MRB did not Document and Test a Business Continuity Plan

The audit found that MRB did not have proper procedures for dealing with critical incidents that could disrupt its operations or cause loss of data.

Overview

MRB lacked proper procedures for dealing with incidents that might compromise its ability to recover from disruptions to its operations or destruction of data that are vital to serving the citizens of the Commonwealth. Without proper procedures (such as regular backups of data) to safeguard the continuance of normal operations after a disaster, it may be difficult, if not impossible, for MRB to fulfill its mission.

MRB did not have a Business Continuity Plan

We interviewed MRB management and MassDOT IT staff members and found that MRB did not have a business continuity plan (BCP) that was documented, implemented, and up to date for all mission-critical objectives. This may cause MRB’s critical operations to be disrupted in the event of a loss of data or systems.


Authoritative Guidance

MassIT’s Enterprise Business Continuity for IT Management Policy states,

Agencies are required to develop, implement, test, and maintain a Business Continuity Plan (BCP) for all Information Technology Resources (ITR) that deliver or support core systems and services on behalf of the Commonwealth of Massachusetts.

The minimum components set by MassIT for a BCP are standard incident response procedures, a disaster recovery (DR) plan, and a continuity-of-operations plan.


Reasons for Noncompliance

MRB management stated that MRB followed MassDOT’s ISP instead of developing its own. MassDOT IT staff members could not provide a reason that no BCP had been developed.

MRB did not test a DR Plan for Fiscal Years 2015 and 2016

MRB did not perform a DR test for fiscal years 2015 and 2016 to assess its ability to sustain operations in the event of a business interruption. This increases the risk that the confidentiality, integrity, and availability of MRB information will be compromised.


Authoritative Guidance

According to MassIT’s Enterprise Business Continuity for IT Management Policy,

Agencies are required to document, implement and annually test plans [including DR plans] including the testing of all appropriate security provisions to minimize impact to systems or processes from the effects of major failures of IT Resources or disasters. [Emphasis added.]

Reasons for Noncompliance

MRB received an email from MassIT regarding the DR test for fiscal year 2015, but MRB did not receive any follow-up from MassIT about when and how the DR test would be conducted and did not follow up with MassIT itself for fiscal year 2015 or 2016.

MRB did not have Backup Policies and Procedures for its Internal FTP Server

MRB did not have policies and procedures to manage backup activity for its internal FTP server. Furthermore, MRB could not provide evidence that a full backup had been performed during the audit period. Partial backups had been performed and kept at the same physical location as the server, but there were no offsite backups of any kind. This increases the risk of MRB permanently losing protected information in the event of a business interruption or disaster.


Authoritative Guidance

MassIT’s Enterprise Communications and Operations Management Policy states,

Agencies are required to develop and implement backup procedures to ensure that backup of systems and data and verification testing are performed, schedules and backup documentation are written, and storage locations chosen, in accordance with industry best practices and agency security requirements.

The National Institute of Standards and Technology (NIST) Special Publication 800-34 states,

System data should be backed up regularly. Policies should specify the minimum frequency and scope of backups (e.g., daily or weekly, incremental or full) based on data criticality and the frequency that new information is introduced. Data backup policies should designate the location of stored data, file-naming conventions, media rotation frequency, and method for transporting data offsite. . . .

It is good business practice to store backed-up data offsite. [Emphasis added.]

Reasons for Noncompliance

MRB management told us that they did not have policies and procedures for backups and that they followed MassDOT IT’s ISP. We found that the ISP had no specific section regarding backups. Therefore, we concluded that MRB management was not aware of their responsibility for documenting, developing, and implementing backup procedures. They also had not designated an employee responsible for developing backup policies and procedures.

Recommendations

  1. MRB should work with MassDOT IT to develop, document, and implement a BCP that includes MRB operations.
  2. MRB should consult with MassDOT to perform a DR test for all critical information technology (IT) assets (such as data, equipment, IT services, and IT personnel) to ensure that suitable alternative procedures exist in case disruptions occur. The DR test should be performed annually to minimize the duration of any disruption to MRB operations.
  3. MRB should consult with MassDOT to document, develop, and implement backup procedures for its servers. These procedures should ensure that full offsite backups are performed and maintained regularly.
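To make recommendation 3 concrete, the following is an added illustration, not part of the audit report and not a MassDOT or MassIT tool, of what a documented backup procedure with the elements required by the MassIT policy and NIST SP 800-34 text quoted above looks like in runnable form: a full or incremental run, a recorded checksum, verification (a full backup by test restore), a copy to a second location that is verified independently, a log line, and a retention rule. The directory layout, file names and labels are assumptions for illustration; a real job would point src at the FTP server’s data root and offsite_dir at storage in another building or region.

```python
# Added example, not part of the audit report and not MassDOT/MassIT tooling: a
# small backup routine with the elements the MassIT policy and NIST SP 800-34
# call for. Each run writes a full or incremental tar archive with a checksum,
# verifies it (a full backup by test restore), copies it to a second location
# and appends a log line. All paths and names are assumptions for illustration.
import hashlib
import json
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def archive_members(archive):
    with tarfile.open(archive) as tar:
        return sorted(m.name for m in tar.getmembers())


def restore_archive(archive, dest):
    """Extract into dest, refusing members that would escape it or are not plain files/dirs."""
    dest = Path(dest).resolve()
    with tarfile.open(archive) as tar:
        for m in tar.getmembers():
            target = (dest / m.name).resolve()
            if not (m.isfile() or m.isdir()) or dest not in target.parents:
                raise ValueError(f"refusing unsafe archive member {m.name!r}")
        tar.extractall(dest)


def backup_verify(archive):
    """True if the archive matches the checksum recorded beside it at backup time."""
    archive = Path(archive)
    recorded = Path(f"{archive}.sha256").read_text().split()[0]
    return sha256_file(archive) == recorded


def backup_run(src, local_dir, offsite_dir, kind, label):
    """Write backup-LABEL-KIND.tar.gz; kind is 'full' or 'incr'. Returns the archive path.
    LABEL should sort chronologically (e.g. 20180201-0300) so backup_prune keeps the newest."""
    src, local_dir, offsite_dir = Path(src), Path(local_dir), Path(offsite_dir)
    local_dir.mkdir(parents=True, exist_ok=True)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    state_file = local_dir / "state.json"          # file hashes as of the last run
    current = tree_hashes(src)
    previous = {}
    if kind == "incr" and state_file.exists():
        previous = json.loads(state_file.read_text())
    else:
        kind = "full"                              # no base to build on: force a full backup
    changed = [rel for rel, digest in current.items() if previous.get(rel) != digest]

    archive = local_dir / f"backup-{label}-{kind}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in changed:
            tar.add(src / rel, arcname=rel)
    checksum = sha256_file(archive)
    Path(f"{archive}.sha256").write_text(f"{checksum}  {archive.name}\n")

    # Verification: the archive must list exactly what was selected, its checksum
    # must match, and a full backup must restore to a tree identical to the source.
    if archive_members(archive) != sorted(changed) or not backup_verify(archive):
        raise RuntimeError(f"verification failed for {archive}")
    if kind == "full":
        with tempfile.TemporaryDirectory() as tmp:
            restore_archive(archive, tmp)
            if tree_hashes(tmp) != current:
                raise RuntimeError(f"test restore of {archive} does not match source")

    # Second location: copy archive and checksum, then verify the copy independently.
    shutil.copy2(archive, offsite_dir / archive.name)
    shutil.copy2(f"{archive}.sha256", offsite_dir / f"{archive.name}.sha256")
    if not backup_verify(offsite_dir / archive.name):
        raise RuntimeError(f"offsite copy of {archive.name} is corrupt")

    state_file.write_text(json.dumps(current))
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(local_dir / "backup.log", "a") as log:
        log.write(f"{stamp} {kind} {archive.name} files={len(changed)} sha256={checksum}\n")
    return archive


def backup_prune(local_dir, keep):
    """Delete all but the newest `keep` archives (by name); returns what was removed.
    Run only after a fresh full backup succeeds, so surviving incrementals keep their base."""
    archives = sorted(Path(local_dir).glob("backup-*.tar.gz"), reverse=True)
    removed = archives[keep:]
    for old in removed:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return removed
```

Two points of the design follow the finding directly: the checksum is re-verified against the copy at the second location, not only against the local file, which is the evidence the audit could not obtain; and the test restore runs through restore_archive, which rejects archive members that would write outside the target directory, so a restore from a tampered archive cannot overwrite files elsewhere on the server. Deleted files are not recorded by this incremental scheme; a production job would track them or rely on periodic full backups.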

Auditee’s Response

The Merit Rating Board has no control of infrastructure on which to conduct DR testing and all ALARS data is shared between the Merit Rating Board and the Registry of Motor Vehicles. It would not be possible for the Merit Rating Board to create a Business Continuity Plan (BCP) or conduct any Disaster Recovery testing independent of MASSDOT IT and MASS IT.

The Merit Rating Board has provided documentation to MASSDOT IT & MASSIT whenever requested concerning the Merit Rating Board requirements for business continuity and disaster recovery. The creation of a formal BCP and all disaster testing must be done as part of an overall effort on the part of MASSDOT IT with the Merit Rating Board as one of the subdivisions within that effort. . . .

The Merit Rating Board no longer has control over the data servers and workstation infrastructure within our department. We are dependent on MASSDOT IT to provide backup and recovery for this data. It is our understanding that the data servers are backed up regularly and a set of backups is routinely sent to an offsite location. These Recommendations will be directed appropriately to MASSDOT IT.

Auditor’s Reply

We acknowledge that MRB does not have control over infrastructure and ALARS data. This is why we recommend that MRB consult with MassDOT in developing a BCP and performing a DR test for all critical IT assets (such as data, equipment, IT services, and IT personnel) to ensure that suitable alternative procedures exist in case disruptions occur. MRB needs to work with MassDOT IT to develop, implement, test, and maintain a BCP for all IT resources that deliver and support core critical business functions of MRB.

Further, we acknowledge that MRB was in the process of moving its data servers and workstations under MassDOT IT operations during our audit period. However, the Office of the State Auditor believes MRB should still take measures to ensure that its data servers are backed up regularly by MassDOT IT and maintained off site.

Date published: February 1, 2018
