Policy Advisory

Policy Advisory  Third-Party Information Security Standard

Date: 01/01/2025
Organization: Cybersecurity and Enterprise Risk Management
Referenced Sources: MGL Chapter 7D, Section 2

The Third-Party Information Security Standard reinforces the Commonwealth’s commitment to a Third-Party information security strategy and outlines the controls necessary to safeguard the Commonwealth’s information assets and reduce risks.

Contact

Cybersecurity and Enterprise Risk Management

Online

For cybersecurity or risk management questions: Email Cybersecurity and Enterprise Risk Management at ERM@mass.gov

Table of Contents

Purpose

This standard establishes security requirements for the use of third parties that handle Commonwealth confidential information, either by storing, processing, transmitting, or receiving information.

•This standard outlines the following controls to reduce the information security risks associated with contracted services and staff:

•Identification of risks related to third parties to ensure appropriate protection of Commonwealth information assets

•Definition of information security requirements for third-party agreements

•Third-party information management oversight from contract initiation through termination

Downloads

Contact

Online

For cybersecurity or risk management questions: Email Cybersecurity and Enterprise Risk Management at ERM@mass.gov
Referenced Sources:

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback