Information Data Security Standards Update
The CTR Cyber Cybersecurity Responsibilities page now reflects the recently updated Enterprise Information Security Policies and Standards.
The Office of the Comptroller and the Executive Office of Technology Services and Security (EOTSS) have partnered and designated these standards as the Commonwealth’s default data and security standards and internal controls.
These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive departments that have not adopted comparable cyber and data security standards as part of their internal controls.
Note: EOTSS has reviewed the threat data, terms of service, and privacy policies of the DeepSeek AI platform, which has gained significant attention as a viral alternative to ChatGPT. EOTSS has determined that this platform does not comply with the EOTSS Enterprise Information Security Policies and Standards or the Enterprise Generative AI Development and Use Policy. Safeguarding Commonwealth information remains a shared responsibility for all employees.
Action Steps
- Departments should take the necessary steps to update their Internal Control Plan or written system of internal controls, including additional written procedures and protocols that ensure that these standards are integrated into daily operations and that personnel comply with these requirements for safeguarding information.
- Departments are urged to notify and train staff to refrain from use of DeepSeek and other similar AI platforms for any work-related activities that expose Commonwealth data.
- Staff should be instructed to avoid installing DeepSeek on BYOD (Bring Your Own Device) devices that are registered for both work and personal use.