Security Policies & Standards

This policy articulates requirements that assist management in defining a framework that establishes secure agency Information Technology (IT) environments.

This policy focuses on the specific category of electronic messaging (i.e., email, instant messaging (IM), etc.) communication and related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.

This policy articulates requirements that assist management in defining a framework that establishes a secure environment for providing services provided by Commonwealth agencies, authorities, and business partners.

The purpose of this document is to identify the minimum standards that agencies must adopt for the appropriate classification of data and the ongoing management of that classification. Classification of data is a critical part of data management which includes planning and implementing comprehensive and responsible information security practices. This document describes a standard data classification scheme, the required considerations for classification, risk assessment, security control requirements and data management and lifecycle requirements.

This policy articulates requirements for performing periodic reviews of Secretariats' and their respective Agencies' IT (Information Technology) assets, determining appropriate data classifications and controls, and assessing and reacting to risks in order to safeguard those assets.

This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.

This document articulates requirements that management must address in defining a policy to implement adequate physical and environmental security controls at Secretariats and their respective Agencies or Contractors’ facilities to secure and protect information assets, infrastructure and Information Technology (IT) resources.

A link to CommonWiki (requires a login) that outlines the Incident Handling Procedures.

This policy describes requirements for all Commonwealth Executive Department Secretariats, Agencies and Organizations sited within the Massachusetts Access to Government Network (MAGNet) as well as Executive Department Agencies outside of MAGNet for addressing data security considerations involving their staff.  

Cookies are small text files which are downloaded to your personal computer, mobile, or other device when you visit a website. This policy updates the provisions of the Executive Department's "Requirements of Agency Web Site Privacy Policies" which pertain to use of cookies.

This policy articulates the access controls that are required to meet the security objectives of the Enterprise Information Security Policy .  Access control management is paramount to protecting Commonwealth Information Technology (IT) Resources and requires implementation of controls and continuous oversight to restrict access.