Department leadership and managers are responsible for establishing a "tone from the top" and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested and updated, and that all staff are routinely trained, in order to prevent operational disruption and data or financial losses due to a cyber incident.

Government financial and operational audits now evaluate data reliability and cybersecurity internal controls as a standard part of normal government operations.

Enterprise security standards are now part of a department's Internal Controls, with compliance responsibilities at every level of the organization.

Tone from the Top: Cybersecurity Is a Top Priority

Cybersecurity compliance is not just an "IT" or technology function; it is a set of controls, operations, procedures and training that applies to staff at all levels within a department.

Leadership and managers are responsible for establishing a strong tone from the top that identifies cybersecurity internal controls as part of the foundation of all operations and a top organizational priority.

Assign Key Staff to Ensure Cybersecurity Compliance

As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with required cybersecurity and data protection internal controls.

Cybersecurity internal controls require collaboration across the entire organization, including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, program and operations staff, and extend to any contractors or third parties supporting operations.

Key Cybersecurity Data and System Security Internal Controls

Internal controls should be updated to include consideration of ransomware, the performance of risk assessments, additional internal controls, and updated Incident Response, Business Continuity, and Disaster Recovery plans.

View the CTR Internal Control Policy

The annual update of internal controls should include a cybersecurity risk assessment and mitigating controls, as well as updated Incident Response, Business Continuity, and Disaster Recovery plans.

Departments should include the following cybersecurity internal controls when updating their Internal Control Plan and system of internal controls:

  1. Enterprise Information Security Policies and Standards
  2. Cybersecurity Awareness Training
  3. Governance and Risk Management

Enterprise Information Security Policies and Standards

The Commonwealth's default data and security standards and internal controls must be included in a Department's Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments that have not adopted comparable cyber and data security standards as part of their Internal Control Plan. See the highlights of each EOTSS standard below.

Enterprise Information Security Standards Self-Assessment Questionnaire

CTR has developed this voluntary tool to evaluate the level of compliance with the EOTSS Enterprise Security Standards.

VIEW EXCEL
Enterprise Information Security Standards Self-Assessment Questionnaire Walkthrough

Instructions for completing the Self-Assessment Questionnaire for the Enterprise Information Security Standards.

VIEW PDF
Highlights of EOTSS IS.000 Enterprise Information Security Policy and IS.001 Organization of Information Security Standard
VIEW ARTICLE
Highlights of IS.002 Acceptable Use of Information Technology Policy
VIEW ARTICLE
Highlights of IS.003 Access Management Standard
VIEW ARTICLE
Highlights of IS.004 Asset Management Standard
VIEW ARTICLE
Highlights of IS.005 Business Continuity and Disaster Recovery Standard
VIEW ARTICLE
Highlights of IS.006 Communication and Network Security Standard
VIEW ARTICLE
Highlights of IS.007 Compliance Standard
VIEW ARTICLE
Highlights of IS.008 Cryptographic Management Standard
VIEW ARTICLE
Highlights of IS.009 Information Security Incident Management Standard
VIEW ARTICLE
Highlights of IS.010 Information Security Risk Management Standard
VIEW ARTICLE
Highlights of IS.011 Logging and Event Monitoring Standard
VIEW ARTICLE
Highlights of IS.012 Operations Management Standard
VIEW ARTICLE
Highlights of IS.013 Physical and Environmental Security Standard
VIEW ARTICLE
Highlights of IS.014 Secure System and Software Lifecycle Management Standard
VIEW ARTICLE
Highlights of IS.015 Third Party Information Security Standard
VIEW ARTICLE
Highlights of IS.016 Vulnerability Management Standard
VIEW ARTICLE

Cybersecurity Awareness Training

The Office of the Comptroller created CTR Cyber to provide departments with additional free resources to distribute to their employees, in addition to any mandatory cybersecurity awareness trainings required by the department. There is no reason not to provide cyber awareness training to staff.

Audits now routinely include questions about what steps you are taking to continually train your staff on cybersecurity threats. Document all training and audit reminders.

See our CTR Cyber Cybersecurity Awareness Training page for tips and internal controls to protect your workstations and networks. See our Pause Verify Report for 3 simple internal controls that everyone in your organization can use to protect your networks at work and at home.

Pause Verify Report gives employees 3 simple steps for handling requests that arrive by email, text message and phone, and for recognizing scammers, which prevents most cyber and fraud incidents!

See our CTR Cyber page and follow us on Facebook, LinkedIn and X for the latest cybersecurity tips.

Governance and Risk Management Resources

Departments are required to include cybersecurity risk assessments and mitigating controls as part of the Internal Control Plan and system of internal controls. In addition to the Enterprise Information Security Self-Assessment Questionnaire listed above, here are some additional tools and resources to consider when completing your Internal Control Plan and system of internal controls:

Template: Four Steps to Prepare for a Cybersecurity Risk Assessment

CTR has created an informational document with four steps to prepare an entity to perform a cybersecurity risk assessment that identifies and mitigates security risks.

VIEW PDF
Cybersecurity Risk Assessment Preparation Checklist

Entities can use this worksheet to help identify the types of information needed for a cybersecurity risk assessment.

VIEW EXCEL
Lessons Learned from Cyber Incidents

CTR has compiled lessons learned from past cyber incidents to help target weak points, along with recommendations for preventing and remediating cyber incidents.

VIEW PDF
Records Retention Internal Controls, Records Digitization, Records Security and Custody

See the Records Conservation Board page for the policies and procedures regarding retention and digitization of records, including information about secure retention and destruction to protect against unauthorized access, theft, and destruction.

VIEW ON SEC.STATE.MA.US

Telework Guidance and Advisories

Telework & Cybersecurity Basics from the Enterprise Security Office
VIEW ON MASS.GOV

Data Privacy and Security Standards and Internal Controls

Depending on the type of data your department manages, your internal controls should include risk assessments and mitigating controls to ensure the security and privacy of this data and of the systems (department or third-party vendor) that hold it. See the sections below for guidance on the data privacy standards most commonly used by departments:

Compliance Obligations of Businesses and Other Entities Handling Personally Identifiable Information

Personal Data Compliance Checklist

Use this checklist to ensure compliance with the data protection requirements of M.G.L. Chapter 93H.

VIEW ON MASS.GOV

Obligations under the [title garbled] and the [title garbled]

If you have reason to believe that your organization [text missing] M.G.L. Chapter 93H.

VIEW ON MASS.GOV

Reporting Cyber Incidents, Suspicious Activity and Fraud

Mandatory reporting and compliance obligations for data breaches.

VISIT PAGE

Credit Card Payment Standards

Commonwealth of Massachusetts departments that accept credit cards must comply with the Payment Data Security Policy and the requirements of the Payment Card Industry (PCI) Security Standards Council to protect personally identifiable information.

For compliance services, departments must use the Statewide Contract PRF73DesignatedCTR – Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)

Healthcare Privacy (HIPAA)

Health Insurance Portability & Accountability Act (HIPAA) of 1996

National standards for the security of electronic health information, including protection of individually identifiable health information, rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights.

VIEW AT HHS.GOV
HIPAA Security Rule Overview

A summary of the key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

VIEW ON HHS.GOV
Mass Digital Health Initiative's Digital Health Cybersecurity Toolkit

An educational toolkit covering the fundamentals and best practices for healthcare cybersecurity and privacy protection.

VISIT MASSDIGITALHEALTH.ORG

Mandatory Reporting Obligations for HIPAA Breaches

HIPAA Breach Reporting Checklist

Reporting requirements for HIPAA breaches resulting from cyber attacks.

VIEW ON HHS.GOV
Cybersecurity Infographic for Reporting Cyber Attacks

Printable infographic for reporting HIPAA-related cyber attacks.

VIEW ON HHS.GOV
Fact Sheet: Ransomware and HIPAA

Frequently Asked Questions

VIEW ON HHS.GOV

Protecting Student Privacy (Family Educational Rights and Privacy Act)

Family Educational Rights and Privacy Act (FERPA)

The regulations at 34 CFR Part 99 implement section 444 of the General Education Provisions Act, commonly known as the Family Educational Rights and Privacy Act (FERPA).

VIEW ON ED.GOV
U.S. Department of Education Compliance Laws and Guidance

Legislation, regulations, guidance, and other policy documents for the Every Student Succeeds Act and other topics can be found here.

VIEW ON ED.GOV

Other Cybersecurity and Data Privacy Standards and Guidelines

Massachusetts Law About Internet and Online Privacy

A compilation of laws, regulations, cases and web resources on internet and online privacy law.

VIEW ON MASS.GOV
Association of Government Accountants Intergovernmental Partnership Cybersecurity Center

AGA’s Intergovernmental Partnership program project to help address cybersecurity awareness at all levels of government.

VIEW AT AGACGFM.ORG
National Governors Association Resource Center for State Cybersecurity

Guidance for states on implementing effective state cybersecurity practices.

VIEW ON NGA.ORG
ISO/IEC 27001

International standard for best-practice information security management system controls, based on risk, that organizations can apply in a structured manner to achieve compliance.

VISIT ITGOVERNANCEUSA.COM
NIST Cybersecurity Standards

National Institute of Standards and Technology voluntary guidance to help organizations better manage and reduce cybersecurity risk.

VISIT NIST.GOV
NIST Cybersecurity Framework

NIST implements practical cybersecurity and privacy through outreach and effective application of the standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.

VISIT NIST.GOV

Additional Resources for Cybersecurity Controls