Auditor Suzanne M. Bump today released an audit of the Merit Rating Board (MRB) that provides recommendations to improve the security of the agency\u2019s IT infrastructure, which contains sensitive information about Massachusetts\u0027\u00a0drivers including names, home addresses, birthdates, and driver\u2019s license numbers. The MRB\u2019s primary mission is to maintain and update driving records and report driving record information to auto insurers and other transportation and public-safety government agencies. \u00a0\n\n\u201cNew technologies provide agencies with more efficient ways to conduct their work. These opportunities, however, also bring new challenges related to protecting the data contained within the IT infrastructure,\u201d Bump said of the audit. \u201cThis audit provides the Merit Rating Board with important steps it can take to improve the security of its IT assets to ensure that the personal data of Massachusetts\u2019 residents is protected.\u201d\n\nIn the audit, Bump calls on MRB to take specific steps related to access, training, and protection of its IT assets. She encouraged the agency to:\n\ndevelop processes to ensure employees no longer employed at MRB immediately lose access to its IT systems;\n\treview employee access to those systems quarterly to ensure appropriate permissions were granted; \n\timprove protections of personally identifiable information by establishing policies and procedures for data classification and inventory;\n\tensure employees receive security awareness training before being granted access to sensitive IT systems; and\n\tdevelop and routinely test its plans to continue serving residents of the Commonwealth in the event of a loss of data or systems, or data breach. \nIn response to the audit, MRB noted that many of its IT systems are administered by the Massachusetts Department of Transportation (MassDOT). However, Bump noted that while MassDOT may administer these functions, it remains the responsibility of MRB to collaborate with them to ensure adequate protections are in place. \n\nThe audit released to the public is abridged because of the sensitivity of the information contained in the full audit. Consistent with government auditing standards and the Massachusetts public records law, only the Merit Rating Board will receive a full, unabridged copy of the report.\n\nThe Merit Rating Board was established in 1976 as a subdivision of the Massachusetts Department of Transportation\u2019s Registry of Motor Vehicles. This audit was conducted as part of Bump\u2019s efforts to help state agencies efficiently and effectively modernize government. It examined activities of MRB from July 1, 2014 through June 30, 2016.\n\nThe abridged audit of the Merit Rating Board is available here.