
About

Department leadership and managers are responsible for establishing a “tone from the top” and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested, updated, and regularly trained to all employees, in order to prevent business disruption and data or financial loss resulting from cyber events.

Government financial and operational audits now assess data reliability and cybersecurity internal controls as a standard component of normal government operations.

Enterprise Security Standards are now included as part of a department’s Internal Controls and have compliance responsibilities at all levels of the organization.

Tone from the Top – Cybersecurity is a top priority

Cybersecurity compliance is not solely an “IT” or technology function, but is a series of controls, operations, procedures, and training that apply to all employees at all levels in a department.

Leadership and managers are responsible for establishing a strong tone from the top that cybersecurity internal controls are the foundation of all business and a top priority of the organization.

Assign Key Staff to Ensure Cybersecurity Compliance

As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with the required cybersecurity and data protection internal controls.

Cybersecurity internal controls require collaboration across the organization, including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, Program, and Operations staff, and extend to any contractor or third party supporting operations.

Internal controls should include:
  1. Enterprise information security policies and standards
  2. Telework guidance and advisories
  3. Ransomware preparedness and mitigation
  4. Compliance obligations for businesses and other entities handling personally identifiable information
  5. Other unique data privacy standards
     a. Credit card payment standards (if accepting credit cards)
     b. Health care privacy (HIPAA) (health and medical records)
     c. Protecting student privacy (FERPA)

Enterprise Information Security Policies and Standards

The Commonwealth's default data and security standards and internal controls must be included in a department's internal control plan, implemented, tested, and included in staff training. These standards apply to all executive departments and agencies, and serve as the default standards for non-executive departments that have not adopted comparable cyber and data security standards in their internal control plans.

VIEW ON MASS.GOV

See the Enterprise Information Security Policies and Standards Self Assessment Questionnaire tool below to help assess whether you comply with these standards.

Primary Cyber and Data Security Internal Controls

The following are tools to help achieve compliance with the Enterprise Security Policies and Standards. These should be part of Commonwealth departments' systems of internal controls.

Enterprise Information Security Standards Self Assessment Questionnaire

CTR developed this voluntary tool for assessing the level of compliance with the EOTSS Enterprise Security Standards.

VIEW EXCEL
Enterprise Information Security Standards Self Assessment Questionnaire Walkthrough

A guide to completing the Enterprise Information Security Standards Self Assessment Questionnaire.

VIEW PDF
Lessons Learned from Cyber Incidents

CTR has compiled lessons learned from previous cyber incidents to assist in identifying weaknesses, along with recommendations to prevent and remediate cyber events.

VIEW PDF
Template: Four Steps to Prepare for a Cybersecurity Risk Assessment

CTR created a four-step informational document to prepare an entity to perform a cybersecurity risk assessment that identifies and reduces security risks.

VIEW PDF
Cybersecurity Risk Assessment Prep Inventory

Entities can use this worksheet to help identify the types of information needed for a cybersecurity risk assessment.

VIEW EXCEL
Incident Response Template

CTR has prepared this template to cover the basics of incident response. In order to be successful, organizations must take a coordinated and organized approach to any incident.

VIEW WORD DOC

Teleworking Guidance and Advisories

Teleworking Key Tips from the Office of the Comptroller
VIEW PDF
Telework & Cybersecurity Fundamentals from Enterprise Security Office
VIEW ON MASS.GOV
MassCyberCenter Teleworking Cybersecurity Tips
VISIT MASSCYBERCENTER.ORG
Guide to Telework in the Federal Government
VISIT TELEWORK.GOV
Employee Online Training from the U.S. Department of Health and Human Services
VISIT HHS.GOV

Ransomware Preparedness and Mitigation

Ransomware is now one of the biggest threats to both businesses and private citizens. This guidance can assist with preventing and mitigating ransomware attacks.

Internal Controls Policy

Internal controls should be updated to include ransomware considerations, risk assessments, additional internal controls, and updated Incident Response, Business Continuity, and Disaster Recovery Plans.

VIEW
CISA MS-ISAC Ransomware Guide

Guide for leadership, management, and staff to understand ransomware, protect against it, and mitigate incidents.

VIEW ON CISA.GOV
Cyber Hygiene Services

CISA offers several free scanning and testing services to help organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size can find ways to reduce their risk and mitigate attack vectors.

VIEW ON CISA.GOV
Cybersecurity Evaluation Tool

A stand-alone desktop tool that guides asset owners and operators through a systematic process of evaluating operational technology and information technology.

VIEW ON CISA.GOV

Ransomware Trainings

Don't Wake Up to a Ransomware Attack
VIEW RECORDING
Don't Wake Up to a Ransomware Attack
VIEW SLIDES
I've Been Hit By Ransomware!
VIEW ON CISA.GOV

Compliance Obligations for Businesses and Other Entities Handling Personally Identifiable Information

Personal Information Compliance Checklist

Use this checklist to ensure compliance with M.G.L. Chapter 93H data protection.

VIEW ON MASS.GOV

Obligations Under the Data Security Regulations and Breach Notification Law

Requirements that apply if you have reason to believe your organization has experienced a data breach under M.G.L. Chapter 93H.

VIEW ON MASS.GOV

Report Cyber Incidents, Suspicious Activity, and Fraud

Mandatory reporting and compliance obligations for a data breach.

VISIT PAGE

Credit Card Payments Standards

Commonwealth of Massachusetts departments that accept credit cards must comply with the Payment Collection Data Security Policy and the Payment Card Industry (PCI) Security Standards Council requirements for the protection of personally identifiable information.

For compliance services, departments are required to use Statewide Contract PRF73DesignatedCTR – Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)


Health Care Privacy (HIPAA)

Health Insurance Portability & Accountability Act (HIPAA) 1996

A national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights.

VIEW AT HHS.GOV
Summary of HIPAA Security Rule

A summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

VIEW ON HHS.GOV
Mass Digital Health Initiative's Cybersecurity Toolkit for Digital Health

An educational toolkit covering the fundamentals and best practices of health care cybersecurity and privacy protection.

VISIT ON MASSDIGITALHEALTH.ORG

Mandatory Reporting Obligations for HIPAA Breach

Checklist for Reporting HIPAA Breach

Reporting requirements for a HIPAA breach due to a cyber attack.

VIEW ON HHS.GOV
Cybersecurity Infographic Reporting Cyber Attack

A printable infographic for reporting a HIPAA-related cyber attack.

VIEW ON HHS.GOV
Fact Sheet: Ransomware and HIPAA

Frequently Asked Questions

VIEW ON HHS.GOV

Protecting Student Privacy (Family Educational Rights and Privacy Act)

Family Educational Rights and Privacy Act (FERPA)

Regulations at 34 CFR Part 99 implementing section 444 of the General Education Provisions Act, which is commonly referred to as the Family Educational Rights and Privacy Act.

VIEW ON ED.GOV
U.S. Department of Education Compliance Laws and Guidance

Legislation, regulations, guidance, and other policy documents on the Every Student Succeeds Act and other topics can be found here.

VIEW ON ED.GOV

Other Cybersecurity and Data Privacy Standards and Guidance

Massachusetts Laws About Internet and Online Privacy

A compilation of laws, regulations, cases, and web sources on internet and online privacy law.

VIEW ON MASS.GOV
Association of Government Accountants Intergovernmental Partnership Cybersecurity Hub

AGA's Intergovernmental Partnership program aims to help all levels of government raise cybersecurity awareness.

VIEW AT AGACGFM.ORG
National Governors Association Resource Center for State Cybersecurity

Guidance for states to implement effective state cybersecurity practices.

VIEW ON NGA.ORG
ISO/IEC 27001

An international best-practice standard for risk-based information security management system controls, which organizations can apply to achieve compliance in a structured way.

VISIT ITGOVERNANCEUSA.COM
NIST Cybersecurity Standards

Voluntary guidance from the National Institute of Standards and Technology to help organizations better manage and reduce cybersecurity risk.

VISIT NIST.GOV
NIST Cybersecurity Framework

NIST achieves practical cybersecurity and privacy through outreach and the effective application of the standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.

VISIT NIST.GOV

Additional Resources for Cybersecurity Controls