| Organization: | Office of the State Auditor |
|---|---|
| Date published: | March 19, 2024 |
Executive Summary
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Division of Insurance (DOI) for the period July 1, 2021 through December 31, 2022. In this performance audit, we determined the following:
- whether DOI’s website met the accessibility standards established by the Executive Office of Technology Services and Security (EOTSS) and the Web Content Accessibility Guidelines 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility and
- whether DOI established information technology (IT) governance policies and procedures that met the requirements of EOTSS’s Enterprise Information Security Policies and Standards for business continuity plans, disaster recovery plans, information security incident response plans and procedures, and cybersecurity awareness training.
Below is a summary of our findings and recommendations, with links to each page listed.
| Finding 1 | DOI’s website is not fully accessible for all Massachusetts residents. |
|---|---|
| Recommendations | |
| Finding 2 | DOI did not update its business continuity plan or have a disaster recovery plan. |
| Recommendations | |
| Finding 3 | DOI relies on an information security incident response plan and procedures that do not include all required elements. |
| Recommendation | DOI should rely on an information security incident response plan and procedures that include all required elements. Alternatively, DOI could establish a supplemental information security incident response plan and procedures that include guidance for implementing corrective action or post-incident analysis, criteria for business recovery, data backup processes, an analysis of legal requirements for reporting IT system compromises, and incident response procedures from required external parties. |
Table of Contents
- List of Abbreviations
- Overview of Audited Entity
- Objectives, Scope, and Methodology
- The Division of Insurance’s Website Is Not Fully Accessible for All Massachusetts Residents
- The Division of Insurance Did Not Update Its Business Continuity Plan or Have a Disaster Recovery Plan
- The Division of Insurance Relies on an Information Security Incident Response Plan and Procedures That Do Not Include All Required Elements