ISP itself requires. Specifically, Policy ADM.30 (MWRA Information Technology User Responsibilities) and Policy ADM.31 (MWRA Information Security Policy) of MWRA’s ISP were last reviewed in 2017.

As a result, the ISP’s policies may no longer reflect MWRA’s current systems, threats, or control requirements, and there is a higher-than-acceptable risk that MWRA’s information systems are not adequately protected from vulnerabilities, which could result in the loss of protected information.

Authoritative Guidance

According to Policy ADM.31, “The ISP will be reviewed annually.”

Reasons for Issue

MWRA officials told us they were not aware of the requirement to do an annual review of the ISP. Additionally, MWRA did not have internal controls in place to ensure that it reviewed the ISP.

Recommendations

  1. MWRA should review its ISP annually.
  2. MWRA should develop and implement internal controls to ensure that it reviews its ISP annually.

Auditee’s Response

MWRA has comprehensively revised its Information Security Policy ADM.31, including additional requirements on annual updating processes, required staff training, roles and responsibilities, and enforcement mechanisms. That policy review was already underway while the audit was being conducted. The revised policy is undergoing final senior management review and is anticipated to be approved before the end of June. While the policy itself had not been formally reviewed annually, MWRA’s Information Security Council, made up of senior staff from process controls, administrative and physical security, meets monthly to discuss events in cyber and physical security and their impact on MWRA policies and procedures. Following the Department of Homeland Security’s recommended best practices, MWRA has a process for distributing and installing security upgrades and patches to all systems.

MWRA internal audit staff will develop and implement the necessary internal controls to ensure that annual reviews of the policy are conducted.

Auditor’s Reply

Based on its response, MWRA is taking measures to address our concerns on this matter.

Date published: August 25, 2023
