Cybersecurity and Enterprise Risk Management

The cybersecurity and enterprise risk program focuses on protecting citizen data, ensuring the availability of the Commonwealth’s networks and systems, and maintaining the continuity of government operations and services. 

Our organization leads and coordinates efforts to strengthen the Commonwealth’s cybersecurity posture to prevent, protect, mitigate, respond, and recover from cyber threats and incidents. 

As technology becomes ever-more integrated into the business of state government and the delivery of constituent services, mature enterprise information security and risk management programs are essential in protecting citizen data, ensuring the availability of the Commonwealth’s networks and systems, and maintaining the continuity of government operations.

EOTSS manages these enterprise programs for the Executive Branch under the direction of the EOTSS Secretary/Commonwealth CIO and the Assistant Secretary for Security and Operations.

The Commonwealth’s Chief Information Security Officer (CISO) oversees enterprise security policies, standards, and information sharing among EOTSS leadership, state agencies, municipalities, federal partners and the vendor community. Our security and risk management approach aligns with the National Institute of Standards and Technology (NIST) framework, the Center for Internet Security (CIS) controls, and industry best practices. 

The Commonwealth operates a unified Security Operations Center (SOC), supervised by the Director of Security Operations. SOC services to the enterprise include Security Information and Event Management (SIEM), vulnerability management, threat intelligence, and security incident response and reporting programs.

The Commonwealth’s first Chief Risk Officer (CRO) leads the Enterprise Risk Management (ERM) Office and works in close collaboration with the Chief Privacy Officer, the CISO, SOC Director and other state officials in the continued development of comprehensive enterprise risk management and information governance programs. Through these programs, the CRO is working to mitigate one of the biggest cybersecurity threats facing governments today – third-party vendor risk.

Alignment among the CISO, secretariat CISOs, the ERM Office, and the Security Operations Team further strengthens the Commonwealth’s cybersecurity posture and ensures a more coordinated and robust enterprise effort to combat today’s emerging threats.